PaloAlto Networks VM-100 Deployment Manual
  1. Manuals
  2. Brands
  3. PaloAlto Networks Manuals
  4. Firewall
  5. VM-100
  6. Deployment manual
PaloAlto Networks VM-100 Deployment Manual

PaloAlto Networks VM-100 Deployment Manual

Vm-series firewall deployment guide
Hide thumbs
Table of Contents

Advertisement

Quick Links

®
Palo Alto Networks
VM-Series Deployment Guide
PAN-OS 6.0

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the VM-100 and is the answer not in the manual?

Questions and answers

Related Manuals for PaloAlto Networks VM-100

Summary of Contents for PaloAlto Networks VM-100

  • Page 1 ® Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.0...

  • Page 2: About This Guide

    To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com. Palo Alto Networks, Inc. www.paloaltonetworks.com © 2014 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.

  • Page 3: Table Of Contents

    Table of Contents Table of Contents About the VM-Series Firewall........1 VM-Series Models .
  • Page 4 Table of Contents The VM-Series NSX Edition Firewall ......41 VM-Series NSX Edition Firewall Overview..........42 What are the Components of the Solution? .

  • Page 5: About The Vm-Series Firewall

    About the VM-Series Firewall The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized data center environment where it can protect and secure traffic for private and public cloud deployments.

  • Page 6: Vm-Series Models

    VM-Series firewall. The Enterprise version is available in multiples of 25. For example, the orderable SKU PAN-VM-100-ENT has a single auth-code that allows you to register 100 instances of the VM-100. Each model of the VM-Series firewall is licensed for a maximum capacity. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels and SSL VPN tunnels that the VM-Series firewall is optimized to handle.

  • Page 7: Vm-Series Deployments

    The VM-Series firewall can be deployed on the following platforms:  VM-Series for VMware vSphere Hypervisor (ESXi) VM-100, VM-200, VM-300, or VM-1000-HV is deployed as guest virtual machine on VMware ESXi; ideal for cloud or networks where virtual form factor is required.

  • Page 8: License The Vm-Series Firewall

    When you purchase a VM-Series firewall, you receive a set of auth-codes over email. Typically the email includes a capacity auth-code for the model purchased (VM-100, VM-200, VM300, VM-1000-HV), a software and support auth-code (for example, PAN-SVC-PREM-VM-100 SKU auth-code) that provides access to software/content updates and support.

  • Page 9: Register The Vm-Series Firewall

    Register the VM-Series Firewall Use the instructions in this section to register your capacity auth-code with your support account. Register the VM-Series Firewall Log in to https://support.paloaltonetworks.com with your account credentials. Select and click Assets Add VM-Series Auth-Codes In the field, enter the capacity auth-code you received by email, and click the checkmark Add VM-Series Auth-Code to save your input.
  • Page 10 When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth-code in conjunction with the serial number is used to validate your entitlement. Activate the License •...

  • Page 11: Upgrade The Pan-Os Software Version

    Upgrade the PAN-OS Software Version Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, you need to upgrade to the latest version of PAN-OS (a support license is required). Upgrade PAN-OS Version From the web interface, navigate to and make sure you have the correct VM-Series firewall license Device >...
  • Page 12 Migrate the License on the VM-Series Firewall Step 5 Apply the new license. Activate the License. VM-Series Deployment Guide...

  • Page 13: Set Up A Vm-Series Firewall On An Esxi Server

    Set Up a VM-Series Firewall on an ESXi Server The VM-Series firewall is distributed using the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi.

  • Page 14: Supported Deployments

    Supported Deployments Set Up a VM-Series Firewall on an ESXi Server Supported Deployments You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the following options: One VM-Series firewall per ESXi host—Every VM server on the ESXi host passes through the firewall ...

  • Page 15: System Requirements And Limitations

    Minimum of 40GB of virtual disk space. You can add an additional disk of up to 2TB for logging purposes.  Limitations The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations: Dedicated CPU cores are required.
  • Page 16 System Requirements and Limitations Set Up a VM-Series Firewall on an ESXi Server Jumbo frames are not supported.  Link Aggregation is not supported.  VM-Series Deployment Guide...

  • Page 17: Install A Vm-Series Firewall

    Set Up a VM-Series Firewall on an ESXi Server Install a VM-Series firewall Install a VM-Series firewall To install a VM-Series firewall you must have access to the OVF) template. Use the Open Virtualization Format ( auth code you received in your order fulfillment email to register your VM-Series firewall and gain access to the OVF template.
  • Page 18 Install a VM-Series firewall Set Up a VM-Series Firewall on an ESXi Server Provision a VM-Series Firewall (Continued) Step 3 Deploy the OVF template. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed. From the vSphere client, select File >...

  • Page 19: Perform Initial Configuration

    Set Up a VM-Series Firewall on an ESXi Server Install a VM-Series firewall Provision a VM-Series Firewall (Continued) Select the networks to use for the two initial vmNICs. The first vmNIC will be used for the management interface and the second vmNIC for the first data port.
  • Page 20 Verify connectivity to the default gateway, DNS server, and the Palo Alto Networks Update Server. the Palo Alto Networks Update Server as shown in the following example: admin@VM_200-Corp> ping host updates.paloaltonetworks.com PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.

  • Page 21: Troubleshoot Esxi Deployments

    Set Up a VM-Series Firewall on an ESXi Server Troubleshoot ESXi Deployments Troubleshoot ESXi Deployments Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface counters, system log files, and if necessary, use debug to create captures.
  • Page 22 Troubleshoot ESXi Deployments Set Up a VM-Series Firewall on an ESXi Server The mf extension is for the OVF manifest file that contains the SHA-1 digests of individual files in the  package. The vmdk extension is for the virtual disk image file. ...

  • Page 23: Licensing Issues

    Set Up a VM-Series Firewall on an ESXi Server Troubleshoot ESXi Deployments Modify the base image file (only if using the VM-1000-HV license in standalone mode) Step 3 Change the number of virtual CPU cores allotted from 2 to 4 or 8 as desired for your deployment: <Item>...

  • Page 24: Connectivity Issues

    Troubleshoot ESXi Deployments Set Up a VM-Series Firewall on an ESXi Server Connectivity Issues Why is the VM-Series firewall not receiving any network traffic? On the VM-Series firewall. check the traffic logs ( ). If the logs are empty, use the following CLI Monitor >...

  • Page 25: Set Up A Vm-Series Firewall On The Citrix Sdx Server

    Set Up a VM-Series Firewall on the Citrix SDX Server To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunction with the NetScaler VPX secures application delivery along with network security, availability, performance, and visibility.

  • Page 26: About The Vm-Series Firewall On The Sdx Server

    About the VM-Series Firewall on the SDX Server Set Up a VM-Series Firewall on the Citrix SDX Server About the VM-Series Firewall on the SDX Server One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the network;...

  • Page 27: System Requirements And Limitations

    Set Up a VM-Series Firewall on the Citrix SDX Server System Requirements and Limitations System Requirements and Limitations This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server. Requirements You can deploy multiple instances of the VM-Series firewall on the Citrix SDX server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the SDX server, make sure to conform to the specifications below to ensure optimal performance.

  • Page 28: Supported Deployments

    Supported Deployments Set Up a VM-Series Firewall on the Citrix SDX Server Supported Deployments In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX. ...
  • Page 29 Set Up a VM-Series Firewall on the Citrix SDX Server Supported Deployments VM-Series Firewall with L3 Interfaces Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed.
  • Page 30 Supported Deployments Set Up a VM-Series Firewall on the Citrix SDX Server For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, then the VM-Series firewall requires a default route that points to the SNIP 192.168.1.1, in this example.

  • Page 31: Scenario 2-Secure East-West Traffic

    Set Up a VM-Series Firewall on the Citrix SDX Server Supported Deployments VM-Series Firewall Before the NetScaler VPX In this scenario, the perimeter firewall is replaced with the VM-Series firewall that can be deployed using L3, L2, or virtual wire interfaces. All traffic on your network is secured by the VM-Series firewall before the request reaches the NetScaler VPX and is forwarded to the servers.

  • Page 32: Install The Vm-Series Firewall

    Install the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server Install the VM-Series Firewall A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the SDX server. If you have not already registered the capacity auth-code that you received with the order fulfillment email, with your support account, see Register the VM-Series Firewall.

  • Page 33: Provision The Vm-Series Firewall

    Set Up a VM-Series Firewall on the Citrix SDX Server Install the VM-Series Firewall Provision the VM-Series Firewall Provision the VM-Series Firewall on the SDX Server Step 1 Access the SDX server. Launch the web browser and connect to the SDX server. Step 2 Create the VM-Series firewall.

  • Page 34: Secure North-South Traffic With The Vm-Series Firewall

    Secure North-South Traffic with the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server Secure North-South Traffic with the VM-Series Firewall This section includes information on the following deployments:  Deploy the VM-Series Firewall Using L3 Interfaces ...
  • Page 35 Set Up a VM-Series Firewall on the Citrix SDX Server Secure North-South Traffic with the VM-Series Firewall Topology After Adding the VM-Series Firewall The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the .
  • Page 36 Secure North-South Traffic with the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server Set up the VM-Series Firewall to Process North-South Traffic Using L3 interfaces (Continued) (Optional) To enable you to ping or SSH in to the interface, select , expand the Advanced >...

  • Page 37: Deploy The Vm-Series Firewall Using Layer 2 (L2) Or Virtual Wire Interfaces

    Set Up a VM-Series Firewall on the Citrix SDX Server Secure North-South Traffic with the VM-Series Firewall Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in a L2 or a virtual wire deployment.
  • Page 38 Secure North-South Traffic with the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces (Continued) Step 2 Re-cable the server-side interface If you have already deployed a NetScaler VPX and are now adding assigned to the NetScaler VPX.

  • Page 39: Deploy The Vm-Series Firewall Before The Netscaler Vpx

    Set Up a VM-Series Firewall on the Citrix SDX Server Secure North-South Traffic with the VM-Series Firewall Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces (Continued) Step 4 Create a basic policy rule to allow traffic Select , and click Policies >...
  • Page 40 Secure North-South Traffic with the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server Topology after adding the VM-Series firewall The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Getting Started Guide.
  • Page 41 Set Up a VM-Series Firewall on the Citrix SDX Server Secure North-South Traffic with the VM-Series Firewall Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces (Continued) Step 3 Configure the data interfaces. Launch the web interface of the firewall. Select Network >...

  • Page 42: Secure East-West Traffic With The Vm-Series Firewall

    Secure East-West Traffic with the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server Secure East-West Traffic with the VM-Series Firewall The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network.
  • Page 43 Set Up a VM-Series Firewall on the Citrix SDX Server Secure East-West Traffic with the VM-Series Firewall Topology After Adding the VM-Series Firewall When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows: All incoming requests are authenticated and the SSL connection is terminated on the first instance of the ...
  • Page 44 Secure East-West Traffic with the VM-Series Firewall Set Up a VM-Series Firewall on the Citrix SDX Server based on protocol, to the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the source IP address for the request is set as 172.168.10.3 and is routed to the VM-Series firewall at 172.168.10.2.

  • Page 45: The Vm-Series Nsx Edition Firewall

    The VM-Series NSX Edition Firewall The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all datacenter traffic including intra-host virtual machine communications.

  • Page 46: Vm-Series Nsx Edition Firewall Overview

    NSX, VMware's Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on ESXi servers. The term software-defined data center (SDDC) is a VMware term that refers to a datacenter where infrastructure—compute resources, network and storage—is virtualized using VMware NSX.
  • Page 47 VM-Series NSX edition firewall. Panorama must be able to connect to the NSX Manager, the vCenter server, the VM-Series firewalls and the Palo Alto Networks update server. The minimum system requirement for Panorama is as follows: •...
  • Page 48 Networks NGFW service on the NSX Manager). Panorama Panorama is used to register the NSX edition of the VM-Series firewall as the Palo Alto Networks NGFW service on the NSX Manager. Registering the Palo Alto Networks NGFW service on the NSX Manager allows the NSX Manager to deploy the NSX edition of the VM-Series firewall on each ESXi host in the ESXi cluster.

  • Page 49: How Do The Components Work Together

    Panorama and the NSX Manager. Panorama is configured with the IP address and access credentials to initiate a connection and register the Palo Alto Networks NGFW service on the NSX Manager. The configuration includes the URL for accessing the VM-Series base image that is required to deploy the VM-Series NSX edition firewall, the authorization code for retrieving the license and the device group to which the VM-Series firewalls will belong.
  • Page 50 Firewall; these rules determine traffic from which guests in the cluster are steered to the VM-Series firewall. The second set of rules (Palo Alto Networks next-generation firewall rules) is defined on Panorama and pushed to the VM-Series firewalls. These are security enforcement rules for the traffic that is steered to the Palo Alto Networks NGFW service.
  • Page 51 For traffic that needs to be inspected and secured by the VM-Series firewall, the NSX service composer policies redirect the traffic to the Palo Alto Networks NGFW service. This traffic is then steered to the VM-Series firewall and is first processed by the VM-Series firewall before it goes to the virtual switch.
  • Page 52 VM-Series NSX Edition Firewall Overview The VM-Series NSX Edition Firewall then enforces security policy by matching on source or destination IP address—the use of Dynamic Address Groups allows the firewall to populate the members of the groups in real time—and forwards the traffic to the filters on the NSX Firewall.
  • Page 53 The VM-Series NSX Edition Firewall VM-Series NSX Edition Firewall Overview On Panorama, you can then create three Dynamic Address Groups to match objects that are tagged as Database, Application and WebFrontEnd. Then, in security policy you can use the Dynamic Address Groups as source or destination objects, define the applications that are permitted to traverse these servers, and push the rules to the VM-Series firewalls.

  • Page 54: What Are The Benefits Of The Solution

    Sturdier Centralized Management—The firewalls deployed using this solution are licensed and managed  by Panorama, the Palo Alto Networks central management tool. Using Panorama to manage both the perimeter and datacenter firewalls (the hardware-based and virtual firewalls) allows you to centralize policy management and maintain agility and consistency in policy enforcement throughout the network.

  • Page 55: Deploy The Vm-Series Nsx Edition Firewall

    The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall To deploy the NSX edition of the VM-Series firewall, use the following workflow:  Step 1: Set up the Components—To deploy the VM-Series NSX edition, set up the following components: –...

  • Page 56: Create A Device Group And Template On Panorama

    Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall Create a Device Group and Template on Panorama To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group; adding a firewall to a template is optional. Device groups allows you to assemble firewalls that need similar policies and objects as a logical unit;...
  • Page 57 The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall Use Panorama to Register the VM-Series Firewall as a Service Step 1 Log in to the Panorama web interface. Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).
  • Page 58 Verify that the firewall is registered as a service on the NSX Manager. On the vSphere web client, select Networking & Security > Service Definitions Verify that displays in the list of services available for installation. Palo Alto Networks NGFW VM-Series Deployment Guide...

  • Page 59: Deploy The Vm-Series Firewall

    VM-Series firewall must secure traffic. The port groups are defined on the Palo Alto Networks NGFW service profile. The Palo Alto Networks NGFW service profile simplifies the process of deploying the VM-Series firewall; once configured, the data traffic from the selected port group will be checked against the NSX security policies.
  • Page 60 Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall Select the Port Groups from which to Redirect Traffic to the Palo Alto Networks NGFW Select , and double click the service. Networking and Security > Service Definitions Palo Alto Networks NGFW Click the link to view the profile for the service instance.
  • Page 61 More Tasks following tasks: Deploy the Palo Alto Networks NGFW Service Use the following steps to automate the process of deploying an instance of the VM-Series NSX edition firewall on each ESXi host in the specified cluster.
  • Page 62 Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall Deploy the Palo Alto Networks NGFW Service Select Networking and Security > Installation > Service Deployments Click (green plus icon), and select the service. Click New Service Deployment Palo Alto Networks NGFW Next.
  • Page 63 The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall Deploy the Palo Alto Networks NGFW Service Select the port group that provides management network traffic access to the firewall. Select the IP address pool from which to assign a management IP address for each firewall when it is being deployed.

  • Page 64: Create Policies

    Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall Deploy the Palo Alto Networks NGFW Service Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama. Select to verify that the firewalls are connected and synchronized.
  • Page 65 The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall  Define Policies on the NSX Manager  Apply Policies to the VM-Series Firewall Define Policies on the NSX Manager In order for the VM-Series firewall to secure the traffic, you must first create security groups on the NSX Manager and assign virtual machines (guests) to the groups.
  • Page 66 Select the service profile that you created earlier; in this workflow This profile Palo Alto Networks profile 1 specifies the networks/port groups from which the firewall receives data traffic. It will perform network introspection services on the port specified in the profile.
  • Page 67 The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall Do not apply the traffic redirection policies that you created above unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped.
  • Page 68 Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall Define Policy on Panorama Step 1 Create Dynamic Address Groups. Log in to the Panorama web interface. Select Object > Address Groups Select the that you Device Group created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
  • Page 69 The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall Define Policy on Panorama Step 2 Create security policies. Select Policies > Security Select the that you Device Group created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
  • Page 70 Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall Define Policy on Panorama Step 3 Apply the policies to the VM-Series NSX Click , and select Commit Type as Commit Device Groups edition firewalls. Select the device group, NSX Device Group in this example and click Verify that the commit is successful.
  • Page 71 The VM-Series NSX Edition Firewall Deploy the VM-Series NSX Edition Firewall  The last step in the process of deploying the VM-Series NSX Edition firewall is to apply the redirection policies to the security groups on the NSX Manager. Apply the Security Policies on the NSX Manager Select Networking and Security >...
  • Page 72 Deploy the VM-Series NSX Edition Firewall The VM-Series NSX Edition Firewall VM-Series Deployment Guide...

This manual is also suitable for:

Vm-200Vm-1000-hvVm-300

Table of Contents