What’s New in Panorama Plugin for VMware NSX 3.2.0

The Panorama Plugin for VMware NSX 3.2.0 introduces the following features:

Device Certificate Support for the VM-Series Firewall on VMware NSX

The firewall requires a device certificate to retrieve the site license entitlements and securely access cloud services such as WildFire, AutoFocus, and Cortex Data Lake. There are two methods for applying a site license to your VM-Series firewall: One-Time Password (OTP) and auto-registration PIN. Each password or PIN is generated on the Palo Alto Networks Customer Support website and is unique to your Palo Alto Networks support account. For the VM-Series firewall on NSX-V and NSX-T, you can add the auto-registration PIN to your service definition configuration so the firewall fetches the device certificate upon initial boot up. Additionally, if you upgrade previously-deployed firewalls to a PAN-OS version that supports device certificates, you can apply a device certificate to those firewalls individually using a one-time password.
You must enable Device Certificates to deploy firewalls successfully when using one of the following VM-Series firewall for NSX OVFs: 10.0.1 and later, 9.1.5 and later, 9.0.11 and later, or 8.1.17 and later. However, you are not required to enter a PIN ID and PIN Value. If you do not enable Device Certificates, firewall deployment will fail. You can add an OTP to your firewalls after deployment to have them fetch a device certificate. See the Panorama Admin Guide for more information about installing a device certificate on firewalls managed by Panorama. See the Compatibility Matrix for supported version information.

Security Policy Extension Between NSX-V and NSX-T

If you are adding VMware NSX-T to your existing network that includes NSX-V, or moving from NSX-V to NSX-T, you can now use your existing NSX-V security policy rules in NSX-T. The Panorama plugin for VMware NSX 3.2.0 allows you to use your existing NSX-V device groups and templates with your new NSX-T firewalls. When you create an NSX-T service definition, select a device group and a template stack used in an NSX-V service definition. After deploying the firewalls in NSX-T, you will see match criteria retrieved from NSX-T available for use in dynamic address groups used in NSX-V. If you add NSX-T match criteria to an NSX-V dynamic address group, any security policy referencing those dynamic address groups will also be applied to traffic matching the NSX-T or NSX-V criteria.
