Contact Information
Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About this Guide
This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to deploy the VM-Series firewall. For more information, refer to the following sources: PAN-OS Administrator's Guide–...

About the VM-Series Firewall
The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south traffic. ...

VM-Series Models
The VM-Series firewall is available in four models—VM-100, VM-200, VM-300, and VM-1000-HV. All four models can be deployed as guest virtual machines on VMware ESXi and on Citrix NetScaler SDX; on VMware NSX, only the VM-1000-HV is supported. The software package (.xva or .ovf file) that is used to deploy the VM-Series firewall is common across all models.

VM-Series Deployments
The VM-Series firewall can be deployed on the following platforms:
VM-Series for VMware vSphere Hypervisor (ESXi): VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on VMware ESXi; ideal for cloud or networks where a virtual form factor is required.
Here is a brief look at some of the requirements for deploying PAN-OS 6.0 on the VM-Series firewall:

Deployment | Hypervisor Versions Supported | Base Image Required from the Palo Alto Networks Support Portal | Relevant Capacity Licenses
VM-Series for VMware | 5.0, 5.1, and 5.5...

License the VM-Series Firewall
When you purchase a VM-Series firewall, you receive a set of authorization codes over email. Typically the email includes authorization code(s) to license the VM-Series model you purchased (VM-100, VM-200, VM-300, VM-1000-HV), a support entitlement that provides access to software/content updates (for example, the PAN-SVC-PREM-VM-100 SKU auth-code), and any additional subscriptions such as Threat Prevention, URL Filtering, GlobalProtect, or WildFire.

Create a Support Account
Log in to https://support.paloaltonetworks.com. Click Register and fill in the details in the user registration form. You must use the capacity auth-code and the sales order number or customer ID to register and create an account on the support portal.

Activate the License
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. For instructions to deploy the VM-Series firewall, see VM-Series Deployments. Until you activate the license on the VM-Series firewall, the firewall does not have a serial number, the MAC addresses of the dataplane interfaces are not unique, and only a minimal number of sessions are supported.
Activate the License (Continued)
• If your VM-Series firewall does not have Internet access: Select Device > Licenses and click the Activate Feature using Auth Code link. Click Download Authorization File, and download authorizationfile.txt to the client machine.

Registered the auth-code to the support account. If you don't register the auth-code, the licensing server will fail to create a license.
Configured the VMware Service Manager and entered this auth-code on Panorama. On Panorama, select ...
Migrating from an evaluation license to a production license.
Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM-200 to the VM-1000-HV license.

Migrate the License on the VM-Series Firewall
Step 1 Power off the VM-Series firewall.

Monitor Changes in the Virtual Environment
In a legacy client-server architecture with physical infrastructure resources, security administrators controlled the deployment of servers on the network and had visibility into the applications that traversed the network; security policies were based on static IP addresses.
Set up the VM Monitoring Agent
Step 1 Enable the VM Monitoring Agent. Select Device > VM Information Sources. Add a source and enter the following information: ... Up to 10 sources can be configured for each firewall, or for •...

Set up the VM Monitoring Agent (Continued)
Step 2 Verify the connection status. Verify that the connection Status displays as connected. If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source.
Platform | Maximum number of dynamically registered IP addresses
PA-4000 Series, PA-3000 Series | 5000
PA-2000 Series, PA-500, PA-200, VM-300, VM-200, VM-100 | 1000

The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to: Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and ...
Use Dynamic Address Groups in Policy (Continued)
Step 2 Create dynamic address groups on the firewall. Log in to the web interface of the firewall. Select Object > Address Groups. View the tutorial to see a big...
Use Dynamic Address Groups in Policy (Continued)
This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.
Step 4 Validate that the members of the dynamic... Select...

Attributes Monitored on a VMware Source
When the firewall is configured to monitor VM Information Sources, the following metadata elements or attributes are monitored on each VMware source: UUID, Name, ...
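The dynamic address group workflow above turns attributes the VM monitoring agent collects into tags on registered IP addresses, and a group's match criteria then select members without any static IP in policy. The following is an added model of that mechanism, written for this page and not Palo Alto Networks code: the registry, the match-criteria parser and the first-match policy lookup are assumptions about the behaviour described, the registration caps come from the table above, and the three guests and their tags are constructed sample data. It goes a little beyond the text by parsing nested and/or criteria and by enforcing the platform cap on registered addresses.

```python
"""Model of PAN-OS dynamic address groups (DAGs) as described in the guide.
Added illustration: the names below are assumptions, not firewall code."""
import ipaddress
import re

# Cap on dynamically registered IPs per platform, from the guide's table.
MAX_REGISTERED_IPS = {
    "PA-4000": 5000, "PA-3000": 5000,
    "PA-2000": 1000, "PA-500": 1000, "PA-200": 1000,
    "VM-300": 1000, "VM-200": 1000, "VM-100": 1000,
}


class RegistrationLimitExceeded(Exception):
    """The platform cap on dynamically registered IP addresses was reached."""


class TagRegistry:
    """IP address -> tag set, as the VM monitoring agent would populate it."""

    def __init__(self, model):
        self.limit = MAX_REGISTERED_IPS[model]
        self.tags = {}

    def register(self, ip, tags):
        ip = str(ipaddress.ip_address(ip))  # reject malformed addresses early
        if ip not in self.tags and len(self.tags) >= self.limit:
            raise RegistrationLimitExceeded(f"cap of {self.limit} registered IPs reached")
        self.tags.setdefault(ip, set()).update(tags)

    def unregister(self, ip):
        """A guest that leaves vCenter drops out of every DAG at once."""
        self.tags.pop(str(ipaddress.ip_address(ip)), None)


# Match criteria: quoted tags combined with and/or, parentheses allowed.
_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\))|(and|or)\b)", re.IGNORECASE)


def _tokenize(text):
    pos, tokens, text = 0, [], text.rstrip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad match criteria near {text[pos:]!r}")
        if m.group(1) is not None:
            tokens.append(("tag", m.group(1)))
        elif m.group(2):
            tokens.append(("paren", m.group(2)))
        else:
            tokens.append(("op", m.group(3).lower()))
        pos = m.end()
    return tokens


def _parse(tokens):
    """Recursive descent: expr := term ('or' term)*, term := atom ('and' atom)*."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():
        nonlocal pos
        node = term()
        while peek() == ("op", "or"):
            pos += 1
            node = ("or", node, term())
        return node

    def term():
        nonlocal pos
        node = atom()
        while peek() == ("op", "and"):
            pos += 1
            node = ("and", node, atom())
        return node

    def atom():
        nonlocal pos
        tok = peek()
        if tok == ("paren", "("):
            pos += 1
            node = expr()
            if peek() != ("paren", ")"):
                raise ValueError("missing ')' in match criteria")
            pos += 1
            return node
        if tok is not None and tok[0] == "tag":
            pos += 1
            return tok
        raise ValueError(f"unexpected token {tok!r} in match criteria")

    tree = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return tree


def _matches(tree, tags):
    if tree[0] == "tag":
        return tree[1] in tags
    left, right = _matches(tree[1], tags), _matches(tree[2], tags)
    return (left and right) if tree[0] == "and" else (left or right)


def dag_members(registry, criteria):
    """IPs whose registered tags satisfy the DAG match criteria, sorted."""
    tree = _parse(_tokenize(criteria))
    hits = [ip for ip, tags in registry.tags.items() if _matches(tree, tags)]
    return sorted(hits, key=lambda ip: (ipaddress.ip_address(ip).version, ipaddress.ip_address(ip)))


def lookup_policy(registry, rules, dst_ip, app):
    """First-match evaluation of rules whose destination is a DAG; implicit deny."""
    for name, criteria, rule_app, action in rules:
        if dst_ip in dag_members(registry, criteria) and rule_app in (app, "any"):
            return name, action
    return "default", "deny"


if __name__ == "__main__":
    # Constructed sample: tags derived from vCenter attributes (VM name, annotation).
    reg = TagRegistry("VM-300")
    reg.register("10.1.1.10", {"vmware.vm.name.ftp-01", "vmware.annotation.prod"})
    reg.register("10.1.1.11", {"vmware.vm.name.web-01", "vmware.annotation.prod"})
    reg.register("10.1.1.12", {"vmware.vm.name.web-02", "vmware.annotation.dev"})
    web = "'vmware.annotation.prod' and ('vmware.vm.name.web-01' or 'vmware.vm.name.web-02')"
    rules = [("allow-ftp", "'vmware.vm.name.ftp-01'", "ftp", "allow"),
             ("allow-web", web, "web-browsing", "allow")]
    print(lookup_policy(reg, rules, "10.1.1.11", "web-browsing"))  # prod web server: allowed
    print(lookup_policy(reg, rules, "10.1.1.12", "web-browsing"))  # dev box: implicit deny
```

The point a practitioner should take from this is in the last two lines: the dev web server carries a name tag the group would accept, but the and with the prod annotation keeps it out, so the rule never matches and the implicit deny applies; when a guest is unregistered it leaves every group immediately, with no policy edit and no commit.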
If you would like to automate the process of deploying a VM-Series firewall, you can create a gold standard template with the optimal configuration and policies, and use the vSphere API and the PAN-OS XML API to rapidly deploy new VM-Series firewalls in your network. For more information, see the article: VM Series DataCenter Automation.
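The PAN-OS XML API side of that automation is a small HTTPS exchange: obtain an API key, push configuration elements at an xpath, then commit and record the job id. Below is an added example of that exchange, written for this page and not Palo Alto Networks code: the request shapes (type=keygen, type=config with action=set, type=commit) follow the public XML API, while the hostname xpath, the function names and the FakeFirewall with its canned responses are assumptions so the script runs offline; pointing https_transport at a real firewall requires the CA certificate that signed its management certificate.

```python
"""Minimal PAN-OS XML API client for scripted VM-Series provisioning.
Added example, not Palo Alto Networks code; see the lead-in for assumptions."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


class PanApiError(Exception):
    """Raised for any response whose status attribute is not 'success'."""


def https_transport(url, body, cafile=None):
    """Real transport: POST the query to the firewall with TLS verification on."""
    ctx = ssl.create_default_context(cafile=cafile)  # never disable verification
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


class PanOsXmlApi:
    def __init__(self, host, transport=https_transport):
        self.url = f"https://{host}/api/"
        self.transport = transport
        self.key = None

    def _call(self, **params):
        if self.key is not None:
            params.setdefault("key", self.key)
        root = ET.fromstring(self.transport(self.url, urllib.parse.urlencode(params)))
        if root.get("status") != "success":
            msg = (root.findtext(".//line") or root.findtext(".//msg") or "").strip()
            raise PanApiError(f"code {root.get('code', '?')}: {msg or 'unknown error'}")
        return root

    def keygen(self, user, password):
        """Exchange credentials for an API key; later calls carry the key, not the password."""
        self.key = self._call(type="keygen", user=user, password=password).findtext("./result/key")
        return self.key

    def set_config(self, xpath, element):
        self._call(type="config", action="set", xpath=xpath, element=element)

    def commit(self):
        """Commit the candidate config; returns the job id to poll for completion."""
        return int(self._call(type="commit", cmd="<commit></commit>").findtext("./result/job"))


# Assumed xpath of the system settings node on a standalone firewall.
SYSTEM_XPATH = "/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system"


def bootstrap_firewall(api, user, password, hostname):
    """Provision a freshly deployed VM-Series: key, hostname, commit. Returns the job id."""
    api.keygen(user, password)
    api.set_config(SYSTEM_XPATH, f"<hostname>{escape(hostname)}</hostname>")
    return api.commit()


class FakeFirewall:
    """Constructed stand-in for a firewall so the exchange can run offline."""
    KEY, PASSWORD = "CONSTRUCTED-API-KEY", "constructed-password"
    ERR = "<response status = 'error' code = '403'><result><msg>Invalid credentials.</msg></result></response>"

    def __init__(self):
        self.requests = []  # every decoded query the client sent, in order

    def __call__(self, url, body):
        q = urllib.parse.parse_qs(body)
        self.requests.append(q)
        if q["type"] == ["keygen"]:
            if q.get("password") != [self.PASSWORD]:
                return self.ERR
            return f"<response status = 'success'><result><key>{self.KEY}</key></result></response>"
        if q.get("key") != [self.KEY]:
            return self.ERR
        if q["type"] == ["config"]:
            return '<response status="success" code="20"><msg>command succeeded</msg></response>'
        if q["type"] == ["commit"]:
            return ('<response status="success" code="19"><result>'
                    "<msg><line>Commit job enqueued with jobid 12</line></msg>"
                    "<job>12</job></result></response>")
        return "<response status = 'error' code = '400'><result><msg>Unsupported request</msg></result></response>"


if __name__ == "__main__":
    fw = FakeFirewall()
    api = PanOsXmlApi("vm-fw-01.example.invalid", transport=fw)
    print("commit job", bootstrap_firewall(api, "admin", FakeFirewall.PASSWORD, "vm-fw-01"))
```

Two choices matter for a deployment pipeline: the password is sent exactly once, to keygen, and every later request carries only the API key; and every call is checked for status="success" rather than assuming an HTTP 200 means the configuration landed, since the XML API reports failures inside the body.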
Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)
You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology.

System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM-Series firewall, see Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).

Limitations
The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations: Dedicated CPU cores are recommended. Only High Availability (HA) lite is supported (active/passive with no stateful failover). ...

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)
To install a VM-Series firewall you must have access to the Open Virtualization Format (OVF) template. Use the auth code you received in your order fulfillment email to register your VM-Series firewall and gain access to the OVF template.
Provision a VM-Series Firewall (Continued)
Step 2 Before deploying the OVF template, set up the virtual standard switch(es) and virtual distributed switch(es) that you will need... To configure a virtual standard switch to receive frames for the VM-Series firewall:
Provision a VM-Series Firewall (Continued)
Step 3 Deploy the OVF template. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.

Perform Initial Configuration on the VM-Series on ESXi
Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. You must first configure the management interface, and then access the web interface to complete further configuration tasks.

Troubleshoot ESXi Deployments
Many of the troubleshooting steps for the VM-Series firewall are very similar to those for the hardware versions of PAN-OS. When problems occur, you should check interface counters and system log files, and if necessary, use debug to create captures.
The vmdk extension is for the virtual disk image file. The virtual disk in the OVF is large for the VM-Series; this file is nearly 900MB and must be present on the ...

Modify the base image file (only if using the VM-1000-HV license in standalone mode)
Step 3 Change the number of virtual CPU cores allotted from 2 to 4 or 8 as desired for your deployment: <Item>...

Will moving the VM-Series firewall cause license invalidation? If you are manually moving the VM-Series firewall from one host to another, be sure to select the option ...; this prevents license invalidation.

Set Up a VM-Series Firewall on the Citrix SDX Server
About the VM-Series Firewall on the SDX Server
System Requirements and Limitations
Supported Deployments—VM Series Firewall on Citrix SDX
Install the VM-Series Firewall on the SDX Server
Secure North-South Traffic with the VM-Series Firewall
...

use as MIPs providing access to those subnets. SNIPs may be bound to specific VLANs and interfaces. For examples of deploying the VM-Series firewall and the NetScaler VPX together, see Supported Deployments—VM Series Firewall on Citrix SDX.

System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.

Requirements
You can deploy multiple instances of the VM-Series firewall on the Citrix SDX server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the SDX server, make sure to conform to the specifications below to ensure optimal performance.

Jumbo frames are not supported. Link aggregation is not supported. For the supported deployments, see Supported Deployments—VM Series Firewall on Citrix SDX. To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.

Supported Deployments—VM Series Firewall on Citrix SDX
In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX.
VM-Series Firewall with L3 Interfaces
Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets.
For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, then the VM-Series firewall requires a default route that points to the SNIP (192.168.1.1 in this example).

VM-Series Firewall Before the NetScaler VPX
In this scenario, the perimeter firewall is replaced with the VM-Series firewall, which can be deployed using L3, L2, or virtual wire interfaces.

Install the VM-Series Firewall on the SDX Server
A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the SDX server.

Provision the VM-Series Firewall on the SDX Server
Step 1 Access the SDX server. Launch the web browser and connect to the SDX server.

Secure North-South Traffic with the VM-Series Firewall
This section includes information on deploying the NetScaler VPX and the VM-Series firewall on the Citrix SDX server: ...
Topology After Adding the VM-Series Firewall
The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions, refer to the ...
Set up the VM-Series Firewall to Process North-South Traffic Using L3 Interfaces
Step 1 Install the VM-Series Firewall on the SDX Server. When provisioning the VM-Series firewall on the SDX server, you ...
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall. For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.

Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in an L2 or a virtual wire deployment.
Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces (Continued)
Step 2 Re-cable the server-side interface assigned to the NetScaler VPX. If you have already deployed a NetScaler VPX and are now adding ...
... Only traffic that matches a security rule will be logged. Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall. For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.

Deploy the VM-Series Firewall Before the NetScaler VPX
The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX.
Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces
Step 1 Install the VM-Series Firewall on the SDX Server. On the SDX server, make sure to enable Allow L2 Mode on the data ...
Secure East-West Traffic with the VM-Series Firewall
The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network.
Leave all the other options at the default values. Click Commit to save your changes. For securing north-south traffic, see Secure North-South Traffic with the VM-Series Firewall. For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.

Set Up a VM-Series NSX Edition Firewall
The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all datacenter traffic, including intra-host virtual machine communications.

VM-Series NSX Edition Firewall Overview
NSX, VMware's Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on a cluster of ESXi servers. SDDC is a VMware term that refers to a datacenter where infrastructure—compute resources, network and storage—is virtualized using VMware NSX.

What are the Components of the NSX Edition Solution?
Table: VMware Components and Table: Palo Alto Networks Components show the components of this joint Palo Alto Networks and VMware solution. The following topics describe each component in more detail: ...
Component | Minimum Version | Description
Panorama | ... | Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX Manager to deploy, license, and centrally administer—configuration and policies—on the VM-Series NSX edition firewall.
vCenter Server
The vCenter server is required to manage the NSX Manager and the ESXi hosts in your datacenter. This joint solution requires that the ESXi hosts be organized into one or more clusters on the vCenter server and be connected to a distributed virtual switch.
VM-Series NSX Edition
The VM-Series NSX edition is the VM-Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process of installing the VM-Series firewall directly on the ESXi hypervisor, and allows the hypervisor to forward traffic to the VM-Series firewall without using the vSwitch configuration;...

How Do the Components in the NSX Edition Solution Work Together?
To meet the security challenges in the software-defined datacenter, the NSX Manager, ESXi servers and Panorama work together to automate the deployment of the VM-Series firewall.
1. ...
3. Establish communication between the VM-Series firewall and Panorama: The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall.
Integrated Policy Rules
The NSX Firewall and the VM-Series firewall work in concert to enforce security; each provides a set of traffic management rules that are applied to the traffic on each ESXi host. The first set of rules is defined on the NSX Firewall;...
Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the VM-Series firewall and can be sent to the virtual switch for onward processing.
If, for example, you have a multi-tier architecture for web applications, on the NSX Manager you create three security groups: one each for the WebFrontEnd servers, the Application servers and the Database servers. The NSX Manager updates Panorama with the names of the security groups and the IP addresses of the guests that are included in each security group.
When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group to which that guest belongs. Then, Panorama pushes these real-time updates to all the firewalls that are included in the device group and notifies the device groups in the service manager configuration on Panorama.

What are the Benefits of the NSX Edition Solution?
The NSX edition of the VM-Series firewall is focused on securing east-west communication in the software-defined datacenter. Deploying the firewall has the following benefits:
Automated Deployment—The NSX Manager automates the process of delivering next-generation firewall ...

VM-Series NSX Edition Firewall Deployment Checklist
To deploy the NSX edition of the VM-Series firewall, use the following workflow:
Step 1: Set up the Components—To deploy the VM-Series NSX edition, set up the following components (see What are the Components of the NSX Edition Solution?):...
– (On the NSX Manager) Define the network introspection rules that redirect traffic to the VM-Series firewall. The network introspection rules on the NSX Manager use the IP address as a match criterion to steer traffic to the VM-Series firewall.

Create a Device Group and Template on Panorama
To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group; adding a firewall to a template is optional.

Register the VM-Series Firewall as a Service on the NSX Manager
To automate the provisioning of the VM-Series NSX edition firewall, enable communication between the NSX Manager and Panorama.
Use Panorama to Register the VM-Series Firewall as a Service (Continued)
Step 4 Add the authorization code. Enter the authorization code that you received with your order fulfillment email.
Use Panorama to Register the VM-Series Firewall as a Service (Continued)
Step 8 Verify the connection status on Panorama. Displays the connection status between Panorama and the NSX Manager.

Deploy the VM-Series Firewall
After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager:
Enable SpoofGuard
...

Enable SpoofGuard
The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non-IP L2 traffic, or IP traffic that does not match the IP addresses known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and will not be steered to the VM-Series firewall.
Enable SpoofGuard and Block Non-IP L2 Traffic (Continued)
Step 2 Select the IP protocols to allow. Select Networking and Security > Firewall > Ethernet. Add a rule that allows IPv4 and IPv6 traffic, and a rule that blocks everything else.

Define an IP Address Pool
The IP pool is a range of (static) IP addresses that are reserved for establishing management access to the VM-Series firewalls. When the NSX Manager deploys a new VM-Series firewall, the first available IP address from this range is assigned to the management interface of the firewall.

Specify the Port Groups from Which to Redirect Traffic
So that the NSX Manager can redirect traffic to the VM-Series firewall, you must select the port groups or logical networks for which the VM-Series firewall must secure traffic. The port groups are defined on the Palo Alto Networks NGFW service profile.

Prepare the ESXi Host for the VM-Series Firewall
Before you deploy the VM-Series firewall, each guest in the cluster must have the necessary NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager will install the components—...

Deploy the Palo Alto Networks NGFW Service
Use the following steps to automate the process of deploying an instance of the VM-Series NSX edition firewall on each ESXi host in the specified cluster.
Step 1 Select...
Deploy the Palo Alto Networks NGFW Service (Continued)
Step 6 Select the IP address pool (which you defined in Define an IP Address Pool) from which to assign a management IP address to each firewall when it is being deployed.
Deploy the Palo Alto Networks NGFW Service (Continued)
Step 9 Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama. Select Panorama > ... to verify that the firewalls are connected and synchronized.

Create Policies
The following topics describe how to create policies on the NSX Manager to redirect traffic to the VM-Series firewall, and how to create policies on Panorama and apply them to the VM-Series firewall so that it can enforce policy on the traffic that is redirected to it.

Define Policies on the NSX Manager
In order for the VM-Series firewall to secure the traffic, you must complete the following tasks:
Set Up Security Groups on the NSX Manager
...
Define Policies to Redirect Traffic to the VM-Series Firewall
Step 1 Select Networking and Security > Service Composer > Security Policies, and click Create Security Policy.
Step 2 Add a...
Do not apply the traffic redirection policies that you created above unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped.

Apply Policies to the VM-Series Firewall
Now that you have created the security policies on the NSX Manager, the names of the security groups that are referenced in security policy will be available on Panorama. You can now use Panorama to centrally administer policies on the VM-Series firewalls.
Define Policy on Panorama
Step 1 Create Dynamic Address Groups. Log in to the Panorama web interface. Select Object > Address Groups. Select the Device Group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
Define Policy on Panorama (Continued)
Step 2 Create security policies. Select Policies > Security. Select the Device Group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
Define Policy on Panorama (Continued)
Step 3 Apply the policies to the VM-Series NSX edition firewalls. Click Commit, and select Commit Type as Device Groups. Select the device group (NSX Device Group in this example) and click ... Verify that the commit is successful.
Apply the Redirection Policies on the NSX Manager
The last step in the process of deploying the VM-Series NSX Edition firewall is to apply the redirection policies to the security groups on the NSX Manager.
Apply the Security Policies on the NSX Manager: Select Networking and Security >...

Steer Traffic from Guests that are not Running VMware Tools
VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest running in the cluster.