VM-Series Firewall for NSX-V Deployment Checklist
To deploy the VM-Series firewall for NSX-V, use the following workflow:
- Step 1: Set up the Components—To deploy the VM-Series firewall for NSX-V, set up the following components (see What are the Components of the VM-Series for NSX-V Solution?):
- Set up the vCenter server, install and register the NSX-V Manager with the vCenter server.If you have not already set up the virtual switch(es) and grouped the ESXi hosts in to clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.Unless you Enable Large Receive Offload, do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series firewall for NSX-V to discard packets.
- Upgrade Panorama. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. See Migrate Operations-Centric Configuration to Security-Centric Configuration if you choose to migrate your Operations-Centric configuration to a Security-Centric configuration format.
- Configure an SSL/TLS Service Profile. If you are running NSX-V Manager 6.2.3 or earlier, you must configure an SSL/TLS Service profile that allows TLSv1.0 and apply it to the Panorama management interface. If you are running NSX-V Manager 6.2.4 or later, an SSL/TLS Service profile is not required.
- Install a License Deactivation API Key. Deleting the Palo Alto Networks Service Deployment on NSX-V Manager automatically triggers license deactivation. A license deactivation API key is required to successfully deactivate the VM-Series license.
- Download and save the ovf template for the VM-Series firewall for NSX-V on a web server. The ovf template must match your VM-Series model. If you are using the VM-200, select the VM-100 ovf. If using the VM-1000-HV, select the VM-300 ovf.The NSX-V Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama.Give the ova filename a generic name that does not include a version number. Using a generic naming convention, such ashttps://acme.com/software/PA-VM-NSX.ovaallows you to overwrite the ova each time a newer version becomes available.
- Step 2: Register—Configure Panorama to Register the VM-Series Firewall as a Service on the NSX-V Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX-V Manager. The connection between Panorama and the NSX-V Manager is also required for licensing and configuring the firewall.
- (On Panorama) Create a service manager to enable communication between Panorama and NSX-V Manager.
- Step 3: Deploy the VM-Series Firewall—Before you can deploy the VM-Series firewall in NSX-V, each host in the cluster must have the necessary NSX-V components required to deploy the firewall.
- (On NSX-V Manager) Enable SpoofGuard and define rules to block non-IP protocols.
- (On NSX-V Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall.The NSX-V Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools. This is not required if you are running NSX-V Manager 6.2.4 or later.
- (On NSX-V Manager) Prepare the ESXi host for the VM-Series firewall.
- (On NSX-V Manager) Deploy the VM-Series firewall. The NSX-V Manager automatically deploys an instance of the VM-Series firewall on each ESXi host in the cluster.
- (On NSX-V Manager) Add VMs to the relevant security groups.
- (On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls. This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.
- Step 4: Create Security Groups and Steering Rules—How you choose to deploy the security groups and steering rules depends on whether your deployment focus is Security Centric or Operations Centric.In a Security Centric deployment, your security administrator creates the security group and steering rules in Panorama. You might start with an existing set of security policies and a set of named source and destination groups. Any new dynamically deployed applications fit into predefined security policies defined on Panorama. Panorama pushes these named groups to NSX-V Manager, where the virtualization administrator picks up the group names and defines which VMs go into them.In an Operations Centric deployment, security groups are defined by a virtualization administrator based upon the need to classify and categorize VM workloads. In this case, security groups are defined and populated in the NSX-V Manager. Security groups created in NSX-V Manager must be associated with dynamic address groups on Panorama, which is completed after the firewalls are deployed. In this case, NSX-V base functionality is deployed first and the VM-Series firewalls are added later.You must decide whether a Security Centric or an Operations Centric deployment is right for your NSX-V environment before continuing. This document describes the procedure for a Security Centric deployment.Security Centric—Create the service definition(s) that specify the configuration for the VM-Series firewall, create dynamic address groups, and create policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in a Security Centric Deployment.
Operations Centric—On the NSX-V Manager, create security groups and policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in an Operations Centric Deployment.
- (On Panorama) Set up the dynamic address groups that map to security groups on NSX-V Manager. A security group assembles the specified guests/applications so that you can apply policy to the group.
- (On Panorama) Create the security policy rules to redirect traffic to the Palo Alto Networks service profile.
- (On NSX-V Manager) Set up the security groups. A security group assembles the specified guests/applications so that you can apply policy to the group.
- (On NSX-V Manager) Create the NSX-V Firewall policies to redirect traffic to the Palo Alto Networks service profile.
- Step 5: Monitor and Maintain Network Security—Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama—the Application Command Center (ACC), logs, and the report generation capabilities—you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator’s Guide for more information.
The following additional tasks are not required parts of the main VM-Series for NSX-V deployment procedure and should only be completed if and when necessary for your deployment.
- Upgrade the Software Version—When upgrading the VM-Series firewalls for NSX-V, you must firstupgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see upgrade-the-pan-os-software-version-vm-series-for-nsx.html#id52f0ed19-6cfd-4ac2-bfaf-29a4bcbbcd5f_id8023d0b7-6fed-40c1-a216-088757069a1b.
- For upgrading the PAN-OS version on the firewall, do not modify theVM-Series OVA URLin.PanoramaVMware Service Manager
- Do not use the VMware snapshots functionality on the VM-Series firewall for NSX-V. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware’s best practice recommendation with using snapshots. If you need configuration backups, use Panorama orExport named configuration snapshotfrom the firewall (). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.DeviceSet upOperations
- Migrate from Operations-Centric configuration to Security-Centric configuration—If you upgrade your existing Operations-Centric VM-Series firewall for NSX-V deployment and plan to use the Security Centric workflow going forward, Migrate Operations-Centric Configuration to Security-Centric Configuration.
If you need to reinstall or remove the VM-Series from your NSX-V deployment, see the How to Remove VM-Series Integration from VMware NSX-V knowledge base article.