VM-Series Deployment Guide (page 10)

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments

You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the 
VM-Series firewall on the network depends on your topology. Choose from the following options:

One VM-Series firewall per ESXi host—Every VM server on the ESXi host passes through the firewall before exiting the host for the physical network. VM servers attach to the firewall via virtual standard switches. The guest servers have no other network connectivity, so the firewall has visibility into and control over all traffic leaving the ESXi host. One variation of this use case is to also require all traffic to flow through the firewall, including server-to-server (east-west) traffic on the same ESXi host.

One VM-Series firewall per virtual network—Deploy a VM-Series firewall for every virtual network. If you have designed your network such that one or more ESXi hosts have a group of virtual machines that belong to the internal network, a group that belongs to the external network, and others that belong to the DMZ, you can deploy a VM-Series firewall to safeguard the servers in each group. If a group or virtual network does not share a virtual switch or port group with any other virtual network, it is completely isolated from all other virtual networks within or across the host(s). Because there is no other physical or virtual path to any other network, the servers on each virtual network must use the firewall to talk to any other network. This gives the firewall visibility into and control over all traffic leaving the virtual (standard or distributed) switch attached to each virtual network.

Hybrid environment—Where both physical and virtual hosts are used, the VM-Series firewall can be deployed in a traditional aggregation location in place of a physical firewall appliance, to achieve the benefits of a common server platform for all devices and to unlink hardware and software upgrade dependencies.

Contents (VM-100)

Page 1: Palo Alto Networks VM-Series Deployment Guide, PAN-OS 6.0
