Implementing SSL Orchestrator - L2 Service Configuration (Palo Alto)

Introduction

This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ.

Implementing SSL/TLS Decryption is not a trivial task. There are many factors to keep in mind and account for, from the network topology and insertion point, to SSL/TLS keyrings, certificates, ciphersuites and on and on. This article focuses on configuring a 3rd party, inline Layer 2 security device and everything you need to know about it.

This article covers the configuration of a Palo Alto NGFW running PAN-OS version 9.0.3.

Please forgive me for using SSL and TLS interchangeably in this article.

The simplest Palo Alto deployment is in Layer 2, or Virtual Wire mode. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. 

From the Palo Alto UI go to the Network tab > Interfaces.  

Click the name (ethernet1/X) of the interface you wish to configure.  

Set the Interface Type to Virtual Wire and the Security Zone to trust. Click OK. 

Do the same for the next interface.

Click the name of one of the interfaces configured previously. Click Virtual Wire > New Virtual Wire.  

Give it a name. Select the 2 interfaces configured previously. Click OK and OK.  

You will need to Commit the changes for them to take effect.

Note: setting the Security Zone to trust is needed for the F5 Health Monitors to work.
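The procedure above is done by clicking through the PAN-OS UI, so it is easy to end up with one interface still in Layer 3 mode or outside the trust zone, which silently breaks the virtual wire or the F5 health monitors. The script below is an added example (not from the original article and not a Palo Alto Networks tool) that reads an exported PAN-OS configuration and verifies the three prerequisites the article sets up: both interfaces are in virtual-wire mode, they are paired by one virtual-wire object, and both sit in the expected security zone. The XML layout it walks (`network/interface/ethernet`, `network/virtual-wire`, `vsys/entry/zone`) is assumed from a constructed sample embedded in the script, so adjust the paths if your export differs.

```python
"""Sanity-check a PAN-OS virtual-wire pair for use as an SSL Orchestrator L2 service.

Added example, not from the original article or from Palo Alto Networks. It
parses the XML layout assumed here for an exported PAN-OS configuration
(constructed sample below) and checks the three things the article's
procedure sets up:
  1. both interfaces are in virtual-wire mode,
  2. they are paired by a single virtual-wire object,
  3. both sit in the same security zone (the article uses "trust",
     which the F5 health monitors need).
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant fragment of an exported PAN-OS config.
# ethernet1/3 is deliberately left in layer3 mode to show a failing check.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <interface><ethernet>
        <entry name="ethernet1/1"><virtual-wire/></entry>
        <entry name="ethernet1/2"><virtual-wire/></entry>
        <entry name="ethernet1/3"><layer3/></entry>
      </ethernet></interface>
      <virtual-wire>
        <entry name="sslo-vwire">
          <interface1>ethernet1/1</interface1>
          <interface2>ethernet1/2</interface2>
        </entry>
      </virtual-wire>
    </network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="trust"><network><virtual-wire>
          <member>ethernet1/1</member>
          <member>ethernet1/2</member>
        </virtual-wire></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>"""


def interface_modes(root):
    """Map ethernet interface name -> mode tag (virtual-wire, layer3, ...)."""
    modes = {}
    for entry in root.iterfind(".//network/interface/ethernet/entry"):
        children = [c.tag for c in entry]
        modes[entry.get("name")] = children[0] if children else None
    return modes


def virtual_wires(root):
    """Map virtual-wire name -> (interface1, interface2)."""
    return {
        e.get("name"): (e.findtext("interface1"), e.findtext("interface2"))
        for e in root.iterfind(".//network/virtual-wire/entry")
    }


def zone_of(root, ifname):
    """Return the zone that lists ifname as a virtual-wire member, or None."""
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        members = [m.text for m in zone.iterfind("network/virtual-wire/member")]
        if ifname in members:
            return zone.get("name")
    return None


def check_vwire(config_xml, vwire_name, expected_zone="trust"):
    """Return a list of findings; an empty list means the pair is ready."""
    root = ET.fromstring(config_xml)
    findings = []
    wires = virtual_wires(root)
    if vwire_name not in wires:
        return [f"virtual wire {vwire_name!r} not defined"]
    modes = interface_modes(root)
    for ifname in wires[vwire_name]:
        if modes.get(ifname) != "virtual-wire":
            findings.append(
                f"{ifname}: interface type is {modes.get(ifname)!r}, not virtual-wire"
            )
        zone = zone_of(root, ifname)
        if zone != expected_zone:
            findings.append(f"{ifname}: zone is {zone!r}, expected {expected_zone!r}")
    return findings


if __name__ == "__main__":
    # Run against the embedded sample; substitute the contents of a real
    # exported config file (e.g. open(path).read()) in practice.
    for line in check_vwire(SAMPLE_CONFIG, "sslo-vwire") or ["OK: virtual wire ready"]:
        print(line)
```

Run it after the Commit step and before pointing SSL Orchestrator at the service; an empty findings list means the pair matches what the article configures, and each finding names the interface and which of the three conditions it fails.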

Summary

In this article you learned how to configure a Palo Alto NGFW in Layer 2 mode.

The Palo Alto NGFW configuration used in this article can be downloaded from GitLab.

Next Steps

Contact Palo Alto Networks if you need additional assistance with their products.

Click Next to proceed to the next article in the series.

Published Jan 10, 2020
Version 1.0
  • Hi Kevin,


    Just one simple question - but quite important when designing a solution. Is it necessary to use separate physical interfaces for traffic going into the L2 service and coming back from this service? Is it not possible to define VLANs (tagged) on the same interface? Or is it not really a limitation on the BIG-IP side but rather on the Palo side - so it is not able to bridge between two different VLANs on a single physical interface?

    In other words, if the external L2 service supports bridging between two VLANs on one interface, will one interface and two tagged VLANs on the BIG-IP work?

    Piotr

  • My understanding is you can theoretically use a single physical interface with a whole bunch of vlans.

  • Hi,

    OK, will try to test it in my lab. Got confirmation from other source that such setup is working in production 😎

    Piotr