How Do the Components in the VM-Series Firewall for NSX Solution Work Together?

To meet the security challenges of the software-defined data center, the NSX Manager, the ESXi hosts and Panorama work together to automate the deployment of the VM-Series firewall and to keep its policy in step with changes in the virtual environment.
[Figure: nsx_solution_overview.png, overview of the VM-Series firewall for NSX solution]
  1. Register the Palo Alto Networks NGFW service—The first step is to register the Palo Alto Networks NGFW as a service on the NSX Manager. The registration process uses the NetX management plane API to enable bi-directional communication between Panorama and the NSX Manager. Panorama is configured with the IP address and access credentials of the NSX Manager, initiates the connection and registers the Palo Alto Networks NGFW service. The service definition includes the URL from which the VM-Series base image required to deploy the VM-Series firewall for NSX is fetched, the authorization code for retrieving the license, and the device group and template to which the VM-Series firewalls will belong. The NSX Manager uses this management plane connection to share updates on changes in the virtual environment with Panorama.
  2. Deploy the VM-Series automatically from NSX—The NSX Manager collects the VM-Series base image from the URL specified during registration and installs an instance of the VM-Series firewall on each ESXi host in the ESXi cluster. From a static management IP pool or a DHCP service (that you define on the NSX Manager), a management IP address is assigned to the VM-Series firewall and the Panorama IP address is provided to the firewall. When the firewall boots up, the NetX dataplane integration API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.
    [Figure: nsx_VM_ethernet_ports.png, Ethernet ports of the VM-Series firewall on the ESXi host]
  3. Establish communication between the VM-Series firewall and Panorama—The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall. The VM-Series firewall receives the license and reboots with a valid serial number.
    If Panorama is offline, meaning it has no direct Internet access with which to retrieve licenses and push them to the firewalls, you must license each firewall manually. If the VM-Series firewall itself has no Internet access, you must add its serial number to Panorama so that it is registered as a managed device; only then can you push the appropriate template and device group settings to it from Panorama.
  4. Install configuration/policy from Panorama to the VM-Series firewall—The VM-Series firewall reconnects with Panorama and provides its serial number. Panorama now adds the firewall to the device group and template that was defined in the service definition and pushes the configuration and policy rules to the firewall. The VM-Series firewall is now available as a security virtual machine that can be further configured to safely enable applications on the network.
  5. Push traffic redirection rules to NSX Manager—Create security groups and define network introspection rules that specify the guests from which traffic will be steered to the VM-Series firewall. See Integrated Policy Rules for details.
    To ensure that traffic from the guests is steered to the VM-Series firewall, you must have VMware Tools installed on each guest. If VMware Tools is not installed, the NSX Manager does not know the IP address of the guest and therefore, the traffic cannot be steered to the VM-Series firewall. For more information, see Steer Traffic from Guests that are not Running VMware Tools. This is not required if you are running NSX Manager 6.2.4 or later.
  6. Receive real-time updates from NSX Manager—The NSX Manager sends real-time updates on the changes in the virtual environment to Panorama. These updates include information on the security groups and IP addresses of guests that are part of the security group from which traffic is redirected to the VM-Series firewall. See Integrated Policy Rules for details.
  7. Use dynamic address groups in policy and push dynamic updates from Panorama to the VM-Series firewalls—On Panorama, use the real-time updates on security groups to create dynamic address groups, bind them to security policies and then push these policies to the VM-Series firewalls. Every VM-Series firewall in the device group receives the same set of policies, and because group membership is resolved from the tags reported by the NSX Manager, a guest that moves between security groups is handled by the matching rule without a policy commit. See Policy Enforcement using Dynamic Address Groups for details.
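The mechanism behind steps 6 and 7 is easiest to see with a small model: the registered-IP table that the NSX Manager updates feed (IP address to tags), the match criteria of a dynamic address group evaluated over that table, and a top-down rulebase that resolves source and destination through those groups. The block below is an added example written for this page; it is not Palo Alto Networks or VMware code and does not talk to Panorama or the NSX Manager. The tag names, IP addresses, rules and "updates" in it are constructed for illustration, and the evaluator is an independent re-implementation of the quoted-tag `and`/`or`/`not` form that PAN-OS match criteria use, not the product's own parser.

```python
"""Model of dynamic address group (DAG) evaluation driven by NSX security-group
updates. Added illustrative example; not Palo Alto Networks or VMware code.
All tags, IPs, rules and update messages below are constructed."""
import re
from dataclasses import dataclass

# Registered-IP table: IP -> set of tags currently registered for that IP.
Registry = dict[str, set[str]]


def apply_update(registry: Registry, ip: str, tags: set[str], register: bool) -> None:
    """Apply one membership update relayed from NSX: register adds tags to an IP,
    unregister removes them (the IP disappears once it carries no tag)."""
    current = registry.setdefault(ip, set())
    if register:
        current |= tags
    else:
        current -= tags
        if not current:
            del registry[ip]


# Match criteria quote tags in single quotes and combine them with and/or/not
# and parentheses, e.g. "'sg-web' and not 'sg-quarantine'".
_TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\))|(and|or|not)\b)", re.I)


def _tokenize(expr: str) -> list[tuple[str, str]]:
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            if expr[pos:].strip():
                raise ValueError(f"bad match criteria at {expr[pos:]!r}")
            break
        tag, paren, op = m.groups()
        if tag is not None:
            tokens.append(("tag", tag))
        elif paren:
            tokens.append(("paren", paren))
        else:
            tokens.append(("op", op.lower()))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser; precedence not > and > or."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of match criteria")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("op", "and"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("op", "not"):
            self.take()
            return ("not", self.parse_not())
        tok = self.take()
        if tok == ("paren", "("):
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return node
        if tok[0] == "tag":
            return tok
        raise ValueError(f"unexpected token {tok}")


def _eval(node, tags: set[str]) -> bool:
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "not":
        return not _eval(node[1], tags)
    if kind == "and":
        return _eval(node[1], tags) and _eval(node[2], tags)
    return _eval(node[1], tags) or _eval(node[2], tags)


def dag_members(registry: Registry, criteria: str) -> set[str]:
    """IPs whose registered tags satisfy the DAG match criteria."""
    tree = _Parser(_tokenize(criteria)).parse()
    return {ip for ip, tags in registry.items() if _eval(tree, tags)}


@dataclass
class Rule:
    name: str
    src_criteria: str   # match criteria of the source DAG
    dst_criteria: str   # match criteria of the destination DAG
    action: str         # "allow" or "deny"


def first_match(rules: list[Rule], registry: Registry, src: str, dst: str) -> str:
    """Top-down first-match evaluation; no match is treated as deny in this model."""
    for r in rules:
        if src in dag_members(registry, r.src_criteria) and dst in dag_members(registry, r.dst_criteria):
            return r.action
    return "deny"


def demo() -> dict:
    reg: Registry = {}
    # Constructed updates: NSX security-group membership arriving as tags.
    apply_update(reg, "10.1.1.10", {"sg-web"}, register=True)
    apply_update(reg, "10.1.1.11", {"sg-web"}, register=True)
    apply_update(reg, "10.1.2.20", {"sg-db"}, register=True)
    rules = [
        Rule("quarantine", "'sg-quarantine'", "'sg-web' or 'sg-db'", "deny"),
        Rule("web-to-db", "'sg-web' and not 'sg-quarantine'", "'sg-db'", "allow"),
    ]
    before = first_match(rules, reg, "10.1.1.10", "10.1.2.20")
    # NSX moves the guest into the quarantine group; the rulebase is unchanged,
    # only the registered tags change, yet the verdict flips.
    apply_update(reg, "10.1.1.10", {"sg-quarantine"}, register=True)
    after = first_match(rules, reg, "10.1.1.10", "10.1.2.20")
    web = sorted(dag_members(reg, "'sg-web' and not 'sg-quarantine'"))
    return {"before": before, "after": after, "web": web}


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is that the two rules never change: the same web-to-database session is allowed before the update and denied after it purely because the registered tags for 10.1.1.10 changed, which is what lets Panorama keep policy in step with the NSX Manager without a commit for every guest move. In a real deployment the tags come from the NSX Manager through Panorama rather than from `apply_update` calls.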
