Palo Deployment Architecture
Configuration strategy:
Zones:
- Untrust (for Internet links).
- VPN (possibly used, but only for third-party VPNs, not VPNs to other internal sites).
- Trust (all interfaces that don't fit the others).
- Guest (for guest networks that break out locally to the Internet and do not access any other site and are not accessible from any other site).
Tags:
- global-block
- inbound
- global-allow (e.g. ping).
- rest-of-rules: use the “Group by” tag. Within a group, use a normal 'tag' to describe the destination.
- For guest, explicitly allow the permitted traffic, then block everything else from the guest zone.
- For each “zone” that isn't a zone (e.g. mgmt, printers, wifi, servers, dmz), create an address group that contains all of its subnets.
Two zone protection profiles: one for external interfaces and one for all others.
Create an address group of the firewall's interface IP addresses to make a simple rule that allows the firewall interfaces to ping/traceroute/ICMP anywhere.
Enable an interface management profile with ping, SSH, HTTPS, User-ID and SNMP on a loopback or on the firewall's interface to the mgmt network. Use this for SNMP polling, User-ID redistribution (with a service route so that User-ID from other firewalls is received via this address) and for managing the 'active' firewall. Enable ping, HTTPS, SSH and SNMP on the actual management interfaces; use these for backup access/troubleshooting. Consider doing RADIUS/LDAP/TACACS queries from the loopback via a service route. A local account would be needed to get access to the passive firewall.
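As an added illustration of the tag and address-group layout above (example code, not from the original page and not Palo Alto Networks' own tooling), the following Python script models a small rulebase in the prescribed order, checks the invariants the layout depends on (the three fixed groups lead the rulebase in order, each group tag forms one contiguous run, the guest zone ends with an explicit block, every referenced address group exists) and renders the result as PAN-OS set commands. All zone names, subnets, address objects and rules are constructed, and the set-command syntax is an assumption based on the PAN-OS configuration CLI; verify it against the PAN-OS version in use before committing anything.

```python
"""Model and lint a rulebase laid out as: global-block, inbound, global-allow,
then per-source groups tagged by destination, with guest ending in a block-all.
Added example with constructed data; PAN-OS set syntax is assumed, not verified."""
from dataclasses import dataclass
from typing import Dict, List

FIXED_GROUPS = ("global-block", "inbound", "global-allow")  # must lead, in this order


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    source: str
    destination: str
    application: str
    action: str        # allow | deny | drop
    group_tag: str     # the "Group by" tag used to arrange the rulebase
    tag: str = ""      # plain tag naming the destination inside a group


# Constructed: subnets behind each "zone that isn't a zone" and the firewall's own IPs.
ADDRESS_OBJECTS: Dict[str, str] = {
    "net-printers-a": "10.14.0.0/24",
    "net-printers-b": "10.14.1.0/24",
    "net-servers": "10.11.0.0/24",
    "fw-loopback": "10.10.0.1/32",
    "fw-servers-gw": "10.11.0.1/32",
}
ADDRESS_GROUPS: Dict[str, List[str]] = {
    "ag-printers": ["net-printers-a", "net-printers-b"],
    "ag-servers": ["net-servers"],
    "ag-fw-interfaces": ["fw-loopback", "fw-servers-gw"],
}


def build_rulebase() -> List[Rule]:
    """Constructed rulebase in the order the layout prescribes."""
    return [
        Rule("block-bad-edl", "any", "any", "any", "edl-known-bad", "any", "deny", "global-block"),
        Rule("inbound-mail", "untrust", "trust", "any", "ag-servers", "smtp", "allow", "inbound"),
        Rule("fw-icmp-out", "any", "any", "ag-fw-interfaces", "any", "ping", "allow", "global-allow"),
        Rule("users-to-printers", "trust", "trust", "any", "ag-printers", "any", "allow", "users", "printers"),
        Rule("users-to-servers", "trust", "trust", "any", "ag-servers", "any", "allow", "users", "servers"),
        Rule("guest-internet", "guest", "untrust", "any", "any", "web-browsing", "allow", "guest", "internet"),
        Rule("guest-block-all", "guest", "any", "any", "any", "any", "deny", "guest", "block-all"),
    ]


def _rank(rule: Rule) -> int:
    """Fixed groups sort by their position; every other group sorts after them."""
    return FIXED_GROUPS.index(rule.group_tag) if rule.group_tag in FIXED_GROUPS else len(FIXED_GROUPS)


def check_layout(rules: List[Rule], groups: Dict[str, List[str]]) -> List[str]:
    """Return a list of layout problems; an empty list means the rulebase follows the strategy."""
    problems: List[str] = []
    ranks = [_rank(r) for r in rules]
    if ranks != sorted(ranks):
        problems.append("global-block, inbound and global-allow must lead the rulebase, in that order")
    runs: List[str] = []  # group tags in order of first appearance of each run
    for r in rules:
        if not runs or runs[-1] != r.group_tag:
            runs.append(r.group_tag)
    if len(runs) != len(set(runs)):
        problems.append("a group tag appears in more than one run; the 'Group by' view would split it")
    guest = [r for r in rules if r.src_zone == "guest"]
    last = guest[-1] if guest else None
    if last is None or last.action not in ("deny", "drop") or (last.dst_zone, last.destination) != ("any", "any"):
        problems.append("guest zone must end with an explicit block of everything else")
    for r in rules:
        for ref in (r.source, r.destination):
            if ref.startswith("ag-") and ref not in groups:
                problems.append(f"{r.name}: unknown address group {ref}")
    return problems


def to_set_commands(rules: List[Rule], objects: Dict[str, str], groups: Dict[str, List[str]]) -> List[str]:
    """Render objects, groups and rules as PAN-OS set commands (syntax assumed)."""
    cmds = [f"set address {name} ip-netmask {cidr}" for name, cidr in objects.items()]
    cmds += [f"set address-group {name} static [ {' '.join(members)} ]" for name, members in groups.items()]
    for r in rules:
        base = f"set rulebase security rules {r.name}"
        cmds.append(f"{base} from {r.src_zone} to {r.dst_zone} source {r.source} destination {r.destination} "
                    f"application {r.application} service application-default action {r.action}")
        cmds.append(f"{base} group-tag {r.group_tag}")
        if r.tag:
            cmds.append(f"{base} tag {r.tag}")
    return cmds


if __name__ == "__main__":
    rb = build_rulebase()
    for problem in check_layout(rb, ADDRESS_GROUPS):
        print("PROBLEM:", problem)
    print("\n".join(to_set_commands(rb, ADDRESS_OBJECTS, ADDRESS_GROUPS)))
```

Running the script prints the set commands for the constructed rulebase and flags nothing; moving the global-block rule to the end, or removing the guest block-all rule, makes `check_layout` report the violated invariant, which is the kind of check worth running before a rulebase export is pushed to a firewall.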
VLANs
10x Management
- Firewall, switch and access point mgmt
- VMware mgmt and other 'all IT can access' mgmt
- UPS mgmt
- Other mgmt functions (e.g. wall board control)
11x Server
- Windows servers
- Linux servers
- Network servers (e.g. Infoblox DNS/DHCP)
12x Voice
- (if needed)
14x NetworkDevices
- Printers
10x Users Wired
- Up to 10 wired VLANs. Can represent different buildings/floors/departments/etc.
10x Users WiFi
- Up to 10 WiFi VLANs for users. Could represent different SSIDs/etc.
15x Security
- CCTV
- Building alarm
- Door control
16x Guest
- Guest WLAN
- Guest wired
17x Lab
- Staging lab
- Demo environment
- Internal lab
- Training VLANs
18x DMZ
- Up to 10 DMZ subnets
