Enable Palo Alto firewall integration on a master switch to securely redirect internet inbound traffic from
branch switches using the branch config group into the PAN firewall. This configuration setting can also be
used on standalone or local switches, but in these types of deployments the feature works only in
conjunction with the switch uplink VLAN manager feature.
The uplink VLAN manager is enabled by default on branch switch uplinks. On master or local (non-branch)
switches using the PAN portal feature, the uplink VLAN manager must be enabled using the uplink command in
the switch command-line interface.
Figure 41 Branch Switch and PAN Firewall Integration
Integration Workflow
The following steps describe the workflow to integrate a branch switch with a Palo Alto Networks (PAN)
Large-Scale VPN (LSVPN) firewall.
1. Palo Alto Portal certificates are installed on the master switch, and the master switch is configured with the
Palo Alto portal IP address or FQDN, Palo Alto certificate, and the username and password for device
authentication using the Configuration > Branch > Smart Config > WAN section of the master switch
WebUI.
2. The OAW-40xx Series branch switch is provisioned via the basic setup dialog.
3. The Palo Alto portal may be configured with the device number (a text string comprised of the device serial
number followed by its MAC address) of the branch switch(es) at each remote office site. This allows the
branch switch to bypass the username and password challenge to authenticate to the portal.
4. The branch switch initiates a secure connection to the Palo Alto portal. Once the branch switch is
authenticated, the Palo Alto portal sends the branch switch a list of PAN gateways and priority levels, and
the device appears in the PAN satellite list, as shown in the figure below.
AOS-W 6.5.3.x | User Guide BranchSwitch Config for Cloud Services Switches | 227