I currently have a virtual machine hosted on OpenStack that will function as a Syslog server for infrastructure devices externally.

The VM has one interface and is assigned to the management network for internal administration. I have configured a VLAN external network in the same subnet as the external devices that will eventually be connected at Layer 2. A static floating IP has been assigned to the VM. A virtual router is created with the external interface pointing to a virtual Palo Alto VM. I have also configured the Syslog VM to have a gateway of the external interface of the OpenStack virtual router.

I can "source" ping "host" "floating IP of the VM" from the Palo command line. My questions are:

Is this an accurate configuration for what I am aiming to accomplish? Is it correct that the VM's gateway is configured as the external interface of the virtual router or does it need to be the Palo interface? Since the external VLAN is already being advertised at Layer 3, I will need to define a VLAN at the Palo Alto...

The goal is that the management net must always be protected and never advertised at Layer 2 and 3.

