
Palo Alto Networks Verified Designs

PAN-OS 4.0
October 2011
Tap Mode Deployment (1)

Figure: single tap point. Traffic between the Internet and the internal network is mirrored from a SPAN port on the switch into a tap port on the firewall. The firewall receives only a copy of the traffic and is not in the forwarding path, so it can classify, log and alert but cannot block.

Page 2 | © 2011 Palo Alto Networks. Proprietary and Confidential.


Tap Mode Deployment (2)

Figure: one tap point, two directions. The SPAN port on the switch delivers the outbound flow and the inbound flow to two separate tap ports on the firewall. Both directions have to reach the firewall for a session to be seen whole.



Tap Mode Deployment (3)

Figure: two tap points. Two tap ports on the firewall are each fed from a different mirror point on the path to the Internet, so one firewall monitors both points at once.



Virtual Wire with Active/Passive HA

Figure: A/P firewall 1 and A/P firewall 2 each form a virtual wire between E1/1 and E1/2. E1/1 of each firewall faces Router A / Router B (Internet/Network A); E1/2 faces Router C / Router D (Network B). HA1 and HA2 links connect the pair.



Virtual Wire with Active/Active HA

Figure: the same virtual-wire layout with an Active/Active pair. Router A and Router B (labelled 1.1.1.1 and 1.1.1.2) on the Internet/Network A side, Router C and Router D on the Network B side; HA1, HA2 and HA3 links connect the two firewalls.



Virtual Wire with A/A HA and Link Agg (1)

Figure: Switch 1 and Switch 2 (Internal Network) reach the firewall pair over multi-link trunks, and the firewall pair reaches Switch 3 and Switch 4 (Internal Network) over multi-link trunks.



Virtual Wire with A/A HA and Link Agg (2)

Figure: as in (1), with the HA1, HA2 and HA3 links between the two Active/Active firewalls drawn in: Switch 1 and Switch 2 (Internal Network) above, multi-link trunks to the firewalls, multi-link trunks down to Switch 3 and Switch 4 (Internal Network).



Virtual Wire with A/A HA and Link Agg (3)

Figure: the same design built on Juniper EX Virtual Chassis. An EX4200 Virtual Chassis member on the upper Internal Network side connects by multi-link trunking to the Active/Active pair (HA1, HA2, HA3), which connects to an EX Virtual Chassis of two EX4200 members on the lower Internal Network side.



Virtual Wire with Bypass Switch

Figure: Internet -> Internet Gateway (.254 on 198.51.100.0/24) -> Bypass Switch -> firewall in virtual wire -> 198.51.100.0/24 network. If the firewall fails or is taken out of service the bypass switch closes the path around it, so the segment stays up but is no longer inspected.



Horizontal Scaling with Load Balancers

Figure: a virtual wire (eth1/1 to eth1/2) sits between an external and an internal load balancer and carries an 802.1Q trunk with vlan10, vlan20 and vlan30, so several firewalls can be placed in parallel and the load balancers spread sessions across them.

  External Network, load balancer labelled 192.168.1.1
  External load balancer VLAN trunk:  Vlan10: 10.10.10.1, Vlan20: 10.10.20.1, Vlan30: 10.10.30.1
  Firewall:  eth1/1 (vlan10, vlan20, vlan30) --vwire-- eth1/2
  Internal load balancer VLAN trunk:  Vlan10: 10.10.10.2, Vlan20: 10.10.20.2, Vlan30: 10.10.30.2
  Internal Network, load balancer labelled 192.168.2.1
  10G links to the DMZ segments



Layer 2 - Simple L2 interfaces (non-trunked)

Figure: a firewall pair (HA1, HA2) with untagged Layer 2 interfaces bridging the segments on either side.



Layer 2 - VLAN rewrite (trunked)

Figure: a firewall pair (HA1, HA2) with an 802.1Q trunk on each side. VLAN101 on one trunk is bridged to VLAN101 on the other and VLAN102 to VLAN102; the tag can be rewritten per VLAN as it crosses the firewall.



L2 & L3 Combination (1)

Figure: one firewall terminates an L3 segment and several L2 segments, the latter attached by direct connections and VLAN trunks.



L2 & L3 Combination (2)

Figure: the two L2 segments are bridged into one broadcast domain (BC-network50); the L3 segment is routed separately.



L2 & L3 Combination (3)

Figure: interface and zone assignment.

  Ethernet1/1   L2 segment 192.168.50.0/24   Engineering zone
  Ethernet1/2   L2 segment 192.168.50.0/24   Prod-management zone
  Virtual IP on the 192.168.50.0/24 broadcast domain   IP-BC zone
  Ethernet1/3   L3 segment 192.168.1.0/24    Intranet zone



OSPF with Active/Passive HA

Figure: an A/P firewall pair between two edge routers and two internal routers. The routers and firewalls shown are all in OSPF area 0.0.0.0. The passive firewall has the same IP addresses as the active one; HA1 and HA2 links connect the pair.

  Internet
  edge router A -- edge router B          192.0.2.33/30 -- 192.0.2.34/30
  outside /29:  edge router A 192.0.2.1/29, edge router B 192.0.2.2/29, firewall 192.0.2.3/29
  A/P firewall 1 (RID 192.0.2.17) == HA1, HA2 == A/P firewall 2 (same IP addresses as the other firewall)
  inside /29:   firewall 192.0.2.11/29, internal router A 192.0.2.9/29, internal router B 192.0.2.10/29
  internal router A -- internal router B  192.0.2.37/30 -- 192.0.2.38/30
  Datacenter



OSPF with Active/Active HA

Figure: a full mesh of /30 point-to-point links between two edge routers, the Active/Active firewalls and two internal routers. The routers and firewalls shown are all in OSPF area 0.0.0.0, and there are no floating IPs in this scenario. Legend: OSPF link costs 5, 10 and 100, assigned per link in the diagram.

  edge router A -- edge router B          192.0.2.33/30 -- 192.0.2.34/30
  edge router A -- A/A firewall 1         192.0.2.1/30  -- 192.0.2.2/30
  edge router A -- A/A firewall 2         192.0.2.9/30  -- 192.0.2.10/30
  edge router B -- A/A firewall 1         192.0.2.13/30 -- 192.0.2.14/30
  edge router B -- A/A firewall 2         192.0.2.5/30  -- 192.0.2.6/30
  A/A firewall 1 -- internal router A     192.0.2.17/30 -- 192.0.2.18/30
  A/A firewall 1 -- internal router B     192.0.2.21/30 -- 192.0.2.22/30
  A/A firewall 2 -- internal router A     192.0.2.29/30 -- 192.0.2.30/30
  A/A firewall 2 -- internal router B     192.0.2.25/30 -- 192.0.2.26/30
  internal router A -- internal router B  192.0.2.37/30 -- 192.0.2.38/30

  A/A firewall 1: RID 192.0.2.17. A/A firewall 2: RID 192.0.2.25. HA1, HA2 and HA3 links between them. Datacenter below the internal routers.



Typical eBGP

Figure: ISP A and ISP B each peer by eBGP with their own perimeter firewall; both perimeter firewalls front the Internal Network.



Full-Mesh Multi-homed eBGP with A/P HA

Figure: an A/P firewall pair (AS 40000, RID 198.51.100.2; HA1 and HA2 links; the passive firewall has the same IP addresses as the active one) peers by eBGP with both ISPs.

  ISP A  AS 40001, RID 198.51.100.1, addresses 198.51.100.1 and 198.51.100.5
  ISP B  AS 50001, RID 192.0.2.1, addresses 192.0.2.1 and 192.0.2.5
  A/P firewall 1 / A/P firewall 2  198.51.100.2 toward ISP A, 192.0.2.6 toward ISP B, 203.0.113.2 toward the Internal Network



Full-Mesh Multi-homed eBGP with A/A HA

Figure: both Active/Active firewalls (AS 40000; HA1, HA2 and HA3 links) peer by eBGP with both ISPs, so every firewall-to-ISP pairing is a separate session.

  ISP A  AS 40001, RID 198.51.100.1, addresses 198.51.100.1 and 198.51.100.5
  ISP B  AS 50001, RID 192.0.2.1, addresses 192.0.2.1 and 192.0.2.5
  A/A Firewall 1  RID 198.51.100.2; 198.51.100.2 toward ISP A, 192.0.2.6 toward ISP B; 203.0.113.2 internal
  A/A Firewall 2  RID 198.51.100.6; 198.51.100.6 toward ISP A, 192.0.2.2 toward ISP B; 203.0.113.3 internal
  Internal VIP 203.0.113.1 on the Internal Network side



Typical Multi-Segment Firewall Deployment

Figure: Corporate Network -> Router VIP 203.0.113.1/24 (Layer 3 routed boundary) -> Layer 2 switch -> HA firewall pair -> Layer 2 switch -> three server VLANs. Each firewall interface has its own address on the primary and on the secondary unit plus an HA firewall VIP (the slide labels both the router VIP and the firewalls' eth1 VIP as 203.0.113.1/24).

  Interface   Primary HA Firewall   Secondary HA Firewall   HA Firewall VIP
  eth1        203.0.113.2/24        203.0.113.3/24          203.0.113.1/24
  eth2        10.1.100.2/24         10.1.100.3/24           10.1.100.1/24
  eth3        10.1.101.2/24         10.1.101.3/24           10.1.101.1/24
  eth4        10.1.102.2/24         10.1.102.3/24           10.1.102.1/24

  Web VLAN          VLAN 100   10.1.100.0/24
  Application VLAN  VLAN 101   10.1.101.0/24
  Database VLAN     VLAN 102   10.1.102.0/24

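The following Python script is an added example and is not part of the Palo Alto Networks deck: it sanity-checks two of the address plans in this deck with the standard-library ipaddress module, the way a practitioner would before committing a configuration. The /30 endpoints are transcribed from the "OSPF with Active/Active HA" slide and the per-interface addresses from the "Typical Multi-Segment Firewall Deployment" slide; which edge router owns which /30 endpoint is read from the slide's column layout and is therefore an assumption, as are the function names and the rule set.

```python
"""Added example, not taken from the Palo Alto Networks deck: sanity-check an
address plan with the standard-library ipaddress module before it is committed.

Two data sets are transcribed from the slide labels: the /30 point-to-point
links of the "OSPF with Active/Active HA" design and the per-interface
addresses of the "Typical Multi-Segment Firewall Deployment". Which edge
router owns which /30 endpoint is read from the slide's column layout, so
that assignment is an assumption; the function names and rules are mine.
"""
from collections import defaultdict
import ipaddress

# (device, address/prefix) as labelled on the OSPF Active/Active slide.
OSPF_AA_LINKS = [
    ("edge router A", "192.0.2.33/30"), ("edge router A", "192.0.2.1/30"),
    ("edge router A", "192.0.2.9/30"),
    ("edge router B", "192.0.2.34/30"), ("edge router B", "192.0.2.5/30"),
    ("edge router B", "192.0.2.13/30"),
    ("firewall 1", "192.0.2.2/30"), ("firewall 1", "192.0.2.14/30"),
    ("firewall 1", "192.0.2.17/30"), ("firewall 1", "192.0.2.21/30"),
    ("firewall 2", "192.0.2.10/30"), ("firewall 2", "192.0.2.6/30"),
    ("firewall 2", "192.0.2.29/30"), ("firewall 2", "192.0.2.25/30"),
    ("internal router A", "192.0.2.18/30"), ("internal router A", "192.0.2.30/30"),
    ("internal router A", "192.0.2.37/30"),
    ("internal router B", "192.0.2.22/30"), ("internal router B", "192.0.2.26/30"),
    ("internal router B", "192.0.2.38/30"),
]

# Per-interface addresses from the multi-segment slide: the address of each
# HA member plus the floating address (VIP) that the server VLANs use.
MULTISEG_PRIMARY = {"eth1": "203.0.113.2/24", "eth2": "10.1.100.2/24",
                    "eth3": "10.1.101.2/24", "eth4": "10.1.102.2/24"}
MULTISEG_SECONDARY = {"eth1": "203.0.113.3/24", "eth2": "10.1.100.3/24",
                      "eth3": "10.1.101.3/24", "eth4": "10.1.102.3/24"}
MULTISEG_VIPS = {"eth1": "203.0.113.1/24", "eth2": "10.1.100.1/24",
                 "eth3": "10.1.101.1/24", "eth4": "10.1.102.1/24"}


def check_addresses(entries):
    """Problems in a flat (device, cidr) list: a host part equal to the network
    or broadcast address, one host address used on two devices, and a /30 that
    does not have exactly two ends. Returns [] when the plan is consistent."""
    problems = []
    owners = defaultdict(set)   # host address -> devices that use it
    by_net = defaultdict(list)  # network -> devices with an address in it
    for device, cidr in entries:
        itf = ipaddress.ip_interface(cidr)
        net = itf.network
        if net.prefixlen < 31 and itf.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{device}: {cidr} is the network or broadcast address of {net}")
        owners[itf.ip].add(device)
        by_net[net].append(device)
    for ip, devs in sorted(owners.items()):
        if len(devs) > 1:
            problems.append(f"{ip} is configured on more than one device: {sorted(devs)}")
    for net, devs in sorted(by_net.items()):
        if net.prefixlen == 30 and len(devs) != 2:
            problems.append(f"point-to-point {net} has {len(devs)} end(s): {sorted(devs)}")
    return problems


def p2p_links(entries):
    """Map each /30 network (as a string) to the sorted pair of devices on it."""
    by_net = defaultdict(list)
    for device, cidr in entries:
        itf = ipaddress.ip_interface(cidr)
        if itf.network.prefixlen == 30:
            by_net[str(itf.network)].append(device)
    return {net: tuple(sorted(devs)) for net, devs in by_net.items()}


def check_ha_vips(primary, secondary, vips):
    """For a design with per-member addresses plus a floating address: every
    interface needs all three, in one subnet, and all three must differ."""
    problems = []
    for iface in sorted(set(primary) | set(secondary) | set(vips)):
        if not (iface in primary and iface in secondary and iface in vips):
            problems.append(f"{iface}: missing primary, secondary or floating address")
            continue
        p, s, v = (ipaddress.ip_interface(x[iface]) for x in (primary, secondary, vips))
        if not (p.network == s.network == v.network):
            problems.append(f"{iface}: {p}, {s} and {v} are not in one subnet")
        if len({p.ip, s.ip, v.ip}) != 3:
            problems.append(f"{iface}: primary, secondary and floating addresses must all differ")
    return problems


if __name__ == "__main__":
    for net, pair in sorted(p2p_links(OSPF_AA_LINKS).items()):
        print(f"{net:16} {pair[0]} <-> {pair[1]}")
    print("OSPF A/A problems:", check_addresses(OSPF_AA_LINKS))
    print("multi-segment problems:",
          check_ha_vips(MULTISEG_PRIMARY, MULTISEG_SECONDARY, MULTISEG_VIPS))
```

Run as a plain script: it prints the ten recovered point-to-point links and an empty problem list for both plans. The useful part is what it reports on a plan that is wrong: an address pasted onto a second device, a /30 with a third member, or a secondary firewall whose eth3 address was typed into the wrong subnet, each of which would otherwise surface only as a failed adjacency or a failover that does not take over.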


Active/Passive L3 HA with Link Aggregation

Figure: Corporate Network -> virtual router (a pair of redundant routers in a virtual configuration, Router VIP 203.0.113.1/24) -> virtual switch (a pair of switches in a virtual switch configuration) -> Firewall A (primary) and Firewall B (secondary, same config as the active firewall) -> virtual switch -> server VLANs. VLAN 100, VLAN 101 and VLAN 102 are all 802.1Q tagged up a single link-aggregated trunk port to the PA-5050s.

  Aggregate Ethernet groups:
    ae1 = e1/1 and e1/2   toward the routers; labelled 203.0.113.2/24 at the link and 203.0.113.1/24 in the interface list
    ae2 = e1/9 and e1/10  802.1Q trunk carrying VLANs 100, 101 and 102

  Firewall A (primary) interface list:
    ae2.100 - 10.1.100.1/24
    ae2.101 - 10.1.101.1/24
    ae2.102 - 10.1.102.1/24
    HA1     - 192.168.1.1/30
  Firewall B (secondary): same config as the active firewall; HA1 - 192.168.1.2/30. HA1 and HA2 links connect the pair.

  Web VLAN          VLAN 100   10.1.100.0/24
  Application VLAN  VLAN 101   10.1.101.0/24
  Database VLAN     VLAN 102   10.1.102.0/24

L3 Firewall on a stick

Figure: one VLAN trunk on Ethernet1/8 carries two L2 segments to the firewall, which routes between them on sub-interfaces:

  Sub-interface 1/8.10   zone VLAN10   192.168.1.2/24   (VLAN10 L2 segment)
  Sub-interface 1/8.20   zone VLAN20   10.0.0.1/24      (VLAN20 L2 segment)



L3 Firewall on a stick

Figure: the same layout without addresses: the VLAN 10 and VLAN 20 L2 segments reach the firewall over one VLAN trunk.

