End-of-Life (EoL)
What is Multi-Tenant Support on the VM-Series Firewall for NSX?
Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant.
A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub-tenant and redirect traffic to the appropriately configured VM-Series firewall. You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.

Panorama and managed VM-Series firewalls must be running PAN-OS 7.1 or greater to support multi-tenancy.
To deploy a multi-tenant solution, create one or more service definitions and service profile zones on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template. This means that each instance of the VM-Series firewall that is deployed using a service definition has one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster.

A service profile zone within a Panorama template is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that the firewall can isolate traffic for a sub-tenant. Because a template supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants.
Panorama registers each service definition as a service definition on the NSX Manager and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. You can then use the steering rules defined on Panorama and applied to the NSX Manager to specify which traffic to redirect to the VM-Series firewall based on NSX security groups, and to which tenant or sub-tenant based on the service profile.
Based on your requirements, you can choose from the following multi-tenancy options:
- Shared cluster with shared VM-Series firewalls: Multiple tenants share the cluster and the VM-Series firewall. A single instance of the VM-Series firewall is deployed on each host in the cluster. To separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies.
- Dedicated cluster with dedicated VM-Series firewalls: A single tenant occupies the cluster, and a single instance of the VM-Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub-tenants that require traffic separation (one zone per sub-tenant) and a single policy set with zone-based rules to secure traffic for each sub-tenant. See Use Case: Shared Security Policies on Dedicated Compute Infrastructure.
- Shared cluster with dedicated VM-Series firewalls: Multiple tenants share the cluster, and multiple instances of the VM-Series firewall are deployed on each host in the cluster so that each tenant can have a dedicated instance of the VM-Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant's needs, you will define two or more service definitions for the cluster. When deploying multiple instances of the VM-Series firewall, you must ensure that each ESXi host has sufficient CPU, memory, and hard disk resources to support the VM-Series firewalls and the other virtual machines that will be running on it.
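The following added example (not Palo Alto Networks code, and not a Panorama or NSX API) models the design rules described above: one service definition per tenant for the shared-cluster, dedicated-firewall option, one service profile zone per sub-tenant, a virtual wire subinterface pair per zone, the 32-pair template limit, and one firewall instance per host for every deployed service definition. The tenant names, the `sd-`/`dg-`/`tpl-` naming, and the sequential tag numbering are assumptions; the page shows only one example pair (ethernet1/1.3 and ethernet1/2.3).

```python
from __future__ import annotations
from dataclasses import dataclass, field

MAX_SUBINTERFACE_PAIRS = 32  # per template, as stated on this page

# Constructed sample input: two tenants, each with its sub-tenants.
SAMPLE_TENANTS = {"acme": ["marketing", "accounting", "hr"], "globex": ["engineering"]}


@dataclass
class ServiceDefinition:
    """One Panorama service definition: one device group plus one template.
    Each service profile zone in the template maps to a vwire subinterface pair."""
    name: str
    device_group: str
    template: str
    zones: dict[str, tuple[str, str]] = field(default_factory=dict)

    def add_service_profile_zone(self, zone: str) -> tuple[str, str]:
        """Allocate the subinterface pair that isolates one sub-tenant."""
        if zone in self.zones:
            raise ValueError(f"zone {zone!r} already defined in {self.template}")
        if len(self.zones) >= MAX_SUBINTERFACE_PAIRS:
            raise ValueError(f"{self.template}: limit of {MAX_SUBINTERFACE_PAIRS} "
                             "subinterface pairs reached; add a service definition")
        # Assumption: tags are allocated sequentially from 1. The page does not
        # state how Panorama chooses the tag, only that a pair is created.
        tag = len(self.zones) + 1
        pair = (f"ethernet1/1.{tag}", f"ethernet1/2.{tag}")
        self.zones[zone] = pair
        return pair


def plan_shared_cluster_dedicated_firewalls(tenants: dict[str, list[str]]) -> list[ServiceDefinition]:
    """Third option above: one service definition per tenant (so one dedicated
    firewall instance per tenant on every host), one zone per sub-tenant."""
    plan = []
    for tenant, sub_tenants in tenants.items():
        sd = ServiceDefinition(name=f"sd-{tenant}", device_group=f"dg-{tenant}",
                               template=f"tpl-{tenant}")
        for sub_tenant in sub_tenants:
            sd.add_service_profile_zone(f"{tenant}-{sub_tenant}")
        plan.append(sd)
    return plan


def firewalls_per_host(plan: list[ServiceDefinition]) -> int:
    """Every deployed service definition places one VM-Series instance on each
    host in the cluster, so host CPU, memory and disk must cover all of them."""
    return len(plan)
```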