Configure the Panorama Plugin for VMware vCenter
After installing the plugin, complete the following procedure to establish a connection between Panorama and vCenter.
For the plugin to monitor virtual machines in your vCenter environment, you must have VMware tools installed. In vCenter, IP addresses of VMs are not externally retrievable; they are only visible through VMware tools. Additionally, native read-only permissions are required for the plugin to retrieve IP address information from vCenter.
- Log in to the Panorama web interface.
- Enable monitoring and set the monitoring interval.
- Select Panorama > VMware vCenter > Setup > General.
- Select Enable Monitoring. This enables monitoring for all vCenters in your deployment.
- Set the Monitoring Interval in seconds. The monitoring interval is how often Panorama retrieves updated network information from vCenter. The default value is 60 seconds and has a range of 60 to 84600 seconds.
- Create a notify group.
- Select Panorama > VMware vCenter > Setup > Notify Groups.
- Enter a descriptive Name for your notify group.
- Select the device groups in your vCenter deployment.
- Add vCenter information. The Panorama plugin for VMware vCenter supports up to 16 vCenter instances.
- Select Panorama > VMware vCenter > Setup > vCenter.
- Enter a descriptive Name for your vCenter.
- Enter the IP address or FQDN for vCenter and port, if applicable.
- Enter your vCenter username.
- Enter and confirm your vCenter password.
- Click Validate to verify that Panorama can connect to vCenter using the login credentials you entered.
- Configure up to 16 Monitoring Definitions. A vCenter instance can be assigned to only one Monitoring Definition.
- Select Panorama > VMware vCenter > Monitoring Definition and click Add.
- Enter a descriptive Name and optionally a description to identify the vCenter for which you use this definition.
- Select the vCenter and Notify Group.
- Commit your changes.
- Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups. You must use the OR operator when using more than one tag in the match criteria; using the AND operator does not work. Some browser extensions may block API calls between Panorama and vCenter which prevents Panorama from receiving match criteria. If Panorama displays no match criteria and you are using browser extensions, disable the extensions and Synchronize Dynamic Objects to populate the tags available to Panorama.
- Verify that addresses in your VMs are added to DAGs.
- Select Panorama > Objects > Address Groups.
- Click More in the Addresses column of a DAG. Panorama displays a list of IP addresses added to that DAG based on the match criteria you specified.
- Use dynamic address groups in policy.
- Click Add and enter a Name and a Description for the policy.
- Add the Source Zone to specify the zone from which the traffic originates.
- Add the Destination Zone at which the traffic is terminating.
- For the Destination Address, select the Dynamic address group you just created.
- Specify the action (Allow or Deny) for the traffic, and optionally attach the default security profiles to the rule.
- Repeat Steps 1 through 6 to create another policy rule.
- You can update the dynamic objects from vCenter at any time by synchronizing dynamic objects. Synchronizing dynamic objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the Dynamic Address Groups used in policy rules.
- Select Panorama > VMware vCenter > Monitoring Definition.
- Click Synchronize Dynamic Objects.
- If a firewall in your vCenter deployment restarts or disconnects from Panorama, that firewall goes out of sync with the Panorama plugin for vCenter and does not receive updates. After the firewall reconnects with Panorama, you must manually synchronize Panorama and the firewall.
- Log in to the Panorama CLI.
- Execute the following command:
  admin@Panorama> request plugins vmware_vcenter sync
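
The match-criteria rule in the verification step above (multiple tags must be joined with OR, because AND does not work) can be checked offline against an exported configuration. The following is an added example, not part of the original documentation or the plugin. It assumes the address groups are available as XML with each dynamic group's match criteria in a dynamic/filter element; the group names and tag strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: group names and tag strings are invented, and the
# XML layout (entry/dynamic/filter) is an assumption about the export format.
SAMPLE_CONFIG = """
<address-group>
  <entry name="dag-web"><dynamic><filter>'example.tag.web' or 'example.tag.app'</filter></dynamic></entry>
  <entry name="dag-db"><dynamic><filter>'example.tag.db' and 'example.tag.prod'</filter></dynamic></entry>
  <entry name="dag-single"><dynamic><filter>'example.tag.mgmt'</filter></dynamic></entry>
  <entry name="dag-tricky"><dynamic><filter>'brand and co' or 'example.tag.app'</filter></dynamic></entry>
  <entry name="static-grp"><static><member>host-1</member></static></entry>
</address-group>
"""

# Quoted tags are matched first, so an "and" inside a tag name is never
# mistaken for the boolean operator.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\(|\)|[^\s()'\"]+")

def operators(filter_text):
    """Return the set of boolean operators used between tags in a filter."""
    ops = set()
    for tok in TOKEN.findall(filter_text):
        if tok[0] not in "'\"" and tok.lower() in ("and", "or"):
            ops.add(tok.lower())
    return ops

def audit_dags(config_xml):
    """Return {group name: filter} for dynamic groups that join tags with AND."""
    flagged = {}
    root = ET.fromstring(config_xml)
    for entry in root.iter("entry"):
        flt = entry.findtext("dynamic/filter")  # None for static groups
        if flt and "and" in operators(flt):
            flagged[entry.get("name")] = flt.strip()
    return flagged

if __name__ == "__main__":
    for name, flt in audit_dags(SAMPLE_CONFIG).items():
        print(f"{name}: match criteria use AND -> {flt}")
```

A flagged group that relies on vCenter tags will not populate as intended, so any policy rule referencing it should be reviewed along with the group.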