What configuration is needed for traffic inspection between two VMs on the same hypervisor using Palo Alto Networks NGFW without NSX?

For traffic inspection between two virtual machines (VMs) on the same hypervisor using Palo Alto Networks Next-Generation Firewall (NGFW), the configuration of having the two VMs on separate virtual switches (vSwitches) is essential because it allows the firewall to intercept and inspect the traffic between them.

When the VMs are located on different vSwitches, the traffic between them does not flow directly but instead must pass through the Palo Alto NGFW, which is configured to inspect that traffic. This setup is crucial for the firewall to apply its security policies, carry out threat inspections, and enforce controls on the data moving between the VMs.

In contrast, if both VMs were on the same vSwitch, the traffic could potentially bypass the firewall, preventing the necessary inspection and control of the data stream. This configuration implies that the firewall needs to be strategically placed to correctly intercept and manage the traffic, which is why having the VMs on separate vSwitches is the appropriate answer for enabling effective traffic inspection.