This article is part of a series on implementing BIG-IP SSL Orchestrator. It includes high availability and central management with BIG-IQ.
Implementing SSL/TLS decryption is not a trivial task. There are many factors to account for, from the network topology and insertion point to SSL/TLS keyrings, certificates, and cipher suites. This article focuses on configuring a third-party, inline Layer 2 security device and everything you need to know about it.
This article covers the configuration of a Palo Alto NGFW running PAN-OS version 9.0.3.
Please forgive me for using SSL and TLS interchangeably in this article.
The simplest Palo Alto deployment is in Layer 2, or Virtual Wire mode. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface.
From the Palo Alto UI go to the Network tab > Interfaces.
Click the name (ethernet1/X) of the interface you wish to configure.
Set the Interface Type to Virtual Wire and the Security Zone to trust. Click OK.
Do the same for the next interface.
Click the name of one of the interfaces configured previously. Click Virtual Wire > New Virtual Wire.
Give it a name. Select the 2 interfaces configured previously. Click OK and OK.
You will need to Commit the changes for them to take effect.
Note: setting the Security Zone to trust is needed for the F5 Health Monitors to work.
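To confirm the result after the commit, the following added example (not part of the original article and not Palo Alto or F5 tooling) checks an exported configuration for the settings above: each interface of a Virtual Wire has the Virtual Wire type and sits in the trust zone. The XML element layout is an assumption modelled on a PAN-OS configuration export, and the sample, including the name sslo-vwire, is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the check reads. The element
# layout is an assumption modelled on a PAN-OS export; sslo-vwire is made up.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network>
    <interface><ethernet>
      <entry name="ethernet1/1"><virtual-wire/></entry>
      <entry name="ethernet1/2"><virtual-wire/></entry>
    </ethernet></interface>
    <virtual-wire><entry name="sslo-vwire">
      <interface1>ethernet1/1</interface1>
      <interface2>ethernet1/2</interface2>
    </entry></virtual-wire>
  </network>
  <vsys><entry name="vsys1"><zone>
    <entry name="trust"><network><virtual-wire>
      <member>ethernet1/1</member>
    </virtual-wire></network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""

def check_virtual_wires(config_xml, required_zone="trust"):
    """Return a list of findings; an empty list means every pair is consistent."""
    root = ET.fromstring(config_xml)
    # Interfaces whose Interface Type is Virtual Wire.
    vwire_mode = {e.get("name") for e in root.iterfind(".//interface/ethernet/entry")
                  if e.find("virtual-wire") is not None}
    # Map each interface to the zone that lists it as a virtual-wire member.
    zone_of = {m.text: z.get("name") for z in root.iterfind(".//zone/entry")
               for m in z.iterfind("network/virtual-wire/member")}
    findings = []
    for vw in root.iterfind(".//network/virtual-wire/entry"):
        for tag in ("interface1", "interface2"):
            ifname = vw.findtext(tag)
            if ifname is None:
                findings.append(f"{vw.get('name')}: {tag} is not set")
            elif ifname not in vwire_mode:
                findings.append(f"{ifname}: interface type is not Virtual Wire")
            elif zone_of.get(ifname) != required_zone:
                findings.append(f"{ifname}: zone is {zone_of.get(ifname)}, expected {required_zone}")
    return findings

if __name__ == "__main__":
    for finding in check_virtual_wires(SAMPLE_CONFIG):
        print(finding)
```

The constructed sample deliberately leaves the second interface out of the trust zone, so the check reports it.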
In this article you learned how to configure a Palo Alto NGFW in Layer 2 mode.
The Palo Alto NGFW configuration can be downloaded from GitLab.
Contact Palo Alto Networks if you need additional assistance with their products.
Click Next to proceed to the next article in the series.