  1. Senior Member Robbo777's Avatar
    Join Date
    Aug 2015
    Location
    UK
    Posts
    298
    #1

    Default ASA question and placement in a network?

    Hi, I have a question about setting up an ASA with a lab network in Packet Tracer. I was wondering where the best place to put it would be? Should I put it after the router and connected to a cloud, or put it before the router so the router is the last point connected to the cloud?
    Does this also mean that the ASA needs basically the same config, such as the full routing table from the router, or does the ASA just analyse traffic passing through it, and could I just not allow any unknown traffic to pass through to the "inside" interface?

    Thanks

  3. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    11,645

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #2
    Best place depends on what the goals of the network are.
    An expert is a man who has made all the mistakes which can be made.

  4. Senior Member Robbo777's Avatar
    Join Date
    Aug 2015
    Location
    UK
    Posts
    298
    #3
    Quote Originally Posted by networker050184 View Post
    Best place depends on what the goals of the network are.
    Network security is the main reason. I'm guessing that means put it ahead of the router and connect the ASA directly to the cloud?

  5. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    11,645

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #4
    Again, it all depends. What is the router doing? If it's behind the ASA is it even needed? What exactly is the ASA securing and how?
    An expert is a man who has made all the mistakes which can be made.

  6. Senior Member sucanushie's Avatar
    Join Date
    Apr 2013
    Location
    Canada
    Posts
    158

    Certifications
    MCTS, Windows 7, MCITP: EDA Win7,CCNA Security,CCNA Voice, CCNP R&S
    #5
    Generally your ASA is going to secure your edge. At least at the CCNA level.

    So you might see the outside interface of your ASA connected to the internet, which is generally a router. The inside interface can be connected to a switch.

    The ASA will have a default route with the next hop of your router's IP, as well as NAT and all of your hosts on the inside would have their default gateway set to the inside interface of the ASA.

    I hope that makes sense.

  7. Senior Member Robbo777's Avatar
    Join Date
    Aug 2015
    Location
    UK
    Posts
    298
    #6
    Quote Originally Posted by sucanushie View Post
    Generally your ASA is going to secure your edge. At least at the CCNA level.

    So you might see the outside interface of your ASA connected to the internet, which is generally a router. The inside interface can be connected to a switch.

    The ASA will have a default route with the next hop of your router's IP, as well as NAT and all of your hosts on the inside would have their default gateway set to the inside interface of the ASA.

    I hope that makes sense.

    I see, so is there much point in having a router in your example? One question as well, why would the ASA be doing NAT when it still needs to pass through to the router? Surely it would make more sense for the router to do NAT?

    Thanks

  8. Network Engineer Dieg0M's Avatar
    Join Date
    Jun 2013
    Location
    Montreal
    Posts
    853

    Certifications
    CCIE #48240, CCDP
    #7
    It really depends on what the business and technical requirements are. Generally, you do not want to do dynamic routing on a firewall, so if BGP is required to the provider, you will have a router. Most ASAs do not even support BGP or IGP, or do but have a hard time handling full internet routing tables. Also, you might want to consider ZBF if you just want to keep a router in the picture, but in my opinion ASAs are a better option if clustering is required.
    Follow my CCDE journey at www.routingnull0.com

  9. Senior Member
    Join Date
    Mar 2013
    Posts
    2,411
    #8
    ASA placement also depends upon if you manage the router or if the ISP manages the router.

    If you manage the router to the demarc with the ISP handoff, then you typically place it after the router with, as mentioned above, the default gateway being the router.

    If you don't manage the router, you still place it after the router.

    However, while the above is typical, you can place a firewall on a secondary ISP connection for VPN access (or a firewall-to-firewall tunnel) or web services like payment servers and such that need security on top of flow control. With that being said, firewalls have limitations as they don't support advanced routing protocols.

    Me personally, in my home-lab I now have a 1921 with a Cable WIC and I let my ISP manage the WIC and I control the router, but I still connect my Sonicwall into the 1921, using the 1921 as the default gateway. But it allows me now to use more advanced routing protocols to my friends that also have home-labs when we do WAN connections to our home-networks for home-based LAN parties.

    It all depends, as mentioned above, on network design and needs.
    Last edited by Deathmage; 12-02-2015 at 03:31 PM.

  10. Senior Member Mitechniq's Avatar
    Join Date
    Jun 2012
    Posts
    262

    Certifications
    CCNA, GIAC G2700, VCP5-DCV C|EH, ISC2 CISSP, AWS-PSA (Most have Expired)
    #9
    Let the router route and the ASA do firewall stuff.

    Usually, I have a router on the edge for routing and configure it to do simple IP/port ACLs in and out. The router also does my NATing of the ASA interface or any DMZ requirements I might have.

    Once it passes the Router it goes to the ASA for further inspection, which could be considered 'defense in depth.'

    There are several other scenarios and more complicated solutions, but for your one-router, one-ASA network I think this works best.

  11. Senior Member
    Join Date
    Jan 2012
    Posts
    1,237

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #10
    Quote Originally Posted by Robbo777 View Post
    One question as well, why would the ASA be doing NAT when it still needs to pass through to the router? Surely it would make more sense for the router to do NAT?

    Thanks
    It's a security issue. As stated earlier, it really depends on the design. When working with a firewall, the security policies can protect the NAT entries, such as static NAT which maps an internal IP address to the external IP address. The router is not good for using as a firewall: too many holes. If you configure NAT on the edge router and not on the firewall, then that means an outside attacker can attack your router and get access to the internal network. That's why, as per Cisco, it marks an internet edge router as the "untrusted zone".

    @Robo
    I know everyone keeps replying with "it depends on the design", but it's true. There isn't one right way to do something; it really depends on the parameters of the network and the available equipment.

    Sometimes you have to be a bit creative to get a working solution. I know one time, for a teleworker that needed a Cisco IP phone at their house, we set up an 1841 with a site-to-site VPN to HQ that had NAT enabled, NAT exempt rules and ACLs for the tunnel and the personal network. He had a consumer-based router/wifi that was placed behind the 1841 and it served as the firewall and NAT as well for his personal network.
    Netgear router>Router>Internet
    Last edited by dmarcisco; 12-02-2015 at 05:10 PM.
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  12. Senior Member
    Join Date
    Jan 2012
    Posts
    1,237

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #11
    @Robo

    When I first was learning about firewalls I had a similar question so I understand the confusion when dealing with placement with a router and ASA on the same network. I will do my best to try to explain it with a high level view hopefully I do not confuse you any further.

    As mentioned earlier placement of the ASA really depends on the network design and what you are trying to achieve. Router and ASA placement depends on certain variables. There are different ways to do things and you can take a look at design guides to get a more in depth look but I'm going to give a few examples just to give you a general idea.

    If the Router is connected to the ISP via serial link or responsible for routing to external networks and it's connecting to these networks with BGP and/or MPLS, then the router will connect as the edge device which connects to the "cloud (internet)". In this scenario the router will be responsible for the routing and the ASA will be behind the router: ASA>Router>Internet. The ASA's function would be for NAT and as a firewall to protect the internal network from outside attacks.

    In a single connection to an ISP that just has a default route to the ISP and no other routing requirements, the ASA can be placed at the edge which connects to the "cloud (internet)". In this layout the ASA's function can be for VPNs, NAT and as a firewall to protect the internal network. In this layout there is no need for a router unless it's used for other services for internal use besides routing (VoIP, DHCP, etc). LAN>ASA>Internet.

    In a scenario that you are running IGPs (interior gateway protocols, e.g. EIGRP, RIP, OSPF) within your network which is handled by a layer 3 device (layer 3 switch or router). Depending on the network it can be just a layer 3 switch(es) that has a static route on that device which is pointing traffic to the ASA to get to the internet. (LAN>ASA>ISP)

    Hope this clarifies it a bit.
    Last edited by dmarcisco; 12-03-2015 at 03:29 PM.
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.
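
The router-at-the-edge layout from the first scenario in this post and from sucanushie's post #5 (ASA default route pointing at the router, NAT on the ASA, inside hosts using the ASA inside interface as their gateway), written out as an added example; it is not configuration from any poster. Hostnames, interface names and all addresses (RFC 5737 documentation ranges) are constructed assumptions.

```cisco
! ===== ASA (assumed hostname ASA-FW, ASA 8.3+ NAT syntax) =====
! On an ASA 5505 the nameif / ip address lines go on VLAN interfaces
! (interface Vlan1, Vlan2) rather than on routed ports as shown here.
hostname ASA-FW
!
interface GigabitEthernet0/0
 description Transit link to edge router
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 description LAN switch; hosts use 192.168.10.1 as default gateway
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Default route: the next hop is the router's address on the transit link.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Dynamic PAT: inside hosts leave with the ASA outside address as source.
object network INSIDE-LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! No access-group is applied to the outside interface. Connections opened
! from inside (security-level 100 to 0) are permitted and tracked statefully;
! unsolicited traffic arriving on outside hits the implicit deny.
!
! Checks on the ASA once traffic is flowing:
!   show route        confirm the static default via 203.0.113.1
!   show xlate        list the active PAT translations
!   show nat detail   confirm the rule is matching (hit counters)
!
! ===== Edge router (IOS, assumed hostname EDGE-RTR) =====
hostname EDGE-RTR
!
interface GigabitEthernet0/0
 description Hand-off to ISP (constructed addressing)
 ip address 198.51.100.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/1
 description Transit link to ASA outside
 ip address 203.0.113.1 255.255.255.248
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! The router carries no route to 192.168.10.0/24 and does no NAT. After PAT
! on the ASA every LAN packet is sourced from 203.0.113.2, which lies on the
! router's directly connected 203.0.113.0/29, so replies are forwarded to the
! ASA and its translation table maps them back to the inside host.
```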

  13. Senior Member
    Join Date
    Jun 2015
    Location
    De' Nile..
    Posts
    795

    Certifications
    "I eat SubNets like You for breakfast..."
    #12
    Quote Originally Posted by Deathmage View Post
    Me personally, in my home-lab I now have a 1921 with a Cable WIC and I let my ISP manage the WIC and I control the router, but I still connect my Sonicwall into the 1921, using the 1921 as the default gateway. But it allows me now to use more advanced routing protocols to my friends that also have home-labs when we do WAN connections to our home-networks for home-based LAN parties.
    Now there's a practical application :]

    So which device is allowing the "WAN party" capabilities?
    Is it the 1941 Router, or is it the SonicWall?

    For instance, if I wanted to have a Wan-Party with you, which would I need first?

  14. Senior Member
    Join Date
    Jan 2012
    Posts
    1,237

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #13
    What are you guys running, DMVPNs to connect to each other?
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  15. Senior Member Robbo777's Avatar
    Join Date
    Aug 2015
    Location
    UK
    Posts
    298
    #14
    Quote Originally Posted by dmarcisco View Post
    @Robo

    When I first was learning about firewalls I had a similar question so I understand the confusion when dealing with placement with a router and ASA on the same network. I will do my best to try to explain it with a high level view hopefully I do not confuse you any further.

    As mentioned earlier placement of the ASA really depends on the network design and what you are trying to achieve. Router and ASA placement depends on certain variables. There are different ways to do things and you can take a look at design guides to get a more in depth look but I'm going to give a few examples just to give you a general idea.

    If the Router is responsible for routing to external networks and it's connecting to these networks with BGP and/or MPLS, then the router will connect as the edge device which connects to the "cloud (internet)". In this scenario the router will be responsible for the routing and the ASA will be behind the router: ASA>Router>Internet. The ASA's function would be for NAT and as a firewall to protect the internal network from outside attacks.

    In a single connection to an ISP that just has a default route to the ISP and no other routing requirements, the ASA can be placed at the edge which connects to the "cloud (internet)". In this layout the ASA's function can be for VPNs, NAT and as a firewall to protect the internal network. In this layout there is no need for a router unless it's used for other services for internal use besides routing (VoIP, DHCP, etc). LAN>ASA>Internet.

    In a scenario that you are running IGPs (interior gateway protocols, e.g. EIGRP, RIP, OSPF) within your network which is handled by a layer 3 device (layer 3 switch or router). Depending on the network it can be just a layer 3 switch(es) that has a static route on that device which is pointing traffic to the ASA to get to the internet. (LAN>ASA>ISP)

    Hope this clarifies it a bit.

    For my design I was going with 3 sites across a Frame Relay network, all running multi-area OSPF and using DHCP for internal addresses and dynamic NAT. I just have a few questions regarding, as I said, the placement of the router and the ASA:

    1. What's the best placement in your opinion for this design then?
    2. Does the ASA do the NATing or the router?
    3. Does the router route the traffic using OSPF etc...? (bit confusing in what other tasks the ASA can actually be used for)
    4. Is the ASA the default gateway, with a static route to the router on the edge (if the router is on the edge for this example)?
    5. If not, does the ASA have any actual address?

    Bit confusing, the actual setup of an ASA; I've always just done it with a router. I have pretty much every practice down now confidently except for ASAs.

  16. Senior Member
    Join Date
    Jan 2012
    Posts
    1,237

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #15
    I know this is all for a lab, so how do you feel it should go? Take a step back and think about your design and what is the best way or possibilities to achieve your goal. This is your network design and you are the "network engineer"; using all the tools you know, how would you design and implement that solution? Before you think about adding a firewall to your design you need to understand its features and limitations and what role it will play on your network before adding it to your topology. For multipoint private WAN connections you generally won't need NAT unless you're using it for Internet access as well. The ASA doesn't deal with routing protocols that well and has limitations.
    Last edited by dmarcisco; 12-02-2015 at 07:30 PM.
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  17. Went to the dark side.... Moderator networker050184's Avatar
    Join Date
    Jul 2007
    Posts
    11,645

    Certifications
    CCNA, CCNP, CCIP, JNCIA-JUNOS, JNCIS-SP, JNCIP-SP, MCA200
    #16
    The reason we are all saying it depends is because it does, but I'll try to give some high level stuff to your questions.

    1. If it's a serial frame relay hand off you'll have to use a router first. ASAs do not support these interface types.
    2. Usually you'd use the ASA as you may have policy NAT needs etc.
    3. That is one that completely depends.
    4. That'd be an easy way of doing it. There are some constraints with having the ASA as the DG though.
    5. Usually yes you'd address the ASA, but there are transparent mode options.

    Really you should be designing a network to support your traffic. Pretty hard to just say what should be where without knowing the end goal. Probably the biggest issues I run into with networks. People have a network design already made up before even knowing traffic patterns etc. That's setting yourself up for failure!
    An expert is a man who has made all the mistakes which can be made.

  18. Senior Member
    Join Date
    Mar 2013
    Posts
    2,411
    #17
    Quote Originally Posted by volfkhat View Post
    Now there's a practical application :]

    So which device is allowing the "WAN party" capabilities?
    Is it the 1941 Router, or is it the SonicWall?

    For instance, if i wanted to have a Wan-Party with you; which would i need first?
    We both have Sonicwalls, and we use a Sonicwall-to-Sonicwall VPN tunnel for WAN gaming. My friend also has a VMware cluster and we use the tunnel for SRM between our clusters. I really got the 1921 because I wanted control of the ISP modem... surprisingly my download speeds are actually faster now.

    We basically talked it over and made a network scheme for our WAN connections that essentially make up an OSPF area 0 core, and then the exit interfaces into our home-networks are Area 10 and 20 respectively to a L3 collapsed core. We just use the Sonicwall-to-Sonicwall VPN tunnel as like a P2P tunnel in essence; his router is a Cisco 2821.
    Last edited by Deathmage; 12-02-2015 at 07:27 PM.

  19. Network Engineer Hondabuff's Avatar
    Join Date
    Aug 2012
    Location
    USA
    Posts
    637

    Certifications
    CCNA:S, CCNA, CCENT, CCNP:R&S,MECP, A+, Network+, Security+, Network Security Diploma
    #18
    Once you try a Palo Alto Firewall, you will never attempt to manage a network with an ASA ever again.

  20. California Kid JoJoCal19's Avatar
    Join Date
    Mar 2009
    Location
    Jacksonville, FL
    Posts
    2,324

    Certifications
    CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    #19
    Quote Originally Posted by Hondabuff View Post
    Once you try a Palo Alto Firewall, you will never attempt to manage a network with an ASA ever again.
    Please, expound upon that. I have no experience with Palo Alto FWs.
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, BSBA - University of Florida, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning Python
    Next Up: None
    Reading: Python Crash Course

  21. Senior Member Robbo777's Avatar
    Join Date
    Aug 2015
    Location
    UK
    Posts
    298
    #20
    Okay I'm going to go with putting the router first because of its routing capabilities.
    What are the main functions I can use the ASA for then?
    NAT
    Policy maps
    Inside and Outside zones

    I know there are more features, but with me not knowing them, are there any more I should be implementing into the ASA that are paramount?

    I have one more question about NAT as well: if I'm NATing the private addresses at the ASA, then how is the router going to know where to send the reply traffic to? I just can't quite wrap my head around WHY we need to NAT with the ASA (why not just NAT with the router?) and how the router then understands what to do with it and then where to send the reply traffic.

    Thanks again
    Last edited by Robbo777; 12-03-2015 at 10:39 AM.

  22. Network Engineer Hondabuff's Avatar
    Join Date
    Aug 2012
    Location
    USA
    Posts
    637

    Certifications
    CCNA:S, CCNA, CCENT, CCNP:R&S,MECP, A+, Network+, Security+, Network Security Diploma
    #21
    Quote Originally Posted by JoJoCal19 View Post
    Please, expound upon that. I have no experience with Palo Alto FWs.
    If you ever tried to set up an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a die-hard Cisco guy and the IOS of the ASAs just drives me nuts, between the commands that are like IOS but just different enough that they don't work and me constantly checking white papers for the proper command. The Java-based ASDM is slow and cumbersome. The Palo Alto's menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do in the first attempt. Palo Altos are made to be managed strictly by the GUI and to be user friendly. ASA seemed to be geared to a network specialist whose job role is to only manage the ASA. We use a pair of PA7000s and PA2000s in all the branch offices. We swapped out 3000+ users from using AnyConnect to now using GlobalProtect, which just automatically connects when you open your laptop. Before, we had to always do split tunneling due to the ASAs not handling the traffic. With the PA, we just bring all the traffic back through the VPN with no impact on performance. ASA has a 50-page guide for setting up HA whereas Palo Alto can do the same in under 9 pages. This sums up the management for an ASA vs. a PA. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1hr.

  23. Senior Member
    Join Date
    Jan 2012
    Posts
    1,237

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #22
    Quote Originally Posted by Robbo777 View Post
    Okay I'm going to go with putting the router first because of its routing capabilities.
    What are the main functions I can use the ASA for then?
    NAT
    Policy maps
    Inside and Outside zones

    I know there are more features, but with me not knowing them, are there any more I should be implementing into the ASA that are paramount?

    I have one more question about NAT as well: if I'm NATing the private addresses at the ASA, then how is the router going to know where to send the reply traffic to? I just can't quite wrap my head around WHY we need to NAT with the ASA (why not just NAT with the router?) and how the router then understands what to do with it and then where to send the reply traffic.

    Thanks again
    I think it'd be best if you learn how to work on the ASA and its capabilities before trying to blindly add it to your topology without knowing why you "feel" you need it there.

    Learn how it works in basic topologies. Once you have the hang of how it should work, you can change variables and add it to a complex topology that deals with other components and take it from there.
    Last edited by dmarcisco; 12-03-2015 at 05:35 PM.
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  24. California Kid JoJoCal19's Avatar
    Join Date
    Mar 2009
    Location
    Jacksonville, FL
    Posts
    2,324

    Certifications
    CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    #23
    Quote Originally Posted by Hondabuff View Post
    If you ever tried to set up an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a die-hard Cisco guy and the IOS of the ASAs just drives me nuts, between the commands that are like IOS but just different enough that they don't work and me constantly checking white papers for the proper command. The Java-based ASDM is slow and cumbersome. The Palo Alto's menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do in the first attempt. Palo Altos are made to be managed strictly by the GUI and to be user friendly. ASA seemed to be geared to a network specialist whose job role is to only manage the ASA. We use a pair of PA7000s and PA2000s in all the branch offices. We swapped out 3000+ users from using AnyConnect to now using GlobalProtect, which just automatically connects when you open your laptop. Before, we had to always do split tunneling due to the ASAs not handling the traffic. With the PA, we just bring all the traffic back through the VPN with no impact on performance. ASA has a 50-page guide for setting up HA whereas Palo Alto can do the same in under 9 pages. This sums up the management for an ASA vs. a PA. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1hr.
    Wow that's incredible. Thanks for that. Yeah, the thing with the commands being like IOS but not quite would drive me crazy to have an entirely different syntax to try to remember stuff.
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, BSBA - University of Florida, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning Python
    Next Up: None
    Reading: Python Crash Course

  25. Senior Member
    Join Date
    Jan 2013
    Location
    Florida
    Posts
    1,321

    Certifications
    CCNP: R&S, CIW: Web Foundations; MCTS: Active Directory; MCP: 2000 Professional; CNA: NetWare 5; CompTIA A+
    #24
    For a regular Ethernet connection, the ASA can go directly on the edge of your network. For example, I have Cable Internet and have an ASA connected directly behind my ISP's modem (which is in bridged mode). OTOH, if you use a PPP or MPLS Circuit, you will need a router between your ASA and your ISP.

    SOHO Example (Using ASA 5505 and Wireless AP)

    Example.jpg

    MPLS Example (Using Cisco ASA and CE Router)

    MPLS.jpg

    Note that Switch(es) might not be a single switch, but a hierarchical Layer 2/Layer 3 topology using multiple Core/Distribution and Access switches. I recently got a new laptop, so I have not had a chance to load my custom network symbols (Cisco ASA, Wireless AP, Layer 3 Switch, Various Cisco Devices, etc...) back into Visio and had to use the ones provided by Microsoft.
    Last edited by theodoxa; 12-03-2015 at 03:50 PM.

  26. Senior Member sucanushie's Avatar
    Join Date
    Apr 2013
    Location
    Canada
    Posts
    158

    Certifications
    MCTS, Windows 7, MCITP: EDA Win7,CCNA Security,CCNA Voice, CCNP R&S
    #25
    In the next version of FireSight you will be able to manage ASAs from there, which will be a lot better than ASDM.

    PAN is nice, but it's also 4X more than an ASA with FirePower setup.

    So throw in that with AMP for network and end points it's hard to justify that price difference.


    Quote Originally Posted by Hondabuff View Post
    If you ever tried to set up an ASA out of the box you will know the frustration you experience just trying to get network connectivity up and running. The Palo Alto just has it down on the feel and flow of setting it up. I'm a die-hard Cisco guy and the IOS of the ASAs just drives me nuts, between the commands that are like IOS but just different enough that they don't work and me constantly checking white papers for the proper command. The Java-based ASDM is slow and cumbersome. The Palo Alto's menus are clean and simple. Setting up DMVPN with VTI tunnels I was able to do in the first attempt. Palo Altos are made to be managed strictly by the GUI and to be user friendly. ASA seemed to be geared to a network specialist whose job role is to only manage the ASA. We use a pair of PA7000s and PA2000s in all the branch offices. We swapped out 3000+ users from using AnyConnect to now using GlobalProtect, which just automatically connects when you open your laptop. Before, we had to always do split tunneling due to the ASAs not handling the traffic. With the PA, we just bring all the traffic back through the VPN with no impact on performance. ASA has a 50-page guide for setting up HA whereas Palo Alto can do the same in under 9 pages. This sums up the management for an ASA vs. a PA. If you get a chance to demo one I definitely would. We had a Palo Alto rep come in and do the dog and pony show and we were sold after 1hr.
