Educause Security Discussion mailing list archives

Palo Alto Implementation


From: Dennis Bohn <bohn () ADELPHI EDU>
Date: Thu, 22 Oct 2015 13:30:36 -0400

Hello Colleagues,

First of all, sorry for the cross-post if you are subscribed to Educause
security and netman. Our border firewalls are being replaced from Cisco
ASAs to Palo Altos. The responsibility for the firewalls is also moving
from Networking to Security, since the PAs are more of an IPS than
traditional L3-4 firewall. The PAs have been running in an in-line
so-called transparent mode but now there is a desire to fully replace the
ASAs, with all their natting, patting and L3/4 security postures. I would
welcome being in touch with someone who has gone down this road.

For the HA, I was given this document:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF/ta-p/52283

which opens up more questions than it answers, since their design is quite
simple in that example. It also looks like they are using a floating static
route which duplicates an OSPF route to overcome ARP and/or MAC address
timeouts, which seems a little odd to me, but if it works, great.

We currently have our ASA as default gateway for a number of intermediate
zones and I'd be interested in talking to someone who has gone through a
similar upgrade. It looks to me like if we followed their design for all
zones we would have to move our default gateways to the internal core, then
set up OSPF for each of them and make sure the zone to zone traffic only
traversed the PAs. (Trying to imagine this gives me a headache.) Amusingly,
the document includes this statement:
"As it is well understood, OSPF is easy to implement and *troubleshoot*,"
(emphasis mine)

Since I am semi-retired I am no longer on the REN-ISAC list, but our
security folks have not been able to give us anything useful from that
list. Again, would totally welcome input from anyone who has done this.

TIA,
dennis

Dennis Bohn
Manager of Network and Systems (ret)
Adelphi University
bohn () adelphi edu
5168773327
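The floating-static-over-OSPF arrangement the post puzzles over can be made concrete with a small route-selection model. This is an added example, not code from the post, the linked Palo Alto article, or any vendor; the administrative distances (OSPF 110, floating static 250) are assumed Cisco-style values, the next hops and prefixes are constructed, and the point it shows is that a static route only acts as a "floating" backup when its distance is set above the dynamic protocol's, so it takes over exactly during the window when OSPF routes are gone (for instance while an adjacency re-forms after an HA failover) and otherwise stays silent.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One candidate routing-table entry (constructed model, not any vendor's format)."""
    prefix: IPv4Network
    next_hop: str
    source: str          # "ospf" or "static"
    admin_distance: int  # lower wins when prefix length ties
    metric: int = 0


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Select a route the way a typical router does: longest prefix match,
    then lowest administrative distance, then lowest metric."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, r.admin_distance, r.metric))


def withdraw(table: List[Route], source: str) -> List[Route]:
    """Drop every route learned from `source`, e.g. OSPF routes lost when an
    adjacency drops during failover."""
    return [r for r in table if r.source != source]


# Assumed administrative distances (Cisco-style defaults, not taken from the post):
# OSPF 110. The floating static is deliberately given a distance *above* OSPF so it
# only wins when OSPF has nothing to offer. A plain static at distance 1 would
# permanently shadow the OSPF route instead of backing it up.
OSPF_AD = 110
FLOATING_STATIC_AD = 250


def build_table(floating_ad: int = FLOATING_STATIC_AD) -> List[Route]:
    """Constructed table: an OSPF default route, a duplicate static default route
    with the given distance, and one OSPF-learned internal prefix."""
    default = ip_network("0.0.0.0/0")
    return [
        Route(default, "10.0.0.2", "ospf", OSPF_AD, metric=20),      # learned from core
        Route(default, "10.0.0.2", "static", floating_ad),           # floating backup
        Route(ip_network("10.10.0.0/16"), "10.0.0.2", "ospf", OSPF_AD, metric=10),
    ]


def failover_scenario(floating_ad: int = FLOATING_STATIC_AD):
    """Return (route source before, route source after) for a default-routed
    destination when all OSPF routes vanish."""
    table = build_table(floating_ad)
    before = best_route(table, "8.8.8.8").source
    after = best_route(withdraw(table, "ospf"), "8.8.8.8").source
    return before, after


if __name__ == "__main__":
    # Correct floating static: OSPF carries traffic, static only covers the gap.
    print(failover_scenario())
    # Misconfigured: distance 1 makes the static shadow OSPF all the time.
    print(failover_scenario(1))
```

Running it prints `('ospf', 'static')` for the intended configuration and `('static', 'static')` for the misconfigured one, which is the check worth doing before trusting a duplicated route: confirm in the live table that the dynamic route is the one actually installed, and that the static only appears once the dynamic one is withdrawn.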
