PA VM-300 Hyper-V as a Gateway of Network

L1 Bithead

PA VM-300 Hyper-V as a Gateway of Network

Hi Team,

We have a requirement to build a perimeter gateway firewall under Hyper-V using PA-VM-300.

In the practical world, is this really possible to do, forcing all traffic (in/out) to pass through the Hyper-PA-VM? If it is, please help with documentation and suggestions such as prerequisites.

Please help.

Thanks,

animesh

Community Manager

Re: PA VM-300 Hyper-V as a Gateway of Network

When you say force, does this mean you are not able to deploy in Layer3 mode? You still have Layer2 VLAN hopping and vwire 'bump in the wire' at your disposal to achieve this, although Layer3 would be preferable: https://docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/set-up-a-vm-series-firewall-on-...

Reaper out
L7 Applicator

Re: PA VM-300 Hyper-V as a Gateway of Network

Hello,

I agree that Layer3 should be the better option. Basically you have 3 interfaces on the VM-300: trust, untrust, and management. So on ESX you would map one interface/vswitch to the untrust, and the same with the trust and management (however, the management interface can be on a vswitch with other internal networks).

Hope this helps.

L1 Bithead

Re: PA VM-300 Hyper-V as a Gateway of Network

We want to deploy in Layer 3 mode in Hyper-V, wherein we can do DNAT/SNAT easily, IPSec tunnel creation, and all the things that are possible through the appliance.

Is my understanding correct that this is really possible that way: spin up a VM in Hyper-V and use the Untrust and Trust zones in Layer 3 mode?

The user-to-Internet traffic flow would be like this: Users --> Core Switch Layer 3 G/W --> Trust Interface of PA-VM (Hyper-V) --> Untrust Interface of PA-VM (Hyper-V) --> Core Switch Trunk Port --> ILL Router --> Internet.

Please shed some light here.

Thanks

L7 Applicator

Re: PA VM-300 Hyper-V as a Gateway of Network

Hello,

If you are using the PAN interfaces in Layer3, you shouldn't need a Layer3 interface on the switches. However, the flow looks correct.

Regards,
