End-of-Life (EoL)
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall as an L3 deployment; the VM-Series firewall is placed to secure traffic between the NetScaler VPX and the servers on your network.
Topology Before Adding the VM-Series Firewall
Topology After Adding the VM-Series Firewall
The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall to Process North-South Traffic Using L3 interfaces
Install the VM-Series Firewall on the SDX Server. When provisioning the VM-Series firewall on the SDX server, you must ensure that you select the data interface accurately so that the firewall can access the server(s).
Configure the data interface on the firewall.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog and Add the interface to the virtual router.
2. (Required only if the USIP option is enabled on the NetScaler VPX) On the Static Routes tab on the virtual router, select the interface and add the NetScaler SNIP ( in this example) as the Next Hop. The static route defined here will be used to route traffic from the firewall to the NetScaler VPX.
3. Select Network > Interfaces > Ethernet and then select the interface you want to configure.
4. Select the Interface Type. Although your choice here depends on your network topology, this example uses Layer3.
5. On the Config tab, in the Virtual Router drop-down, select default.
6. Select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example default, and then click OK.
7. Select the IPv4 or IPv6 tab, click Add in the IP section, and enter two IP addresses and network mask to the interface, one for each subnet that is being serviced. For example, and
8. (Optional) To enable you to ping or SSH in to the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and SSH and then click OK.
9. To save the interface configuration, click OK.
10. Click Commit to save your changes to the firewall.
Create a basic policy to allow traffic between the NetScaler VPX and the web servers. In this example, because we have set up only one data interface, we specify the source and destination IP address to allow traffic between the NetScaler VPX and the servers.
1. Select Policies > Security, and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, select Add in the Source Address section and select the New Address link.
4. Create a new address object that specifies the SNIP on the NetScaler VPX. In this example, this IP address is the source for all requests to the servers.
5. In the Destination tab, select Add in the Destination Address section and select the New Address link.
6. Create a new address object that specifies the subnet of the web servers. In this example, this subnet hosts all the web servers that service the requests.
7. In the Application tab, select web-browsing.
8. In the Actions tab, complete these tasks:
   a. Set the Action Setting to Allow.
   b. Attach the default profiles for antivirus, anti-spyware, and vulnerability protection, under Profile Setting.
   c. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.
Create another rule to deny all other traffic from any source and any destination IP address on the network. Because all intra-zone traffic is allowed by default, in order to deny traffic other than web-browsing, you must create a deny rule that explicitly blocks all other traffic.
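The effect of the explicit deny rule described above, as an added example that is not part of the original documentation: a simplified first-match model of security policy evaluation with a single zone. The addresses and rule names are constructed placeholders, and the model assumes rules match only on source, destination, and application (zones in rules, services, and profiles are left out).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not the page's own values.
SNIP = "192.0.2.10"            # NetScaler VPX SNIP (placeholder)
SERVERS = "198.51.100.0/24"    # web server subnet (placeholder)

@dataclass
class Rule:
    name: str     # hypothetical rule name
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    app: str      # application name or "any"
    action: str   # "allow" or "deny"

def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, src, dst, app, src_zone="default", dst_zone="default"):
    """First matching rule wins; if none matches, the predefined defaults apply."""
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst) and r.app in ("any", app):
            return r.action, r.name
    # Predefined behaviour: intra-zone traffic is allowed, inter-zone is denied.
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"

ALLOW_WEB = Rule("allow-vpx-to-web", SNIP + "/32", SERVERS, "web-browsing", "allow")
DENY_ALL = Rule("deny-all-else", "any", "any", "any", "deny")

def compare(src, dst, app):
    """Verdict without the explicit deny rule, then with it."""
    return (evaluate([ALLOW_WEB], src, dst, app),
            evaluate([ALLOW_WEB, DENY_ALL], src, dst, app))

if __name__ == "__main__":
    flows = [
        (SNIP, "198.51.100.20", "web-browsing"),          # intended traffic
        (SNIP, "198.51.100.20", "ssh"),                   # wrong application
        ("192.0.2.50", "198.51.100.20", "web-browsing"),  # wrong source
    ]
    for flow in flows:
        without, with_deny = compare(*flow)
        print(flow, "| no deny rule:", without, "| with deny rule:", with_deny)
```

Because the single data interface places both subnets in one zone, every flow that misses the allow rule falls through to the intra-zone default and is permitted until the deny rule is added.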
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.

