Palo Alto Networks ® VM-Series Deployment Guide, PAN-OS 6.0
Contact Information
Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About this Guide
This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to deploy the VM-Series firewall. For more information, refer to the following sources:
PAN-OS Administrator's Guide: instructions on configuring the features on the firewall. https://paloaltonetworks.
Table of Contents
About the VM-Series Firewall
  VM-Series Models
  VM-Series Deployments
  License the VM-Series Firewall
Set Up a VM-Series NSX Edition Firewall
  VM-Series NSX Edition Firewall Overview
  Deploy the VM-Series NSX Edition Firewall
About the VM-Series Firewall The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south traffic.
VM-Series Models
The VM-Series firewall is available in four models: VM-100, VM-200, VM-300, and VM-1000-HV. All four models can be deployed as guest virtual machines on VMware ESXi and on Citrix NetScaler SDX; on VMware NSX, only the VM-1000-HV is supported. The software package (.xva or .ovf file) used to deploy the VM-Series firewall is common across all models; the capacity license you apply determines the model.
VM-Series Deployments
The VM-Series firewall can be deployed on the following platforms:
VM-Series for VMware vSphere Hypervisor (ESXi): the VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on VMware ESXi; ideal for cloud environments or networks where a virtual form factor is required. For details, see Set Up a VM-Series Firewall on an ESXi Server.
Deployment | Hypervisor Versions Supported | Base Image Required from the Palo Alto Networks Support Portal | Relevant Capacity Licenses
VM-Series for VMware NSX (vSphere with VMware NSX and Panorama) | NSX 5.5 | PAN-OS for VM-Series NSX Base Images (for example, the downloadable image name reads PA-VM-NSX-6.0.0.zip) | VM-1000-HV
VM-Series for Citrix SDX | SDX version 10.1+, XenServer version 6.0 |
License the VM-Series Firewall
When you purchase a VM-Series firewall, you receive a set of auth-codes by email. Typically the email includes a capacity auth-code for the model purchased (VM-100, VM-200, VM-300, or VM-1000-HV) and a software and support auth-code (for example, the auth-code for the PAN-SVC-PREM-VM-100 SKU) that provides access to software/content updates and support.
Register the VM-Series Firewall
Use the instructions in this section to register your capacity auth-code with your support account.
1. Log in to https://support.paloaltonetworks.com with your account credentials.
2. Select Assets and click Add VM-Series Auth-Codes.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth-code in conjunction with the serial number is used to validate your entitlement. Because the serial number is derived from these two values, anything that changes them (cloning the VM, or moving it to a host with a different CPU) affects the license; see Migrate the License on the VM-Series Firewall.
Activate the License
If your VM-Series firewall does not have Internet access:
1. Navigate to Device > Licenses and click the Activate Feature using Auth Code link.
2. Click Download Authorization File, and download the authorizationfile.txt on the client machine.
3. Copy the authorizationfile.txt to a computer that has access to the Internet and log in to the support portal.
If you have purchased an evaluation auth-code, you can license up to 5 VM-Series firewalls with the VM-1000-HV capacity license for a period of 30 or 60 days. Because this solution allows you to deploy one VM-Series firewall per ESXi host, the ESXi cluster can include a maximum of 5 ESXi hosts when using an evaluation license.
Migrate the License on the VM-Series Firewall
Step 1 Power off the VM-Series firewall.
Step 2 Clone the VM-Series firewall. If you are manually cloning, when prompted indicate that you are copying and not moving the firewall.
Step 3 Power on the new instance of the VM-Series firewall.
1. Launch the serial console of the firewall on the vSphere/SDX web interface and enter the following command: show system info
Monitor Changes in the Virtual Environment
In a legacy client-server architecture with physical infrastructure resources, security administrators controlled the deployment of servers on the network and had visibility over the applications that traversed the network; security policies were based on static IP addresses.
Set up the VM Monitoring Agent
Step 1 Enable the VM Monitoring Agent.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
a. A Name to identify the VMware ESX(i) or vCenter server that you want to monitor.
Note: Up to 10 sources can be configured for each firewall, or for each virtual system on a firewall that supports multiple virtual systems.
Set up the VM Monitoring Agent (Continued)
Step 2 Verify the connection status.
1. Verify that the connection Status displays as connected. If the connection status is pending or disconnected, verify that the source is operational and that the firewall is able to access the source.
Platform | Maximum number of dynamically registered IP addresses
PA-2000 Series, PA-500, PA-200, VM-300, VM-200, VM-100 | 1000

The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to: Enable the VM Monitoring agent on the firewall, to monitor the VMware ESX(i) host or vCenter Server and register VM IP addresses and the associated tags.
Use Dynamic Address Groups in Policy (Continued)
Step 2 Create dynamic address groups on the firewall.
1. Log in to the web interface of the firewall.
2. Select Objects > Address Groups.
3. Click Add and enter a Name and a Description for the address group.
4. Select Type as Dynamic.
5. Define the match criteria.
Note: View the tutorial to see a big-picture view of the feature.
Use Dynamic Address Groups in Policy (Continued)
Step 3 Use dynamic address groups in policy.
1. Select Policies > Security.
2. Click Add and enter a Name and a Description for the policy.
3. Add the Source Zone to specify the zone from which the traffic originates.
4. Add the Destination Zone at which the traffic is terminating.
Note: View the tutorial.
Attributes Monitored on a VMware Source
When the firewall is configured to monitor VM Information Sources, the following metadata elements or attributes are monitored on each VMware source:
• UUID
• Name
• Guest OS
• VM State — the power state can be poweredOff, poweredOn, standBy, or unknown.
Set Up a VM-Series Firewall on an ESXi Server The VM-Series firewall is distributed using the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi. In order to deploy a VM-Series firewall you must be familiar with VMware and vSphere including vSphere networking, ESXi host setup and configuration, and virtual machine guest deployment.
Supported Deployments on VMware vSphere Hypervisor (ESXi)
You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology.
System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM-Series firewall, see Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).
Requirements
You can create and deploy multiple instances of the VM-Series firewall on an ESXi server.
• Dedicated CPU cores are recommended.
• Only High Availability (HA) lite is supported (active/passive with no stateful failover).
• High Availability (HA) Link Monitoring is only supported on VMware ESXi installations that support DirectPath I/O.
• Up to 10 total ports can be configured; this is a VMware limitation. One port is used for management traffic and up to 9 can be used for data traffic.
Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)
To install a VM-Series firewall you must have access to the Open Virtualization Format (OVF) template. Use the auth code you received in your order fulfillment email to register your VM-Series firewall and gain access to the OVF template. The OVF is downloaded as a zip archive that is expanded into three files: the .
Provision a VM-Series Firewall (Continued)
Step 2 Before deploying the OVF template, set up the virtual standard switch(es) and virtual distributed switch(es) that you will need for the VM-Series firewall.
To configure a virtual standard switch to receive frames for the VM-Series firewall:
1. Configure a virtual standard switch from the vSphere Client by
Provision a VM-Series Firewall (Continued)
Step 3 Deploy the OVF template.
1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
2. From the vSphere client, select File > Deploy OVF Template.
3. Browse to the OVF template that you downloaded in Step 1, select the file and then click Next.
Provision a VM-Series Firewall (Continued)
8. Select the networks to use for the two initial vmNICs. The first vmNIC is used for the management interface and the second vmNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
9. Review the details window, select the Power on after deployment check box and then click Next.
Configure the Management Interface
Step 1 Gather the required information from your network administrator.
• IP address for MGT port
• Netmask
• Default gateway
• DNS server IP address
Step 2
Step 3 Access the console of the VM-Series firewall.
1. Select the Console tab on the ESXi server for the VM-Series firewall, or right-click the VM-Series firewall and select Open Console.
Troubleshoot ESXi Deployments
Many of the troubleshooting steps for the VM-Series firewall are very similar to those for the hardware versions of PAN-OS. When problems occur, you should check interface counters and system log files, and if necessary use debug to create packet captures. For more details on PAN-OS troubleshooting, refer to the article on Packet Based Troubleshooting.
The vmdk extension is for the virtual disk image file. The virtual disk in the OVF is large for the VM-Series; this file is nearly 900 MB and must be present on the computer running the vSphere client or must be accessible as a URL for the OVF. Make sure the network connection is sufficient between the vSphere client computer and the target ESXi host.
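A 900 MB disk image pulled over a slow link is exactly the kind of file that arrives truncated or corrupted, and it is also the file that becomes your firewall. OVF packages carry a manifest file (.mf) whose lines have the form ALGO(filename)= hexdigest, one per file in the package. The following is an added example, not code from the guide or from Palo Alto Networks: it parses such a manifest and verifies every file in the package against it before the OVF is handed to the vSphere client. The file names, file contents and manifest are constructed inline for the example (the "disk" is a few bytes rather than the real image); nothing in it is a real Palo Alto image or digest.

```python
import hashlib
import re

# Constructed stand-ins for the files the guide says the OVF zip expands into
# (descriptor and virtual disk shown; names and contents are made up, and the
# "disk" is a few bytes rather than the ~900 MB real image).
PACKAGE_FILES = {
    "PA-VM-6.0.0.ovf": b"<Envelope>constructed OVF descriptor</Envelope>",
    "PA-VM-6.0.0-disk1.vmdk": b"KDMV" + bytes(range(64)),
}

# One manifest entry per line, in the OVF .mf format: ALGO(filename)= hexdigest
MANIFEST_ENTRY = re.compile(r"^(SHA1|SHA256)\((.+)\)=\s*([0-9a-fA-F]+)\s*$")


def digest(algo, data):
    """Hex digest of data with the algorithm named in a manifest entry."""
    return hashlib.new(algo.lower(), data).hexdigest()


def build_manifest(files, algo="SHA256"):
    """Write a manifest for a set of files; used here only to construct example input."""
    return "".join(f"{algo}({name})= {digest(algo, data)}\n" for name, data in files.items())


def verify_manifest(manifest_text, files):
    """Check every manifest entry against the package and flag files the manifest omits.

    Returns (ok, problems): ok is True only when every file hashes correctly and
    nothing in the package is unaccounted for.
    """
    problems = []
    covered = set()
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        if not line.strip():
            continue
        match = MANIFEST_ENTRY.match(line)
        if not match:
            problems.append(f"line {lineno}: unparseable manifest entry")
            continue
        algo, name, expected = match.groups()
        covered.add(name)
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing from package")
            continue
        actual = digest(algo, files[name])
        if actual != expected.lower():
            problems.append(f"{name}: {algo} mismatch")
    for name in files:
        if name not in covered:
            problems.append(f"{name}: present in package but not covered by the manifest")
    return (not problems, problems)


def demo():
    """An intact package verifies; a disk image that differs by one byte is reported."""
    manifest = build_manifest(PACKAGE_FILES)
    intact = verify_manifest(manifest, PACKAGE_FILES)
    tampered_files = dict(PACKAGE_FILES)
    tampered_files["PA-VM-6.0.0-disk1.vmdk"] = PACKAGE_FILES["PA-VM-6.0.0-disk1.vmdk"] + b"\x00"
    tampered = verify_manifest(manifest, tampered_files)
    return intact, tampered


if __name__ == "__main__":
    for label, (ok, problems) in zip(("intact", "tampered"), demo()):
        print(label, "OK" if ok else "FAILED", problems)
```

The manifest catches a corrupted or partially transferred download, which is what the size warning above is about; it does not establish who produced the image, since an attacker who can replace the disk can regenerate the manifest. For that, compare the digest against the value shown on the support portal download page (assumed here to be published there) or verify the package signature if one is supplied with the download.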
Modify the base image file (only if using the VM-1000-HV license in standalone mode)
Step 3 Change the number of virtual CPU cores allotted from 2 to 4 or 8 as desired for your deployment.
[Screenshot: Virtual Machine Properties dialog, Number of Virtual CPUs set to 2 virtual CPU(s)]
Will moving the VM-Series firewall cause license invalidation?
If you are manually moving the VM-Series firewall from one host to another, be sure to select the option This guest was moved, to prevent license invalidation. (Selecting the copied option assigns a new UUID, which changes the serial number the license is bound to.)
Connectivity Issues
Why is the VM-Series firewall not receiving any network traffic?
On the VM-Series firewall, check the traffic logs (Monitor > Logs).
Set Up a VM-Series Firewall on the Citrix SDX Server To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunction with the NetScaler VPX secures application delivery along with network security, availability, performance, and visibility.
About the VM-Series Firewall on the SDX Server
One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the network; virtual wire interfaces, Layer 2 interfaces, and Layer 3 interfaces are supported. To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.
System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.
Requirements
You can deploy multiple instances of the VM-Series firewall on the Citrix SDX server.
To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.
Supported Deployments—VM Series Firewall on Citrix SDX
In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX.
VM-Series Firewall with L3 Interfaces
Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed.
For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, the servers see the real client address and reply to it, so the VM-Series firewall requires a default route that points to the SNIP (192.168.1.1 in this example) to send that return traffic back through the NetScaler VPX. If the default NAT (mapped/SNIP) IP address is used instead, the servers reply to the SNIP on the connected subnet and you do not need to define a default route on the VM-Series firewall. For instructions, see Deploy the VM-Series Firewall Using L3 Interfaces.
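The USIP note above is easy to get wrong in practice because the request path works either way; only the reply path breaks. The following added example (not code from the guide or from Palo Alto Networks) models the reply with a longest-prefix-match routing table on the VM-Series firewall and shows the three cases: USIP with only the connected route (reply dropped), USIP with a default route via the SNIP (forwarded), and SNIP-based NAT with only the connected route (forwarded). The SNIP 192.168.1.1 is the guide's; the client, server and firewall addresses are assumed for the example.

```python
import ipaddress

# Constructed L3 topology in the spirit of the guide's example: the NetScaler SNIP is
# 192.168.1.1 (from the guide); the client and web server addresses are assumed.
CLIENT = ipaddress.ip_address("203.0.113.25")   # external client (documentation range)
SNIP = ipaddress.ip_address("192.168.1.1")      # NetScaler subnet IP, from the guide
SERVER = ipaddress.ip_address("192.168.1.10")   # web server behind the VM-Series firewall

CONNECTED_ONLY = [("192.168.1.0/24", None)]                        # only the attached subnet
WITH_DEFAULT_ROUTE = CONNECTED_ONLY + [("0.0.0.0/0", str(SNIP))]  # plus default route via SNIP


class RoutingTable:
    """Longest-prefix-match lookup over (prefix, next_hop) entries; next_hop None means connected."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]

    def lookup(self, destination):
        candidates = [(net, nh) for net, nh in self.routes if destination in net]
        if not candidates:
            return None
        net, next_hop = max(candidates, key=lambda entry: entry[0].prefixlen)
        return "connected" if next_hop is None else next_hop


def forward_to_server(usip):
    """Source address the NetScaler puts on the request it forwards to the server."""
    return CLIENT if usip else SNIP


def return_path(usip, firewall_routes):
    """Decide what the VM-Series firewall does with the server's reply.

    The server answers to whatever source address it saw; with USIP that is the
    client's own address, which is not on any connected subnet of the firewall.
    """
    reply_destination = forward_to_server(usip)
    next_hop = RoutingTable(firewall_routes).lookup(reply_destination)
    if next_hop is None:
        return ("dropped", f"no route to {reply_destination}")
    return ("forwarded", f"to {reply_destination} via {next_hop}")


if __name__ == "__main__":
    for usip in (False, True):
        for name, routes in (("connected only", CONNECTED_ONLY), ("with default route", WITH_DEFAULT_ROUTE)):
            print(f"USIP={usip!s:5} routes={name:18} -> {return_path(usip, routes)}")
```

The default route must point at the SNIP rather than at some other gateway: the reply has to traverse the NetScaler that holds the connection state, otherwise the flow becomes asymmetric and the VPX never sees the server's answer.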
VM-Series Firewall Before the NetScaler VPX
In this scenario, the perimeter firewall is replaced with the VM-Series firewall, which can be deployed using L3, L2, or virtual wire interfaces. All traffic on your network is secured by the VM-Series firewall before the request reaches the NetScaler VPX and is forwarded to the servers.
Install the VM-Series Firewall on the SDX Server
A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the SDX server. If you have not already registered the capacity auth-code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall.
Provision the VM-Series Firewall on the SDX Server
Step 1 Access the SDX server. Launch the web browser and connect to the SDX server.
Step 2 Create the VM-Series firewall.
1. Select Configuration > Palo Alto VM-Series > Instances.
2. Click Add.
3. Enter a name for the VM-Series firewall.
4. Select the .xva image that you uploaded earlier.
Secure North-South Traffic with the VM-Series Firewall
This section includes information on deploying the NetScaler VPX and the VM-Series firewall on the Citrix SDX server:
• Deploy the VM-Series Firewall Using L3 Interfaces
• Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
• Deploy the VM-Series Firewall Before the NetScaler VPX (Using Virtual Wire Interfaces)
• Depl
Topology After Adding the VM-Series Firewall
The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall to Process North-South Traffic Using L3 interfaces (Continued)
8. (Optional) To enable you to ping or SSH in to the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and SSH and then click OK. Restrict the profile's Permitted IP Addresses to your management hosts; a management profile that allows SSH on a data interface otherwise exposes the firewall's management services to that network segment.
9. To save the interface configuration, click OK.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in an L2 or a virtual wire deployment. The VM-Series firewall secures traffic destined to the servers.
Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces (Continued)
Step 2 Re-cable the server-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when re-cabled, evaluate whether you would like to perform this task during a maintenance window.
Step 3 Configure the data interfaces.
Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces (Continued)
Step 4 Create a basic policy rule to allow traffic through the firewall. This example shows how to enable traffic between the NetScaler VPX and the web servers.
1. Select Policies > Security, and click Add.
2. Give the rule a descriptive name in the General tab.
Topology Before Adding the VM-Series Firewall
Topology After Adding the VM-Series Firewall
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS documentation.
Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces (Continued)
Step 2 Re-cable the client-side interface assigned to the NetScaler VPX. If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX.
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall. For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Secure East-West Traffic with the VM-Series Firewall
The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network.
Topology After Adding the VM-Series Firewall
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows: All incoming requests are authenticated and the SSL connection is terminated on the first instance of the NetScaler VPX.
based on protocol, to the internal server IP address 172.16.10.20. The return traffic from 172.16.10.20 is then sent to the NetScaler VPX at 172.16.10.3; the source IP address of the request is set to 172.16.10.3 and the traffic is routed to the VM-Series firewall at 172.16.10.2. On the VM-Series firewall, a policy lookup is again performed and the traffic is routed to the server in the DMZ (192.168.10.
Set Up a VM-Series NSX Edition Firewall The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all datacenter traffic including intra-host virtual machine communications.
VM-Series NSX Edition Firewall Overview
NSX, VMware's Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on a cluster of ESXi servers. SDDC is a VMware term for a datacenter whose infrastructure (compute resources, network and storage) is virtualized using VMware NSX.
Provider | Component | Minimum Version | Description
Palo Alto Networks | PAN-OS | 6.0 | The VM-Series base image (PA-VM-NSX-6.0.0.zip) used for deploying the VM-Series NSX edition firewall is PAN-OS version 6.0.

The minimum system requirement for deploying the VM-Series NSX edition firewall on the ESXi server is as follows:
• Two vCPUs. One for the management plane and one for the dataplane.
NSX Manager
NSX is VMware's network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager.
How Do the Components in the NSX Edition Solution Work Together?
To meet the security challenges in the software-defined datacenter, the NSX Manager, ESXi servers and Panorama work together to automate the deployment of the VM-Series firewall.
1. Register the Palo Alto Networks NGFW service: the first step is to register the Palo Alto Networks NGFW as a service on the NSX Manager.
3. Establish communication between the VM-Series firewall and Panorama: the VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall. The VM-Series firewall receives the license (VM-1000-HV) and reboots with a valid serial number.
Integrated Policy Rules
The NSX Firewall and the VM-Series firewall work in concert to enforce security; each provides a set of traffic management rules that are applied to the traffic on each ESXi host. The first set of rules is defined on the NSX Firewall; these rules determine which traffic from which guests in the cluster is steered to the VM-Series firewall.
Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the VM-Series firewall and can be sent to the virtual switch for onward processing.
Rules centrally managed on Panorama and applied by the VM-Series firewall: the next-generation firewall rules are applied by the VM-Series firewall.
If, for example, you have a multi-tier architecture for web applications, on the NSX Manager you create three security groups for the WebFrontEnd servers, Application servers and the Database servers. The NSX Manager updates Panorama with the name of the security groups and the IP address of the guests that are included in each security group.
When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group to which that guest belongs. Panorama then pushes these real-time updates to all the firewalls in the device group(s) specified in the service manager configuration on Panorama. On each firewall, all policy rules that reference these Dynamic Address Groups are updated at runtime, without a configuration commit.
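Both the VM Monitoring workflow described under Monitor Changes in the Virtual Environment and the NSX security-group updates described above end in the same mechanism: a table of registered IP addresses and tags on the firewall, and dynamic address groups whose membership is re-evaluated against that table at runtime. The following added example (not code from the guide, Panorama or PAN-OS) models that mechanism end to end: a tiny parser for the quoted-tag and/or match syntax, an IP-to-tag registry that enforces the per-platform cap from the table above (1000 on the VM-100/VM-200/VM-300), and a dynamic address group whose members change when a guest's power-state tag is withdrawn. The tag names (vmware.guestos.*, vmware.vmstate.*, nsx.securitygroup.*) and the and-over-or precedence are assumptions for the example, modelled on the attributes the guide lists rather than copied from PAN-OS.

```python
import re

# Tokens of a match expression: a quoted tag, parentheses, and the and/or operators.
TOKEN = re.compile(r"\s*(?:'([^']*)'|(\()|(\))|\b(and|or)\b)", re.IGNORECASE)


def tokenize(expression):
    tokens, pos = [], 0
    while pos < len(expression):
        match = TOKEN.match(expression, pos)
        if not match:
            if not expression[pos:].strip():
                break
            raise ValueError(f"bad token at offset {pos}: {expression[pos:]!r}")
        pos = match.end()
        tag, lparen, rparen, op = match.groups()
        if tag is not None:
            tokens.append(("TAG", tag))
        elif lparen:
            tokens.append(("LPAREN", None))
        elif rparen:
            tokens.append(("RPAREN", None))
        else:
            tokens.append(("OP", op.lower()))
    return tokens


class MatchExpression:
    """Recursive-descent parser; 'and' binds tighter than 'or' (conventional precedence, assumed)."""

    def __init__(self, expression):
        self.tokens = tokenize(expression)
        self.pos = 0
        self.tree = self._parse_or()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected trailing tokens")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def _take(self):
        token = self._peek()
        self.pos += 1
        return token

    def _parse_or(self):
        node = self._parse_and()
        while self._peek() == ("OP", "or"):
            self._take()
            node = ("or", node, self._parse_and())
        return node

    def _parse_and(self):
        node = self._parse_atom()
        while self._peek() == ("OP", "and"):
            self._take()
            node = ("and", node, self._parse_atom())
        return node

    def _parse_atom(self):
        kind, value = self._take()
        if kind == "TAG":
            return ("tag", value)
        if kind == "LPAREN":
            node = self._parse_or()
            if self._take()[0] != "RPAREN":
                raise ValueError("missing closing parenthesis")
            return node
        raise ValueError(f"unexpected token {kind}")

    def matches(self, tags):
        return self._eval(self.tree, tags)

    def _eval(self, node, tags):
        kind = node[0]
        if kind == "tag":
            return node[1] in tags
        left, right = self._eval(node[1], tags), self._eval(node[2], tags)
        return (left and right) if kind == "and" else (left or right)


class IpTagRegistry:
    """IP-to-tag table as the VM Monitoring agent or Panorama would maintain it on the firewall."""

    def __init__(self, max_entries):
        self.max_entries = max_entries  # platform cap from the guide: 1000 on VM-100/VM-200/VM-300
        self.entries = {}

    def register(self, ip, tags):
        if ip not in self.entries and len(self.entries) >= self.max_entries:
            raise OverflowError(f"registered-IP limit {self.max_entries} reached; {ip} not registered")
        self.entries.setdefault(ip, set()).update(tags)

    def unregister(self, ip, tags=None):
        if tags is None:
            self.entries.pop(ip, None)
            return
        remaining = self.entries.get(ip, set()) - set(tags)
        if remaining:
            self.entries[ip] = remaining
        else:
            self.entries.pop(ip, None)


class DynamicAddressGroup:
    def __init__(self, name, criteria):
        self.name = name
        self.criteria = MatchExpression(criteria)

    def members(self, registry):
        return sorted(ip for ip, tags in registry.entries.items() if self.criteria.matches(tags))


def demo():
    """Membership follows tag changes at runtime with no policy edit or commit (constructed data)."""
    registry = IpTagRegistry(max_entries=1000)
    registry.register("10.1.10.11", {"vmware.guestos.ubuntu", "vmware.vmstate.poweredOn", "nsx.securitygroup.WebFrontEnd"})
    registry.register("10.1.10.12", {"vmware.guestos.ubuntu", "vmware.vmstate.poweredOn", "nsx.securitygroup.WebFrontEnd"})
    registry.register("10.1.20.5", {"vmware.guestos.rhel", "vmware.vmstate.poweredOn", "nsx.securitygroup.Database"})
    web_tier = DynamicAddressGroup("web-tier", "'nsx.securitygroup.WebFrontEnd' and 'vmware.vmstate.poweredOn'")
    before = web_tier.members(registry)
    # 10.1.10.12 is powered off: the monitoring source reports the new state and its poweredOn tag is withdrawn.
    registry.unregister("10.1.10.12", {"vmware.vmstate.poweredOn"})
    after = web_tier.members(registry)
    return before, after
```

Two things the toy makes visible that the prose does not: the registry cap is a hard limit, so a monitoring source that enumerates more guests than the platform allows silently leaves the rest out of every dynamic group that should contain them; and the match expression is evaluated against whatever tags the source reports, so a rule that says "web tier" is only as trustworthy as the tag pipeline (vCenter credentials, Panorama-to-NSX API) that feeds it.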
Deploy the VM-Series NSX Edition Firewall
To deploy the NSX edition of the VM-Series firewall, use the following workflow:
Step 1: Set up the Components—To deploy the VM-Series NSX edition, set up the following components:
– Set up the vCenter server, install and register the NSX Manager with the vCenter server.
– (On the NSX Manager) Define the network introspection rules that redirect traffic to the VM-Series firewall. The network introspection rules on the NSX Manager use the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware Tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools.
Create a Device Group and a Template on Panorama
Step 3 (Optional) Add a template.
1. Select Panorama > Templates, and click Add.
2. Enter a unique Name and a Description to identify the template.
Note: The Operational Mode options, Virtual Systems check box and the VPN Disable Mode check box do not apply to the VM-Series firewall.
3. Click OK.
Use Panorama to Register the VM-Series Firewall as a Service
Step 4
Step 5 Enter the authorization code that you received with your order fulfillment email. The authorization code is used to license each instance of the VM-Series.
Note: The authorization code must be for the VM-Series model NSX bundle; for
Step 8 Verify the connection status on Panorama. Displays the connection status between Panorama and the NSX Manager. When the connection is successful, the status displays as Registered. This indicates that Panorama and the NSX Manager are in sync and the VM-Series firewall is registered as a service on the NSX Manager.
Enable SpoofGuard
The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non-IP L2 traffic, or IP traffic whose addresses are not known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and will not be steered to the VM-Series firewall; it reaches its destination uninspected. SpoofGuard prevents a guest from sending traffic with a source IP address that vCenter does not know for it, and the Ethernet rules below block the non-IP L2 traffic that cannot be steered at all.
Enable SpoofGuard and Block Non-IP L2 Traffic
Step 2 Select the IP protocols to allow.
1. Select Networking and Security > Firewall > Ethernet.
2. Add a rule that allows ARP, IPv4 and IPv6 traffic.
3. Add a rule that blocks everything else.
Define an IP Address Pool
The IP pool is a range of (static) IP addresses that are reserved for establishing management access to the VM-Series firewalls.
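The Integrated Policy Rules section and the SpoofGuard steps above together define the decision the NSX distributed firewall makes on every frame before the VM-Series firewall ever sees it: block non-IP L2 traffic, refuse frames from addresses vCenter does not know, redirect flows that match a network introspection rule, and pass everything else to the vSwitch. The following added example (not code from the guide, NSX or Palo Alto Networks) implements that decision order over a constructed three-tier inventory and shows the gap the SpoofGuard step closes: with SpoofGuard disabled, a frame from an address vCenter does not know is not dropped, it simply fails to match any steering rule and bypasses inspection. EtherType values are the standard ones; the addresses, security groups and steering rules are assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LLDP = 0x88CC  # one example of non-IP L2 traffic

# Constructed inventory: what vCenter knows about the guests, and the NSX security
# groups of the guide's three-tier example. Addresses are made up for the example.
VCENTER_KNOWN_IPS = {"10.1.10.11", "10.1.10.12", "10.1.20.5", "10.1.30.7"}
SECURITY_GROUPS = {
    "WebFrontEnd": {"10.1.10.11", "10.1.10.12"},
    "Application": {"10.1.30.7"},
    "Database": {"10.1.20.5"},
}
# Ethernet (L2) rules from the SpoofGuard step: allow ARP, IPv4, IPv6; block everything else.
L2_ALLOWED_ETHERTYPES = {ETHERTYPE_ARP, ETHERTYPE_IPV4, ETHERTYPE_IPV6}
# Network introspection rules as (source group, destination group) pairs that are redirected.
# Flows with no matching pair (backups, domain-controller traffic) go straight to the vSwitch.
STEERING_RULES = [("WebFrontEnd", "Application"), ("Application", "Database")]


@dataclass
class Frame:
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def groups_of(ip):
    """Security groups an address belongs to (a guest may be in several)."""
    return {name for name, members in SECURITY_GROUPS.items() if ip in members}


def dispatch(frame, spoofguard_enabled=True):
    """Where the NSX distributed firewall sends a frame before it can reach the VM-Series firewall."""
    if frame.ethertype not in L2_ALLOWED_ETHERTYPES:
        return "blocked by Ethernet rule (non-IP L2 traffic)"
    if frame.ethertype == ETHERTYPE_ARP:
        return "passed to vSwitch (ARP carries no IP header to match on)"
    if frame.src_ip not in VCENTER_KNOWN_IPS:
        if spoofguard_enabled:
            return "dropped by SpoofGuard (source IP not known to vCenter)"
        # Without SpoofGuard the frame is not dropped, but no redirection rule can match it either.
        return "passed to vSwitch uninspected (source IP not known to vCenter)"
    for src_group, dst_group in STEERING_RULES:
        if src_group in groups_of(frame.src_ip) and dst_group in groups_of(frame.dst_ip):
            return f"steered to VM-Series firewall (rule {src_group} -> {dst_group})"
    return "passed to vSwitch (no redirection rule matched)"


if __name__ == "__main__":
    samples = [
        Frame(ETHERTYPE_IPV4, "10.1.10.11", "10.1.30.7"),   # web -> app: steered
        Frame(ETHERTYPE_IPV4, "10.1.10.11", "10.1.20.5"),   # web -> db: no rule, not steered
        Frame(ETHERTYPE_IPV4, "10.1.10.99", "10.1.20.5"),   # spoofed source
        Frame(ETHERTYPE_ARP),
        Frame(ETHERTYPE_LLDP),
    ]
    for sample in samples:
        print(sample, "->", dispatch(sample), "|", dispatch(sample, spoofguard_enabled=False))
```

The web-to-database frame is worth noting: it is perfectly valid traffic from a known guest, and it still reaches the vSwitch uninspected because no steering rule names that pair. Steering rules are an allow-list of what the VM-Series firewall gets to see, so they need the same review as the firewall policy itself.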
The port groups are defined on the Palo Alto Networks NGFW service profile. The Palo Alto Networks NGFW service profile simplifies the process of deploying the VM-Series firewall; once configured, the data traffic from the selected port group will be checked against the NSX security policies. If NSX security policies are defined and a policy match occurs for the traffic, the traffic is redirected to the VM-Series firewall.
Prepare the ESXi Hosts for the VM-Series Firewall
1. On the NSX Manager, select Networking and Security > Installation > Host Preparation.
2. Click Install and verify that the installation status is successful.
Note: As new ESXi hosts are added to a cluster, this process is automated and the necessary NSX components are installed on each new host automatically.
Deploy the Palo Alto Networks NGFW Service
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), and select the Palo Alto Networks NGFW service. Click Next.
3. Select the Datacenter and the cluster(s) on which the service will be deployed. One instance of the firewall will be deployed on each host in the selected cluster(s).
4.
5. Select the port group that provides management network traffic access to the firewall.
6. Select the IP address pool from which to assign a management IP address for each firewall when it is being deployed.
7. Review your configuration and click Finish.
8. Verify that the NSX Manager reports the Installation Status as Successful.
10. Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama.
a. Select Panorama > Managed Devices to verify that the firewalls are connected and synchronized.
b. Click Commit, and select Commit Type as Panorama.
Define Policies on the NSX Manager
In order for the VM-Series firewall to secure the traffic, you must first create security groups on the NSX Manager and assign virtual machines (guests) to the groups. Then, define and apply rules to redirect traffic from the guests in these groups to the VM-Series firewall.
Define Policies to Redirect Traffic to the VM-Series Firewall
Create security policies on the NSX Manager to steer traffic to the VM-Series firewall.
1. Select Networking and Security > Service Composer > Security Policies, and click Create Security Policy.
2. Add a Name and a Description.
3. In the Network Introspection Services, click Add and enter a Name for the service.
4.
Do not apply the traffic redirection policies that you created above until you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall denies all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped until you define security policy on Panorama and push it to the firewalls.
Define Policy on Panorama
Step 1 Create Dynamic Address Groups.
1. Log in to the Panorama web interface.
2. Select Objects > Address Groups.
3. Select the Device Group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
4. Click Add and enter a Name and a Description for the address group.
5. Select Type as Dynamic.
6. Click Add Match Criteria.
Step 2 Create security policies.
1. Select Policies > Security.
2. Select the Device Group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Template on Panorama.
3. Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
4.
Step 3 Apply the policies to the VM-Series NSX edition firewalls.
Step 4 Validate that the members of the Dynamic Address Group are populated on the VM-Series firewall.
Note: You cannot verify the members (registered IP addresses) of the Dynamic Address Group on Panorama. This information can only be viewed on the VM-Series firewall that enforces the policy.
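Because the registered members are only visible on the firewall, Step 4 is worth automating for every firewall in the cluster. The following Python is an added example, not code from this guide or from Palo Alto Networks. It parses the XML that the firewall's XML API returns for the operational command `show object dynamic-address-group all` and checks the groups used in the Step 2 rule (WebFrontEnd and Application servers). The element names in the sample response are an approximation of the real output and the sample itself is constructed; adapt the XPath strings to what your firewall actually returns.

```python
"""Verify Dynamic Address Group members on a VM-Series firewall.

Added example (not from the guide). The firewall, not Panorama, holds the
registered IP addresses of each Dynamic Address Group, so the check runs
against an op-command response fetched from the firewall. The XML below is a
constructed approximation of that response.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample response. Real element names may differ; adjust the XPaths.
SAMPLE_RESPONSE = """<response status="success"><result>
<dyn-addr-grp>
  <entry>
    <group-name>WebFrontEnd</group-name>
    <filter>'WebFrontEnd'</filter>
    <member-list>
      <entry name="10.1.1.10" type="registered-ip"/>
      <entry name="10.1.1.11" type="registered-ip"/>
    </member-list>
  </entry>
  <entry>
    <group-name>AppServers</group-name>
    <filter>'Application'</filter>
    <member-list>
      <entry name="10.1.2.20" type="registered-ip"/>
    </member-list>
  </entry>
  <entry>
    <group-name>DbServers</group-name>
    <filter>'Database'</filter>
    <member-list/>
  </entry>
</dyn-addr-grp></result></response>"""


def parse_dag_members(xml_text):
    """Return {group name: sorted list of registered IPs as normalised strings}."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"firewall returned status={root.get('status')!r}")
    groups = {}
    for grp in root.findall("./result/dyn-addr-grp/entry"):
        name = grp.findtext("group-name")
        # ip_address() rejects garbage and canonicalises IPv6 text before comparison
        members = {str(ip_address(m.get("name"))) for m in grp.findall("./member-list/entry")}
        groups[name] = sorted(members)
    return groups


def empty_groups(groups):
    """DAGs with no registered IPs: a rule that references them matches nothing."""
    return sorted(name for name, members in groups.items() if not members)


def missing_members(groups, expected):
    """Expected members (e.g. the VMs in the NSX security group) the firewall lacks."""
    result = {}
    for name, ips in expected.items():
        want = {str(ip_address(ip)) for ip in ips}
        result[name] = sorted(want - set(groups.get(name, [])))
    return result


def rule_matches(groups, src_ip, dst_ip, src_group, dst_group):
    """Would a rule 'allow src_group -> dst_group' match this flow on the firewall?"""
    return (str(ip_address(src_ip)) in groups.get(src_group, [])
            and str(ip_address(dst_ip)) in groups.get(dst_group, []))


if __name__ == "__main__":
    groups = parse_dag_members(SAMPLE_RESPONSE)
    for name, members in groups.items():
        print(f"{name}: {members or '(empty)'}")
    print("empty groups:", empty_groups(groups))
    print("missing:", missing_members(groups, {"WebFrontEnd": ["10.1.1.10", "10.1.1.12"]}))
    print("WebFrontEnd -> AppServers flow matches:",
          rule_matches(groups, "10.1.1.10", "10.1.2.20", "WebFrontEnd", "AppServers"))
```

The empty-group check is the one to alert on: a Dynamic Address Group with no members does not fail a commit, it just makes the rule from Step 2 match nothing, so traffic between the two tiers falls through to the default deny. To feed real data in, fetch the response from each firewall with the XML API (`type=op` with the command expressed as XML and an API key; the exact command encoding is left to the PAN-OS XML API documentation rather than assumed here) and pass the body to `parse_dag_members`.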
The last step in the process of deploying the VM-Series NSX Edition firewall is to apply the redirection policies to the security groups on the NSX Manager.
Apply the Security Policies on the NSX Manager
1. Select Networking and Security > Service Composer > Security Policies.
2. Select the security policy, click Apply Security Policy, and select the security groups to which the rules must be pushed.
Steer Traffic from Guests that are not Running VMware Tools
Step 2 Verify that SpoofGuard is enabled. If it is not enabled, see Enable SpoofGuard.
Step 3 Manually approve the IP address(es) for each guest in SpoofGuard; this validates that each approved IP address is the correct address for that network adapter. Without VMware Tools, vCenter does not learn the guest's IP address on its own, so until the address is approved the guest's traffic does not match the redirection rules and is not steered to the VM-Series firewall.