Deployment Flashcards
Where can the VM-Series be deployed? (8)
- VMware vSphere Hypervisor (ESXi)
- VMware vCloud Air
- VMware NSX-T
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Microsoft Azure
- Kernel-based Virtual Machine (KVM)
- Microsoft Hyper-V
What must two VM-Series firewalls have in common to be able to form an HA pair? (3)
- be deployed on the same type of hypervisor
- have identical hardware resources (such as CPU cores and network interfaces) assigned to them
- have the same set of licenses/subscriptions
Where can the VM-Series firewall be deployed in an active/active HA configuration?
- in virtual wire and Layer 3 deployments, on some private cloud hypervisors only
- recommended only if each firewall needs its own routing instances and you require full, real-time redundancy from both firewalls at all times
Do any of the public cloud providers support active/active HA?
no; active/active is limited to the private cloud hypervisors noted above
Why does the VM-Series firewall on NSX-V not support any of the PAN-OS HA features?
because on NSX, high availability of the firewall service is provided by the NSX platform's own Service Health Check feature instead of PAN-OS HA
What are PAN-OS XFR releases?
PAN-OS releases built for VM-Series firewalls only; they can include new features and bug fixes specific to the VM-Series firewalls
What MAC addresses does the VM-Series firewall use by default on the Layer 3 interfaces it creates?
- the MAC addresses assigned by the hypervisor
- the firewall can then use the hypervisor-assigned MAC address in its ARP responses
Can the use of hypervisor-assigned MAC addresses be enabled or disabled on AWS and Azure?
no; on both platforms it is enabled by default and cannot be disabled
If hypervisor-assigned MAC address functionality is enabled on the VM-Series firewall, what needs to be considered for IPv6 addresses on an interface in an active/passive HA configuration?
Layer 3 interfaces using IPv6 addresses must not use the EUI-64 generated address as the interface identifier (Interface ID). An EUI-64 Interface ID is derived from the MAC address, so the IPv6 address is not static: on failover the hardware hosting the VM-Series firewall changes, the hypervisor-assigned MAC changes with it, the HA peer's IPv6 address changes, and HA fails. Use a static Interface ID instead.
If hypervisor-assigned MAC address functionality is enabled on the VM-Series firewall, what needs to be considered for the lease on an IP address when the MAC address changes?
DHCP client, DHCP relay and PPPoE interfaces might release their IP address when the MAC address changes, because the original IP address lease could be terminated
If hypervisor-assigned MAC address functionality is enabled on the VM-Series firewall, what needs to be considered for MAC addresses and gratuitous ARP in HA?
because each dataplane interface has a unique MAC address, the newly active VM-Series firewall must send a gratuitous ARP after a failover so that neighbouring devices learn the updated MAC/IP address pairing; if required, disable anti-ARP-poisoning features on the internetworking devices so that the gratuitous ARP is not dropped
When deployed in a public cloud, the firewall natively publishes metrics to the monitoring system of the respective cloud. What are the monitoring systems in AWS, Azure and GCP?
- AWS = CloudWatch
- Azure = Application Insights
- GCP = Stackdriver (since renamed Google Cloud Monitoring)
Why does the firewall natively publish certain metrics to the cloud monitoring systems in public clouds?
to let you assess firewall performance and usage patterns, so that you can set alarms on the metrics and take action to automate events such as launching or terminating VM-Series firewall instances
How is the set of metrics that the firewall can publish to the public cloud delivered to the firewall?
through content updates
What are some of the metrics published by the firewall?
- Dataplane CPU Utilization (%)
- panSessionConnectionsPerSecond
- Sessions Active
- panSessionThroughputKbps
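The following is an added example (not from the original flashcards and not Palo Alto or AWS code) of what "set alarms and take action" looks like once the metrics above land in a monitoring system: it emulates CloudWatch-style "M out of N datapoints" alarm evaluation over the flashcards' Dataplane CPU Utilization and panSessionActive metrics and turns the alarm states into a scale-out / scale-in / hold decision. The metric samples, thresholds and evaluation windows are constructed for the demonstration; the evaluation rule is modelled on CloudWatch's EvaluationPeriods / DatapointsToAlarm semantics and ignores missing-data handling.

```python
"""Added example: alarm evaluation and a scaling decision over VM-Series metrics.

Each metric is a list of period averages, oldest first, as a monitoring system
would return them. Thresholds and windows below are constructed demo values.
"""
from typing import Dict, List, Optional

ALARM, OK, INSUFFICIENT_DATA = "ALARM", "OK", "INSUFFICIENT_DATA"


def breaches(value: float, threshold: float, comparison: str) -> bool:
    """True when a single datapoint violates the threshold."""
    ops = {
        ">=": value >= threshold,
        ">": value > threshold,
        "<=": value <= threshold,
        "<": value < threshold,
    }
    return ops[comparison]


def alarm_state(values: List[float], threshold: float, comparison: str,
                evaluation_periods: int,
                datapoints_to_alarm: Optional[int] = None) -> str:
    """Emulate "M out of N" alarm evaluation over the newest N datapoints.

    Modelled on CloudWatch's EvaluationPeriods (N) and DatapointsToAlarm (M);
    missing-data treatment is simplified to INSUFFICIENT_DATA.
    """
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    window = values[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return INSUFFICIENT_DATA
    breached = sum(1 for v in window if breaches(v, threshold, comparison))
    return ALARM if breached >= datapoints_to_alarm else OK


# Constructed scaling policy: scale out quickly, scale in slowly (hysteresis
# so the pair of alarms cannot launch and terminate firewalls in a loop).
POLICY = {
    "cpu_high": 80.0,         # Dataplane CPU Utilization (%), 2 of 3 periods
    "sessions_high": 30000,   # panSessionActive, 2 of 3 periods
    "cpu_low": 30.0,          # all of 6 periods below -> candidate for scale-in
    "sessions_low": 5000,
}


def scaling_decision(metrics: Dict[str, List[float]], policy: Dict[str, float]) -> str:
    """Return 'scale_out', 'scale_in' or 'hold' from the two metric series."""
    cpu = metrics["Dataplane CPU Utilization (%)"]
    sessions = metrics["panSessionActive"]
    cpu_high = alarm_state(cpu, policy["cpu_high"], ">=", 3, 2)
    sess_high = alarm_state(sessions, policy["sessions_high"], ">=", 3, 2)
    cpu_low = alarm_state(cpu, policy["cpu_low"], "<", 6)
    sess_low = alarm_state(sessions, policy["sessions_low"], "<", 6)
    if ALARM in (cpu_high, sess_high):
        return "scale_out"          # either resource saturating: add a firewall
    if cpu_low == ALARM and sess_low == ALARM:
        return "scale_in"           # both comfortably idle for the whole window
    return "hold"


# Constructed sample series (5-minute period averages, oldest first).
BUSY = {
    "Dataplane CPU Utilization (%)": [35, 42, 78, 85, 91],
    "panSessionActive": [12000, 15000, 21000, 25000, 26000],
}
QUIET = {
    "Dataplane CPU Utilization (%)": [20, 18, 22, 19, 21, 17],
    "panSessionActive": [1000, 1200, 900, 1100, 1000, 950],
}
STEADY = {
    "Dataplane CPU Utilization (%)": [50, 52, 49, 51, 50, 53],
    "panSessionActive": [10000, 10500, 9800, 10200, 10100, 10300],
}

if __name__ == "__main__":
    for name, series in (("busy", BUSY), ("quiet", QUIET), ("steady", STEADY)):
        print(f"{name}: {scaling_decision(series, POLICY)}")
```

The asymmetric windows are the point worth copying: a scale-out alarm that fires on 2 of 3 periods reacts to a real surge within minutes, while scale-in requires every one of the last 6 periods to be low on both metrics, which keeps a short lull from terminating a firewall that is about to be needed again.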