1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall on VMware NSX
    5. Set Up the VM-Series Firewall on VMware NSX-T (North-South)
    6. Deploy the VM-Series Firewall on NSX-T (North-South)
    7. Apply Security Policy to the VM-Series Firewall on NSX-T

    Apply Security Policy to the VM-Series Firewall on NSX-T

    Now that you have deployed the VM-Series firewall and created traffic redirection rules to send traffic to the firewall, you can use Panorama to centrally manage security policy rules on the VM-Series firewall.
    1. Log in to Panorama.
    2. Create security policy rules.
      By default, the firewall creates a rule that allows Bidirectional Forwarding Detection (BFD). Do not create a rule that blocks BFD. If BFD is blocked, NSX-T thinks that the firewall is unavailable.
      1. Select
        Policies
        Security
        Prerules
        .
      2. Select the
        Device Group
         that you created for managing the VM-Series firewalls on NSX-T in Create Template Stacks and Device Groups on Panorama.
      3. Click
        Add
         and enter a
        Name
         and a
        Description
         for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
      4. Select the
        Source Zone
         and
        Destination Zone
        .
      5. For the
        Source Address
         and
        Destination Address
        , select or type in an address, static address group, or region.
        The VM-Series firewall on NSX-T does not support dynamic address groups for North-South traffic.
      6. Select the
        Application
         to allow. In this example, we create an
        Application Group
         that includes a static group of specific applications that are grouped together.
        1. Click
          Add
           and select
          New Application Group
          .
        2. Click
          Add
           to select the application to include in the group.
        3. Click
          OK
           to create the application group.
      7. Specify the action—
        Allow
         or
        Deny
        —for the traffic, and optionally attach the default security profiles for antivirus, anti-spyware, and vulnerability protection, under Profiles.
      8. Click
        Commit
        , select
        Commit to Panorama
        . Click
        OK
        .
    3. Apply the policies to the VM-Series firewalls on NSX-T.
      1. Click
        Commit
        Push to Devices
        Edit Selections
        .
      2. Select the device group and click
        OK
        .
      3. Select
        Force Template Values
        . By default, Panorama does not override objects on the firewall with objects on Panorama that share a name. You must select Force Template Values to push policy to the managed firewalls.
      4. Click
        Yes
         to confirm force template values.
      5. Click
        OK
        .
      6. Verify that the commit is successful.
        force-template-values.png
    4. (
      Optional
      ) Use template to push a base configuration for network and device configuration such as DNS server, NTP server, Syslog server, and login banner.
      Refer to the Panorama Administrator’s Guide for information on using templates.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo