Educause Security Discussion mailing list archives

Re: Palo Alto Implementation


From: "Kapucu, Ali" <akapucu () KENT EDU>
Date: Fri, 23 Oct 2015 15:40:38 +0000

We have Active/Passive units directly attached to our Core via OSPF; we receive a default route from the core and advertise 
all the networks behind the PA. Each subnet has its own zone. 90% of subnets are sub-interfaces on the internal side. In some 
cases we do a VLAN interface instead of a sub-interface. We have a User-ID implementation as well, so we can match every 
single campus IP (wired/wireless) to an Active Directory username.

For a border deployment you can separate route instances, so you can run BGP with your ISP and run OSPF internally and 
keep them separate.

—
Ali






On 10/23/15, 11:19 AM, "The EDUCAUSE Security Constituent Group Listserv on behalf of Councill, David" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of david.councill () WSU EDU> wrote:

We have switched over several of our ASAs to Palo Altos, all in HA pairs. And I am currently in the process of 
switching over our border firewall pair from ASA to PA. There are some differences, as you have seen. On the HA 
pairing, PAs do not use the active/standby IPs. In the active/passive HA pairing, the passive PA will deactivate its 
interfaces (except management), so only the active one will use the IPs. The PAs can serve as the default gateways 
quite well - we trunk all the VLANs over the inside interface and separate them by sub-interfaces, each with its own 
zone. And we use OSPF (within the virtual router) to advertise the networks, with a static route out the outside 
interface. Rules (access lists) are also a bit different, particularly in the use of applications rather than ports. 
It is not difficult, but there is a learning curve. For a border deployment, particularly if it is a "deny all" except 
that which is allowed by rules, I would recommend at least one of your security folks attend some of the basic PA 
training to get an idea of how PAs operate, particularly if they are going to set up and implement a major firewall.


__


David Councill
Network Security Engineer
Washington State University
Information Technology Building | PO Box 641222 | Pullman, WA 99164
david.councill () wsu edu
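Added here as an illustration of the design both replies describe (a trunked inside interface split into per-VLAN sub-interfaces with one zone each, OSPF inside a virtual router with a static default route, rules written against applications rather than ports, and a second virtual router so BGP to the ISP stays separate from internal OSPF). It is not configuration from either poster; it is written in PAN-OS configuration-mode `set` syntax, and every interface name, VLAN tag, address, AS number, zone name and virtual-router name is an assumption chosen for illustration.

```text
# Inside trunk ethernet1/2: one sub-interface per VLAN, one zone per subnet
# (interface names, tags, addresses, AS and zone names are assumed example values)
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 tag 10
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.10 ip 10.10.0.1/24
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 tag 20
set network interface ethernet ethernet1/2 layer3 units ethernet1/2.20 ip 10.20.0.1/24
set zone Students network layer3 ethernet1/2.10
set zone Servers network layer3 ethernet1/2.20

# Routed link to the core (the OSPF neighbour) and the outside interface, each in its own zone
set network interface ethernet ethernet1/3 layer3 ip 10.255.0.1/30
set zone Core network layer3 ethernet1/3
set network interface ethernet ethernet1/1 layer3 ip 203.0.113.2/30
set zone Untrust network layer3 ethernet1/1

# Internal virtual router: OSPF area 0 forms an adjacency only on the core link;
# the VLAN sub-interfaces are passive, so their networks are advertised but no
# host on those VLANs can become an OSPF neighbour
set network virtual-router Internal interface [ ethernet1/3 ethernet1/2.10 ethernet1/2.20 ]
set network virtual-router Internal protocol ospf enable yes
set network virtual-router Internal protocol ospf router-id 10.255.0.1
set network virtual-router Internal protocol ospf area 0.0.0.0 type normal
set network virtual-router Internal protocol ospf area 0.0.0.0 interface ethernet1/3 enable yes
set network virtual-router Internal protocol ospf area 0.0.0.0 interface ethernet1/2.10 enable yes
set network virtual-router Internal protocol ospf area 0.0.0.0 interface ethernet1/2.10 passive yes
set network virtual-router Internal protocol ospf area 0.0.0.0 interface ethernet1/2.20 enable yes
set network virtual-router Internal protocol ospf area 0.0.0.0 interface ethernet1/2.20 passive yes
# Default route points at the border virtual router rather than at an IP next hop
set network virtual-router Internal routing-table ip static-route default destination 0.0.0.0/0 nexthop next-vr Border

# Border virtual router: eBGP with the ISP lives here, separate from the OSPF instance
set network virtual-router Border interface ethernet1/1
set network virtual-router Border protocol bgp enable yes
set network virtual-router Border protocol bgp router-id 203.0.113.2
set network virtual-router Border protocol bgp local-as 64512
set network virtual-router Border routing-table ip static-route to-campus destination 10.0.0.0/8 nexthop next-vr Internal

# Rules are written in terms of applications, not ports; finish with an explicit logged deny
set rulebase security rules Students-to-Servers from Students to Servers source any destination any application [ ssl web-browsing ] service application-default action allow
set rulebase security rules Deny-All from any to any source any destination any application any service any action deny log-end yes
```

Because the passive HA member deactivates its data-plane interfaces, the same configuration is synchronised to both units and only the active one answers on these addresses.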






-----Original Message-----
Date:    Thu, 22 Oct 2015 13:30:36 -0400
From:    Dennis Bohn <bohn () ADELPHI EDU>
Subject: Palo Alto Implementation

Hello Colleagues,

First of all, sorry for the cross-post if you are subscribed to Educause security and netman. Our border firewalls are 
being replaced from Cisco ASAs to Palo Altos. The responsibility for the firewalls is also moving from Networking to 
Security, since the PAs are more of an IPS than a traditional L3-4 firewall. The PAs have been running in an in-line, 
so-called transparent mode, but now there is a desire to fully replace the ASAs, with all their NATting, PATting and 
L3/4 security postures. I would welcome being in touch with someone who has gone down this road.

For the HA, I was given this document:


https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF/ta-p/52283

which opens up more questions than it answers, since their design is quite simple in that example. It also looks like 
they are using a floating static route which duplicates an OSPF route to overcome ARP and/or MAC address timeouts, 
which seems a little odd to me, but if it works, great.

We currently have our ASA as default gateway for a number of intermediate zones and I'd be interested in talking to 
someone who has gone through a similar upgrade. It looks to me like if we followed their design for all zones we would 
have to move our default gateways to the internal core, then set up OSPF for each of them and make sure the zone to 
zone traffic only traversed the PAs. (Trying to imagine this gives me a headache.) Amusingly, the document includes 
this statement:
"As it is well understood, OSPF is easy to implement and *troubleshoot*,"
(emphasis mine)

Since I am semi-retired I am no longer on the REN-ISAC list, but our security folks have not been able to give us 
anything useful from that list. Again, would totally welcome input from anyone who has done this.

TIA,
dennis

Dennis Bohn
Manager of Network and Systems (ret)
Adelphi University
bohn () adelphi edu
5168773327


