Palo Alto Virtual Firewall Platform

networkadmin — Sun, 27 Apr 2014 09:18:14 GMT

Is anyone using one of these but as an internet facing firewall vs. firewalling the VM's on the host the firewall is running on?

From the pricing and specs and the amount of HA that vSphere can provide, I'm trying to understand what the "catch" is vs. a physical Palo Alto?

Re: Palo Alto Virtual Firewall Platform

pulukas — Sun, 27 Apr 2014 17:57:56 GMT

The main "catch" would probably be capacity and HA capabilities. The vm version cannot do any PA HA features. So you could not have an active/passive cluster.

Also since the internal v-switch is 1 gig only, you would not be able to have a 10g interface on the PA.

I could see a v-sphere server with a local AD and file server along with a virtual PA being a good option in branch office scenarios.

Re: Palo Alto Virtual Firewall Platform

jvalentine — Sun, 27 Apr 2014 20:21:45 GMT

The current focus for the VM Series is to secure east-west traffic in the virtualized datacenter. That being said, there are some environments where the VM Series fits rather nicely, such as "branch in a box" architectures. Additionally, any public cloud integrations/implementations will have to be delivered by a virtualized firewall. I think Palo Alto Networks did a great job with the VM Series. it looks just like their hardware firewalls from a software, configuration, and capability standpoint.

For most scenarios, I highly recommend a hardware firewall over the VM Series. If the driver is purely "cost" - I don't think that's a good reason to use the VM Series in this manner. That being said, I've run the VM Series as a perimeter firewall in my lab environment and its worked well for me. Here's some of my observations:

The VM Series supports "HA Lite" (just like the PA-200), which means you can configure it as Active/Passive from a high-availability standpoint. The main difference between Full and Lite "HA" is that you don't get session synchronization during failover in the Lite version.

The interfaces are "vmxnet3" interfaces, which are technically 10GbE. Here's the output from "show interface all" on my VM Series:

admin@pa0(active)> show interface all

total configured hardware interfaces: 12

name id speed/duplex/state mac address

--------------------------------------------------------------------------------

ethernet1/1 16 10000/full/up 00:1b:17:00:01:10

ethernet1/2 17 10000/full/up 00:1b:17:00:01:11

That doesn't necessarily mean you can firewall/inspect/control 10GbE of traffic. That will be limited by the Type/Speed and Number of CPU cores that you allocate to the VM.

I think the things to consider are:

- Predictable performance. The hardware firewalls have dedicated resources, CPUs, ASICs, FPGAs, etc. The VM series uses up to 8 x86 CPU cores. This is one of the reasons why the hardware firewalls can scale to 20Gbps and beyond, while the VM Series datasheet rates it around 1Gbps.

- Ease of troubleshooting. If you're running into a problem with a hardware firewall, it's much easier for Palo Alto Networks' TAC to troubleshoot the issue from layer1-to-layer7. On the VM Series side of things, you have Palo Alto, VMware, and the server manufacturer to deal with.

- Complexity. When you power-up a hardware firewall, it loads PAN-OS and is ready to go (for the most part). On the VM Series side of things, you need VMware to boot, and then you need to configure auto-start for the firewall VM. You'll also need to pay special attention to configuration changes and upgrades involving ESXi, vSphere/vCenter, shared storage (NFS/iSCSI/FC), VSS/VDS, etc, also have the potential to disrupt the firewall. I've found that out the hard way a few times.

Hope that helps. Let us know if you have any other questions about the VM Series.

topic Palo Alto Virtual Firewall Platform in General Topics

Palo Alto Virtual Firewall Platform

Re: Palo Alto Virtual Firewall Platform

Re: Palo Alto Virtual Firewall Platform