To deploy the NSX edition of the VM-Series firewall, use the following workflow:
Step 1: Set up the Components —To deploy the VM-Series NSX edition, set up the following components (see What are the Components of the NSX Edition Solution?): Set up the vCenter server, install and register the NSX Manager with the vCenter server.
If you have not already set up the virtual switch(es) and grouped the ESXi hosts in to clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.
Do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series NSX edition firewall to discard packets.
Upgrade Panorama to version 7.1. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. Download and save the ovf template for the NSX edition of the VM-Series firewall on a web server. The NSX Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama.
Give the ova filename a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova allows you to overwrite the ova each time a newer version becomes available.
Register the capacity auth-code for the VM-Series NSX edition firewall with your support account on the Support Portal. For details, see Upgrade the VM-Series Firewall.
Step 2: Register —Configure Panorama to Register the VM-Series Firewall as a Service on the NSX Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager. The connection between Panorama and the NSX Manager is also required for licensing and configuring the firewall.
If you had configured Panorama to register the VM-Series firewall as a service on the NSX Manager in an earlier version, see Changes to default behavior to learn about the changes upon upgrade to version 7.1.
Step 3: Deploy the Firewalls and Create Policies —On Panorama, create the service definition(s) that specify the configuration for the VM-Series firewall. On the NSX Manager, install the VM-Series firewall, and create policies to redirect traffic to the VM-Series firewall. See Deploy the VM-Series Firewall and Create Policies. (On Panorama) Create the service definition.
If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see changes to default behavior.
(On the NSX Manager) Enable SpoofGuard and define rules to block non-IP protocols. (On the NSX Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall. (On the NSX Manager) Deploy the VM-Series firewall. The NSX Manager automatically deploys an instance of the VM-1000-HV on each ESXi host in the cluster. (On the NSX Manager) Set up the security groups. A security group assembles the specified guests/applications so that you can apply policy to the group. Then create the NSX Firewall policies to redirect traffic to the Palo Alto Networks service profile.
The NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools.
(On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls. On Panorama, create dynamic address groups for each security group and reference the dynamic address groups in policy, and then push the policies to the managed firewalls.
This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.
Step 4: Monitor and Maintain Network Security —Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama—the Application Command Center (ACC), logs, and the report generation capabilities—you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator’s Guide for more information. Step 5: Upgrade the software version— When upgrading the VM-Series NSX edition firewalls, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN-OS Software Version (NSX Edition).
For upgrading the PAN-OS version on the firewall, do not modify the VM-Series OVA URL in Panorama > VMware Service Manager. Do not use the VMware snapshots functionality on the VM-Series NSX edition firewall. Snapshots can impact performance and result in intermittent and inconsistent packet loss.See VMWare’s best practice recommendation with using snapshots. If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall ( Device > Set up > Operations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.
If you need to reinstall or remove the VM-Series from your NSX deployment, see the How to Remove VM-Series Integration from VMware NSX knowledge base article.

Related Documentation