Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant. A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization, such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub-tenant and redirect it to the appropriately configured VM-Series firewall. You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.
To deploy a multi-tenant solution, create one or more service definitions and service profile zones on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template. This means that every instance of the VM-Series firewall deployed using a given service definition shares one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster.
A service profile zone within a Panorama template is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that it can isolate traffic for that sub-tenant. Because a template supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants per template.
Panorama registers each service definition as a service definition on the NSX Manager, and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. You can then use steering rules on the NSX Manager to specify which traffic to redirect to the VM-Series firewall, based on NSX security groups, and to which tenant or sub-tenant it belongs, based on the service profile.
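As an added example (not Palo Alto Networks code), the following Python models the mapping described above: one service definition (a device group plus a template) per tenant, one service profile zone backed by the virtual wire subinterface pair ethernet1/1.N and ethernet1/2.N per sub-tenant, and the limit of 32 subinterface pairs per template. The DG-/TPL- names and the sequential tag numbering are assumptions made for illustration; Panorama assigns the real subinterfaces when it pushes the template.

```python
from dataclasses import dataclass, field

# Per-template limit stated on the page: 32 virtual wire subinterface pairs.
MAX_SUBINTERFACE_PAIRS = 32

@dataclass
class ServiceProfileZone:
    """One sub-tenant: a zone backed by a pair of virtual wire subinterfaces."""
    name: str
    tag: int
    subinterfaces: tuple[str, str]  # (ethernet1/1.N, ethernet1/2.N)

@dataclass
class ServiceDefinition:
    """One tenant: a single device group plus a single template on Panorama."""
    tenant: str
    device_group: str
    template: str
    zones: list[ServiceProfileZone] = field(default_factory=list)

def plan_service_definition(tenant: str, sub_tenants: list[str]) -> ServiceDefinition:
    """Map each sub-tenant to a service profile zone and a subinterface pair.

    Tag numbering (1, 2, 3, ...) and the DG-/TPL- names are assumptions of this
    model; Panorama assigns the real subinterfaces when it pushes the template.
    """
    if len(set(sub_tenants)) != len(sub_tenants):
        raise ValueError(f"{tenant}: duplicate sub-tenant names")
    if len(sub_tenants) > MAX_SUBINTERFACE_PAIRS:
        raise ValueError(f"{tenant}: {len(sub_tenants)} sub-tenants exceed the "
                         f"{MAX_SUBINTERFACE_PAIRS} pairs one template supports")
    sd = ServiceDefinition(tenant, f"DG-{tenant}", f"TPL-{tenant}")
    for tag, name in enumerate(sub_tenants, start=1):
        sd.zones.append(ServiceProfileZone(
            name=f"{tenant}-{name}", tag=tag,
            subinterfaces=(f"ethernet1/1.{tag}", f"ethernet1/2.{tag}")))
    return sd

def plan_tenants(tenants: dict[str, list[str]]) -> list[ServiceDefinition]:
    """One service definition per tenant, each registered on NSX Manager."""
    return [plan_service_definition(t, subs) for t, subs in tenants.items()]

if __name__ == "__main__":
    # Constructed sample: the page's example tenant and three sub-tenants.
    for sd in plan_tenants({"PaloAltoNetworks": ["Marketing", "Accounting", "HR"]}):
        for z in sd.zones:
            print(sd.template, z.name, *z.subinterfaces)
```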