Educause Security Discussion mailing list archives

Re: Palo Alto Implementation


From: "Councill, David" <david.councill () WSU EDU>
Date: Fri, 23 Oct 2015 15:19:33 +0000

We have switched over several of our ASAs to Palo Altos, all in HA pairs. And I am currently in the process of 
switching over our border firewall pair from ASA to PA. There are some differences as you have seen. On the HA pairing, 
PAs do not use the active/standby IPs. In the active/passive HA pairing, the passive PA will deactivate its interfaces 
(except management) thus only the active one will use the IPs. The PAs can serve as the default gateways quite well - 
we trunk all the VLANs over the inside interface and separate them by sub-interfaces, each with their own zone. And we 
use OSPF (within the virtual router) to advertise the networks with a static route out the outside interface. Rules 
(access lists) are also a bit different, particularly in the use of applications rather than ports. It is not difficult 
but there is a learning curve. For a border deployment, particularly if it is a "deny all" except that which is allowed 
by rules, I would recommend at least one of your security folks attend some of the basic PA training to get an idea of 
how PAs operate, particularly if they are going to set up and implement a major firewall.




David Councill
Network Security Engineer
Washington State University
Information Technology Building | PO Box 641222 | Pullman, WA 99164
david.councill () wsu edu
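The deployment David describes (active/passive HA, VLANs trunked to one inside interface and split into sub-interfaces with one zone each, OSPF inside the virtual router plus a static default out the outside interface, application-based rules with a final deny) maps onto a fairly small PAN-OS configuration. The following is an added illustration, not configuration from either poster or from Palo Alto Networks; interface names, VLAN tags, the 10.100.0.0/24 and 10.200.0.0/24 networks, the 203.0.113.1 upstream next hop, the 192.0.2.2 HA peer address and the zone and rule names are all assumed placeholders.

```text
# --- HA: active/passive, one group; the passive unit keeps only its
#     management interface up, so no separate standby IPs are configured ---
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1 mode active-passive
set deviceconfig high-availability group group-id 1 peer-ip 192.0.2.2

# --- Outside (border) interface, zone "untrust" ---
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set zone untrust network layer3 ethernet1/1

# --- Inside trunk: one sub-interface per VLAN, one zone per sub-interface ---
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 tag 100
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.100 ip 10.100.0.1/24
set zone users network layer3 ethernet1/2.100

set network interface ethernet ethernet1/2 layer3 units ethernet1/2.200 tag 200
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.200 ip 10.200.0.1/24
set zone servers network layer3 ethernet1/2.200

# --- Virtual router: all interfaces, static default out the outside,
#     OSPF advertising the inside networks (passive: no neighbours on those VLANs) ---
set network virtual-router default interface [ ethernet1/1 ethernet1/2.100 ethernet1/2.200 ]
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1
set network virtual-router default protocol ospf enable yes
set network virtual-router default protocol ospf router-id 10.100.0.1
set network virtual-router default protocol ospf area 0.0.0.0 type normal
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.100 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.100 passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.200 enable yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/2.200 passive yes

# --- Rules by application, not port: zone-to-zone traffic is only what is listed,
#     and the explicit final deny logs everything that falls through ---
set rulebase security rules users-web-out from users to untrust source any destination any application [ web-browsing ssl dns ] service application-default action allow log-end yes
set rulebase security rules users-to-servers from users to servers source any destination any application [ ssl ssh ] service application-default action allow log-end yes
set rulebase security rules deny-all from any to any source any destination any application any service any action deny log-end yes
```

Two points worth checking before commit on such a build: `service application-default` is what makes the rule application-based (an app on a non-standard port is not allowed), and the OSPF interfaces should be `passive` unless a real OSPF neighbour sits on that VLAN, otherwise every user segment becomes a place to form an adjacency with the border firewall.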




 

-----Original Message-----
Date:    Thu, 22 Oct 2015 13:30:36 -0400
From:    Dennis Bohn <bohn () ADELPHI EDU>
Subject: Palo Alto Implementation

Hello Colleagues,

First of all, sorry for the cross-post if you are subscribed to Educause security and netman. Our border firewalls are 
being replaced from Cisco ASAs to Palo Altos. The responsibility for the firewalls is also moving from Networking to 
Security, since the PAs are more of an IPS than traditional L3-4 firewall. The PAs have been running in an in-line 
so-called transparent mode but now there is a desire to fully replace the ASAs, with all their NATting, PATting and 
L3/4 security postures. I would welcome being in touch with someone who has gone down this road.

For the HA, I was given this document:


https://urldefense.proofpoint.com/v1/url?u=https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF/ta-p/52283&k=EWEYHnIvm0nsSxnW5y9VIw%3D%3D%0A&r=ZVL9qYClKQ5jC32j%2FafW%2BqiXoW28KPT152Q7uJrggis%3D%0A&m=eZ%2BVR9pGMPMzNlaUemXuNZLEx%2BTFwrKgYnHCeRDm724%3D%0A&s=9fd0d743d3e6c03cfff8eaad0fd014e3af4cbf41fb31ca7ea92fe17548cca258

which opens up more questions than it answers, since their design is quite simple in that example. It also looks like 
they are using a floating static route which duplicates an OSPF route to overcome ARP and/or MAC address timeouts, which 
seems a little odd to me, but if it works, great.

We currently have our ASA as default gateway for a number of intermediate zones and I'd be interested in talking to 
someone who has gone through a similar upgrade. It looks to me like if we followed their design for all zones we would 
have to move our default gateways to the internal core, then set up OSPF for each of them and make sure the zone to 
zone traffic only traversed the PAs. (Trying to imagine this gives me a headache.) Amusingly, the document includes 
this statement:
"As it is well understood, OSPF is easy to implement and *troubleshoot*,"
(emphasis mine)

Since I am semi-retired I am no longer on the REN-ISAC list, but our security folks have not been able to give us 
anything useful from that list. Again, would totally welcome input from anyone who has done this.

TIA,
dennis

Dennis Bohn
Manager of Network and Systems (ret)
Adelphi University
bohn () adelphi edu
5168773327


