Plan Your Multi-NSX Deployment

You must carefully plan your device group hierarchy and template stacks and consider how they interact with the other components needed for deployment. Service definitions reference device groups and template stacks and push that information to the firewalls in the related ESXi clusters.
  • Configure your device groups—Device groups are logical units that group firewalls based on common aspects that require similar policy configurations. Each service definition requires a device group and each device group can only be referenced in one service definition.
    A device group inherits policy rules and object settings from device groups above it in the device group hierarchy. This allows you to configure common or shared settings in parent device groups and unique settings in child or grandchild device groups. By default, Panorama has a Shared device group and any configuration in the shared device group is pushed to all device groups. When configuring any policy rules or object settings, confirm that you have selected the right device group.
    See Managing Device Groups in the Panorama 8.0 Administrator’s Guide for information on configuring and managing device groups.
  • Configure your templates—A template contains settings that enable a firewall to connect to your network, such as interface and zone configurations. Each service definition requires a template and each template can only be referenced in one service definition.
    When assigning a template stack to a service definition, consider the priority of the templates in the stack to ensure that the right configuration is pushed to the correct firewalls. If the templates in a stack contain overlapping configuration, the template with higher priority takes precedence and the same settings in lower-priority templates are ignored. Therefore, ensure that template configuration unique to an NSX Manager is given higher priority in the template stack assigned to that NSX Manager’s service definition.
    See Manage Templates and Template Stacks in the Panorama 8.0 Administrator’s Guide for information on configuring and managing templates.
  • Create your service definition—A service definition specifies the configuration for the VM-Series firewalls on each host in the ESXi cluster. Each individual NSX Manager configuration requires at least one service definition. A service manager can have multiple service definitions but each service definition can only have one device group and one template or template stack. After a device group or template has been assigned to a service definition, you can no longer select that device group or template for future service definitions.
For example, in a disaster recovery deployment scenario, you would need to create identical device groups for each data center. Because all the policy rules and objects are the same for each data center, you can perform all your configuration in a single device group. However, you cannot use the same device group in two service definitions. To ensure that each data center gets the same policy rules, create a child device group for each data center under the device group with the common configuration. These child device groups do not need any configuration of their own because they inherit everything the VM-Series firewalls need from the parent device group. And because each data center is identical, configure your network settings in a template (Template 1). Create a template stack for each data center and assign Template 1 to each stack.
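The following planning check is an added example, not part of the original documentation and not Panorama's own code or API. It models the disaster recovery layout and the template priority rule described above in plain Python so the plan can be validated before anything is configured. All object names and setting values are hypothetical, and the `DC2-Overrides` template is an assumption added only to show how priority resolves an overlap.

```python
# Constructed plan for the disaster recovery scenario; every name is hypothetical.
DEVICE_GROUPS = {  # device group -> parent (None = directly under Shared)
    "DG-Common": None, "DG-DC1": "DG-Common", "DG-DC2": "DG-Common",
}
TEMPLATES = {  # template -> settings it carries (constructed values)
    "Template 1": {"zone": "nsx-zone", "dns": "10.0.0.53"},
    "DC2-Overrides": {"dns": "10.2.0.53"},  # assumption: one NSX Manager-specific setting
}
TEMPLATE_STACKS = {  # stack -> templates, highest priority first
    "Stack-DC1": ["Template 1"],
    "Stack-DC2": ["DC2-Overrides", "Template 1"],
}
SERVICE_DEFINITIONS = {  # service definition -> (device group, template stack)
    "SD-DC1": ("DG-DC1", "Stack-DC1"),
    "SD-DC2": ("DG-DC2", "Stack-DC2"),
}

def inheritance_chain(group, device_groups=DEVICE_GROUPS):
    """Device groups that `group` inherits from, nearest first, ending at Shared."""
    chain, parent = [], device_groups[group]
    while parent is not None:
        if parent in chain or parent == group:
            raise ValueError(f"cycle in device group hierarchy at {parent}")
        chain.append(parent)
        parent = device_groups[parent]
    return chain + ["Shared"]

def effective_settings(stack, stacks=TEMPLATE_STACKS, templates=TEMPLATES):
    """Merge a stack so the higher-priority template wins on overlapping settings."""
    merged = {}
    for name in reversed(stacks[stack]):  # lowest priority first, then overridden
        merged.update(templates[name])
    return merged

def validate_plan(service_defs=SERVICE_DEFINITIONS):
    """List violations: a device group or stack referenced by two service definitions."""
    errors, owners = [], {}
    for sd, refs in sorted(service_defs.items()):
        for kind, name in zip(("device group", "template stack"), refs):
            known = DEVICE_GROUPS if kind == "device group" else TEMPLATE_STACKS
            if name not in known:
                errors.append(f"{sd}: unknown {kind} {name}")
            elif (kind, name) in owners:
                errors.append(f"{sd}: {kind} {name} already used by {owners[(kind, name)]}")
            else:
                owners[(kind, name)] = sd
    return errors

if __name__ == "__main__":
    print(validate_plan() or "plan OK")
```

Pointing both service definitions at the parent group instead of the child groups makes `validate_plan` report the reuse, which is the mistake the child device groups exist to avoid.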