VM-Series for NSX implementation - High Availability


Per the link below, Palo Alto VM-Series and Panorama integration with NSX implementation doesn't offer high availability.

VM-Series in High Availability

So the question is: if the VM-Series appliance on an ESXi host fails/crashes due to any reason, what are the options to immediately recover from the failure?

When I power down the firewall appliance on one of the hosts, the traffic (where that host is source or destination) stops.

I deleted the firewall appliance and then redeployed it, but the new firewall appliance had a different UUID, so it required registration/licensing.


0 Kudos
1 Reply

Hi rch,

With 3rd party service appliances, there is the option to 'fail open' in the event of a failure. By default, NSX will drop all traffic if it can't be forwarded to the PAN SVM via the dvfilter slowpath, which is normal in the 'fail closed' configuration. This can happen if the appliance hangs up, crashes or gets powered off for whatever reason. In a 'fail open' scenario, the PAN slowpath is bypassed in the event of a failure. Obviously there can be security considerations here. If L7 filtering is critical, this is probably not an option for you. The DFW (slot-2) filtering will continue to work, but all inspection by the PAN will be bypassed.

Hope this helps.

My blog: https://vswitchzero.com Follow me on Twitter: @vswitchzero
0 Kudos