For details on cookie usage on our site, read our Privacy Policy
ESXi deployment question for Palo -VM series (L3 Mode)
- LIVEcommunity
- Discussions
- General Topics
- Re: ESXi deployment question for Palo -VM series (L3 Mode)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
ESXi deployment question for Palo -VM series (L3 Mode)
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-07-2021 03:22 PM
I'm having trouble interpreting this link for deployment scenarios of the vm series Palo Firewalls. Looking for clarification...
We have an ESXi cluster with 3 hosts running vSphere Distributed Switches. Our plan is to have one Palo VM-300 in the cluster and it will have the gateways (SVI's) for VM's on all ESXi hosts. I'm questioning if this will work. I'm questioning how a VM on host without the Palo will reach it's gateway.
Can this one Palo take traffic from all VM's across all hosts?
I feel like I'm missing something here.
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-09-2021 03:40 PM
I agree with your statement about using two physical Palos but that's not an option for us currently.
Is there anyway to do this with one PAN? If not, can you point me to any documentation on the setup for a PAN-VM on each ESXi host?
Thanks!
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2021 12:01 PM
Hello,
Check out this article.
Regards,
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2021 01:50 PM
Hello,
Also thinking outside the box, how about using Global Protect? This way all the VM's will VPN into the PAN and you now basically have zero trust if you configure the security policies correctly.
Just a thought.
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2021 01:56 PM
Thanks for all the replies, I ended up getting my original setup working across all ESXi hosts. Even performed some vmotions of the VM's and even the Palo. VM's were fine to vmotion....with the Palo, things were down for about 30 seconds.
Now, I'm having issues with the zones. I can't create any more than 15 even though I have the VM-300 license installed.
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-10-2021 02:30 PM
Hello,
Not sure what the limit on Zones is, however what I did was create one zone and used subnets in it.
Zone DNZ-A then use vlan subnets and not allow the subnets to communicate unless they have a reason to.
Regards,
- Which VM-Series deployment model within vSphere allows for firewall insertion into an existing network and will also require additional VLANs for each in VM-Series in the Public Cloud
- PSE software firewall associate in General Topics
- VM Series in Azure - Active/Passive or Active/Active in VM-Series in the Public Cloud
- CPU for VM Panorama in VM-Series in the Public Cloud
- Provision Panorama VM in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
