Why is the VM-Series firewall not receiving any network traffic?
On the VM-Series firewall, check the traffic logs.
If the logs are empty, use the following CLI command to view the
packets on the interfaces of the VM-Series firewall:

show counter global filter delta yes

Global counters:
Elapsed time since last sampling: 594.544 seconds
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------

A total of 0 means that no counter has incremented since the last sample, so no packets are reaching the firewall's dataplane interfaces.
In the vSphere environment, check for the following issues:

Check the port groups and confirm that the firewall and the virtual
machine(s) are on the correct port group. Make sure that the interfaces
are mapped correctly:

Network adapter 1 = management
Network adapter 2 = Ethernet1/1
Network adapter 3 = Ethernet1/2

For each virtual machine, check the settings to verify that the
interface is mapped to the correct port group.
Verify that promiscuous mode is enabled either for each port group or
for the entire switch, or that you have configured the firewall to use
Hypervisor Assigned MAC Addresses. Since the PAN-OS dataplane MAC
addresses are different from the vNIC MAC addresses assigned by vSphere,
the port group (or the entire vSwitch) must be in promiscuous mode if the
firewall is not enabled to use the hypervisor assigned MAC address.
Check the VLAN settings on vSphere. The VLAN setting for the vSphere
port group serves two purposes: it determines which port groups share a
layer 2 domain, and it determines whether the uplink ports are tagged
(802.1Q).

Check the physical switch port settings. If a VLAN ID is specified on a
port group with uplink ports, then vSphere uses 802.1Q to tag outbound
frames. The tag must match the configuration on the physical switch or
the traffic does not pass.

Check the port statistics if using virtual distributed switches (vDS);
standard switches do not provide any port statistics.
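The vSphere checks above (adapter mapping, port group membership, promiscuous mode versus hypervisor-assigned MACs, and VLAN tagging against the physical switch) can be expressed as one audit function. The following is an added example written for this page; it is not Palo Alto Networks or VMware code, and the `PortGroup`/`VSwitch`/`Vm` data model and the sample environment are constructed stand-ins for what you would read out of vCenter.

```python
from dataclasses import dataclass

# Adapter order the page gives for the VM-Series firewall.
EXPECTED_ADAPTERS = {1: "management", 2: "ethernet1/1", 3: "ethernet1/2"}


@dataclass
class PortGroup:
    name: str
    vlan_id: int          # 0 means uplink frames are not 802.1Q tagged
    promiscuous: bool     # "Promiscuous mode: Accept" on this port group


@dataclass
class VSwitch:
    name: str
    promiscuous: bool                 # switch-level security policy
    port_groups: dict                 # name -> PortGroup
    physical_trunk_vlans: frozenset   # VLAN IDs allowed on the uplink's physical switch port


@dataclass
class Vm:
    name: str
    adapters: dict                    # adapter number -> port group name


def audit(fw: Vm, use_hypervisor_mac: bool, vms: list, sw: VSwitch) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []

    # Check 1: interface mapping (adapter 1 = mgmt, 2 = eth1/1, 3 = eth1/2).
    for n, role in EXPECTED_ADAPTERS.items():
        if n not in fw.adapters:
            findings.append(f"{fw.name}: network adapter {n} ({role}) is not attached")

    # Check 2: every adapter on the firewall and protected VMs points at a real port group.
    for vm in [fw, *vms]:
        for n, pg_name in vm.adapters.items():
            if pg_name not in sw.port_groups:
                findings.append(f"{vm.name}: adapter {n} references unknown port group {pg_name!r}")

    dataplane_pgs = [sw.port_groups[fw.adapters[n]]
                     for n in (2, 3)
                     if n in fw.adapters and fw.adapters[n] in sw.port_groups]

    # Check 3: protected VMs must share a layer 2 domain (same VLAN ID on the same
    # vSwitch) with one of the firewall's dataplane port groups.
    dataplane_vlans = {pg.vlan_id for pg in dataplane_pgs}
    for vm in vms:
        for n, pg_name in vm.adapters.items():
            pg = sw.port_groups.get(pg_name)
            if pg is not None and pg.vlan_id not in dataplane_vlans:
                findings.append(f"{vm.name}: adapter {n} on {pg_name} (VLAN {pg.vlan_id}) "
                                f"is not in a layer 2 domain the firewall sees")

    # Check 4: PAN-OS dataplane MACs differ from the vSphere vNIC MACs, so unless the
    # firewall uses hypervisor-assigned MACs, the port group or vSwitch must be promiscuous.
    if not use_hypervisor_mac:
        for pg in dataplane_pgs:
            if not (pg.promiscuous or sw.promiscuous):
                findings.append(f"{pg.name}: promiscuous mode is rejected and the firewall "
                                f"does not use hypervisor-assigned MAC addresses")

    # Check 5: a VLAN ID on a port group makes vSphere tag uplink frames; the physical
    # switch port must carry that VLAN or the traffic is dropped.
    for pg in sw.port_groups.values():
        if pg.vlan_id and pg.vlan_id not in sw.physical_trunk_vlans:
            findings.append(f"{pg.name}: VLAN {pg.vlan_id} is tagged on uplinks but not "
                            f"allowed on the physical switch port")
    return findings


def sample_environment():
    """Constructed environment in which two of the checks above fail."""
    sw = VSwitch(
        name="vSwitch1",
        promiscuous=False,
        port_groups={
            "mgmt":    PortGroup("mgmt",    vlan_id=10,  promiscuous=False),
            "untrust": PortGroup("untrust", vlan_id=100, promiscuous=True),
            "trust":   PortGroup("trust",   vlan_id=200, promiscuous=False),
        },
        physical_trunk_vlans=frozenset({10, 100}),   # VLAN 200 is not trunked upstream
    )
    fw = Vm("vm-series", {1: "mgmt", 2: "untrust", 3: "trust"})
    web = Vm("web01", {1: "trust"})
    return fw, [web], sw


if __name__ == "__main__":
    fw, vms, sw = sample_environment()
    for line in audit(fw, use_hypervisor_mac=False, vms=vms, sw=sw):
        print(line)
```

Run against the sample, the audit reports that the trust port group is neither promiscuous nor covered by hypervisor-assigned MACs, and that its VLAN 200 is tagged on the uplinks but not allowed on the physical switch port; enabling the hypervisor-assigned MAC option clears the first finding and leaves the physical-switch mismatch, which is exactly the split the page describes between the vSphere side and the physical side.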