Configure the Panorama Plugin for VMware vCenter

After installing the plugin, complete the following procedure to establish a connection between Panorama and vCenter.
For the plugin to monitor virtual machines in your vCenter environment, you must have VMware Tools installed. In vCenter, IP addresses of VMs are not externally retrievable; they are only visible through VMware Tools. Additionally, native read-only permissions are required for the plugin to retrieve IP address information from vCenter.
  1. Log in to the Panorama web interface.
  2. Enable monitoring and set the monitoring interval.
    1. Select Panorama > VMware vCenter > Setup > General.
    2. Select Enable Monitoring. This enables monitoring for all vCenters in your deployment.
    3. Set the Monitoring Interval in seconds. The monitoring interval is how often Panorama retrieves updated network information from vCenter. The default value is 60 seconds and has a range of 60 to 84600 seconds.
  3. Create a notify group.
    1. Select Panorama > VMware vCenter > Setup > Notify Groups.
    2. Click Add.
    3. Enter a descriptive Name for your notify group.
    4. Select the device groups in your vCenter deployment.
  4. Add vCenter information. The Panorama plugin for VMware vCenter supports up to 16 vCenter instances.
    1. Select Panorama > VMware vCenter > Setup > vCenter.
    2. Enter a descriptive Name for your vCenter.
    3. Enter the IP address or FQDN for vCenter and port, if applicable.
    4. Enter your vCenter username.
    5. Enter and confirm your vCenter password.
    6. Click Validate to verify that Panorama can connect to vCenter using the login credentials you entered.
    7. Click OK.
  5. Configure up to 16 Monitoring Definitions.
    A vCenter instance can be assigned to only one Monitoring Definition.
    1. Select Panorama > VMware vCenter > Monitoring Definition and click Add.
    2. Enter a descriptive Name and optionally a description to identify the vCenter for which you use this definition.
    3. Select the vCenter and Notify Group.
    4. Click OK.
  6. Commit your changes.
  7. Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups.
    You must use the OR operator when using more than one tag in the match criteria; using the AND operator does not work.
    Some browser extensions may block API calls between Panorama and vCenter, which prevents Panorama from receiving match criteria. If Panorama displays no match criteria and you are using browser extensions, disable the extensions and Synchronize Dynamic Objects to populate the tags available to Panorama.
  8. Verify that addresses in your VMs are added to DAGs.
    1. Select Panorama > Objects > Address Groups.
    2. Click More in the Addresses column of a DAG.
      Panorama displays a list of IP addresses added to that DAG based on the match criteria you specified.
  9. Use dynamic address groups in policy.
    1. Select Policies > Security.
    2. Click Add and enter a Name and a Description for the policy.
    3. Add the Source Zone to specify the zone from which the traffic originates.
    4. Add the Destination Zone at which the traffic is terminating.
    5. For the Destination Address, select the Dynamic Address Group you just created.
    6. Specify the action (Allow or Deny) for the traffic, and optionally attach the default security profiles to the rule.
    7. Repeat Steps 1 through 6 to create another policy rule.
    8. Click Commit.
  10. You can update the dynamic objects from vCenter at any time by synchronizing dynamic objects. Synchronizing dynamic objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the Dynamic Address Groups used in policy rules.
    1. Select Panorama > VMware vCenter > Monitoring Definition.
    2. Click Synchronize Dynamic Objects.
  11. If a firewall in your vCenter deployment restarts or disconnects from Panorama, that firewall goes out of sync with the Panorama plugin for vCenter and does not receive updates. After the firewall reconnects with Panorama, you must manually synchronize Panorama and the firewall.
    1. Log in to the Panorama CLI.
    2. Execute the following command.
      admin@Panorama> request plugins vmware_vcenter sync
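
Step 7 states that match criteria with more than one tag must use OR. The following check is an added example, not part of the original procedure or the plugin: it scans an exported address-group XML fragment for Dynamic Address Groups whose filter uses AND, so they can be rewritten before policy depends on them. It assumes the `address-group/entry/dynamic/filter` layout of an exported configuration; the group and tag names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (group and tag names are made up for illustration).
SAMPLE_CONFIG = """
<address-group>
  <entry name="web-vms">
    <dynamic><filter>'tag.web' or 'tag.frontend'</filter></dynamic>
  </entry>
  <entry name="db-vms">
    <dynamic><filter>'tag.db' and 'tag.prod'</filter></dynamic>
  </entry>
  <entry name="single-tag">
    <dynamic><filter>'tag.and.more'</filter></dynamic>
  </entry>
  <entry name="static-group">
    <static><member>host-1</member></static>
  </entry>
</address-group>
"""

# Quoted tags are blanked out first so an "and" inside a tag name
# is not mistaken for the operator.
_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")
_AND_OP = re.compile(r"\band\b", re.IGNORECASE)


def filter_uses_and(expr):
    """Return True if the match criteria contain an AND operator."""
    return bool(_AND_OP.search(_QUOTED.sub(" ", expr)))


def find_and_filters(config_xml):
    """Return sorted names of dynamic address groups whose filter uses AND."""
    root = ET.fromstring(config_xml)
    flagged = []
    for group in root.iter("address-group"):
        for entry in group.findall("entry"):
            expr = entry.findtext("dynamic/filter")  # None for static groups
            if expr and filter_uses_and(expr):
                flagged.append(entry.get("name"))
    return sorted(flagged)


if __name__ == "__main__":
    for name in find_and_filters(SAMPLE_CONFIG):
        print(f"{name}: match criteria use AND; rewrite with OR")
```

Run it only against groups that match on tags from the vCenter plugin; the OR-only restriction is the one this page describes for that plugin.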
