Why is the VM-Series firewall not receiving any network traffic?
On the VM-Series firewall, check the traffic logs (Monitor > Logs). If the logs are empty, use the following CLI command to view the packet counters on the VM-Series firewall. The output below shows the failure case: "Total counters shown: 0" means that no counter has incremented since the previous sample, so the dataplane is not seeing any packets at all.

    show counter global filter delta yes

    Global counters:
    Elapsed time since last sampling: 594.544 seconds
    --------------------------------------------------------------------------------
    Total counters shown: 0
    --------------------------------------------------------------------------------
In the vSphere environment, check for the following issues:
  • Check the port groups and confirm that the firewall and the virtual machine(s) are on the correct port group.
    Make sure that the interfaces are mapped correctly:
    Network adapter 1 = management
    Network adapter 2 = Ethernet1/1
    Network adapter 3 = Ethernet1/2
    For each virtual machine, check the settings to verify that the interface is mapped to the correct port group.
  • Verify either that promiscuous mode is enabled (for each port group, or for the entire vSwitch) or that you have configured the firewall to use hypervisor assigned MAC addresses.
    Because the PAN-OS dataplane MAC addresses differ from the vNIC MAC addresses assigned by vSphere, the port group (or the entire vSwitch) must be in promiscuous mode unless the firewall is configured to use the hypervisor assigned MAC addresses; without promiscuous mode the vSwitch only delivers frames addressed to the vNIC's own MAC address.
  • Check the VLAN settings on vSphere.
    The VLAN setting for a vSphere port group serves two purposes: it determines which port groups share a layer 2 domain, and it determines whether the uplink ports are tagged (802.1Q).
  • Check the physical switch port settings.
    If a VLAN ID is specified on a port group with uplink ports, vSphere uses 802.1Q to tag outbound frames. The tag must match the configuration on the physical switch or the traffic does not pass.
    Check the port statistics if you are using virtual distributed switches (vDS); standard switches do not provide port statistics.
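The vSphere checks above can be scripted with VMware PowerCLI. This is an added example, not from the PAN-OS documentation; it assumes the vCenter name 'vcenter.example.com', a VM-Series VM named 'pa-vm-01', and standard vSwitch port groups, and it reports each adapter's mapping, effective promiscuous setting and VLAN tag.

```powershell
# Assumed names: vCenter 'vcenter.example.com', VM-Series VM 'pa-vm-01' (not from the page).
param(
    [string]$VIServer = 'vcenter.example.com',      # assumption
    [string]$VMName   = 'pa-vm-01',                 # assumption
    [switch]$UsesHypervisorAssignedMac              # pass if the firewall is configured for it
)

Connect-VIServer -Server $VIServer | Out-Null
$vm = Get-VM -Name $VMName
# Adapter-to-interface mapping expected by the checklist (adapter 1 = management).
$expected = @{
    'Network adapter 1' = 'management'
    'Network adapter 2' = 'ethernet1/1'
    'Network adapter 3' = 'ethernet1/2'
}

foreach ($nic in (Get-NetworkAdapter -VM $vm | Sort-Object Name)) {
    $role = if ($expected.ContainsKey($nic.Name)) { $expected[$nic.Name] } else { 'unexpected adapter' }
    $pg   = Get-VirtualPortGroup -VM $vm -Name $nic.NetworkName
    $sec  = Get-SecurityPolicy -VirtualPortGroup $pg
    # Effective promiscuous setting: a standard port group may inherit it from the vSwitch.
    $promisc = $sec.AllowPromiscuous
    if ($sec.AllowPromiscuousInherited -and $pg.VirtualSwitch) {
        $promisc = (Get-SecurityPolicy -VirtualSwitch $pg.VirtualSwitch).AllowPromiscuous
    }
    $findings = @()
    # Dataplane vNICs carry PAN-OS MACs that differ from the vSphere-assigned vNIC MAC,
    # so without hypervisor assigned MACs the port group (or vSwitch) must be promiscuous.
    if ($role -ne 'management' -and -not $UsesHypervisorAssignedMac -and -not $promisc) {
        $findings += 'promiscuous mode disabled on port group and vSwitch'
    }
    # A VLAN ID on the port group means uplink frames are 802.1Q tagged; the physical
    # switch port must allow that tag (verified on the switch, not in vSphere).
    if ($pg.VLanId -gt 0) {
        $findings += "uplink frames tagged VLAN $($pg.VLanId); confirm physical switch port allows it"
    }

    [pscustomobject]@{
        Adapter   = $nic.Name
        Role      = $role
        MAC       = $nic.MacAddress
        PortGroup = $nic.NetworkName
        VLAN      = $pg.VLanId
        Promisc   = $promisc
        Findings  = ($findings -join '; ')
    }
}
```

Run it once per VM-Series instance and compare the Promisc and VLAN columns with the firewall's interface configuration; an empty Findings column for every dataplane adapter means the vSphere side of the checklist is clean.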