[c-nsp] Best practice for deploying Palo Alto Networks' firewalls?

Jeff Wilson jazzbotley at gmail.com
Thu May 16 17:45:48 EDT 2013


We're upgrading our main campus infrastructure to ASR9006's on the border
and Nexus7000's on the core and distribution. Policy gets enforced by Palo
Alto Networks PA5050's between core and distribution.

Today the PA5050's are deployed as a routed hop (L3 interfaces). Moving
forward, Cisco recommends either enabling OSPF on the PA5050 or converting
to VWire. Palo Alto prefers the VWire approach as opposed to
OSPF-on-PA5050-L3. While it might seem like a slam dunk - both vendors
recommend VWire - I would love to hear from anyone in the community with
caveats or lessons learned.

Palo Alto reassures me that VWire (virtual wire) can be treated like a
patch cable, as far as network design goes. Literally break open the wire
across two physical interfaces on the PA5050, assign those interfaces to a
VWire with zones and policy, and off you go.

Any thoughts? Thanks for your time.

Jeff Wilson

