Dynamically Quarantine Infected Guests
Threat and traffic logs in PAN-OS include the source or destination universally unique identifier (UUID) of guest VMs in your NSX deployment. This allows the VM-Series for NSX to support the tagging of guest VMs with NSX security tags. With the guest VMs’ UUID now included in the log events, the firewall, based on the filtered log events, can tag the affected guest VM via NSX Manager API. This allows for automatic location of compromised VMs in the NSX environments. NSX can then put all associated UUIDs under policies to quarantine those VMs from the rest of the network.
Panorama includes predefined payload formats for threat and traffic logs in the HTTP Server Profile. These payload formats correspond to predefined security tags in NSX. When a guest VM is found in the threat or traffic logs, Panorama makes an API call to NSX Manager telling NSX Manager to tag the guest VM with the tag specified in the HTTP Server Profile. When the guest VM becomes tagged, NSX Manager dynamically moves the tagged guest VM into the quarantine security group, which places the guest VM into the quarantine dynamic address group.
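To make the mechanism above concrete, here is an added Python model of the flow (not Palo Alto Networks or VMware code): a threat log carrying the guest VM's UUID is checked against the Collector Log Forwarding filter, the HTTP Server Profile's payload format selects the NSX security tag and composes the PUT call, a stand-in NSX Manager applies the tag, and a security group with the dynamic membership rule Security Tag Contains recomputes its members, which is what feeds the quarantine dynamic address group. The REST path /api/2.0/services/securitytags/tag/<tag-id>/vm/<vm-id> is the NSX-v 6.x tagging endpoint and is an assumption here, as is the choice to tag the source UUID; the tag object id, the UUIDs and the log entries are constructed sample data, and the credentials and headers a real profile carries are omitted.

```python
"""Offline model of the quarantine tagging flow on this page. Added example,
not vendor code; REST path, tag ids, UUIDs and logs are assumptions/samples."""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Set

# Predefined payload format -> NSX security tag it applies (the pairing named
# on the page). Tag object ids and guest VM UUIDs below are constructed samples.
PAYLOAD_FORMAT_TAGS = {"NSX Anti-Virus Threat High": "ANTI_VIRUS.VirusFound.threat=high"}
SAMPLE_TAG_IDS = {"ANTI_VIRUS.VirusFound.threat=high": "securitytag-10"}
VM_WEB = "503a9b1e-1c2d-4e5f-8a6b-000000000001"
VM_APP = "503a9b1e-1c2d-4e5f-8a6b-000000000002"


class ThreatLog(NamedTuple):  # only the threat log fields this flow depends on
    src_uuid: str
    severity: str
    threat_name: str


SAMPLE_LOGS = [  # constructed
    ThreatLog(VM_WEB, "high", "Virus/Win32.Sample"),      # forwarded and tagged
    ThreatLog(VM_APP, "low", "Test Signature"),           # dropped by the filter
    ThreatLog("", "high", "Virus/Win32.Sample"),          # blank UUID, skipped
    ThreatLog(VM_WEB, "critical", "Virus/Win32.Sample"),  # same VM, tagged once
]


@dataclass
class HttpServerProfile:
    """One Panorama > Server Profiles > HTTP entry pointing at NSX Manager."""
    nsx_manager: str
    payload_format: str
    protocol: str = "HTTPS"

    @property
    def security_tag(self) -> str:
        return PAYLOAD_FORMAT_TAGS[self.payload_format]

    def build_request(self, tag_id: str, vm_uuid: str) -> dict:
        """Compose the PUT that tags one VM (NSX-v 6.x URI layout, an assumption)."""
        port = 443 if self.protocol.upper() == "HTTPS" else 80  # page defaults
        url = (f"{self.protocol.lower()}://{self.nsx_manager}:{port}"
               f"/api/2.0/services/securitytags/tag/{tag_id}/vm/{vm_uuid}")
        return {"method": "PUT", "url": url}


def log_matches(log: ThreatLog, log_filter: Dict[str, Set[str]]) -> bool:
    """Collector Log Forwarding filter: an empty filter is 'All Logs';
    otherwise each listed field (e.g. severity) must hold an allowed value."""
    return all(getattr(log, f) in ok for f, ok in log_filter.items())


class NsxManager:
    """Stand-in for NSX Manager: tagged VMs and 'Security Tag Contains' group membership."""

    def __init__(self, tag_ids: Dict[str, str]):
        self.tag_ids = tag_ids
        self.tag_names = {tid: name for name, tid in tag_ids.items()}
        self.vm_tags: Dict[str, Set[str]] = {}

    def handle(self, request: dict) -> int:  # returns an HTTP-style status
        parts = request["url"].split("/")
        tag_name = self.tag_names.get(parts[-3])
        if request["method"] != "PUT" or parts[-2] != "vm" or tag_name is None:
            return 404  # anything but a PUT on a known tag is rejected
        self.vm_tags.setdefault(parts[-1], set()).add(tag_name)
        return 200

    def remove_tag(self, vm_uuid: str, tag_name: str) -> None:  # manual release
        self.vm_tags.get(vm_uuid, set()).discard(tag_name)

    def security_group_members(self, tag_contains: str) -> List[str]:
        """Dynamic membership rule 'Security Tag Contains <tag_contains>'."""
        return sorted(vm for vm, tags in self.vm_tags.items()
                      if any(tag_contains in t for t in tags))


def forward_threat_logs(logs, log_filter, profile, nsx) -> List[str]:
    """Panorama side: one tagging call per matching log, for the source VM; a
    blank UUID (the NSX 6.2.3 case the page notes) is skipped. Returns tagged UUIDs."""
    tag_id, tagged = nsx.tag_ids[profile.security_tag], []
    for log in logs:
        if log_matches(log, log_filter) and log.src_uuid and log.src_uuid not in tagged:
            if nsx.handle(profile.build_request(tag_id, log.src_uuid)) == 200:
                tagged.append(log.src_uuid)
    return tagged


def quarantine_demo():  # full cycle: forward, tag, quarantine, manual release
    profile = HttpServerProfile("192.0.2.10", "NSX Anti-Virus Threat High")
    nsx = NsxManager(SAMPLE_TAG_IDS)
    tagged = forward_threat_logs(SAMPLE_LOGS, {"severity": {"high", "critical"}}, profile, nsx)
    quarantined = nsx.security_group_members(profile.security_tag)
    nsx.remove_tag(VM_WEB, profile.security_tag)  # step 7: VM cleared for release
    return tagged, quarantined, nsx.security_group_members(profile.security_tag)
```

Calling quarantine_demo() returns the tagged UUIDs, the quarantine group's membership while the tag is applied, and the membership after the manual un-tagging. The entry with a blank UUID is the condition the note under the last step describes: a log without a UUID cannot be tagged, so a matching filter alone does not guarantee the VM ends up in the quarantine group, which is worth checking in the NSX security tag view after a high-severity event.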
1. Confirm that you have content update version 636 or later installed on Panorama.
2. Create a dynamic address group to be your quarantine dynamic address group.
3. Configure an HTTP Server Profile to send API calls to NSX Manager.
  - Select Panorama > Server Profiles > HTTP and Add a new HTTP Server Profile.
  - Enter a descriptive Name.
  - Select Add to provide the details of NSX Manager.
  - Enter a Name for NSX Manager.
  - Enter the IP Address of NSX Manager.
  - Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively.
  - Select PUT under the HTTP Method column.
  - Enter the username and password for NSX Manager.
  - Select Payload Format and choose an NSX payload format from the Pre-defined Formats drop-down. This populates the URI Format, HTTP Headers, and Payload fields with the correct information to send the HTTP API call to NSX Manager. The chosen format also determines which security tag NSX Manager applies to infected guest VMs. In this example, NSX Anti-Virus Threat High is selected, which corresponds to the ANTI_VIRUS.VirusFound.threat=high security tag on NSX Manager.
4. Define the match criteria for when Panorama will forward logs to NSX Manager, and attach the HTTP Server Profile to use.
  - Select Panorama > Collector Groups > Collector Log Forwarding for Threat or Traffic logs.
  - Click Traffic or Threat and Add.
  - Enter a descriptive name for the new log settings.
  - (Optional) Under Filter, you can add filters such as severity to narrow the logs that are forwarded to NSX Manager. If All Logs is selected, all threat or traffic logs that meet the criteria set in the HTTP Server Profile are sent to NSX Manager.
  - Click Add under HTTP and select the HTTP Server Profile configured in Step 3.
  - Click OK.
5. Configure an NSX server certificate for Panorama to forward logs to NSX Manager.
  - Select Panorama > Certificate Management > Certificates.
  - Create a root CA certificate with CN=IP address of Panorama.
  - Create a signed certificate with CN=IP address of NSX Manager.
  - Export the root CA certificate in PEM format without a private key.
  - Export the signed certificate in PEM format with a private key.
  - Using a tool such as OpenSSL, concatenate the exported certificates into a single PEM file and package it as a PKCS#12 keystore for upload to NSX Manager. Use the following commands to complete this step.
    cat cert_NSX_Root_CA.crt cert_NSX_Signed1.pem > cert_NSX_cert_chain.pem
    openssl pkcs12 -export -in cert_NSX_cert_chain.pem -out cert_NSX_cert.p12
  - Log in to NSX Manager and select Manage Appliance Settings > SSL Certificates > Upload PKCS#12 Keystore. Click Choose File, locate the p12 file you created in the previous step, and click Import.
6. Associate a security group with a security tag in vCenter.
  - Log in to vCenter.
  - Select Networking & Security > Service Composer > Security Groups.
  - Select the security group that is the counterpart to the quarantine dynamic address group you created previously and click Edit Security Group.
  - Select Define dynamic membership and click the + icon.
  - Click Add.
  - Set the criteria details to Security Tag Contains and then enter the NSX security tag that corresponds to the NSX payload format you chose in Step 3. Each of the predefined NSX payload formats corresponds to an NSX security tag. To view the NSX security tags in NSX, select Networking & Security > NSX Managers > NSX Manager IP > Manage > Security Tags. In this example, NSX Anti-Virus Threat High is used in the HTTP Server Profile, so ANTI_VIRUS.VirusFound.threat=high is the NSX security tag used here.
  - Click Finish.
7. After the guest VM is cleared for removal from quarantine, manually remove the NSX security tag from the guest VM in NSX.
  Source and destination UUID fields in threat and traffic logs may be blank after a guest VM is removed from quarantine. This can occur when running NSX 6.2.3 or earlier, or if NSX steering rules do not use the inout direction. To resolve this, upgrade NSX to 6.2.4, or issue an NSX Config-sync under Panorama > VMware NSX > Service Manager and reboot the PA-VM.
  - Log in to vCenter.
  - Select VMs and Templates and choose the quarantined guest.
  - Select Summary > Security Tags > Manage.
  - Uncheck the security tag used by the quarantine security group and click OK.
  - Refresh the page; the quarantine security group will no longer be listed under Summary > Security Group Membership.