End-of-Life (EoL)
The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM-Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs.
Topology Before Adding the VM-Series Firewall
Topology after adding the VM-Series firewall
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces
Install the VM-Series Firewall on the SDX Server. On the SDX server, make sure to enable Allow L2 Mode on the data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
Re-cable the client-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when re-cabled, evaluate whether you would like to perform this task during a maintenance window. If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will now only require one port that connects it to the server farm. Therefore, before you configure the data interfaces on the VM-Series firewall, you must remove the cable from the interface that connects the VPX to the client-side traffic and attach it to the firewall so that all incoming traffic is processed by the firewall.
Configure the data interfaces.
1. Launch the web interface of the firewall.
2. Select Network > Interfaces > Ethernet.
3. Click the link for an interface, for example ethernet 1/1, and select the Interface Type as Virtual Wire.
4. Click the link for the other interface and select the Interface Type as Virtual Wire.
5. Each virtual wire interface must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
   a. In the Virtual wire drop-down click New Virtual Wire, define a Name and assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK. When configuring ethernet 1/2, select this virtual wire.
   b. Select New Zone from the Security Zone drop-down, define a Name for new zone, for example client, and then click OK.
6. Repeat step 5 for the other interface.
7. Click Commit to save changes to the firewall.
Create a basic policy rule to allow traffic through the firewall. This example shows how to enable traffic between the NetScaler VPX and the web servers.
1. Select Policies > Security, and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to the client-side zone you defined. In this example, select client.
4. In the Destination tab, set the Destination Zone to the server-side zone you defined. In this example, select server.
5. In the Application tab, click Add to select the applications to which you want to allow access.
6. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under Profile Setting.
   c. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.
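One way to check the result of the policy steps above after the commit: the script below audits allow rules for named zones and applications, the four default profiles, and logging at session end. It is an added example, not code from the original page or from Palo Alto Networks; the XML sample is constructed, and its element names are assumed to match the layout of an exported PAN-OS configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. Element names are an
# assumption modelled on an exported PAN-OS configuration; check your own export.
SAMPLE = """<rules>
<entry name="client-to-server">
  <from><member>client</member></from><to><member>server</member></to>
  <application><member>web-browsing</member></application>
  <action>allow</action><log-end>yes</log-end>
  <profile-setting><profiles>
    <virus><member>default</member></virus>
    <spyware><member>default</member></spyware>
    <vulnerability><member>default</member></vulnerability>
    <url-filtering><member>default</member></url-filtering>
  </profiles></profile-setting>
</entry>
<entry name="too-open">
  <from><member>client</member></from><to><member>any</member></to>
  <application><member>any</member></application>
  <action>allow</action><log-end>no</log-end>
  <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting>
</entry>
</rules>"""

# Antivirus, anti-spyware, vulnerability protection and URL filtering.
PROFILES = ("virus", "spyware", "vulnerability", "url-filtering")

def members(rule, path):
    """Return the <member> values under a child element such as <from>."""
    return [m.text for m in rule.findall(f"{path}/member")]

def audit_rules(xml_text):
    """Map each allow rule's name to a list of findings (empty list = clean)."""
    report = {}
    for rule in ET.fromstring(xml_text).iter("entry"):
        if rule.findtext("action") != "allow":
            continue
        findings = []
        for tag in ("from", "to", "application"):
            values = members(rule, tag)
            if not values or "any" in values:
                findings.append(f"{tag} is unset or 'any'")
        for prof in PROFILES:
            if not members(rule, f"profile-setting/profiles/{prof}"):
                findings.append(f"no {prof} profile attached")
        if rule.findtext("log-end") != "yes":
            findings.append("log-end is not set to yes")
        report[rule.get("name")] = findings
    return report
```

Call `audit_rules()` on the security rulebase section of your own export; a rule that follows the steps above returns an empty list.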
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
