The document discusses deploying Palo Alto VM-Series firewalls. It describes redirecting traffic between security groups to the VM-Series firewalls for inspection. Rules are centrally managed on Panorama and applied by the VM-Series firewalls to enforce security policy. The VM-Series firewall can be deployed before a load balancer to process and secure traffic before it reaches the LB. Deploying the VM-Series firewall using virtual wire or L3 interfaces is suggested, depending on specific needs. Configuration of the VM-Series firewall is referenced on the author's blog.

1. Traffic Between Security groups redirect Palo Alto Fws ServicesTraffic Between Security groups redirect Palo Alto Fws Services
PA VM series FW
VMVMVMVM VMVM VMVM
VMVM VMVM
APPLICATION DATABASEWEB FRONT END
Domain CTRL
Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or
traffic to an internal domain controller, does not need to be redirected to the VM-Series firewall and can be
sent to the virtual switch for onward processing.
Rules centrally managed on Panorama and applied by the VM-Series firewall
The next- generation firewall rules are applied by the VM-Series firewall.These rules are centrally defined
and managed on PA Mgmt Sytem using templates and device groups and the VM-Series firewalls.
The VM-Series firewall then enforces security policy by matching on source or destinatio IP address the
use of Dynamic Address Groups allows the firewall to populate the members of the groups in real
Time and forwards the traffic to the filters on the VM Firewall.
Please keep in Mind if you want deploy Palo Alto VM SeriesPlease keep in Mind if you want deploy Palo Alto VM Series
Fw than you should to refer my Blog.Fw than you should to refer my Blog.
http://ajeets1.blogspot.in/2015/10/a-palo-alto-networks-http://ajeets1.blogspot.in/2015/10/a-palo-alto-networks-
firewall-vm.htmlfirewall-vm.html

2. Deploy the VM-Series Firewall Before LBDeploy the VM-Series Firewall Before LB
VM-Series firewall to process and secure traffic before it reaches the LB.in the below the VM-Series firewall is deployed
with virtual wire interfaces, and the client connection requests are destined to the VIP on the LB. Please keep in mind
that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs
Below Desgine is without VM Series FirewallBelow Desgine is without VM Series Firewall
Remote Office Remote User
BAREMETEL
LB
Router
L3 Switch
Vip 10.10.1.20
Snip 10.10.2.10
10.10.2.0/24
Please keep in Mind if you want deploy Palo Alto VM SeriesPlease keep in Mind if you want deploy Palo Alto VM Series
Fw than you should to refer my Blog.Fw than you should to refer my Blog.
http://ajeets1.blogspot.in/2015/10/a-palo-alto-networks-http://ajeets1.blogspot.in/2015/10/a-palo-alto-networks-
firewall-vm.htmlfirewall-vm.html

3. Remote Office Remote User
BAREMETEL
LB
Router
L3 Switch
Vip 10.10.1.20
Snip 10.10.2.10
VM Series FW
Desgine after adding VM series FirewallDesgine after adding VM series Firewall
The basic configuration tasks you must perform on the VM-The basic configuration tasks you must perform on the VM-
Series firewall like PA. For firewall configuration instructionsSeries firewall like PA. For firewall configuration instructions
refer to the My existing Config documentation which i uploadedrefer to the My existing Config documentation which i uploaded
on my Blogon my Blog
http://ajeets1.blogspot.in/2015/10/a-palo-alto-networks-firewall-http://ajeets1.blogspot.in/2015/10/a-palo-alto-networks-firewall-
vm.htmlvm.html