End-of-Life (EoL)
This use case allows you to logically isolate traffic from two tenants that share an ESXi cluster and have a common set of security policies. In order to isolate traffic from each tenant you need to create a service definition with a template that includes two zones. Zone-based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants, when it traverses through the firewall. The firewall is able to distinguish traffic between tenant virtual machines based on a service profiles and security groups created on the NSX Manager, which are available as match criteria in Dynamic Address Groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant’s virtual machines using zone-base policy rules (source and destination zones must be the same) and dynamic address groups.
VM-Series NSX Edition Firewall —Per Tenant Zone with Unified Security Policy on Shared Infrastructure
Enable Communication Between the NSX Manager and Panorama. This is one-time task and is required if you have not enabled access between the NSX Manager and Panorama.
Create Template(s), and Device Group(s) on Panorama. Log in to the Panorama web interface. Select Panorama > Templates to add a template. This use case has a template named NSX-Template. Select Panorama > Device Groups and add device group. This use case has a device group named NSX-DG. Create two NSX service profile zones within the Template. To isolate traffic for each tenant, you need two zones in this use case. Select Network > Zones. Select the correct template in the Template drop-down. Select Add and enter a zone Name. For example, Tenant1. Select the Service Profile Zone for NSX check box. This selection automatically sets the interface Type to Virtual Wire.Click OK.
Repeat the steps to add another zone, for example, Tenant2. Verify that the zones are attached to the correct template.
Create the Service Definitions on Panorama. Select Panorama > VMware Service Manager. Select Add in the VMware Service Definition section and fill in the details.
Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Prepare the ESXi Host for the VM-Series Firewall The ESXi hosts in the cluster must have the necessary NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager will install the components— the Ethernet Adapter Module (.eam) and the SDK —required to deploy the VM-Series firewall.
Deploy the Palo Alto Networks NGFW Service Select Networking and Security > Installation > Service Deployments. Click New Service Deployment (green plus icon), and select the service definition for the Palo Alto Networks next generation firewall you want to deploy, Palo Alto Networks NGFW Test 1 in this example, make your selections including the appropriate ESXi cluster to which you want to deploy the firewall and click Finish.
Verify that the NSX Manager reports the Installation Status as Successful. Verify that the VM-Series firewall is successfully deployed. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall. View the management IP address(es) and the PAN-OS version running on the firewall directly from vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
Define Policies on the NSX Manager Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. Select Networking and Security > Service Composer > Security Groups, and add new NSX Security Groups for each tenant’s virtual machines. For example, this use case has two security groups per tenant; one security group for the web servers and the other security group for the application servers.
Select Networking and Security > Firewall > Configuration, and click Partner Security Services, to set up redirection rules for sending traffic to the VM-Series firewall. You will select the service profile associated with each tenant for which you want to redirect traffic. The service profile names on the NSX Manager must match the zone names you defined in the template on Panorama.
Apply Policies to the VM-Series Firewall Create Dynamic Address groups for each tenant on Panorama. The dynamic address group(s) that match on the name of the security group(s) you defined on the NSX Manager. On Panorama, select Objects > Address Groups. Select the correct Device Group from the drop-down and click Add. Add a Name for the address group and set Type as Dynamic and Add Match Criteria. Verify that you select the correct tags for each tenant, the tag includes the service profile ID, the security group name and the security group ID. For example, for this use case there are four dynamic address groups:
On Panorama, create security policy rules and use the dynamic address groups as source or destination address objects in security policy rules and push it to the firewalls. Select Policies > Security > Prerules and click Add. Create rules for each tenant. This use case has the following policy rules:
Click Commit, and select Commit Type as Device Groups. Select the device group, NSX-DG in this example and click OK.
Verify that traffic from each tenant is secured. Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall: show interface all total configured hardware interfaces: 2 name id speed/duplex/state mac address -------------------------------------------------------------- ethernet1/1 16 auto/auto/up d4:f4:be:c6:af:10 ethernet1/2 17 auto/auto/up d4:f4:be:c6:af:11 aggregation groups: 0 total configured logical interfaces: 6 name id vsys zone forwarding ------------------- ----- ---- ----------------- ethernet1/1 16 1 vwire:ethernet1/2 ethernet1/1.3 4099 1 TENANT-1 vwire:ethernet1/2.3 ethernet1/1.4 4100 1 TENANT-2 vwire:ethernet1/2.4 ethernet1/2 17 1 vwire:ethernet1/1 ethernet1/2.3 4355 1 TENANT-1 vwire:ethernet1/1.3 ethernet1/2.4 4356 1 TENANT-2 vwire:ethernet1/1.4 On the web interface of the VM-Series firewall, select Objects > Address Groups and verify that you can view the IP address for the members of each Dynamic Address Group. The following is an example of duplicate IP addresses in dynamic address groups across both tenants.
View the ACC and the Monitor > Logs > Traffic. Filter on the zone name to ensure that traffic from the virtual machines for each tenant is secured.

Recommended For You