Re: Palo Alto Firewalls

["Bradley, Stephen" <bradlesw () MIAMIOH EDU>]

I learned a long time ago that you let a box do what it does best.  If you
want routing use a router.

One of the best things we did after I got here was to move our BGP out to
real routers, not big switches that "can" route or firewalls that "can"
route but to devices that do what they do best.

Just my opinion though YMMV.


steve

(We do have PANs and no, they do not route.)



On Tue, Mar 18, 2014 at 9:23 AM, Jeremiah Cherwien <
jcherwien001 () luthersem edu> wrote:

> Not looking to hijack this thread, but have any of you running the Palo's
> used the BGP feature?
>
> We're mid implementation with a 3020, and the last slated item is to
> enable BGP on the Palo to take the place of several linux boxes that are
> running Quagga (Our routers).  Seeing this thread makes me wonder the
> wisdom in this, so I'm curious for other's thoughts/results.
>
> Miah
>
>
> On Mon, Mar 17, 2014 at 11:38 PM, Will Froning <will.froning () gmail com>wrote:
>
> > Hello Shayne,
> >
> > These PA questions come up a lot, if you haven't checked the archives you
> > might find some gems. I've also CC'd the Palo Alto Network's EDU list that
> > was created a couple years back.
> >
> >
> > On 18 Mar 2014, at 4:30, T. Shayne Ghere wrote:
> >
> >  1.)     How many Palo Alto Firewalls did you purchase?
> > >
> >
> > We have a pair of 4050s and 5060s. We are looking to upgrade the 4050s as
> > they are 5 years old.
> >
> >
> >  2.)    If you purchased just one, what do you have in place in case of a
> > > failure?
> >
> > We always go for a pair.
> >
> >
> >  3.)    If you purchased two for failover capability, are you using them
> > > active active, or active passive?
> >
> > Active-Passive. We've considered going active-active (A-A), but there's
> > always a fear it will introduce more complication than what it is intended
> > to solve. Having said that, I like the idea of using A-A as a way to grow
> > into more bandwidth.
> >
> >
> >  4.)    If you advertise or use full BGP tables (routes), and Palo Alto
> > > doesn't support this, how did you solve this if you have multiple Service
> > > Providers?
> >
> > We considered moving BGP to the firewall briefly, but decided to let our
> > routers do the routing. Part of the problem with the PAN is it's a really
> > good hammer, so you tend to see everything as a nail.
> >
> > There are some great cost saving possible when you consolidate all your
> > edge functions onto the PAN, but at the same time it can make
> > troubleshooting impossibly tough.
> >
> >
> >  5.)    Did you look at any other vendors and why did you pick Palo Alto?
> > >
> >
> > Most recently we looked at Sourcefire. They do't have all the bells and
> > whistles (AV & SSL decryption) we want. When we got our first pair 5+ years
> > ago we looked at everything on the market, but the landscape has completely
> > changed since then.
> >
> > If money is the limiting factor, consider going for a pair of 5020s in
> > active-active. You won't get the 10G interface, but the PAN supports
> > trunking/bundling.
> >
> > Thanks,
> > Will
> >
> > --
> > Will Froning
> > Will.Froning () GMail com
>
>
>
> --
> Jeremiah L. Cherwien
> *Assistant Director, IT Services*
> Office of Technology
> *Luther Seminary*
> 2481 Como Ave.
> St. Paul, MN 55108
> Ph:  651-641-3512
>
> *"Quis Custodiet Ipsos Custodes"*
> <http://www.luthersem.edu/>



-- 
Stephen W. Bradley CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University
IT Services
bradlesw () miamioh edu
513-529-1809