Skip to content

Connecting MVEs Integrated with Palo Alto VM-Series

This topic describes how to connect a Megaport Virtual Edge (MVE) integrated with Palo Alto next-generation firewall (NGFW) to another MVE.

This deployment uses the Megaport private software defined network (SDN) to reduce reliance on the internet and connect enterprise branch locations.

Branch to branch

With two MVEs configured, you can create a private VXC to connect them on the Megaport network without the need for any physical infrastructure. A VXC is essentially a private point-to-point Ethernet connection between an A-End MVE and a B-End MVE.

Before you begin

Provision two MVEs in different locations. If you haven’t already created MVEs, see Creating a VM-Series MVE.

Creating a VXC between two MVEs

A private VXC deployment between two MVEs integrated with Palo Alto starts in the Megaport ONE Portal. To complete the configuration, you will use Palo Alto VM-Series.

To create a VXC

  1. In the Megaport ONE Portal, choose Networking > Services.

  2. Click the gear icon Gear icon next to the originating A-End Palo Alto MVE.

  3. Select Add Connection.

  4. Select Private VXC as the connection type.

    Private VXC

  5. Select the destination B-End MVE.
    Use the Country filter to narrow the selection.

  6. Specify the VXC Configuration details:

    • Connection Name – Specify a name for the VXC that is easily identifiable. For example, LA MVE 2 to Dallas MVE 4. You can change the name later, if you like.

    • Rate Limit (Mbps) – Specify a rate limit, in Mbps. The maximum speed is displayed. Although the rate limit for a VXC can be up to 10 Gbps, the compute capacity of the A-End or B-End MVE can influence the circuit throughput. Consult Palo Alto’s documentation for details.

    • A-End vNIC – Specify a vNIC by using the pre-populated default, or select from the drop-down list.

    • Preferred VLAN – Specify the 802.1q VLAN tag for this connection. Each VXC is delivered as a separate VLAN on the MVE. The VLAN ID must be unique on this MVE and can range from 2 to 4093. Megaport will attempt to use the same VLAN ID at both MVE instances, and it will also be used to configure the VLAN tag in Palo Alto PAN-OS. If you specify a VLAN ID that is already in use, you will be notified when placing the MVE order.

      VXC Configuration details

  7. Specify the Billing Details:

    • Service Level Reference (optional) – Specify a unique identifying number for the VXC to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.

    • Monthly Price – The monthly rate is based on location and size.

    • Promo Code – If you have a promotional code, enter it and click Add Code.

  8. Click Create Connection to order the connection.

  9. Review the new connection details and pricing then click Confirm.

Once the VXC is deployed, you can view it in the Megaport ONE Portal Services page. The Services page displays the VXC under the A-End MVE and the B-End MVE. Note that the service ID number is the same for the VXC at both ends of the connection.

The next step is to configure the A-End and B-End MVEs in the Palo Alto VM-Series.


The next procedure configures IP connectivity with BGP, providing just one solution out of many. Consult your SD-WAN vendor documentation for specific network design and configuration options before configuring interfaces for the MVEs.

Configuring the A-End MVE in VM-Series

  1. Log in to your VM-Series instance.

  2. Choose Network > Interfaces.

  3. Select the A-End MVE (ethernet1/1).

  4. Click Add Subinterface.

  5. Provide these details:

    • Interface Name – Enter a name for the subinterface. In the adjacent field, enter a number to identify the subinterface.

    • Comment – Enter an alternate name, for example, PA-MVE-1 to PA-MVE-2.

    • Tag – Specify the VLAN value associated with the VXC you created earlier. For ease of use, specify the same number as the Interface Name.

    • Virtual Router – Select a virtual router to the interface, as required by your network.

  6. Select the IPv4 tab.

  7. Select Static as the Type.
  8. Click +Add to add a new IP address.
  9. Enter the IPv4 address and netmask.
  10. Click OK.
  11. Click Commit in the top right corner.
    Commit button
  12. Review the changes and click Commit. Commit changes

The new VLAN interface appears with your ethernet1/1 physical interface.

Next, you will create a security zone so the interface can route traffic.

To create a security zone

  1. Select the ethernet1/1.1010 subinterface.
  2. Select New Zone from the Security Zone drop-down list.
  3. Specify a name for the security zone.
    Security zone settings
  4. Click +Add under Interfaces and add ethernet1/1.1010 to the security zone.
  5. Specify any additional details as required for your network security.
  6. Select New Zone Protection Profile from the Zone Protection Profile drop-down list.
  7. Specify any details as required for your network security.
    This example uses all the defaults.
    Zone Protection profile
  8. Click OK.
  9. Click OK in the Layer3 Subinterface screen.
  10. Click Commit in the top right corner.
    Commit button
  11. Review the changes and click Commit. Commit changes

Configuring the B-End MVE in VM-Series

  • Follow the same procedure to configure the B-End interface, using a different IP address.

Validating your connection

Next, you will test connectivity between the Palo Alto MVEs.


Because Palo Alto is a firewall, you must enable ICMP before an interface can respond to an ICMP echo request.

To validate your connection

  1. Log in to your VM-Series instance.
  2. Choose Network > Interfaces.
  3. Select the newly created subinterface.
    Select subinterface
  4. Select the Advanced tab.
    Advanced tab
  5. Select New Management Profile from the drop-down list.
  6. Specify a profile name in the Name field. Interface management profile
  7. Select Ping from the Network Services list.
  8. To add specific IP addresses or subnets to the ACL, click +Add under Permitted IP Addresses.
  9. Click OK.
    Layer 3 Subinterface
  10. Click OK.
  11. Click Commit in the top right corner.
    Commit button
  12. Review the changes and click Commit. Commit changes
  13. Repeat steps 1 to 12 for the second Palo Alto MVE.
  14. Choose Device > Troubleshooting to test connectivity between the Palo Alto MVEs.
  15. Select Ping from the Select Test drop-down list.
    Select ping test
  16. Enter the relevant details.
    See the Palo Alto Tech Docs for information on these fields.
  17. Click Execute to run the test.
    Successful ping

Last update: 2023-10-12