Enable Communication Between the NSX Manager and Panorama
To automate the provisioning of the VM-Series firewall for NSX, enable communication between the NSX Manager and Panorama. This is a one-time setup, and only needs to be modified if the IP address of the NSX Manager changes or if the capacity license for deploying the VM-Series firewall is exceeded.
In this workflow, you must also install the API key required to complete the deactivation process from Panorama. The API key ensures that the VM-Series firewall licenses are automatically deactivated when you delete a service profile on the NSX Manager, and the licenses/entitlements are credited back to your account so that they become available for use later.
- Log in to the Panorama web interface. Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).
- Set up access to the NSX Manager.
  - Select Panorama > VMware NSX > Service Managers and click Add.
  - Enter the Service Manager Name. On the NSX Manager, this name displays in the Service Manager column on Networking & Security > Service Definitions > Service Managers.
  - (Optional) Add a Description that identifies the VM-Series firewall as a service.
  - Enter the NSX Manager URL—IP address or FQDN—at which to access the NSX Manager.
  - Enter the NSX Manager Login credentials—username and password, so that Panorama can authenticate to the NSX Manager.
    The ampersand (&) special character is not supported in the NSX Manager account password. If a password includes an ampersand, the connection between Panorama and NSX Manager fails.
    Any vSphere environment password can impact infrastructure updates and should be accounted for with respect to Panorama. For example, if you change your NSX Manager login password, ensure that you update the password on Panorama immediately. An incorrect password breaks the connection between Panorama and NSX Manager. Panorama does not receive updates about changes to your deployment while disconnected from NSX Manager. Additionally, if you change your vCenter password but do not update it on NSX Manager, Panorama will not receive updates from vCenter. However, the connection status between Panorama and NSX Manager will remain Registered.
  - Click OK.
- Commit your changes to Panorama. Select Commit and Commit Type: Panorama.
- Verify the connection status on Panorama. To view the connection status between Panorama and the NSX Manager:
  - Select Panorama > VMware NSX > Service Managers.
  - Verify the message in the Status column. When the connection is successful, the status displays as Registered. This indicates that Panorama and the NSX Manager are in sync and the VM-Series firewall is registered as a service on the NSX Manager. The unsuccessful status messages are:
    - Not connected: Unable to reach/establish a network connection to the NSX Manager.
    - Not authorized: The access credentials (username and/or password) are incorrect.
    - Not registered: The service, service manager, or service profile is unavailable or was deleted on the NSX Manager.
    - Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click the link for details on the reasons for failure. For example, NSX Manager may have a service definition with the same name as defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.
    - No service/No service profile: Indicates an incomplete configuration on the NSX Manager.
- Verify that the firewall is registered as a service on the NSX Manager.
  - On the vSphere web client, select Networking & Security > Service Definitions > Service Managers.
  - Verify that Palo Alto Networks displays as a vendor in the list of services available for installation.
- Install a License Deactivation API Key. Complete steps 1 and 2 in the link above to copy the API key from the CSP and install the license deactivation API key on the Panorama CLI. This API key ensures that VM-Series firewalls are automatically deactivated when you delete a Palo Alto Networks Service Deployment on the NSX Manager. So when a firewall is terminated, the licenses are deactivated and credited back to your account.
- If you are running VMware NSX plugin 2.0.4 or later, you can configure Panorama to automatically synchronize dynamic objects with NSX Manager as if you issued a Synchronize Dynamic Objects. By default, the DAG Sync interval is disabled and the value is set to zero (0). To enable the DAG Sync, set the interval between one hour and 72 hours. Setting a value of zero hours disables the DAG sync. To configure or disable the interval:
  - Log in to the Panorama CLI.
  - Execute the following command.
        request plugins vmware_nsx dag-sync-interval interval <interval-in-hours>
    You can view the configured value with the following show command.
        show plugins vmware_nsx dag-sync-interval