End-of-Life (EoL)

Deploy the VM-Series Firewall Before the NetScaler VPX

The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM-Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs.
Topology Before Adding the VM-Series Firewall
Topology after adding the VM-Series firewall
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
  1. On the SDX server, make sure to enable Allow L2 Mode on the data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
  2. Re-cable the client-side interface assigned to the NetScaler VPX.
    Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
    If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will now only require one port that connects it to the server farm.
    Therefore, before you configure the data interfaces on the VM-Series firewall, you must remove the cable from the interface that connects the VPX to the client-side traffic and attach it to the firewall so that all incoming traffic is processed by the firewall.
  3. Configure the data interfaces.
    1. Launch the web interface of the firewall.
    2. Select
    3. Click the link for an interface, for example ethernet 1/1, and select Virtual Wire as the Interface Type.
    4. Click the link for the other interface and select Virtual Wire as the Interface Type.
    5. Each virtual wire interface must be connected to a security zone and a virtual wire. To configure these settings, select the
      tab and complete the following tasks:
      • In the Virtual wire drop-down click
        New Virtual Wire
        , define a
        and assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click
        When configuring ethernet 1/2, select this virtual wire.
      • Select
        New Zone
        from the
        Security Zone
        drop-down, define a
        for new zone, for example client, and then click
    6. Repeat step 5 for the other interface.
    7. Click
      to save changes to the firewall.
  4. Create a basic policy rule to allow traffic through the firewall.
    This example shows how to enable traffic between the NetScaler VPX and the web servers.
    1. Select
      , and click
    2. Give the rule a descriptive name in the
    3. In the
      tab, set the
      Source Zone
      to the client-side zone you defined. In this example, select client.
    4. In the
      tab, set the
      Destination Zone
      to the server-side zone you defined. In this example, select server.
    5. In the
      tab, click
      to select the applications to which you want to allow access.
    6. In the
      tab, complete these tasks:
      1. Set the
        Action Setting
      2. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under
        Profile Setting
    7. Verify that logging is enabled at the end of a session under
      . Only traffic that matches a security rule will be logged.
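
One way to check the outcome of step 4 offline, as an added example that is not part of the Palo Alto Networks documentation: a short Python script that scans a security rulebase in the XML form of an exported configuration and reports allow rules from the client zone to the server zone that leave the application as any, disable logging at session end, or lack one of the four profiles. The sample XML is constructed, and the rule names and the trimmed element layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed rulebase in the style of an exported XML config.
# Rule names and the exact element layout are assumptions for illustration.
SAMPLE = """
<rulebase><security><rules>
  <entry name="client-to-web">
    <from><member>client</member></from><to><member>server</member></to>
    <application><member>web-browsing</member></application>
    <action>allow</action><log-end>yes</log-end>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
      <spyware><member>default</member></spyware>
      <vulnerability><member>default</member></vulnerability>
      <url-filtering><member>default</member></url-filtering>
    </profiles></profile-setting>
  </entry>
  <entry name="temp-allow">
    <from><member>client</member></from><to><member>server</member></to>
    <application><member>any</member></application>
    <action>allow</action><log-end>no</log-end>
    <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting>
  </entry>
</rules></security></rulebase>
"""

REQUIRED_PROFILES = ("virus", "spyware", "vulnerability", "url-filtering")

def members(rule, path):
    """Text of every <member> under the given child path of a rule entry."""
    return [m.text for m in rule.findall(f"{path}/member")]

def audit_rules(xml_text, src="client", dst="server"):
    """Return {rule name: [findings]} for allow rules from src zone to dst zone."""
    findings = {}
    for rule in ET.fromstring(xml_text).findall(".//rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        if src not in members(rule, "from") or dst not in members(rule, "to"):
            continue
        issues = []
        if "any" in members(rule, "application"):
            issues.append("application left as any")
        # Assumption: a missing <log-end> element means the default (enabled).
        if rule.findtext("log-end", "yes") != "yes":
            issues.append("log at session end disabled")
        issues += [f"no {p} profile" for p in REQUIRED_PROFILES
                   if not members(rule, f"profile-setting/profiles/{p}")]
        findings[rule.get("name")] = issues
    return findings
```

An empty list for a rule means it matches what step 4 describes; any other rule is listed with the settings to revisit.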
