End-of-Life (EoL)

Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces

To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in an L2 or a virtual wire deployment. The VM-Series firewall secures traffic destined to the servers. The request arrives at the VIP address of the NetScaler VPX and is processed by the VM-Series firewall before it reaches the servers. On the return path, the traffic is directed to the SNIP on the NetScaler VPX and is processed by the VM-Series firewall before it is sent back to the client.
For the topology before adding the VM-Series firewall, see Topology Before Adding the VM-Series Firewall.
Figure: Topology After Adding the VM-Series Firewall (L2_VPX_VM_after.png)
The following task includes the basic configuration steps you must perform to deploy the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX are beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
  1. On the SDX server, make sure to enable Allow L2 Mode on each data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
  2. Re-cable the server-side interface assigned to the NetScaler VPX.
    Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
    If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will only require one port for handling client-side traffic.
    Therefore, before you configure the data interfaces on the VM-Series firewall, you must remove the cable from the interface that connects the VPX to the server farm and attach it to the firewall so that all traffic to the server farm is processed by the firewall.
  3. Configure the data interfaces.
    This example shows the configuration for virtual wire interfaces.
    Figure: virtual wire interface configuration (interface_vwire.PNG)
    a. Launch the web interface of the firewall.
    b. Select Network > Interfaces > Ethernet.
    c. Click the link for an interface (for example ethernet 1/1) and select the Interface Type as Layer2 or Virtual Wire.
      Virtual Wire Configuration
      Each virtual wire interface (ethernet 1/1 and ethernet 1/2) must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
      i. In the Virtual Wire drop-down, click New Virtual Wire, define a Name, assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK.
      ii. When configuring ethernet 1/2, select this virtual wire.
      iii. Select New Zone from the Security Zone drop-down, define a Name for the new zone (for example, client), and then click OK.
      Layer 2 Configuration
      Each Layer 2 interface requires a security zone. Select the Config tab and complete the following task:
      i. Select New Zone from the Security Zone drop-down, define a Name for the new zone (for example, client), and then click OK.
    d. Repeat steps b and c above for the other interface.
    e. Click Commit to save changes to the firewall.
  4. Create a basic policy rule to allow traffic through the firewall.
    This example shows how to enable traffic between the NetScaler VPX and the web servers.
    Figure: basic security policy rule (basic_policy_2.PNG)
    a. Select Policies > Security, and click Add.
    b. Give the rule a descriptive name in the General tab.
    c. In the Source tab, set the Source Zone to the client-side zone you defined. In this example, select client.
    d. In the Destination tab, set the Destination Zone to the server-side zone you defined. In this example, select server.
    e. In the Application tab, click Add to select the applications to which you want to allow access.
    f. In the Actions tab, complete these tasks:
      i. Set the Action Setting to Allow.
      ii. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering under Profile Setting.
    g. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.
