Use Case: Shared Compute Infrastructure and Shared Security Policies
This use case allows you to logically isolate traffic from two tenants that share an ESXi cluster and have a common set of security policies. To isolate the traffic of each tenant, you create a service definition with a template stack that includes two zones. Zone-based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants as it traverses the firewall. The firewall distinguishes tenant virtual machines based on the service profiles and security groups created on the NSX Manager, which are available as match criteria in Dynamic Address Groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant's virtual machines using zone-based policy rules (the source and destination zone of a rule are the same tenant zone, because both subinterfaces of a tenant's virtual wire belong to that zone) and dynamic address groups.
Enable Communication Between the NSX Manager and Panorama. This is a one-time task and is required only if you have not already enabled access between the NSX Manager and Panorama.
Create Template(s) and Device Group(s) on Panorama.
- Log in to the Panorama web interface.
- Select Panorama > Templates to add a template stack. This use case has a template stack named NSX-Template.
- Select Panorama > Device Groups and add a device group. This use case has a device group named NSX-DG.
- Create two zones within the template stack. To isolate traffic for each tenant, you need two zones in this use case.
- Select Network > Zones.
- Select the correct template stack in the Template drop-down.
- Select Add and enter a zone Name. For example, Tenant1.
- Set the interface Type to Virtual Wire.
- Click OK.
- Repeat the steps to add another zone, for example, Tenant2.
- Verify that the zones are attached to the correct template stack.
Create the Service Definitions on Panorama.
- Select Panorama > VMware NSX > Service Definitions.
- Select Add and fill in the details.
- Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Create Security Groups and Steering Rules.
- Select Objects > Address Groups and Set Up Dynamic Address Groups on Panorama for each tenant's virtual machines. For example, this use case has two security groups per tenant: one security group for the web servers and the other for the application servers.
- Select Policies > Security > Pre Rules to set up the security policy rules for sending traffic to the VM-Series firewall.
- Select Panorama > VMware NSX > Steering Rules and click Auto-Generate Steering Rules.
- Commit your changes.
Prepare the ESXi Host for the VM-Series Firewall. The ESXi hosts in the cluster must have the NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager installs the components required to deploy the VM-Series firewall: the Ethernet Adapter Module (.eam) and the SDK.
Deploy the Palo Alto Networks NGFW Service.
- Select Networking and Security > Installation > Service Deployments.
- Click New Service Deployment (green plus icon) and select the service definition for the Palo Alto Networks next-generation firewall you want to deploy (Palo Alto Networks NGFW Test 1 in this example). Make your selections, including the ESXi cluster to which you want to deploy the firewall, and click Finish.
- Verify that the NSX Manager reports the Installation Status as Successful.
- Verify that the VM-Series firewall is successfully
- On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
- View the management IP address(es) and the PAN-OS version running on the firewall directly from vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
Apply Security Policies to the VM-Series Firewall.
- Create Dynamic Address Groups for each tenant on Panorama. The dynamic address group(s) match on the name of the security group(s) you defined on the NSX Manager.
- On Panorama, select Objects > Address Groups.
- Select the correct Device Group from the drop-down and click Add.
- Add a Name for the address group, set Type to Dynamic, and Add Match Criteria. Verify that you select the correct tags for each tenant; each tag includes the service profile ID, the security group name, and the security group ID. For example, this use case has four dynamic address groups: a web server group and an application server group for each tenant.
- On Panorama, create security policy rules that use the dynamic address groups as source or destination address objects, and push them to the firewalls.
- Select Policies > Security > Pre Rules and click Add.
- Create rules for each tenant. In this use case each rule uses the tenant's zone as both source and destination zone and the tenant's dynamic address groups as source and destination addresses.
- Click Commit, and select Device Groups as the Commit Type. Select the device group, NSX-DG in this example, and click OK.
- Verify that traffic from each tenant is secured.
- Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall. Each tenant's pair of virtual wire subinterfaces (for example, ethernet1/1.3 and ethernet1/2.3) is in the same tenant zone:

    show interface all
    total configured hardware interfaces: 2
    name                id    speed/duplex/state   mac address
    ---------------------------------------------------
    ethernet1/1         16    auto/auto/up         d4:f4:be:c6:af:10
    ethernet1/2         17    auto/auto/up         d4:f4:be:c6:af:11
    aggregation groups: 0
    total configured logical interfaces: 6
    name                id    vsys zone              forwarding
    ------------------- ----- ---- ----------------- -----------------
    ethernet1/1         16    1                      vwire:ethernet1/2
    ethernet1/1.3       4099  1    TENANT-1          vwire:ethernet1/2.3
    ethernet1/1.4       4100  1    TENANT-2          vwire:ethernet1/2.4
    ethernet1/2         17    1                      vwire:ethernet1/1
    ethernet1/2.3       4355  1    TENANT-1          vwire:ethernet1/1.3
    ethernet1/2.4       4356  1    TENANT-2          vwire:ethernet1/1.4

- On the web interface of the VM-Series firewall, select Objects > Address Groups and verify that you can view the IP addresses of the members of each Dynamic Address Group. In this use case the dynamic address groups of the two tenants contain duplicate IP addresses; the firewall still keeps the tenants apart because the policy rules also match on the tenant zone.
- View the ACC and Monitor > Logs > Traffic. Filter on the zone name to ensure that traffic from the virtual machines of each tenant is secured.
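The verification in the last step can be scripted. The following added example (not code from the original page or from Palo Alto Networks) parses the show interface all output shown above, checks that each tenant's virtual wire subinterface pair sits in one zone and that no zone holds more than one pair, and then evaluates sample flows against zone-scoped rules to show why the zone is needed alongside the dynamic address group when both tenants reuse the same IP space. The dynamic address group names, IP addresses and rule names are constructed for illustration; on a real firewall the group membership comes from the NSX security group tags.

```python
"""Tenant-isolation check for a VM-Series for NSX virtual-wire deployment.

Added example, not code from the original page or from Palo Alto Networks.
It parses the `show interface all` output shown in the verification step
(embedded below as constructed input) and then evaluates sample flows
against zone-scoped rules to show why the firewall needs the zone as well
as the dynamic address group when both tenants reuse the same IP space.
"""
import re
from collections import defaultdict

# Constructed copy of the CLI output shown above (hardware section included;
# only the vwire rows of the logical-interface table are parsed).
SHOW_INTERFACE_ALL = """\
total configured hardware interfaces: 2
name                id    speed/duplex/state   mac address
---------------------------------------------------
ethernet1/1         16    auto/auto/up         d4:f4:be:c6:af:10
ethernet1/2         17    auto/auto/up         d4:f4:be:c6:af:11
aggregation groups: 0
total configured logical interfaces: 6
name                id    vsys zone              forwarding
------------------- ----- ---- ----------------- -----------------
ethernet1/1         16    1                      vwire:ethernet1/2
ethernet1/1.3       4099  1    TENANT-1          vwire:ethernet1/2.3
ethernet1/1.4       4100  1    TENANT-2          vwire:ethernet1/2.4
ethernet1/2         17    1                      vwire:ethernet1/1
ethernet1/2.3       4355  1    TENANT-1          vwire:ethernet1/1.3
ethernet1/2.4       4356  1    TENANT-2          vwire:ethernet1/1.4
"""

# Row layout: name  id  vsys  [zone]  vwire:<peer>. The zone column is empty
# on the parent interfaces, so it is optional in the pattern.
VWIRE_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<id>\d+)\s+(?P<vsys>\d+)\s+"
    r"(?:(?P<zone>\S+)\s+)?vwire:(?P<peer>\S+)\s*$"
)


def parse_logical_interfaces(text):
    """Map interface name -> (zone or None, vwire peer) for every vwire row."""
    table = {}
    for line in text.splitlines():
        m = VWIRE_ROW.match(line)
        if m:
            table[m["name"]] = (m["zone"], m["peer"])
    return table


def check_vwire_zones(table):
    """Return a list of findings (empty means the layout matches the use case).

    Check 1: a tenant subinterface and its vwire peer must be in the same zone,
    otherwise a rule with identical source and destination zone cannot match.
    Check 2: a tenant zone must contain exactly one vwire pair; a third member
    means another pair (another tenant) was placed in that zone.
    """
    findings = []
    members = defaultdict(set)
    for name, (zone, peer) in table.items():
        if zone is None:          # parent interfaces carry no zone in this design
            continue
        peer_zone = table.get(peer, (None, None))[0]
        if peer_zone != zone:
            findings.append(f"{name} is in {zone} but its peer {peer} is in {peer_zone}")
        members[zone].add(name)
    for zone, names in members.items():
        if len(names) != 2:
            findings.append(f"zone {zone} has {sorted(names)}, expected one vwire pair")
    return findings


# Dynamic address group membership as the firewall would learn it from the
# NSX security groups. Constructed: both tenants use the same addresses.
DAG_MEMBERS = {
    "Tenant1-Web": {"10.1.1.10"}, "Tenant1-App": {"10.1.2.10"},
    "Tenant2-Web": {"10.1.1.10"}, "Tenant2-App": {"10.1.2.10"},
}

# Zone-scoped rules: source and destination zone are the same tenant zone.
RULES = [
    {"name": "T1-web-to-app", "zone": "TENANT-1", "src": "Tenant1-Web", "dst": "Tenant1-App"},
    {"name": "T2-web-to-app", "zone": "TENANT-2", "src": "Tenant2-Web", "dst": "Tenant2-App"},
]


def match_rule(table, ingress_if, src_ip, dst_ip, rules=RULES):
    """First-match lookup on the ingress interface's zone plus DAG membership.

    Returns the matching rule name, or None when no explicit rule matches
    (on the real firewall the default intrazone/interzone rules then apply).
    """
    zone = table[ingress_if][0]
    for r in rules:
        if (r["zone"] == zone and src_ip in DAG_MEMBERS[r["src"]]
                and dst_ip in DAG_MEMBERS[r["dst"]]):
            return r["name"]
    return None


def candidates_by_address_only(src_ip, dst_ip, rules=RULES):
    """What a lookup keyed on IP alone would see: with overlapping address
    space both tenants' rules match, so the zone is what keeps them apart."""
    return [r["name"] for r in rules
            if src_ip in DAG_MEMBERS[r["src"]] and dst_ip in DAG_MEMBERS[r["dst"]]]


if __name__ == "__main__":
    ifaces = parse_logical_interfaces(SHOW_INTERFACE_ALL)
    print("findings:", check_vwire_zones(ifaces) or "none")
    for ingress in ("ethernet1/1.3", "ethernet1/1.4"):
        print(ingress, "10.1.1.10 -> 10.1.2.10:",
              match_rule(ifaces, ingress, "10.1.1.10", "10.1.2.10"))
    print("address-only candidates:", candidates_by_address_only("10.1.1.10", "10.1.2.10"))
```

Feed the script the real output captured over SSH from each VM-Series instance to catch a subinterface that was attached to the wrong zone during a template push; the same 10.1.1.10 to 10.1.2.10 flow matches the Tenant 1 rule when it arrives on ethernet1/1.3 and the Tenant 2 rule when it arrives on ethernet1/1.4, while an address-only lookup would return both.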