A firewall is a network security device that monitors incoming and outgoing network traffic and, based on a set of rules, decides whether to allow or block that traffic, protecting the network. Whether you are replacing a legacy firewall or adding an additional NGFW (Next-Generation Firewall) for internal security, a detailed deployment plan is required.
Palo Alto Networks’ Next Generation Firewall has different deployment methods. Let’s explore the different options to see which one works best, and why. Some content has been adapted from Palo Alto Networks’ Designing Networks with Palo Alto Networks Firewall. Let’s state the most important thing regardless of which deployment method you choose: your Palo Alto Networks NGFW needs to be inline in order to block and prevent suspicious behavior.
The most common and best form of deployment is VMware mode. In this instance, you can see the direction of the network traffic and enforce security settings with real network data. Ideally, you want to couple the VMware deployment with a Bypass TAP to monitor the health of your inline device and provide 100% network visibility.
One disadvantage of an NGFW is that there is no failsafe built into the appliance. This means that if there is a power outage or an appliance issue, your network will be down. Garland Technology’s EdgeSafe®: Bypass Network TAPs have a failsafe feature built in for full uptime. When you use Garland’s EdgeSafe®: 1G Bypass Modular Network TAP within a 1U or 2U chassis, a simple one-click command lets you take the NGFW off-line without taking down the network. When the power issue is resolved, simply click back to active, inline mode via a remote management card.
VMware mode deployment coupled with a bypass network TAP is part of best practices because it benefits the entire lifecycle of an appliance, including POC, validation & deployment, and troubleshooting, while taking the mission-critical network down only once, at initial deployment.
“A bypass TAP is invisible to the network. During a proof of concept (POC), the network sees all directions of the traffic - as if it was inline, allowing you to write policy because the traffic direction is known and is based on ‘real and observed data’.
It takes away the headache of cutover and allows you to ‘test your policy’ by having the NGFW process traffic as an inline device while providing the ability to put it back to virtual inline when troubleshooting potential problems - all without affecting production traffic.” With one click, the bypass TAP can switch from inline to out-of-band for POCs, troubleshooting, and failover protection. Even when your tools are out-of-band, the Bypass TAP will passively see all traffic, but will not affect it. Another benefit of using Network TAPs as part of your deployment is that, since Network TAPs don’t possess IP or MAC addresses, they are completely invisible to hackers. This means that when deploying network TAPs with your NGFW, your visibility method into the traffic cannot be hacked.
Palo Alto’s NGFW combined with a Garland Technology EdgeSafe Bypass TAP is a fundamental best practice that offers a unique ability to implement inline lifecycle management. From improving your POC, sandboxing new tools, troubleshooting, and most importantly, avoiding costly network downtime, the bypass TAP becomes the essential complement to your NGFW.
As you move forward to prepare and secure your data center, don’t leave your network out in the cold. Obtain 100% visibility and network uptime when you deploy a Palo Alto NGFW and Garland Technology bypass TAP.
Looking to add a bypass solution to your security deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!
If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.
If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.
While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.
Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode keeping the link flowing.
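As an added illustration (not Garland Technology’s or Palo Alto Networks’ code), the heartbeat cycle described in the three paragraphs above and the TAP’s own failsafe behaviour from the paragraph just before, modelled as a small Python state machine. The heartbeat frame, the three-miss threshold before bypassing, and the way the inline tool and the link are modelled are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    INLINE = "inline"      # link traffic flows through the security tool
    BYPASS = "bypass"      # tool is skipped; the link keeps flowing
    FAILSAFE = "failsafe"  # TAP itself lost power; link passes straight through
HEARTBEAT = b"HB"  # constructed marker frame; a real TAP uses a vendor-defined frame

@dataclass
class BypassTap:
    miss_threshold: int = 3  # consecutive missed heartbeats before bypassing (assumed value)
    mode: Mode = Mode.INLINE
    missed: int = 0
    def cycle(self, frames, tool):
        """Push one batch of link frames through the TAP and return what reaches the
        far side. `tool` models the inline device: it takes a list of frames and
        returns the ones it lets through, or None when it is off-line."""
        if self.mode is Mode.FAILSAFE:
            return list(frames)  # no power: relays close, traffic passes uninspected
        # A heartbeat goes to the tool on every cycle, whether inline or bypassed.
        sent = list(frames) + [HEARTBEAT] if self.mode is Mode.INLINE else [HEARTBEAT]
        reply = tool(sent)
        if reply is not None and HEARTBEAT in reply:  # heartbeat came back: tool healthy
            self.missed = 0
            if self.mode is Mode.BYPASS:  # tool recovered: put it back inline
                self.mode = Mode.INLINE
                return list(frames)  # this batch already went around the tool
            return [f for f in reply if f != HEARTBEAT]  # strip heartbeat before the link
        self.missed += 1
        if self.mode is Mode.BYPASS:
            return list(frames)  # already bypassing: keep the link flowing
        if self.missed >= self.miss_threshold:
            self.mode = Mode.BYPASS  # tool off-line: route around it from now on
        return [] if reply is None else [f for f in reply if f != HEARTBEAT]

    def power_loss(self):
        self.mode = Mode.FAILSAFE  # TAP loses power: fail safe, keep the link up uninspected

def run_demo():
    """Tool failure, automatic bypass, tool recovery, then TAP power loss."""
    tap, log = BypassTap(), []
    up = lambda sent: [f for f in sent if f != b"blocked"]  # healthy tool drops 'blocked'
    down = lambda sent: None  # off-line tool returns nothing, not even the heartbeat
    for tool, frames in [(up, [b"a", b"blocked"]), (down, [b"b"]), (down, [b"c"]),
                         (down, [b"d"]), (down, [b"e"]), (up, [b"f"]), (up, [b"blocked"])]:
        out = tap.cycle(frames, tool)
        log.append((tap.mode.value, out))  # mode after the cycle, frames put back on the link
    tap.power_loss()
    log.append((tap.mode.value, tap.cycle([b"g"], down)))
    return log
```

The demo shows the cost of the detection window: the batches sent while the tool is down but not yet bypassed are lost, which is why the miss threshold is a trade-off between false bypasses and dropped traffic.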
Single point of failure: a component of an IT network whose failure brings down a larger part of the entire system.
Heartbeat packet: a soft detection technology that monitors the health of inline appliances. Read the heartbeat packet blog here.
Critical link: a connection between two or more network devices or appliances whose failure disrupts the network.