Hello,
Our company has purchased Palo Alto VM-Series ELA licenses to be deployed for microsegmentation, so we don't have any restriction on the number of VM firewalls or their size.
My boss wants to steer all the traffic to the VM-Series firewalls and not use NSX DFW at all, considering two things: having one single place to manage the traffic and firewall rules, and second, because I am the only one with a little bit of knowledge of NSX (VCP-NV) and the rest of the team only know PAN, he wants to reduce the cost of education and rely on only one resource.
I know that when you vMotion a VM, the current sessions won't be managed by the VM-Series on the new host and they will continue to pass traffic until the session ends, like a big file transfer or replication.
I also know that vRNI, which we own as well, makes life so easy by detecting traffic flows and suggesting security policies.
Other than the above, is there any other reason we shouldn't steer all the traffic to the VM-Series and leave the NSX DFW to allow everything?
Regards
I'm not an expert in PA, but I believe they have white tech papers about models versus throughput supported, so from there you can have an idea on correct dimensioning.
So on the policy, just consider mapping the VMs that are part of the apps that require this kind of deep inspection; from there you can set them to have all traffic redirected, so for the rest of the VMs most probably NSX DFW will be enough and you will shine with an optimization of the use of PA instead of redirecting all to PA.
So in plain English it could be something like having some prepared with the PA engine while others without, since the SVM of PA is not possible to vMotion, as you mentioned before.
hope this helps
my two pesos.
Thanks for the response with all the great points.
We currently have a few PA-VM500s deployed in the environment that are basically sitting there whistling.
But I know their policy model is not very optimal, as they only have rules that apply to the VMs that share the same host with them, and vMotion to other clusters has not been considered.
You can use east-west service insertion and redirect 100% of the traffic to be inspected by the partner VM.
But still you can't skip NSX DFW. You still need to open NSX DFW to allow the intended traffic. I have a customer who does this by "allow any any in DFW" and "any to any redirect to partner SVM".
This means that all traffic in and out of any VM will still be checked and allowed by NSX DFW.
The only problem is when the partner SVM is down or unavailable. Based on your policy, either all traffic will get dropped or all traffic will get allowed.
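To make the "allow any any in DFW" plus "any to any redirect" design and its SVM-down failure mode concrete, here is a small Python model of the evaluation chain. It is an added, constructed simulation, not NSX or Palo Alto code: the DFW rule table is evaluated first-match, matching flows are then checked against the redirection rules, redirected flows get the partner SVM's verdict, and when the SVM is unavailable an assumed `failure_policy` value (`"BLOCK"` for fail-closed, `"ALLOW"` for fail-open) decides. The rule sets, flows and the SVM's own policy are constructed sample data.

```python
"""Model of NSX DFW + east-west service insertion (constructed simulation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Union[int, str]   # ANY or a port number
    action: str             # DFW: "allow"/"drop"; SI: "redirect"/"no_redirect"

    def matches(self, f: Flow) -> bool:
        return (self.src in (ANY, f.src)
                and self.dst in (ANY, f.dst)
                and self.port in (ANY, f.port))


def first_match(rules: List[Rule], flow: Flow, default: str) -> str:
    """First-match evaluation, like an ordered firewall rule table."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


@dataclass
class PartnerSvm:
    available: bool = True
    failure_policy: str = "BLOCK"   # assumed name: BLOCK = fail-closed, ALLOW = fail-open
    # The SVM's own verdicts, keyed by (src, dst, port); anything else is dropped.
    policy: Dict[Tuple[str, str, int], str] = field(default_factory=dict)

    def inspect(self, f: Flow) -> str:
        if not self.available:
            return "allow" if self.failure_policy == "ALLOW" else "drop"
        return self.policy.get((f.src, f.dst, f.port), "drop")


def evaluate(flow: Flow, dfw: List[Rule], si: List[Rule], svm: PartnerSvm) -> Tuple[str, str]:
    """Return (verdict, decided_by). DFW is consulted first; a DFW drop never reaches the SVM."""
    if first_match(dfw, flow, "drop") == "drop":      # DFW default rule assumed to be drop
        return "drop", "dfw"
    if first_match(si, flow, "no_redirect") == "redirect":
        return svm.inspect(flow), "svm"
    return "allow", "dfw"


def run_scenario(svm_available: bool, failure_policy: str) -> Dict[str, Tuple[str, str]]:
    """The customer design from the thread: DFW allows everything, everything is redirected."""
    dfw = [Rule(ANY, ANY, ANY, "allow")]        # "allow any any in DFW"
    si = [Rule(ANY, ANY, ANY, "redirect")]      # "any to any redirect to partner SVM"
    svm = PartnerSvm(available=svm_available, failure_policy=failure_policy,
                     policy={("web", "db", 3306): "allow"})   # constructed SVM rule base
    flows = [Flow("web", "db", 3306), Flow("app", "db", 22)]  # constructed sample flows
    return {f"{f.src}->{f.dst}:{f.port}": evaluate(f, dfw, si, svm) for f in flows}


if __name__ == "__main__":
    for avail, pol in [(True, "BLOCK"), (False, "BLOCK"), (False, "ALLOW")]:
        print(f"SVM available={avail} failure_policy={pol}: {run_scenario(avail, pol)}")
```

Running it shows the two outcomes the reply warns about: with the SVM down and a fail-closed policy every flow is dropped even though the DFW says allow, and with fail-open every flow is allowed with no inspection at all. A DFW drop rule placed ahead of the allow-any still blocks a flow before redirection, which is the "you still need DFW" point.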