topic Re: ESXi deployment question for Palo -VM series (L3 Mode) in General Topics

ESXi deployment question for Palo -VM series (L3 Mode)

geewiss — Tue, 07 Dec 2021 23:22:55 GMT

I'm having trouble interpreting this link for deployment scenarios of the vm series Palo Firewalls. Looking for clarification...

https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-a-vm-series-firewall-on-an-esxi-server/supported-deployments-on-vmware-vsphere-hypervisor-esxi.html

We have an ESXi cluster with 3 hosts running vSphere Distributed Switches. Our plan is to have one Palo VM-300 in the cluster and it will have the gateways (SVI's) for VM's on all ESXi hosts. I'm questioning if this will work. I'm questioning how a VM on host without the Palo will reach it's gateway.

Can this one Palo take traffic from all VM's across all hosts?

I feel like I'm missing something here.

Re: ESXi deployment question for Palo -VM series (L3 Mode)

BPry — Wed, 08 Dec 2021 01:10:07 GMT

@geewiss,

Can a VM on one ESXi host reach the other VMs running on a different host within your existing network? The answer to that question would really depend on your environment, but the vast majority of environments the answer would be yes. The deployment method that you use really depends on your own network design and actual goals.

Re: ESXi deployment question for Palo -VM series (L3 Mode)

geewiss — Wed, 08 Dec 2021 01:14:26 GMT

Right now I don't have a way to test it as the gateways for all the VM's will be on the Palo VM. I'm pretty sure all VM's on the physical ESX host with the Palo VM will be fine. What I'm worried about are the VM's that are on other ESX hosts that do not have the Palo.

Does that make sense?

Re: ESXi deployment question for Palo -VM series (L3 Mode)

geewiss — Thu, 09 Dec 2021 22:38:17 GMT

I'd like to give some additional details on this as I'm still looking for feedback and am a little confused.

See attached picture. It represents one physical ESXi host of a cluster of 3. I'm curious if this setup would work and allow network connectivity between VM's on vlans 68 and 69 across all hosts. Please let me know if more detail is needed to answer this question. Thank you!

Re: ESXi deployment question for Palo -VM series (L3 Mode)

OtakarKlier — Thu, 09 Dec 2021 23:33:03 GMT

Hello,

From what I remember trying to architect something like this, you would need a PAN on each ESXi host. If you just have one it will/might create major routing issues if the ESXi host the PAN is running on get rebooted etc.

Just another thought. What if instead of your physical switch you had a physical PAN's, 2x in HA,? This way it would all be layer 2 vlans to the PAN and they are all anchored there? Just thinking out loud.

Regards,

Re: ESXi deployment question for Palo -VM series (L3 Mode)

geewiss — Thu, 09 Dec 2021 23:40:06 GMT

I agree with your statement about using two physical Palos but that's not an option for us currently.

Is there anyway to do this with one PAN? If not, can you point me to any documentation on the setup for a PAN-VM on each ESXi host?

Thanks!

Re: ESXi deployment question for Palo -VM series (L3 Mode)

OtakarKlier — Fri, 10 Dec 2021 20:01:01 GMT

Hello,

Check out this article.

https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-a-vm-series-firewall-on-an-esxi-server/supported-deployments-on-vmware-vsphere-hypervisor-esxi

Regards,

Re: ESXi deployment question for Palo -VM series (L3 Mode)

OtakarKlier — Fri, 10 Dec 2021 21:50:08 GMT

Hello,

Also thinking outside the box, how about using Global Protect? This way all the VM's will VPN into the PAN and you now basically have zero trust if you configure the security policies correctly.

Just a thought.

Re: ESXi deployment question for Palo -VM series (L3 Mode)

geewiss — Fri, 10 Dec 2021 21:56:59 GMT

Thanks for all the replies, I ended up getting my original setup working across all ESXi hosts. Even performed some vmotions of the VM's and even the Palo. VM's were fine to vmotion....with the Palo, things were down for about 30 seconds.

Now, I'm having issues with the zones. I can't create any more than 15 even though I have the VM-300 license installed.

Re: ESXi deployment question for Palo -VM series (L3 Mode)

OtakarKlier — Fri, 10 Dec 2021 22:30:47 GMT

Hello,

Not sure what the limit on Zones is, however what I did was create one zone and used subnets in it.

Zone DNZ-A then use vlan subnets and not allow the subnets to communicate unless they have a reason to.

Regards,

Re: ESXi deployment question for Palo -VM series (L3 Mode)

geewiss — Mon, 13 Dec 2021 00:59:21 GMT

According to this link

https://www.paloguard.com/VM-Series.asp

I should be able to do 40 zones on the VM-300 but for some reason it only allows 15 as it errors when I get to 16. I'm sure the license is installed as I have a serial number and it shows a VM-300 license. I've tried rebooting but still no joy.