Table of Contents
Advertisement
Troubleshoot ESXi Deployments
Connectivity Issues
Why is the VM-Series firewall not receiving any network traffic?
On the VM-Series firewall. check the traffic logs (
command to view the packets on the interfaces of the VM-Series firewall:
show counter global filter delta yes
Global counters:
Elapsed time since last sampling: 594.544 seconds
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
In the vSphere environment, check for the following issues:
Check the port groups and confirm that the firewall and the virtual machine(s) are on the correct port group
Make sure that the interfaces are mapped correctly.
Network adapter 1 = management
Network adapter 2= Ethernet1/1
Network adapter 3 = Ethernet1/2
For each virtual machine, check the settings to verify the interface is mapped to the correct port group.
Verify that promiscuous mode is enabled for each port group or for the entire switch.
Since the dataplane PAN-OS MAC addresses are different than the VMNIC MAC addresses assigned by
vSphere, the port group (or the entire vSwitch) must be in promiscuous mode:
Check the VLAN settings on vSphere.
The use of the VLAN setting for the vSphere port group serves two purposes: It determines which port groups
share a layer 2 domain, and it determines whether the uplink ports are tagged (802.1Q).
Check the physical switch port settings
If a VLAN ID is specified on a port group with uplink ports, then vSphere will use 802.1Q to tag outbound
frames. The tag must match the configuration on the physical switch or the traffic will not pass.
Check the port statistics if using virtual distributed switches (vDS); Standard switches do not provide any
port statistics
20
Set Up a VM-Series Firewall on an ESXi Server
). If the logs are empty, use the following CLI
Monitor > Logs
VM-Series
Deployment
Guide
Hide quick links:
Advertisement
Table of Contents
