Re: Palo Alto Firewalls

[Robert Spellman <rspell () BATES EDU>]

We have a pair of 5020's.

We are running active-active.  I don't think too many sites are running
active-active.  We had some issues with the active-active configuration at
first, but it has been stable for two years now.

BGP is handled on the edge with a pair of Cisco routers.

Robert Spellman
Bates College
Information and Library Services


On Wed, Mar 19, 2014 at 9:41 AM, Chris Golden <cgolden () leeuniversity edu>wrote:

>  We are using OSPF on the PAN 5020's but not BGP.  We have some Brocade
> CER's for that.
>
>  -Chris
>
>
>
>   From: Peter Setlak <psetlak () COLGATE EDU>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Tuesday, March 18, 2014 at 10:44 AM
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Palo Alto Firewalls
>
>   It was suggested to us by the sales Engineer that while the Palo Alto
> CAN do BGP, it should not be used for it as it is not built to handle a
> large convergence. We use separate edge routers built for BGP which gives
> us the performance we want and some added protection, for instance, ACLs on
> certain subnets that can keep some traffic from ever hitting the PA in the
> first place.
>
>
> On Tue, Mar 18, 2014 at 9:23 AM, Jeremiah Cherwien <
> jcherwien001 () luthersem edu> wrote:
>
> > Not looking to hijack this thread, but have any of you running the Palo's
> > used the BGP feature?
> >
> >  We're mid implementation with a 3020, and the last slated item is to
> > enable BGP on the Palo to take the place of several linux boxes that are
> > running Quagga (Our routers).  Seeing this thread makes me wonder the
> > wisdom in this, so I'm curious for other's thoughts/results.
> >
> >  Miah
> >
> >
> > On Mon, Mar 17, 2014 at 11:38 PM, Will Froning <will.froning () gmail com>wrote:
> >
> > > Hello Shayne,
> > >
> > > These PA questions come up a lot, if you haven't checked the archives
> > > you might find some gems. I've also CC'd the Palo Alto Network's EDU list
> > > that was created a couple years back.
> > >
> > >
> > > On 18 Mar 2014, at 4:30, T. Shayne Ghere wrote:
> > >
> > >  1.)     How many Palo Alto Firewalls did you purchase?
> > > >
> > >
> > >  We have a pair of 4050s and 5060s. We are looking to upgrade the 4050s
> > > as they are 5 years old.
> > >
> > >
> > >  2.)    If you purchased just one, what do you have in place in case of a
> > > > failure?
> > >
> > >  We always go for a pair.
> > >
> > >
> > >  3.)    If you purchased two for failover capability, are you using them
> > > > active active, or active passive?
> > >
> > >  Active-Passive. We've considered going active-active (A-A), but
> > > there's always a fear it will introduce more complication than what it is
> > > intended to solve. Having said that, I like the idea of using A-A as a way
> > > to grow into more bandwidth.
> > >
> > >
> > >  4.)    If you advertise or use full BGP tables (routes), and Palo Alto
> > > > doesn't support this, how did you solve this if you have multiple
> > > > Service
> > > > Providers?
> > >
> > >  We considered moving BGP to the firewall briefly, but decided to let
> > > our routers do the routing. Part of the problem with the PAN is it's a
> > > really good hammer, so you tend to see everything as a nail.
> > >
> > > There are some great cost saving possible when you consolidate all your
> > > edge functions onto the PAN, but at the same time it can make
> > > troubleshooting impossibly tough.
> > >
> > >
> > >  5.)    Did you look at any other vendors and why did you pick Palo Alto?
> > > >
> > >
> > >  Most recently we looked at Sourcefire. They do't have all the bells
> > > and whistles (AV & SSL decryption) we want. When we got our first pair 5+
> > > years ago we looked at everything on the market, but the landscape has
> > > completely changed since then.
> > >
> > > If money is the limiting factor, consider going for a pair of 5020s in
> > > active-active. You won't get the 10G interface, but the PAN supports
> > > trunking/bundling.
> > >
> > > Thanks,
> > > Will
> > >
> > > --
> > > Will Froning
> > > Will.Froning () GMail com
> >
> >
> >
> >  --
> > Jeremiah L. Cherwien
> > *Assistant Director, IT Services*
> > Office of Technology
> > *Luther Seminary*
> > 2481 Como Ave.
> > St. Paul, MN 55108
> > Ph:  651-641-3512
> >
> > *"Quis Custodiet Ipsos Custodes"*
> >  <http://www.luthersem.edu/>
>
>
>
>  --
> Thank you,
>
> Peter J. Setlak
> Network Security Analyst, GSEC, GLEG, GCPM
> Colgate University
> ---
> psetlak () colgate edu
> (315) 228-7151
> Case-Geyer 450
>
> Colgate IT Security - http://colgate.edu/itsecurity
>
> Think *Green!* Please consider the environment before printing this
> email.
>
>
> *Engage with Colgate University:  *
>  News blog <http://blogs.colgate.edu/>, Twitter<https://twitter.com/#%21/colgateuniv>
> , Facebook <https://www.facebook.com/colgateuniversity>, Google+<https://plus.google.com/u/0/b/113333907606560373469/>
> , Delicious <http://www.delicious.com/colgatenewsmakers>, YouTube<http://www.youtube.com/cuatchannel13>
> , Flickr <http://www.flickr.com/photos/colgateuniversity/>, Pinterest<http://pinterest.com/colgateuniv/>
> , LinkedIn <http://www.linkedin.com/company/colgate-university/>