Deploy the VM-Series Firewall Using L3 Interfaces
To secure north-south traffic, this scenario shows how to deploy the VM-Series firewall with Layer 3 (L3) interfaces: the firewall is placed between the NetScaler VPX and the servers on your network so that it inspects the traffic flowing between them.
The following procedure lists the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
- When provisioning the VM-Series firewall on the SDX server, make sure you select the correct data interface so that the firewall can reach the server(s).
- Configure the data interface on the firewall.
  - Select Network > Interfaces > Ethernet and then select the interface you want to configure.
  - Select the Interface Type. Although your choice here depends on your network topology, this example uses Layer3.
  - On the Config tab, in the Virtual Router drop-down, select default.
  - Select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example default, and then click OK.
  - Select the IPv4 or IPv6 tab, click Add in the IP section, and enter two IP addresses with their network masks on the interface, one for each subnet that is being serviced. For example, 192.168.1.2 and 192.168.2.1.
  - (Optional) To enable you to ping or SSH in to the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and SSH, and then click OK.
  - To save the interface configuration, click OK.
- Select Network > Virtual Routers and then select the default link to open the Virtual Router dialog, and Add the interface to the virtual router.
  - (Required only if the USIP option is enabled on the NetScaler VPX) On the Static Routes tab of the virtual router, select the interface and add the NetScaler SNIP (22.214.171.124 in this example) as the Next Hop. The static route defined here is used to route traffic from the firewall back to the NetScaler VPX.
- Click Commit to save your changes to the firewall.
- Create a basic policy to allow traffic between the NetScaler VPX and the web servers. In this example, because only one data interface is set up and both subnets are in the same zone, the rule matches on source and destination IP address to allow traffic between the NetScaler VPX and the servers.
  - Select Policies > Security and click Add.
  - Give the rule a descriptive name on the General tab.
  - On the Source tab, click Add in the Source Address section and select the New Address link.
  - Create a new address object that specifies the SNIP on the NetScaler VPX. In this example, this IP address is the source of all requests to the servers.
  - On the Destination tab, click Add in the Destination Address section and select the New Address link.
  - Create a new address object that specifies the subnet of the web servers. In this example, this subnet hosts all the web servers that service the requests.
  - On the Application tab, select web-browsing.
  - On the Actions tab, complete these tasks:
    - Set the Action Setting to Allow.
    - Under Profile Setting, attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
    - Under Options, verify that logging at session end is enabled. Only traffic that matches a security rule with logging enabled is logged.
- Create another rule to deny all other traffic from any source to any destination IP address on the network. Because traffic within a zone is allowed by the predefined intrazone-default rule, and both the NetScaler VPX and the servers are in the same zone in this example, you must create an explicit deny rule to block everything other than web-browsing. For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
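The same configuration expressed as PAN-OS CLI set commands, added here as a worked example; it is not taken from the original page. The interface name ethernet1/1, the /24 masks, the web-server subnet 192.168.2.0/24, the 0.0.0.0/0 destination of the static route, and all object, rule and profile names are assumptions; the SNIP 22.214.171.124 and the two interface addresses are the values used in the procedure above.

```text
# Added example: PAN-OS CLI equivalent of the GUI procedure above (not from the original page).
# Assumptions: data interface ethernet1/1, /24 masks, server subnet 192.168.2.0/24, and all
# object/rule/profile names are illustrative; replace them with your own values.
configure

# Data interface: Layer3, one address on each subnet, plus a ping/SSH management profile
set network profiles interface-management-profile allow-ping-ssh ping yes ssh yes
set network interface ethernet ethernet1/1 layer3 ip 192.168.1.2/24
set network interface ethernet ethernet1/1 layer3 ip 192.168.2.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping-ssh

# Zone membership and virtual router membership
set zone default network layer3 ethernet1/1
set network virtual-router default interface ethernet1/1

# Only if USIP is enabled on the NetScaler VPX: with USIP the servers see the real client
# address, so their replies are destined to the client and must be routed back to the
# NetScaler SNIP. The 0.0.0.0/0 destination is an assumption; use the client address
# ranges instead if the firewall already has a different default route.
set network virtual-router default routing-table ip static-route to-netscaler destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 22.214.171.124

# Address objects: the NetScaler SNIP (value from the example) and the web-server subnet (assumed)
set address netscaler-snip ip-netmask 22.214.171.124/32
set address web-servers ip-netmask 192.168.2.0/24

# Allow only web-browsing from the SNIP to the web servers, with the default threat
# profiles attached and logging at session end
set rulebase security rules allow-web-browsing from default to default source netscaler-snip destination web-servers application web-browsing service application-default action allow log-end yes
set rulebase security rules allow-web-browsing profile-setting profiles virus default spyware default vulnerability default

# Explicit deny for everything else; without it the predefined intrazone-default rule
# would allow all other traffic between the SNIP and the servers
set rulebase security rules deny-all from any to any source any destination any application any service any action deny log-end yes

commit
```

Enter these in configure mode on the firewall CLI. Rules added with set are appended below existing rules, so entering the allow rule before the deny rule gives the order the procedure requires; check with show rulebase security rules before committing. One caveat: if USIP is enabled on the NetScaler VPX, requests reach the servers with the client's real source address rather than the SNIP, so the allow rule must use the client address ranges (not netscaler-snip) as its source, or it will never match and the deny rule will drop the traffic.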