
[Demo] How to Deploy Your Palo Alto NGFW in Vwire Mode

January 12, 2017

The Palo Alto Networks Next Generation Firewall supports several deployment modes, so there is more than one way to place it in the network. Our partner, Cloud Harmonics, recently authored a blog for us on this topic.

In this demonstration video we dig a little deeper and show you how to deploy your NGFW in Vwire mode, which allows it to be active, in-line, while still invisible to the network. 


Vwire Mode Overview for Palo Alto Networks NGFW

Your Palo Alto Networks NGFW needs to be active-inline in order to do its job of blocking and preventing external threats.

Vwire mode is the most common and best deployment mode because you can see the direction of the network traffic and enforce security settings against real network data. Coupling Vwire with a bypass network TAP is the best practice recommended by Cloud Harmonics, Palo Alto Networks' US distributor.


Why is this a best practice?

One disadvantage of an NGFW is that there is no failsafe built into the appliance: if there is a power outage or an appliance fault, your network link is down. Bypass network TAPs by Garland Technology have this failsafe feature built into each one.

Figure 1 - Move the new NGFW to in-line, active via the network TAP's bypass mode, which has a built-in failsafe.

Managing Your Palo Alto Networks’ Deployment Lifecycle

Vwire mode deployment coupled with a bypass network TAP is a best practice because it benefits the entire lifecycle of an appliance, including POC, validation and deployment, and troubleshooting, while taking the mission-critical network down only once, at initial deployment.

Supporting the Lifecycle of Palo Alto Networks' NGFW

A bypass TAP is invisible to the network. During proof of concept (POC) the NGFW sees all directions of the traffic, as if it were inline, allowing you to write policy because the traffic direction is known and is based on real, observed data.

It takes away the headache of cutover and allows you to test your policy by having the NGFW process traffic as an inline device, while providing the ability to put it back to virtual inline when troubleshooting potential problems, all without affecting production traffic.

With one click your NGFW can go from in-line to off-line/out-of-band for POC, troubleshooting and failover protection. Before you deploy your NGFW, consider your connectivity options and what the best long-term solution is for 100% network visibility and uptime.

Garland Technology is a technology partner of Palo Alto Networks and a founding member of the Fuel User Group. View our joint solutions and past webinars.


Heartbeat Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets are returned to the TAP, and the link traffic continues to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution! You say, "What if the TAP should fail because it is also in-line? Then the link will also fail!" The TAP would now be considered a point of failure. That is a good catch, but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into failsafe mode, keeping the link flowing.
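The heartbeat logic described in the three paragraphs above, plus the failsafe case raised in the last one, can be modelled as a small state machine. The following is an added example written for this post, not Garland Technology's firmware or any real TAP's implementation; the three-miss threshold, the `BLOCK:` frame tag used to stand in for traffic the NGFW would drop, and the `tool_forward` function are all constructed assumptions. It shows the detection window in which frames in flight are lost before the TAP notices the tool is gone, that heartbeats are stripped before traffic re-enters the critical link, and that a powered-off TAP passes the link through untouched.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

HEARTBEAT = "HB"  # constructed marker for a TAP heartbeat frame


def tool_forward(frames: List[str]) -> List[str]:
    """Constructed stand-in for the inline NGFW: it drops frames tagged
    'BLOCK:' and returns everything else, including the heartbeat."""
    return [f for f in frames if not f.startswith("BLOCK:")]


@dataclass
class BypassTap:
    """Model of a bypass TAP with heartbeat detection (constructed example).

    Assumptions: after `miss_limit` consecutive unreturned heartbeats the TAP
    bypasses the tool; a single returned heartbeat restores inline mode; a
    TAP without power drops into failsafe and relays the link directly."""
    miss_limit: int = 3
    mode: str = "inline"      # "inline" | "bypass" | "failsafe"
    missed: int = 0
    log: List[str] = field(default_factory=list)

    def tick(self, link_frames: List[str], tool_online: bool,
             tap_powered: bool = True) -> List[str]:
        """One heartbeat interval. Returns the frames that reach the far
        side of the critical link during this interval."""
        if not tap_powered:
            # Failsafe: no heartbeat, no inspection, link passes straight through.
            self.mode = "failsafe"
            return list(link_frames)

        was_inline = self.mode == "inline"
        # A heartbeat goes to the tool every interval, even while bypassing;
        # link traffic only goes to the tool when we are inline.
        to_tool = (list(link_frames) if was_inline else []) + [HEARTBEAT]
        from_tool = tool_forward(to_tool) if tool_online else []
        hb_returned = HEARTBEAT in from_tool

        if hb_returned:
            self.missed = 0
            if not was_inline:
                self.log.append("heartbeat returned: tool back inline")
            self.mode = "inline"
        else:
            self.missed += 1
            if was_inline and self.missed >= self.miss_limit:
                self.mode = "bypass"
                self.log.append(f"{self.missed} heartbeats missed: bypassing tool")

        if was_inline:
            # Traffic crossed the tool this interval; strip the heartbeat before
            # it re-enters the link. If the tool was silent, those frames are
            # lost: this is the detection window before bypass engages.
            return [f for f in from_tool if f != HEARTBEAT]
        # Bypass (or the interval in which the tool just recovered): the link
        # traffic crossed the TAP directly, uninspected.
        return list(link_frames)


def run_scenario() -> Tuple[List[List[str]], List[str]]:
    """Constructed timeline: tool dies, TAP bypasses, tool recovers, TAP loses power."""
    tap = BypassTap(miss_limit=2)
    timeline = [
        # (frames on the link, tool online?, TAP powered?)
        (["A1", "BLOCK:x"], True, True),    # inline: tool drops the tagged frame
        (["A2"], False, True),              # tool dies; frame lost, 1st miss
        (["A3"], False, True),              # 2nd miss: TAP switches to bypass
        (["A4", "BLOCK:y"], False, True),   # bypass: everything passes uninspected
        (["A5"], True, True),               # tool answers heartbeat; inline next interval
        (["A6", "BLOCK:z"], True, True),    # inline again: inspection resumed
        (["A7"], True, False),              # TAP loses power: failsafe pass-through
    ]
    delivered, modes = [], []
    for frames, online, powered in timeline:
        delivered.append(tap.tick(frames, online, powered))
        modes.append(tap.mode)
    return delivered, modes


if __name__ == "__main__":
    for d, m in zip(*run_scenario()):
        print(f"{m:9s} delivered={d}")
```

Two things worth noticing when you run it: intervals 2 and 3 deliver nothing, because frames already committed to a dead tool are gone before the miss counter reaches the threshold, so the heartbeat interval and miss limit set how long a tool failure blackholes the link; and in interval 4 the tagged frame that the NGFW would have dropped crosses the link, which is the trade-off of bypass mode that the page calls out: uptime is preserved, inspection is not.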

Glossary

  1. Single point of failure: a risk to an IT network where the failure of one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.

  3. Critical link: the connection between two or more network devices or appliances such that, if the connection fails, the network is disrupted.
