Beginning with PAN-OS 7.1, the VM-Series NSX edition firewall includes support for multi-tenancy, which means that you can use the VM-Series firewall to secure traffic from multiple tenants (or sub-tenants) hosted in the vSphere environment. The VM-Series NSX edition firewall allows you to create up to 32 service definitions, each with a unique device group and template. The device group allows you to create and manage policy rules for a tenant (or sub-tenant) and the template allows you to define one or more zones so that you can isolate traffic for each tenant or sub-tenant. Each tenant (or sub-tenant) is mapped to a specific zone on Panorama, and the zone becomes available as a service profile on the NSX Manager; the NSX security administrator can select the appropriate service profile to logically isolate traffic and redirect it to the VM-Series firewall.
In previous releases, the VM-Series NSX edition firewalls were all assigned to one service definition with a single template (with one default zone and, hence, a single service profile for redirecting traffic) and a single device group (one set of security policies). With the support for multiple service definitions in PAN-OS 7.1, you can configure the firewall for your needs whether you have a shared compute infrastructure and need shared security policies, a dedicated compute infrastructure and need dedicated security policies, or a shared compute infrastructure and need dedicated security policies (multiple instances of the VM-Series firewall per host in an ESXi cluster).
For details on multi-tenant deployment options, see What is Multi-Tenant Support on the VM-Series NSX Edition Firewall?
High-Level Workflow for Deploying the VM-Series NSX Edition Firewall for Multi-Tenancy
Register the VM-Series firewall as a service on the NSX Manager. To enable communication between the NSX Manager and Panorama and to deploy the firewall as a service on the NSX Manager, you must provide the IP address or hostname along with the credentials of the NSX Manager on the VMware service manager configuration on Panorama. The registration also allows the NSX Manager to update Panorama with dynamic changes to the software-defined data center (SDDC).
On the NSX Manager, use the NSX service composer to create security groups. The NSX security group allows you to define which objects—DVS port-group, logical switch (VXLAN), or virtual machines—are included or excluded from the group. When you create a security group in NSX, the information is transmitted to Panorama. On Panorama, the security administrator can then use NSX security groups as match criteria or tags within dynamic address groups and then use dynamic address groups in security policy rules and push the rules to the VM-Series firewalls.
On Panorama, create the building blocks for redirecting traffic to the VM-Series firewall for policy enforcement. Create the template(s) and device group(s). On each template, create one or more zones (NSX service profile zone) for each tenant or sub-tenant from which you want to redirect traffic to the firewall. The firewall automatically creates a pair of virtual wire subinterfaces for each zone. Create dynamic address groups and use them in security policy rules. You can now use an NSX service profile zone name as the source and destination zone (must be the same zone) in a security policy rule. Using dynamic address groups in policy allows you to secure virtual machines as they are dynamically added or removed from your vSphere environment.
Create the service definition(s) on Panorama. The service definition includes the template and device group to which a VM-Series firewall belongs. When the firewall connects to Panorama, it receives its configuration settings, including the zone(s) for each tenant or department that the firewall will secure and its policy settings from the device group specified in the service definition.
On the NSX Manager, create security policies to granularly define which traffic flows to redirect to the VM-Series firewall for inspection and enforcement. NSX security policies allow you to assign security services, such as the VM-Series firewall for network introspection of traffic, to the objects that belong to NSX security groups. After you deploy the firewalls, the traffic redirection rules allow you to steer traffic to the appropriate service profile. The NSX Manager receives these service profile(s) from Panorama, and each profile maps to the NSX service profile zone you created in the Panorama template. Make sure to select the correct service and profile when defining NSX security policies. To create policies, see Create Policies. Traffic allowed by the VM-Series firewall is then returned to the NSX virtual switch for delivery to the final destination (guest virtual machine or physical device).
Deploy the VM-Series firewalls. For instructions, see Deploy the VM-Series Firewalls. On the NSX Manager, make sure to select the appropriately defined service to ensure that you properly secure the ESXi cluster.
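The following is an added example, not Palo Alto Networks code or the Panorama API: a small Python model of the building blocks the workflow above describes (service definitions, each with its own template, NSX service profile zones and device group), a listing of the service profiles that NSX Manager would learn from Panorama (one per zone), and a check of the constraints the text states before anything is pushed. All names and the tenant layout are constructed for illustration.

```python
from dataclasses import dataclass

MAX_SERVICE_DEFINITIONS = 32  # limit stated for the NSX edition firewall

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dag_tag: str  # NSX security group used as the dynamic address group match

@dataclass
class ServiceDefinition:
    name: str
    template: str
    zones: list  # NSX service profile zones defined in the template
    device_group: str
    rules: list  # security policy rules in the device group

def service_profiles(service_defs):
    """Service profiles NSX Manager learns from Panorama: one per zone."""
    return [(sd.name, z) for sd in service_defs for z in sd.zones]

def validate(service_defs, nsx_security_groups):
    """Return problems that would break tenant isolation or policy push."""
    problems = []
    if len(service_defs) > MAX_SERVICE_DEFINITIONS:
        problems.append("more than 32 service definitions")
    templates = [sd.template for sd in service_defs]
    dgs = [sd.device_group for sd in service_defs]
    if len(set(templates)) < len(templates) or len(set(dgs)) < len(dgs):
        problems.append("template and device group must be unique per service definition")
    for sd in service_defs:
        for r in sd.rules:
            if r.src_zone != r.dst_zone:  # NSX service profile zone rules are intra-zone
                problems.append(f"{sd.name}/{r.name}: source and destination zone must be the same")
            if r.src_zone not in sd.zones:
                problems.append(f"{sd.name}/{r.name}: zone {r.src_zone} is not in template {sd.template}")
            if r.dag_tag not in nsx_security_groups:
                problems.append(f"{sd.name}/{r.name}: unknown NSX security group {r.dag_tag}")
    return problems

# Constructed sample: two tenants; tenant B's rule crosses zones by mistake.
NSX_GROUPS = {"SG-TenantA-Web", "SG-TenantB-App"}
TENANTS = [
    ServiceDefinition("svc-tenantA", "tpl-tenantA", ["zone-tenantA"], "dg-tenantA",
                      [Rule("allow-web", "zone-tenantA", "zone-tenantA", "SG-TenantA-Web")]),
    ServiceDefinition("svc-tenantB", "tpl-tenantB", ["zone-tenantB"], "dg-tenantB",
                      [Rule("bad-rule", "zone-tenantB", "zone-tenantA", "SG-TenantB-App")]),
]
```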