In a large-scale network, you can improve security and
reduce congestion by implementing network segmentation, which involves
segregating the subnetworks based on resource usage, user roles,
and security requirements. Panorama supports network segmentation
by enabling you to use multiple M-Series Appliance Interfaces for managing
devices (firewalls, Log Collectors, and WildFire appliances and
appliance clusters) and collecting logs; you can assign separate
interfaces to the devices on separate subnetworks.
Using multiple interfaces to collect logs also provides the benefit
of load balancing, which is particularly useful in environments
where the firewalls forward logs at high rates to the Log Collectors.
If you enable the forward-to-all-Log-Collectors option in the Collector
Group log forwarding preference list, logs are sent on all configured
interfaces.
Otherwise, logs are forwarded over a single interface, and if that
interface goes down, log forwarding continues over the next configured
interface. For example, you configure Eth1/1, Eth1/2, and Eth1/3
for log forwarding. In the event the Eth1/1 interface goes down,
log forwarding continues over Eth1/2.
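The two forwarding behaviours described above (send on every configured interface when the forward-to-all option is enabled, otherwise send on one interface and fail over to the next configured one) can be modelled in a few lines. The following is an added illustration written for this page, not Panorama's own code; the interface names and the function name are assumptions, and the ordering rule (first available interface in configured order) is taken from the example in the text.

```python
# Model of the log-forwarding interface selection described on the page.
# Illustrative only: this is not Panorama code, and interface names such as
# "Eth1/1" are constructed to match the page's example.

from typing import Iterable


def select_forwarding_interfaces(configured: list[str],
                                 down: Iterable[str],
                                 forward_to_all: bool) -> list[str]:
    """Return the interfaces over which logs are forwarded.

    configured:     interfaces in the order they were configured for log forwarding
    down:           interfaces that are currently unavailable
    forward_to_all: state of the "forward to all Log Collectors" option
    """
    down_set = set(down)
    # Keep configured order so failover picks the "next configured interface".
    available = [name for name in configured if name not in down_set]
    if not available:
        return []              # no usable interface: forwarding cannot proceed
    if forward_to_all:
        return available       # load-balance across every available interface
    return [available[0]]      # single active interface; next one on failure


if __name__ == "__main__":
    links = ["Eth1/1", "Eth1/2", "Eth1/3"]
    print("single, all up:     ", select_forwarding_interfaces(links, [], False))
    print("single, Eth1/1 down:", select_forwarding_interfaces(links, ["Eth1/1"], False))
    print("forward-to-all:     ", select_forwarding_interfaces(links, [], True))
```

With the page's example (Eth1/1, Eth1/2, Eth1/3 configured), the single-interface mode yields Eth1/1 while it is up and Eth1/2 once Eth1/1 fails; the forward-to-all mode returns every interface that is still up.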
Because administrators access and manage Panorama over the MGT
interface, securing that interface is especially important. One
method for improving the security of the MGT interface is to offload
Panorama services to other interfaces. In addition to device management
and log collection, you can also offload Collector Group communication
and deployment of software and content updates to firewalls, Log Collectors,
and WildFire appliances and appliance clusters. By offloading these services,
you can reserve the MGT interface for administrative traffic and
assign it to a secure subnetwork that is segregated from the subnetworks
where your firewalls, Log Collectors, and WildFire appliances and
appliance clusters reside.