Wednesday, January 3, 2018

Hold my hand through some PAN-OS concepts?

A Palo Alto deployment project has fallen into my lap. I'm in unfamiliar territory and need my assumptions checked.

The basic topology looks like this:

HQ site

  • Single PA 820
  • Two "small business" style ISPs, each with a handful of static IPs (no BGP)
  • NAT traffic outbound with failover between ISPs
  • An IP SLA style scheme to validate ISP health, facilitate NAT failover
  • Speak OSPF with internal L3 devices
  • L2 firewall features to protect Internet-facing devices with IPs in the same subnet as the PA 820
  • GRE-in-IPSec to remote sites, one tunnel over each ISP
  • Speak eBGP to remote sites for tunnel selection
  • Speak sparse mode PIM on LAN and Tunnel interfaces

Remote sites

  • Single PA 220
  • Single "small business" style ISP with a handful of static IPs (no BGP)
  • Two GRE-in-IPSec tunnels to the PA 820 at HQ, one via each ISP at HQ
  • Outbound NAT for internal users
  • Handful of subnets/VLANs for internal users
  • 802.1Q trunks to L2-only access switches
  • L2 firewall features to protect Internet-facing devices with IPs in the same subnet as the PA 220

If I were building this GRE/IPSec scheme with Cisco routers, I'd probably do this:

  • Put each external interface on the HQ box into a dedicated VRF (ISP-A and ISP-B)
  • Use the tunnel vrf directive on the GRE interfaces so they'll be transported by the appropriate ISP.
  • Leak the default route from the external VRFs to the global table with IP SLA facilitating some twiddling of the admin distance.
  • Configure interface-based overload NAT on each ISP-facing interface.
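As an added illustration (not the post's own configuration) of the Cisco approach just listed, here is a constructed IOS fragment for the HQ side: two ISP VRFs, a GRE-in-IPsec tunnel carried by ISP-A via tunnel vrf, an IP SLA probe driving a tracked default route leaked into the global table, and interface-overload NAT keyed on the egress interface. Addresses (RFC 5737 documentation ranges), interface names and the IPsec profile REMOTE-SITES are assumptions, and the exact NAT syntax when the outside interface sits in a VRF varies by IOS release and should be checked against the platform in use.

```cisco
! Added example, not from the post. Addresses are constructed
! (RFC 5737 documentation ranges); ISP-B mirrors ISP-A and is abbreviated.
ip vrf ISP-A
 rd 65000:1
ip vrf ISP-B
 rd 65000:2
interface GigabitEthernet0/0
 description ISP-A handoff, lives in its own VRF
 ip vrf forwarding ISP-A
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1
 description ISP-B handoff
 ip vrf forwarding ISP-B
 ip address 198.51.100.10 255.255.255.248
 ip nat outside
interface GigabitEthernet0/2
 description inside, OSPF toward LAN L3 switches
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
! Tunnel interface stays in the global table; "tunnel vrf" makes the GRE
! encapsulated packets route via ISP-A regardless of the global default.
! The IPsec profile REMOTE-SITES is assumed to be defined elsewhere.
interface Tunnel1
 description GRE-in-IPsec to remote site via ISP-A
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
 tunnel vrf ISP-A
 tunnel protection ipsec profile REMOTE-SITES
!
! Probe ISP-A's gateway from inside its VRF; track 1 follows the result.
ip sla 1
 icmp-echo 203.0.113.9 source-interface GigabitEthernet0/0
 vrf ISP-A
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Global default routes pointing out VRF interfaces (static leak): ISP-A
! wins on AD 10 until track 1 fails, then ISP-B (AD 20) takes over.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 203.0.113.9 10 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 198.51.100.9 20
!
! Overload NAT keyed on egress interface, so translations follow the active default.
ip access-list standard INSIDE
 permit 10.0.0.0 0.255.255.255
route-map NAT-ISP-A permit 10
 match ip address INSIDE
 match interface GigabitEthernet0/0
ip nat inside source route-map NAT-ISP-A interface GigabitEthernet0/0 overload
```

A second probe, track object and NAT route-map for ISP-B would be configured the same way; the tracked ISP-A route being withdrawn is what moves both routing and new NAT translations to ISP-B.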

I'm primarily interested in exploring the redundant ISPs and NAT functions right now, since those are important foundations for the rest of the config.

What's the PAN-OS way of handling the two ISPs, GRE tunnels and NAT failover?

I really like the VRF (Virtual Router?) approach to handling the two ISPs at the HQ site, and would rather do that than fail a default route back and forth between providers.

It looks like I might wind up BGP peering between three virtual routers: an "internal" instance talking to one instantiated for each ISP. Is that the right approach? Is there something else I should consider?

Does my desire for L2 firewall features on the external interface change things? It'll probably be the last thing I configure, and I don't want to shoot myself in the foot with an early decision.
