12-07-2021 03:22 PM
I'm having trouble interpreting this link for deployment scenarios of the vm series Palo Firewalls. Looking for clarification...
We have an ESXi cluster with 3 hosts running vSphere Distributed Switches. Our plan is to have one Palo VM-300 in the cluster and it will have the gateways (SVI's) for VM's on all ESXi hosts. I'm questioning if this will work. I'm questioning how a VM on host without the Palo will reach it's gateway.
Can this one Palo take traffic from all VM's across all hosts?
I feel like I'm missing something here.
12-09-2021 03:40 PM
I agree with your statement about using two physical Palos but that's not an option for us currently.
Is there anyway to do this with one PAN? If not, can you point me to any documentation on the setup for a PAN-VM on each ESXi host?
12-10-2021 12:01 PM
Check out this article.
12-10-2021 01:50 PM
Also thinking outside the box, how about using Global Protect? This way all the VM's will VPN into the PAN and you now basically have zero trust if you configure the security policies correctly.
Just a thought.
12-10-2021 01:56 PM
Thanks for all the replies, I ended up getting my original setup working across all ESXi hosts. Even performed some vmotions of the VM's and even the Palo. VM's were fine to vmotion....with the Palo, things were down for about 30 seconds.
Now, I'm having issues with the zones. I can't create any more than 15 even though I have the VM-300 license installed.
12-10-2021 02:30 PM
Not sure what the limit on Zones is, however what I did was create one zone and used subnets in it.
Zone DNZ-A then use vlan subnets and not allow the subnets to communicate unless they have a reason to.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!