Palo Alto Firewall VM "Bump on the Wire" configuration fails to pass traffic

Article ID: 429446

Products

VMware vSphere ESXi

Issue/Introduction

After a Palo Alto Networks firewall VM is installed and configured as a "bump on the wire" (a transparent layer-2 pass-through between two interfaces), traffic fails to pass through it.

  • ARP traffic is seen entering on one vNIC and leaving on the other vNIC, but it never leaves the ESXi host.


Environment

ESXi, all versions

vCenter Server, all versions

Cause

When the firewall VM is deployed across two virtual switches (one vNIC on each), the frames it forwards out of the second "bump" interface carry the source MAC address of the original sender, not the MAC address assigned to that vNIC.

  • The virtual switch port's security policy treats a frame whose source MAC differs from the vNIC's MAC as a policy violation (a forged transmit), so the frame is dropped at the virtual switch port, on the VM side of the virtual switch IOChain. The host never sees it on the uplink.


Resolution

To resolve this issue, configure the security policy of the virtual switch ports used by the firewall's bump interfaces as follows:
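As an added example (not part of this article, and not VMware or Palo Alto Networks code), the PowerCLI script below audits the security policy on the port groups that carry the firewall's two bump vNICs and, when run with -Fix, allows Forged Transmits and MAC Address Changes on those port groups only. The host name, the port group names and the choice of Accept for both settings are assumptions of the example: the settings follow from the Cause section above (egress frames with a source MAC other than the vNIC's are dropped by the port policy), and the parent vSwitch is deliberately left at Reject so other VMs on the host cannot spoof MAC addresses.

```powershell
# Added example: audit, and optionally relax, the vSwitch security policy on
# the port groups carrying a firewall VM's two "bump" vNICs. Not code from the
# KB article, VMware or Palo Alto Networks.
# Assumptions: PowerCLI is installed and Connect-VIServer has already been run;
# the host name and port group names are placeholders to replace; the fix
# (Accept for Forged Transmits and MAC Address Changes) is inferred from the
# Cause section, where egress frames carry a source MAC other than the vNIC's.
param(
    [string]   $EsxHost        = 'esx01.example.com',                    # assumed
    [string[]] $BumpPortGroups = @('FW-Bump-Inside', 'FW-Bump-Outside'), # assumed
    [switch]   $Fix
)

$vmHost       = Get-VMHost -Name $EsxHost
$parentSwitch = @{}

foreach ($pgName in $BumpPortGroups) {
    $pg     = Get-VirtualPortGroup -VMHost $vmHost -Name $pgName
    $policy = Get-SecurityPolicy -VirtualPortGroup $pg
    $parentSwitch[$pg.VirtualSwitchName] = $true

    # Reject (false) on either setting drops the firewall's relayed frames at
    # the port, because their source MAC is not the vNIC's assigned MAC.
    $ok     = $policy.ForgedTransmits -and $policy.MacChanges
    $status = if ($ok) { 'OK' } else { 'DROPS firewall egress' }

    [pscustomobject]@{
        PortGroup       = $pgName
        ForgedTransmits = $policy.ForgedTransmits
        MacChanges      = $policy.MacChanges
        Inherited       = ($policy.ForgedTransmitsInherited -and $policy.MacChangesInherited)
        Status          = $status
    }

    if (-not $ok -and $Fix) {
        # Override at port-group level only, so the vSwitch default stays Reject.
        Set-SecurityPolicy -VirtualPortGroupPolicy $policy -ForgedTransmits $true -MacChanges $true | Out-Null
    }
}

# Verify the parent vSwitch(es) still reject forged transmits and MAC changes;
# otherwise every VM on the switch could send frames with a spoofed source MAC.
foreach ($swName in $parentSwitch.Keys) {
    $sw       = Get-VirtualSwitch -VMHost $vmHost -Name $swName
    $swPolicy = Get-SecurityPolicy -VirtualSwitch $sw
    if ($swPolicy.ForgedTransmits -or $swPolicy.MacChanges) {
        Write-Warning "vSwitch $swName accepts forged transmits or MAC changes for ALL port groups; scope the exception to the bump port groups instead."
    }
}
```

Run it without -Fix first to see the current policy, and use -Fix only after confirming the two port groups are dedicated to the firewall's bump interfaces: accepting forged transmits on a port group shared with other VMs lets any of them transmit with an arbitrary source MAC. On a vSphere Distributed Switch the equivalent cmdlets are Get-VDSecurityPolicy and Set-VDSecurityPolicy, applied to the distributed port group.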

Additional Information

For information on the Forged Transmits and MAC Address Changes security policies, see: