0 Replies Latest reply: Mar 19, 2019 11:03 AM by Steven Williams

    The Constant Core Firewall Placement Struggle

    Steven Williams

      I have been reading into more design references and hitting people's thoughts on the design of a Core Firewall. I always struggle with concepts of this, not configuration per se but yet what is the best approach these days.

       

      I currently have Core ASA5585s running in Routed Mode. These are inline of the traffic and basically the route point for VRF to VRF communication southbound to a 4500x Core. So VRF red will traverse the firewall and come back down to the core 4500x to hit VRF green. All VRFs on the 4500x have an egress point-to-point network to the ASAs from the 4500x. The design works, but gets complicated sometimes.

       

      I have seen references to making the core firewalls your gateways for your user and server networks, I have seen running them in transparent mode, I have seen things like Palo Altos running in vWire mode.

       

      The goal is to inspect as much traffic as possible, so making sure all user networks accessing server networks, etc., go through the core firewalls is important.

       

      Unless you want to have static routes on your core firewall and possibly your core switches, you are looking at the firewall participating in an IGP like OSPF. This is what we do now. "A firewall should never route..." blah blah. I have heard it so many times and I just think that we are beyond that now. Firewalls are capable of routing and most times when they are in the core they ARE routing.

       

      So really not looking for right or wrong answers because each network and its requirements are different, but just want to get people's take on what they are doing or what they are seeing these days. I mean of course we would all love to run something like Micro-segmentation and load our ESX hosts with ASAv or PAv and use VXLAN to do true east to west security, but we just aren't there yet.