Panorama serves as the single point of configuration
that provides the NSX-V Manager with the contextual information required
to redirect traffic from the guest virtual machines to the VM-Series
firewall. The traffic steering rules are defined on Panorama and
pushed to NSX-V Manager; these determine what traffic from which guests
in the cluster is steered to the Palo Alto Networks NGFW service.
Security enforcement rules are also defined on Panorama and pushed
to the VM-Series firewalls for the traffic that is steered to the
Palo Alto Networks NGFW service.
The rules for directing traffic
from the guests on each ESXi host are defined on Panorama and applied
by NSX-V Manager as partner security services rules.
For traffic that needs to be inspected and secured by the VM-Series firewall,
the steering rules created on Panorama allow you to redirect the
traffic to the Palo Alto Networks NGFW service. This traffic is
then steered to the VM-Series firewall and is first processed by
the VM-Series firewall before it goes to the virtual switch.
Traffic that does not need to be inspected by the VM-Series firewall, for
example network data backup or traffic to an internal domain controller,
does not need to be redirected to the VM-Series firewall and can
be sent to the virtual switch for onward processing.
Rules centrally managed on Panorama and applied by the VM-Series
firewall—The next-generation firewall rules are applied by
the VM-Series firewall. These rules are centrally defined and managed
on Panorama using template stacks and device groups and pushed to
the VM-Series firewalls. The VM-Series firewall then enforces security
policy by matching on source or destination IP address—the use of
dynamic address groups allows the firewall to populate the members
of the groups in real time—and forwards the traffic to the filters
on the NSX-V Firewall.