Palo Alto Networks® VM-Series Deployment Guide PAN-OS 6.0
Contact Information

Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About this Guide

This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to de...
About the VM-Series Firewall

The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized data center environment where it can protect and secure traffic for private and pu...
VM-Series Models

The VM-Series firewall is available in four models—VM-100, VM-200, VM-300, and VM-1000-HV. All four models can be deployed as guest virtual machines on VMware ESXi and on Citrix NetScaler SDX; on VMware NSX, only the VM-1000-HV is supported. The software...
VM-Series Deployments

The VM-Series firewall can be deployed on the following platforms:

VM-Series for VMware vSphere Hypervisor (ESXi)
VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on VMware ESXi; ideal for cloud or networks where virtual fo...
License the VM-Series Firewall

When you purchase a VM-Series firewall, you receive a set of auth-codes over email. Typically the email includes a capacity auth-code for the model purchased (VM-100, VM-200, VM-300, VM-1000-HV), a software and support auth-code (for example...
Register the VM-Series Firewall

Use the instructions in this section to register your capacity auth-code with your support account.

Activate the License

To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initia...
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth-code in conjunction with the serial number is used to validate your entitlement. Activ...
Upgrade the PAN-OS Software Version

Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, you need to upgrade to the latest version of PAN-OS (a support license is required).

Upgrade the VM-Series Model

The licensing process ...
Step 5  Apply the new license. See Activate the License.

Migrate the license on the VM-Series firewall.
Set Up a VM-Series Firewall on an ESXi Server

The VM-Series firewall is distributed using the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of runn...
Supported Deployments

You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the f...
System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall.

Requirements

You can create and deploy multiple instances of the VM-Series f...
Jumbo frames are not supported.
Link aggregation is not supported.
Install a VM-Series Firewall

To install a VM-Series firewall you must have access to the Open Virtualization Format (OVF) template. Use the auth code you received in your order fulfillment email...
Step 3  Deploy the OVF template.
1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
2. From the vSphere client, select File > Deploy OVF Tem...
Perform Initial Configuration

Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. You must first configure the management interface, and then ...
Configure the Management Interface

Step 1  Gather the required information from your network administrator.
• IP address for MGT port
• Netmask
• Default gateway
• DNS server IP address

Step 2  Acc...
Troubleshoot ESXi Deployments

Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface co...
The mf extension is for the OVF manifest file that contains the SHA-1 digests of individual files in the package. The vmdk extension is for the virtual disk image file. The virtual disk in the o...
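Added example (not part of the Palo Alto Networks guide): one way to check the files of a downloaded OVF package against the digests in its .mf manifest before deploying the template. The file names are constructed placeholders, the package is built in a temporary directory so the check runs offline, and the parser also accepts SHA256 entries, which goes beyond the SHA-1 digests the guide mentions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# OVF manifest entry: "SHA1(<file name>)= <hex digest>" (SHA256 in newer packages)
ENTRY_RE = re.compile(r"^(?P<algo>SHA1|SHA256)\((?P<name>.+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)$")


def parse_manifest(text):
    """Return {file name: (hash algorithm, expected hex digest)}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        entries[match["name"]] = (match["algo"].lower(), match["digest"].lower())
    return entries


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so large .vmdk images are not read into memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(mf_path):
    """Check every manifest entry; return {file name: ok|mismatch|missing|unsafe-path}."""
    mf_path = Path(mf_path)
    results = {}
    for name, (algo, expected) in parse_manifest(mf_path.read_text()).items():
        target = mf_path.parent / name
        if Path(name).name != name:  # entry points outside the package directory
            results[name] = "unsafe-path"
        elif not target.is_file():
            results[name] = "missing"
        elif file_digest(target, algo) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def build_sample_package(directory):
    """Write a constructed two-file package plus its .mf manifest; return the .mf path."""
    directory = Path(directory)
    files = {"sample-fw.ovf": b"<Envelope/>", "sample-fw-disk1.vmdk": b"\x00" * 4096}
    lines = []
    for name, data in files.items():
        (directory / name).write_bytes(data)
        lines.append(f"SHA1({name})= {hashlib.sha1(data).hexdigest()}")
    manifest = directory / "sample-fw.mf"
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        mf = build_sample_package(tmp)
        print("as shipped:", verify_package(mf))
        (Path(tmp) / "sample-fw-disk1.vmdk").write_bytes(b"tampered")
        print("after edit:", verify_package(mf))
```

A clean result shows that the files match what the manifest describes; it does not authenticate the manifest itself, so the package still has to come from a trusted download source.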
Alternatively you can deploy the firewall and before you power on the VM-Series firewall, edit the memory and virtual CPU allocation directly on the ESXi host or the vCenter server. Licensing is...
Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

On the VM-Series firewall, check the traffic logs (Monitor > Logs). If the logs are empty, use the followin...
Set Up a VM-Series Firewall on the Citrix SDX Server

To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunctio...
About the VM-Series Firewall on the SDX Server

One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the netwo...
System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.

Requirements

You can deploy multiple instanc...
Supported Deployments

In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic b...
VM-Series Firewall with L3 Interfaces

Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the...
For instructions, see Deploy the VM-Series Firewall Using L3 Interfaces.

VM-Series Firewall with L2 or Virtual Wire Interfaces

Deploying the VM-Series firewall using L2 interfaces or virtual wir...
VM-Series Firewall Before the NetScaler VPX

In this scenario, the perimeter firewall is replaced with the VM-Series firewall that can be deployed using L3, L2, or virtual wire interfaces. All tra...
Install the VM-Series Firewall

A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the s...
Provision the VM-Series Firewall

Continue with Activate the License.

Provision the VM-Series Firewall on the SDX Server

Step 1  Access the SDX server. Launch the web browser and connect ...
Secure North-South Traffic with the VM-Series Firewall

This section includes information on the following deployments:
Deploy the VM-Series Firewall Using L3 Inte...
Topology After Adding the VM-Series Firewall

The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration ...
8. (Optional) To enable you to ping or SSH in to the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management ...
Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces

To secure north-south traffic, this scenario shows you how to deploy the VM-Series fir...
Step 2  Re-cable the server-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to p...
Deploy the VM-Series Firewall Before the NetScaler VPX

The following example shows how to deploy the VM-Series firewall to process and secure traffic before it re...
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS...
Step 3  Configure the data interfaces.
1. Launch the web interface of the firewall.
2. Select Network > Interfaces > Ethernet.
3. Click the link for an interface, ...
Secure East-West Traffic with the VM-Series Firewall

The following example shows you how to deploy your VM-Series firewall to secure the application or database ser...
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
All incoming requests are authenticated and the SSL co...
based on protocol, to the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the ...
The VM-Series NSX Edition Firewall

The VM-Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide co...
VM-Series NSX Edition Firewall Overview

NSX, VMware's networking and security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks fi...
vCenter Server

The vCenter server is required to manage the NSX Manager and the ESXi hosts in your datacenter. This joint solution requires that the ESXi hosts be organized into one or more clust...
NSX Manager

NSX is VMware’s network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager. The NSX fire...
How Do the Components Work Together?

To meet the security challenges in the software-defined datacenter, the NSX Manager, ESXi servers and Panorama work harmoniously to automate the deployment of...
3. Establish communication between the VM-Series firewall and Panorama: The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from ...
Rules defined on the NSX Firewall—The rules for directing traffic from the guests on each ESXi host are configured on the NSX Manager. The Service Composer on the NSX Manager allows you to defin...
then enforces security policy by matching on source or destination IP address—the use of dynamic address groups allows the firewall to populate the members of the groups in real time—and forwards...
On Panorama, you can then create three dynamic address groups to match objects that are tagged as database, application and webfrontend. Then, in security policy you can use the dynamic address g...
On each firewall, all policy rules that reference these dynamic address groups are updated at runtime. Because the firewall matches on the security group tag to determine the members of a dynamic...
Deploy the VM-Series NSX Edition Firewall

To deploy the NSX edition of the VM-Series firewall, use the following workflow:
Step 1: Set up the Components—To deploy the VM-Series NSX edition, se...
Create a Device Group and Template on Panorama

To manage the VM-Series NSX edition firewalls using Panorama, the firewalls must belong to a device group; adding a firewall to a template is opti...
Use Panorama to Register the VM-Series Firewall as a Service

Step 1  Log in to the Panorama web interface. Using a secure connection (https) from a web browser, log in using the IP address and p...
Step 6  Set up notification to different device groups as new virtual machines are provisioned or as changes occur on the network. To create context awareness between the virtual and security en...
Deploy the VM-Series Firewall

After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager.
Define an IP a...
Prepare the ESXi Host for the VM-Series Firewall

Before you deploy the VM-Series firewall, each guest in the cluster must have the necessary NSX components that allow the NSX firewall and the v...
Deploy the Palo Alto Networks NGFW Service

Use the following steps to automate the process of deploying an instance of the VM-Series NSX edition firewall on each ESXi host in the specified clus...
Deploy the Palo Alto Networks NGFW Service
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), and select the Palo Alto N...
5. Select the port group that provides management network traffic access to the firewall.
6. Select the IP address pool from which to assign a management IP address for each firewall when it is...
Create Policies

The following topics describe how to create policies on the NSX Manager to redirect traffic to the VM-Series firewall and how to create policies on Panorama and apply them on th...
Define Policies on the NSX Manager
Apply Policies to the VM-Series Firewall

Define Policies on the NSX Manager

In order for the VM-Series firewall to secure the traffic, you must first create s...
Define Policies to Redirect Traffic to the VM-Series Firewall

Create security policies to steer traffic from the NSX Manager to the VM-Series firewall.
1. Select Networking and Security > Servi...
Do not apply the traffic redirection policies that you created above unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default polic...
Define Policy on Panorama

Step 1  Create dynamic address groups.
1. Log in to the Panorama web interface.
2. Select Object > Address Groups.
3. Select the device group that you created for mana...
Step 2  Create security policies.
1. Select Policies > Security.
2. Select the device group that you created for managing the VM-Series NSX edition firewalls in Create a Device Group and Templa...
Step 3  Apply the policies to the VM-Series NSX edition firewalls.
1. Click Commit, and select Commit Type as Device Groups.
2. Select the device group, NSX Device Group in this example and cl...
The last step in the process of deploying the VM-Series NSX edition firewall is to apply the redirection policies to the security groups on the NSX Manager.

Apply the Security Policies on the N...