VM-Series Firewall on Nutanix AHV

Learn how to set up the VM-Series firewall on Nutanix AHV.
Where Can I Use This? / What Do I Need?
  • Nutanix AHV
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for Nutanix AHV
The VM-Series firewall for Nutanix AHV allows you to deploy the VM-Series firewall on devices capable of running the Nutanix Acropolis Hypervisor. If you're using Panorama to manage your VM-Series firewalls on Nutanix AHV, you can use the Panorama plugin for Nutanix to perform VM monitoring. This allows you to dynamically inform the firewall of changes in your Nutanix environment and ensure that policy is applied to virtual machines as they join your network.
The Panorama plugin for Nutanix facilitates the use of dynamic address groups by monitoring virtual machines in your Nutanix environment. Prism Central groups entities in your Nutanix environment by categories and filters them further by value. Panorama creates tags based on the categories and values you define in Prism Central. When a virtual machine is placed in a category and assigned a value, Panorama applies the corresponding tag to the virtual machine’s IP address. You can then create a security policy by using the tags as match criteria for Dynamic Address Groups in Panorama.
In the example above, we have two categories, Dev and HR, with two values in each. These categories are within the cluster, which is within Prism Central. After you begin monitoring your Nutanix environment, Panorama uses the value, category, cluster, and Prism Central to form tags. When you view the match criteria for Dynamic Address Groups, the tags are listed in the following format.
ntnx.PC-<prism-central-name>.CL-<cluster-name>.<category>.<value>
With the information in the example above, Panorama creates the following tags.
ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.Dev.Engineering
ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.Dev.QA
ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.HR.Recruiting
ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.HR.Benefits
To secure the workloads in these categories, use tags such as these as match criteria in the Dynamic Address Groups. You can then use the Dynamic Address Groups as source and destination address groups in your security policy rules. When a virtual machine joins a Dynamic Address Group, the policy you created is applied automatically.
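The tag layout and group membership described above, as an added example (not Palo Alto Networks or Nutanix code): it builds the tags for a constructed VM inventory, previews which IP addresses each Dynamic Address Group would contain, and lists VMs that no group covers. The IP addresses, group names, OR-only matching, and the assumption that names contain no dots are illustrative; it does not call Panorama or Prism Central.

```python
import re

# Tag layout as given on this page:
#   ntnx.PC-<prism-central-name>.CL-<cluster-name>.<category>.<value>
TAG_RE = re.compile(r"^ntnx\.PC-([^.]+)\.CL-([^.]+)\.([^.]+)\.(.+)$")
FIELDS = ("prism_central", "cluster", "category", "value")

def build_tag(pc, cluster, category, value):
    return f"ntnx.PC-{pc}.CL-{cluster}.{category}.{value}"

def parse_tag(tag):
    """Split a tag into its parts (assumption: no dots in PC, cluster or category names)."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"not in the ntnx tag layout: {tag!r}")
    return dict(zip(FIELDS, m.groups()))

def tags_by_ip(pc, cluster, vms):
    """Map each VM IP to the set of tags its category/value pairs produce."""
    return {vm["ip"]: {build_tag(pc, cluster, c, v) for c, v in vm["categories"]}
            for vm in vms}

def preview(dags, ip_tags):
    """Return (members per group, IPs in no group). A group matches an IP
    when the IP carries any of the group's tags (OR-only, a simplification)."""
    members = {name: sorted(ip for ip, tags in ip_tags.items() if tags & match)
               for name, match in dags.items()}
    covered = {ip for ips in members.values() for ip in ips}
    return members, sorted(set(ip_tags) - covered)

# Constructed inventory using the category/value names from this page.
PC, CLUSTER = "PrismCentralHQ", "ClusterAlpha"
VMS = [
    {"ip": "10.10.1.11", "categories": [("Dev", "Engineering")]},
    {"ip": "10.10.1.21", "categories": [("Dev", "QA")]},
    {"ip": "10.10.2.11", "categories": [("HR", "Recruiting")]},
    {"ip": "10.10.2.21", "categories": [("HR", "Benefits")]},
    {"ip": "10.10.9.99", "categories": []},  # VM never placed in a category
]
# Hypothetical Dynamic Address Groups: name -> tags used as match criteria.
DAGS = {
    "dag-dev": {build_tag(PC, CLUSTER, "Dev", "Engineering"), build_tag(PC, CLUSTER, "Dev", "QA")},
    "dag-hr-recruiting": {build_tag(PC, CLUSTER, "HR", "Recruiting")},
}

if __name__ == "__main__":
    members, uncovered = preview(DAGS, tags_by_ip(PC, CLUSTER, VMS))
    for name, ips in members.items():
        print(name, ips)
    print("in no group (tag-based rules will not match):", uncovered)
```

The uncovered list is the part worth reviewing: those addresses carry no tag that any group matches, so rules written against the groups never apply to them.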
For information on deploying the VM-Series firewall, see Deploy the VM-Series Firewall on Nutanix AHV.