topic Firewalls - Management in Network Security

Firewalls - Management

Mikey John — Tue, 12 Mar 2019 02:08:45 GMT

Hi,

I have two Palo Alto firewalls connected to 2 x 4900M switches. I have assigned a /29 subnet (Vlan 100) for FW handoff and assigned IPs from this range to these devices.

I need to connect the management ports of the FWs too onto the switches. Can I connect the Mngmt port of the firewall and assign IP from the same /29 subnet? Or else it should be from a different subnet?

Can anyone please point me to a simple design which talks about IP assignments and port connections for Firewalls? And maybe some link which talks about design aspects involving firewalls?

Iam sorry if I have reached the wrong forum, but would appreciate your help in pointing me to the right direction.

Thanks

Mikey

Firewalls - Management

Mikey John — Mon, 08 Jul 2013 15:07:02 GMT

Appreciate if someone replies to this post.

Thanks

Mikey

Firewalls - Management

Jouni Forss — Mon, 08 Jul 2013 15:17:12 GMT

Hi,

Well this is mainly a Cisco forum so there isnt really any information here regarding Palo Alto firewalls unless someone happens to have used them or is still using them. And to be honest there is very little discussion here about other vendor products in general from what I have seen.

I have personally never used the firewalls in question so I cant really help you.

I would imagine that the Palo alto has some manuals/document that would provide information about setting them up in different scenarios? I can't really say as I have never dealt with Palo Alto products.

- Jouni

Firewalls - Management

Mikey John — Mon, 08 Jul 2013 15:20:45 GMT

Hi Jouni,

Thanks for your reply. Iam just looking for the standard practices while connecting and managing Firewalls in general (be it Palo Alto or Cisco ASA), and in my case how best to assign management IPs to FWs.

If you could point me to the Cisco documentation on Firewall design, that would be helpful too.

Thanks

Mikey

Firewalls - Management

Jouni Forss — Mon, 08 Jul 2013 15:51:31 GMT

Hi,

Well when talking about Cisco ASAs I guess the main management setups would be to

Use existing Data interfaces for management. This is a pretty common setup with regards to the situations I see here on the forums.
Use the separate Management interface solely for managing the firewall and connect this interface to its own Vlan/VRF on the core network.
Use a management network separate from the actual data network and connect this network either to the Management interface or have a separate device to provide Console access to the firewall directly. This would be especially good in certain troubleshooting situations.

Majority of the firewalls I manage are part of a separate management network isolated from all other networks. We have a predefined address space used for all those management purposes and reserve small subnets whenever a new device is connected to the network.

With regards to the documents its hard to say. I have never really used any. I have mainly dicussed the options regarding our network with my more expirienced co-workers.

Looking around quickly with Google will probably provide the same results as I got

For example:

http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_FirewallAndIPSDeploymentGuide-Aug2012.pdf

http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp42252

Hope this helps

- Jouni