Enable Communication Between the NSX-V Manager and Panorama

To automate the provisioning of the VM-Series firewall for NSX-V, enable communication between the NSX-V Manager and Panorama. This is a one-time setup, and only needs to be modified if the IP address of the NSX-V Manager changes or if the capacity license for deploying the VM-Series firewall is exceeded.
  1. (
    Optional
    ) Bypass proxy server settings, configured on Panorama under
    Panorama
    Setup
    Services
    Proxy Server
    , for communication between Panorama and NSX-V Manager. This command allows Panorama to communicate directly with NSX-V Manager while maintaining proxied communication for other services. This feature requires Panorama plugin for VMware NSX 2.0.5.
    1. Log in to the Panorama CLI.
    2. Execute the following command to enable or disable proxy bypass.
      admin@Panorama> request plugins vmware_nsx proxy bypass {yes | no}
      Select
      yes
      to enable proxy bypass and
      no
      to disable proxy bypass.
  2. Log in to the Panorama web interface.
    Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<
    IP address
    >).
  3. Set up access to the NSX-V Manager.
    1. Select
      Panorama
      VMware NSX-V
      Service Managers
      and click
      Add
      .
    2. Enter the
      Service Manager Name
      .
      On the NSX-V Manager, this name displays in the Service Manager column on
      Networking & Security
      Service Definitions
      Service Managers
      .
    3. (
      Optional
      ) Add a
      Description
      that identifies the VM-Series firewall as a service.
    4. Enter the
      NSX-V Manager URL
      —IP address or FQDN—at which to access the NSX-V Manager.
    5. Enter the
      NSX-V Manager Login
      credentials—username and password, so that Panorama can authenticate to the NSX-V Manager.
      The ampersand (&) special character is not supported in the NSX-V manager account password. If a password includes an ampersand, the connection between Panorama and NSX-V manager fails.
      If you change your NSX-V Manager login password, ensure that you update the password on Panorama immediately. An incorrect password breaks the connection between Panorama and NSX-V Manager. Panorama does not receive updates about changes to your deployment while disconnected from NSX-V Manager.
    6. Click
      OK
      .
  4. Commit your changes to Panorama.
    Select
    Commit
    and Commit Type:
    Panorama
    .
  5. Verify the connection status on Panorama.
    nsx_vmware_service_manager.PNG
    To view the connection status between Panorama and the NSX-V Manager.
    1. Select
      Panorama
      VMware NSX-V
      Service Managers
      .
    2. Verify the message in the
      Status
      column.
      When the connection is successful, the status displays as
      Registered
      . This indicates that Panorama and the NSX-V Manager are in sync and the VM-Series firewall is registered as a service on the NSX-V Manager.
      The unsuccessful status messages are:
      • Not connected
        : Unable to reach/establish a network connection to the NSX-V Manager.
      • Not authorized
        : The access credentials (username and/or password) are incorrect.
      • Not registered
        : The service, service manager, or service profile is unavailable or was deleted on the NSX-V Manager.
      • Out of sync
        : The configuration settings defined on Panorama are different from what is defined on the NSX-V Manager.Click the link for details on the reasons for failure. For example, NSX-V Manager may have a service definition with the same name as defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX-V Manager. Until the configuration on Panorama and the NSX-V Manager is synchronized, you cannot add a new service definition on Panorama.
      • No service/ No service profile
        : Indicates an incomplete configuration on the NSX-V Manager.
  6. Verify that the firewall is registered as a service on the NSX-V Manager.
    1. On the vSphere web client, select
      Networking & Security
      Service Definitions
      Service Managers
      .
      nsx_pan-firewall_registered.png
    2. Verify that
      Palo Alto Networks
      displays as a vendor in the list of services available for installation.
  7. If you are running VMware NSX plugin 2.0.4 or later, you can configure Panorama to automatically synchronize dynamic objects with NSX-V manager as if you issued an
    Synchronize Dynamic Objects
    . By default, the DAG Sync interval is disabled and the value is set to zero (0). To enable the DAG Sync, set the interval between one hour and 72 hours. Setting a value of zero hours disables the DAG sync. To configure or disable the interval, complete the following procedure.
    1. Log in to the Panorama CLI.
    2. Execute the following command.
      request plugins vmware_nsx dag-sync-interval interval <interval-in-hours>
      You can view the configured value with the following show command.
      show plugins vmware_nsx dag-sync-interval
  8. (
    Optional
    ) In large NSX-V environments with tens of thousands of IP addresses, allowing Panorama enough time to retrieve IP address updates from NSX-V Manager is essential. You can now configure the amount of time—up to 10 minutes—Panorama has to retrieve updates from NSX-V Manager. By default, Panorama waits up to two minutes (120 seconds) to get IP address updates from NSX-V Manager. However, if Panorama does not retrieve all the IP address updates within the alloted two minutes, Panorama times out and the update fails.
    You can determine if you are experiencing curl call failures through the Panorama error log. Curl call failures return the following message.
    2019-05-23 06:50:15.780 -0700 ERROR: Curl call to NSX-V Manager failed
    Complete the following procedure to increase the amount of time Panorama has to process updates. This feature requires Panorama plugin for VMware NSX 2.0.5.
    1. Log in to the Panorama CLI.
    2. Execute the following command to set the curl call timeout. You can set the time out from 30 seconds to 600 seconds (10 minutes).
      admin@Panorama> request plugins vmware_nsx curl-timeout timeout <seconds>
      If Panorama is part of an HA pair, configure the same timeout value on the active and passive Panorama peers.

Related Documentation