Palo Alto VM vs Appliance Based Firewalls


L0 Member

Greetings,

I am still pretty new to the Palo Alto product line and was hoping I could enlist the help of the community to get some feedback and possible use case scenarios for using the VM based firewall. I am currently working on a few new branch office projects and originally planned on using the PA-500 for small offices (less than 40 users) and the PA-3020 for larger offices (40+ users with 100 max). Due to some new budget constraints, I am being asked to reduce the firewall budget. This is partially due to our IT folks deploying a 2 host VMware cluster at each of the sites, based on some hefty HP G8 servers. Hence the reason why my budget was reduced. 🙂

After doing some research, I noticed that the VM edition firewalls are all rated at 1Gbps when the host machine is set up for (4) cores. There are some obvious differences between models when it comes to number of policies, sessions, etc.

My plan is, since there is going to be a VMware cluster, why not use the VM edition of the firewall running on the cluster to save some money on the appliance hardware. The use case for the cluster currently is to serve up DHCP, DNS, and possibly a domain controller, so there should be plenty of resources left over to run the firewall. My assumption is that since we will have a vCenter license, I will probably not need to cluster the VM appliances, since if one VMware host fails, the VM will be vMotioned to the second VMware host.

Is there anyone in the community who is using the virtual edition firewalls in this fashion? If so, could you provide me some feedback on the performance and possibly some recommendations?

Best Regards,

Jaime Silva

Accepted Solutions

L7 Applicator

The use case of a remote or branch office is not the anticipated one for the VM series Palo Alto. This is designed as a solution to put a firewall inside VMware hosts at a data center to secure communications between virtual machines inside a host.

As a result there are some shortcomings for your deployment scenario.

  • vMotion is not supported; there are reports that it does work empirically, but you will not be able to open issue tickets for the feature
  • HA is only the "lite" version, meaning chassis failover, but there is no session sync for two devices on separate hosts
  • When you activate a license, the CPUID and UUID are intended to lock the device to a particular VMware host server

How to Authorize/Register a VM

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

2 Replies

L2 Linker

Hello,

Some users say that vMotion is possible, but as far as I know, vMotion is officially not supported; it might be interesting to ask in a support case.

Furthermore, only HA-Lite is supported, meaning no session sync.

I would say a VM-Edition is useful for controlling traffic inside a datacenter or something similar, but for security reasons I would never use a VM as the perimeter.
