Palo Alto Networks firewalls are built on which type of architecture?

This reference architecture illustrates how organizations can protect Oracle applications, such as Oracle E-Business Suite and PeopleSoft, deployed in Oracle Cloud Infrastructure using Palo Alto Networks VM-Series firewalls.

To protect these traffic flows, Palo Alto Networks recommends segmenting the network using a hub and spoke topology, in which a central hub is connected to multiple distinct networks (spokes) and all traffic is routed through the hub. All traffic between spokes, as well as traffic to and from the internet, to and from on-premises, and to the Oracle Services Network, is routed through the hub and inspected by the Palo Alto Networks VM-Series firewall's multilayered threat prevention technologies.

Deploy each tier of your application in its own virtual cloud network (VCN), which acts as a spoke. The hub VCN contains a Palo Alto Networks VM-Series firewall high availability cluster, Oracle internet gateway, dynamic routing gateway (DRG), Oracle service gateway, and local peering gateways (LPGs).

The hub VCN connects to the spoke VCNs through LPGs or by attaching secondary virtual network interface cards (VNICs) to the Palo Alto Networks VM-Series firewall. Route table rules in each spoke send all spoke traffic through the LPGs to the hub for inspection by the Palo Alto Networks VM-Series firewall high availability cluster.

You can configure and manage the Palo Alto Networks VM-Series firewall locally, or centrally using Panorama, the Palo Alto Networks centralized security management system. Panorama helps customers reduce the complexity and administrative overhead in managing configuration, policies, software, and dynamic content updates. Using device groups and templates on Panorama, you can effectively manage firewall-specific configuration locally on a firewall and enforce shared policies across all firewalls or device groups.

The following diagram illustrates this reference architecture.


Description of the illustration palo_alto_nw_vm_oci.png

North-South Inbound Traffic

The following diagram illustrates how north-south inbound traffic reaches the web application tier from the internet and from remote data centers. This configuration requires that network address translation (NAT) and security policies permitting this inbound traffic are configured on the Palo Alto Networks VM-Series firewall.


Description of the illustration palo_alto_north_south_inbound.png

North-South Outbound Traffic

The following diagram illustrates outgoing connections from the web application and database tiers to the internet, which are used to obtain software updates and to reach external web services. This configuration requires that source NAT is configured in your Palo Alto Networks VM-Series firewall policy for the relevant networks.


Description of the illustration palo_alto_north_south_outbound.png

East-West Traffic (Web to Database)

The following diagram illustrates how traffic moves from the web application to the database tier.


Description of the illustration palo_alto_east_west_web_db.png

East-West Traffic (Database to Web)

The following diagram illustrates how traffic moves from the database tier to the web application.


Description of the illustration palo_alto_east_west_db_web.png

East-West Traffic (Web Application to Oracle Services Network)

The following diagram illustrates how traffic moves from the web application to the Oracle Services Network. This configuration requires that you enable jumbo frames on the Palo Alto Networks VM-Series firewall interfaces.


Description of the illustration palo_alto_east_west_webapp_osn.png

East-West Traffic (Oracle Services Network to Web Application)

The following diagram illustrates how traffic moves from the Oracle Services Network to the web application.


Description of the illustration palo_alto_east_west_osn_webapp.png

The architecture has the following components:

  • Palo Alto Networks VM-Series firewall

    Provides all the capabilities of physical next generation firewalls in a virtual machine (VM) form, delivering inline network security and threat prevention to consistently protect public and private clouds.

  • Oracle E-Business Suite or PeopleSoft application tier

    Composed of Oracle E-Business Suite or PeopleSoft application servers and file system.

  • Oracle E-Business Suite or PeopleSoft database tier

    Composed of an Oracle Database, which can be, but is not limited to, Oracle Database Exadata Cloud Service or other Oracle Database services.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Hub VCN

    The hub VCN is a centralized network where Palo Alto Networks VM-Series firewalls are deployed. It provides secure connectivity to all spoke VCNs, Oracle Cloud Infrastructure services, public endpoints and clients, and on-premises data center networks.

  • Application tier spoke VCN

    The application tier spoke VCN contains a private subnet to host Oracle E-Business Suite or PeopleSoft components.

  • Database tier spoke VCN

    The database tier spoke VCN contains a private subnet for hosting Oracle databases.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Route Table

    Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.

    In the hub VCN, you have the following route tables:

    • Management route table attached to the management subnet that has a default route connected to the internet gateway.
    • Untrust route table attached to the untrust subnet or default VCN for routing traffic from the hub VCN to the internet or on-premises targets.
    • Trust route table attached to the trust subnet pointing to the CIDR block of the spoke VCNs through the associated LPGs.
    • High availability route table attached to the high availability subnet, which manages high availability between Palo Alto Networks VM-Series Firewall instances.
    • For each spoke attached to the hub, a distinct route table is defined and attached to an associated LPG. That route table forwards all traffic (0.0.0.0/0) from the associated spoke LPG through the Palo Alto Networks VM-Series Firewall trust interface floating IP.
    • Oracle service gateway route table attached to the Oracle service gateway for Oracle Services Network communication. That route forwards all traffic (0.0.0.0/0) to the Palo Alto Networks VM-Series Firewall trust interface floating IP.
    • To maintain traffic symmetry, routes are also added to each Palo Alto Networks VM-Series Firewall to point the CIDR block of spoke traffic to the trust (internal) subnet’s default gateway IP (the default gateway IP available in the trust subnet on the hub VCN).
  • Internet gateway

    The internet gateway allows traffic between the public subnets in a VCN and the public internet.

  • Network address translation (NAT) gateway

    A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Local peering gateway (LPG)

    An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • FastConnect

    Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Virtual network interface card (VNIC)

    The servers in Oracle Cloud Infrastructure data centers have physical network interface cards (NICs). Virtual machine instances communicate using virtual NICs (VNICs) associated with the physical NICs. Each instance has a primary VNIC that's automatically created and attached during launch and is available during the instance's lifetime. DHCP is offered to the primary VNIC only. You can add secondary VNICs after instance launch. You should set static IPs for each interface.

  • Private IPs

    A private IPv4 address and related information for addressing an instance. Each VNIC has a primary private IP and you can add and remove secondary private IPs. The primary private IP address on an instance is attached during instance launch and doesn’t change during the instance’s lifetime. Secondary IPs should also belong to the same CIDR of the VNIC’s subnet. The secondary IP is used as a floating IP because it can move between different VNICs on different instances within the same subnet. You can also use it as a different endpoint to host different services.

  • Public IPs

    The networking services define a public IPv4 address chosen by Oracle that's mapped to a private IP.

    • Ephemeral: This address is temporary and exists for the lifetime of the instance.
    • Reserved: This address persists beyond the lifetime of the instance. It can be unassigned and reassigned to another instance.
  • Source and destination check

    Every VNIC performs a source and destination check on its network traffic. Disabling this check on the firewall's VNICs allows the firewall to accept and forward traffic that is not addressed to the firewall itself, which is required for it to act as a transit hop between spokes.

  • Compute shape

    The shape of a compute instance specifies the number of CPUs and amount of memory allocated to the instance. The compute shape also determines the number of VNICs and maximum bandwidth available for the compute instance.
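The route tables listed under Route Table above only deliver inspection if every hub-and-spoke path transits the firewall in both directions. The following added example (not code from the page, Oracle, or Palo Alto Networks) models those tables for a constructed two-spoke topology, walks a packet from one spoke to another by longest-prefix match, and reports whether both directions pass the firewall's trust floating IP. The floating IP, trust gateway address and spoke CIDRs are assumed values.

```python
import ipaddress
# Constructed sample topology (not from the page): hub VCN with the firewall cluster, app spoke 10.1.0.0/16, db spoke 10.2.0.0/16.
FW_TRUST_FLOATING_IP = "10.0.2.10"   # assumed floating (secondary) IP on the trust VNIC
TRUST_SUBNET_GATEWAY = "10.0.2.1"    # assumed default gateway of the hub trust subnet
SPOKE_CIDRS = {"app": "10.1.0.0/16", "db": "10.2.0.0/16"}
# Route tables as (destination CIDR, next hop) rules, mirroring the tables listed above.
ROUTE_TABLES = {
    "spoke-app":   [("0.0.0.0/0", "lpg-app")],             # spoke subnet -> its LPG
    "spoke-db":    [("0.0.0.0/0", "lpg-db")],
    "hub-lpg-app": [("0.0.0.0/0", FW_TRUST_FLOATING_IP)],  # attached to hub-side LPGs
    "hub-lpg-db":  [("0.0.0.0/0", FW_TRUST_FLOATING_IP)],
    "firewall":    [(c, TRUST_SUBNET_GATEWAY) for c in SPOKE_CIDRS.values()],  # symmetry
    "hub-trust":   [("10.1.0.0/16", "lpg-app"), ("10.2.0.0/16", "lpg-db")],
}
# Table consulted once traffic arrives at a given next hop.
NEXT_TABLE = {"lpg-app": "hub-lpg-app", "lpg-db": "hub-lpg-db",
              FW_TRUST_FLOATING_IP: "firewall", TRUST_SUBNET_GATEWAY: "hub-trust"}

def lookup(table, dst, tables=ROUTE_TABLES):
    """Longest-prefix match on one route table; None if nothing covers dst."""
    ip, best = ipaddress.ip_address(dst), None
    for cidr, nh in tables[table]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def spoke_of(ip):
    for name, cidr in SPOKE_CIDRS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any known spoke")

def trace(src, dst, tables=ROUTE_TABLES, max_hops=8):
    """Follow the route tables from src's spoke (must differ from dst's) until dst's LPG is reached."""
    s, d = spoke_of(src), spoke_of(dst)
    table, hops = f"spoke-{s}", []
    for _ in range(max_hops):
        nh = lookup(table, dst, tables)
        if nh is None:
            raise RuntimeError(f"black hole: {table} has no route for {dst}")
        hops.append(nh)
        if nh == f"lpg-{d}":
            return hops
        table = NEXT_TABLE[nh]
    raise RuntimeError("routing loop between hub and spokes")

def inspected_both_ways(a, b, tables=ROUTE_TABLES):
    """True only if a->b and b->a both transit the firewall (traffic symmetry)."""
    return all(FW_TRUST_FLOATING_IP in trace(x, y, tables) for x, y in ((a, b), (b, a)))
```

Removing the firewall's own spoke routes surfaces as a black hole at the firewall table, while a hub-side LPG rule that hands traffic straight to another LPG surfaces as a path with no firewall hop.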

What type of firewall is Palo Alto?

The Palo Alto Networks VM-Series is a virtualised next-generation firewall featuring our PAN-OS™ operating system. The VM-Series identifies, controls and safely enables intra-host traffic and comes with the following unique virtualisation security features.

What is single pass architecture?

The single-pass architecture allows a packet to pass through the processing chain once for all sub-processes or features (single-pass architecture as described in the PCNSA Study Guide). Latency is reduced with the Single-Pass Parallel Processing (SP3) architecture, whose components include single-pass software.

What makes Palo Alto firewalls different?

It is the only firewall that identifies, controls, and inspects your SSL-encrypted traffic and applications, and the only firewall with real-time (line-rate, low-latency) content scanning, based on a stream-based threat prevention engine, to protect you against viruses, spyware, data leakage, and application vulnerabilities.

Which three interface types are valid on a Palo Alto Networks firewall?

Which three interface types are valid on a Palo Alto Networks firewall? (Choose three.)

  • Layer 3
  • Virtual Wire