Apply Security Policy to the VM-Series Firewall on NSX-T
Now that you have deployed the VM-Series firewall
and created traffic redirection rules to send traffic to the firewall,
you can use Panorama to centrally manage security policy rules on
the VM-Series firewall.
- Log in to Panorama.
- Create security policy rules. By default, the firewall creates a rule that allows Bidirectional Forwarding Detection (BFD). Do not create a rule that blocks BFD. If BFD is blocked, NSX-T thinks that the firewall is unavailable.
  - Select Policies > Security > Prerules.
  - Select the Device Group that you created for managing the VM-Series firewalls on NSX-T in Create Template Stacks and Device Groups on Panorama.
  - Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
  - Select the Source Zone and Destination Zone.
  - For the Source Address and Destination Address, select or type in an address, static address group, or region. The VM-Series firewall on NSX-T does not support dynamic address groups for North-South traffic.
  - Select the Application to allow. In this example, we create an Application Group that includes a static group of specific applications that are grouped together.
    - Click Add and select New Application Group.
    - Click Add to select the application to include in the group.
    - Click OK to create the application group.
  - Specify the action—Allow or Deny—for the traffic, and optionally attach the default security profiles for antivirus, anti-spyware, and vulnerability protection, under Profiles.
  - Click Commit, select Commit to Panorama. Click OK.
- Apply the policies to the VM-Series firewalls on NSX-T.
  - Click Commit > Push to Devices > Edit Selections.
  - Select the device group and click OK.
  - Select Force Template Values. By default, Panorama does not override objects on the firewall with objects on Panorama that share a name. You must select Force Template Values to push policy to the managed firewalls.
  - Click Yes to confirm force template values.
  - Click OK.
- Verify that the commit is successful.
- (Optional) Use a template to push a base configuration for network and device settings such as DNS server, NTP server, Syslog server, and login banner. Refer to the Panorama Administrator’s Guide for information on using templates.
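The two constraints in the steps above (never block BFD, no dynamic address groups for North-South traffic) can be checked before you push. The following is an added example, not Palo Alto Networks code: it lints an exported device-group fragment, where the sample XML, the object names, and the `bfd` application name are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one device-group entry in PAN-OS XML config layout.
SAMPLE = """
<entry name="NSX-T-DG">
  <address-group>
    <entry name="web-static"><static><member>web-01</member></static></entry>
    <entry name="app-dynamic"><dynamic><filter>'app-tier'</filter></dynamic></entry>
  </address-group>
  <pre-rulebase><security><rules>
    <entry name="web-to-app">
      <source><member>web-static</member></source>
      <destination><member>app-dynamic</member></destination>
      <application><member>web-app-group</member></application>
      <action>allow</action>
    </entry>
    <entry name="block-rest">
      <source><member>any</member></source>
      <destination><member>any</member></destination>
      <application><member>any</member></application>
      <action>deny</action>
    </entry>
  </rules></security></pre-rulebase>
</entry>
"""

BFD_APP = "bfd"  # assumed application name for BFD; confirm on your firewall

def members(rule, tag):
    """Return the set of <member> values under one field of a rule."""
    return {m.text for m in rule.findall(f"{tag}/member")}

def lint(xml_text):
    """Flag pre-rules that could block BFD or that use dynamic address groups."""
    root = ET.fromstring(xml_text)
    dynamic = {g.get("name") for g in root.findall("address-group/entry")
               if g.find("dynamic") is not None}
    findings = []
    for rule in root.findall("pre-rulebase/security/rules/entry"):
        name = rule.get("name")
        action = rule.findtext("action", default="allow")
        # Any non-allow action on "any" or BFD is a candidate for review.
        if action != "allow" and members(rule, "application") & {"any", BFD_APP}:
            findings.append((name, "may-block-bfd"))
        used = (members(rule, "source") | members(rule, "destination")) & dynamic
        findings.extend((name, f"dynamic-address-group:{g}") for g in sorted(used))
    return findings

if __name__ == "__main__":
    for name, issue in lint(SAMPLE):
        print(f"{name}: {issue}")
```

A `may-block-bfd` finding is a prompt to check the rule's zones and addresses by hand; the dynamic address group finding only matters for rules that handle North-South traffic.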