End-of-Life (EoL)

Deploy the VM-Series Firewall Using L3 Interfaces

To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall as an L3 deployment: the VM-Series firewall is placed to secure traffic between the NetScaler VPX and the servers on your network.
Figure: Topology Before Adding the VM-Series Firewall
Figure: Topology After Adding the VM-Series Firewall
The following procedure includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
  1. When provisioning the VM-Series firewall on the SDX server, make sure you select the correct data interface so that the firewall can reach the server(s).
  2. Configure the data interface on the firewall.
    1. Select Network > Virtual Router, select the default link to open the Virtual Router dialog, and Add the interface to the virtual router.
    2. (Required only if the USIP option is enabled on the NetScaler VPX) On the Static Routes tab of the virtual router, select the interface and add the NetScaler SNIP (192.68.1.1 in this example) as the Next Hop. The static route defined here is used to route traffic from the firewall to the NetScaler VPX.
    3. Select Network > Interfaces > Ethernet and then select the interface you want to configure.
    4. Select the Interface Type. Although your choice here depends on your network topology, this example uses Layer3.
    5. On the Config tab, in the Virtual Router drop-down, select default.
    6. Select New Zone from the Security Zone drop-down. In the Zone dialog, enter a Name for the new zone, for example default, and then click OK.
    7. Select the IPv4 or IPv6 tab, click Add in the IP section, and enter two IP addresses with their network masks on the interface, one for each subnet that is being serviced. For example, 192.168.1.2 and 192.168.2.1.
    8. (Optional) To allow ping or SSH to the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and SSH, and then click OK.
    9. To save the interface configuration, click OK.
    10. Click Commit to save your changes to the firewall.
  3. Create a basic policy to allow traffic between the NetScaler VPX and the web servers.
    In this example, because we have set up only one data interface (so the NetScaler VPX and the servers are both reached through the same zone), we match on source and destination IP address to allow only the traffic between the NetScaler VPX and the servers.
    1. Select Policies > Security and click Add.
    2. Give the rule a descriptive name in the General tab.
    3. In the Source tab, click Add in the Source Address section and select the New Address link.
    4. Create a new address object that specifies the SNIP on the NetScaler VPX. In this example, this IP address is the source for all requests to the servers.
    5. In the Destination tab, click Add in the Destination Address section and select the New Address link.
    6. Create a new address object that specifies the subnet of the web servers. In this example, this subnet hosts all the web servers that service the requests.
    7. In the Application tab, select web-browsing.
    8. In the Actions tab, complete these tasks:
      1. Set the Action Setting to Allow.
      2. Under Profile Setting, attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
    9. Under Options, verify that logging at the end of a session is enabled. Only traffic that matches a security rule is logged, so a session that falls through to the default behaviour leaves no rule-level log entry.
    10. Create another rule to deny all other traffic from any source and any destination IP address on the network.
      Because traffic within a zone is allowed by default, and the NetScaler VPX and the servers share a zone in this example, any traffic other than web-browsing would otherwise pass between them. To deny traffic other than web-browsing, you must create a deny rule that explicitly blocks all other traffic, placed after the allow rule.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
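Why the catch-all deny in step 3.10 matters can be checked against the first-match rule evaluation the procedure relies on. The following Python script is an added example for this page, not Palo Alto Networks code: it models a rulebase holding the two rules from step 3 plus the default behaviour the page describes (traffic within a zone allowed unless an explicit rule says otherwise, traffic between zones denied) and shows which sample flows would be permitted if the deny rule were left out. The rule names, the /24 mask on the web-server address object, the single zone named default, and the sample flows are assumptions; the SNIP 192.68.1.1 and the web-browsing application come from the procedure above.

```python
"""First-match security-rule evaluation for the two-rule policy in step 3.

Added illustration for this page, not Palo Alto Networks code. Rule names,
the /24 mask on the web-server object, the single zone "default" and the
sample flows are assumptions; the SNIP and web-browsing come from the page.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed address objects, mirroring those created in steps 3.4 and 3.6.
ADDRESS_OBJECTS = {
    "netscaler-snip": "192.68.1.1/32",   # SNIP on the NetScaler VPX (page value)
    "web-servers": "192.168.2.0/24",     # web-server subnet; the /24 is assumed
}


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    source: list = field(default_factory=lambda: ["any"])
    destination: list = field(default_factory=lambda: ["any"])
    application: list = field(default_factory=lambda: ["any"])


def _addr_matches(addr: str, selectors: list) -> bool:
    """True if addr is covered by any selector (address-object name or CIDR)."""
    if "any" in selectors:
        return True
    return any(ip_address(addr) in ip_network(ADDRESS_OBJECTS.get(s, s))
               for s in selectors)


def evaluate(rules, src, dst, app, src_zone="default", dst_zone="default"):
    """Return (rule name, action) for the first rule that matches the flow.

    When no explicit rule matches, the model falls back to the default the
    page describes: traffic within one zone is allowed, between zones denied.
    """
    for r in rules:
        if (_addr_matches(src, r.source) and _addr_matches(dst, r.destination)
                and ("any" in r.application or app in r.application)):
            return r.name, r.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Rule from steps 3.1-3.9: SNIP -> web-server subnet, web-browsing only.
ALLOW_WEB = Rule("allow-netscaler-to-web", "allow",
                 source=["netscaler-snip"], destination=["web-servers"],
                 application=["web-browsing"])
# Rule from step 3.10: explicit catch-all deny, placed after the allow rule.
DENY_ALL = Rule("deny-all", "deny")

# Constructed sample flows: (source IP, destination IP, App-ID).
FLOWS = [
    ("192.68.1.1", "192.168.2.10", "web-browsing"),    # the intended traffic
    ("192.68.1.1", "192.168.2.10", "ssh"),             # from the SNIP, not web
    ("192.168.1.50", "192.168.2.10", "web-browsing"),  # a host that is not the SNIP
]


def outcomes(rules):
    """Map each sample flow to the action it receives under the given rulebase."""
    return {flow: evaluate(rules, *flow)[1] for flow in FLOWS}


if __name__ == "__main__":
    for label, rulebase in (("without deny rule", [ALLOW_WEB]),
                            ("with deny rule", [ALLOW_WEB, DENY_ALL])):
        print(label)
        for flow, action in outcomes(rulebase).items():
            print("  %s -> %s %-12s %s" % (flow[0], flow[1], flow[2], action))
```

Running the script shows that with only the allow rule every sample flow is permitted, because the two non-matching flows fall through to the intrazone default; adding the deny rule after the allow rule leaves only the SNIP-to-web-servers web-browsing flow allowed, which is the intent of step 3.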
