PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings?

boboshen — Wed, 25 Oct 2023 03:08:16 GMT

I would go straight to PA with this query but the firewall was purchased through and is supported by a 3rd party vendor and we have limited control over it and the DC it's hosted in is similar. Support is terrible to say the least.

We lease an IaaS data centre which is connected to our ISP provided private WAN. We host 2 PA-VMs in a HA pair and they are used as our perimeter firewall.

This IaaS data centre is running NSX-V and VMWare 6.7. Important to note that the PA-VM is not running as a service for NSX as discussed here: VM-Series for Firewall NSX-V Overview (paloaltonetworks.com). It's not used for protecting the data centre. It's purely our perimeter (internet) firewall for our north / south traffic and running as standard VM in the DC.

Sometime ago we started getting intermittent and inconsistent traffic issues. Basically sometimes a continuous traffic stream will get black holed. Very noticeable for our remote users on Citrix sessions for example. I'm not sure if it started when we migrated to this setup from our old setup or sometime after.

With investigating, I've ruled out the PA-VM itself as the culprit and have started to focus on the NSX Edge nodes and the DC in general but I have come across articles saying that VMs such as FWs should be added to the "User Excluded VMs for NSX Firewall settings" but then I read that's only necessary if you need to accept Promiscuous Mode, MAC Address Changes and Forged Transmits.

We have those options set to Reject. We're configured using L3 interfaces and hypervisor assigned MAC addresses.

So my questions:

Should our PA-VMs be added to the "User Excluded VMs for NSX Firewall settings"?
Should we change Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept?

Thanks for any assistance.

Re: PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings?

boboshen — Tue, 31 Oct 2023 23:01:10 GMT

I've answered my 1st question: We added the PA-VMs to the "User Excluded VMs for NSX Firewall settings" and it did not fix our issue.

I won't bother with changing Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept as we are running @ Layer 3 and shouldn't need to do that.

The problem is within our NSX IaaS data centre.

topic PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings? in VM-Series in the Private Cloud

PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings?

Re: PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings?