PaloAltoNetworks部署指南-RevB

liven1204
0 ℃
2020-04-16

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

DesigningNetworkswithPaloAltoNetworksFirewallsSuggestedDesignsforPotentialandExistingCustomersRevisionB©2012,PaloAltoNetworks,Inc.:TapMode..................................................................................................................7Section2:Virtual-wireDeploymentScenarios........................................................................................................132.1OperationofVirtualWireInterfaces........................................................................................................132.2ExampleScenario:VirtualWirewithActive/PassiveHA.........................................................................152.3ExampleScenario:VirtualWirewithActive/ActiveHA............................................................................242.4ExampleScenario:VirtualWirewithA/AHAandLinkAggregationonAdjacentSwitches....................332.5ExampleScenario:VirtualWirewithBypassSwitch(“fail-open”scenario)............................................452.6ExampleScenario:HorizontalScalingwithLoadBalancers...................................................................52Section3:Layer2DeploymentScenarios...............................................................................................................593.1OperationofL2Interfaces.......................................................................................................................593.2ExampleScenario:Layer2Active/PassiveHA.......................................................................................603.3ExampleScenario:CombinationLayer2andLayer3Topology............................................................68Section4:Layer3DeploymentScenarios...............................................................................................................754.1OperationofL3Interfaces.......................................................................................................................754.2ExampleScenario:Layer3Active/PassiveHAwithOSPF.....................................................................764.3ExampleScenario:Layer3Active/ActiveHAwithOSPF.......................................................................774.4ExampleScenario:Layer3Active/PassiveHAwithBGP.......................................................................784.5ExampleScenario:Layer3Active/ActiveHAwithBGP..........................................................................794.6ExampleScenario:Layer3Active/PassivewithLinkAggregation.........................................................804.8ExampleScenario:FirewallonaStick....................................................................................................99AppendixA:ReviewofUser-IDOperation............................................................................................................107RevisionHistory.....................................................................................................................................................110©2012,PaloAltoNetworks,Inc.[2]IntroductionHowtoUsethisDocumentThepurposeofthisdocumentistohelppeoplechoosehowtodeployPaloAltoNetworksdevicesintotheirnetwork.Variousscenariosaredescribed,aswellastheirconfiguration.Allofthesescenariosweretestedinthefield,runningPAN-OS5.0.2.PrerequisiteknowledgeThisdocumentisnotastep-by-stephow-todocument,butgivesasummaryoftheconfigurationneededtoimplementeachscenario.ItisassumedthatthereaderhastheknowledgetocompletethefollowingtasksonaPAfirewall:oConfigureinterfacesettings,suchasinterfacetype,duplex,speed,zoneoCreateandconfigurezonesoCreateandconfigurepoliciesoCreate/deletevirtualwiresoConfigurevirtualroutersWheredoIstart?Thebestplacetostartistoreviewdifferentdeploymentmodesbelow,andthenusethetableofcontentstodeterminewhichscenariosyoumightconsider.The4interfacemodes/deploymentscenariosare:•Tapmode•Virtualwiremode•Layer2mode•Layer3modeTapModeDeploymentsWhereasanetworktapisadevicethatprovidesawaytoaccessdataflowingacrossacomputernetwork,“tapmodedeployment”ofthePaloAltoNetworksfirewallsallowsyoutopassivelymonitortrafficflowsacrossanetworkbywayofataporswitchSPAN/mirrorport.TheSPANormirrorportpermitsthecopyingoftrafficfromotherportsontheswitch.BydesignatinganinterfaceonthefirewallasatapmodeinterfaceandconnectingittoaswitchSPANport,theswitchSPANportprovidesthefirewallwiththemirroredtraffic.Thisprovidesapplicationvisibilitywithinthenetworkwithoutbeingintheflowofnetworktraffic.Advantages:•Visibilityintothenetworktraffi