I have two Palo Alto firewalls connected to 2 x 4900M switches. I have assigned a /29 subnet (Vlan 100) for FW handoff and assigned IPs from this range to these devices.
I need to connect the management ports of the FWs to the switches too. Can I connect the management port of the firewall and assign an IP from the same /29 subnet? Or should it be from a different subnet?
Can anyone please point me to a simple design which talks about IP assignments and port connections for Firewalls? And maybe some link which talks about design aspects involving firewalls?
I am sorry if I have reached the wrong forum, but I would appreciate your help in pointing me in the right direction.
Well, this is mainly a Cisco forum, so there isn't really any information here regarding Palo Alto firewalls unless someone happens to have used them or is still using them. And to be honest there is very little discussion here about other vendor products in general, from what I have seen.
I have personally never used the firewalls in question, so I can't really help you.
I would imagine that Palo Alto has some manuals/documents that would provide information about setting them up in different scenarios? I can't really say, as I have never dealt with Palo Alto products.
Thanks for your reply. I am just looking for the standard practices when connecting and managing firewalls in general (be it Palo Alto or Cisco ASA), and in my case how best to assign management IPs to FWs.
If you could point me to the Cisco documentation on Firewall design, that would be helpful too.
Well when talking about Cisco ASAs I guess the main management setups would be to
Use existing Data interfaces for management. This is a pretty common setup with regards to the situations I see here on the forums.
Use the separate Management interface solely for managing the firewall and connect this interface to its own Vlan/VRF on the core network.
Use a management network separate from the actual data network and connect this network either to the Management interface or have a separate device to provide Console access to the firewall directly. This would be especially good in certain troubleshooting situations.
Majority of the firewalls I manage are part of a separate management network isolated from all other networks. We have a predefined address space used for all those management purposes and reserve small subnets whenever a new device is connected to the network.
With regards to the documents, it's hard to say. I have never really used any. I have mainly discussed the options regarding our network with my more experienced co-workers.
Looking around quickly with Google will probably provide the same results as I got.
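The second option above (a dedicated management interface on its own VLAN/VRF, separate from the /29 data hand-off) laid out as an added configuration example, not from the original post; the VLAN number, VRF name, port names and the 192.0.2.0/29 and 198.51.100.0/29 addresses are assumed.

```cisco
! --- ASA side: dedicated management interface on an out-of-band subnet (assumed VLAN 200, 192.0.2.0/29) ---
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.2 255.255.255.248
 management-only
!
! The data hand-off keeps its own /29 (assumed VLAN 100, 198.51.100.0/29); management does not share it
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
!
! Device access only from the management subnet and only on the management interface
crypto key generate rsa modulus 2048
ssh 192.0.2.0 255.255.255.248 management
http server enable
http 192.0.2.0 255.255.255.248 management
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
! --- Catalyst switch side: management VLAN placed in its own VRF so it is not routed with the data VLAN ---
vlan 200
 name FW-MGMT
!
ip vrf MGMT
!
interface Vlan200
 description Firewall management (VRF MGMT)
 ip vrf forwarding MGMT
 ip address 192.0.2.1 255.255.255.248
!
interface GigabitEthernet1/5
 description FW-A Management0/0
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet1/6
 description FW-B Management0/0
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
```

Whatever reaches Vlan200 from the rest of the network has to pass through an explicit route leak or a jump host, which is the point of keeping the management subnet apart from the data /29.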