Something to keep in mind. Thanks!
Just our own end. Thanks!
Would the virtual firewall in a cloud be a SPOF? Or could I stage a team in HA config?
Thanks, I believe I will give them a look, and may just take you up on a message!
I’ll have to read up on SD-WAN. I’ve heard it has “issues”.
Here is the high level concept:
Today, you have a single IPSec Tunnel and a route that sends your traffic into the tunnel interface.
With SD-WAN, you will create two IPSec Tunnels and put them in a single zone. Then you route your traffic to that zone instead of the IPSec tunnels. Last, you go into that zone and define how traffic within that zone chooses which IPSec tunnel to use.
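As an added illustration of the concept described above (example code, not from the thread or from any vendor's product): a small simulation of a zone holding two IPSec tunnels, a route that points at the zone rather than at a tunnel, and a per-zone policy that picks a tunnel per session and fails over when one tunnel stops meeting its health thresholds. Tunnel names, probe values and thresholds are made up for the demo.

```python
"""Toy SD-WAN path selection: route -> zone -> tunnel chosen by policy.

Added example; names, latencies and thresholds are constructed, not measured.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Tunnel:
    name: str
    latency_ms: float   # last probe result (constructed)
    loss_pct: float     # last probe result (constructed)
    up: bool = True     # IKE/IPSec SA established?


@dataclass
class ZonePolicy:
    max_latency_ms: float = 150.0
    max_loss_pct: float = 2.0
    # Ordered preference; ties among equally preferred tunnels go to lowest latency.
    preferred: List[str] = field(default_factory=list)


@dataclass
class Zone:
    name: str
    tunnels: List[Tunnel]
    policy: ZonePolicy

    def healthy(self) -> List[Tunnel]:
        """Tunnels that are up and inside the zone's SLA thresholds."""
        p = self.policy
        return [t for t in self.tunnels
                if t.up and t.latency_ms <= p.max_latency_ms and t.loss_pct <= p.max_loss_pct]

    def select(self) -> Optional[Tunnel]:
        """Pick the tunnel a new session would use under this zone's policy."""
        candidates = self.healthy()
        if not candidates:
            # Nothing meets SLA: best effort over any tunnel that is at least up,
            # rather than blackholing the traffic.
            candidates = [t for t in self.tunnels if t.up]
        if not candidates:
            return None
        rank = {n: i for i, n in enumerate(self.policy.preferred)}
        return min(candidates, key=lambda t: (rank.get(t.name, len(rank)), t.latency_ms))


def lookup_zone(dst_ip: str, routes: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match over a route table whose next hops are zones, not tunnels."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, zone in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def route(dst_ip: str, zones: Dict[str, Zone], routes: Dict[str, str]) -> Optional[str]:
    """Return the name of the tunnel a session to dst_ip would be placed on."""
    zone_name = lookup_zone(dst_ip, routes)
    if zone_name is None or zone_name not in zones:
        return None
    chosen = zones[zone_name].select()
    return chosen.name if chosen else None


def build_demo():
    """Constructed topology: one cloud zone with two tunnels, default route elsewhere."""
    zone = Zone(
        name="cloud-zone",
        tunnels=[Tunnel("ipsec-primary", latency_ms=30.0, loss_pct=0.1),
                 Tunnel("ipsec-secondary", latency_ms=45.0, loss_pct=0.2)],
        policy=ZonePolicy(preferred=["ipsec-primary", "ipsec-secondary"]),
    )
    routes = {"10.20.0.0/16": "cloud-zone", "0.0.0.0/0": "underlay"}
    return zone, routes


if __name__ == "__main__":
    zone, routes = build_demo()
    zones = {zone.name: zone}
    print("steady state:", route("10.20.5.9", zones, routes))
    zone.tunnels[0].loss_pct = 5.0          # primary degrades past the 2% loss threshold
    print("after loss on primary:", route("10.20.5.9", zones, routes))
```

The point the simulation makes is the one in the post: once the route targets the zone, adding, removing or failing a tunnel changes nothing in the routing table; only the zone's selection policy decides which SA carries a session.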
I’m gonna be frank here:
I listed it as an option because it is one, not because I would recommend it.
I have had similar experiences with Palos, and while they are among the few actually usable “NGFW” products and great at performing that function, they, in my experience and opinion, lack in exactly such areas as this, which is why I personally just wouldn’t deploy them. Or only for the role of a pure FW where routing & edge functions are taken care of by other systems.
Wow! We went from first generation Cisco ASA to Palo NGFW, and Palo has been superb! We use them strictly as NGFW though. Just curious - what are you replacing your Palos with, if I may ask?
Considering you have public IP space, assuming it is actually assigned to the company and not owned by the ISP, you could do a BGP announcement to both providers.
There could be benefits to having only one VPN to each cloud environment, but as mentioned you would need to do BGP and announce the IP space to each ISP.
I really would recommend doing a video call with an advisor/consultant, working out your plan and seeing what you can do yourself and what needs to be outsourced.
Although BGP routing is not standard, the techniques are pretty straightforward, and I have trained many new people in the basics of troubleshooting it (it rarely just dies…).
It would be a SPOF but it would be one you can respond to without needing to involve clients. I’ll go AWS-specific since that’s my normal stomping ground:
You get an Elastic IP so you have a permanent claim on the IP. Then set up backups daily or hourly or whatever. If the hardware running the firewall fails just kill the VM, restore it from backup, and reassign the IP. AWS hosts failing is somewhat rare but it does happen - just like your Palo Alto might fail.
To go further, literally everything in AWS is scriptable. You could have a Lambda function that detects the VM dying and does the above automatically. I’d probably just set up an alarm to text me and call it a day.
There are times when an entire AWS region is hosed, but those make the news and you can just point to that. It depends how far you want to chase long tail events. A lot of people want infinite coverage after having to eat crow, but it can get prohibitively expensive.
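The "Lambda that detects the VM dying and reassigns the IP" step above, written out as an added example (not the commenter's code, and not an AWS-provided sample). It is shaped as a Lambda handler fed by an EventBridge "CloudWatch Alarm State Change" event and uses the real boto3 EC2 calls `describe_addresses`, `describe_instance_status` and `associate_address`. Assumptions: a warm standby firewall instance already exists (instead of restoring from backup at failover time), and the allocation ID, instance IDs and alarm name are placeholders. The `FakeEC2` class is a constructed stand-in for the boto3 client so the logic runs offline.

```python
"""Move an Elastic IP to a standby firewall when the primary's alarm fires.

Added example. Allocation/instance IDs and the alarm name are placeholders.
"""
import os
from typing import Any, Dict


def failover_eip(event: Dict[str, Any], ec2: Any, allocation_id: str, standby_id: str) -> Dict[str, Any]:
    """Decide and perform the EIP move; returns a dict describing what happened.

    ec2 is a boto3 EC2 client (or a test double with the same three methods).
    """
    # EventBridge delivers OK -> ALARM and ALARM -> OK transitions; only act on ALARM.
    state = event.get("detail", {}).get("state", {}).get("value")
    if state != "ALARM":
        return {"action": "ignored", "reason": f"state={state}"}

    addr = ec2.describe_addresses(AllocationIds=[allocation_id])["Addresses"][0]
    current = addr.get("InstanceId")  # None if the EIP is currently unassociated
    if current == standby_id:
        # Alarms can re-fire; make the handler idempotent.
        return {"action": "noop", "reason": "already on standby"}

    # Don't move the public IP onto a box that isn't actually running.
    status = ec2.describe_instance_status(InstanceIds=[standby_id], IncludeAllInstances=True)
    statuses = status.get("InstanceStatuses", [])
    if not statuses or statuses[0]["InstanceState"]["Name"] != "running":
        return {"action": "abort", "reason": "standby not running"}

    # AllowReassociation=True lets us steal the EIP from the (dead) primary without
    # a separate disassociate call.
    resp = ec2.associate_address(AllocationId=allocation_id, InstanceId=standby_id,
                                 AllowReassociation=True)
    return {"action": "reassociated", "from": current, "to": standby_id,
            "association_id": resp.get("AssociationId")}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Real entry point: reads the placeholder IDs from environment variables."""
    import boto3  # imported here so the module still imports without boto3 installed
    ec2 = boto3.client("ec2")
    return failover_eip(event, ec2,
                        os.environ["EIP_ALLOCATION_ID"],
                        os.environ["STANDBY_INSTANCE_ID"])


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client so the example runs offline."""

    def __init__(self, current_instance: str, standby_state: str = "running") -> None:
        self.current = current_instance
        self.standby_state = standby_state
        self.calls = []

    def describe_addresses(self, AllocationIds):
        return {"Addresses": [{"AllocationId": AllocationIds[0],
                               "PublicIp": "203.0.113.10",  # documentation range
                               "InstanceId": self.current}]}

    def describe_instance_status(self, InstanceIds, IncludeAllInstances=False):
        return {"InstanceStatuses": [{"InstanceId": InstanceIds[0],
                                      "InstanceState": {"Name": self.standby_state}}]}

    def associate_address(self, AllocationId, InstanceId, AllowReassociation=False):
        self.calls.append(("associate_address", AllocationId, InstanceId, AllowReassociation))
        self.current = InstanceId
        return {"AssociationId": "eipassoc-0fake"}


# Constructed EventBridge payload for a CloudWatch alarm going into ALARM.
ALARM_EVENT = {
    "source": "aws.cloudwatch",
    "detail-type": "CloudWatch Alarm State Change",
    "detail": {"alarmName": "fw-primary-status-check-failed",
               "state": {"value": "ALARM"},
               "previousState": {"value": "OK"}},
}


if __name__ == "__main__":
    fake = FakeEC2(current_instance="i-0primary")
    print(failover_eip(ALARM_EVENT, fake, "eipalloc-0example", "i-0standby"))
    print(failover_eip(ALARM_EVENT, fake, "eipalloc-0example", "i-0standby"))
```

For the alarm itself, the usual trigger is the instance's `StatusCheckFailed` metric, which is what a failed underlying host shows up as; the handler ignores the OK transition so nothing moves back automatically, which keeps the failback a deliberate human step.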
Totally agree, glad it wasn’t just me!
I appreciate your candor and, duly noted!
Coming from your ASAs, I’m sure the Palos are an awesome upgrade. And honestly, as a NGFW, I loved them. They have quite the learning curve, but after a few years with them, I really enjoyed how powerful the security features are.
HOWEVER…. It became clear these were security appliances first, and routers second. And honestly, in our environment, we needed the opposite. In a big enough environment, I’m sure you’d have a true router and a true NGFW, but we’re just not large enough to justify that.
So we are moving to Juniper SSRs, which are very much a router first and a security appliance second. There are features I certainly miss from the Palos, but it was the right choice for us, as these have massively improved our network redundancy through their more powerful routing engine with true BGP support (Palos have BGP, but with so many caveats).