1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up a VM-Series NSX Edition Firewall
    5. Define Policies on the NSX Manager
    Previous
    Next
    In order for the VM-Series firewall to secure the traffic, you must complete the following tasks:
    Set Up Security Groups on the NSX Manager Redirect Traffic to the VM-Series Firewall Apply Policies to the VM-Series Firewall.
    Set Up Security Groups on the NSX Manager
    A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. Creating security groups makes it easier to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.
    Set up Security Groups on the NSX Manager
    Select Networking and Security > Service Composer > Security Groups, and add a New Security Group.
    Add a Name and Description. This name will display in the match criteria list when defining dynamic address groups on Panorama.
    Select the guests that constitute the security group. You can either add members dynamically or statically. You can Define Dynamic Membership by matching on Security tags (recommended), or statically Select the Objects to Include. In the following screenshot, the guests that belong to the security group are selected using the Objects Type: Virtual Machine option.
    Review the details and click OK to create the security group.
    Redirect Traffic to the VM-Series Firewall
    Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.
    Define NSX Firewall Rules to Redirect Traffic to the VM-Series Firewall
    Select Networking and Security > Service Composer > Security Policies and click Create Security Policy ( ).
    Add a rule Name.
    Add a network introspection service. Select Network Introspection Services and click the green plus icon. Name the network introspection service and add a Description. Select Redirect to Service under Action. Select your service definition under Service Name. Select your service profile under Profile. Select a Source and a Destination. By default, traffic source is set to Policy’s Security Groups. This option dynamically includes all security groups where this policy is applied. Alternatively, you can choose to have traffic from any source redirected to the firewall or specify certain security groups. However, vSphere requires that Source or Destination (or both) be set Policy’s Security Group. If you select Any or specific security groups for Destination, then Source must be set to Policy’s Security Group. (Optional) Select specific network services to be redirected to the firewall. If you choose any service or services, all other traffic will not be redirected to the firewall. Click OK. Repeat steps 1 through 6 to add additional network introspection services. Click Finish to save your configuration.
    Apply redirection policy to security groups. Highlight a security policy by clicking it. Select Networking and Security > Service Composer > Security Policies and click Apply Security Policy ( ). Apply the redirection rules by checking all appropriate zones. Click OK.
    Previous
    Next

    Related Documentation

    How Do the Components in the NSX Edition Solution Work Together?

    How Do the Components in the NSX Edition Solution Work Together? To meet the security challenges in the software-defined data center, the NSX Manager, ESXi ...

    Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall

    Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall Beginning with PAN-OS 7.1, the VM-Series NSX edition firewall includes ...

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure If you are a Managed Service Provider who needs to secure a large enterprise ( tenant ...

    Create Policies

    Create Policies The following topics describe how to create policies on the NSX Manager to redirect traffic to the VM-Series firewall and how to create ...

    Use Case: Shared Compute Infrastructure and Shared Security Policies

    Use Case: Shared Compute Infrastructure and Shared Security Policies This use case allows you to logically isolate traffic from two tenants that share an ESXi ...

    Apply Policies to the VM-Series Firewall

    Apply Policies to the VM-Series Firewall Now that you have created the security policies on the NSX Manager, the names of the security groups that ...

    Create the Service Definitions on Panorama

    Create the Service Definitions on Panorama A service definition specifies the configuration for the VM-Series firewalls installed on each host in an ESXi cluster. The ...

    VM-Series NSX Edition Firewall Deployment Checklist

    VM-Series NSX Edition Firewall Deployment Checklist To deploy the NSX edition of the VM-Series firewall, use the following workflow: Step 1: Set up the Components ...

    Set Up a VM-Series NSX Edition Firewall

    Set Up a VM-Series NSX Edition Firewall The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the ...

    Steer Traffic from Guests that are not Running VMware Tools

    Steer Traffic from Guests that are not Running VMware Tools VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo