1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up a VM-Series NSX Edition Firewall
    5. Steer Traffic from Guests that are not Running VMware Tools
    Previous
    Next
    VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest running in the cluster. NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If you do not have VMware tools installed on each guest, the IP address(es) of the guest is unavailable to the NSX Manager and traffic cannot be steered to the VM-Series firewall.
    The following steps allow you to manually provision guests without VMware Tools so that traffic from each of these guests can be managed by the VM-Series firewall.
    Steer Traffic from Guests that are not Running VMware Tools
    Create an IP set that includes the guests that need to be secured by the VM-Series firewall. This IP set will be used as the source or destination object in an NSX distributed firewall rule in Step 4 below. Select NSX Managers > Manage > Grouping Objects > IP Sets. Click Add and enter the IP address of each guest that does not have VMware tools installed, and needs to be secured by the VM-Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are not valid.
    Verify that SpoofGaurd is enabled. If not enabled, see Enable SpoofGuard.
    Manually approve the IP address(es) for each guest in SpoofGuard; this validates that the approved IP addresses is the accurate address for that network adapter. For a manually-configured IP address, make sure to add the IP address to the IP set before approving it in SpoofGuard. Select the new SpoofGuard policy you created to earlier and View: Inactive Virtual NICs. Select the guest and add the IP address in the Approved IP field and Publish changes. Review and approve all previously approved IP addresses too.
    Attach the IP sets to the Security Groups on NSX, to enforce policy. Select Networking and Security > Service Composer > Security Groups. Select Select objects to includ e > IP Sets, add the IP set object to include.
    Previous
    Next

    Related Documentation

    Enable SpoofGuard

    Enable SpoofGuard The NSX distributed firewall can only redirect traffic to the VM-series firewall when it matches an IP address that is known to the ...

    Set Up a VM-Series NSX Edition Firewall

    Set Up a VM-Series NSX Edition Firewall The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the ...

    How Do the Components in the NSX Edition Solution Work Together?

    How Do the Components in the NSX Edition Solution Work Together? To meet the security challenges in the software-defined data center, the NSX Manager, ESXi ...

    VM-Series NSX Edition Firewall Deployment Checklist

    VM-Series NSX Edition Firewall Deployment Checklist To deploy the NSX edition of the VM-Series firewall, use the following workflow: Step 1: Set up the Components ...

    Device > VM Information Sources

    Device > VM Information Sources Use this tab to proactively track changes on the Virtual Machines (VMs) deployed on any of these sources—VMware ESXi server, ...

    Define Policies on the NSX Manager

    Define Policies on the NSX Manager In order for the VM-Series firewall to secure the traffic, you must complete the following tasks: Set Up Security ...

    Deploy the VM-Series Firewall

    Deploy the VM-Series Firewall After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on ...

    Create Template(s), and Device Group(s) on Panorama

    Create Template(s), and Device Group(s) on Panorama To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group and ...

    Support for VMware Tools on Panorama and VM-Series on ESXi

    Support for VMware Tools on Panorama and VM-Series on ESXi VMware Tools is now supported on the VM-Series firewall and Panorama virtual machine deployed on ...

    Virtualization Features

    Virtualization Features New Virtualization Feature Description VM-Series Firewall for Microsoft Azure The VM-Series firewall can now be deployed in Azure , the Microsoft public cloud. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo