| Where Can I Use This? | What Do I Need? |
|---|---|
| | VM-Series 10.x or above |
| | Panorama running PAN-OS 10.1.x or above |
| | Customer Support Portal (CSP) account with one of the following user roles: Superuser, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Superuser, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, or ASC Full Service User |
| | Superuser access to the VM-Series firewall |
By default, the VM-Series firewall uses the MAC address that the host/hypervisor assigns to the physical interface when you deploy a VM-Series firewall with Layer 3 interfaces. The firewall can then use the hypervisor assigned MAC address in its ARP responses. This allows non-learning switches, such as the VMware vSwitch, to forward traffic to the dataplane interface on the firewall without requiring promiscuous mode on the vSwitch. If neither promiscuous mode nor the use of the hypervisor assigned MAC address is enabled, the host drops the frame when it detects a mismatch between the destination MAC address for an interface and the host-assigned MAC address.
There is no option to enable or disable the use of hypervisor assigned MAC addresses on AWS and Azure. It is enabled by default on both platforms and cannot be disabled.
If you are deploying the VM-Series firewall in Layer 2, virtual wire, or tap interface modes, you must enable promiscuous mode on the virtual switch to which the firewall is connected. The use of the hypervisor assigned MAC address is only relevant for Layer 3 deployments, where the firewall is typically the default gateway for the guest virtual machines.
When hypervisor assigned MAC address functionality is enabled on the VM-Series firewall, make note of the following requirements:
- IPv6 Address on an Interface—In an active/passive HA configuration (see About the VM-Series firewall), Layer 3 interfaces using IPv6 addresses must not use the EUI-64 generated address as the interface identifier (Interface ID). Because EUI-64 derives the interface identifier from the 48-bit MAC address of the interface, the IPv6 address is not static: when the hardware hosting the VM-Series firewall changes on failover, the HA peer's MAC address changes and so does its IPv6 address, which leads to an HA failure.
- Lease on an IP Address—When the MAC address changes, DHCP client, DHCP relay, and PPPoE interfaces might release the IP address because the original IP address lease could terminate.
- MAC Address and Gratuitous ARP—VM-Series firewalls with hypervisor assigned MAC addresses in a high-availability configuration behave differently from the hardware appliances with respect to MAC addressing. Hardware firewalls use self-generated floating MAC addresses between the devices in an HA pair: the unique MAC address of each dataplane interface (for example, ethernet1/1) is replaced with a virtual MAC address that is common to the corresponding dataplane interface on both HA peers. When you enable the use of the hypervisor assigned MAC address on the VM-Series firewall in HA, the virtual MAC address is not used; the MAC address of the dataplane interface on each HA peer is unique and is the one specified by the hypervisor. Because each dataplane interface has a unique MAC address, when a failover occurs the newly active VM-Series firewall must send a gratuitous ARP so that neighboring devices can learn the updated MAC/IP address pairing. For a stateful failover to succeed, the networking devices must therefore not block or ignore gratuitous ARPs; disable the anti-ARP poisoning feature on the internetworking devices if required.
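To see why the EUI-64 requirement above matters, the following added Python example (not Palo Alto Networks code) derives the IPv6 address an interface would autoconfigure from its hypervisor-assigned MAC and shows that the address changes when the HA peer's MAC changes, whereas a statically configured interface identifier keeps the address stable. The prefix and the two MAC addresses are constructed sample values.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A):
    insert 0xFFFE between the OUI and the device part, then invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit is flipped in the modified EUI-64 format
    return bytes(iid)


def interface_address(prefix: str, mac: str, static_iid: Optional[int] = None) -> str:
    """Address formed from a /64 prefix and either the EUI-64 ID derived from `mac`
    (static_iid is None) or a manually configured 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("a 64-bit interface identifier needs a /64 prefix")
    if static_iid is None:
        iid = int.from_bytes(eui64_interface_id(mac), "big")
    elif 0 <= static_iid < (1 << 64):
        iid = static_iid
    else:
        raise ValueError("interface identifier must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def address_survives_failover(prefix: str, mac_before: str, mac_after: str,
                              static_iid: Optional[int] = None) -> bool:
    """True if the interface keeps the same IPv6 address after its MAC changes,
    which is what happens on failover when each HA peer keeps its hypervisor-assigned MAC."""
    return (interface_address(prefix, mac_before, static_iid)
            == interface_address(prefix, mac_after, static_iid))


if __name__ == "__main__":
    # Constructed sample values: a documentation prefix and one MAC per HA peer.
    PREFIX = "2001:db8:10:1::/64"
    ACTIVE_MAC, PASSIVE_MAC = "00:50:56:8a:01:01", "00:50:56:8a:02:02"
    for label, iid in (("EUI-64 interface ID", None), ("static interface ID ::1", 1)):
        before = interface_address(PREFIX, ACTIVE_MAC, iid)
        after = interface_address(PREFIX, PASSIVE_MAC, iid)
        stable = address_survives_failover(PREFIX, ACTIVE_MAC, PASSIVE_MAC, iid)
        print(f"{label}: {before} -> {after} ({'stable' if stable else 'CHANGES: HA failure'})")
```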
Perform the following steps to configure the VM-Series firewall to use the interface MAC addresses provided by the host/hypervisor.