Palo Alto Networks VM-100 Deployment Manual

Manual is about: Palo Alto Networks VM-Series firewall Deployment guide

Summary of VM-100

  • Page 1

    Palo Alto Networks® VM-Series Deployment Guide PAN-OS 6.0

  • Page 2: Contact Information

    Contact Information. Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054. http://www.paloaltonetworks.com/contact/contact/ About This Guide: This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to de...

  • Page 3: Table of Contents

    Table of Contents: About the VM-Series Firewall (p. 1); VM-Series Models ...

  • Page 4

    Table of Contents: The VM-Series NSX Edition Firewall (p. 41); VM-Series NSX Edition Firewall Overview (p. 42); What are the...

  • Page 5

    About the VM-Series Firewall: The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized data center environment where it can protect and secure traffic for private and pu...

  • Page 6

    VM-Series Models: The VM-Series firewall is available in four models—VM-100, VM-200, VM-300, and VM-1000-HV. All four models can be deployed as guest virtual machines on VMware ESXi and on Citrix NetScaler SDX; on VMware NSX, only the VM-1000-HV is supported. The software...

  • Page 7

    VM-Series Deployments: The VM-Series firewall can be deployed on the following platforms: VM-Series for VMware vSphere Hypervisor (ESXi): VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on VMware ESXi; ideal for cloud or networks where virtual fo...

  • Page 8

    License the VM-Series Firewall: When you purchase a VM-Series firewall, you receive a set of auth-codes over email. Typically the email includes a capacity auth-code for the model purchased (VM-100, VM-200, VM-300, VM-1000-HV), a software and support auth-code (for example...

  • Page 9

    Register the VM-Series Firewall: Use the instructions in this section to register your capacity auth-code with your support account. Activate the License: To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initia...

  • Page 10

    When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth-code in conjunction with the serial number is used to validate your entitlement. Activ...

  • Page 11

    Upgrade the PAN-OS Software Version: Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, you need to upgrade to the latest version of PAN-OS (a support license is required). Upgrade the VM-Series Model: The licensing process ...

  • Page 12

    Step 5: Apply the new license. See Activate the License. Migrate the license on the VM-Series firewall.

  • Page 13

    Set Up a VM-Series Firewall on an ESXi Server: The VM-Series firewall is distributed using the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of runn...

  • Page 14

    Supported Deployments: You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the f...

  • Page 15

    System Requirements and Limitations: This section lists requirements and limitations for the VM-Series firewall. Requirements: You can create and deploy multiple instances of the VM-Series f...

  • Page 16

    Jumbo frames are not supported. Link aggregation is not supported.

  • Page 17

    Install a VM-Series Firewall: To install a VM-Series firewall you must have access to the Open Virtualization Format (OVF) template. Use the auth code you received in your order fulfillment email...

  • Page 18

    Step 3: Deploy the OVF template. 1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed. 2. From the vSphere client, select File > Deploy OVF Tem...

  • Page 19

    Perform Initial Configuration: Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. You must first configure the management interface, and then ...

  • Page 20

    Configure the Management Interface. Step 1: Gather the required information from your network administrator. • IP address for MGT port • Netmask • Default gateway • DNS server IP address Step 2: Acc...

  • Page 21

    Troubleshoot ESXi Deployments: Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface co...

  • Page 22

    The mf extension is for the OVF manifest file that contains the SHA-1 digests of individual files in the package. The vmdk extension is for the virtual disk image file. The virtual disk in the o...

  • Page 23

    Alternatively, you can deploy the firewall and, before you power on the VM-Series firewall, edit the memory and virtual CPU allocation directly on the ESXi host or the vCenter server. Licensing is...

  • Page 24

    Connectivity Issues: Why is the VM-Series firewall not receiving any network traffic? On the VM-Series firewall, check the traffic logs (Monitor > Logs). If the logs are empty, use the followin...

  • Page 25

    Set Up a VM-Series Firewall on the Citrix SDX Server: To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunctio...

  • Page 26

    About the VM-Series Firewall on the SDX Server: One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the netwo...

  • Page 27

    System Requirements and Limitations: This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server. Requirements: You can deploy multiple instanc...

  • Page 28

    Supported Deployments: In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic b...

  • Page 29

    VM-Series Firewall with L3 Interfaces: Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the...

  • Page 30

    For instructions, see Deploy the VM-Series Firewall Using L3 Interfaces. VM-Series Firewall with L2 or Virtual Wire Interfaces: Deploying the VM-Series firewall using L2 interfaces or virtual wir...

  • Page 31

    VM-Series Firewall Before the NetScaler VPX: In this scenario, the perimeter firewall is replaced with the VM-Series firewall that can be deployed using L3, L2, or virtual wire interfaces. All tra...

  • Page 32

    Install the VM-Series Firewall: A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the s...

  • Page 33

    Provision the VM-Series Firewall: Continue with Activate the License. Provision the VM-Series Firewall on the SDX Server. Step 1: Access the SDX server. Launch the web browser and connect ...

  • Page 34

    Secure North-South Traffic with the VM-Series Firewall: This section includes information on the following deployments: Deploy the VM-Series Firewall Using L3 Inte...

  • Page 35

    Topology After Adding the VM-Series Firewall: The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration ...

  • Page 36

    8. (Optional) To enable you to ping or SSH in to the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management ...

  • Page 37

    Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces: To secure north-south traffic, this scenario shows you how to deploy the VM-Series fir...

  • Page 38

    Step 2: Re-cable the server-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to p...

  • Page 39

    Deploy the VM-Series Firewall Before the NetScaler VPX: The following example shows how to deploy the VM-Series firewall to process and secure traffic before it re...

  • Page 40

    The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS...

  • Page 41

    Step 3: Configure the data interfaces. 1. Launch the web interface of the firewall. 2. Select Network > Interfaces > Ethernet. 3. Click the link for an interface, ...

  • Page 42

    Secure East-West Traffic with the VM-Series Firewall: The following example shows you how to deploy your VM-Series firewall to secure the application or database ser...

  • Page 43

    When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows: All incoming requests are authenticated and the SSL co...

  • Page 44

    based on protocol, to the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the ...

  • Page 45

    The VM-Series NSX Edition Firewall: The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide co...

  • Page 46

    VM-Series NSX Edition Firewall Overview: NSX, VMware's networking and security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks fi...

  • Page 47

    vCenter Server: The vCenter server is required to manage the NSX Manager and the ESXi hosts in your datacenter. This joint solution requires that the ESXi hosts be organized into one or more clust...

  • Page 48

    NSX Manager: NSX is VMware’s network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager. The NSX fire...

  • Page 49

    How Do the Components Work Together? To meet the security challenges in the software-defined datacenter, the NSX Manager, ESXi servers and Panorama work harmoniously to automate the deployment of...

  • Page 50

    3. Establish communication between the VM-Series firewall and Panorama: The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from ...

  • Page 51

    Rules defined on the NSX Firewall—The rules for directing traffic from the guests on each ESXi host are configured on the NSX Manager. The Service Composer on the NSX Manager allows you to defin...

  • Page 52

    then enforces security policy by matching on source or destination IP address—the use of dynamic address groups allows the firewall to populate the members of the groups in real time—and forwards...

  • Page 53

    On Panorama, you can then create three dynamic address groups to match objects that are tagged as database, application and webfrontend. Then, in security policy you can use the dynamic address g...

  • Page 54

    On each firewall, all policy rules that reference these dynamic address groups are updated at runtime. Because the firewall matches on the security group tag to determine the members of a dynamic...

  • Page 55

    Deploy the VM-Series NSX Edition Firewall: To deploy the NSX edition of the VM-Series firewall, use the following workflow: Step 1: Set up the components—To deploy the VM-Series NSX edition, se...

  • Page 56

    Create a Device Group and Template on Panorama: To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group; adding a firewall to a template is opti...

  • Page 57

    Use Panorama to Register the VM-Series Firewall as a Service. Step 1: Log in to the Panorama web interface. Using a secure connection (https) from a web browser, log in using the IP address and p...

  • Page 58

    Step 6: Set up notification to different device groups as new virtual machines are provisioned or as changes occur on the network. To create context awareness between the virtual and security en...

  • Page 59

    Deploy the VM-Series Firewall: After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager. Define an IP a...

  • Page 60

    Prepare the ESXi Host for the VM-Series Firewall: Before you deploy the VM-Series firewall, each guest in the cluster must have the necessary NSX components that allow the NSX Firewall and the v...

  • Page 61

    Deploy the Palo Alto Networks NGFW Service: Use the following steps to automate the process of deploying an instance of the VM-Series NSX edition firewall on each ESXi host in the specified clus...

  • Page 62

    Deploy the Palo Alto Networks NGFW Service. 1. Select Networking and Security > Installation > Service Deployments. 2. Click New Service Deployment (green plus icon), and select the Palo Alto N...

  • Page 63

    5. Select the port group that provides management network traffic access to the firewall. 6. Select the IP address pool from which to assign a management IP address for each firewall when it is...

  • Page 64

    Create Policies: The following topics describe how to create policies on the NSX Manager to redirect traffic to the VM-Series firewall and how to create policies on Panorama and apply them on th...

  • Page 65

    Define Policies on the NSX Manager; Apply Policies to the VM-Series Firewall. Define Policies on the NSX Manager: In order for the VM-Series firewall to secure the traffic, you must first create s...

  • Page 66

    Define Policies to Redirect Traffic to the VM-Series Firewall: Create security policies to steer traffic from the NSX Manager to the VM-Series firewall. 1. Select Networking and Security > Servi...

  • Page 67

    Do not apply the traffic redirection policies that you created above unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default polic...

  • Page 68

    Define Policy on Panorama. Step 1: Create dynamic address groups. 1. Log in to the Panorama web interface. 2. Select Object > Address Groups. 3. Select the device group that you created for mana...

  • Page 69

    Step 2: Create security policies. 1. Select Policies > Security. 2. Select the device group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Templa...

  • Page 70

    Step 3: Apply the policies to the VM-Series NSX edition firewalls. 1. Click Commit, and select Commit Type as Device Groups. 2. Select the device group, NSX Device Group in this example and cl...

  • Page 71

    The last step in the process of deploying the VM-Series NSX edition firewall is to apply the redirection policies to the security groups on the NSX Manager. Apply the Security Policies on the N...

  • Page 72
