[c-nsp] Best practice for deploying Palo Alto Networks' firewalls?

Brad McGinn bmcginn at thiess.com.au
Fri May 17 01:14:27 EDT 2013


The v-wire function works just as they say.  It literally seems to work just as a wire.  If the box fails, you can have it fail open or block.  Each interface still needs a zone though and it understands etherchannel too.

It's worth putting that v-wire into a separate v system though as the policy for a pass through can mess with the other policies you may have on the box (eg putting a virtual wire on two interfaces and using the layer 3 way on other interfaces).

Having said that, the 5050 is a pretty chunky box and should be able to handle a load of OSPF calculations fine; but that of course depends on how much traffic and how many OSPF calculations you expect to do.  From what I know, it also has trouble with OSPF reference bandwidth; certainly we've not been able to adjust the reference bandwidth in the Palos, so if you're running 10G as a reference bandwidth in the Cisco kit the Palos probably won't be able to do it, leaving you with different OSPF instances and redistribution I guess.  The Palo code we're on is 5.01.

I've heard that on some smaller Palos, if OSPF is hogging the CPU it really impacts simple access to the device, so if you're going to be pushing a lot of traffic and OSPF operations through it, it is not a good spot to be in between core and dist!

The Palos, however, are really good devices, and the policy enforcement and functionality is up there with the best I think.

My advice would be to use the v-wire; it takes complexity away while still leaving you with the ability to enforce layer 7 policy in hardware.

Brad
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Wilson
Sent: Friday, 17 May 2013 7:46 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Best practice for deploying Palo Alto Networks' firewalls?

We're upgrading our main campus infrastructure to ASR9006s on the border and Nexus 7000s on the core and distribution. Policy gets enforced by Palo Alto Networks PA5050s between core and distribution.

Today the PA5050s are deployed as a routed hop (L3 interfaces). Moving forward, Cisco recommends either enabling OSPF on the PA5050 or converting to VWire. Palo Alto prefers the VWire approach as opposed to OSPF-on-PA5050-L3. While it might seem like a slam dunk, since both vendors recommend VWire, I would love to hear from anyone in the community with caveats or lessons learned.

Palo Alto reassures me that VWire (virtual wire) can be treated like a patch cable, as far as network design goes. Literally break open the wire across two physical interfaces on the PA5050, assign those interfaces to a VWire with zones and policy, and off you go.

Any thoughts? Thanks for your time.

Jeff Wilson
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/