Integrate NGFWs into Your Network
Learn about how to integrate Next-Generation Firewalls (NGFWs) into your
network.
All Palo Alto Networks NGFWs provide an out-of-band management port (MGT) that you can
use to perform the administrative functions. By using the MGT port, you separate the
management functions of the NGFW from the data processing functions, safeguarding access
to the NGFW, and enhancing performance. When using the web interface, you must perform
all initial configuration tasks from the MGT port even if you plan to use an in-band
data port for managing your NGFW going forward. This requirement applies whether you're
setting up the firewall for standalone operation or onboarding to Panorama or Strata
Cloud Manager.
Some management tasks, such as retrieving licenses and updating the threat and
application signatures on the firewall, require access to the internet. If you don’t want
to enable external access to your MGT port, you will need to either set up an in-band
data port to provide access to the required external services (using service routes) or plan
to manually upload updates regularly.
Don’t enable access to your management interface from the internet or from other
untrusted zones inside your enterprise security boundary. This applies whether you
use the dedicated management port (MGT) or you configured a data port as your
management interface. When integrating your firewall into your management network,
follow the Administrative best practices to ensure that you're securing
administrative access to your NGFWs and other security devices in a way that
prevents successful attacks.
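One practical way to enforce the rule above is to audit the source addresses a management interface is permitted to accept before you commit a configuration. The following Python script is an added example, not Palo Alto Networks code and not tied to any PAN-OS API; it assumes a "permitted IP" style allow-list, as found on management profiles, and a constructed list of trusted administrative networks. It flags an empty allow-list (treated here as allow-from-anywhere), any 0.0.0.0/0 or ::/0 entry, and any entry that falls outside the trusted administrative networks.

```python
import ipaddress

# Constructed example: the networks from which administrators are allowed to reach
# the management interface. These values are assumptions for illustration only.
TRUSTED_ADMIN_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),   # out-of-band management VLAN (assumed)
    ipaddress.ip_network("10.20.5.0/28"),   # jump hosts (assumed)
]


def audit_permitted_ips(permitted, trusted=TRUSTED_ADMIN_NETWORKS):
    """Return a list of findings for management allow-list entries that would
    expose the management interface beyond the trusted administrative networks.

    `permitted` is an iterable of address or CIDR strings as you would enter
    them in a permitted-IP list (e.g. "10.10.0.0/24" or "10.20.5.4").
    An empty list is reported as a finding: it is treated here as
    "allow from any source", which is the unsafe default on many platforms.
    """
    findings = []
    entries = list(permitted)
    if not entries:
        findings.append("permitted-IP list is empty: management reachable from any source")
        return findings

    for raw in entries:
        try:
            # strict=False accepts host bits set, e.g. "10.20.5.4/24"
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(f"{raw}: not a valid IP address or network")
            continue

        # A zero-length prefix means the whole address family, i.e. the internet.
        if net.prefixlen == 0:
            findings.append(f"{raw}: allows the whole address family (internet-exposed)")
            continue

        # Compare only against trusted networks of the same IP version;
        # subnet_of() raises TypeError when versions differ.
        same_version = [t for t in trusted if t.version == net.version]
        if not any(net.subnet_of(t) for t in same_version):
            findings.append(f"{raw}: outside the trusted administrative networks")

    return findings


def is_management_access_safe(permitted, trusted=TRUSTED_ADMIN_NETWORKS):
    """True when every allow-list entry sits inside a trusted admin network."""
    return not audit_permitted_ips(permitted, trusted)


if __name__ == "__main__":
    # Constructed allow-lists to exercise the checks.
    samples = {
        "good": ["10.10.0.0/24", "10.20.5.4"],
        "empty": [],
        "wide-open": ["0.0.0.0/0"],
        "mixed": ["10.10.0.0/24", "203.0.113.0/24", "not-an-ip"],
    }
    for name, allow_list in samples.items():
        print(f"[{name}] safe={is_management_access_safe(allow_list)}")
        for finding in audit_permitted_ips(allow_list):
            print("   -", finding)
```

Run the audit against the allow-list you intend to commit; any finding means the management interface would be reachable from a source outside your designated administrative networks and the entry should be removed or tightened before the change is applied.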
After integrating the NGFWs into your network, learn how to perform the initial
configuration steps that are necessary to integrate a new NGFW into the management
network and deploy it in a basic security configuration.
The following topics describe how to integrate a single Palo Alto Networks NGFW into
your network. However, for redundancy, consider deploying a pair of NGFWs in a high
availability configuration.
Considerations for Business Continuity
Your business continuity plan should include provisions for how to
connect to critical devices, including NGFWs and Panorama, during power outages and
other events that prevent connecting to those devices over normal communication
channels. The ability to connect to and manage devices on an out-of-band (OOB)
network enables you to continue running your business when primary networks and
power sources are down. Business continuity should be a core consideration of your
network architecture.
An OOB network is a secure method of remotely accessing and managing devices and
does not use the primary communication channels. Instead, OOB networks use
separate communication channels that remain available if the primary channel
fails and that have a different source of power than the primary network. Depending on
your network architecture, you may use both the primary network and the OOB
network to access and manage devices in day-to-day operation.
The OOB network should never rely on a power source or network that could fail
concurrently with the primary access network. How you architect OOB access to
devices depends on your network architecture and your business considerations, so
there is no “one size fits all” method of ensuring connectivity. However, there are
guidelines that help you understand how to meet the goals of an OOB access
network:
Power considerations—Use a different power source (a separate circuit
or a protected or battery-powered source) for the OOB network than you use
for the regular access network. If you lose power to the regular network,
you won’t lose power to the OOB network.
Use power distribution unit (PDU) controls to remotely power devices on and
off.
Secure connection method—There are a number of ways to connect
securely to an OOB network, for example, a terminal server device, a modem,
or a serial console server. Examples of secure networks you can use for OOB
access include LTE, dial-up, and broadband (separated from the normal
broadband network) networks. The connection method you use depends on your
business needs and network architecture.
Regardless of the method you select, the connection must be secure, with
strong encryption and authentication.
You can connect to an OOB network remotely using SSH with strong
authentication over an Ethernet LAN, or you can dial in over a serial
connection. The outbound connection will be serial.
To get started with the initial setup and configuration of your NGFWs, see the
initial configuration topics.