Educause Security Discussion mailing list archives
Palo Alto Implementation
From: Dennis Bohn <bohn () ADELPHI EDU>
Date: Thu, 22 Oct 2015 13:30:36 -0400
Hello Colleagues,

First of all, sorry for the cross-post if you are subscribed to Educause security and netman.

Our border firewalls are being replaced from Cisco ASAs to Palo Altos. The responsibility for the firewalls is also moving from Networking to Security, since the PAs are more of an IPS than traditional L3-4 firewall. The PAs have been running in an in-line so-called transparent mode, but now there is a desire to fully replace the ASAs, with all their natting, patting and L3/4 security postures. I would welcome being in touch with someone who has gone down this road.

For the HA, I was given this document: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF/ta-p/52283 which opens up more questions than it answers, since their design is quite simple in that example. It also looks like they are using a floating static route which duplicates an OSPF route to overcome ARP and/or MAC address timeouts, which seems a little odd to me, but if it works, great.

We currently have our ASA as default gateway for a number of intermediate zones, and I'd be interested in talking to someone who has gone through a similar upgrade. It looks to me like if we followed their design for all zones we would have to move our default gateways to the internal core, then set up OSPF for each of them and make sure the zone-to-zone traffic only traversed the PAs. (Trying to imagine this gives me a headache.)

Amusingly, the document includes this statement: "As it is well understood, OSPF is easy to implement and *troubleshoot*" (emphasis mine).

Since I am semi-retired I am no longer on the REN-ISAC list, but our security folks have not been able to give us anything useful from that list.

Again, would totally welcome input from anyone who has done this.

TIA,
dennis

Dennis Bohn
Manager of Network and Systems (ret)
Adelphi University
bohn () adelphi edu
5168773327
Current thread:
- Palo Alto Implementation Dennis Bohn (Oct 22)
- <Possible follow-ups>
- Re: Palo Alto Implementation Councill, David (Oct 23)
- Re: Palo Alto Implementation Kapucu, Ali (Oct 23)
- Re: Palo Alto Implementation Alan Amesbury (Oct 23)
- Re: Palo Alto Implementation Kapucu, Ali (Oct 26)
- Re: Palo Alto Implementation Alan Amesbury (Oct 23)