
I have a Palo Alto VM Series Firewall that I've spun up in an ESXi 6.0 box. How can I have the PAN act as a transparent firewall to all VMs on the box?

I was expecting that I could use two vSwitches, one with the physical uplink to the internal network (and eventually to the internet) and one which houses the VMs (PAN-Network). On this "PAN-Network" vSwitch, I would have the PAN have one of its interfaces here along with the VMs, then have another interface in the "Internal Network" vSwitch (which is what eventually leads to the internet).

PAN offers a Layer 2 switch mode, or "Virtual Wire" mode to help act transparently, but I can't seem to get this working as I expected. Is this even a possible solution, or am I going to have to do something like a NAT'd network (which I really want to avoid)? I assumed that having the PAN as a Layer 2, or even Virtual Wire, it would "bridge" the two vSwitches and allow the VMs to connect to the physical uplink port, but that isn't happening as far as I've tested.

I'm not an ESXi or PAN expert, so I'm struggling with this concept.

Thanks.

Andrew

1 Answer

I was able to find A solution, whether or not it's the best or most correct, I'm not sure.

I was able to use two vSwitch interfaces as expected (one with the physical connection, and one without) and then use the Virtual Wire interface type on the PAN (one leg in vSwitch 1 and the other in vSwitch 2).

The key is that both vSwitches must have Promiscuous mode, MAC address changes, and Forged transmits enabled. I might goof with it to see if I need these enabled on both, but that's what worked.

Andrew
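The three vSwitch settings in the answer are what let a Virtual Wire pass frames through unchanged: the firewall's vNIC must receive frames addressed to other VMs' MACs (Promiscuous mode) and re-send them with those VMs' source MACs (Forged transmits / MAC address changes). Promiscuous mode also lets any other VM on the same port group see all traffic on that vSwitch, so it is worth auditing where it is enabled. The script below is an added example, not part of the original answer: it checks the output of `esxcli network vswitch standard policy security get` for the three settings and prints the `esxcli ... set` command that enables them (run only with `APPLY=1`). The vSwitch names `vSwitch1`/`vSwitch2` and the sample `esxcli` output are assumptions constructed for the example; off an ESXi host the script audits the constructed sample instead.

```shell
#!/bin/sh
# Added example: audit/apply the ESXi vSwitch security policy a PAN Virtual Wire needs.
# Assumed vSwitch names (adjust to your host): uplink-side and VM-side vSwitch.
PAN_VSWITCHES="vSwitch1 vSwitch2"

# Constructed sample of `esxcli network vswitch standard policy security get -v <name>`
# on a default vSwitch: promiscuous mode is still off.
SAMPLE_DEFAULT='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Constructed sample of a vSwitch that already has all three settings enabled.
SAMPLE_READY='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Read esxcli "policy security get" output on stdin. Print each setting that is not
# "true" as its esxcli option name, one per line. Return 0 if nothing is missing, 1 otherwise.
check_vwire_policy() {
    missing=$(awk -F': *' '
        { gsub(/[ \t\r]+$/, "", $2) }
        /Allow Promiscuous/        { if ($2 != "true") print "allow-promiscuous" }
        /Allow MAC Address Change/ { if ($2 != "true") print "allow-mac-change" }
        /Allow Forged Transmits/   { if ($2 != "true") print "allow-forged-transmits" }
    ')
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Build the esxcli command that enables all three settings on one vSwitch (what the
# answer did at vSwitch level). To limit promiscuous mode to the firewall's own legs,
# override the policy on that port group instead:
#   esxcli network vswitch standard portgroup policy security set -p <portgroup> ...
vwire_policy_cmd() {
    printf 'esxcli network vswitch standard policy security set -v %s --allow-promiscuous=true --allow-mac-change=true --allow-forged-transmits=true\n' "$1"
}

# Dry-run by default; set APPLY=1 on the ESXi host to actually change the policy.
apply_vwire_policy() {
    cmd=$(vwire_policy_cmd "$1")
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd
    else
        echo "dry-run: $cmd"
    fi
}

# Stand-alone run: audit each vSwitch (live esxcli output on ESXi, constructed sample elsewhere).
main() {
    for name in $PAN_VSWITCHES; do
        if command -v esxcli >/dev/null 2>&1; then
            current=$(esxcli network vswitch standard policy security get -v "$name")
        else
            current=$SAMPLE_DEFAULT   # not on an ESXi host: use the constructed sample
        fi
        if missing=$(printf '%s\n' "$current" | check_vwire_policy); then
            echo "$name: ready for Virtual Wire"
        else
            echo "$name: still disabled -> $(printf '%s' "$missing" | tr '\n' ' ')"
            apply_vwire_policy "$name"
        fi
    done
}
main
```

Because the audit function only parses text, it can also be fed saved `esxcli` output from several hosts to find every vSwitch where promiscuous mode was left on after the firewall moved.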