Multiple Interfaces for Network Segmentation Example

Figure 1 illustrates a deployment that uses multiple interfaces on M-500
appliances in Panorama mode and Log Collector mode. In this example, the
interfaces support network segmentation as follows:

Panorama management network—To protect the Panorama web interface, CLI,
and XML API from unauthorized access, the MGT interface on Panorama
connects to a subnetwork that only administrators can access.

Internet—Panorama uses the MGT interface to communicate with external
services such as the Palo Alto Networks Update Server.

Perimeter Gateway and Data Center—Panorama uses a separate pair of
interfaces to manage the firewalls and Log Collectors in each of these
subnetworks. Managing firewalls typically generates less traffic than
querying Log Collectors for report information. Therefore, Panorama uses
1Gbps interfaces (Eth1 and Eth2) for managing the firewalls and uses
10Gbps interfaces (Eth4 and Eth5) for querying and managing the Log
Collectors. Each Log Collector uses its MGT interface to respond to the
queries but uses its Eth4 and Eth5 interfaces for the heavier traffic
associated with collecting logs from the firewalls.

Software and content updates—The firewalls and Log Collectors in both
subnetworks retrieve software and content updates over the Eth3 interface
on Panorama.