We are looking at deploying a VM-100 at the perimeter of our network. We currently have a PA-500 doing that job. It is incredibly slow on the management side of things and quite frankly, expensive when it comes to support renewals. Hence the thought of going to a VM-100. Our supplier has told us that Palo Alto does not recommend a Virtual Firewall (hosted on VMWARE) at the perimeter however I can't find, any documentation to support this.
Can anyone point me at the documentation supports the statement that PA don't recommend this deployment model? Or can someone at PA confirm this?
Thanks in advance.
I think you're right-on there. Check with VMware. I believe most of the uncertainty surrounding the wisdom/security/safety of exposing the hypervisor to the Internet really need to be answered by VMware. If they're cool with it and you've followed their hardening guides, then bring the discussion back here. We'd all love to hear what you find out! There are quite a few interesting "reads" on the internet. Google hypervisor escape, hypervisor breakout, hypervisor security.
One topic not brought up yet is troubleshooting. If Palo Alto Networks sells a hardware appliance, they have the ability to really dig deep into the architecture, identify issues, fix code, etc. When you "roll your own firewall", there are many more moving parts that aren't exposed to Palo Alto Networks' TAC (underlying hypervisor, storage, memory, networking, resource contention, etc.). The information is there, but you'd be digging around in multiple interfaces and potentially working with multiple vendors to find the source of a particularly troublesome issue.
I will post to VMware. I also think though that Palo Alto should be providing some clear guidance around this. If they support this appliance as a perimeter device or not. If they do what are other considerations etc etc. Like mentioned earlier if I cant trust it as a perimeter device why would i trust it as a device to secure zone within my network? If it isn't supported at the perimeter it is pretty much saying that it isn't actually a security device at all, by my logic anyway.
Having said that, this discussion would be very short if/when PA say yes or no, it is/isn't supported as a perimeter device and if it is then these are the caveats. Then we, as customers, can present our recommendations to the decisions makers and have them decide on risk verses cost/functionality etc etc etc.
I see that in the VMWare Hardening guide there is a Risk Profiles etc perhaps PA can look at this and say fully supported as long as a Minimum of Risk Profile 2 has been implemented on the host??
It is definitely supported and secure depending on the manner you deploy it just as any hardware firewall. The one thing I would do as far as ensuring that your Untrust traffic is isolated from the rest of the traffic is to ensure that the Ingress traffic from the internet comes in through it's own Physical NIC within the ESXi infrastructure. From there the untrust traffic will be as secure as the policies you configure within your firewall just as any other hardware device. There is no issue with deploying the virtual firewall as long as you architect the deployment properly but the same applies to a hardware PA Firewall as well. :smileyhappy:
I contacted a VAR we use and asked them the same. Their response is as follows. I am still a bit stumped as I can not fathom how the throughput would be an issue if it was put on a piece of hardware with two Intel CPUs with quad cores (or whatever) but here's what they said:
Palo Alto states that the VM firewalls are not recommended for edge use. Can you explain why? If it is the only VM on an ESXi box, I can’t imagine how that would be less secure than a physical box.:
Architecturally its just not going to deliver what PAN advertises – DoS, throughput are the two largest areas of concern – because everything is just virtualized on a intel CPU – no FPGA or math processor to offload the thinking of the box. – Also security concerns but if it’s the only thing on the box as you said its less of an issue.
Complexity in the configuration is also a concern with uptimes of firewalls normally 5 9’s
Do you have any clients running a PA virtualized? Are they happy with it?
Yes but all in test/dev environments nothing in production like suggested here
Yes, it's supported. The AWS version of the VM-series firewall is deployed in that fashion... you can't deploy a hardware appliance in front of it. You can't ship hardware to Amazon (at least that's how I understand it). So from that standpoint, it's not only supported, but also highly recommended - even by Palo Alto Networks! :smileyhappy:
Additionally, the datasheet specifies some of the use-cases that the VM series can address, and not all of them are "east-west datacenter traffic".
• Private or public cloud computing environments where virtualization is a dependency
• Environments where physical space is at a premium
• Remote locations where shipping hardware is not practical
DoS and overall performance should definitely be considered, along with all of the other points in this thread. For example, the higher-end appliances leverage dedicated network processors to handle Zone protection functions. And while you could easily build a server and throw enough cores at it to out-perform a PA-200 or PA-500, the performance pendulum swings to the hardware appliances when your requirements start getting into the 1Gbps+ range. The datasheet shows the VM-series capable of about 600Mbps with 4 CPU cores:
It comes down to understanding the considerations involved and making an informed decision. Yes, the management performance increase will be huge compared to a PA-200 and PA-500, and the on-going subscription costs for a VM-100 will be somewhat less expensive than a PA-500. You would need to compare that against the cost of the server hardware and hypervisor, your ability to secure that hypervisor, the added complexity of 3rd party moving parts that Palo Alto Networks won't have control over (server/CPU/storage/memory/virtual switches/network cards/etc), your ability to prevent the "server guys" or "storage guys" from messing with the virtual infrastructure and taking the firewall/Internet down, along the # of potential vendors involved in the troubleshooting process.
That's why you won't see a full, hearty recommendation from Palo Alto Networks to use VM-series instead of hardware appliances. If you feel that the benefits (ongoing maintenance costs and management performance in the case of the original poster) outweigh the potential risks, I say go for it!
I have one customer who uses it in this manner. It's not a huge environment... a PA-500 would have been appropriate for their requirements. They weighed the pros and cons, and went with the virtual firewall. For them it was a fairly easy choice as they had already been using virtual perimeter firewalls from another vendor and had experienced (first-hand!) the pitfalls involved. But they're just one customer compared to many, many more who went with hardware appliances.
-Jared (who may or may not be using a VM-series as a perimeter firewall in his "lab").
Thank you for the reply.
In my case, we are looking at going from 100 Mbps to 200 Mbps. We are a K-12 school with 100+ boarding students. We have 800+ devices with lots of media streaming after hours. The PA-500 handles 100Mbps very well with it's QOS, but I am concerned about the possibility of it handling 200Mbps with all of the options enabled AND it is roughly three years old.
There is also something to be said about having the VM run on box which is more redundant than a PA-500 (raid and dual power supply for example) and being able to restore a VM in case of hardware failure. Not to mention, I have a dual Xeon 2.9, quad core with 24 GB sitting around collecting dust.
We have upgraded the memory in all of our PA-500 devices and this does make a noticeable difference to the management interface speed, commit times etc.
We have also been trialling a VM-100. We've had a few reliability issues and I understand that the cause of these is being addressed in 6.1.3. Other than that though, we've been impressed by the general performance of the VM-100 and delighted by the boost in management interface speed / commit times.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!