Palo Alto Networks shares key details about deploying VM-Series Next-Generation Firewall on the ESXi in Layer 3 Mode. Learn more about the requirements, Creating the Network Topology, VM-Series Layer 3 Configuration, and more.
Deploying the VM-Series on ESXi in Layer 3 Mode
All virtual machines on the ESXi hosts will be segregated from each other on the network by the VM-Series next-generation firewall, using IP addressing and Layer 3 gateways. The basis for this design is to provide maximum resiliency with regard to VM-Series HA placement, guest VM protection, and the inherent networking capabilities of the ESXi hypervisor and virtual switching. This technote covers a multiple ESXi host environment showcasing east/west traffic separation to demonstrate the Layer 3 capabilities of the VM-Series next-generation firewall.
A highly available Active/Passive pair of VM-Series next-generation firewalls is positioned between the physical datacenter network and the guest VM workloads. A single Distributed vSwitch is used in this example topology. Port groups are used to segregate traffic between the untrusted side and the trusted side of the firewall. Layer 3 interfaces provide the untrust/trust boundaries on the firewall and also provide default IP gateway reachability for the entire subnet.
Diagram of uplink ports and Layer 3 HA untrust/trust zone deployment
This design was validated with ESXi version 6.7u3, vCenter version 6.7, VM-Series PAN-OS version 9.1.2.
Creating the Network Topology
We often make virtual networking more complicated than it needs to be. ESXi virtual switches work on the same principles as physical network switches. Don’t overcomplicate it. The principles you would use to deploy our firewall in a physical Layer 2/3 networking environment are the same methodology you would use to deploy the VM-Series in a virtualized environment.
Building the ESXi network topology is a crucial part of any Layer 3 design. Distributed vSwitches by themselves do not necessarily segregate traffic between port groups. The default configuration of a vSwitch, the initial port group configuration, and the vSwitch uplinks create a flat Layer 2 network.
There is a misconception about what port groups are. Port groups are simply a collection of virtual ports that share a common configuration set. A port group is not a VLAN. There are many attributes that can be configured under a port group and the VLAN ID is one of those attributes.
This design calls for only a couple of port groups to be configured on the vSwitch.
A single vSwitch was created: tswitch1
Two port groups for the firewall and VM guests:
untrust (connected to the IP gateway)
trust (for the Layer 3 guests: Ubuntu Web and App)
Uplink ports (tswitch1-DVUplinks) connect this vSwitch to the physical network switches.
Uplink ports: tswitch1_vDS uplinks
The following image shows the two (distributed) port groups assigned to the VM-Series:
Layer 3 based (distributed) port group: untrust/unprotected zone
Layer 3 based (distributed) port group: trust/protected zone
Assign Port Groups to VM-Series
VM-Series Firewalls are assigned to the firewall port groups. Network Adapter 1 is used for the firewall’s management interface. Network Adapter 2 is used for the untrusted side of the firewall. Network Adapter 3 is used for the trusted side of the firewall.
View of primary VM-300 VM hardware summary
The guest machines are assigned to their respective port groups.
Layer 3 guest-a (Web) VM hardware summary
Layer 3 guest-b (App) VM hardware summary
VM-Series Layer 3 Configuration
This section covers the VM-Series next-generation firewall network configuration. All configuration is completed in the PAN-OS web interface.
Two zones were used in this example:
Firewall web interface - Zones: Layer 3
For this technote, two virtual routers were employed: both the default virtual router (VR) and a separately configured VR representing an internal trusted network boundary. A VR is a function of the firewall that participates in Layer 3 routing.
The firewall uses virtual routers to obtain routes to other subnets by either manually defining static routes or through participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall obtains through these methods populate the IP routing information base (RIB) on the firewall. When a packet is destined for a different subnet than the one it arrived on, the virtual router obtains the best route from the RIB, places it in the forwarding information base (FIB), and forwards the packet to the next hop router defined in the FIB.
In addition to routing to other network devices, virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to another virtual router as illustrated below.
Simple VR overview and configuration illustration
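The RIB/FIB lookup and inter-VR hand-off described above, as an added example that is not part of the original technote: a small Python model of two virtual routers (default and VR1) with static routes whose next hop is another VR. Subnets, interface names and the gateway address are constructed for illustration; the loop guard shows what happens if two VRs point their default routes at each other.

```python
"""Model of PAN-OS virtual-router forwarding with next-vr static routes.

Added example, not from the original technote. Prefixes, interface
names and the gateway address below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str                      # destination, e.g. "172.17.0.0/24"
    egress: Optional[str] = None     # egress interface when the VR forwards itself
    next_hop: Optional[str] = None   # next-hop IP on that interface (None = connected)
    next_vr: Optional[str] = None    # hand the packet to another VR instead


# Constructed RIB for the two VRs in the technote: the default VR owns the
# untrust side (ethernet1/1), VR1 owns the trust side (ethernet1/2).
RIB: Dict[str, List[Route]] = {
    "default": [
        Route("192.0.2.0/24", egress="ethernet1/1"),                     # connected untrust
        Route("0.0.0.0/0", egress="ethernet1/1", next_hop="192.0.2.1"),  # physical gateway
        Route("172.17.0.0/24", next_vr="VR1"),                            # trust subnet lives in VR1
    ],
    "VR1": [
        Route("172.17.0.0/24", egress="ethernet1/2"),                     # connected trust
        Route("0.0.0.0/0", next_vr="default"),                            # everything else via default VR
    ],
}


def best_route(vr: str, dst: str, rib: Dict[str, List[Route]] = RIB) -> Optional[Route]:
    """Longest-prefix match: the RIB entry this VR would install in its FIB for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib[vr] if addr in ipaddress.ip_network(r.prefix)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def forward(vr: str, dst: str, rib: Dict[str, List[Route]] = RIB) -> Tuple[str, str, List[str]]:
    """Follow next-vr hops until a VR owns an egress interface for dst.
    Returns (egress_interface, next_hop_ip, [VRs traversed]); raises on no route or a VR loop."""
    path: List[str] = []
    while vr not in path:
        path.append(vr)
        r = best_route(vr, dst, rib)
        if r is None:
            raise LookupError(f"no route to {dst} in VR {vr}")
        if r.next_vr is None:
            return r.egress, r.next_hop or dst, path   # connected: next hop is dst itself
        vr = r.next_vr
    raise RuntimeError(f"next-vr loop for {dst}: {' -> '.join(path + [vr])}")
```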
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you assign an IP address to each interface and configure virtual routers to route the traffic. Choose this option when routing is required.
Alternate VR creation
Default virtual router static routes (NOTE: next-vr next-hop):
Default VR and inter-VR next-hop route configuration
Default virtual router static route table (NOTE: next-vr next-hop):
Default VR route table
Virtual Router 1:
Alternate VR1 and inter-VR next-hop route configuration
VR1 static route table:
VR1 route table
Firewall UI: Interfaces > Ethernet Tab
Interfaces will need to be configured under the Interfaces > Ethernet tab. Assign the Interface Type of the physical interface as Layer 3. Nothing else needs to be configured under the physical interface. Interfaces can be provisioned with either DHCP client or static IP addressing.
DHCP Layer 3 interface configuration:
Untrust Ethernet interface configuration. NOTE: the interface can be provisioned with either static or DHCP IP addressing.
Static Layer 3 interface configuration:
Static IPv4 interface configuration
Assign each interface to the correct zone (untrust or trust).
Untrust and trust zone interface configuration:
Ethernet1/1 untrust zone assignment illustration
Ethernet1/2 trust zone assignment
Add a policy to allow packets to traverse the VM-Series next-generation firewall.
Firewall web interface: Security > Add Policy
Commit the Configuration
Commit the configuration.
Verifying the Environment
Working with a Layer 3 environment requires investigating the guest VM’s connectivity by testing IP reachability to internal and external Internet hosts. The guest VM IP address information is listed below.
Ubuntu 19.10 Web VM: 172.17.0.7/24
Ubuntu 19.10 App VM: 172.17.0.5/24
The CLI can be used to view MAC/IP address information on the VM-Series. The command is:
show interface ethernet1/<interface #>
Sample of command results for firewall interface
For the VM-Series routing table, the command is:
show routing route
VM-series separate "default" and "VR1" routing tables including next-hop information
Physical Network Commands
The command you are going to use to verify any MAC/IP address learning will differ based on your network switch vendor. This lab utilizes Juniper Networks EX Series Switches:
Sample of a show ethernet switching table output (e.g., Juniper Networks EX Series/Junos OS)
Guest VM Commands
Sample of guest VM commands: IP reachability
Firewall Traffic Log
You can view the firewall traffic log by navigating to Monitor Tab > Logs > Traffic.
Firewall Web Interface: Logs
Firewall Web Interface: Monitoring Traffic
Virtual Routers Technical Documentation
Configure Layer 3 Interfaces Technical Documentation
Video Tutorial: How To Configure a Layer 3 Interface