ccrcabiuki
Contributor

Traffic steering to Palo Alto. Do I need DFW at all?


Hello,

Our company has purchased Palo Alto VM-Series ELA licenses to be deployed for microsegmentation, so we don't have any restriction on the number of VM firewalls or their size.

My boss wants to steer all the traffic to the VM-Series firewalls and not use NSX DFW at all, considering two things: first, having one single place to manage the traffic and firewall rules; and second, because I am the only one with a little bit of knowledge of NSX (VCP-NV) and the rest of the team only know PAN, he wants to reduce the cost of education and avoid relying on only one resource.

I know that when you vMotion a VM, the current sessions won't be managed by the VM-Series on the new host, and they will continue to pass traffic until the session is ended, like a big file transfer or replication.

I also know that vRNI, which we own as well, makes life so easy by detecting traffic flows and suggesting security policies.

Other than the above, is there any other reason we shouldn't steer all the traffic to the VM-Series and leave the NSX DFW to allow everything?

Regards


Accepted Solutions
RaymundoEC
VMware Employee

I'm not an expert in PA, but I believe they have tech white papers about models versus supported throughput, so from there you can get an idea of the correct dimensioning.

So on the policy side, just consider mapping the VMs that are part of the apps that require this kind of deep inspection; from there you can set them to have all their traffic redirected, so for the rest of the VMs NSX DFW will most probably be enough, and you will shine with an optimization of the use of PA instead of redirecting everything to PA.

So in plain English it could be something like having some VMs prepared with the PA engine while others are without, since the SVM of PA cannot be vMotioned, as you mentioned before.

Hope this helps.

+vRay

RaymundoEC
VMware Employee
  • Take into account the performance of the PA SVM. This means you have to take care of its capacity, since depending on the model/flavor you can get saturation on the SVM and most probably packet drops, because this inspection takes a while when the traffic is very high.
  • Check the correct redirection of all the traffic from the DFW to PA.
  • Also, you will still need to know DFW: any issue will require checking what happens in the guts of NSX.
  • Still, you need to do some kind of microsegmentation-ish work using DFW; without it, PA won't know all the SGs to work with.

My two pesos.

+vRay
ccrcabiuki
Contributor

Thanks for the response with all the great points.

We currently have a few PA-VM500s deployed in the environment that are basically sitting there whistling.


But I know their policy model is not very optimal, as they only have rules that apply to the VMs that share the same host with them, and vMotion to other clusters has not been considered.

nipanwar
Enthusiast

You can use east-west service insertion and redirect 100% of the traffic to be inspected by the partner VM.

But you still can't skip NSX DFW. You still need to open NSX DFW to allow the intended traffic. I have a customer who does this with "allow any any in DFW" and "any to any redirect to partner SVM".

This means that all traffic in and out of any VM will still be checked and allowed by NSX DFW.

The only problem is when the partner SVM is down or unavailable. Based on your policy, either all traffic will get dropped or all traffic will get allowed.
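The interaction described in this reply, as an added illustration that is not part of the thread and not NSX or Palo Alto code: a small Python model of how an ordered DFW rule set, an east-west redirection policy and the partner SVM's availability combine into the effective verdict for one flow. The group names, VM inventory and the "allow"/"block" failure policy values are assumptions; the second builder models the earlier suggestion of steering only the deep-inspection VMs so the DFW still carries the segmentation when the SVM is down.

```python
"""Constructed model (not NSX or Palo Alto code) of DFW + service-insertion
redirection + partner SVM availability. Group names and rule shapes are assumptions."""
from dataclasses import dataclass

@dataclass
class Rule:
    src: str      # security group name, or "any"
    dst: str
    action: str   # DFW: "allow" / "drop"; redirection: "redirect" / "no_redirect"

@dataclass
class Policy:
    groups: dict                  # group name -> set of VM names
    dfw: list                     # ordered DFW rules, first match wins, implicit drop
    redirect: list                # ordered redirection rules, first match wins
    svm_up: bool = True
    failure_policy: str = "block"  # assumed values: "allow" or "block" when SVM is unavailable

    def _member(self, vm, group):
        return group == "any" or vm in self.groups.get(group, set())

    def _first_match(self, rules, src, dst, default):
        for r in rules:
            if self._member(src, r.src) and self._member(dst, r.dst):
                return r.action
        return default

    def outcome(self, src, dst):
        """'drop', 'allow' (DFW only, no inspection) or 'inspect' (steered to the SVM).
        A flow must pass both the DFW verdict and the redirection outcome; the order
        in which the data path applies the two checks is deliberately not modelled."""
        if self._first_match(self.dfw, src, dst, "drop") == "drop":
            return "drop"
        if self._first_match(self.redirect, src, dst, "no_redirect") != "redirect":
            return "allow"
        if self.svm_up:
            return "inspect"
        return "allow" if self.failure_policy == "allow" else "drop"

GROUPS = {"app_tier": {"app01", "app02"}, "mgmt": {"jump01"}}  # constructed inventory

def steer_everything(svm_up=True, failure_policy="block"):
    """Design from this reply: DFW allow any/any plus redirect any/any to the SVM."""
    return Policy(GROUPS, [Rule("any", "any", "allow")],
                  [Rule("any", "any", "redirect")], svm_up, failure_policy)

def steer_app_tier_only(svm_up=True, failure_policy="block"):
    """Variant: DFW keeps the segmentation; only flows into app_tier are steered."""
    dfw = [Rule("mgmt", "app_tier", "allow"), Rule("app_tier", "app_tier", "allow")]
    return Policy(GROUPS, dfw, [Rule("any", "app_tier", "redirect")], svm_up, failure_policy)
```

With everything steered and a fail-open policy, an SVM outage turns the whole estate into "allow any, uninspected"; with the DFW still carrying group-based rules, the same outage only affects the steered flows.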
