What’s New in Panorama Plugin for VMware NSX 3.2.0
Table of Contents
Expand all | Collapse all
-
-
-
-
- Features Introduced in Zero Touch Provisioning 2.0
- Known Issues in the Zero Touch Provisioning 2.0.4 Release
- Known Issues in the Zero Touch Provisioning 2.0.3 Release
- Known Issues in the Zero Touch Provisioning 2.0.2 Release
- Known Issues in the Zero Touch Provisioning 2.0.1 Release
- Known Issues in the Zero Touch Provisioning 2.0.0 Release
- Limitations
-
-
What’s New in Panorama Plugin for VMware NSX 3.2.0
The Panorama Plugin for VMware NSX 3.2.0
introduces the following features:
- Device Certificate Support for the VM-Series Firewall on VMware NSX
- Security Policy Extension Between NSX-V and NSX-T
Device Certificate Support for the VM-Series Firewall on VMware NSX
The firewall requires a device certificate to retrieve the site license entitlements and securely
access cloud services such as WildFire, AutoFocus, Strata Logging Service, etc.
There are two methods for applying a site license to your VM-Series
firewall—One-Time Password (OTP) and auto-registration PIN. Each password or PIN is
generated on the Palo Alto Networks Customer Support website and unique to your Palo Alto
Networks support account. For the VM-Series firewall on NSX-V and NSX-T, you can add
the auto-registration PIN to your service definition configuration so the device
certificate is fetched by the firewall upon initial boot up. Additionally, if you
upgrade previously-deployed firewalls to PAN-OS version that supports device
certificates, you can apply a device certificate to the those firewalls individually
using a one-time password.
You must enable Device Certificates to deploy firewalls successfully
when using one of the following VM-Series firewall for NSX OVFs—10.0.1
and later, 9.1.5 and later, 9.0.11 and later, or 8.1.17 and later.
However, you are not required to enter a PIN ID and PIN Value. If
you do not enable Device Certificates, firewall deployment will
fail. You can add an OTP to your firewalls after deployment to have
them fetch a device certificate. See the Panorama Admin Guide for
more information about installing a device certificate on firewalls manage
by Panorama. See the Compatibility Matrix for
supported version information.
Security Policy Extension Between NSX-V and NSX-T
If you adding VMware NSX-T to your existing network
that includes NSX-V or moving from NSX-V to NSX-T, you can now use
your existing NSX-V security policy rules in NSX-T. The Panorama
plugin for VMware NSX 3.2.0 allows you to use your existing NSX-V
device groups and templates with your new NSX-T firewalls. When
you create an NSX-T service definition, select an device group and
a template stack used in an NSX-V service definition. After deploying
the firewalls in NSX-T, you will see match criteria retrieved from
NSX-T available for in dynamic address groups used in NSX-V. If
you add NSX-T match criteria to an NSX-V dynamic address group,
any security policy referencing the those dynamic address groups
will also be applied to traffic matching the NSX-T or NSX-V criteria.