End-of-Life (EoL)

Deploy the VM-Series Firewall Before the NetScaler VPX

The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM-Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs.
[Figure: Topology before adding the VM-Series firewall (L2_VM_VPX_before.png)]
[Figure: Topology after adding the VM-Series firewall (L2_VM_VPX_after.png)]
The following steps are the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
  1. On the SDX server, make sure to enable Allow L2 Mode on the data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
  2. Re-cable the client-side interface assigned to the NetScaler VPX.
    Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
    If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will now only require one port that connects it to the server farm.
    Therefore, before you configure the data interfaces on the VM-Series firewall, you must remove the cable from the interface that connects the VPX to the client-side traffic and attach it to the firewall, so that all incoming traffic is processed by the firewall.
  3. Configure the data interfaces.
    [Screenshot: interface_vwire.PNG]
    1. Launch the web interface of the firewall.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for an interface, for example ethernet 1/1, and set the Interface Type to Virtual Wire.
    4. Click the link for the other interface and set the Interface Type to Virtual Wire.
    5. Each virtual wire interface must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
      • In the Virtual Wire drop-down, click New Virtual Wire, define a Name, assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK.
        When configuring ethernet 1/2, select this same virtual wire.
      • Select New Zone from the Security Zone drop-down, define a Name for the new zone, for example client, and then click OK.
    6. Repeat step 5 for the other interface.
    7. Click Commit to save the changes to the firewall.
  4. Create a basic policy rule to allow traffic through the firewall.
    This example shows how to enable traffic between the NetScaler VPX and the web servers.
    [Screenshot: basic_policy_2.PNG]
    1. Select Policies > Security, and click Add.
    2. Give the rule a descriptive name in the General tab.
    3. In the Source tab, set the Source Zone to the client-side zone you defined. In this example, select client.
    4. In the Destination tab, set the Destination Zone to the server-side zone you defined. In this example, select server.
    5. In the Application tab, click Add to select the applications to which you want to allow access.
    6. In the Actions tab, complete these tasks:
      1. Set the Action Setting to Allow.
      2. Under Profile Setting, attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering.
    7. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.
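The same virtual wire and security policy configuration from steps 3 and 4, expressed as PAN-OS CLI set commands. This is an added example, not configuration from the original page; the interface names (ethernet1/1, ethernet1/2) and zone names (client, server) follow the example above, while the virtual wire name vwire1, the rule name allow-vpx-to-web and the application list (web-browsing, ssl) are assumed values to replace with your own. The commands are the CLI equivalents of the web-interface steps as understood by the editor; confirm them against the CLI reference for your PAN-OS version.

```text
# Enter configuration mode on the VM-Series firewall
configure

# Step 3: set both data interfaces to Virtual Wire and bind them to one
# virtual wire (vwire1 is an assumed name)
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vwire1 interface1 ethernet1/1 interface2 ethernet1/2

# Attach each interface to its security zone:
# client = the re-cabled client-side link, server = the side facing the NetScaler VPX
set zone client network virtual-wire ethernet1/1
set zone server network virtual-wire ethernet1/2

# Step 4: basic rule from the client zone to the server zone; the application
# list is an assumed example, the action is allow
set rulebase security rules allow-vpx-to-web from client to server source any destination any application [ web-browsing ssl ] service application-default action allow

# Log at session end (step 4.7) so that allowed sessions appear in the traffic log
set rulebase security rules allow-vpx-to-web log-end yes

# Attach the default antivirus, anti-spyware, vulnerability protection and
# URL filtering profiles (step 4.6.2)
set rulebase security rules allow-vpx-to-web profile-setting profiles virus default spyware default vulnerability default url-filtering default

# Activate the candidate configuration (step 3.7)
commit
```

Only sessions that match a security rule are logged, so the log-end setting on this rule is what makes the allowed VPX-bound traffic visible in Monitor > Logs > Traffic; traffic that matches no rule hits the implicit interzone deny, which does not log by default.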
