1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up a VM-Series NSX Edition Firewall
    5. What is Multi-Tenant Support on the VM-Series NSX Edition Firewall?
    Previous
    Next
    Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant . A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub-tenant and redirect traffic to the appropriately configured VM-Series firewall. You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.
    		Panorama and the VM-Series firewalls must be running PAN-OS 7.1 or greater to support multi-tenancy.
    To deploy a multi-tenant solution, create one or more service definition(s) and service profile zone(s) on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template. This means that each instance of the VM-Series firewalls that is deployed using a service definition has one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster.
    A service profile zone within a Panorama template is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet 1/2.3 so that the firewall can isolate traffic for a sub-tenant. Because a template supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants.
    Panorama registers each service definition as a service definition on the NSX Manager and each service profile zone as a service profile within the corresponding service definition. And, when you deploy the service definition from the NSX Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. And you can use the steering rules on the NSX Manager to specify what traffic to redirect to the VM-Series firewall based on NSX security groups, and to which tenant or sub-tenant based on the service profile.
    Based on your requirements, you can choose from the following multi-tenancy options:
    Shared cluster with shared VM-Series firewalls - Multiple tenants share the cluster and the VM-Series firewall. A single instance of the VM-Series firewall is deployed on each host in the cluster. In order to separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies. Dedicated cluster with dedicated VM-Series firewalls - A single tenant occupies the cluster, and a single instance of the VM-Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub-tenants that require traffic separation ( one zone per sub-tenant) and a single policy set with zone-based rules to secure traffic for each sub-tenant. Use Case: Shared Security Policies on Dedicated Compute Infrastructure. Shared cluster with dedicated VM-Series firewalls - Multiple tenants share the cluster and multiple instances of the VM-Series firewalls are deployed on each host in a cluster so that each tenant can have a dedicated instance of the VM-Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant’s needs, you will define two or more service definitions for the cluster.
    When deploying multiple instances of the VM-Series firewall, you must ensure that each ESXi host has the sufficient CPU, memory and hard disk resources required to support the VM-Series firewalls and the other virtual machines that will be running on it.
    Previous
    Next

    Related Documentation

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure If you are a Managed Service Provider who needs to secure a large enterprise ( tenant ...

    Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall

    Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall Beginning with PAN-OS 7.1, the VM-Series NSX edition firewall includes ...

    What are the Benefits of the NSX Edition Solution?

    What are the Benefits of the NSX Edition Solution? The NSX edition of the VM-Series firewall is focused on securing east-west communication in the software-defined ...

    Virtualization Features

    Virtualization Features New Virtualization Feature Description VM-Series Firewall for Microsoft Azure The VM-Series firewall can now be deployed in Azure , the Microsoft public cloud. ...

    Panorama > VMware Service Manager

    Panorama > VMware Service Manager To automate the provisioning of a VM-Series NSX edition firewall, you must enable communication between the NSX Manager and Panorama. ...

    Create the Service Definitions on Panorama

    Create the Service Definitions on Panorama A service definition specifies the configuration for the VM-Series firewalls installed on each host in an ESXi cluster. The ...

    Use Case: Shared Compute Infrastructure and Shared Security Policies

    Use Case: Shared Compute Infrastructure and Shared Security Policies This use case allows you to logically isolate traffic from two tenants that share an ESXi ...

    How Do the Components in the NSX Edition Solution Work Together?

    How Do the Components in the NSX Edition Solution Work Together? To meet the security challenges in the software-defined data center, the NSX Manager, ESXi ...

    Deploy the Palo Alto Networks NGFW Service

    Deploy the Palo Alto Networks NGFW Service Use the following steps to automate the process of deploying an instance of the VM-Series NSX edition firewall ...

    VM-Series NSX Edition Firewall Deployment Checklist

    VM-Series NSX Edition Firewall Deployment Checklist To deploy the NSX edition of the VM-Series firewall, use the following workflow: Step 1: Set up the Components ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo