leblanc asked:

Virtual DMZ

I'd like to understand how to configure the FW to connect to a virtual DMZ.
I have a Palo Alto FW and I understand how to connect it to a physical device (like the F5) in the DMZ. I just assign an IP address to my FW interface and have a static route and allow policy pointing to the F5. But now if I have a virtual DMZ, meaning it will be stored in the VMWare environment in the datacenter (internal of my network), how will I logically configure my FW interface?
If we are talking about creating a VLAN for the virtual DMZ, then does it defeat the purpose of the separation of the DMZ and the internal network, as the DMZ traffic will traverse my internal network? Any thoughts?

I looked around and I could not find any sample of scenario with a virtual DMZ.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

It depends if you want a physical DMZ (no VLAN) or Virtual DMZ.

Basically you can use a VLAN for the DMZ traffic, or you can connect a physical wire to a physical port on ESXi, and that's your DMZ.

Both separate traffic.
leblanc (ASKER):
I'd like to implement the virtual DMZ. I have a Palo Alto firewall. Is there any tutorial to set up the FW with a virtual DMZ environment? I guess another way to ask this question is what is the best practice to implement a virtual DMZ?
Okay, so on your vSphere ESXi Server this is the tutorial....(and steps)

1. Create a new vSwitch.
2. Add at least a single network interface in the host (two is better to reduce a single point of failure).
3. Create a new virtual machine network portgroup and Label DMZ.
4. Any virtual machine which needs to be in the DMZ, allocate a DMZ IP Address.
5. In the VM Settings, edit the network interface and select the Label DMZ (the DMZ virtual machine portgroup created in 3 above).
6. Connect your DMZ Network Ports on your Palo Alto Firewall to Ports in 2 above.

Done.
leblanc (ASKER):
"Connect your DMZ Network Ports on your Palo Alto Firewall" This connection here is not physical. So how do I get from my Palo Alto to the VM DMZ? A VLAN? I configure my FW interface with a VLAN where the DMZ subnet is in. Correct? If yes, then I am traversing my internal network in a VLAN to get to the virtual DMZ. Doesn't that defeat the concept of a DMZ? Thx
OK, so this Palo Alto Firewall - is this a physical device or a virtual device?
leblanc (ASKER):
The Palo Alto FW is physical.
So connect physical ports on the Palo Alto FW to physical ports on ESXi - this is your DMZ.

Those ESXi ports are connected to DMZ vSwitch.

It's exactly the same if you wanted to connect 100 Physical Servers to the DMZ, you would connect 100 physical servers to a physical switch, and then connect this physical switch to a port on your Palo Alto FW.

You've now got 100 physical ports, 100 physical servers all in your DMZ.

With ESXi the physical switch is the vSwitch.
leblanc (ASKER):
"connect physical ports on Palo Alto FW to Physical Ports on ESXi." The Palo Alto is not physically next to my ESXi. My ESXi is in the datacenter and it is on another floor. So you are saying that the Palo interface has to be physically connected to the ESXi. Correct? It cannot logically be connected to the ESXi. By logically, I was thinking of VLAN.
Your Firewall and ESXi do not have to be close to one another to connect them directly!

Either physically, VLAN does not matter which, making it easier....

Access VLAN near the Firewall Server, Access VLAN near the ESXi server..... is one method....

or the correct method would be to introduce a VLAN from the Firewall labelled DMZ to the ESXi server, which could then be access VLAN or Trunk VLAN, depends on your ESXi networking configuration...

Do you not already have a DMZ VLAN in your network design? (in your entire network) - just break out of this via Access Port or Trunk to ESXi.

e.g. we bring a massive TRUNK to our ESXi servers, carrying ALL 267 VLANs, two of which are two DMZs.
leblanc (ASKER):
But if the traffic for the virtual DMZ is going through a VLAN, thus traversing the internal network, doesn't it defeat the purpose of a DMZ, which must be isolated? Thanks
There are two options for creating a DMZ that would connect to your Palo Alto Firewall now that you have introduced the VMware component.

1.   Firewall > vmnic (interface directly on the ESXi host) > Dedicated DMZ virtual switch > DMZ VMs
2.   Firewall > DMZ VLAN > Trunk to ESXi host > Dedicated DMZ virtual switch > DMZ VMs

Option #1 would provide the best security because you would not be traversing any internal network from the firewall and the VMs within VMware would only have a single egress point, the interface on the firewall. The downsides would be creating a dedicated interface on each ESXi host in the cluster which doesn't scale all that well.


Option #2: Create a DMZ VLAN on our switch and put layer 2 security controls in place (PVLAN, DHCP snooping, etc). Connect the firewall interface to the DMZ VLAN and then trunk that VLAN down to each ESXi host. Once it gets to the host I would still recommend creating a new virtual switch to help force isolation of DMZ hosts. The hosts would still have a single egress point of the firewall interface.
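The following PowerCLI script is an added example, not code from either expert or from VMware's documentation. It carries out the six-step vSwitch/portgroup procedure from the earlier answer and then checks the isolation property both answers rely on (the firewall interface as the DMZ's only egress). Setting the VLAN id to 0 gives option #1 (dedicated untagged uplinks); a non-zero id gives option #2 (DMZ VLAN trunked to the host). The host name, uplink names, VM name and vSwitch name are placeholders I chose, and an existing vCenter/ESXi session via Connect-VIServer is assumed.

```powershell
# Added example (not from the thread). Assumes VMware PowerCLI and an open
# Connect-VIServer session; all names below are placeholders.
param(
    [string]$VMHostName = "esxi01.example.internal",  # assumption
    [string[]]$DmzUplinks = @("vmnic4", "vmnic5"),     # assumption: two NICs, as in step 2
    [int]$DmzVlanId = 0,                               # 0 = untagged (option #1), else option #2
    [string]$VmName = "dmz-web01"                      # assumption
)

$vmhost = Get-VMHost -Name $VMHostName

# Steps 1-3: a dedicated vSwitch with its own uplinks and a port group labelled DMZ.
$vs = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch-DMZ" -ErrorAction SilentlyContinue
if (-not $vs) {
    $vs = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch-DMZ" -Nic $DmzUplinks
}
$pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name "DMZ" -ErrorAction SilentlyContinue
if (-not $pg) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vs -Name "DMZ" -VLanId $DmzVlanId
}

# Step 5: move the VM's network adapter onto the DMZ port group.
Get-VM -Name $VmName | Get-NetworkAdapter | Set-NetworkAdapter -Portgroup $pg -Confirm:$false

# Isolation check. A DMZ uplink that also serves another vSwitch, a non-DMZ
# port group on the DMZ vSwitch, or a VMkernel (management/vMotion) adapter
# bound to the DMZ port group would each give DMZ traffic a second path into
# the internal network, which is exactly what the asker is worried about.
$problems = @()
foreach ($other in Get-VirtualSwitch -VMHost $vmhost | Where-Object { $_.Name -ne $vs.Name }) {
    $shared = $other.Nic | Where-Object { $DmzUplinks -contains $_ }
    if ($shared) { $problems += "uplink(s) $($shared -join ',') shared with $($other.Name)" }
}
$stray = Get-VirtualPortGroup -VirtualSwitch $vs | Where-Object { $_.Name -ne "DMZ" }
foreach ($p in $stray) { $problems += "unexpected port group '$($p.Name)' on $($vs.Name)" }
if (Get-VMHostNetworkAdapter -VMHost $vmhost -VMKernel | Where-Object { $_.PortGroupName -eq "DMZ" }) {
    $problems += "a VMkernel adapter is bound to the DMZ port group"
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "DMZ vSwitch '$($vs.Name)' is isolated: the firewall is the only egress." }
```

With option #2 the VLAN id only tags the frames at the vSwitch; the layer 2 controls the answer mentions (PVLAN, DHCP snooping) still have to be configured on the physical switches carrying the trunk.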