Apply Security Policy to the VM-Series Firewall on NSX-T

Now that you have deployed the VM-Series firewall and created traffic redirection rules to send traffic to the firewall, you can use Panorama to centrally manage security policy rules on the VM-Series firewall.
  1. Log in to Panorama.
  2. Create security policy rules.
    By default, the firewall creates a rule that allows Bidirectional Forwarding Detection (BFD). Do not create a rule that blocks BFD: if BFD is blocked, NSX-T considers the firewall unavailable.
    1. Select Policies > Security > Prerules.
    2. Select the Device Group that you created for managing the VM-Series firewalls on NSX-T in Create Template Stacks and Device Groups on Panorama.
    3. Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
    4. Select the Source Zone and Destination Zone.
    5. For the Source Address and Destination Address, select or type in an address, static address group, or region.
      The VM-Series firewall on NSX-T does not support dynamic address groups for North-South traffic.
    6. Select the Application to allow. In this example, we create an Application Group that contains a static group of specific applications.
      1. Click Add and select New Application Group.
      2. Click Add to select the applications to include in the group.
      3. Click OK to create the application group.
    7. Specify the action (Allow or Deny) for the traffic and, optionally, attach the default security profiles for antivirus, anti-spyware, and vulnerability protection under Profiles.
    8. Click Commit, select Commit to Panorama, and click OK.
  3. Apply the policies to the VM-Series firewalls on NSX-T.
    1. Click Commit > Push to Devices > Edit Selections.
    2. Select the device group and click OK.
    3. Select Force Template Values. By default, Panorama does not override objects on the firewall with objects on Panorama that share a name. You must select Force Template Values to push policy to the managed firewalls.
    4. Click Yes to confirm force template values.
    5. Click OK.
    6. Verify that the commit is successful.
  4. (Optional) Use a template to push a base configuration for network and device settings such as DNS server, NTP server, Syslog server, and login banner.
    Refer to the Panorama Administrator's Guide for information on using templates.
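The procedure above is driven through the Panorama web interface, but the same rule can be expressed and checked programmatically. The script below is an added example, not Palo Alto Networks' own code or tooling: it renders the WebFrontEnd-to-Application rule from step 2 in the PAN-OS XML schema that Panorama's XML API and exported configurations use, and then lints a pre-rulebase for the caveat at the top of step 2 (a deny rule that would match BFD before any allow rule covers it). It uses only the Python standard library. The zone, address-object and application-group names are constructed for illustration, and the App-ID name "bfd" is an assumption about how Palo Alto Networks identifies Bidirectional Forwarding Detection; substitute the names from your own device group.

```python
"""Render a Panorama pre-rulebase security rule and lint the rulebase for
rules that would block BFD. Added example; not Palo Alto Networks' code."""
import xml.etree.ElementTree as ET

BFD_APP = "bfd"  # assumed App-ID name for Bidirectional Forwarding Detection
RULE_MATCH_FIELDS = ("from", "to", "source", "destination")


def _members(parent, tag, values):
    """Append <tag><member>v</member>...</tag>, the PAN-OS list layout."""
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value
    return node


def _member_set(entry, tag):
    node = entry.find(tag)
    return {m.text for m in node.findall("member")} if node is not None else set()


def security_rule(name, description, from_zones, to_zones, sources,
                  destinations, applications, action="allow", profile_group=None):
    """Return an <entry> element for one security rule in the PAN-OS schema.

    action is "allow" or "deny"; profile_group, if given, attaches a security
    profile group via <profile-setting><group><member>...</member></group>.
    """
    if action not in ("allow", "deny"):
        raise ValueError("action must be allow or deny")
    entry = ET.Element("entry", name=name)
    ET.SubElement(entry, "description").text = description
    _members(entry, "from", from_zones)
    _members(entry, "to", to_zones)
    _members(entry, "source", sources)
    _members(entry, "destination", destinations)
    _members(entry, "application", applications)
    _members(entry, "service", ["application-default"])
    ET.SubElement(entry, "action").text = action
    if profile_group:
        _members(ET.SubElement(entry, "profile-setting"), "group", [profile_group])
    return entry


def application_group(name, applications):
    """Return an <entry> for a static application group (step 2.6)."""
    entry = ET.Element("entry", name=name)
    _members(entry, "members", applications)
    return entry


def to_xml(element):
    return ET.tostring(element, encoding="unicode")


def _matches_bfd(rule):
    apps = _member_set(rule, "application")
    return BFD_APP in apps or "any" in apps


def _covers(allow_rule, deny_rule, tag):
    """True if allow_rule's <tag> set is 'any' or a superset of deny_rule's."""
    allowed = _member_set(allow_rule, tag)
    return "any" in allowed or _member_set(deny_rule, tag) <= allowed


def rules_blocking_bfd(rulebase):
    """Names of deny rules that BFD traffic could reach, in rulebase order.

    Rules are evaluated top-down, first match wins. A deny rule whose
    application column contains "bfd" or "any" is reported unless an earlier
    allow rule matches BFD and covers the deny rule's zones and addresses.
    """
    entries = rulebase.findall("entry")
    hits = []
    for index, rule in enumerate(entries):
        if rule.findtext("action") != "deny" or not _matches_bfd(rule):
            continue
        shadowed = any(
            prev.findtext("action") == "allow" and _matches_bfd(prev)
            and all(_covers(prev, rule, tag) for tag in RULE_MATCH_FIELDS)
            for prev in entries[:index])
        if not shadowed:
            hits.append(rule.get("name"))
    return hits


def build_rulebase(rules):
    rulebase = ET.Element("rules")
    for rule in rules:
        rulebase.append(rule)
    return rulebase


def example_rules(include_bfd_allow):
    """Constructed pre-rulebase: the step-2 rule plus a cleanup deny rule."""
    rules = []
    if include_bfd_allow:
        rules.append(security_rule("allow-bfd", "keep the BFD session with NSX-T up",
                                   ["any"], ["any"], ["any"], ["any"], [BFD_APP]))
    rules.append(security_rule("web-to-app", "WebFrontEnd servers to Application servers",
                               ["WebFrontEnd"], ["Application"],
                               ["WebFrontEnd-servers"], ["Application-servers"],
                               ["WebApp-Group"], profile_group="default"))
    rules.append(security_rule("deny-rest", "explicit cleanup rule",
                               ["any"], ["any"], ["any"], ["any"], ["any"], action="deny"))
    return rules


if __name__ == "__main__":
    print(to_xml(application_group("WebApp-Group", ["web-browsing", "ssl"])))
    for with_bfd in (False, True):
        found = rules_blocking_bfd(build_rulebase(example_rules(with_bfd)))
        print("allow-bfd present:", with_bfd, "-> rules blocking BFD:", found)
```

Running the script shows the cleanup deny rule being flagged until an allow rule for BFD precedes it. The shadow check compares the from, to, source and destination columns of the candidate allow rule against the deny rule, so a zone-restricted BFD allow does not silence a deny rule in other zones; it does not model address-group membership, so a reported rule is a prompt to review the rulebase in Panorama rather than proof that BFD is down.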
