The partition can be accomplished without editing the IP addresses or the default gateways of any of

the guest VMs by creating a new virtual switch and using the VM-Series firewall to separate virtual

switches using virtual wire mode. Then move the guests that require more security into the new

virtual switch. A virtual switch is a software-based switch that connects virtual machines (VMs) in a

VMware ESXi environment. A virtual wire is a deployment mode of the VM-Series firewall that allows

it to act as a bump in the wire between two network segments, without requiring an IP address or

routing configuration. By creating a new virtual switch and using the VM-Series firewall to separate

virtual switches using virtual wire mode, the customer can isolate the group of VMs that require

more security from the rest of the network, and apply security policies to the traffic passing through

the firewall. The partition cannot be accomplished without editing the IP addresses or the default

gateways of any of the guest VMs by editing the IP address of all of the affected VMs, creating a Layer

3 interface in the same subnet as the VMs and then configuring proxy Address Resolution Protocol

(ARP), or sending the VLAN out of the virtual environment into a hardware Palo Alto Networks

firewall in Layer 3 mode. Use the same IP address as the old default gateway, then delete it, as those

methods would require changing the network configuration of the guest VMs or introducing

additional complexity and latency. Reference: Palo Alto Networks Certified Software Firewall

Engineer (PCSFE), [Deploying Virtual Switches], [Virtual Wire Deployment], [Deploying Virtual Wire

on VMware ESXi]