Prisma AIRS
Deploy HSF Using Software Firewall Orchestration Plugin
Table of Contents
Deploy HSF Using Software Firewall Orchestration Plugin
The Software Firewall Orchestration plugin is introduced to orchestrate the HSF
Cluster deployments in ESXi environments.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
The Software Firewall Orchestration plugin is introduced to orchestrate the HSF Cluster
deployments in ESXi environments. Using the Software Firewall Orchestration plugin you
can configure, deploy, update, and monitor your HSF cluster. You can also autoscale and
manage software migrations in the VM firewall cluster using this plugin.
The following are the prerequisites to deploy the HSF:
Plugin Prerequistes
You will need to install three plugins:
- Software Firewall Orchestration plugin version 1.0.1 - The main plugin used to orchestrate HSF.
- Clustering plugin version 3.0.0 - For visibility, monitoring and to obtain metric data needed for autoscaling.
- VM-Series plugin on Panorama version 6.0.1 - To establish communication with the VM-Series plugin on your firewalls.
Prerequistes on ESXi
You will need to install three plugins:
- vCenter: Add ESXi servers to the vCentre by navigating to Datacentre
—> vSphere Cluster —-> ESXi Server hosts. vCenter credentials must have
global level administrator privileges for cluster deployment.
![]()
- vCenter and ESXi version: The plugin supports vCenter version 7.0+ and ESXi version 7.0.
- vSphere cluster with ESXI servers: All ESXi servers in a vSphere cluster must have identical host resources, network resources.
- Port Groups: Ensure that the port group and network is configured and
available for the ESXi servers vNIC. Configure the portgroups with the same
name across all the hosts. You can configure a standard switch or
distributed switch.Create the following vSwitch and Port groups for the interfaces of the deployed resources.
- Management
- Cluster Control Interconnect
- Cluster Traffic Interconnect
- Data InterfacesYou will need a minimum of three port groups for management, cluster control link, and cluster traffic link for the firewalls in the cluster. You may use the rest of the port groups to the data links.
![]()
- Ensure to set the MAC address changes of the Management VSwitch to accept config.
- Cluster Traffic Interconnect interface is to be set between 2000 to 9000 MTU in ESXi environments.
- vSphere Cluster:
- Create 1-2 vSphere Clusters – Based on cluster deployment needs, both AI-Gateway nodes and AI-DP nodes can be deployed in the same or separate vSphere clusters. Ensure to have at least one dedicated vCenter cluster created on vCenter and have the ESXi hosts added to it before you go ahead with the VM HSF Cluster deployment.
- All the hosts in a vCenter cluster must be identical (host resources, network, and so on).
- Create an iSCSI shared storage on the
vCENTER for multiple hosts to download the image from a
common location. Shared storage can be used with multiple host deployment, to download the image from a common location. The AI-Gateway and AI-DP node deployment happens using the shared storage. Alternatively, local datastore can also be used. All the hosts in the same cluster should have the same name for local datastore (for example, datastore, datastore(1), and so on).Ensure that the iSCSI drive is visible in the datastore of all the hosts in the cluster. It is recommended that you use a 10 gig link for your shared storage, for faster completion of the cluster deployment.
- Image: Ensure to upload the OVA image of Prisma AIRS in the
vCenter local content library. If the OVA deployment times out on the vCenter content library, ensure to increase the timeout to greater than 20 mins.
![]()
- Credentials with administrator permission for VM HSF deployment.
- If you are using Intel 810 SR-IOV, ensure to configure more queues (around 16).
Prerequisites on Panorama
- License authcode with HSF subscription.
- Configure license API-key on panorama to delicense the deleted VMs as part of the undeploy workflow or scale-in event - generate licensing API.request license api-key set key <key>
- (optional) Log Collector Group: Create a log collector group.
- Template:
- Policy template: Create a template for cluster nodes external interfaces and policies
- Custer Template - The Software Firewall Orchestration plugin will
automatically deploy a fixed template. This template contains
interfaces for cluster traffic ports based on the required config
for AI-Gateways to enable traffic flow. For SRIOV, clone and modify
the fixed template which contains the cluster traffic interconnect
interface config for all nodes.
- You may choose the fixed template created by the plugin AI-HSF-CLUSTERING-DO-NOT-MODIFY.
- If you are using SRIOV, then clone the AI-HSF-CLUSTERING-DO-NOT-MODIFY template and make the necessary changes to it and then choose the new cloned template.
- By default, the fixed template is for VMxNet3 deployments and the first Interface (eth1/1 ) is used for Cluster traffic Interconnect. For SRIOV based deployments or if you change the CT interface to a different one, then a fixed template can be cloned or edited to change the Cluster Traffic for each node.
- Download the same content on the Local and Device Deployment page of the Panorama.
- Schedule Download and Install of App&Thread and AV at the same time on both local and Device Deployment page of the Panorama.
![]()
- Clustering plugin should be installed on Panorama - This is needed to obtain metric data needed for autoscaling and for firewall cluster visibility.
- Commit the vCenter credentials and check the validity of the onboarded credentials.
