05-27-2020 09:12 AM
Hello,
I am kind of new with PaloAlto. I require some help with a scenario I am trying to put into practice in my lab.
I have a strange situation in my setup.
I have deployed a PaloAlto firewall virtual appliance on an ESXi host, and also created 2 virtual machines.
On PaloAlto, I have created a subinterface and assigned it to VLAN 14, and an interface assigned to VLAN 12. VLAN 12 communicates with the exterior.
The two VMs are assigned to VLAN 14.
Now here is the strange thing. The VMs can ping each other, but they cannot ping the gateway, which is the subinterface I have created on PaloAlto, VLAN 14.
However, the subinterface can be pinged if I try from outside the VMware environment, via VLAN 12, from my physical computer for example.
The physical computer runs in a different network, and communicates with the VMware environment via a firewall, a physical box. The firewall (physical box) communicates with PaloAlto using VLAN 12.
Attached is the config of the PaloAlto interface/subinterface and the config for the virtual NICs in VMware.
Both port groups in VMware use the same physical interface.
The interfaces in PaloAlto are configured to respond to PING.
What exactly am I missing in order to allow the VMs to ping the gateway and allow them access towards other networks?
Any tips much appreciated!
Thank you in advance.
05-27-2020 10:04 AM
Why don't you allocate a dedicated interface to VLAN 14 on the Palo? Even if that trunking can work in principle, there are still so many places where dot1q can go wrong in a virtualized environment... You need to make sure that VGT is configured correctly (https://kb.vmware.com/s/article/1003806#vgtPoints ), and you need to make sure the Palo uses the hypervisor-assigned MAC address (Device > Management > General Settings).
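The reply above points at two places where tagged traffic between a VM port group and a VM-Series subinterface silently breaks: the port group's VLAN mode (the vSwitch only hands 802.1Q tags through to the guest when the port group is set to VLAN ID 4095, VGT; a specific VLAN ID, VST, strips the tag before delivery) and the firewall's MAC address (a non-hypervisor MAC needs the port group security policy to allow MAC changes and forged transmits). The following is an added example, not code from the thread, Palo Alto Networks or VMware, that models those rules so a lab configuration can be checked before troubleshooting packet by packet. The port group and interface names, the `PortGroup` / `FirewallInterface` classes and the `check_vm_to_firewall` function are all constructed for this example; it assumes the VMs send untagged frames and that the VLAN ID meanings are VMware's documented ones (0 external switch tagging, 1-4094 virtual switch tagging, 4095 virtual guest tagging).

```python
"""Consistency check for 802.1Q tagging between ESXi port groups and a
VM-Series firewall interface (example code, not a vendor tool)."""
from dataclasses import dataclass
from typing import List, Optional

VGT_VLAN_ID = 4095  # Virtual Guest Tagging: vSwitch passes tags through to the guest
EST_VLAN_ID = 0     # External Switch Tagging: frames are untagged inside the vSwitch


@dataclass
class PortGroup:
    name: str
    vlan_id: int
    mac_changes: bool = False       # vSwitch security policy "MAC Address Changes"
    forged_transmits: bool = False  # vSwitch security policy "Forged Transmits"


@dataclass
class FirewallInterface:
    name: str
    tag: Optional[int]  # 802.1Q tag of a subinterface, None for an untagged parent


def delivered_tag(vlan: int, fw_pg: PortGroup) -> Optional[int]:
    """Tag carried by a VLAN `vlan` frame when it reaches the firewall vNIC
    (0 = untagged), or None if the vSwitch never forwards it to fw_pg."""
    if fw_pg.vlan_id == VGT_VLAN_ID:
        return vlan          # VGT: tag is left on the frame, the guest must handle it
    if fw_pg.vlan_id == vlan:
        return 0             # VST/EST: vSwitch strips the tag before delivery
    return None              # port group belongs to a different VLAN


def check_vm_to_firewall(vm_pg: PortGroup, fw_iface: FirewallInterface,
                         fw_pg: PortGroup, fw_uses_hypervisor_mac: bool) -> List[str]:
    """Return a list of findings; an empty list means VM frames will reach fw_iface."""
    findings: List[str] = []
    # Assumption: the VM guest OS sends untagged frames, so only a VST port
    # group gives its frames a VLAN; EST and VGT leave them untagged (VLAN 0).
    vlan = EST_VLAN_ID if vm_pg.vlan_id in (EST_VLAN_ID, VGT_VLAN_ID) else vm_pg.vlan_id

    seen = delivered_tag(vlan, fw_pg)
    expected = fw_iface.tag or 0
    if seen is None:
        findings.append(f"{fw_pg.name} (VLAN {fw_pg.vlan_id}) never receives "
                        f"VLAN {vlan} frames from {vm_pg.name}")
    elif seen != expected:
        findings.append(f"{fw_iface.name} expects tag {expected or 'none'} but "
                        f"frames arrive with tag {seen or 'none'} via {fw_pg.name}")

    # A firewall that keeps its own MAC instead of the hypervisor-assigned one
    # needs the port group to accept frames from that MAC.
    if not fw_uses_hypervisor_mac and not (fw_pg.mac_changes and fw_pg.forged_transmits):
        findings.append(f"{fw_pg.name} must allow MAC changes and forged transmits, "
                        f"or enable 'Use Hypervisor Assigned MAC Addresses' on the firewall")
    return findings


# Constructed lab layout mirroring the thread: VMs on a VLAN 14 port group,
# firewall subinterface tagged 14, three candidate port groups for the firewall.
VM_PG = PortGroup("PG-VLAN14", 14)
FW_SUBIF = FirewallInterface("ethernet1/2.14", tag=14)
FW_PARENT = FirewallInterface("ethernet1/3", tag=None)
FW_PG_VST = PortGroup("PG-FW-VLAN14", 14)                    # same VLAN, tags stripped
FW_PG_VGT = PortGroup("PG-FW-TRUNK", VGT_VLAN_ID,
                      mac_changes=True, forged_transmits=True)  # tags passed through


def scenarios() -> dict:
    """Evaluate the layouts discussed in the thread; keys name each layout."""
    return {
        "subif_behind_vst": check_vm_to_firewall(VM_PG, FW_SUBIF, FW_PG_VST, True),
        "subif_behind_vgt": check_vm_to_firewall(VM_PG, FW_SUBIF, FW_PG_VGT, True),
        "dedicated_untagged": check_vm_to_firewall(VM_PG, FW_PARENT, FW_PG_VST, True),
        "vgt_own_mac_no_policy": check_vm_to_firewall(
            VM_PG, FW_SUBIF, PortGroup("PG-FW-TRUNK-LOCKED", VGT_VLAN_ID), False),
    }


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The `subif_behind_vst` layout is the one the reply warns about: the VM frames do reach the firewall's port group, but the vSwitch has already removed the tag, so the tagged subinterface never sees them; `dedicated_untagged` is the reply's first suggestion and needs no trunking at all.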
05-27-2020 11:04 AM
Hello Nikolay,
Doing as you have suggested works fine. Thank you!
I am very curious to try the other alternative as well.
I did not properly configure the VGT, so this must be the issue.
Thank you again for your quick response.
Best regards!