
PA VM-300 Hyper-V as a Gateway of Network


L1 Bithead

Hi Team, 

 

We have a requirement to build a perimeter gateway firewall under Hyper-V using PA-VM-300. 

 

In the practical world, is this really possible to do, to force all traffic (in/out) to pass through using Hyper-PA-VM? If it is, please help with the documentation and suggestions like prerequisites. 

 

Please help. 

 

Thanks ,

animesh 

5 REPLIES 5

Cyber Elite
When you say force, does this mean you are not able to deploy in Layer3 mode? You still have Layer2 VLAN hopping and vwire 'bump in the wire' at your disposal to achieve this, although Layer3 would be preferable. https://docs.paloaltonetworks.com/vm-series/8-0/vm-series-deployment/set-up-a-vm-series-firewall-on-...
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello,

I agree that Layer3 should be the better option. Basically you have 3 interfaces on the VM-300: trust, untrust, and management. So on ESX you would map one interface/vswitch to the untrust, and same with the trust and management (however the management interface can be on a vswitch with other internal networks).

 

Hope this helps.
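
The one-vSwitch-per-interface mapping described in the reply above, carried over to Hyper-V as an added example (not code from the thread or from Palo Alto documentation). The VM name, switch names and physical NIC names are assumptions, as are a firewall VM created with no network adapters, a host that keeps a separate NIC for its own management, and the adapter order (management first, then the dataplane ports).

```powershell
# Added example. Every name below is an assumption, not a value from the thread.
$fw       = 'PA-VM-300'                  # hypothetical firewall VM name
$switches = [ordered]@{                  # vSwitch name -> physical NIC on the host
    'vsw-mgmt'    = 'NIC-Mgmt'
    'vsw-untrust' = 'NIC-Untrust'
    'vsw-trust'   = 'NIC-Trust'
}

foreach ($name in $switches.Keys) {
    if (-not (Get-VMSwitch -Name $name -ErrorAction SilentlyContinue)) {
        # -AllowManagementOS $false keeps the Hyper-V host itself off the switch.
        New-VMSwitch -Name $name -NetAdapterName $switches[$name] `
            -AllowManagementOS $false | Out-Null
    }
    # Adapters are attached in order: management, then untrust, then trust.
    # Zone assignment (trust/untrust) is done later in the firewall configuration.
    Add-VMNetworkAdapter -VMName $fw -SwitchName $name -Name $name
}

# Check 1: the host OS must have no virtual NIC on the untrust or trust switch.
$hostNics = Get-VMNetworkAdapter -ManagementOS |
    Where-Object { $_.SwitchName -in 'vsw-untrust', 'vsw-trust' }

# Check 2: no other VM may be attached to the untrust switch; a guest there
# would reach the upstream router without passing through the firewall.
$bypass = Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.SwitchName -eq 'vsw-untrust' -and $_.VMName -ne $fw }

if ($hostNics -or $bypass) {
    Write-Warning 'Traffic can bypass the firewall VM:'
    @($hostNics) + @($bypass) | Format-Table VMName, Name, SwitchName, IsManagementOs
} else {
    Get-VMNetworkAdapter -VMName $fw | Format-Table Name, SwitchName, MacAddress
}
```

Re-running the two checks after any later change to the host's virtual switches confirms that the firewall VM is still the only path between the trust and untrust sides.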

Want to deploy in Layer 3 mode in Hyper-V, wherein we can do DNAT/SNAT easily, IPSec tunnel creation, all the stuff that is possible through the appliance. 

Understanding is that this is really possible that way - spin up a VM in Hyper-V and use Untrust and Trust zones in Layer 3 mode?

From User to Internet, traffic flow would be like this -- Users --> Core Switch Layer 3 G/W --> Trust Interface of PA-VM (Hyper-V) --> Untrust Interface of PA-VM (Hyper-V) --> Core Switch Trunk Port --> ILL Router --> Internet. 

 

Share some light here..... 

 

Thanks 

 

Hello,

If you are using the PAN interfaces in layer3, you shouldn't need a Layer3 interface on the switches. However the flow looks correct.

 

Regards,
