VM-Series NSX Edition Firewall — Per Tenant Zone with Unified Security Policy on Shared Infrastructure
Enable Communication Between the NSX Manager and Panorama.
|
This is a one-time task, required only if you have not already enabled access between the NSX Manager and Panorama.
|
Create Template(s), and Device Group(s) on Panorama.
|
Log in to the Panorama web interface.
Select Panorama > Templates to add a template. This use case uses a template named NSX-Template.
Select Panorama > Device Groups to add a device group. This use case uses a device group named NSX-DG.
Create two NSX service profile zones within the template. To isolate the traffic of each tenant, this use case needs one zone per tenant.
Select Network > Zones and select the correct template in the Template drop-down.
Select Add and enter a zone Name, for example, Tenant1.
Select the Service Profile Zone for NSX check box. This selection automatically sets the interface Type to Virtual Wire. Click OK.
Repeat the steps to add another zone, for example, Tenant2.
Verify that the zones are attached to the correct template.
|
Create the Service Definitions on Panorama.
|
Select Panorama > VMware Service Manager.
Select Add in the VMware Service Definition section and fill in the details.
Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
|
Prepare the ESXi Host for the VM-Series Firewall
|
The ESXi hosts in the cluster must have the NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager installs the components required to deploy the VM-Series firewall: the ESX Agent Manager (EAM) agent and the SDK.
|
Deploy the Palo Alto Networks NGFW Service
|
Select Networking and Security > Installation > Service Deployments.
Click New Service Deployment (green plus icon) and select the service definition for the Palo Alto Networks next-generation firewall you want to deploy, Palo Alto Networks NGFW Test 1 in this example. Make your selections, including the ESXi cluster to which you want to deploy the firewall, and click Finish.
Verify that the NSX Manager reports the Installation Status as Successful.
Verify that the VM-Series firewall is successfully deployed.
On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
You can view the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server: VMware Tools is bundled with the PAN-OS software image and is enabled automatically when the VM-Series firewall starts, which is what lets vCenter report this information.
|
Define Policies on the NSX Manager
Do not apply the traffic redirection policies until you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall denies all traffic, so any traffic redirected to the VM-Series firewall before you push security policy rules from Panorama is dropped.
|
Select Networking and Security > Service Composer > Security Groups, and add NSX security groups for each tenant's virtual machines. This use case has two security groups per tenant: one for the web servers and one for the application servers.
Select Networking and Security > Firewall > Configuration, and click Partner Security Services to set up the redirection rules that send traffic to the VM-Series firewall. For each tenant whose traffic you want to redirect, select the service profile associated with that tenant.
The service profile names on the NSX Manager must match exactly the zone names you defined in the template on Panorama.
|
Apply Policies to the VM-Series Firewall
|
Create dynamic address groups for each tenant on Panorama. Each dynamic address group matches on the name of a security group you defined on the NSX Manager.
On Panorama, select Objects > Address Groups.
Select the correct Device Group from the drop-down and click Add.
Enter a Name for the address group, set Type to Dynamic, and click Add Match Criteria. Verify that you select the correct tags for each tenant; each tag includes the service profile ID, the security group name, and the security group ID. For example, this use case has four dynamic address groups, one for each of the two security groups (web and application) in each tenant.
On Panorama, create security policy rules that use the dynamic address groups as source or destination address objects, and push them to the firewalls.
Select Policies > Security > Prerules and click Add.
Create rules for each tenant. Because the dynamic address groups of different tenants can contain the same IP addresses, match on the tenant's zone in each rule as well as on its dynamic address groups. This use case has the following policy rules:
|
Click Commit, select Device Groups as the Commit Type, select the device group (NSX-DG in this example), and click OK.
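The reason the rules must carry the tenant zone becomes clearer with a small model of how a rulebase is evaluated. The following is an added example, not code from the Palo Alto Networks page or product: it models first-match lookup over constructed IP-to-tag registrations, dynamic address groups and rules. The tag strings imitate the page's description (service profile ID, security group name, security group ID) but every ID, group name and rule name is invented, and the lookup is a simplification of PAN-OS policy evaluation (zones and addresses only, no applications or services).

```python
"""Toy model of first-match rule lookup with dynamic address groups (DAGs)
and per-tenant zones. Added example, not from the Palo Alto Networks page;
all registrations, tags, group names and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed IP-to-tag registrations. NSX tags each VM's IP with the
# service profile ID, security group name and security group ID (the IDs
# below are invented). Both tenants use the same private addresses, so each
# IP is registered under both tenants' tags.
REGISTERED: Dict[str, Set[str]] = {
    "10.1.1.10": {"sp-1001_Web-SG_sg-101", "sp-1002_Web-SG_sg-201"},
    "10.1.2.10": {"sp-1001_App-SG_sg-102", "sp-1002_App-SG_sg-202"},
}

# Dynamic address groups: name -> the tag used as match criterion
DAGS: Dict[str, str] = {
    "Tenant1-Web": "sp-1001_Web-SG_sg-101",
    "Tenant1-App": "sp-1001_App-SG_sg-102",
    "Tenant2-Web": "sp-1002_Web-SG_sg-201",
    "Tenant2-App": "sp-1002_App-SG_sg-202",
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str  # tenant zone, or "any"
    to_zone: str
    src_dag: str
    dst_dag: str
    action: str


# Constructed rulebase: tenant 1 allows web-to-app, tenant 2 blocks it.
# Both rules pin the tenant zone, which is what the per-tenant-zone design
# relies on when tenants share address space.
RULES: List[Rule] = [
    Rule("Tenant1-Web-to-App", "Tenant1", "Tenant1", "Tenant1-Web", "Tenant1-App", "allow"),
    Rule("Tenant2-Web-to-App", "Tenant2", "Tenant2", "Tenant2-Web", "Tenant2-App", "deny"),
]


def resolve_dag(name: str) -> Set[str]:
    """IPs currently registered with the group's match tag."""
    tag = DAGS[name]
    return {ip for ip, tags in REGISTERED.items() if tag in tags}


def match_rule(rules: List[Rule], from_zone: str, to_zone: str,
               src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Top-down first match, the way a security rulebase is evaluated."""
    for rule in rules:
        if rule.from_zone not in ("any", from_zone):
            continue
        if rule.to_zone not in ("any", to_zone):
            continue
        if src_ip not in resolve_dag(rule.src_dag):
            continue
        if dst_ip not in resolve_dag(rule.dst_dag):
            continue
        return rule
    return None


def without_zones(rules: List[Rule]) -> List[Rule]:
    """The same rulebase with zones set to 'any': the mistake the tenant
    zones exist to prevent."""
    return [Rule(r.name, "any", "any", r.src_dag, r.dst_dag, r.action) for r in rules]


if __name__ == "__main__":
    # Both tenants' web groups resolve to the same IP, as the page's
    # address-group check shows.
    print("Tenant1-Web:", resolve_dag("Tenant1-Web"))
    print("Tenant2-Web:", resolve_dag("Tenant2-Web"))
    for zone in ("Tenant1", "Tenant2"):
        hit = match_rule(RULES, zone, zone, "10.1.1.10", "10.1.2.10")
        print(f"{zone} web->app: {hit.name} -> {hit.action}")
    hit = match_rule(without_zones(RULES), "Tenant2", "Tenant2", "10.1.1.10", "10.1.2.10")
    print(f"zoneless rulebase, Tenant2 web->app: {hit.name} -> {hit.action}")
```

With the zones in place, the same source and destination addresses hit the Tenant1 allow rule when they arrive in the Tenant1 zone and the Tenant2 deny rule when they arrive in the Tenant2 zone. With the zones set to any, Tenant2's web-to-app traffic is allowed by Tenant1's rule, because the first rule whose address groups contain the overlapping IPs wins.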
|
Verify that traffic from each tenant is secured.
|
Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall:
show interface all
total configured hardware interfaces: 2
name                id    speed/duplex/state    mac address
--------------------------------------------------------------
ethernet1/1         16    auto/auto/up          d4:f4:be:c6:af:10
ethernet1/2         17    auto/auto/up          d4:f4:be:c6:af:11

aggregation groups: 0

total configured logical interfaces: 6
name                id    vsys zone       forwarding
------------------- ----- ---- -----------------
ethernet1/1         16    1               vwire:ethernet1/2
ethernet1/1.3       4099  1    TENANT-1   vwire:ethernet1/2.3
ethernet1/1.4       4100  1    TENANT-2   vwire:ethernet1/2.4
ethernet1/2         17    1               vwire:ethernet1/1
ethernet1/2.3       4355  1    TENANT-1   vwire:ethernet1/1.3
ethernet1/2.4       4356  1    TENANT-2   vwire:ethernet1/1.4
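What you are checking in that output is that each tenant zone holds exactly one pair of virtual wire subinterfaces that point at each other, and that the zone names the NSX Manager created are the ones you expect from the template. The following script, an added example rather than anything from the Palo Alto Networks page or product, parses a copy of the output above (embedded as constructed sample text) and reports those problems. The regular expression is written for this output layout, and the expected zone names are an assumption you adapt to your template.

```python
"""Parse 'show interface all' output and check each tenant's service
profile zone. Added example, not from the Palo Alto Networks page; SAMPLE
is a constructed copy of the page's logical-interface output."""
import re
from typing import Dict, List, NamedTuple

SAMPLE = """\
total configured logical interfaces: 6
name                id    vsys zone       forwarding
------------------- ----- ---- -----------------
ethernet1/1         16    1               vwire:ethernet1/2
ethernet1/1.3       4099  1    TENANT-1   vwire:ethernet1/2.3
ethernet1/1.4       4100  1    TENANT-2   vwire:ethernet1/2.4
ethernet1/2         17    1               vwire:ethernet1/1
ethernet1/2.3       4355  1    TENANT-1   vwire:ethernet1/1.3
ethernet1/2.4       4356  1    TENANT-2   vwire:ethernet1/1.4
"""


class Iface(NamedTuple):
    name: str
    zone: str  # "" when the interface has no zone
    peer: str  # virtual wire partner


# name, id, vsys, optional zone, then the vwire partner (assumed layout)
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(?:(\S+)\s+)?vwire:(\S+)$")


def parse_logical_interfaces(text: str) -> List[Iface]:
    """Return every interface row that carries a vwire forwarding entry."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Iface(m.group(1), m.group(4) or "", m.group(5)))
    return rows


def check_tenant_zones(ifaces: List[Iface], expected_zones: List[str]) -> Dict[str, List[str]]:
    """Problems per zone; an empty list means the zone passed."""
    by_name = {i.name: i for i in ifaces}
    problems: Dict[str, List[str]] = {}
    for zone in expected_zones:
        issues: List[str] = []
        members = [i for i in ifaces if i.zone == zone]
        if len(members) != 2:
            issues.append(f"expected 2 subinterfaces, found {len(members)}")
        for i in members:
            peer = by_name.get(i.peer)
            if peer is None:
                issues.append(f"{i.name}: vwire peer {i.peer} missing")
            elif peer.peer != i.name:
                issues.append(f"{i.name}: peer {i.peer} does not point back")
            elif peer.zone != zone:
                issues.append(f"{i.name}: peer {i.peer} is in zone {peer.zone!r}")
        problems[zone] = issues
    # Zones present on the firewall but not in the expected list, e.g. a
    # service profile name that does not match the Panorama zone name.
    for zone in {i.zone for i in ifaces if i.zone} - set(expected_zones):
        problems[zone] = ["zone exists on the firewall but is not an expected tenant zone"]
    return problems


if __name__ == "__main__":
    ifaces = parse_logical_interfaces(SAMPLE)
    # Expected names assumed from the sample; use the zone names in your template.
    for zone, issues in check_tenant_zones(ifaces, ["TENANT-1", "TENANT-2"]).items():
        print(zone, "OK" if not issues else "; ".join(issues))
    # A mismatched spelling is reported from both sides.
    for zone, issues in check_tenant_zones(ifaces, ["Tenant1", "Tenant2"]).items():
        print(zone, "OK" if not issues else "; ".join(issues))
```

Running the script against the sample reports both tenant zones as OK; asking it for Tenant1 and Tenant2 instead shows each expected zone with no subinterfaces and each TENANT-n zone as unexpected, which is the symptom of a service profile name that does not match the zone name on Panorama. Feed it the real output with the zone names from your template.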
On the web interface of the VM-Series firewall, select Objects > Address Groups and verify that you can view the IP addresses of the members of each dynamic address group. The following example shows the same IP addresses appearing in the dynamic address groups of both tenants; this overlapping address space is expected, and the tenant zone is what keeps the tenants apart in policy.
|
View the ACC and Monitor > Logs > Traffic. Filter on the zone name to confirm that traffic from each tenant's virtual machines is being secured by the rules for that tenant.
|