Educause Security Discussion mailing list archives
Re: Palo Alto Firewalls
From: Robert Spellman <rspell () BATES EDU>
Date: Sat, 22 Mar 2014 23:00:12 -0400
We have a pair of 5020's. We are running active-active. I don't think too many sites are running active-active. We had some issues with the active-active configuration at first, but it has been stable for two years now. BGP is handled on the edge with a pair of Cisco routers.

Robert Spellman
Bates College
Information and Library Services

On Wed, Mar 19, 2014 at 9:41 AM, Chris Golden <cgolden () leeuniversity edu> wrote:

> We are using OSPF on the PAN 5020's but not BGP. We have some Brocade CER's for that.
>
> -Chris
>
> From: Peter Setlak <psetlak () COLGATE EDU>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Tuesday, March 18, 2014 at 10:44 AM
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Palo Alto Firewalls
>
> It was suggested to us by the sales engineer that while the Palo Alto CAN do BGP, it should not be used for it as it is not built to handle a large convergence. We use separate edge routers built for BGP, which gives us the performance we want and some added protection, for instance ACLs on certain subnets that can keep some traffic from ever hitting the PA in the first place.
>
> On Tue, Mar 18, 2014 at 9:23 AM, Jeremiah Cherwien <jcherwien001 () luthersem edu> wrote:
>
>> Not looking to hijack this thread, but have any of you running the Palo's used the BGP feature? We're mid-implementation with a 3020, and the last slated item is to enable BGP on the Palo to take the place of several Linux boxes that are running Quagga (our routers). Seeing this thread makes me wonder about the wisdom in this, so I'm curious for others' thoughts/results.
>>
>> Miah
>>
>> On Mon, Mar 17, 2014 at 11:38 PM, Will Froning <will.froning () gmail com> wrote:
>>
>>> Hello Shayne,
>>>
>>> These PA questions come up a lot; if you haven't checked the archives you might find some gems. I've also CC'd the Palo Alto Networks EDU list that was created a couple of years back.
>>>
>>> On 18 Mar 2014, at 4:30, T. Shayne Ghere wrote:
>>>
>>>> 1.) How many Palo Alto Firewalls did you purchase?
>>>
>>> We have a pair of 4050s and 5060s. We are looking to upgrade the 4050s as they are 5 years old.
>>>
>>>> 2.) If you purchased just one, what do you have in place in case of a failure?
>>>
>>> We always go for a pair.
>>>
>>>> 3.) If you purchased two for failover capability, are you using them active active, or active passive?
>>>
>>> Active-Passive. We've considered going active-active (A-A), but there's always a fear it will introduce more complication than what it is intended to solve. Having said that, I like the idea of using A-A as a way to grow into more bandwidth.
>>>
>>>> 4.) If you advertise or use full BGP tables (routes), and Palo Alto doesn't support this, how did you solve this if you have multiple Service Providers?
>>>
>>> We considered moving BGP to the firewall briefly, but decided to let our routers do the routing. Part of the problem with the PAN is it's a really good hammer, so you tend to see everything as a nail. There are some great cost savings possible when you consolidate all your edge functions onto the PAN, but at the same time it can make troubleshooting impossibly tough.
>>>
>>>> 5.) Did you look at any other vendors and why did you pick Palo Alto?
>>>
>>> Most recently we looked at Sourcefire. They don't have all the bells and whistles (AV & SSL decryption) we want. When we got our first pair 5+ years ago we looked at everything on the market, but the landscape has completely changed since then.
>>>
>>> If money is the limiting factor, consider going for a pair of 5020s in active-active. You won't get the 10G interface, but the PAN supports trunking/bundling.
>>>
>>> Thanks,
>>> Will
>>>
>>> --
>>> Will Froning
>>> Will.Froning () GMail com
>>
>> --
>> Jeremiah L. Cherwien
>> Assistant Director, IT Services
>> Office of Technology
>> Luther Seminary
>> 2481 Como Ave.
>> St. Paul, MN 55108
>> Ph: 651-641-3512
>> "Quis Custodiet Ipsos Custodes"
>> <http://www.luthersem.edu/>
>
> --
> Thank you,
> Peter J. Setlak
> Network Security Analyst, GSEC, GLEG, GCPM
> Colgate University
> ---
> psetlak () colgate edu
> (315) 228-7151
> Case-Geyer 450
> Colgate IT Security - http://colgate.edu/itsecurity
> Think Green! Please consider the environment before printing this email.
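The design several posters describe above, BGP and coarse filtering on dedicated edge routers so that some traffic never reaches the Palo Alto, is sketched below as an added illustration. This is not configuration from any poster's network; it is a generic Cisco IOS fragment for one of two multi-homed edge routers. The addressing (192.0.2.0/24 as the campus allocation, 192.0.2.240/28 as an internal-only subnet), the documentation ASNs 64496/64497, the peer address 198.51.100.1 and the interface name are all assumptions.

```cisco
! Inbound filter on the ISP-facing interface. Anything denied here is dropped
! at line rate on the router and never costs the firewall a session.
ip access-list extended EDGE-IN
 remark Spoofed: nothing on the Internet legitimately sources packets from our own space
 deny   ip 192.0.2.0 0.0.0.255 any
 remark Bogons: RFC 1918 and loopback sources should never arrive from an upstream
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Internal-only subnet: drop here so the firewall never sees the attempts (log them for visibility)
 deny   ip any 192.0.2.240 0.0.0.15 log
 remark Everything else goes on to the firewall for stateful inspection
 permit ip any any
!
! Outbound filter: only our own prefix may leave, so a compromised host cannot spoof
ip access-list extended EDGE-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Upstream ISP A (eBGP peer)
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 ! Loose-mode uRPF drops sources with no route at all without breaking the
 ! asymmetric paths a multi-homed site sees (strict mode would).
 ip verify unicast source reachable-via any
!
! The eBGP session lives on the router, not the firewall. Announce only our own
! prefix; accept whatever table size the router is sized for (full or default).
ip prefix-list OUR-SPACE seq 5 permit 192.0.2.0/24
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP A
 neighbor 198.51.100.1 prefix-list OUR-SPACE out
```

`show ip access-lists EDGE-IN` shows per-entry hit counts, which is the quickest way to see how much traffic the edge is absorbing before the firewall. The caveat is the flip side of the benefit Peter mentions: whatever the router drops silently is invisible to the firewall's logs and threat reporting, so keep the edge ACL to unambiguous cases (spoofed and bogon sources, subnets that must never be reachable) and log the entries you care about rather than letting them disappear.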
Current thread:
- Palo Alto Firewalls T. Shayne Ghere (Mar 17)
- Re: Palo Alto Firewalls Nathaniel Hall (Mar 17)
- Re: Palo Alto Firewalls Will Froning (Mar 17)
- Re: Palo Alto Firewalls Jeremiah Cherwien (Mar 18)
- Re: Palo Alto Firewalls Bradley, Stephen (Mar 18)
- Re: Palo Alto Firewalls Dan Brisson (Mar 18)
- Re: Palo Alto Firewalls Peter Setlak (Mar 18)
- Re: Palo Alto Firewalls Chris Golden (Mar 19)
- Re: Palo Alto Firewalls Robert Spellman (Mar 22)
- Re: Palo Alto Firewalls Julian Y Koh (Mar 22)
- Re: Palo Alto Firewalls Jeremiah Cherwien (Mar 18)