Enable Communication Between the NSX Manager and Panorama

To automate the provisioning of the VM-Series firewall for NSX, enable communication between the NSX Manager and Panorama. This is a one-time setup, and only needs to be modified if the IP address of the NSX Manager changes or if the capacity license for deploying the VM-Series firewall is exceeded.
In this workflow, you must also install the API key required to complete the deactivation process from Panorama. The API key ensures that the VM-Series firewall licenses are automatically deactivated when you delete a service profile on the NSX Manager, and the licenses/entitlements are credited back to your account so that they become available for use later.
  1. Log in to the Panorama web interface.
    Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).
  2. Set up access to the NSX Manager.
    1. Select Panorama > VMware NSX > Service Managers and click Add.
    2. Enter the Service Manager Name.
      On the NSX Manager, this name displays in the Service Manager column on Networking & Security > Service Definitions > Service Managers.
    3. (Optional) Add a Description that identifies the VM-Series firewall as a service.
    4. Enter the NSX Manager URL—IP address or FQDN—at which to access the NSX Manager.
    5. Enter the NSX Manager Login credentials—username and password, so that Panorama can authenticate to the NSX Manager.
      The ampersand (&) special character is not supported in the NSX Manager account password. If a password includes an ampersand, the connection between Panorama and NSX Manager fails.
      A change to any vSphere environment password can impact infrastructure updates and should be accounted for on Panorama. For example, if you change your NSX Manager login password, ensure that you update the password on Panorama immediately. An incorrect password breaks the connection between Panorama and NSX Manager, and Panorama does not receive updates about changes to your deployment while it is disconnected from NSX Manager. Additionally, if you change your vCenter password but do not update it on NSX Manager, Panorama will not receive updates from vCenter. However, the connection status between Panorama and NSX Manager will remain Registered.
    6. Click OK.
  3. Commit your changes to Panorama.
    Select Commit and Commit Type: Panorama.
  4. Verify the connection status on Panorama.
    To view the connection status between Panorama and the NSX Manager:
    1. Select Panorama > VMware NSX > Service Managers.
    2. Verify the message in the Status column.
      When the connection is successful, the status displays as Registered. This indicates that Panorama and the NSX Manager are in sync and the VM-Series firewall is registered as a service on the NSX Manager.
      The unsuccessful status messages are:
      • Not connected: Unable to reach/establish a network connection to the NSX Manager.
      • Not authorized: The access credentials (username and/or password) are incorrect.
      • Not registered: The service, service manager, or service profile is unavailable or was deleted on the NSX Manager.
      • Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click the link for details on the reasons for failure. For example, NSX Manager may have a service definition with the same name as defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.
      • No service/No service profile: Indicates an incomplete configuration on the NSX Manager.
      If you make a change and need to manually sync, see (Optional) Synchronize the configuration between Panorama and the NSX Manager.
  5. Verify that the firewall is registered as a service on the NSX Manager.
    1. On the vSphere web client, select Networking & Security > Service Definitions > Service Managers.
    2. Verify that Palo Alto Networks displays as a vendor in the list of services available for installation.
  6. Install a License Deactivation API Key.
    Complete steps 1 and 2 in the link above to copy the API key from the CSP and install the license deactivation API key on the Panorama CLI. This API key ensures that VM-Series firewalls are automatically deactivated when you delete a Palo Alto Networks Service Deployment on the NSX Manager. So when a firewall is terminated, the licenses are deactivated and credited back to your account.
  7. If you are running VMware NSX plugin 2.0.4 or later, you can configure Panorama to automatically synchronize dynamic objects with NSX Manager as if you had issued a Synchronize Dynamic Objects. By default, the DAG Sync interval is disabled and the value is set to zero (0). To enable the DAG Sync, set the interval between one hour and 72 hours. Setting a value of zero hours disables the DAG Sync. To configure or disable the interval, complete the following procedure.
    1. Log in to the Panorama CLI.
    2. Execute the following command.
      request plugins vmware_nsx dag-sync-interval interval <interval-in-hours>
      You can view the configured value with the following show command.
      show plugins vmware_nsx dag-sync-interval
