Fully separating traffic is easy with a Palo Alto Networks next-generation firewall, while with other vendors you might need dedicated virtual systems. With PANW, adding another virtual router is enough. In a moment I will show you the concept, including inter-VR routing.

If this is your first time here, I’m Lars from Consigas. We call ourselves the Palo Alto Networks Experts, because the next-generation firewall is our passion. It’s what we do all day, every day: migrating firewalls, providing managed services and, most important, implementing security best practices. When I started to work with this box in 2010, hardly anyone knew about Palo Alto Networks, but as an engineer I felt that this solution would change the world of cyber security, and yes, today we know it did, big time, because it’s one of the few security solutions that can truly secure your network. However, there’s a caveat: you need to set it up in the right way in order for it to be effective, because while it’s awesome, it’s not a magic box! So over the years we became Professional Services Partners for Palo Alto Networks, as well as one of the few Elite Authorized Training Centers (eATC). After working in the field for so many years and being a trainer, I would like to share my experience with you. So over the next couple of weeks and months we’ll release new videos on the core concepts of the NG Firewall, starting with the threat landscape, deployment methods, NAT, App-ID, SSL decryption, VPNs and many more. So follow us on LinkedIn, YouTube or Twitter to stay up to date.

But now let’s get started with Virtual Routers (VR). The basic concept of a Virtual Router is simple: we have a layer 3 interface on the inside and one on the outside, and we use a Virtual Router to tie them together. The VR’s routing table decides which traffic goes where. They are called Virtual Routers because we can have multiple ones on the same firewall, each with its own routing table, very similar to virtual routers (VRFs) on a physical router.
So let’s say we have our production environment, and in parallel to it a pre-production environment that uses the very same IP subnet, 192.168.17.0/24. Both are connected to the firewall, and what we want is an independent data path for the pre-production network, including its own access to the internet. What we do is define a layer 3 interface for pre-production and create a dedicated Virtual Router for it. We now have one VR for the production environment and a dedicated VR for the pre-production environment, which on the outside also has its own interface connecting that infrastructure to the internet. Now we have two completely separate flows through the firewall, and because each VR has its own routing table, there is no path from one environment to the other: a very clean separation. The beauty of such a setup, from a security policy point of view, is that we can apply the very same security policy to production and pre-production. When we move a server from one environment to the other, we already know that the policy works, because we tested it in pre-production. So we define one zone, the production zone, and assign it to both inside interfaces, and on the outside we have one internet zone, which is assigned to both outside interfaces. If we now write a security policy that simply says “from production zone to internet”, it doesn’t care about interfaces or VRs: the same policy applies to both environments, and it’s completely transparent. That’s a very nice way to separate environments using virtual routers. Now let’s go a little bit further with our example and say that both environments also have a dedicated management network.
So here we have a management network for our production environment, and likewise a management network for our pre-production environment. It’s important for this example that these two networks have unique IP subnets: 10.1.1.0/24 for the production management network and 10.2.2.0/24 for the pre-production management network. Both are connected to the firewall and attached to their respective Virtual Router, so each management network has connectivity into its own environment. Let’s say that for better or more effective operations we also need connectivity between the two management networks. This we can do with inter-VR routing, that is, routing between Virtual Routers. In the production VR we add a static route saying that the subnet 10.2.2.0/24 is reachable via the pre-production Virtual Router; the next hop of that route is not an IP address but the other VR. Very important: we do the same the other way around. In the pre-production VR we add a route saying that 10.1.1.0/24 is reachable via the production VR; without it the return traffic has no route. Obviously we also have zones here, a management zone for production and one for pre-production, and when we define a security policy that allows communication from one management zone to the other, the two Virtual Routers make sure that we have connectivity, and the security policy then simply allows the traffic to flow. So we can have multiple VRs, and we can also route between them. It’s important that this only works for subnets that are unique between the two VRs.
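As an added example (not from the video), here is how the design described above could be built with PAN-OS configure-mode `set` commands. Interface numbers, VR names, zone names, the upstream next-hop addresses and the applications used in the rules are assumptions made for illustration; the subnets are the ones from the example.

```panos
# Added example, not from the original video. Interface names, VR names,
# zone names, upstream gateways and rule applications are assumptions.

# Layer 3 interfaces. Production and pre-production reuse 192.168.17.0/24
# (allowed because they sit in different VRs); management subnets are unique.
set network interface ethernet ethernet1/1 layer3 ip 192.168.17.1/24
set network interface ethernet ethernet1/2 layer3 ip 203.0.113.2/30
set network interface ethernet ethernet1/3 layer3 ip 192.168.17.1/24
set network interface ethernet ethernet1/4 layer3 ip 203.0.113.6/30
set network interface ethernet ethernet1/5 layer3 ip 10.1.1.1/24
set network interface ethernet ethernet1/6 layer3 ip 10.2.2.1/24

# One VR per environment; each owns its inside, outside and management
# interface and therefore has its own independent routing table.
set network virtual-router prod interface [ ethernet1/1 ethernet1/2 ethernet1/5 ]
set network virtual-router preprod interface [ ethernet1/3 ethernet1/4 ethernet1/6 ]

# Independent default routes to the internet (gateway addresses assumed).
set network virtual-router prod routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.1 interface ethernet1/2
set network virtual-router preprod routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 203.0.113.5 interface ethernet1/4

# Inter-VR routing: the next hop is the other VR, not an IP address.
# Both directions are required, otherwise return traffic has no route.
set network virtual-router prod routing-table ip static-route to-preprod-mgmt destination 10.2.2.0/24 nexthop next-vr preprod
set network virtual-router preprod routing-table ip static-route to-prod-mgmt destination 10.1.1.0/24 nexthop next-vr prod
# Deliberately no inter-VR route for 192.168.17.0/24: each VR already holds it
# as a connected route, so the server networks stay unreachable across VRs.

# Zones are shared by both environments, so one rulebase covers both.
set zone production network layer3 [ ethernet1/1 ethernet1/3 ]
set zone internet network layer3 [ ethernet1/2 ethernet1/4 ]
set zone mgmt-prod network layer3 ethernet1/5
set zone mgmt-preprod network layer3 ethernet1/6

# Security policy is written per zone, so it applies to both VRs unchanged.
set rulebase security rules prod-to-internet from production to internet source any destination any application [ web-browsing ssl ] service application-default action allow log-end yes
set rulebase security rules mgmt-prod-to-preprod from mgmt-prod to mgmt-preprod source any destination any application [ ssh ping ] service application-default action allow log-end yes
set rulebase security rules mgmt-preprod-to-prod from mgmt-preprod to mgmt-prod source any destination any application [ ssh ping ] service application-default action allow log-end yes

commit
```

Two things to check after the commit: the separation of the two 192.168.17.0/24 networks rests solely on the absence of a route between the VRs, and route lookup is longest-prefix match, so a more specific static route (say a /25 with `next-vr`) added later would win over the connected /24 and punch a hole through the separation. Review each VR’s static routes whenever they change, and confirm the inter-VR paths with the firewall’s routing table (`show routing route`) and a policy match test (`test security-policy-match`) before relying on them.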
For instance, the pre-production management network has no connectivity into the production server network: when its traffic for 192.168.17.0/24 arrives in the pre-production VR, the lookup always matches that VR’s own connected 192.168.17.0/24 route and the traffic goes down into pre-production, and the same applies the other way around. But we can still provide connectivity between the two management networks.

By the way, if you’re interested in security best practices for Palo Alto Networks, then check out the blog on our webpage. In the best practice section you can download a worksheet with over 120 best practices for the next-generation firewall, and very soon we will also launch the security best practice training, with a lot of videos explaining all of these security best practices in detail. So if you’re interested, sign up to our mailing list and we will let you know as soon as this free training is available!