VM-Series Firewall for NSX Deployment Checklist

To deploy the VM-Series firewall for NSX, use the following workflow:
  • Step 1: Set up the Components—To deploy the VM-Series firewall for NSX, set up the following components (see What are the Components of the VM-Series for NSX Solution?):
    • Set up the vCenter server, install and register the NSX Manager with the vCenter server.
      If you have not already set up the virtual switch(es) and grouped the ESXi hosts in to clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.
      Unless you Enable Large Receive Offload, do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series firewall for NSX to discard packets.
    • Upgrade Panorama. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. See Migrate Operations-Centric Configuration to Security-Centric Configuration if you choose to migrate your Operations-Centric configuration to a Security-Centric configuration format.
    • Configure an SSL/TLS Service Profile. If you are running NSX Manager 6.2.3 or earlier, you must configure an SSL/TLS Service profile that allows TLSv1.0 and apply it to the Panorama management interface. If you are running NSX Manager 6.2.4 or later, an SSL/TLS Service profile is not required.
    • Install a License Deactivation API Key. Deleting the Palo Alto Networks Service Deployment on NSX Manager automatically triggers license deactivation. A license deactivation API key is required to successfully deactivate the VM-Series license.
    • Download and save the ovf template for the VM-Series firewall for NSX on a web server. The ovf template must match your VM-Series model. If you are using the VM-200, select the VM-100 ovf. If using the VM-1000-HV, select the VM-300 ovf.
      The NSX Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama.
      Give the ova filename a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova allows you to overwrite the ova each time a newer version becomes available.
    • Register the capacity auth-code for the VM-Series firewall for NSX with your support account on the Support Portal. For details, see Upgrade the VM-Series Firewall.
  • Step 2: Register—Configure Panorama to Register the VM-Series Firewall as a Service on the NSX Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager. The connection between Panorama and the NSX Manager is also required for licensing and configuring the firewall.
    • (On Panorama) Create a service manager to enable communication between Panorama and NSX Manager.
    • (On Panorama) Create the service definition. If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see changes to default behavior.
  • Step 3: Deploy the VM-Series Firewall—Before you can deploy the VM-Series firewall in NSX, each host in the cluster must have the necessary NSX components required to deploy the firewall.
    • (On NSX Manager) Enable SpoofGuard and define rules to block non-IP protocols.
    • (On NSX Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall.
      The NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools. This is not required if you are running NSX Manager 6.2.4 or later.
    • (On NSX Manager) Prepare the ESXi host for the VM-Series firewall.
    • (On NSX Manager) Deploy the VM-Series firewall. The NSX Manager automatically deploys an instance of the VM-Series firewall on each ESXi host in the cluster.
    • (On NSX Manager) Add VMs to the relevant security groups.
    • (On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls. This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.
  • Step 4: Create Security Groups and Steering Rules—How you choose to deploy the security groups and steering rules depends on whether your deployment focus is Security Centric or Operations Centric.
    In a Security Centric deployment, your security administrator creates the security group and steering rules in Panorama. You might start with an existing set of security policies and a set of named source and destination groups. Any new dynamically deployed applications fit into predefined security policies defined on Panorama. Panorama pushes these named groups to NSX Manager, where the virtualization administrator picks up the group names and defines which VMs go into them.
    In an Operations Centric deployment, security groups are defined by a virtualization administrator based upon the need to classify and categorize VM workloads. In this case, security groups are defined and populated in the NSX Manager. Security groups created in NSX Manager must be associated with dynamic address groups on Panorama, which is completed after the firewalls are deployed. In this case, NSX base functionality is deployed first and the VM-Series firewalls are added later.
    You must decide whether a Security Centric or an Operations Centric deployment is right for your NSX environment before continuing. This document describes the procedure for a Security Centric deployment.
    Security Centric—Create the service definition(s) that specify the configuration for the VM-Series firewall, create dynamic address groups, and create policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in a Security Centric Deployment.
    • (On Panorama) Set up the dynamic address groups that map to security groups on NSX Manager. A security group assembles the specified guests/applications so that you can apply policy to the group.
    • (On Panorama) Create the security policy rules to redirect traffic to the Palo Alto Networks service profile.
    Operations Centric—On the NSX Manager, create security groups and policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in an Operations Centric Deployment.
    • (On NSX Manager) Set up the security groups. A security group assembles the specified guests/applications so that you can apply policy to the group.
    • (On NSX Manager) Create the NSX Firewall policies to redirect traffic to the Palo Alto Networks service profile.
  • Step 5: Monitor and Maintain Network Security—Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama—the Application Command Center (ACC), logs, and the report generation capabilities—you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator’s Guide for more information.
The following additional tasks are not required parts of the main VM-Series for NSX deployment procedure and should only be completed if and when necessary for your deployment.
  • Upgrade the Software Version—When upgrading the VM-Series firewalls for NSX, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN-OS Software Version (VM-Series for NSX).
    • For upgrading the PAN-OS version on the firewall, do not modify the VM-Series OVA URL in PanoramaVMware Service Manager.
    • Do not use the VMware snapshots functionality on the VM-Series firewall for NSX. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware’s best practice recommendation with using snapshots. If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (DeviceSet upOperations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.
  • Migrate from Operations-Centric configuration to Security-Centric configuration—If you upgrade your existing Operations-Centric VM-Series firewall for NSX deployment and plan to use the Security Centric workflow going forward, Migrate Operations-Centric Configuration to Security-Centric Configuration.
If you need to reinstall or remove the VM-Series from your NSX deployment, see the How to Remove VM-Series Integration from VMware NSX knowledge base article.

Related Documentation