Learn how the components of a VM-Series deployment on NSX-T work together.
NSX-T Manager, vCenter, Panorama, and the VM-Series firewall work together to meet the security challenges of your NSX-T data center.
Register the VM-Series firewall as a service—Use Panorama to connect to your VMware NSX-T Manager. Panorama communicates with NSX-T Manager using the NSX-T API and establishes bi-directional communication. On Panorama, you configure the Service Manager by entering the IP address, username, and password of NSX-T Manager to initiate communication.
After establishing communication with NSX-T Manager, configure the service definition. The service definition includes the location of the VM-Series firewall base image, the authorization code needed to license the VM-Series firewall, and the device groups and template stack to which the firewall will belong.
Additionally, NSX-T Manager uses this connection to send updates about changes in the NSX-T environment to Panorama.
Deploy the VM-Series firewall per host or in a service cluster—NSX-T Manager uses the information pushed from Panorama in the service definition to deploy the VM-Series firewall. Choose where the VM-Series firewall will be deployed (in a service cluster or on each ESXi host) and how NSX-T provides a management IP address to the VM-Series firewall (DHCP or static IP). When the firewall boots up, NSX-T Manager's API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.
The VM-Series connects to Panorama—The VM-Series firewall then connects to Panorama to obtain its license. Panorama gets the license from the Palo Alto Networks Update Server and sends it to the firewall. When the firewall gets its license, it reboots and comes back up with a serial number.
If Panorama does not have internet access, it cannot retrieve licenses and push them to the firewall, so you have to manually license each firewall individually. If the VM-Series firewall does not have internet access, you must manually add the serial numbers to Panorama to register them as managed devices, so Panorama can push template stacks, device groups, and other configuration information. For more information, see Activate the License for the VM-Series Firewall for VMware NSX.
Panorama sends security policy to the VM-Series firewall—When the firewall reconnects to Panorama, it is added to the device group and template stack defined in the service definition, and Panorama pushes the appropriate security policy to that firewall. The firewall is now ready to secure traffic in your NSX-T data center.
Create network introspection rules to redirect traffic to the VM-Series firewall—On the NSX-T Manager, create a service chain and network introspection rules that redirect traffic in your NSX-T data center to the VM-Series firewall.
Send real-time updates from NSX-T Manager—The NSX-T Manager sends real-time updates about changes in the virtual environment to Panorama. These updates include changes in group membership and IP addresses of virtual machines in groups that send traffic to the VM-Series firewall.
Panorama sends dynamic updates—As Panorama receives updates from NSX-T Manager, it sends those updates to its managed VM-Series firewalls. Panorama places virtual machines into Dynamic Address Groups based on criteria that you determine and pushes dynamic address group membership information to the firewalls. This allows firewalls to apply the correct security policy to traffic flowing to and from virtual machines in your NSX-T data center.
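The last two steps describe a chain that is easy to state but worth seeing end to end: a group-membership change in NSX-T becomes an IP-to-tag registration, the tags are matched against Dynamic Address Group criteria, and the resulting membership decides which security rule a flow hits. The script below is an added illustration, not Palo Alto Networks or VMware code. It models the match-criteria syntax after the PAN-OS style of quoted tag names joined by and/or/not, and the update events, tag names, group names and rules are all constructed for the example.

```python
"""Simulated flow: NSX-T membership updates -> IP-to-tag map -> DAG membership -> rule hit.
Added example; not vendor code. Update format, tags, DAG names and rules are constructed."""
import re

# Criteria grammar modelled here: quoted tag names combined with and / or / not / parentheses,
# e.g. "'nsxt.web' and 'nsxt.prod'". Only this small subset is implemented.
_TOKEN = re.compile(r"\s*(\(|\)|and|or|not|'[^']*')\s*")


def _tokenize(expr):
    pos, tokens = 0, []
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad criteria near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate(criteria, tags):
    """True if the tag set satisfies the match criteria (recursive descent, or < and < not)."""
    tokens = _tokenize(criteria)

    def expr_or(i):
        val, i = expr_and(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = expr_and(i + 1)
            val = val or rhs
        return val, i

    def expr_and(i):
        val, i = expr_not(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = expr_not(i + 1)
            val = val and rhs
        return val, i

    def expr_not(i):
        if tokens[i] == "not":
            val, i = expr_not(i + 1)
            return (not val), i
        return atom(i)

    def atom(i):
        tok = tokens[i]
        if tok == "(":
            val, i = expr_or(i + 1)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("unbalanced parenthesis")
            return val, i + 1
        if tok.startswith("'"):
            return tok[1:-1] in tags, i + 1
        raise ValueError(f"unexpected token {tok!r}")

    val, end = expr_or(0)
    if end != len(tokens):
        raise ValueError("trailing tokens in criteria")
    return val


def apply_updates(ip_tags, updates):
    """Apply (action, ip, tag) events, a constructed stand-in for the NSX-T -> Panorama feed."""
    for action, ip, tag in updates:
        tags = ip_tags.setdefault(ip, set())
        if action == "register":
            tags.add(tag)
        elif action == "unregister":
            tags.discard(tag)
        else:
            raise ValueError(f"unknown action {action!r}")
        if not tags:  # an IP with no tags drops out of every group
            del ip_tags[ip]
    return ip_tags


def dag_members(dag_criteria, ip_tags):
    """Recompute {dag_name: set(ip)} from the current IP-to-tag registrations."""
    return {name: {ip for ip, tags in ip_tags.items() if evaluate(crit, tags)}
            for name, crit in dag_criteria.items()}


def matching_rule(rules, members, src_ip, dst_ip):
    """Name of the first rule whose source/destination DAGs (or 'any') contain the two IPs."""
    for rule in rules:
        src_ok = rule["source"] == "any" or src_ip in members.get(rule["source"], set())
        dst_ok = rule["destination"] == "any" or dst_ip in members.get(rule["destination"], set())
        if src_ok and dst_ok:
            return rule["name"]
    return None


# Constructed DAG criteria and rulebase for the walkthrough.
DAGS = {"web-servers": "'nsxt.web' and 'nsxt.prod'",
        "db-servers": "'nsxt.db' and not 'nsxt.quarantine'"}
RULES = [{"name": "allow-web-to-db", "source": "web-servers", "destination": "db-servers"},
         {"name": "deny-all", "source": "any", "destination": "any"}]
INITIAL_UPDATES = [("register", "10.1.1.10", "nsxt.web"), ("register", "10.1.1.10", "nsxt.prod"),
                   ("register", "10.1.2.20", "nsxt.db")]


def demo():
    """Rule hit for web -> db before and after NSX-T tags the DB VM as quarantined."""
    ip_tags = apply_updates({}, INITIAL_UPDATES)
    before = matching_rule(RULES, dag_members(DAGS, ip_tags), "10.1.1.10", "10.1.2.20")
    apply_updates(ip_tags, [("register", "10.1.2.20", "nsxt.quarantine")])
    after = matching_rule(RULES, dag_members(DAGS, ip_tags), "10.1.1.10", "10.1.2.20")
    return before, after


if __name__ == "__main__":
    print(demo())  # ('allow-web-to-db', 'deny-all')
```

No rulebase or object on the firewall changes in the second half of `demo()`; only the tag registration does, and the same flow falls through to the deny rule. That is the point of the dynamic update path: policy is written once against group criteria, and membership tracks the NSX-T environment.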