VM-Series Deployment Guide
About the VM-Series Firewall
Monitor Changes in the Virtual Environment
In a legacy client-server architecture with physical infrastructure resources, security administrators controlled
the deployment of servers on the network, and had visibility over the applications that traversed the network;
security policies were based on static IP addresses. By nature, the network architecture was static and inflexible,
and therefore unable to meet the scale and performance needs that emerged with growth.
To address these challenges of scale, flexibility, and performance, server virtualization technology was
widely adopted. Virtual networks allow servers and applications to be provisioned, changed, and deleted
on demand. This agility poses a challenge for security administrators because they have little visibility into the
IP addresses of the dynamically provisioned servers and the plethora of applications that can be enabled on
these virtual resources.
In order to protect the network resources and safely enable applications, the VM-Series firewall provides an
automated way to gather information on the virtual machine (or guest) inventory on each monitored source and
create policy objects that stay in sync with the dynamic changes on the network. This capability is provided by
the coordination between the VM Information Sources and Dynamic Address Groups features on the firewall.
The following tasks are applicable to the VM-Series firewall deployed on a VMware ESXi server or on the Citrix
SDX server.
Enable VM Monitoring to Track Changes on the Virtual Network
Use Dynamic Address Groups in Policy
Attributes Monitored on a VMware Source
Enable VM Monitoring to Track Changes on the Virtual Network
VM Information Sources provides an automated way to gather information on the Virtual Machine (VM)
inventory on each monitored source (host); the sources that the firewall can monitor include VMware ESXi and
vCenter Server. As new virtual machines (guests) are deployed, the firewall monitors 16 metadata elements in
the VMware environment and collects the list of tags assigned to each guest; these tags can then be used to
define Dynamic Address Groups (see Use Dynamic Address Groups in Policy) and matched against in policy.
The firewall can monitor the VMware vCenter server and/or an ESX(i) server version 4.1 or 5.0, and poll for
information on IP address and tags on newly provisioned VMs, or on VMs that have been updated or moved
on the network. Up to 10 VM information sources can be configured on the firewall. By default, the traffic
between the firewall and the monitored sources uses the management (MGT) port on the firewall.
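The poll-and-recompute cycle described above, as an added example that is not from the guide or from Palo Alto Networks: each poll of a monitored source returns every guest's IP address and tags, and each Dynamic Address Group's member list is rebuilt from its match expression, so a rule that references the group follows a VM that is rebuilt with a new address or moved. The tag names, the two inventory snapshots, and the match-expression grammar handled here (quoted tags combined with and/or/not and parentheses) are assumptions for this example, not the firewall's exact attribute set or syntax.

```python
import re
# Constructed inventory snapshots from two poll cycles; the tag names are assumed.
POLL_1 = [
    {"ip": "10.1.1.10", "tags": {"guestos.Linux", "vmname.web-01", "folder.DMZ"}},
    {"ip": "10.1.1.11", "tags": {"guestos.Windows", "vmname.db-01", "folder.Internal"}},
]
POLL_2 = POLL_1[:1] + [  # db-01 was rebuilt with a new IP and moved into the DMZ folder
    {"ip": "10.1.2.20", "tags": {"guestos.Windows", "vmname.db-01", "folder.DMZ"}},
]
GROUPS = {"dmz-linux": "'folder.DMZ' and 'guestos.Linux'",
          "dmz-nonweb": "'folder.DMZ' and not ('vmname.web-01' or 'vmname.web-02')"}
TOKEN = re.compile(r"'[^']*'|\(|\)|\b(?:and|or|not)\b")  # quoted tag, parens, operators

def tag_matches(expression, tags):
    """Evaluate one match expression against one VM's tag set (recursive descent)."""
    tokens = TOKEN.findall(expression)
    if not tokens or TOKEN.sub("", expression).strip():  # anything left over is unsupported
        raise ValueError(f"unsupported syntax in {expression!r}")
    def parse_or(i):                       # or-expr := and-expr ('or' and-expr)*
        value, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = parse_and(i + 1)
            value = value or rhs
        return value, i
    def parse_and(i):                      # and-expr := unary ('and' unary)*
        value, i = parse_unary(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = parse_unary(i + 1)
            value = value and rhs
        return value, i
    def parse_unary(i):                    # unary := 'not' unary | '(' or-expr ')' | tag
        if i >= len(tokens) or tokens[i] in ("and", "or", ")"):
            raise ValueError(f"operator or end where a tag was expected in {expression!r}")
        if tokens[i] == "not":
            value, i = parse_unary(i + 1)
            return not value, i
        if tokens[i] == "(":
            value, i = parse_or(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("unbalanced parentheses")
            return value, i + 1
        return tokens[i].strip("'") in tags, i + 1
    value, end = parse_or(0)
    if end != len(tokens):
        raise ValueError(f"trailing tokens in {expression!r}")
    return value

def resolve_groups(inventory, groups):
    """One poll cycle: rebuild each group's member IP list from the snapshot."""
    return {name: sorted(vm["ip"] for vm in inventory if tag_matches(expr, vm["tags"]))
            for name, expr in groups.items()}
```

Running resolve_groups over POLL_1 and then POLL_2 shows the rebuilt db-01 entering dmz-nonweb on the second poll without any change to the group definition or the policy that references it.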
The VM-Series NSX edition firewall, which is jointly developed by Palo Alto Networks and VMware, is designed for
automated provisioning and distribution of Palo Alto Networks next-generation security services and the delivery of
dynamic context-based security policies using Panorama. For information on how the VM-Series NSX edition firewall
meets the security challenges on the virtual network, see Set Up a VM-Series NSX Edition Firewall.
VM Information Sources offers easy configuration and enables you to monitor a predefined
set of 16 metadata elements or attributes in the VMware environment. See Attributes Monitored
on a VMware Source for the list.
If the set of attributes that the firewall monitors meets your needs (and you do not need a customized set
of attributes), use VM Information Sources on the firewall to enable VM monitoring instead of
using external scripts and the XML API on the firewall.