Palo Alto Networks Next Generation Firewall has a flexible deployment, meaning different methods of deployment will work. Our partner, Cloud Harmonics recently authored a blog for us on this topic.
In this demonstration video we dig a little deeper and show you how to deploy your NGFW in Vwire mode, which allows it to be active, in-line, while still invisible to the network.
Vwire Mode Overview for Palo Alto Networks NGFW
Your Palo Alto Networks NGFW needs to be active-inline in order to do it’s job of blocking and preventing external threats.
Vwire mode is the most common and best deployment mode because you can see the direction of the network traffic and enforce security settings with real network data. Now, couple Vwire with a bypass network tap - this is the recommended best practice by Cloud Harmonics, Palo Alto Network’s US distributor.
Why is this a best practice?
One disadvantage of a NGFW is that there is no failsafe built into the appliance, meaning if there is a power outage or appliance issues your network is down. Bypass network TAPs by Garland Technology have this failsafe feature built into each one.
Figure 1 - Move new NGFW to in-line, active via the Network TAPs Bypass Mode, which has a built in failsafe.
Managing Your Palo Alto Networks’ Deployment Lifecycle
Vwire mode deployment coupled with a bypass network TAP is a best practice because it benefits the entire lifecycle of an appliance, including: POC, validation & deployment, and troubleshooting - with only taking the mission critical network down once, at initial deployment.
A bypass tap is invisible to the network, during proof of concept (POC) it sees all directions of the traffic - as if it was inline, allowing the you to write policy because the traffic direction is known and is based on ‘real and observed data'.
It takes away the headache of cutover and allows you to 'test your policy' by having the NGFW process traffic as an inline device, while providing the ability to put it back to virtual inline when troubleshooting potential problems - all without affecting production traffic.
With one-click your NGFW can go from in-line to off-line/out of band for POC, troubleshooting and for failover protection. Before you deploy your NGFW, consider your connectivity options - and what the best long term solution is for 100% network visibility and uptime.
Garland Technology is technology Partners with Palo Alto Networks and a founding member of the Fuel User Group. View our joint solutions and past webinars.