Deploy the VM-Series Firewall Before the NetScaler VPX
The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM-Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs.
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
- On the SDX server, make sure to enable Allow L2 Mode on the data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
- Re-cable the client-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window. If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will now only require one port that connects it to the server farm. Therefore, before you configure the data interfaces on the VM-Series, you must remove the cable from the interface that connects the VPX to the client-side traffic and attach it to the firewall so that all incoming traffic is processed by the firewall.
- Configure the data interfaces.
  - Launch the web interface of the firewall.
  - Click the link for an interface, for example ethernet 1/1, and select the Interface Type as Virtual Wire.
  - Click the link for the other interface and select the Interface Type as Virtual Wire.
  - Each virtual wire interface must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
    - In the Virtual wire drop-down click New Virtual Wire, define a Name and assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK. When configuring ethernet 1/2, select this virtual wire.
    - Select New Zone from the Security Zone drop-down, define a Name for new zone, for example client, and then click OK.
  - Repeat step e for the other interface.
  - Click Commit to save changes to the firewall.
- Create a basic policy rule to allow traffic through the firewall. This example shows how to enable traffic between the NetScaler VPX and the web servers.
  - Select Policies > Security, and click Add.
  - Give the rule a descriptive name in the General tab.
  - In the Source tab, set the Source Zone to the client-side zone you defined. In this example, select client.
  - In the Destination tab, set the Destination Zone to the server-side zone you defined. In this example, select server.
  - In the Application tab, click Add to select the applications to which you want to allow access.
  - In the Actions tab, complete these tasks:
    - Set the Action Setting to Allow.
    - Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under Profile Setting.
    - Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.

For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.