Friday, February 24, 2017

Building my Palo Alto Networks Firewall Physical Lab Using PA-200

Management and Dataplanes

Whether physical or virtual, the management plane and dataplane functionality is integral to all Palo Alto Networks firewalls. These functions have dedicated hardware resources, making them independent of each other. The following diagram details the architecture of a PA-200 firewall:


Every Palo Alto Networks firewall assigns a minimum of these functions to the management plane:

* Configuration management

* Logging

* Reporting functions

* User-ID agent process

* Route updates

The Management Network and Console connectors terminate directly on this plane.

The following functions are assigned to the dataplane:

* Signature Match Processor:
 - All Content-ID and App-ID services

* Security Processors:
 - Session management
 - Encryption/decryption
 - Compression/decompression
 - Policy enforcement

* Network Processor:
 - Route
 - ARP
 - MAC lookup
 - QoS
 - NAT
 - Flow control

The dataplane connects directly to the traffic interfaces.

As more computing capability is added to more powerful firewall models, the management plane and dataplane gain other functionality as required, sometimes implemented on dedicated cards. Several core functions gain FPGAs (field-programmable gate arrays) for flexible high-performance processing. Additional management plane functions might include:

* First packet processing

* Switch fabric management

Dedicated log collection and processing is implemented as a separate card.


I usually build my virtual lab as I go along with my IT certification studies, but I've built a hardware lab first since I've bought a PA-200 firewall and my switches were already available. I always try to build labs using real gear in order to get my feet wet and build confidence in actual deployment, just like what I did with the Cisco ASA 5505 and Check Point 1140 firewalls. My lab is based on RoutHub's topology and I've used PAN firewall Visio stencils, which are free on this link.


Below is what the actual physical rack looks like. The Cisco 2811 router will be used for building a site-to-site IPSec VPN, BGP and dual Internet links with the PA-200 firewall.

