Integrate NGFWs into Your Network
Learn about how to integrate Next-Generation Firewalls (NGFWs) into your network.
Where Can I Use This?
What Do I Need?
  • NGFW
All Palo Alto Networks NGFWs provide an out-of-band management port (MGT) that you can use to perform administrative functions. By using the MGT port, you separate the management functions of the NGFW from the data processing functions, which safeguards access to the NGFW and improves performance. When using the web interface, you must perform all initial configuration tasks from the MGT port, even if you plan to use an in-band data port for managing your NGFW going forward. This requirement applies whether you're setting up the firewall for standalone operation or onboarding it to Panorama or Strata Cloud Manager.
Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the internet. If you don’t want to enable external access to your MGT port, you will need to either set up an in-band data port to provide access to the required external services (using service routes) or plan to manually upload updates regularly.
Don’t enable access to your management interface from the internet or from other untrusted zones inside your enterprise security boundary. This applies whether you use the dedicated management port (MGT) or you configured a data port as your management interface. When integrating your firewall into your management network, follow the Administrative best practices to ensure that you're securing administrative access to your NGFWs and other security devices in a way that prevents successful attacks.
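The following PAN-OS CLI configuration is an added example, not part of this page, showing one way to apply the guidance above on the MGT port: restrict which source networks may reach the management interface and disable the unencrypted management services. The 10.10.0.0/24 management subnet and the 203.0.113.20 jump host are assumed values; replace them with your own.

```panos
# Enter configuration mode on the firewall CLI.
configure

# Before: no permitted-ip entries, so any source that can route to the MGT
# port may attempt to log in. After: only the management subnet and a single
# bastion host (assumed addresses) are allowed to reach MGT.
set deviceconfig system permitted-ip 10.10.0.0/24
set deviceconfig system permitted-ip 203.0.113.20/32

# Keep only the encrypted management services (HTTPS and SSH) enabled.
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes

# Apply the change.
commit
```

Verify from an address outside the permitted ranges that the MGT web interface and SSH no longer answer before relying on the change.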
After integrating the NGFWs into your network, learn how to perform the initial configuration steps that are necessary to integrate a new NGFW into the management network and deploy it in a basic security configuration.
The following topics describe how to integrate a single Palo Alto Networks NGFW into your network. However, for redundancy, consider deploying a pair of NGFWs in a high availability configuration.

Considerations for Business Continuity

Your business continuity plan should include provisions for how to connect to critical devices, including NGFWs and Panorama, during power outages and other events that prevent connecting to those devices over normal communication channels. The ability to connect to and manage devices on an out-of-band (OOB) network enables you to continue running your business when primary networks and power sources are down. Business continuity should be a core consideration of your network architecture.
An OOB network is a secure method of remotely accessing and managing devices that does not use the primary communication channels. Instead, OOB networks use separate communication channels that remain available if the primary channel fails and that have a different source of power than the primary network. Depending on your network architecture, you may use both the primary network and the OOB network to access and manage devices in day-to-day operation.
The OOB network should never rely on a power source or network that could fail concurrently with the primary access network. How you architect OOB access to devices depends on your network architecture and your business considerations, so there is no “one size fits all” method of ensuring connectivity. However, there are guidelines that help you understand how to meet the goals of an OOB access network:
  • Power considerations—Use a different power source (a separate circuit or a protected or battery-powered source) for the OOB network than you use for the regular access network. If you lose power to the regular network, you won’t lose power to the OOB network.
    Use power distribution unit (PDU) controls to remotely power devices on and off.
  • Secure connection method—There are a number of ways to connect securely to an OOB network, for example, a terminal server device, a modem, or a serial console server. Examples of secure networks you can use for OOB access include LTE, dial-up, and broadband (separated from the normal broadband network) networks. The connection method you use depends on your business needs and network architecture.
    Regardless of the method you select, the connection must be secure, with strong encryption and authentication.
    You can connect into an OOB network remotely using SSH with strong authentication over an Ethernet LAN or you can dial in over a serial connection. The outbound connection will be serial.
To get started with the initial setup and configuration of your NGFWs, see the initial configuration topics.