You can now deploy the VM-Series firewall on VMware
NSX-T as a partner service to provide comprehensive visibility
and safe application enablement of all East-West traffic in your
NSX-T software-defined data center. The VM-Series firewall as a
partner service enables micro-segmentation that allows you to protect
your data center, enable granular access control inter-tier application
The VM-Series firewall on VMware NSX-T (East-West) requires the
Panorama plugin for VMware NSX 3.1.0 or later.
—Multiple instances of the VM-Series firewall
are deployed on a single ESXi cluster. NSX-T manager redirects traffic between
VMs and security groups to the VM-Series firewall before it continues to
the intended destination.
—The VM-Series firewall is deployed on each ESXi
hosts in your software-defined data center. Traffic between guests
on the same host is inspected by the local firewall, so it does
not need to leave the host for inspection. Traffic leaving the host
is inspected by the firewall before reaching the vSwitch.
Deploying the VM-Series firewall to secure East-West traffic
in your NSX-T software-defined data center requires the following
Register the VM-Series firewall as a service
to connect to your VMware NSX-T manager. After establishing communication
with NSX-T Manager, configure the service definition.
NSX-T Manager uses this connection to send updates on the changes
in the NSX-T environment with Panorama.
Deploy the VM-Series firewall per host or in a service cluster
Manager uses the information pushed from Panorama in the service
definition to deploy the VM-Series firewall. Choose a where the VM-Series
firewall will be deployed (in a service cluster or on each ESXi
host) and how NSX-T provides a management IP address to the VM-Series
The VM-Series connects to Panorama
and sends security
policy to the VM-Series firewall
—The VM-Series firewall then connects
to Panorama to obtain its license. Panorama gets the license from
the Palo Alto Networks update server and sends it to the firewall.
When the firewall gets its license, it reboots and comes back up
with a serial number. When the firewall reconnects to Panorama after
rebooting, it is added to device group and template stack defined
in the service definition and Panorama pushes the appropriate security
policy to that firewall. The firewall is now ready to secure traffic
in your NSX-T data center.
NSX-T Manager sends real-time updates
about changes in the virtual environment to Panorama. As Panorama
receives updates from NSX-T Manager, it sends those updates from
its managed VM-Series firewalls as changes in dynamic address groups.
This allows firewalls to apply the correct security policy to traffic
flowing to and from virtual machines in your NSX-T data center.
Create network introspection rules to redirect traffic
to the VM-Series firewall
—On the NSX-T Manager, create a service
chain and network introspection rules that redirect traffic in your
NSX-T data center.