PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-VM 10.1 (layer 3 interfaces) in a NSX-V IaaS data centre - Add to User Excluded VMs for NSX Firewall settings?

L0 Member

I would go straight to PA with this query but the firewall was purchased through and is supported by a 3rd party vendor and we have limited control over it and the DC it's hosted in is similar. Support is terrible to say the least.

 

We lease an IaaS data centre which is connected to our ISP provided private WAN. We host 2 PA-VMs in a HA pair and they are used as our perimeter firewall.

 

This IaaS data centre is running NSX-V and VMWare 6.7. Important to note that the PA-VM is not running as a service for NSX as discussed here: VM-Series for Firewall NSX-V Overview (paloaltonetworks.com). It's not used for protecting the data centre. It's purely our perimeter (internet) firewall for our north / south traffic and running as standard VM in the DC.

 

Sometime ago we started getting intermittent and inconsistent traffic issues. Basically sometimes a continuous traffic stream will get black holed. Very noticeable for our remote users on Citrix sessions for example. I'm not sure if it started when we migrated to this setup from our old setup or sometime after.

 

With investigating, I've ruled out the PA-VM itself as the culprit and have started to focus on the NSX Edge nodes and the DC in general but I have come across articles saying that VMs such as FWs should be added to the "User Excluded VMs for NSX Firewall settings" but then I read that's only necessary if you need to accept Promiscuous Mode, MAC Address Changes and Forged Transmits.

 

We have those options set to Reject. We're configured using L3 interfaces and hypervisor assigned MAC addresses.

 

So my questions:

  1. Should our PA-VMs be added to the "User Excluded VMs for NSX Firewall settings"?

  2. Should we change Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept?

Thanks for any assistance.

1 accepted solution

Accepted Solutions

L0 Member

I've answered my 1st question: We added the PA-VMs to the "User Excluded VMs for NSX Firewall settings" and it did not fix our issue.

 

I won't bother with changing Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept as we are running @ Layer 3 and shouldn't need to do that.

 

The problem is within our NSX IaaS data centre.

View solution in original post

1 REPLY 1

L0 Member

I've answered my 1st question: We added the PA-VMs to the "User Excluded VMs for NSX Firewall settings" and it did not fix our issue.

 

I won't bother with changing Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept as we are running @ Layer 3 and shouldn't need to do that.

 

The problem is within our NSX IaaS data centre.

  • 1 accepted solution
  • 1937 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!