Deploying a Server Farm or Data Center Firewall

Last Modified: 2020-04-30
I'm working on a solution, as a vendor, on a deployment model for Palo Alto NGFW with the following interests:

- To control and inspect the traffic between users and servers
- To protect DMZ web servers from traffic sourced from the internet.

I put together a fairly current network design. At the moment we have two internet boundary firewalls handling ingress/egress NAT and VPN connections.

So I am looking for advice on a validated design and suggestions on where to install the new firewall pair in the path, as mentioned above.

Network Engineer
CERTIFIED EXPERT
Commented:
Is the plan to replace the Sophos firewalls?

You can have servers physically on the TOR switches and have them go back to the firewalls via an L2 VLAN. Have an L3 sub-interface on the firewalls as the gateway for the servers. I am doing this very successfully.

In fact, all new L3 interfaces are on my Palo Alto firewalls. It allows for full inspection and control of all traffic to/from the subnet. Basically every VLAN is a DMZ segment. I then use zone based rules to control the traffic. You do need to have a firewall that can handle the throughput though. So far, no issues. My Palo Alto firewalls process over 5 Gbps of traffic. I think that's with full SSL decryption turned on.


Author

Commented:
No, we are not replacing, they will still remain as Internet Edge Firewalls.
- We are deploying a firewall in the data center to control access from south to north.
- To implement DMZ DC for Web Servers.

I would appreciate it if you could share a simple diagram of your deployment; it would be very helpful. Basically my objectives are mentioned above.

 
kevinhsieh, Network Engineer
CERTIFIED EXPERT
Commented:
I don't know why you are not looking to have the DMZ segments off the Sophos firewalls.

You can put firewalls anywhere physically. The trick is to only allow L2 connections on the switches between the Palo Alto firewalls and the Sophos. Over that L2 connection, run L3 interfaces on the Sophos and the Palo Alto.

Author

Commented:
Thanks for the valuable suggestion. I would appreciate it if you could support the explanation with a simple diagram, just to ensure I am understanding it in context.


kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Do you have a favorite free online network diagramming tool?

Author

Commented:
I use Microsoft Paint for demo purposes :) 

Author

Commented:
Hi kevinhsieh
Any further help ?

kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
It looks like you have just 1 TOR 9300 switch; I suggest putting both Palo Alto firewalls directly on it.

Proposed design

Author

Commented:
I have multiple TOR access switches; the diagram is simplified just for the sake of simplicity.

We don't have separate core switches in the Server Farm; the TOR switches are directly connected to the campus core. VLANs and SVIs are terminated on the Core.
We want to deploy separate cores in the DC as well.
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Are your ToR switches in VSS or equivalent? The firewalls can be anywhere you can get L2 connectivity from the servers to the firewalls. No SVI on the switches, just L2. Use the FW as your gateway for your "DMZ" machines. FW then routes back to the rest of the network using same physical interfaces (router on a stick), or different interfaces.
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Are you planning physical or virtual firewalls?

Author

Commented:
Physical firewalls
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Physically you want to connect the Palo Alto to a pair of switches where you have LACP from the Palo Alto to the switches. That allows you to fail a switch without failing over the firewall.

Author

Commented:
So basically I would do this setup.
I can connect the Internet Firewalls (Sophos XG) and the Palo Alto to the same data center core switches.
Servers will sit behind the PAN firewalls, with the gateway and L3 interfaces on them.
The Enterprise core would have a default route for south-north traffic to the DC Core switches to access servers and the internet. The DC core switches will have a default route to the XG.
The DC core switches would also learn DC routes via a dynamic routing protocol between the DC Core and the PAN Firewall.

Please give suggestions if anything is wrong with above setup.
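As an added example (not from this thread, kevinhsieh, or Palo Alto), here is one way to express the design discussed above as configuration: an LACP trunk from a switch pair that carries the server VLANs as L2 only (no SVI on the switch), PAN-OS set commands that put the gateway on firewall sub-interfaces, assign each VLAN to its own zone, control the traffic with zone-based rules, and route back to the DC core over a transit sub-interface on the same bundle (router on a stick). All VLAN IDs, addresses, zone names, rule names and interface numbers are constructed placeholders; the switch syntax is Cisco IOS-XE style and assumes the pair runs VSS/StackWise Virtual.

```text
! --- Switch side (Cisco IOS-XE style, constructed example) ---
! Multi-chassis LACP bundle to the firewall; carries the server VLANs as L2 only.
interface Port-channel10
 description PAN-FW-A ae1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
interface TenGigabitEthernet1/0/1
 channel-group 10 mode active
interface TenGigabitEthernet2/0/1
 channel-group 10 mode active
! Deliberately no "interface Vlan10" / "interface Vlan20": the firewall is the gateway.
! VLAN 100 is the transit VLAN to the DC core's L3 interface (10.10.100.254).

# --- Firewall side (PAN-OS set commands, constructed example) ---
# Aggregate interface with LACP, one member to each switch of the pair
set network interface aggregate-ethernet ae1 layer3 lacp enable yes
set network interface ethernet ethernet1/1 aggregate-group ae1
set network interface ethernet ethernet1/2 aggregate-group ae1
# L3 sub-interfaces: one per server VLAN, the firewall IP is the servers' default gateway
set network interface aggregate-ethernet ae1 layer3 units ae1.10 tag 10 ip 10.10.10.1/24
set network interface aggregate-ethernet ae1 layer3 units ae1.20 tag 20 ip 10.10.20.1/24
# Transit sub-interface toward the DC core over the same physical bundle
set network interface aggregate-ethernet ae1 layer3 units ae1.100 tag 100 ip 10.10.100.1/24
set network virtual-router default interface [ ae1.10 ae1.20 ae1.100 ]
# Every VLAN is its own zone, so policy is written between zones
set zone DMZ-Web network layer3 ae1.10
set zone App-Servers network layer3 ae1.20
set zone DC-Core network layer3 ae1.100
# Zone-based rules; anything interzone not matched here hits the default interzone deny
set rulebase security rules Users-to-Web from DC-Core to DMZ-Web source 10.0.0.0/8 destination 10.10.10.0/24 application [ web-browsing ssl ] service application-default action allow
set rulebase security rules Users-to-Web log-end yes
set rulebase security rules Web-to-App from DMZ-Web to App-Servers source 10.10.10.0/24 destination 10.10.20.0/24 application mysql service application-default action allow
set rulebase security rules Web-to-App log-end yes
# Routing: default toward the DC core (which in turn defaults to the edge firewalls)
set network virtual-router default routing-table ip static-route to-dc-core destination 0.0.0.0/0 nexthop ip-address 10.10.100.254 interface ae1.100
# OSPF on the transit so the DC core learns the server subnets dynamically;
# the server sub-interfaces are passive so they are advertised but form no adjacencies
set network virtual-router default protocol ospf enable yes
set network virtual-router default protocol ospf router-id 10.10.100.1
set network virtual-router default protocol ospf area 0.0.0.0 interface ae1.100 enable yes passive no
set network virtual-router default protocol ospf area 0.0.0.0 interface ae1.10 enable yes passive yes
set network virtual-router default protocol ospf area 0.0.0.0 interface ae1.20 enable yes passive yes
```

With this layout a failed switch drops one LACP member but not the firewall's interfaces, which is the failover behaviour kevinhsieh describes, and every server-to-server or user-to-server flow crosses a zone boundary on the firewall and is logged.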
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
DC Core switches are not on the diagram. Other than that, I would say that it looks good to me so far.

Author

Commented:
9500-48Y are the DC core switches shown in the diagram.

Author

Commented:
Should the Internet edge firewalls connect to the Enterprise Core or the Data Center? Any thoughts?
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Internet edge firewalls should be as close to the Internet as possible, and be connected to whatever hardware provides appropriate bandwidth and multi-chassis LACP connections. I certainly wouldn't want to burn a 10G switch port on a 1G interface, for example.

Author

Commented:
I meant, should the inside interface of the firewalls connect to the LAN core or to the DC Core/Distribution?
kevinhsieh, Network Engineer
CERTIFIED EXPERT
Commented:
The answer is the same. Not much difference between "core" and "distribution" switches on a fast network.

Your network diagram only shows L1 connections, so I don't know where you're doing routing. Obviously you need to route traffic to the firewall. Does it matter to you if the traffic needs to travel through 1 or more physical switches between the firewall and your SVI? I don't care, but maybe you do. It depends on the network design philosophy.

Author

Commented:
Core would have default route to internet firewalls and DC routes will be learned through DC Core.
