article Deploying VM-Series on ESXi in Layer 3 Mode in GlobalProtect Articles

article Deploying VM-Series on ESXi in Layer 3 Mode in GlobalProtect Articles https://live.paloaltonetworks.com/t5/globalprotect-articles/deploying-vm-series-on-esxi-in-layer-3-mode/ta-p/332043 <P class="lia-message-template-content-zone"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Deploying VM-Series on ESXi in Layer 3 Mode.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26118i9C01BF86C1EFE42D/image-size/large?v=v2&px=999" role="button" title="Deploying VM-Series on ESXi in Layer 3 Mode.png" alt="Deploying VM-Series on ESXi in Layer 3 Mode.png" /></span></P> <P> </P> <P><EM>Palo Alto Networks shares key details about deploying VM-Series Next-Generation Firewall on the ESXi in Layer 3 Mode. Learn more about the requirements, Creating the Network Topology, VM-Series Layer 3 Configuration, and more.</EM></P> <P> </P> <P> </P> <H2><STRONG>Deploying the VM-Series on ESXi in Layer 3 Mode</STRONG></H2> <P> </P> <P>All virtual machines on the ESXi hosts will be segregated from each other on the network by the VM-Series next-generation firewall by IP addressing and Layer 3 gateways. The basis for this design is to provide maximum resiliency with regards to VM-Series HA placement, guest VM protection, and the inherent networking capabilities of the ESXi hypervisor and virtual switching. This technote will cover a multiple ESXi host environment showcasing east/west traffic separation to demonstrate the Layer 3 capabilities of the VM-Series next-generation firewall.</P> <P> </P> <H2><STRONG>Topology</STRONG></H2> <P>A highly available Active/Passive pair of VM-Series next-generation firewalls are positioned between the physical datacenter network and Guest VM workloads. A single Distributed vSwitch will be used in this example topology. Port Groups are used to segregate traffic between the untrusted side and the trusted side of the firewall. Layer 3 interfaces will be used to provide untrust/trust boundaries on the firewall as well as provide for default IP gateway reachability for the entire subnet.</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Diagram of uplink ports and Layer 3 HA untrust/trust zone deployment" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26117i90CE9F783E888F27/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Uplink ports and Layer 3 HA.png" alt="Diagram of uplink ports and Layer 3 HA untrust/trust zone deployment" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Diagram of uplink ports and Layer 3 HA untrust/trust zone deployment</span></span></P> <P> </P> <P><STRONG style="color: inherit; font-family: inherit; font-size: 24px;">Requirements</STRONG></P> <P>This design was validated with ESXi version 6.7u3, vCenter version 6.7, VM-Series PAN-OS version 9.1.2.</P> <P> </P> <H2><STRONG>Creating the Network Topology</STRONG></H2> <P>We often make virtual networking more complicated than it needs to be. ESXi virtual switches work on similar principles as physical network switches. Don’t overcomplicate it. The same principles that you would use to deploy our firewall in a physical Layer 2/3 networking environment is the same methodology that you would use to deploy the VM-Series in a virtualized environment.</P> <P> </P> <P>Building the ESXi network topology is a crucial part of any Layer 3 design. Distributed vSwitches by themselves do not necessarily segregate traffic between port groups. The default configuration of a vSwitch, the initial port group configuration, and the vSwitch uplinks create a flat Layer 2 network.</P> <P> </P> <P>There is a misconception about what port groups are. Port groups are simply a collection of virtual ports that share a common configuration set. A port group is not a VLAN. There are many attributes that can be configured under a port group and the VLAN ID is one of those attributes.</P> <P> </P> <P>This design calls for only a couple of port groups to be configured on the vSwitch.</P> <P> </P> <UL class="lia-list-style-type-square"> <LI>A single vSwitch was created - tswitch1</LI> <LI>2 port groups for the firewall and VM guests <UL class="lia-list-style-type-circle"> <LI>untrust (connected to IP Gateway)</LI> <LI>trust (for L3 guest: Ubuntu Web & App)</LI> <LI>uplink ports, tswitch1-DVUplinks, connect this vSwitch to the physical network switches<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Uplink ports: tswitch1_vDS uplinks" style="width: 213px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26092i8F696AEABF82BA74/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="uplink ports tswitch1 vDS uplinks.png" alt="Uplink ports: tswitch1_vDS uplinks" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Uplink ports: tswitch1_vDS uplinks</span></span></LI> </UL> </LI> </UL> <P>The following image shows the two (distributed) port groups assigned to the VM-Series:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Layer 3 based (distributed) port group: untrust/unprotected zone" style="width: 384px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26093iCBF2A4579C6177D3/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Layer 3 based distributed port group untrust unprotected zone.png" alt="Layer 3 based (distributed) port group: untrust/unprotected zone" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Layer 3 based (distributed) port group: untrust/unprotected zone</span></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Layer 3 based (distributed) port group: trust/protected zone" style="width: 374px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26094i5E9216EA879E641B/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Layer 3 based distributed port group trust protected zone.png" alt="Layer 3 based (distributed) port group: trust/protected zone" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Layer 3 based (distributed) port group: trust/protected zone</span></span></P> <P> </P> <H2><STRONG style="font-family: inherit;">Assign Port Groups to VM-Series</STRONG></H2> <P>VM-Series Firewalls are assigned to the firewall port groups. Network Adapter 1 is used for the firewall’s management interface. Network Adapter 2 is used for the untrusted side of the firewall. Network Adapter 3 is used for the trusted side of the firewall.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="View of primary VM-300 VM hardware summary" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26095iF6FA3182EEF66681/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="View of primary VM 300 VM hardware summary.png" alt="View of primary VM-300 VM hardware summary" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">View of primary VM-300 VM hardware summary</span></span></P> <P>The guest machines are assigned to their respective port-groups.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Layer 3 guest-a (Web) VM hardware summary" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26096iDE92DC2AF987755E/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Layer 3 guest A Web VM hardware summary.png" alt="Layer 3 guest-a (Web) VM hardware summary" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Layer 3 guest-a (Web) VM hardware summary</span></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Layer 3 guest-b (App) VM hardware summary" style="width: 511px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26097iF134C39285EF2CB8/image-dimensions/511x378/is-moderation-mode/true?v=v2" width="511" height="378" role="button" title="Layer 3 guest B App VM hardware summary.png" alt="Layer 3 guest-b (App) VM hardware summary" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Layer 3 guest-b (App) VM hardware summary</span></span></P> <P> </P> <H2><STRONG>VM-Series Layer 3 Configuration</STRONG></H2> <P>This section covers the VM-Series next-generation firewall network configuration. All configuration is completed in the PAN-OS web interface.</P> <P> </P> <H3>Zones</H3> <P>Two zones were used in this example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Firewall web interface - Zones: Layer 3" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26098i3CD1CA05464DB937/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Firewall UI zones Layer 3.png" alt="Firewall web interface - Zones: Layer 3" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Firewall web interface - Zones: Layer 3</span></span></P> <P> </P> <H3><SPAN style="font-family: inherit;">Virtual-Routers</SPAN></H3> <P><SPAN style="font-family: inherit;">For this technote, two virtual routers were employed: both the default virtual router (VR) and a separately configured VR representing an internal trusted network boundary. A VR is a function of the firewall that participates in Layer 3 routing.</SPAN></P> <P> </P> <P><SPAN style="font-family: inherit;">The firewall uses virtual routers to obtain routes to other subnets by either manually defining static routes or through participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall obtains through these methods populate the IP routing information base (RIB) on the firewall. When a packet is destined for a different subnet than the one it arrived on, the virtual router obtains the best route from the RIB, places it in the forwarding information base (FIB), and forwards the packet to the next hop router defined in the FIB. </SPAN></P> <P> </P> <P><SPAN style="font-family: inherit;">In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router as illustrated below.</SPAN></P> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Simple VR overview and configuration illustration" style="width: 557px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26099i99A7555BA4F29B4C/image-dimensions/557x299/is-moderation-mode/true?v=v2" width="557" height="299" role="button" title="Simple VR overview and configuration.png" alt="Simple VR overview and configuration illustration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Simple VR overview and configuration illustration</span></span></SPAN></P> <P><SPAN style="font-family: inherit;">In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure <A title="Virtual Routers | TechDocs | Palo Alto Networks" href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers.html" target="_blank" rel="noopener"><FONT color="#FA582D">Virtual Routers</FONT></A> to rout the traffic. Choose this option when routing is required.</SPAN></P> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Alternate VR creation" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26100iDDE66A23413F0B30/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Alternate VR creation.png" alt="Alternate VR creation" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Alternate VR creation</span></span></SPAN></P> <P>Default virtual router static routes (<STRONG>NOTE:</STRONG> <EM>next-vr next-hop) :</EM><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Default VR and inter-VR next-hop route configuration" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26101iB71CB20573AE9D95/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="default VR and inter VR next hop route configuration.png" alt="Default VR and inter-VR next-hop route configuration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Default VR and inter-VR next-hop route configuration</span></span></P> <P> <SPAN style="font-family: inherit;">Default virtual router static route table (</SPAN><STRONG style="font-family: inherit;">NOTE:</STRONG><SPAN style="font-family: inherit;"> next-vr next-hop) :</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Default VR route table" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26102i0111E6BC18E04618/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Default VR route table illustration.png" alt="Default VR route table" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Default VR route table</span></span></P> <P>Virtual Router 1:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Alternate VR1 and inter-VR next-hop route configuration" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26103iDA00BF5CF4745A58/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Alternate VR1 and inter VR next hop route configuration.png" alt="Alternate VR1 and inter-VR next-hop route configuration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Alternate VR1 and inter-VR next-hop route configuration</span></span></P> <P> VR1 static route table:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="VR1 route table" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26104iB99118C07FF04F29/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="VR1 route table illustration.png" alt="VR1 route table" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">VR1 route table</span></span></P> <H3 class="lia-message-template-content-zone">Interfaces</H3> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Firewall UI: Interfaces > Ethernet Tab" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26105i773A58FA3D973F6B/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Firewall Web Interfaces Ethernet Tab.png" alt="Firewall UI: Interfaces > Ethernet Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Firewall UI: Interfaces > Ethernet Tab</span></span></P> <P>Interfaces will need to be configured under the Interfaces > Ethernet tab. Assign the Interface Type of the physical interface as Layer 3. Nothing else needs to be configured under the physical interface. Interfaces can be provisioned with either DHCP client or static IP addressing.</P> <P> </P> <P>DHCP Layer 3 interface configuration:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Untrust Ethernet interface configuration. NOTE: interface can be provisioned with either static or DHCP IP addressing." style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26106i6EA7D8C9D49B629A/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Untrust Ethernet interface configuration.png" alt="Untrust Ethernet interface configuration. NOTE: interface can be provisioned with either static or DHCP IP addressing." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Untrust Ethernet interface configuration. NOTE: interface can be provisioned with either static or DHCP IP addressing.</span></span></P> <P>Static Layer 3 interface configuration:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Static IPv4 interface configuration" style="width: 401px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26107i538A608B3290B447/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Static IPv4 interface configuration.png" alt="Static IPv4 interface configuration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Static IPv4 interface configuration</span></span></P> <P> Assign the interface to the correct zone untrust/trust.</P> <P> </P> <P>Untrust and trust zone interface configuration:</P> <TABLE style="border-style: none; width: 100%; border-color: #ffffff;" width="100%"> <TBODY> <TR> <TD><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Ethernet1/1 untrust zone assignment illustration" style="width: 302px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26108iF55A89D668A08BDB/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="ethernet 1 1 untrust zone assignment.png" alt="Ethernet1/1 untrust zone assignment illustration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Ethernet1/1 untrust zone assignment illustration</span></span></TD> <TD><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Ethernet1/2 trust zone assignment" style="width: 302px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26109i7477FE910817FB93/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="ethernet 1 2 trust zone assignment.png" alt="Ethernet1/2 trust zone assignment" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Ethernet1/2 trust zone assignment</span></span></TD> </TR> </TBODY> </TABLE> <P> </P> <H3>Policy</H3> <P>Add a policy to allow packets to traverse the VM-Series next-generation firewall.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Firewall web interface: Security > Add Policy" style="width: 591px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26110i9200C0E3D074ADB3/image-dimensions/591x105/is-moderation-mode/true?v=v2" width="591" height="105" role="button" title="Firewall UI Security Add Policy.png" alt="Firewall web interface: Security > Add Policy" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Firewall web interface: Security > Add Policy</span></span></P> <H3><SPAN style="font-family: inherit;">Commit the Configuration</SPAN></H3> <P><SPAN style="font-family: inherit;">Commit the configuration.</SPAN></P> <P> </P> <H2><STRONG><SPAN style="font-family: inherit;">Verifying the Environment</SPAN></STRONG></H2> <P><SPAN style="font-family: inherit;">Working with a Layer 3 environment requires investigating the guest VM’s connectivity by testing IP reachability to internal and external Internet hosts. The guest VM IP address information is listed below.</SPAN></P> <UL class="lia-list-style-type-square"> <LI><SPAN style="font-family: inherit;">Ubuntu 19.10 Web VM: 172.17.0.724</SPAN></LI> <LI><SPAN style="font-family: inherit;">Ubuntu 19.10 App VM: 172.17.0.5/24</SPAN></LI> </UL> <P> </P> <H3><SPAN style="font-family: inherit;">VM-series Commands</SPAN></H3> <P><SPAN style="font-family: inherit;">The CLI can be used to view MAC/IP address information on the VM-Series. The command is: </SPAN></P> <P><SPAN style="font-family: inherit;"><FONT face="courier new,courier">show interface ethernet 1/<interface #></FONT></SPAN></P> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Sample of command results for firewall interface" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26111i9FE6525FC000E84D/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Sample of command results for firewall interface.png" alt="Sample of command results for firewall interface" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Sample of command results for firewall interface</span></span></SPAN></P> <P>For the VM-Series routing table, the command is:</P> <P><FONT face="courier new,courier">show routing route</FONT></P> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="VM-series separate "default" and "VR1" routing tables including next-hop information" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26112i75CBDF3E4B2DFEC2/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="VM-series separate default and VR1 routing tables.png" alt="VM-series separate "default" and "VR1" routing tables including next-hop information" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">VM-series separate "default" and "VR1" routing tables including next-hop information</span></span></SPAN></P> <H3><SPAN style="font-family: inherit;">Physical Network Commands</SPAN></H3> <P><SPAN style="font-family: inherit;">The command you are going to use to verify any MAC/IP address learning will differ based on your network switch vendor. This lab utilizes Juniper Networks EX Series Switches:</SPAN></P> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Sample of a show ethernet switching table output (e.g., Juniper Networks EX Series/Junos OS)" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26113i642881261918D7E9/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="show ethernet switching table output.png" alt="Sample of a show ethernet switching table output (e.g., Juniper Networks EX Series/Junos OS)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Sample of a show ethernet switching table output (e.g., Juniper Networks EX Series/Junos OS)</span></span></SPAN></P> <H3>Guest VM Commands</H3> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Sample of guest VM commands: IP reachability" style="width: 512px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26114iBA1E582B20283521/image-size/large/is-moderation-mode/true?v=v2&px=999" role="button" title="Guest VM commands.png" alt="Sample of guest VM commands: IP reachability" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Sample of guest VM commands: IP reachability</span></span></P> <H3><SPAN style="font-family: inherit;">Firewall Traffic Log</SPAN></H3> <P><SPAN style="font-family: inherit;">You can view the firewall traffic log by navigating to Monitor Tab > Logs > Traffic.</SPAN></P> <P><SPAN style="font-family: inherit;"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Firewall Web Interface: Logs" style="width: 611px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26115i511AABC3DC4F00CC/image-dimensions/611x142/is-moderation-mode/true?v=v2" width="611" height="142" role="button" title="Firewall UI logs.png" alt="Firewall Web Interface: Logs" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Firewall Web Interface: Logs</span></span></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Firewall Web Interface: Monitoring Traffic" style="width: 609px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26116i19FCDFE193EACDEF/image-dimensions/609x107/is-moderation-mode/true?v=v2" width="609" height="107" role="button" title="Firewall UI monitoring traffic.png" alt="Firewall Web Interface: Monitoring Traffic" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Firewall Web Interface: Monitoring Traffic</span></span></P> <P> </P> <H2><STRONG>Additional Information</STRONG></H2> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/virtual-routers.html" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">Virtual Routers Technical Documentation</SPAN></A></P> <P><A href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/layer-3-interfaces/configure-layer-3-interfaces.html" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">Configure Layer 3 Interfaces Technical Documentation</SPAN></A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000HAGKCA4" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">Video Tutorial: How To Configure a Layer 3 Interface</SPAN></A></P> <P> </P> Sat, 06 Jun 2020 03:17:09 GMT pkofoid 2020-06-06T03:17:09Z Deploying VM-Series on ESXi in Layer 3 Mode https://live.paloaltonetworks.com/t5/globalprotect-articles/deploying-vm-series-on-esxi-in-layer-3-mode/ta-p/332043 <P><SPAN style="font-weight: 400;"> Learn about deployment of the VM-Series Next-Generation Firewall on the ESXi hypervisor in Layer 3 mode.</SPAN></P> Sat, 06 Jun 2020 03:17:09 GMT https://live.paloaltonetworks.com/t5/globalprotect-articles/deploying-vm-series-on-esxi-in-layer-3-mode/ta-p/332043 pkofoid 2020-06-06T03:17:09Z