Ok guys, this is my first ever article. I rarely want to go to a debate on who is right or wrong an a particular deployment mode because I strongly believe that everyone has different use cases and they all are valid. But on this particular use case, I would like to share my experience with vwire. The main reason I put this together is because there is an article that is written a while ago ( 2012 to be exact ) which I believe is not accurate. A customer of mine asked me about this article a while ago and at that time, I did not really dig down into the technical details. For some funny reason, this came up again recently and a colleague of mine asking about this particular issue that was outlined in the article.
Let’s take a look at each step in greater detail. Change the Default Login Credentials. Step 1: Establish connectivity with the Palo Alto Networks Firewall by connecting an Ethernet cable between the Management and the laptop’s Ethernet interface. Step 2: Configure the laptop Ethernet interface with an IP address within the 192.168.1.0/24 network. Keep in mind that we’ll find the Palo. Installing System Center 2012 R2. This document shows the steps for Installing System Center 2012 R2 Configuration Manager on windows server. Windows Virtual PC and Windows XP Mode Setup and Installation Guide. After you install Windows Virtual PC, start the virtual machine that is running Windows XP with SP3 or Windows Vista with SP1.
So let me start with vwire mode. From Palo Alto Networks official documentation, 'In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall.' https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces#ida53e3d57-15df-44da-9a49-a1115c6e5a82
As you can see from the description, virtual wire mode was designed to help us install the firewall transparently onto a network without the need to change broadcast or routing domain. When you have a packet coming into one of the vwire interface pair, then the same exact packet coming out from the other interface. No changes to the L2 and L3 header.
hen the founders of Palo Alto Networks started the company, Vwire mode came on the idea of how can they proof the value of this new 'Next Generation Firewall' without the need of re-architecting L3 domain and delaying the process. When I joined Palo Alto Networks, vwire mode proven to be quite effective. At that time, not many people heard of Palo Alto Networks NGFW, and as you can imagine, every where we go, there is already a firewall/s installed on the network. To convince someone ( or even myself ) to rip out my routing domain and install another L3 device which then I have to uninstall in a couple of weeks is a massive risk to the business. vwire provides a less risky deployment with the benefit of having the firewall inline to the traffic. One can argue that Tap mode is the easiest and non-intrusive way of testing the firewall and I agree with that, but I won't go into Tap versus vwire discussion in this article. I havent seen many vwire deployment lately, but that is due to the fact that Palo Alto Networks now is the leader in the enterprise firewall space and is part of the L3 domain which negate the needs of using vwire mode. But that doesn't mean there is no longer use case for vwire mode.
Now, let's go back to the testing that I've done. Quite simple actually. Using the design of 'router on a stick', I have a router/firewall/L3 device, that sits on the north side of the L2 switch. The router connected to the switch via trunk link, inter-vlan routing is performed by the router. The switch is configured as a L2 switch only. There router has 2 sub-interfaces, each sub-interface acts as the default gateway for the particular vlan. On the south side, I have 2 hosts connected to the switch. One host in vlan 200 and another in vlan 201. The hosts default gateway is the router's sub-interface.
I then run nginx in Docker on Host 201 to prove I can establish a full 3 way handshake from Host 200 to Host 201. I can successfully ping and browse from Host 200 to Host 201.
My aim is now to 'insert' Palo Alto Networks NGFW into this network using vwire mode and achieve the same connectivity without changing any L3 domain. I configure 2 interfaces to be the vwire interface pair, ethernet 1/3 and ethernet 1/4, then assign ethernet 1/3 to a vwire zone, called trust-vwire, and ethernet 1/4 to untrust-vwire zone.
Next, is to configure the vwire configuration itself. Always remember when you insert the firewall into a trunk link, always assign the allowed vlans in the 'Tag Allowed' column, otherwise the firewall drops every vlan and only allow native vlan 0 by default.
From Palo Alto Networks official documentation page. https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking/configure-interfaces/virtual-wire-interfaces/configure-virtual-wires
'For Tag Allowed, enter 0 to indicate untagged traffic (such as BPDUs and other Layer 2 control traffic) is allowed. The absence of a tag implies tag 0. Enter additional allowed tag integers or ranges of tags, separated by commas (default is 0; range is 0 to 4,094)'
Do not miss this step ! I've seen so many misconfiguration on this and people go into the default mode 'blame the firewall'
In short, the topology is as the per below diagram after the 'firewall insertion'.
For the sake of simplicity, I allowed any traffic from anywhere to everywhere. I know, this is not a good practice, it is terrible practice, but this article is not about that, it's about understanding how vwire works.
Now let's go to the fun part. Testing. So, following the rule of vwire pair, what comes in on one interface needs to come out on another, I would expect the traffic flow is as per the below.
- Traffic originated from Host 200 enters vwire-trust zone on ethernet 1/3
- exits vwire-untrust zone on ethernet 1/4
- routed by the north-bound router back to the firewall
- enters vwire-untrust zone on ethernet 1/4
- exits vwire-trust zone on ethernet 1/3
- then arrives at the destination, Host 201
as you can see from the the above steps, the same packet will hit the firewall twice and this is expected due to the 'router on a stick' topology. With a simple ping test, the result is as expected. I can see the packet traverses the firewall, router back to the firewall and the destination. This can be proven by looking at the monitor page on the firewall.
As I mentioned before, the firewall will see the packet twice in a reverse order and this is an expected behaviour. So far, the testing is looking very good. I am wondering, is there any difference if I use an application that use a stateful protocol instead of stateless such as ICMP. so I decided to use a simple web server to test TCP 3 hand shake.
The flow is the same with the previous test. Generates an HTTP request from Host 200 to Host 201, and as expected, I was able to successfully access the web page with no issue, and this can be proves by quickly running 'show session all filter application web-browsing' on the CLI.
As you can see from the tests that I performed, vwire is proven to be useful in an environment where you do not want or cannot change any L3 domain. There are some other useful vwire features and use cases that I won't discuss in this article, such as vwire sub-interfaces. if time permitted, in my next article I am going to write a more complex use cases for vwire, but I do not see much vwire deployment requests lately, so I might put my time and effort that is more relevant in production such as BGP use cases, troubleshooting, log links feature with Dynamic Address Group ( Ben Burt's idea to publish an article on Log Links), etc.