Using a VM100 at the perimeter

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using a VM100 at the perimeter

L1 Bithead


We are looking at deploying a VM-100 at the perimeter of our network. We currently have a PA-500 doing that job.  It is incredibly slow on the management side of things and quite frankly, expensive when it comes to support renewals.  Hence the thought of going to a VM-100.  Our supplier has told us that Palo Alto does not recommend a Virtual Firewall (hosted on VMWARE) at the perimeter however I can't find, any documentation to support this. 

Can anyone point me at the documentation supports the statement that PA don't recommend this deployment model?  Or can someone at PA confirm this?

Thanks in advance.


L6 Presenter

Hi HDC...The VM-100 can be installed on several VMware products (VM workstation, VM Fusion, VM Player) and the VM platform themselves are not designed to be a firewall at the perimeter.  There is a degree of risk when exposing the VM platform to an untrusted segment (the Internet).  You should consult with VMware on how to harden the VM platform if it is even possible.

As for the slow response on the mgmt of the PA-500, may I recommend that you consider upgrading its memory:  PA-500 Management Memory Upgrade Procedure.  Thanks.

Hello i agree with rmovan in that the VM is not great to be put in a the perimeter since you now have exposed your hypervisor to the internet. I know there are VMWare hardening docs, but I think you are asking for trouble since if the hypervisor gets compromised, the firewall is useless. Stay with physical at the perimeter.

L4 Transporter

If you wouldn't trust it enough to secure traffic at the perimeter, why would you trust it enough to secure your internal traffic?

Genuine question - like many people I'm wary of putting VMware at the very edge of the network but given the "on paper" specifications of the VM100 you could buy a dedicated host if you wanted to and it would still seem to give a 2000 or entry 3000 series a run for its money.

Palo Alto SE's say it's intended for east-west inspection but nobody really ever explains why it shouldn't be suitable to use at the perimeter especially when you can do HA using VMware vs. having to buy a pair of appliances.

Not applicable

We have isolated vmware boxes in our DMZ.  They are hardened and management isn't accessible from the internet.  I can't speak to the performance, but the arguments regarding security concerns ring hollow for me.

If you end up pursuing this, please come back and share your results.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!