Palo Alto Virtual Firewall Platform

Reply
Highlighted
L4 Transporter

Palo Alto Virtual Firewall Platform

Is anyone using one of these but as an internet facing firewall vs. firewalling the VM's on the host the firewall is running on?

From the pricing and specs and the amount of HA that vSphere can provide, I'm trying to understand what the "catch" is vs. a physical Palo Alto?

Highlighted
L7 Applicator

The main "catch" would probably be capacity and HA capabilities.  The vm version cannot do any PA HA features.  So you could not have an active/passive cluster.

Also since the internal v-switch is 1 gig only, you would not be able to have a 10g interface on the PA.

I could see a v-sphere server with a local AD and file server along with a virtual PA being a good option in branch office scenarios.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Highlighted
L7 Applicator

The current focus for the VM Series is to secure east-west traffic in the virtualized datacenter.  That being said, there are some environments where the VM Series fits rather nicely, such as "branch in a box" architectures.  Additionally, any public cloud integrations/implementations will have to be delivered by a virtualized firewall.  I think Palo Alto Networks did a great job with the VM Series. it looks just like their hardware firewalls from a software, configuration, and capability standpoint. 

For most scenarios, I highly recommend a hardware firewall over the VM Series.  If the driver is purely "cost" - I don't think that's a good reason to use the VM Series in this manner.  That being said, I've run the VM Series as a perimeter firewall in my lab environment and its worked well for me.  Here's some of my observations:

The VM Series supports "HA Lite" (just like the PA-200), which means you can configure it as Active/Passive from a high-availability standpoint.  The main difference between Full and Lite "HA" is that you don't get session synchronization during failover in the Lite version. 

The interfaces are "vmxnet3" interfaces, which are technically 10GbE.  Here's the output from "show interface all" on my VM Series:

admin@pa0(active)> show interface all

total configured hardware interfaces: 12

name                    id    speed/duplex/state        mac address

--------------------------------------------------------------------------------

ethernet1/1             16    10000/full/up             00:1b:17:00:01:10

ethernet1/2             17    10000/full/up             00:1b:17:00:01:11

That doesn't necessarily mean you can firewall/inspect/control 10GbE of traffic.  That will be limited by the Type/Speed and Number of CPU cores that you allocate to the VM. 

I think the things to consider are:

- Predictable performance.  The hardware firewalls have dedicated resources, CPUs, ASICs, FPGAs, etc.  The VM series uses up to 8 x86 CPU cores.  This is one of the reasons why the hardware firewalls can scale to 20Gbps and beyond, while the VM Series datasheet rates it around 1Gbps. 

- Ease of troubleshooting.  If you're running into a problem with a hardware firewall, it's much easier for Palo Alto Networks' TAC to troubleshoot the issue from layer1-to-layer7.  On the VM Series side of things, you have Palo Alto, VMware, and the server manufacturer to deal with. 

- Complexity.  When you power-up a hardware firewall, it loads PAN-OS and is ready to go (for the most part).  On the VM Series side of things, you need VMware to boot, and then you need to configure auto-start for the firewall VM.  You'll also need to pay special attention to configuration changes and upgrades involving ESXi, vSphere/vCenter, shared storage (NFS/iSCSI/FC), VSS/VDS, etc, also have the potential to disrupt the firewall.  I've found that out the hard way a few times.

Hope that helps.  Let us know if you have any other questions about the VM Series. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!