VMware NSX (VMware's networking and security platform) must be installed and registered with the vCenter server. The NSX Manager is required to deploy the VM-Series NSX edition firewall on the ESXi hosts within an ESXi cluster.
ESXi is a hypervisor that enables compute virtualization.
Table: Palo Alto Networks Components
The VM-Series base image (PA-VM-NSX-7.1.0.zip) is used for deploying the VM-Series NSX edition firewall with PAN-OS 7.1.
The minimum system requirement for deploying the VM-Series NSX edition firewall on the ESXi server is as follows:
Two vCPUs. One for the management plane and one for the dataplane.
You can assign 2 or 6 additional vCPUs, for a total of 2, 4 or 8 vCPUs on the firewall; the management plane uses only one vCPU, and every additional vCPU is assigned to the dataplane.
5GB of memory. Any additional memory will be used by the management plane only.
40GB of virtual disk space.
Panorama must be running the same release version as, or a later release version than, the firewalls that it will manage.
Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX Manager to deploy, license, and centrally administer—configuration and policies—on the VM-Series NSX edition firewall.
Panorama must be able to connect to the NSX Manager, the vCenter server, the VM-Series firewalls and the Palo Alto Networks update server.
The minimum system requirement for Panorama is as follows:
Two 8-core vCPUs (2.2GHz); use 3GHz if you have 10 or more firewalls.
4GB RAM; 16GB recommended if you have 10 or more firewalls.
40GB disk space; to expand log capacity, you must add a virtual disk or set up access to an NFS datastore. For details, refer to the Panorama documentation.
The only VM-Series license available in this solution is the VM-1000 in hypervisor mode (VM-1000-HV).
Table: Versions Supported
vCenter Server and ESXi: 5.5, 6.0, 6.5a
NSX Manager: 6.1, 6.2, 6.3
If using vCenter Server 6.0 and ESXi 6.0, you must use Panorama 7.0.1 or later.
The vCenter server is required to manage the NSX Manager and the ESXi hosts in your data center. This joint solution requires that the ESXi hosts be organized into one or more clusters on the vCenter server and that the hosts be connected to a distributed virtual switch.
For information on clusters, distributed virtual switches, DRS, and the vCenter server, refer to your VMware documentation.
NSX is VMware’s network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager. The NSX firewall is a logical firewall that allows you to attach network and security services to the virtual machines, and the Service Composer allows you to group virtual machines and create policy to redirect traffic to the VM-Series firewall (called the Palo Alto Networks NGFW service on the NSX Manager).
Panorama is used to register the NSX edition of the VM-Series firewall as the Palo Alto Networks NGFW service on the NSX Manager. Registering the Palo Alto Networks NGFW service on the NSX Manager allows the NSX Manager to deploy the NSX edition of the VM-Series firewall on each ESXi host in the ESXi cluster.
Panorama serves as the central point of administration for the VM-Series NSX edition firewalls. When a new VM-Series NSX edition firewall is deployed, it communicates with Panorama to obtain its license and receives its configuration and policies from Panorama. All configuration elements, policies, and dynamic address groups on the VM-Series NSX edition firewalls can be centrally managed on Panorama using Device Groups and Templates. The REST-based XML API integration in this solution enables Panorama to synchronize with the NSX Manager and the VM-Series NSX edition firewalls, which allows the use of dynamic address groups and shares context between the virtualized environment and security enforcement. For more information, see Policy Enforcement using Dynamic Address Groups.
VM-Series NSX Edition
The VM-Series NSX edition is the VM-Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process of installing the VM-Series firewall directly on the ESXi hypervisor, and allows the hypervisor to forward traffic to the VM-Series firewall without using the vSwitch configuration; it therefore requires no change to the virtual network topology.
The VM-Series NSX edition only supports virtual wire interfaces. In this edition, ethernet 1/1 and ethernet 1/2 are bound together through a virtual wire and use the NetX dataplane API to communicate with the hypervisor. Layer 2 or Layer 3 interfaces are neither required nor supported on the VM-Series NSX edition, and therefore no switching or routing actions can be performed by the firewall. For enabling traffic separation in a multi-tenancy environment, you can create additional zones that internally map to a pair of virtual wire subinterfaces on the parent virtual wire interfaces, ethernet 1/1 and ethernet 1/2.
The only license available for this version of the VM-Series firewall is the VM-1000-HV. For a brief summary of the capacity, see VM-Series Models; for complete information on the maximum capacities supported by the VM-1000-HV license, refer to the VM-Series Specsheet.
Ports/Protocols Used for Network Communication
To enable the network communication required to deploy the VMware NSX edition firewall, you must allow the following protocols/ports and App-IDs.
The NSX Manager and Panorama use SSL to communicate on TCP/443.
VM-Series NSX Edition—If you plan to use WildFire, the VM-Series firewalls must be able to access wildfire.paloaltonetworks.com on port 443. This is an SSL connection and the App-ID is paloalto-wildfire-cloud.
The management interface on the VM-Series firewall uses SSL to communicate with Panorama over TCP/3978.
The vCenter Server must be able to reach the deployment web server that is hosting the VM-Series OVA. The port is TCP/80 by default (App-ID web-browsing).
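The requirements above are easy to get partly wrong in a segmented data center (the OVA web server is reachable from the jump host but not from vCenter, or the firewalls' management network has no route to Panorama). The following pre-flight script is an added example, not Palo Alto Networks or VMware code. It encodes the source component, destination, port and App-ID of each flow listed in this section and attempts a plain TCP handshake to each destination. The hostnames nsx-manager.example.internal, panorama.example.internal and ova-web.example.internal are placeholders (assumed, not from the page); wildfire.paloaltonetworks.com is the destination the page names.

```python
"""Pre-flight reachability check for the VM-Series NSX edition deployment.

Added example (not Palo Alto Networks or VMware code). Each entry encodes one
flow from the Ports/Protocols section; check_tcp() proves only that the port
answers a TCP handshake from the host running this script, so run it from the
component named in the `source` column (or a host in that component's zone).
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    source: str   # component that must initiate the connection
    dest: str     # hostname or IP of the peer
    port: int     # TCP port the peer listens on
    app_id: str   # App-ID an in-path Palo Alto Networks firewall will see
    purpose: str


# Placeholder hostnames (assumed, not from the page); edit for your site.
REQUIREMENTS = [
    Requirement("Panorama", "nsx-manager.example.internal", 443,
                "ssl", "NSX Manager service registration and sync"),
    Requirement("VM-Series firewall", "wildfire.paloaltonetworks.com", 443,
                "paloalto-wildfire-cloud", "WildFire cloud (only if WildFire is used)"),
    Requirement("VM-Series firewall", "panorama.example.internal", 3978,
                "ssl", "management connection to Panorama"),
    Requirement("vCenter Server", "ova-web.example.internal", 80,
                "web-browsing", "fetch the VM-Series OVA for deployment"),
]


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused, filtered or unresolvable destination yields False; no data is
    sent, so this does not validate the TLS peer, only reachability.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def preflight(requirements=REQUIREMENTS, connect=check_tcp):
    """Test every requirement with `connect(host, port)` and return a list of
    (requirement, reachable) pairs. `connect` is injectable so the logic can
    be exercised without network access."""
    return [(r, connect(r.dest, r.port)) for r in requirements]


def failures(results):
    """Requirements whose destination was not reachable."""
    return [r for r, ok in results if not ok]


def report(results):
    """Human-readable summary, one line per flow, in the page's column order."""
    lines = []
    for r, ok in results:
        status = "OK" if ok else "FAIL"
        lines.append(f"[{status}] {r.source} -> {r.dest}:{r.port}/tcp "
                     f"(App-ID {r.app_id}) {r.purpose}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = preflight()
    print(report(results))
    # Non-zero exit if any flow is blocked, so the check can gate a pipeline.
    raise SystemExit(1 if failures(results) else 0)
```

A FAIL line tells you which component-to-component flow to open on the intervening firewalls or security groups; the App-ID column is what to allow in a PAN-OS security policy sitting in that path rather than a bare port rule.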