Table of Contents
About the VM-Series Firewall ........ 1
VM-Series Models ...
The VM-Series NSX Edition Firewall ...... 41
VM-Series NSX Edition Firewall Overview .......... 42
What are the Components of the Solution? ...
About the VM-Series Firewall
The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized data center environment where it can protect and secure traffic for private and public cloud deployments.
VM-Series firewall. The Enterprise version is available in multiples of 25. For example, the orderable SKU PAN-VM-100-ENT has a single auth-code that allows you to register 100 instances of the VM-100. Each model of the VM-Series firewall is licensed for a maximum capacity. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels and SSL VPN tunnels that the VM-Series firewall is optimized to handle.
The VM-Series firewall can be deployed on the following platforms:
VM-Series for VMware vSphere Hypervisor (ESXi): VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on VMware ESXi; ideal for cloud or networks where a virtual form factor is required.
When you purchase a VM-Series firewall, you receive a set of auth-codes over email. Typically the email includes a capacity auth-code for the model purchased (VM-100, VM-200, VM-300, VM-1000-HV) and a software and support auth-code (for example, the PAN-SVC-PREM-VM-100 SKU auth-code) that provides access to software/content updates and support.
Register the VM-Series Firewall
Use the instructions in this section to register your capacity auth-code with your support account.
Log in to https://support.paloaltonetworks.com with your account credentials. Select Assets and click Add VM-Series Auth-Codes. In the Add VM-Series Auth-Code field, enter the capacity auth-code you received by email, and click the checkmark to save your input.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth-code in conjunction with the serial number is used to validate your entitlement. Activate the License •...
Upgrade the PAN-OS Software Version
Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, you need to upgrade to the latest version of PAN-OS (a support license is required).
Upgrade PAN-OS Version
From the web interface, navigate to Device > ... and make sure you have the correct VM-Series firewall license.
Migrate the License on the VM-Series Firewall
Step 5 Apply the new license. See Activate the License.
VM-Series Deployment Guide...
Set Up a VM-Series Firewall on an ESXi Server
The VM-Series firewall is distributed using the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi.
Supported Deployments
You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the following options:
One VM-Series firewall per ESXi host—Every VM server on the ESXi host passes through the firewall ...
Minimum of 40GB of virtual disk space. You can add an additional disk of up to 2TB for logging purposes.
Limitations
The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
Dedicated CPU cores are required.
Jumbo frames are not supported.
Link Aggregation is not supported.
Install a VM-Series firewall
To install a VM-Series firewall you must have access to the Open Virtualization Format (OVF) template. Use the auth code you received in your order fulfillment email to register your VM-Series firewall and gain access to the OVF template.
Provision a VM-Series Firewall (Continued)
Step 3 Deploy the OVF template. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed. From the vSphere client, select File > ...
Select the networks to use for the two initial vmNICs. The first vmNIC is used for the management interface and the second vmNIC for the first data port.
Verify connectivity to the default gateway, DNS server, and the Palo Alto Networks Update Server, as shown in the following example:
admin@VM_200-Corp> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
Troubleshoot ESXi Deployments
Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface counters, system log files, and if necessary, use debug to create captures.
The .mf extension is for the OVF manifest file that contains the SHA-1 digests of the individual files in the package. The .vmdk extension is for the virtual disk image file. ...
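As an added example (not code from the VM-Series Deployment Guide), the following Python checker parses the .mf manifest described above and verifies the digest of every listed file before the OVF package is deployed, reporting tampered or missing files; the package file names and contents are constructed for the demonstration.

```python
"""Verify an OVF package against its .mf manifest (added example, not code
from the VM-Series Deployment Guide). Each .mf line has the form
SHA1(<filename>)= <hex>; SHA256 lines from newer OVF tools are accepted too.
The sample package below is constructed inline so the check runs offline."""
import hashlib
import os
import re
import tempfile

_MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+?)\)\s*=\s*([0-9a-fA-F]+)\s*$")
_ALGOS = {"SHA1": "sha1", "SHA256": "sha256"}


def parse_manifest(text):
    """Return {filename: (hashlib algorithm name, hexdigest)} for a .mf file."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _MF_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line %d: %r" % (lineno, line))
        algo, name, digest = m.groups()
        entries[name] = (_ALGOS[algo], digest.lower())
    return entries


def file_digest(path, algo):
    """Stream the file through hashlib so a multi-GB .vmdk never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(package_dir, manifest_name):
    """Check every manifest entry; return {filename: 'ok'|'mismatch'|'missing'}."""
    with open(os.path.join(package_dir, manifest_name)) as f:
        entries = parse_manifest(f.read())
    results = {}
    for name, (algo, expected) in entries.items():
        path = os.path.join(package_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if file_digest(path, algo) == expected else "mismatch"
    return results


def build_sample_package():
    """Constructed package: a tiny .ovf and .vmdk with a matching .mf, plus one
    tampered file and one listed-but-absent file to exercise the failure paths."""
    d = tempfile.mkdtemp()
    files = {"PA-VM.ovf": b"<Envelope/>", "PA-VM-disk1.vmdk": b"KDMV" + b"\0" * 64}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    lines = ["SHA1(%s)= %s" % (n, hashlib.sha1(b).hexdigest()) for n, b in files.items()]
    lines.append("SHA1(PA-VM-disk2.vmdk)= " + "0" * 40)  # listed in .mf but not shipped
    with open(os.path.join(d, "PA-VM.mf"), "w") as f:
        f.write("\n".join(lines) + "\n")
    with open(os.path.join(d, "PA-VM-disk1.vmdk"), "ab") as f:
        f.write(b"X")  # tamper with the disk image after the manifest was written
    return d


if __name__ == "__main__":
    for name, status in sorted(verify_package(build_sample_package(), "PA-VM.mf").items()):
        print(name, status)
```

A package whose manifest reports any mismatch or missing file should not be deployed; re-download it from the support portal instead.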
Modify the base image file (only if using the VM-1000-HV license in standalone mode)
Step 3 Change the number of virtual CPU cores allotted from 2 to 4 or 8 as desired for your deployment: <Item>...
Connectivity Issues
Why is the VM-Series firewall not receiving any network traffic? On the VM-Series firewall, check the traffic logs (Monitor > ...). If the logs are empty, use the following CLI ...
Set Up a VM-Series Firewall on the Citrix SDX Server
To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunction with the NetScaler VPX secures application delivery along with network security, availability, performance, and visibility.
About the VM-Series Firewall on the SDX Server
One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the network; ...
System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.
Requirements
You can deploy multiple instances of the VM-Series firewall on the Citrix SDX server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the SDX server, make sure to conform to the specifications below to ensure optimal performance.
Supported Deployments
In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX. ...
VM-Series Firewall with L3 Interfaces
Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed.
For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, the VM-Series firewall requires a default route that points to the SNIP (192.168.1.1 in this example).
VM-Series Firewall Before the NetScaler VPX
In this scenario, the perimeter firewall is replaced with the VM-Series firewall, which can be deployed using L3, L2, or virtual wire interfaces. All traffic on your network is secured by the VM-Series firewall before the request reaches the NetScaler VPX and is forwarded to the servers.
Install the VM-Series Firewall
A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the SDX server. If you have not already registered the capacity auth-code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall.
Provision the VM-Series Firewall on the SDX Server
Step 1 Access the SDX server. Launch the web browser and connect to the SDX server.
Step 2 Create the VM-Series firewall.
Secure North-South Traffic with the VM-Series Firewall
This section includes information on the following deployments:
Deploy the VM-Series Firewall Using L3 Interfaces ...
Topology After Adding the VM-Series Firewall
The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Getting Started Guide.
Set up the VM-Series Firewall to Process North-South Traffic Using L3 Interfaces (Continued)
(Optional) To enable you to ping or SSH in to the interface, select Advanced > ... and expand the ...
Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in an L2 or a virtual wire deployment.
Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces (Continued)
Step 2 Re-cable the server-side interface assigned to the NetScaler VPX. If you have already deployed a NetScaler VPX and are now adding ...
Step 4 Create a basic policy rule to allow traffic. Select Policies > ..., and click ...
Topology after adding the VM-Series firewall
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Getting Started Guide.
Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces (Continued)
Step 3 Configure the data interfaces. Launch the web interface of the firewall. Select Network > ...
Secure East-West Traffic with the VM-Series Firewall
The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network.
Topology After Adding the VM-Series Firewall
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows: All incoming requests are authenticated and the SSL connection is terminated on the first instance of the ...
... based on protocol, to the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the source IP address for the request is set as 172.168.10.3 and is routed to the VM-Series firewall at 172.168.10.2.
The VM-Series NSX Edition Firewall
The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all datacenter traffic including intra-host virtual machine communications.
NSX, VMware's Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on ESXi servers. The term software-defined data center (SDDC) is a VMware term that refers to a datacenter where infrastructure—compute resources, network and storage—is virtualized using VMware NSX.
VM-Series NSX edition firewall. Panorama must be able to connect to the NSX Manager, the vCenter server, the VM-Series firewalls and the Palo Alto Networks update server. The minimum system requirement for Panorama is as follows: •...
Networks NGFW service on the NSX Manager).
Panorama
Panorama is used to register the NSX edition of the VM-Series firewall as the Palo Alto Networks NGFW service on the NSX Manager. Registering the Palo Alto Networks NGFW service on the NSX Manager allows the NSX Manager to deploy the NSX edition of the VM-Series firewall on each ESXi host in the ESXi cluster.
Panorama and the NSX Manager. Panorama is configured with the IP address and access credentials to initiate a connection and register the Palo Alto Networks NGFW service on the NSX Manager. The configuration includes the URL for accessing the VM-Series base image that is required to deploy the VM-Series NSX edition firewall, the authorization code for retrieving the license and the device group to which the VM-Series firewalls will belong.
Firewall; these rules determine the traffic from which guests in the cluster is steered to the VM-Series firewall. The second set of rules (Palo Alto Networks next-generation firewall rules) is defined on Panorama and pushed to the VM-Series firewalls. These are the security enforcement rules for the traffic that is steered to the Palo Alto Networks NGFW service.
For traffic that needs to be inspected and secured by the VM-Series firewall, the NSX service composer policies redirect the traffic to the Palo Alto Networks NGFW service. This traffic is then steered to the VM-Series firewall and is first processed by the VM-Series firewall before it goes to the virtual switch.
The VM-Series NSX Edition Firewall then enforces security policy by matching on source or destination IP address—the use of Dynamic Address Groups allows the firewall to populate the members of the groups in real time—and forwards the traffic to the filters on the NSX Firewall.
On Panorama, you can then create three Dynamic Address Groups to match objects that are tagged as Database, Application and WebFrontEnd. Then, in security policy you can use the Dynamic Address Groups as source or destination objects, define the applications that are permitted to traverse these servers, and push the rules to the VM-Series firewalls.
Sturdier Centralized Management—The firewalls deployed using this solution are licensed and managed by Panorama, the Palo Alto Networks central management tool. Using Panorama to manage both the perimeter and datacenter firewalls (the hardware-based and virtual firewalls) allows you to centralize policy management and maintain agility and consistency in policy enforcement throughout the network.
Deploy the VM-Series NSX Edition Firewall
To deploy the NSX edition of the VM-Series firewall, use the following workflow:
Step 1: Set up the Components—To deploy the VM-Series NSX edition, set up the following components: –...
Create a Device Group and Template on Panorama
To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group; adding a firewall to a template is optional. Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; ...
Use Panorama to Register the VM-Series Firewall as a Service
Step 1 Log in to the Panorama web interface. Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).
Verify that the firewall is registered as a service on the NSX Manager. On the vSphere web client, select Networking & Security > Service Definitions. Verify that Palo Alto Networks NGFW displays in the list of services available for installation.
VM-Series firewall must secure traffic. The port groups are defined on the Palo Alto Networks NGFW service profile. The Palo Alto Networks NGFW service profile simplifies the process of deploying the VM-Series firewall; once configured, the data traffic from the selected port group will be checked against the NSX security policies.
Select the Port Groups from which to Redirect Traffic to the Palo Alto Networks NGFW
Select Networking and Security > Service Definitions, and double click the Palo Alto Networks NGFW service. Click the link to view the profile for the service instance.
Deploy the Palo Alto Networks NGFW Service
Use the following steps to automate the process of deploying an instance of the VM-Series NSX edition firewall on each ESXi host in the specified cluster.
Select Networking and Security > Installation > Service Deployments. Click New Service Deployment (green plus icon), and select the Palo Alto Networks NGFW service. Click Next.
Select the port group that provides management network traffic access to the firewall. Select the IP address pool from which to assign a management IP address for each firewall when it is being deployed.
Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama. Select to verify that the firewalls are connected and synchronized.
Apply Policies to the VM-Series Firewall
Define Policies on the NSX Manager
In order for the VM-Series firewall to secure the traffic, you must first create security groups on the NSX Manager and assign virtual machines (guests) to the groups.
Select the service profile that you created earlier (Palo Alto Networks profile 1 in this workflow). This profile specifies the networks/port groups from which the firewall receives data traffic. It performs network introspection services on the port specified in the profile.
Do not apply the traffic redirection policies that you created above unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped.
Define Policy on Panorama
Step 1 Create Dynamic Address Groups. Log in to the Panorama web interface. Select Object > Address Groups. Select the Device Group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
Step 2 Create security policies. Select Policies > Security. Select the Device Group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
Step 3 Apply the policies to the VM-Series NSX edition firewalls. Click Commit, and select Commit Type as Device Groups. Select the device group (NSX Device Group in this example) and commit. Verify that the commit is successful.
The last step in the process of deploying the VM-Series NSX Edition firewall is to apply the redirection policies to the security groups on the NSX Manager.
Apply the Security Policies on the NSX Manager
Select Networking and Security > ...