topic Re: PA VM-300 Hyper-V as a Gateway of Network in General Topics

PA VM-300 Hyper-V as a Gateway of Network

Animesh_Mishra — Wed, 03 Jul 2019 07:40:46 GMT

Hi Team,

We have requirement to build a permiter gateway firewall under Hyper-V using PA-VM-300.

In practical world this is realy possible to do so, force all traffic (in/out) pass through using Hyper-PA-VM. If it is there help with the documentation and suggestion like pre-requistes.

Please help.

Thanks ,

animesh

Re: PA VM-300 Hyper-V as a Gateway of Network

reaper — Wed, 03 Jul 2019 07:46:17 GMT

when you say force, does this mean you are not able to deploy in layer3 mode? you still have Layer2 vlan hopping and vwire 'bump in the wire' at your disposal to achieve this, although Layer3 would be preferable https://docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/set-up-a-vm-series-firewall-on-the-citrix-sdx-server/secure-north-south-traffic-with-the-vm-series-firewall/deploy-the-vm-series-firewall-using-layer-2-l2-or-virtual-wire-interfaces.html#

Re: PA VM-300 Hyper-V as a Gateway of Network

OtakarKlier — Wed, 03 Jul 2019 17:41:49 GMT

Hello,

I agree that Layer3 should be the better option. Basically you have 3 interfaces on the VM-300, trust, untrust, and management. So on ESX you would mapp one interface/vswitch to the untrust, and same with the trust and managment (however the management interface can be on a vswitch with other internal networks).

Hope this helps.

Re: PA VM-300 Hyper-V as a Gateway of Network

Animesh_Mishra — Thu, 04 Jul 2019 04:42:28 GMT

Want to deploy in Layer 3 mode in Hyper-V. where in we can do the DNAT/SNAT easily, IPSec Tunnels creation all stuff that is possible through appliance.

Understading this is really possible in that way - spin up VM in Hyper-V and used Untrus and Trust Zone in layer 3 mode. ?

From User to Internet traffic flow would be like this -- Users --> Core Siwtch Layer 3 G/W --> Trust Interface of PA-VM (Hyper-V) --> Untrust Interface of PA-VM (Hyper-V) --> Core Switch Trunk Port --> ILL Router --> Internet.

Share some light here.....

Thanks

Re: PA VM-300 Hyper-V as a Gateway of Network

Animesh_Mishra — Thu, 04 Jul 2019 06:25:51 GMT

Want to deploy in Layer 3 mode in Hyper-V. where in we can do the DNAT/SNAT easily, IPSec Tunnels creation all stuff that is possible through appliance. Understanding this is really possible in that way - spin up VM in Hyper-V and used Untrus and Trust Zone in layer 3 mode. ? From User to Internet traffic flow would be like this -- Users --> Core Siwtch Layer 3 G/W --> Trust Interface of PA-VM (Hyper-V) --> Untrust Interface of PA-VM (Hyper-V) --> Core Switch Trunk Port --> ILL Router --> Internet. Share some light here.....

Re: PA VM-300 Hyper-V as a Gateway of Network

OtakarKlier — Fri, 05 Jul 2019 16:59:14 GMT

Hello,

If you are using the PAN interfaces in layer3, you shouldnt need a Layer3 interface on the switches. However the flow looks correct.

Regards,