Palo Firewall Summary


Palo Alto Firewall Configuration Summary

  • Device: Palo Alto VM-Series (jarnetfw)
  • Location: ESXi ghost-esxi-01 (10.1.1.120)
  • Management IP: 10.1.1.103
  • Config File: current_2026.xml
  • PAN-OS Version: 11.2.0

Interfaces

Layer 3 Interfaces

ethernet1/1 (Inside - Primary LAN)

  • IP Address: 10.1.1.1/24
  • Security Zone: inside
  • Management Profile: Interface-MGMT
  • DHCP Server: Enabled
  • Role: Internal network gateway

ethernet1/2 (VPN/WAN)

  • IP Address: 172.16.101.1/24
  • VPN Tunnel: tunnel.101
  • Peer: 130.41.228.218
  • Role: Site-to-site VPN or WAN link

ethernet1/3

  • IP Address: 172.16.101.1/24 (as recorded; this is the same address listed for ethernet1/2, and two layer-3 interfaces in one virtual router cannot share an address, so one of the two entries is wrong and should be checked against current_2026.xml)
  • Security Zone: (to be determined)
  • Role: Additional WAN/VPN interface

vlan.1 (VLAN Interface)

  • Security Zone: inside
  • Virtual Interface: Associated with DHCP_VLAN
  • Role: Internal VLAN routing

Security Zones

inside

  • Members: ethernet1/1, vlan.1
  • Functions:
    • User identification: Enabled
    • Device identification: Enabled
    • Log setting: default
  • Purpose: Internal trusted network

outside

  • Members: not identified in this summary (see Questions to Resolve)
  • Purpose: External untrusted network
  • NAT: Source NAT applied for outbound traffic

DNS Configuration

  • Primary DNS: 10.1.1.35 (Pi-hole VM)
  • DNS Suffix: skinner.network
  • Domain: skinner.network

DHCP Server

  • Interface: ethernet1/1 (10.1.1.1/24)
  • Server Mode: Enabled

DNS Settings:

  • Primary DNS: 10.1.1.35 (Pi-hole)
  • DNS Suffix: skinner.network

Pool Configuration:

  • Network: 10.1.1.0/24 (lease range start/end not recorded here; see Questions to Resolve)
  • Gateway: 10.1.1.1 (Palo Alto)
  • DNS: 10.1.1.35 (Pi-hole)

Routing

Virtual Router: default

Static Routes:

  • DHCP_Route:
    • Destination: 172.16.100.0/24
    • Next-Hop: virtual router DHCP_VR (a next-VR route: traffic for 172.16.100.0/24 is handed to that router's table rather than to an IP next hop)
    • Interface: ethernet1/1
    • Metric: 10

Default Route:

  • Next-hop: not confirmed in this summary; exits via the outside zone, either learned by DHCP or set statically toward the ISP

NAT Rules

No-NAT Rules (Exemptions)

  1. GP-No-NAT

    • From: inside
    • To: outside
    • Destination: H-ABB-Static (specific host)
    • Service: GP-9443
    • Action: No NAT (forwarded with its original source address)
  2. GP-LB-No-Nat

    • From: inside
    • To: outside
    • Action: No NAT

Source NAT

  • Default rule: inside → outside, source NAT to the Palo Alto outside interface address ("hide" NAT)
  • Ordering: NAT policy is evaluated top-down, first match, so this rule must sit below the two no-NAT exemptions; if it were moved above them, GP-No-NAT and GP-LB-No-Nat would never match and that traffic would be translated anyway

VPN Configuration

Tunnel: tunnel.101

  • Local Interface: ethernet1/2
  • Peer Address: 130.41.228.218
  • Purpose: Site-to-site IPSec VPN

Management

  • Management Interface: ethernet1/1 (via the Interface-MGMT management profile); the Management IP 10.1.1.103 in the header sits on the same 10.1.1.0/24 LAN, so confirm which address is actually used for administration
  • Default Gateway: 10.1.1.1
  • FQDN Refresh: 10 seconds

Key Network Services

GlobalProtect (GP):

  • Portal/Gateway services configured
  • Loopback interface for GP: GP-Loopback-Host
  • Client DNS: 10.1.1.35 (Pi-hole)
  • Client DNS Suffix: skinner.network

Migration Considerations

Critical Dependencies

  1. DHCP Server: Currently provided by Palo Alto (10.1.1.1)

    • Need alternative DHCP server before migrating off Palo Alto
    • Options: Pi-hole, router, or dedicated DHCP service
  2. Default Gateway: All clients use 10.1.1.1

    • Must maintain this IP or update all clients
    • Consider: Keep Palo Alto as gateway initially, or migrate to OPNsense/pfSense
  3. Inter-VLAN Routing: Palo Alto handles L3 routing

    • Alternative needed if migrating away
  4. DNS: Already using Pi-hole (10.1.1.35) ✓

    • No change needed
  5. NAT/Firewall: Complex rules and zones

    • Recommend export and document before migration
    • Plan replacement (OPNsense, pfSense, or physical firewall)

Migration Path Options

Option A: Keep Palo Alto VM (Recommended for now)

  • Migrate Palo Alto VM to Proxmox
  • Reconfigure network interfaces/VLANs
  • Test thoroughly before other migrations
  • Least disruption

Option B: Replace with Alternative

  • Deploy OPNsense or pfSense
  • Migrate DHCP, routing, NAT rules
  • Higher complexity, more downtime
  • User mentioned they’re “migrating off this firewall eventually”

Pre-Migration Backup Checklist

  • Configuration export (current_2026.xml) ✓
  • Document NAT rules
  • Document firewall security policies
  • Test DHCP failover plan
  • Document VPN configuration (if still in use)
  • Screenshot GlobalProtect settings (if still in use)
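The "document NAT rules" item above, the duplicate 172.16.101.1/24 entry under Interfaces, and the unknown DHCP lease range can all be worked from current_2026.xml itself rather than from screenshots. The script below is an added example, not code from this page or from Palo Alto Networks. It assumes the element layout of a PAN-OS running-config export (interfaces and DHCP servers under devices/entry/network, the NAT rulebase under devices/entry/vsys/entry/rulebase/nat); check those paths against your own export. The embedded XML is a constructed sample built from the facts in this summary: the pool range 10.1.1.100-10.1.1.199, the H-GP-LB address object and the Outbound-SNAT rule name are placeholders, and ethernet1/3 deliberately repeats ethernet1/2's address so the overlap check has something to find.

```python
"""Inventory a PAN-OS XML export (e.g. current_2026.xml) for migration notes.
Added example, not code from the page or Palo Alto Networks. Assumes the
running-config layout of PAN-OS exports (interfaces and DHCP under
devices/entry/network, NAT rules under devices/entry/vsys/entry/rulebase)."""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# CONSTRUCTED sample built from the summary. The ip-pool range, H-GP-LB object
# and Outbound-SNAT name are placeholders; ethernet1/3 repeats ethernet1/2's address.
SAMPLE_XML = """<config version="11.2.0"><devices><entry name="localhost.localdomain"><network>
<interface><ethernet>
<entry name="ethernet1/1"><layer3><ip><entry name="10.1.1.1/24"/></ip></layer3></entry>
<entry name="ethernet1/2"><layer3><ip><entry name="172.16.101.1/24"/></ip></layer3></entry>
<entry name="ethernet1/3"><layer3><ip><entry name="172.16.101.1/24"/></ip></layer3></entry>
</ethernet></interface>
<dhcp><interface><entry name="ethernet1/1"><server><mode>enabled</mode>
<ip-pool><member>10.1.1.100-10.1.1.199</member></ip-pool><option><gateway>10.1.1.1</gateway>
<dns><primary>10.1.1.35</primary></dns><dns-suffix>skinner.network</dns-suffix></option>
</server></entry></interface></dhcp></network>
<vsys><entry name="vsys1"><rulebase><nat><rules>
<entry name="GP-No-NAT"><from><member>inside</member></from><to><member>outside</member></to>
<source><member>any</member></source><destination><member>H-ABB-Static</member></destination><service>GP-9443</service></entry>
<entry name="GP-LB-No-Nat"><from><member>inside</member></from><to><member>outside</member></to>
<source><member>any</member></source><destination><member>H-GP-LB</member></destination><service>any</service></entry>
<entry name="Outbound-SNAT"><from><member>inside</member></from><to><member>outside</member></to>
<source><member>any</member></source><destination><member>any</member></destination><service>any</service>
<source-translation><dynamic-ip-and-port><interface-address><interface>ethernet1/3</interface>
</interface-address></dynamic-ip-and-port></source-translation></entry>
</rules></nat></rulebase></entry></vsys></entry></devices></config>"""

NETWORK, VSYS = "./devices/entry/network", "./devices/entry/vsys/entry"

def parse_config(xml_text):
    return ET.fromstring(xml_text)

def layer3_interfaces(root):
    """Map each layer-3 ethernet interface to its list of configured addresses."""
    ifaces = {}
    for eth in root.findall(NETWORK + "/interface/ethernet/entry"):
        l3 = eth.find("layer3")
        if l3 is not None:  # skip layer2 / tap / virtual-wire ports
            ifaces[eth.get("name")] = [ip.get("name") for ip in l3.findall("ip/entry")]
    return ifaces

def overlapping_addresses(ifaces):
    """{address: [interfaces]} for every address configured on more than one port."""
    owners = defaultdict(list)
    for name, addrs in ifaces.items():
        for addr in addrs:
            owners[addr].append(name)
    return {a: n for a, n in owners.items() if len(n) > 1}

def dhcp_servers(root):
    """Mode, pool(s) and client options of each DHCP server, keyed by interface."""
    servers = {}
    for entry in root.findall(NETWORK + "/dhcp/interface/entry"):
        srv = entry.find("server")
        if srv is not None:
            servers[entry.get("name")] = {
                "mode": srv.findtext("mode", default="unknown"),
                "pools": [m.text for m in srv.findall("ip-pool/member")],
                "gateway": srv.findtext("option/gateway"),
                "dns": srv.findtext("option/dns/primary"),
                "dns_suffix": srv.findtext("option/dns-suffix")}
    return servers

def nat_rules(root):
    """NAT rulebase in policy order; translation is 'none' for a no-NAT rule."""
    rules = []
    for r in root.findall(VSYS + "/rulebase/nat/rules/entry"):
        st, dt = r.find("source-translation"), r.find("destination-translation")
        kinds = ["source:" + st[0].tag] if st is not None and len(st) else []
        kinds += ["destination"] if dt is not None else []
        rules.append({"name": r.get("name"),
                      "from": [m.text for m in r.findall("from/member")],
                      "to": [m.text for m in r.findall("to/member")],
                      "source": [m.text for m in r.findall("source/member")],
                      "destination": [m.text for m in r.findall("destination/member")],
                      "service": r.findtext("service", default="any"),
                      "translation": "+".join(kinds) or "none"})
    return rules

def unreachable_nat_rules(rules):
    """NAT policy is first match, top down: a rule whose zone pairs are all covered by
    an earlier any/any/any rule never matches (e.g. a no-NAT exemption below the SNAT rule)."""
    covered, unreachable = set(), []
    for r in rules:
        pairs = {(f, t) for f in r["from"] for t in r["to"]}
        if pairs and pairs <= covered:
            unreachable.append(r["name"])
        elif r["source"] == ["any"] and r["destination"] == ["any"] and r["service"] == "any":
            covered |= pairs
    return unreachable

if __name__ == "__main__":
    root = parse_config(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML)
    ifaces, rules = layer3_interfaces(root), nat_rules(root)
    print("interfaces:", ifaces, "\noverlaps:", overlapping_addresses(ifaces))
    print("dhcp:", dhcp_servers(root), "\nnat:", [(r["name"], r["translation"]) for r in rules])
    print("shadowed nat rules:", unreachable_nat_rules(rules))
```

Run it as `python3 inventory.py current_2026.xml` to print the interface table, any address overlaps, the DHCP pool(s) and the NAT rules with their translation type; without an argument it runs against the constructed sample. The shadowing check encodes the one ordering rule that matters for the two no-NAT entries: PAN-OS evaluates NAT policy top-down, first match, so an exemption placed below an any/any source-NAT rule is dead, and an any/any no-NAT rule placed above it disables source NAT for everything.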

Network Topology Summary

Internet

    ├─ (Outside Zone) ─── ethernet1/? (VLAN 300 from switch)

[Palo Alto VM - jarnetfw]

    ├─ ethernet1/1 (10.1.1.1/24) ─── Inside Zone
    │   ├─ DHCP Server
    │   ├─ Default Gateway for 10.1.1.0/24
    │   └─ Routes to MikroTik switch SFP1 (VLAN 1)

    ├─ ethernet1/2 (172.16.101.1/24) ─── VPN Tunnel
    │   └─ Peer: 130.41.228.218

    └─ vlan.1 ─── Inside Zone (DHCP_VLAN)

Questions to Resolve

  1. Outside Interface: Which ethernet interface is the outside zone?

    • Likely connects to MikroTik switch SFP1 (VLAN 300)
    • MAC: 00:50:56:a7:0f:60 (seen on switch)
  2. VPN Status: Is the VPN tunnel to 130.41.228.218 still active/needed?

  3. GlobalProtect: Still in use for remote access? Or replaced by Cloudflared?

  4. DHCP Pool: What is the actual DHCP range (start/end IPs)?

  5. Migration Timeline: When to migrate off Palo Alto?

    • During Proxmox migration?
    • After everything else is stable?
  6. Interface Addressing: ethernet1/2 and ethernet1/3 are both recorded as 172.16.101.1/24, a duplicate that commit validation normally rejects; which interface actually holds that address, and what is the other one configured with?