: VM-Series Firewall on VMware NSX-T (East-West)
Focus
Focus

VM-Series Firewall on VMware NSX-T (East-West)

Table of Contents
End-of-Life (EoL)

VM-Series Firewall on VMware NSX-T (East-West)

You can now deploy the VM-Series firewall on VMware NSX-T as a partner service to provide comprehensive visibility and safe application enablement of all East-West traffic in your NSX-T software-defined data center. The VM-Series firewall as a partner service enables micro-segmentation that allows you to protect your data center, enable granular access control inter-tier application traffic.
The VM-Series firewall on VMware NSX-T (East-West) requires the Panorama plugin for VMware NSX 3.1.0 or later.
  • Service Cluster—Multiple instances of the VM-Series firewall are deployed on a single ESXi cluster. NSX-T manager redirects traffic between VMs and security groups to the VM-Series firewall before it continues to the intended destination.
  • Host-Based—The VM-Series firewall is deployed on each ESXi hosts in your software-defined data center. Traffic between guests on the same host is inspected by the local firewall, so it does not need to leave the host for inspection. Traffic leaving the host is inspected by the firewall before reaching the vSwitch.
Deploying the VM-Series firewall to secure East-West traffic in your NSX-T software-defined data center requires the following steps.
  1. Register the VM-Series firewall as a service—Use Panorama to connect to your VMware NSX-T manager. After establishing communication with NSX-T Manager, configure the service definition.
    Additionally, NSX-T Manager uses this connection to send updates on the changes in the NSX-T environment with Panorama.
  2. Deploy the VM-Series firewall per host or in a service cluster—NSX-T Manager uses the information pushed from Panorama in the service definition to deploy the VM-Series firewall. Choose a where the VM-Series firewall will be deployed (in a service cluster or on each ESXi host) and how NSX-T provides a management IP address to the VM-Series firewall.
  3. The VM-Series connects to Panorama and sends security policy to the VM-Series firewall—The VM-Series firewall then connects to Panorama to obtain its license. Panorama gets the license from the Palo Alto Networks update server and sends it to the firewall. When the firewall gets its license, it reboots and comes back up with a serial number. When the firewall reconnects to Panorama after rebooting, it is added to device group and template stack defined in the service definition and Panorama pushes the appropriate security policy to that firewall. The firewall is now ready to secure traffic in your NSX-T data center.
    NSX-T Manager sends real-time updates about changes in the virtual environment to Panorama. As Panorama receives updates from NSX-T Manager, it sends those updates from its managed VM-Series firewalls as changes in dynamic address groups. This allows firewalls to apply the correct security policy to traffic flowing to and from virtual machines in your NSX-T data center.
  4. Create network introspection rules to redirect traffic to the VM-Series firewall—On the NSX-T Manager, create a service chain and network introspection rules that redirect traffic in your NSX-T data center.