VM-Series Deployment Guide
VM-Series NSX Edition Firewall Overview
The VM-Series NSX Edition Firewall
On each firewall, all policy rules that reference these Dynamic Address Groups are updated at runtime. Because
the firewall matches on the security group tag to determine the members of a Dynamic Address Group, you do
not need to modify or update the policy when you make changes in the virtual environment. The firewall
matches the tags to find the current members of each Dynamic Address Group and applies the security policy
to the source/destination IP addresses that are included in the group.
What are the Benefits of the Solution?
The NSX edition of the VM-Series firewall is focused on securing east-west communication in the
software-defined datacenter. Deploying the firewall has the following benefits:
Automated Deployment—The NSX Manager automates the process of delivering next-generation firewall
security services and the VM-Series firewall allows for transparent security enforcement. When a new ESXi
host is added to a cluster, a new VM-Series firewall is automatically deployed, provisioned and available for
immediate policy enforcement without any manual intervention. The automated workflow allows you to
keep pace with the virtual machine deployments in your datacenter. The hypervisor mode on the firewall
removes the need to reconfigure the ports/vswitches/network topology; because each ESXi host has an
instance of the firewall, the traffic does not need to traverse the network or be backhauled for inspection and
consistent enforcement of policies.
Tighter Integration Between Virtual Environment and Security Enforcement for Dynamic
Security—Dynamic Address Groups maintain awareness of changes in the virtual machines/applications
and ensure that security policy stays in tandem with the changes in the network. This awareness provides
visibility and protection of applications in an agile environment.
Sturdier Centralized Management—The firewalls deployed using this solution are licensed and managed
by Panorama, the Palo Alto Networks central management tool. Using Panorama to manage both the
perimeter and datacenter firewalls (the hardware-based and virtual firewalls) allows you to centralize policy
management and maintain agility and consistency in policy enforcement throughout the network.
In summary, this solution ensures that the dynamic nature of the virtual network is secured with minimal
administrative overhead. You can successfully deploy applications with greater speed, efficiency, and security.