What is Multi-Tenant Support on the VM-Series Firewall for
Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant. A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules, one set per tenant, and multiple zones to isolate traffic from each sub-tenant and redirect it to the appropriately configured VM-Series firewall. You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.
Panorama and managed VM-Series firewalls must be running PAN-OS 7.1 or greater to support multi-tenancy.
To deploy a multi-tenant solution, create one or more service definitions on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template stack. This means that every instance of the VM-Series firewall deployed from the same service definition shares one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster; a tenant that needs its own policy set needs its own service definition.
A service profile zone within a Panorama template stack is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template stack configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that the firewall can isolate traffic for that sub-tenant. Because a template stack supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants per service definition.
Panorama registers each service definition as a service definition on the NSX-V Manager, and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX-V Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. The steering rules defined on Panorama and applied to the NSX-V Manager then specify which traffic to redirect to the VM-Series firewall, selected by NSX-V security group, and to which tenant or sub-tenant it belongs, selected by service profile. Traffic that no steering rule matches is not redirected to the firewall, so review the security-group membership of every tenant's virtual machines when you add a tenant or sub-tenant.
Based on your requirements, you can choose from the following multi-tenancy options:
- Shared cluster with shared VM-Series firewalls - Multiple tenants share the cluster and the VM-Series firewall. A single instance of the VM-Series firewall is deployed on each host in the cluster. To separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies.
- Dedicated cluster with dedicated VM-Series firewalls - A single tenant occupies the cluster, and a single instance of the VM-Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub-tenants that require traffic separation (one zone per sub-tenant) and a single policy set with zone-based rules to secure traffic for each sub-tenant. See Use Case: Shared Security Policies on Dedicated Compute Infrastructure.
- Shared cluster with dedicated VM-Series firewalls - Multiple tenants share the cluster, and multiple instances of the VM-Series firewall are deployed on each host in the cluster so that each tenant can have a dedicated instance of the VM-Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant's needs, you define two or more service definitions for the cluster, and each service definition places one more firewall instance on every host. When deploying multiple instances of the VM-Series firewall, you must ensure that each ESXi host has sufficient CPU, memory, and hard disk resources to support all of the VM-Series firewalls together with the other virtual machines that will be running on it.
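The relationships described above (service definition = one device group plus one template stack, one service profile zone = one virtual wire subinterface pair, at most 32 pairs per template stack, one firewall instance per host per service definition) can be planned and checked before anything is committed on Panorama. The following is example code added to this page; it is not Palo Alto Networks, Panorama plugin, or NSX code and calls no PAN-OS or NSX API. The tenant names, the "sd-", "dg-" and "ts-" naming scheme, and the per-firewall and per-host resource figures are constructed illustration values; replace them with your own sizing data.

```python
"""Plan a Panorama/NSX-V multi-tenant layout and validate the limits this
page states. Example code added to this page, not Palo Alto Networks code.
Object names and resource figures below are constructed assumptions."""
from dataclasses import dataclass, field

MAX_SUBIF_PAIRS = 32  # virtual wire subinterface pairs per template stack


@dataclass
class ServiceProfileZone:
    name: str
    tag: int  # Panorama pushes ethernet1/1.<tag> and ethernet1/2.<tag> to the firewall

    @property
    def subinterfaces(self):
        return (f"ethernet1/1.{self.tag}", f"ethernet1/2.{self.tag}")


@dataclass
class ServiceDefinition:
    """One device group + one template stack, so one policy set for all its zones."""
    name: str
    device_group: str
    template_stack: str
    zones: list = field(default_factory=list)

    def add_zone(self, zone_name):
        if any(z.name == zone_name for z in self.zones):
            raise ValueError(f"zone {zone_name!r} already exists in {self.name}")
        if len(self.zones) >= MAX_SUBIF_PAIRS:
            raise ValueError(f"{self.template_stack}: limit of "
                             f"{MAX_SUBIF_PAIRS} subinterface pairs reached")
        zone = ServiceProfileZone(zone_name, len(self.zones) + 1)
        self.zones.append(zone)
        return zone

    def nsx_registration(self):
        """What Panorama registers on NSX-V Manager for this definition:
        the service definition itself and one service profile per zone."""
        return {"service_definition": self.name,
                "service_profiles": [z.name for z in self.zones]}


def plan(mode, tenants):
    """tenants maps tenant name -> list of sub-tenant names (may be empty).
    Returns the service definitions to create and the number of VM-Series
    instances every ESXi host in the cluster will run (one per definition)."""
    def dedicated(tenant, subs):
        sd = ServiceDefinition(f"sd-{tenant}", f"dg-{tenant}", f"ts-{tenant}")
        for s in (subs or [tenant]):  # one zone per sub-tenant, else one zone for the tenant
            sd.add_zone(s)
        return sd

    if mode == "shared-cluster-shared-fw":
        sd = ServiceDefinition("sd-shared", "dg-shared", "ts-shared")
        for tenant in tenants:  # one zone per tenant, one common policy set
            sd.add_zone(tenant)
        defs = [sd]
    elif mode == "dedicated-cluster-dedicated-fw":
        if len(tenants) != 1:
            raise ValueError("a dedicated cluster holds exactly one tenant")
        (tenant, subs), = tenants.items()
        defs = [dedicated(tenant, subs)]
    elif mode == "shared-cluster-dedicated-fw":
        defs = [dedicated(t, subs) for t, subs in tenants.items()]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return defs, len(defs)


def host_fits(host, firewalls_per_host, per_firewall, other_vms):
    """Check that one ESXi host has CPU, memory and disk for N VM-Series
    instances plus the other VMs it runs. Dicts use keys vcpu, mem_gb, disk_gb.
    Returns (fits, required) so the caller can see how far off it is."""
    need = {k: firewalls_per_host * per_firewall[k] + other_vms[k] for k in host}
    return all(need[k] <= host[k] for k in host), need


# Constructed example: three tenants share a cluster, each wants its own firewall.
TENANTS = {"acme": ["marketing", "accounting", "hr"], "globex": [], "initech": ["dev"]}
# Assumed per-instance footprint and host size (illustration values only).
PER_FW = {"vcpu": 2, "mem_gb": 4.5, "disk_gb": 60}
HOST = {"vcpu": 32, "mem_gb": 256, "disk_gb": 2000}
OTHER = {"vcpu": 20, "mem_gb": 200, "disk_gb": 1500}

if __name__ == "__main__":
    defs, per_host = plan("shared-cluster-dedicated-fw", TENANTS)
    for sd in defs:
        print(sd.nsx_registration())
        for z in sd.zones:
            print("  ", z.name, "->", z.subinterfaces)
    ok, need = host_fits(HOST, per_host, PER_FW, OTHER)
    print(f"{per_host} firewalls per host, fits={ok}, need={need}")
```

Running it for the shared-cluster-with-dedicated-firewalls case prints three service definitions (so three firewall instances per host), the service profiles NSX-V Manager will see for each, the subinterface pair each zone maps to, and whether the host sizing leaves room for all three instances. Switching the mode string to `shared-cluster-shared-fw` collapses the same tenants into one definition with one zone per tenant, which is the trade-off the three options above describe: fewer instances per host against a shared policy set.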