1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall on VMware NSX
    5. Register the VM-Series Firewall as a Service on the NSX Manager
    6. Create Template(s), Template Stack(s), and Device Group(s) on Panorama

    Create Template(s), Template Stack(s), and Device Group(s) on Panorama

    To manage the VM-Series firewalls for NSX using Panorama, the firewalls must belong to a device group and a template that is a member of a template stack. Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; the configuration is defined using the Objects and Policies tabs on Panorama. Use template stacks to configure the settings that are required for the VM-Series firewalls to operate on the network and associate; the configuration is defined using the Device and Network tabs on Panorama. And each template stack with zones used in your NSX configuration on Panorama must be associated with a service definition; at a minimum, you must create a zone within the template stack so that the NSX Manager can redirect traffic to the VM-Series firewall.
    Each virtual wire zone belonging to the NSX-related template becomes available as a service profile on the Service Composer on the NSX Manager. When you create NSX-related zone on Panorama, Panorama pushes the zone as a part of the template stack configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet 1/2.3, to isolate traffic for a tenant or sub-tenant. On the firewall, you can then Create Security Groups and Steering Rules to secure traffic that arrives on the virtual wire subinterface pair that maps to the zone.
    If you are new to Panorama, refer to the Panorama Administrator’s Guide for instructions on setting up Panorama.
    1. Add a device group or a device group hierarchy.
      1. Select PanoramaDevice Groups, and click Add. You can also create a device group hierarchy.
      2. Enter a unique Name and a Description to identify the device group.
      3. Click OK.
        After the firewalls are deployed and provisioned, they will display under PanoramaManaged Devices and will be listed in the device group.
      4. Click Commit and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
    2. Add a template.
      1. Select PanoramaTemplates, and click Add.
      2. Enter a unique Name and a Description to identify the template.
      3. Click OK.
      4. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
    3. Add a template stack.
      1. Select PanoramaTemplates, and click Add Stack.
      2. Enter a unique Name and a Description to identify the template stack.
      3. Click Add under Templates and select the template you created above.
      4. Click OK.
      5. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
    4. Create the zone(s) for each template.
      Each zone is mapped to a service profile on NSX Manager. To qualify, a zone must be of the virtual wire type and a template associated with a service definition.
      For a single-tenant deployment, create one zone. If you have multi-tenant deployment, create a zone for each sub-tenant.
      You can add up to 32 zones in each template.
      1. Select NetworkZones.
      2. Select the correct template in the Template drop-down.
      3. Select Add and enter a zone Name.
      4. Set the interface Type to Virtual Wire.
      5. Click OK.
      6. Verify that the zones are attached to the correct template.
        nsx_SP_zones_in_template.PNG
      7. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
        Panorama creates a corresponding service profile on NSX Manager for each qualified zone upon commit.

    Related Documentation

    Configure a Template Stack

    Configure a Template Stack A template stack is configurable and allows you to combine multiple templates to push full configurations to your managed firewalls. While ...

    Create Service Definitions

    Create Service Definitions Panorama > VMware NSX > Service Definitions A service definition allows you to register the VM-Series firewall as a partner security service ...

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure

    Use Case: Shared Security Policies on Dedicated Compute Infrastructure If you are a Managed Service Provider who needs to secure a large enterprise ( tenant ...

    Add a Template

    Add a Template You must add at least one template before Panorama™ displays the Device and Network tabs required to define the network setup and ...

    Templates and Template Stacks

    Overview of template and template stack configuration functionality. ...

    Configure a Template or Template Stack Variable

    How to create a variable in a template or template stack and push it to firewalls and appliances. ...

    Create the Service Definitions on Panorama

    Create the Service Definitions on Panorama A service definition specifies the configuration for the VM-Series firewalls installed on each host in an ESXi cluster. The ...

    Plan Your Multi-NSX Deployment

    Plan Your Multi-NSX Deployment You must carefully plan your device group hierarchy and template stacks and consider how they interact with the other components needed ...

    Import Template Stack Variables

    Bulk import template stack variables to Panorama™ Interconnect. ...

    Deploy the VM-Series Firewall in a Multi-NSX Manager Environment

    Deploy the VM-Series Firewall in a Multi-NSX Manager Environment Whether you are deploying a single NSX Manager or a multi-NSX Manager environment, set up the ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo