End-of-Life (EoL)
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in a L2 or a virtual wire deployment. The VM-Series firewall secures traffic destined to the servers. The request arrives at the VIP address of the NetScaler VPX and is processed by the VM-Series firewall before it reaches the servers. On the return path, the traffic is directed to the SNIP on the NetScaler VPX and is processed by the VM-Series firewall before it is sent back to the client.
For the topology before adding the VM-Series firewall, see Topology Before Adding the VM-Series Firewall.
Topology After Adding the VM-Series Firewall
The following table includes the basic configuration tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces
Install the VM-Series Firewall on the SDX Server. On the SDX server, make sure to enable Allow L2 Mode on each data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
Re-cable the server-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when re-cabled, evaluate whether you would like to perform this task during a maintenance window. If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX requires only one port for handling client-side traffic. Therefore, before you configure the data interfaces on the VM-Series firewall, you must remove the cable from the interface that connects the VPX to the server farm and attach it to the firewall, so that all traffic to the server farm is processed by the firewall.
Configure the data interfaces. This example shows the configuration for virtual wire interfaces.
1. Launch the web interface of the firewall and select Network > Interfaces > Ethernet.
2. Click the link for an interface (for example, ethernet 1/1) and set the Interface Type to Layer2 or Virtual Wire.
3. Connect the interface to a security zone (and, for a virtual wire deployment, to a virtual wire) on the Config tab:
   Virtual Wire Configuration
   Each virtual wire interface (ethernet 1/1 and ethernet 1/2) must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
   - In the Virtual wire drop-down, click New Virtual Wire, define a Name, assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK. When configuring ethernet 1/2, select this virtual wire.
   - Select New Zone from the Security Zone drop-down, define a Name for the new zone (for example, client), and then click OK.
   Layer 2 Configuration
   Each Layer 2 interface requires a security zone. Select the Config tab and complete the following task:
   - Select New Zone from the Security Zone drop-down, define a Name for the new zone (for example, client), and then click OK.
4. Repeat steps 2 and 3 above for the other interface.
5. Click Commit to save changes to the firewall.
Create a basic policy rule to allow traffic through the firewall. This example shows how to enable traffic between the NetScaler VPX and the web servers.
1. Select Policies > Security, and click Add.
2. In the General tab, give the rule a descriptive name.
3. In the Source tab, set the Source Zone to the client-side zone you defined (in this example, client).
4. In the Destination tab, set the Destination Zone to the server-side zone you defined (in this example, server).
5. In the Application tab, click Add to select the applications to which you want to allow access.
6. In the Actions tab, complete these tasks:
   - Set the Action Setting to Allow.
   - Under Profile Setting, attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering.
   - Under Options, verify that logging is enabled at the end of a session. Only traffic that matches a security rule is logged.
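The interface, zone and policy steps above, expressed as PAN-OS configure-mode CLI commands for the virtual wire variant. This is an added example, not part of this document or of the PAN-OS documentation; the object names (vwire1, client, server, allow-vpx-to-web), the application list (web-browsing and ssl) and the sample addresses in the verification command are assumptions chosen to match the zone names used above. Lines beginning with # are annotations, not CLI input.

```text
# Added example (assumed names): PAN-OS CLI equivalent of the web UI steps above.
configure

# "Configure the data interfaces": put both SDX-facing data ports in virtual wire mode
# and bind them to one virtual wire object (assumed name: vwire1). The interface mode
# must be set before the zone can reference the interface as a virtual-wire member.
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vwire1 interface1 ethernet1/1 interface2 ethernet1/2

# One security zone per interface: ethernet1/1 faces the NetScaler VPX (client side),
# ethernet1/2 faces the server farm (server side). The two ends of a virtual wire must
# be in different zones, otherwise the client-to-server rule below never matches.
set zone client network virtual-wire ethernet1/1
set zone server network virtual-wire ethernet1/2

# "Create a basic policy rule": allow only the listed applications (assumed) from the
# client zone to the server zone, on their default ports, with the default threat
# profiles attached and logging at session end. Return traffic from the servers is
# matched by the existing session, so no server-to-client allow rule is required.
set rulebase security rules allow-vpx-to-web from client to server source any destination any application [ web-browsing ssl ] service application-default action allow
set rulebase security rules allow-vpx-to-web profile-setting profiles virus default spyware default vulnerability default url-filtering default
set rulebase security rules allow-vpx-to-web log-end yes

commit
exit

# Operational-mode check with constructed sample addresses (VPX side 10.1.1.10,
# server 10.2.2.20): confirms which rule a TCP/443 flow between the zones would hit.
test security-policy-match from client to server source 10.1.1.10 destination 10.2.2.20 protocol 6 destination-port 443
```

Because the rule is scoped to zones and to application-default ports, a flow that arrives on the correct interfaces but uses an application not in the list, or a non-standard port for a listed application, falls through to the implicit interzone deny; with log-end set on the rule, only flows that match it appear in the traffic log, which is why the last step above verifies the match before relying on those logs.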
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.