To automate the provisioning of a VM-Series NSX edition firewall, you must enable communication between the NSX Manager and Panorama. When Panorama registers the VM-Series firewall as a service on the NSX Manager, the NSX Manager has the configuration settings required to provision one or more instances of the VM-Series firewalls on each ESXi host in the cluster.
What do you want to know? See:
How do I configure Panorama to communicate with the NSX Manager? See Configure Access to the NSX Manager.
How do I define the configuration for the VM-Series NSX edition firewall? See Create Service Definitions.
How do I configure the firewall to consistently enforce policy in the dynamic vSphere environment? See Objects > Address Groups and Policies > Security. To enable Panorama and the firewalls to learn about the changes in the virtual environment, use Dynamic Address Groups as source and destination address objects in security policy pre rules.
Looking for more? See Set up a VM-Series NSX Edition Firewall.
Configure Access to the NSX Manager
VMware Service Manager Settings
To enable Panorama to communicate with the NSX Manager, click Edit and complete the following fields.
Service Manager Name: Enter a name to identify the VM-Series firewall as a service. This name displays on the NSX Manager and is used to deploy the VM-Series firewall on-demand. Supports up to 63 characters; use only letters, numbers, hyphens, and underscores.
Description (Optional): Enter a label to describe the purpose or function of this service.
NSX Manager URL: Specify the URL that Panorama will use to establish a connection with the NSX Manager.
NSX Manager Login, NSX Manager Password, Confirm NSX Manager Password: Enter the authentication credentials (username and password) configured on the NSX Manager. Panorama uses these credentials to authenticate with the NSX Manager. The ampersand (&) special character is not supported in the NSX Manager account password. If a password includes an ampersand, the connection between Panorama and the NSX Manager fails.
VMware Service Manager Connection Status
After committing the changes to Panorama, the VMware Service Manager page displays the connection status between Panorama and the NSX Manager.
Status: Displays the connection status between Panorama and the NSX Manager. A successful connection displays as Registered: Panorama and the NSX Manager are synchronized and the VM-Series firewall is registered as a service on the NSX Manager. For an unsuccessful connection, the status can be one of the following:
Connected Error: Unable to reach or establish a network connection with the NSX Manager.
Not authorized: The access credentials (username and/or password) are incorrect.
Unregistered: The service manager, service definition, or service profile is unavailable or was deleted on the NSX Manager.
Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click Out of sync for details on the reasons for failure. For example, the NSX Manager may have a service definition with the same name as one defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.
Last Dynamic Update: Displays the date and time when Panorama retrieved the Dynamic Address Group information from the NSX Manager.
Synchronize Panorama with the NSX Manager
Use the VMware Service Manager page to perform the following operations.
NSX Config-Sync: Click NSX Config-Sync to synchronize the service definitions configured on Panorama with the NSX Manager. If you have any pending commits on Panorama, this option is not available. If the synchronization fails, view the details in the error message to know whether the error is on Panorama or on the NSX Manager. For example, when you delete a service definition on Panorama, the synchronization with the NSX Manager fails if the service definition is referenced in a rule on the NSX Manager. Use the information in the error message to determine the reason for failure and where you need to take corrective action (on Panorama or on the NSX Manager).
Synchronize Dynamic Objects: Click Synchronize Dynamic Objects to refresh the dynamic object information from the NSX Manager. Synchronizing dynamic objects enables you to maintain context on changes in the virtual environment and allows you to safely enable applications by automatically updating the Dynamic Address Groups used in policy rules. On Panorama, you can view only the IP addresses that are dynamically registered from the NSX Manager. Panorama does not display the dynamic IP addresses that are registered directly to the firewalls. If you use VM Information Sources (not supported on the VM-Series NSX edition firewalls) or the XML API to register IP addresses dynamically to the firewalls, you must log in to each firewall to view the complete list of dynamic IP addresses (both those that Panorama pushed and those that are locally registered) on the firewall.
Remove VMware Service Manager: Click Remove VMware Service Manager to delete access to the NSX Manager and disable communication between Panorama and the NSX Manager. Before you remove the service manager configuration, you must first delete all service definitions.
Create Service Definitions
A service definition allows you to register the VM-Series firewall as a partner security service on the NSX Manager. You can define up to 32 service definitions on Panorama and synchronize them on the NSX Manager.
Typically, you will create one service definition for each tenant in an ESXi cluster. Each service definition specifies the OVF (PAN-OS version) used to deploy the firewall and includes the configuration for the VM-Series firewalls installed on the ESXi cluster. To specify the configuration, a service definition must have a unique template, a unique device group and the license auth-codes for the firewalls that will be deployed using the service definition. When the firewall is deployed, it connects to Panorama and receives both its configuration settings—including the zone(s) for each tenant or department that the firewall will secure—and its policy settings from the device group specified in the service definition.
To add a new service definition, fill in the following fields.
Name: Enter the name for the service you want to display on the NSX Manager.
Description (Optional): Enter a label to describe the purpose or function of this service definition.
Template: Select the template to which the VM-Series firewalls will be assigned. For details, see Panorama > Templates. Each service definition must be assigned to a unique template or template stack. A template can have multiple zones (NSX Service Profile Zones for NSX) associated with it. For a single-tenant deployment, create one zone (NSX Service Profile Zone) in the template. If you have a multi-tenant deployment, create a zone for each sub-tenant. When you create a new NSX Service Profile Zone, it is automatically attached to a pair of virtual wire subinterfaces. For more information, see Network > Zones.
VM-Series OVF URL: Enter the URL (IP address or host name and path) where the NSX Manager can access the OVF file to provision new VM-Series firewalls.
Authorization Code: Enter the authorization code from the order fulfillment email you received when you purchased the VM-Series firewall.
Device Group: Select the device group or device group hierarchy to which these VM-Series firewalls will be assigned. For details, see Panorama > VMware Service Manager.
Notify Device Groups: Add the device groups that must be notified of additions or modifications to the virtual machines deployed on the network. As new virtual machines are provisioned or existing machines are modified, the changes in the virtual network are provided as updates to Panorama. When configured to do so, Panorama populates and updates the dynamic address objects referenced in policy rules so that the firewalls in the specified device groups receive changes to the registered IP addresses in the dynamic address groups. To enable notification, make sure to select every device group to which you want to enable notification. If you are not able to select a device group (no check box available), it means that the device group is automatically included by virtue of the device group hierarchy. This notification process creates context awareness and maintains application security on the network. If, for example, you have a group of hardware-based perimeter firewalls that must be notified when a new application or web server is deployed, this process initiates an automatic refresh of the dynamic address groups for the specified device group, and all policy rules that reference the dynamic address object now automatically include any newly deployed or modified application or web servers and can be securely enabled based on your criteria.
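A pre-commit check for the constraints stated in the VMware Service Manager settings and the service definition fields above (service name length and character set, no ampersand in the NSX Manager password, at most 32 service definitions, a unique template and device group per definition, an authorization code and OVF URL on each). This is an added Python example, not Panorama or PAN-OS code; the dataclasses and their field names are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Limits quoted from the field descriptions on this page.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")   # up to 63 chars: letters, digits, - and _
MAX_SERVICE_DEFINITIONS = 32                              # Panorama limit per the page


@dataclass
class ServiceManager:            # hypothetical model of the Service Manager settings
    name: str
    nsx_url: str
    login: str
    password: str


@dataclass
class ServiceDefinition:         # hypothetical model of one service definition
    name: str
    template: str
    device_group: str
    ovf_url: str
    auth_code: str


def check_service_manager(sm: ServiceManager) -> list[str]:
    """Return a list of problems; an empty list means the settings can be committed."""
    problems = []
    if not SERVICE_NAME_RE.match(sm.name):
        problems.append("service manager name: 1-63 chars, letters, digits, hyphen, underscore only")
    if "&" in sm.password:
        # The page states the connection fails outright if the password contains '&'.
        problems.append("NSX Manager password contains '&'; Panorama cannot connect with it")
    return problems


def check_service_definitions(defs: list[ServiceDefinition]) -> list[str]:
    """Flag duplicate templates/device groups, missing fields and the 32-definition limit."""
    problems = []
    if len(defs) > MAX_SERVICE_DEFINITIONS:
        problems.append(f"{len(defs)} service definitions exceed the limit of {MAX_SERVICE_DEFINITIONS}")
    seen_templates: dict[str, str] = {}
    seen_groups: dict[str, str] = {}
    for d in defs:
        for attr, seen in (("template", seen_templates), ("device_group", seen_groups)):
            value = getattr(d, attr)
            if value in seen:                       # each definition needs its own template and device group
                problems.append(f"{d.name}: {attr} '{value}' already used by {seen[value]}")
            seen.setdefault(value, d.name)          # remember the first definition that claimed it
        if not d.auth_code:
            problems.append(f"{d.name}: missing authorization code")
        if not d.ovf_url:
            problems.append(f"{d.name}: missing VM-Series OVF URL")
    return problems
```

Run the checks before NSX Config-Sync; a non-empty list points at the setting to fix on Panorama rather than waiting for an Out of sync or Not authorized status after the commit.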