Palo Alto Networks Knowledgebase: How to Configure Interfaces for VM-Series to Work in L3 without Promiscuous Mode
Created On 09/26/18 19:10 PM - Last Updated 02/07/19 23:38 PM
Prior to PAN-OS 7.0, VM-Series firewalls could not configure their logical interfaces to use hypervisor-assigned MAC addresses. As a result, these firewalls required you either (A) to enable promiscuous mode on the vSwitch port group or (B) to manually configure the hypervisor to use the MAC address(es) of the firewall. VM-Series firewalls running 7.0 and later do not have this limitation and can detect and use the MAC address assigned by the hypervisor. In 7.0 and later, using the hypervisor-assigned MAC address is the default behavior, but it can be disabled under Device > Setup > Management > General Settings.
The following steps describe how to modify the VM network configuration to use the native MAC address of the firewall. For firewalls running PAN-OS versions prior to 7.0, this lets you connect the firewall to your virtual infrastructure without enabling promiscuous mode on the vSwitch port group to which the firewall is connected.
The following screenshot is an example of the VM properties (in VMware, right-click the virtual machine and choose Edit Settings).
The sys.s1.p3.hwaddr value (00:50:56:a3:3c:37) shown in the screenshot below is the hypervisor-assigned MAC address of the VM network adapter from the previous screenshot. Note the MAC address that the firewall itself uses for ethernet1/3: 12:ab:11:04:ac:12.
Shut down the VM, switch the network adapter for ethernet1/3 from automatic to manual MAC address, and enter the firewall's MAC address (in this case 12:ab:11:04:ac:12):
Power on the VM and verify the changes:
Repeat for all interfaces that are required to work without promiscuous mode. Please note this only applies to L3 interfaces.
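As an added illustration, not part of the Palo Alto Networks article, the following Python helper shows the bookkeeping a practitioner would want before repeating the procedure across several adapters: it reads hwaddr lines in the style of the sys.s1.p3.hwaddr value above, pairs each one with the firewall's own interface MAC, checks that every target MAC is a valid unicast address and that no two adapters are given the same one, and renders the equivalent static .vmx settings (the standard `ethernetN.addressType`/`ethernetN.address` keys) as an alternative to editing each adapter in the vSphere client. The sample inputs are constructed (only the ethernet1/3 values come from the page); the "key: value" line format, the assumption that sys.s<S>.p<P> maps to ethernet<S>/<P>, and the assumption that the first VM adapter is management (so data port P is VMX index P) are the author's, not verified PAN-OS or VMware behaviour.

```python
import re

# Constructed sample input, modelled on the page's sys.s1.p3.hwaddr value.
# The "key: value" line layout is an assumption, not verified PAN-OS output.
HYPERVISOR_HWADDR = """\
sys.s1.p1.hwaddr: 00:50:56:a3:3c:35
sys.s1.p2.hwaddr: 00:50:56:a3:3c:36
sys.s1.p3.hwaddr: 00:50:56:a3:3c:37
"""

# Constructed sample: the MAC the firewall itself uses on each L3 interface
# (ethernet1/3 is the page's value; the other two are made up).
FIREWALL_MACS = {
    "ethernet1/1": "12:ab:11:04:ac:10",
    "ethernet1/2": "12:ab:11:04:ac:11",
    "ethernet1/3": "12:ab:11:04:ac:12",
}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
HWADDR_RE = re.compile(r"^sys\.s(\d+)\.p(\d+)\.hwaddr:\s*([0-9A-Fa-f:]{17})\s*$")


def parse_hwaddr(text):
    """Map 'ethernet<slot>/<port>' to the hypervisor-assigned MAC.

    Assumes sys.s<S>.p<P>.hwaddr corresponds to ethernet<S>/<P>, as the page
    shows for sys.s1.p3 and ethernet1/3.
    """
    result = {}
    for line in text.splitlines():
        m = HWADDR_RE.match(line.strip())
        if m:
            slot, port, mac = m.groups()
            result[f"ethernet{slot}/{port}"] = mac.lower()
    return result


def validate_mac(mac):
    """Return the reasons a MAC cannot be used as a static adapter address."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return ["not a colon-separated 48-bit MAC"]
    problems = []
    if int(mac[:2], 16) & 0x01:       # I/G bit set -> multicast, never a NIC address
        problems.append("multicast bit set; a NIC address must be unicast")
    if mac == "00:00:00:00:00:00":
        problems.append("all-zero address")
    return problems


def plan_static_macs(hypervisor, firewall, mgmt_adapters=1):
    """Build the per-adapter change list: which VM adapter to switch to a
    manual MAC and which value to enter.

    mgmt_adapters is an assumption about VM layout: the first adapter(s) are
    management, so data port P lives at VMX index P - 1 + mgmt_adapters.
    """
    plan, seen = [], {}
    ordered = sorted(firewall.items(),
                     key=lambda kv: tuple(int(x) for x in re.findall(r"\d+", kv[0])))
    for iface, target in ordered:
        if iface not in hypervisor:
            raise KeyError(f"{iface} has no hypervisor hwaddr entry")
        target = target.lower()
        problems = validate_mac(target)
        if problems:
            raise ValueError(f"{iface}: {target}: {'; '.join(problems)}")
        if target in seen:
            raise ValueError(f"{iface} and {seen[target]} share MAC {target}")
        seen[target] = iface
        port = int(iface.split("/")[1])
        plan.append({
            "interface": iface,
            "vmx_index": port - 1 + mgmt_adapters,
            "current": hypervisor[iface],
            "target": target,
            "changed": hypervisor[iface] != target,
        })
    return plan


def to_vmx(plan):
    """Render the equivalent .vmx lines (static addressType plus address)
    for every adapter whose MAC actually changes."""
    lines = []
    for entry in plan:
        if entry["changed"]:
            i = entry["vmx_index"]
            lines.append(f'ethernet{i}.addressType = "static"')
            lines.append(f'ethernet{i}.address = "{entry["target"]}"')
    return lines


if __name__ == "__main__":
    plan = plan_static_macs(parse_hwaddr(HYPERVISOR_HWADDR), FIREWALL_MACS)
    for e in plan:
        print(f"{e['interface']}: adapter ethernet{e['vmx_index']} "
              f"{e['current']} -> {e['target']}")
    print("\n".join(to_vmx(plan)))
```

Run with the constructed inputs, the plan lists ethernet1/1 through ethernet1/3 against VMX adapters ethernet1 through ethernet3 and emits a static address pair for each. Feed it the real `show system state` output and `show interface` MACs from your firewall, and it refuses to produce a plan if a target MAC is multicast or is reused across adapters, which is the mistake that otherwise surfaces only as a silent loss of traffic after the VM is powered back on.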