Using a VM100 at the perimeter


L1 Bithead

Hi,

We are looking at deploying a VM-100 at the perimeter of our network. We currently have a PA-500 doing that job. It is incredibly slow on the management side of things and, quite frankly, expensive when it comes to support renewals. Hence the thought of going to a VM-100. Our supplier has told us that Palo Alto does not recommend a virtual firewall (hosted on VMware) at the perimeter; however, I can't find any documentation to support this.

Can anyone point me at the documentation that supports the statement that PA don't recommend this deployment model? Or can someone at PA confirm this?

Thanks in advance.

16 REPLIES

L6 Presenter

Hi HDC... The VM-100 can be installed on several VMware products (VMware Workstation, VMware Fusion, VMware Player), and the VM platforms themselves are not designed to be a firewall at the perimeter. There is a degree of risk when exposing the VM platform to an untrusted segment (the Internet). You should consult with VMware on how to harden the VM platform, if it is even possible.

As for the slow response on the mgmt of the PA-500, may I recommend that you consider upgrading its memory: PA-500 Management Memory Upgrade Procedure. Thanks.

Hello, I agree with rmovan in that the VM is not great to be put at the perimeter, since you now have exposed your hypervisor to the Internet. I know there are VMware hardening docs, but I think you are asking for trouble, since if the hypervisor gets compromised, the firewall is useless. Stay with physical at the perimeter.

L4 Transporter

If you wouldn't trust it enough to secure traffic at the perimeter, why would you trust it enough to secure your internal traffic?

Genuine question - like many people I'm wary of putting VMware at the very edge of the network, but given the "on paper" specifications of the VM100 you could buy a dedicated host if you wanted to, and it would still seem to give a 2000 or entry 3000 series a run for its money.

Palo Alto SEs say it's intended for east-west inspection, but nobody really ever explains why it shouldn't be suitable to use at the perimeter, especially when you can do HA using VMware vs. having to buy a pair of appliances.

Not applicable

We have isolated VMware boxes in our DMZ. They are hardened and management isn't accessible from the Internet. I can't speak to the performance, but the arguments regarding security concerns ring hollow for me.

If you end up pursuing this, please come back and share your results.
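The control the poster above relies on (hypervisor management not reachable from the Internet) is something you can verify mechanically against the perimeter rulebase rather than assume. The following is an added example, not code from the thread or from Palo Alto Networks or VMware: it lints a constructed, simplified rule set for any allow rule that lets an untrusted zone reach the hypervisor management subnet on management ports. The rule format, zone names, the 10.20.0.0/24 management subnet and the port list are all assumptions for the example.

```python
"""Lint a simplified firewall rulebase for hypervisor-management exposure.

Added example for this thread; the rulebase format is a constructed
stand-in, not any vendor's configuration schema.
"""
import ipaddress

# Assumed: subnet(s) holding the ESXi/vCenter management interfaces in the DMZ.
HYPERVISOR_MGMT = [ipaddress.ip_network("10.20.0.0/24")]

# Assumed management ports: SSH, vSphere/ESXi HTTPS, ESXi host agent (902), console (5900).
MGMT_PORTS = {22, 443, 902, 5900}

# Zones whose sources are untrusted (Internet-facing) for this example.
UNTRUSTED_ZONES = {"untrust"}

# Constructed sample rulebase. Each rule: name, from_zone, to_zone,
# destination ("any" or list of CIDRs), ports ("any" or set of ints), action.
RULES = [
    {"name": "allow-web-dmz", "from_zone": "untrust", "to_zone": "dmz",
     "destination": ["10.20.1.0/24"], "ports": {443}, "action": "allow"},
    {"name": "allow-any-dmz", "from_zone": "untrust", "to_zone": "dmz",
     "destination": "any", "ports": "any", "action": "allow"},
    {"name": "mgmt-from-it", "from_zone": "trust", "to_zone": "dmz",
     "destination": ["10.20.0.0/24"], "ports": {22, 443}, "action": "allow"},
    {"name": "vendor-ssh", "from_zone": "untrust", "to_zone": "dmz",
     "destination": ["10.20.0.0/16"], "ports": {22}, "action": "allow"},
    {"name": "deny-all", "from_zone": "untrust", "to_zone": "any",
     "destination": "any", "ports": "any", "action": "deny"},
]


def _destination_overlaps(destination, mgmt_nets):
    """True if the rule's destination could include a management address."""
    if destination == "any":
        return True
    for cidr in destination:
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.overlaps(m) for m in mgmt_nets):
            return True
    return False


def _ports_overlap(ports, mgmt_ports):
    """True if the rule's service set could include a management port."""
    return ports == "any" or bool(set(ports) & mgmt_ports)


def rule_exposes_mgmt(rule, mgmt_nets=HYPERVISOR_MGMT, mgmt_ports=MGMT_PORTS,
                      untrusted=UNTRUSTED_ZONES):
    """Return True if an allow rule lets an untrusted zone reach mgmt services.

    Rule ordering and shadowing are deliberately not modelled: any allow rule
    that could match is reported, which errs on the side of flagging.
    """
    return (rule["action"] == "allow"
            and rule["from_zone"] in untrusted
            and _destination_overlaps(rule["destination"], mgmt_nets)
            and _ports_overlap(rule["ports"], mgmt_ports))


def find_exposures(rules, **kwargs):
    """Names of rules that expose hypervisor management to untrusted zones."""
    return [r["name"] for r in rules if rule_exposes_mgmt(r, **kwargs)]


if __name__ == "__main__":
    for name in find_exposures(RULES):
        print(f"exposure: rule {name!r} allows untrusted access to hypervisor management")
```

Running it against the constructed rulebase flags `allow-any-dmz` (any/any to the DMZ) and `vendor-ssh` (a /16 that swallows the management /24 on port 22), while the trusted-zone management rule and the web-only rule pass. A real check would read the exported rulebase and object groups from the device, but the overlap logic is the same.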
