PaloAlto Networks VM series Deployment Manual

Page of 94

Download

Print this page

Bookmark us

Palo Alto Networks

VM-Series Deployment Guide

PAN-OS 6.0

1 2 3 4 5 6 7 Next › »

Summary of VM series

Page 1
Palo alto networks ® vm-series deployment guide pan-os 6.0
Page 2: Contact Information
Ii contact information corporate headquarters: palo alto networks 4401 great america parkway santa clara, ca 95054 http://www.Paloaltonetworks.Com/contact/contact/ about this guide this guide describes how to set up and license the vm-series firewall; it is intended for administrators who want to de...
Page 3
Vm-series deployment guide iii table of contents about the vm-series firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 vm-series models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 4
Iv vm-series deployment guide secure north-south traffic with the vm-series firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 deploy the vm-series firewall using l3 interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 dep...
Page 5
Vm-series deployment guide 1 about the vm-series firewall the palo alto networks vm-series firewall is the virtualized form of the palo alto networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south tra...
Page 6
2 vm-series deployment guide vm-series models about the vm-series firewall vm-series models the vm-series firewall is available in four models—vm-100, vm-200, vm-300, and vm-1000-hv. All four models can be deployed as guest virtual machines on vmware esxi and on citrix netscaler sdx; on vmware nsx, ...
Page 7
Vm-series deployment guide 3 about the vm-series firewall vm-series deployments vm-series deployments the vm-series firewall can be deployed on the following platforms: vm-series for vmware vsphere hypervisor (esxi) vm-100, vm-200, vm-300, or vm-1000-hv is deployed as guest virtual machine on vmware...
Page 8
4 vm-series deployment guide vm-series deployments about the vm-series firewall here is a brief look at some of the requirements for deploying pan-os 6.0 on the vm-series firewall: deployment hypervisor versions supported base image required from the palo alto networks support portal relevant capaci...
Page 9
Vm-series deployment guide 5 about the vm-series firewall license the vm-series firewall license the vm-series firewall when you purchase a vm-series firewall, you receive a set of authorization codes over email. Typically the email includes authorization code(s) to license the vm-series model you p...
Page 10
6 vm-series deployment guide license the vm-series firewall about the vm-series firewall register the vm-series firewall use the instructions in this section to register your capacity auth-code with your support account. Create a support account 1. Log in to https://support.Paloaltonetworks.Com . 2....
Page 11
Vm-series deployment guide 7 about the vm-series firewall license the vm-series firewall activate the license to activate the license on your vm-series firewall, you must have deployed the vm-series firewall and completed initial configuration. For instructions to deploy the vm-series firewall, see ...
Page 12
8 vm-series deployment guide license the vm-series firewall about the vm-series firewall activate the license for the vm-series nsx edition firewall panorama serves as the central point of administration for the vm-series nsx edition firewalls and the license activation process is automated. When a ...
Page 13
Vm-series deployment guide 9 about the vm-series firewall license the vm-series firewall registered the auth-code to the support account. If you don’t register the auth-code, the licensing server will fail to create a license. Configured the vmware service manager and entered this auth-code on panor...
Page 14
10 vm-series deployment guide license the vm-series firewall about the vm-series firewall migrating from an evaluation license to a production license. Upgrading the model to allow for increased capacity. For example you want to upgrade from the vm-200 to the vm-1000-hv license. Migrate the license ...
Page 15
Vm-series deployment guide 11 about the vm-series firewall monitor changes in the virtual environment monitor changes in the virtual environment in a legacy client-server architecture with physical infrastructure resources, security administrators controlled the deployment of servers on the network,...
Page 16
12 vm-series deployment guide monitor changes in the virtual environment about the vm-series firewall set up the vm monitoring agent step 1 enable the vm monitoring agent. Up to 10 sources can be configured for each firewall, or for each virtual system on a multiple virtual systems capable firewall....
Page 17
Vm-series deployment guide 13 about the vm-series firewall monitor changes in the virtual environment use dynamic address groups in policy dynamic address groups allow you to create policy that automatically adapts to changes—adds, moves, or deletions of servers. It also enables the flexibility to a...
Page 18
14 vm-series deployment guide monitor changes in the virtual environment about the vm-series firewall the following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to: enable the vm monitoring agent on the firewall, to monitor the vm...
Page 19
Vm-series deployment guide 15 about the vm-series firewall monitor changes in the virtual environment step 2 create dynamic address groups on the firewall. View the tutorial to see a big picture view of the feature. 1. Log in to the web interface of the firewall. 2. Select object > address groups . ...
Page 20
16 vm-series deployment guide monitor changes in the virtual environment about the vm-series firewall this example shows how to create two policies: one for all access to ftp servers and the other for access to web servers. Step 4 validate that the members of the dynamic address group are populated ...
Page 21
Vm-series deployment guide 17 about the vm-series firewall monitor changes in the virtual environment attributes monitored on a vmware source when the firewall is configured to monitor vm information sources, the following metadata elements or attributes are monitored on each vmware source: uuid nam...
Page 22
18 vm-series deployment guide monitor changes in the virtual environment about the vm-series firewall.
Page 23
Vm-series deployment guide 9 set up a vm-series firewall on an esxi server the vm-series firewall is distributed using the open virtualization format (ovf), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of runn...
Page 24
10 vm-series deployment guide supported deployments on vmware vsphere hypervisor (esxi) set up a vm-series firewall on an esxi server supported deployments on vmware vsphere hypervisor (esxi) you can deploy one or more instances of the vm-series firewall on the esxi server. Where you place the vm-se...
Page 25
Vm-series deployment guide 11 set up a vm-series firewall on an esxi server system requirements and limitations system requirements and limitations this section lists requirements and limitations for the vm-series firewall on vmware vsphere hypervisor (esxi). To deploy the vm-series firewall, see in...
Page 26
12 vm-series deployment guide system requirements and limitations set up a vm-series firewall on an esxi server limitations the vm-series firewall functionality is very similar to the palo alto networks hardware firewalls, but with the following limitations: dedicated cpu cores are recommended. Only...
Page 27
Vm-series deployment guide 13 set up a vm-series firewall on an esxi server install a vm-series firewall on vmware vsphere hypervisor (esxi) install a vm-series firewall on vmware vsphere hypervisor (esxi) to install a vm-series firewall you must have access to the open virtualization format ( ovf) ...
Page 28
14 vm-series deployment guide install a vm-series firewall on vmware vsphere hypervisor (esxi) set up a vm-series firewall on an esxi server step 2 before deploying the ovf template, set up virtual standard switch(es) and virtual distributed switch(es) that you will need for the vm-series firewall. ...
Page 29
Vm-series deployment guide 15 set up a vm-series firewall on an esxi server install a vm-series firewall on vmware vsphere hypervisor (esxi) step 3 deploy the ovf template. If you add additional interfaces (vmnics) to the vm-series firewall, a reboot is required because new interfaces are detected d...
Page 30
16 vm-series deployment guide install a vm-series firewall on vmware vsphere hypervisor (esxi) set up a vm-series firewall on an esxi server perform initial configuration on the vm-series on esxi use the virtual appliance console on the esxi server to set up network access to the vm-series firewall....
Page 31
Vm-series deployment guide 17 set up a vm-series firewall on an esxi server troubleshoot esxi deployments troubleshoot esxi deployments many of the troubleshooting steps for the vm-series firewall are very similar to the hardware versions of pan-os. When problems occur, you should check interface co...
Page 32
18 vm-series deployment guide troubleshoot esxi deployments set up a vm-series firewall on an esxi server the vmdk extension is for the virtual disk image file. The virtual disk in the ovf is large for the vm-series; this file is nearly 900mb and must be present on the computer running the vsphere c...
Page 33
Vm-series deployment guide 19 set up a vm-series firewall on an esxi server troubleshoot esxi deployments alternatively you can deploy the firewall and before you power on the vm-series firewall, edit the memory and virtual cpu allocation directly on the esxi host or the vcenter server. Licensing is...
Page 34
20 vm-series deployment guide troubleshoot esxi deployments set up a vm-series firewall on an esxi server will moving the vm-series firewall cause license invalidation? If you are manually moving the vm-series firewall from one host to another, be sure to select the option, this guest was moved to p...
Page 35
Vm-series deployment guide 21 set up a vm-series firewall on the citrix sdx server to reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the vm-series firewall on the citrix sdx server. Deploying the vm-series firewall in conjunctio...
Page 36
22 vm-series deployment guide about the vm-series firewall on the sdx server set up a vm-series firewall on the citrix sdx server about the vm-series firewall on the sdx server one or more instances of the vm-series firewall can be deployed to secure east-west and/or north-south traffic on the netwo...
Page 37
Vm-series deployment guide 23 set up a vm-series firewall on the citrix sdx server system requirements and limitations system requirements and limitations this section lists requirements and limitations for the vm-series firewall on the citrix sdx server. Requirements limitations requirements you ca...
Page 38
24 vm-series deployment guide system requirements and limitations set up a vm-series firewall on the citrix sdx server limitations the vm-series firewall deployed on the citrix sdx server has the following limitations: up to 24 total ports can be configured. One port will be used for management traf...
Page 39
Vm-series deployment guide 25 set up a vm-series firewall on the citrix sdx server supported deployments—vm series firewall on citrix sdx supported deployments—vm series firewall on citrix sdx in the following scenarios, the vm-series firewall secures traffic destined to the servers on the network. ...
Page 40
26 vm-series deployment guide supported deployments—vm series firewall on citrix sdx set up a vm-series firewall on the citrix sdx server vm-series firewall with l3 interfaces deploying the firewall with l3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can...
Page 41
Vm-series deployment guide 27 set up a vm-series firewall on the citrix sdx server supported deployments—vm series firewall on citrix sdx for instructions, see deploy the vm-series firewall using l3 interfaces . Vm-series firewall with l2 or virtual wire interfaces deploying the vm-series firewall u...
Page 42
28 vm-series deployment guide supported deployments—vm series firewall on citrix sdx set up a vm-series firewall on the citrix sdx server vm-series firewall before the netscaler vpx in this scenario, the perimeter firewall is replaced with the vm-series firewall that can be deployed using l3, l2, or...
Page 43
Vm-series deployment guide 29 set up a vm-series firewall on the citrix sdx server install the vm-series firewall on the sdx server install the vm-series firewall on the sdx server a support account and a valid vm-series license are required to obtain the .Xva base image file that is required to ins...
Page 44
30 vm-series deployment guide install the vm-series firewall on the sdx server set up a vm-series firewall on the citrix sdx server provision the vm-series firewall on the sdx server continue with activate the license . Provision the vm-series firewall on the sdx server step 1 access the sdx server....
Page 45
Vm-series deployment guide 31 set up a vm-series firewall on the citrix sdx server secure north-south traffic with the vm-series firewall secure north-south traffic with the vm-series firewall this section includes information on deploying the netscaler vpx and the vm-series firewall on the citrix s...
Page 46
32 vm-series deployment guide secure north-south traffic with the vm-series firewall set up a vm-series firewall on the citrix sdx server topology after adding the vm-series firewall the following table includes the tasks you must perform to deploy the vm-series firewall. For firewall configuration ...
Page 47
Vm-series deployment guide 33 set up a vm-series firewall on the citrix sdx server secure north-south traffic with the vm-series firewall set up the vm-series firewall to process north-south traffic using l3 interfaces step 1 install the vm-series firewall on the sdx server . When provisioning the v...
Page 48
34 vm-series deployment guide secure north-south traffic with the vm-series firewall set up a vm-series firewall on the citrix sdx server go back to secure north-south traffic with the vm-series firewall , or see secure east-west traffic with the vm-series firewall . For an overview of the deploymen...
Page 49
Vm-series deployment guide 35 set up a vm-series firewall on the citrix sdx server secure north-south traffic with the vm-series firewall deploy the vm-series firewall using layer 2 (l2) or virtual wire interfaces to secure north-south traffic, this scenario shows you how to deploy the vm-series fir...
Page 50
36 vm-series deployment guide secure north-south traffic with the vm-series firewall set up a vm-series firewall on the citrix sdx server step 2 re-cable the server-side interface assigned to the netscaler vpx. Because the netscaler vpx will reboot when recabled, evaluate whether you would like to p...
Page 51
Vm-series deployment guide 37 set up a vm-series firewall on the citrix sdx server secure north-south traffic with the vm-series firewall go back to secure north-south traffic with the vm-series firewall , or see secure east-west traffic with the vm-series firewall . For an overview of the deploymen...
Page 52
38 vm-series deployment guide secure north-south traffic with the vm-series firewall set up a vm-series firewall on the citrix sdx server deploy the vm-series firewall before the netscaler vpx the following example shows how to deploy the vm-series firewall to process and secure traffic before it re...
Page 53
Vm-series deployment guide 39 set up a vm-series firewall on the citrix sdx server secure north-south traffic with the vm-series firewall set up the vm-series firewall before the netscaler vpx with virtual wire interfaces step 1 install the vm-series firewall on the sdx server . On the sdx server, m...
Page 54
40 vm-series deployment guide secure north-south traffic with the vm-series firewall set up a vm-series firewall on the citrix sdx server go back to secure north-south traffic with the vm-series firewall , or see secure east-west traffic with the vm-series firewall . For an overview of the deploymen...
Page 55
Vm-series deployment guide 41 set up a vm-series firewall on the citrix sdx server secure east-west traffic with the vm-series firewall secure east-west traffic with the vm-series firewall the following example shows you how to deploy your vm-series firewall to secure the application or database ser...
Page 56
42 vm-series deployment guide secure east-west traffic with the vm-series firewall set up a vm-series firewall on the citrix sdx server it is then handed off to the second instance of the netscaler vpx. This instance of the netscaler vpx load balances the request across the servers in the corporate ...
Page 57
Vm-series deployment guide 43 set up a vm-series nsx edition firewall the vm-series nsx edition firewall is jointly developed by palo alto networks and vmware. This solution uses the netx api to integrate the palo alto networks next-generation firewalls and panorama with vmware esxi servers to provi...
Page 58
44 vm-series deployment guide vm-series nsx edition firewall overview set up a vm-series nsx edition firewall vm-series nsx edition firewall overview nsx, vmware's networking and security platform designed for the software-defined data center (sddc), offers the ability to deploy the palo alto networ...
Page 59
Vm-series deployment guide 45 set up a vm-series nsx edition firewall vm-series nsx edition firewall overview what are the components of the nsx edition solution? Table: vmware components and table: palo alto networks components show the components of this joint palo alto networks and vmware solutio...
Page 60
46 vm-series deployment guide vm-series nsx edition firewall overview set up a vm-series nsx edition firewall panorama 6.0 panorama is the centralized management tool for the palo alto networks next-generation firewalls. In this solution, panorama works with the nsx manager to deploy, license, and c...
Page 61
Vm-series deployment guide 47 set up a vm-series nsx edition firewall vm-series nsx edition firewall overview vcenter server the vcenter server is required to manage the nsx manager and the esxi hosts in your datacenter. This joint solution requires that the esxi hosts be organized into one or more ...
Page 62
48 vm-series deployment guide vm-series nsx edition firewall overview set up a vm-series nsx edition firewall vm-series nsx edition the vm-series nsx edition is the vm-series firewall that is deployed on the esxi hypervisor. The integration with the netx api makes it possible to automate the process...
Page 63
Vm-series deployment guide 49 set up a vm-series nsx edition firewall vm-series nsx edition firewall overview how do the components in the nsx edition solution work together? To meet the security challenges in the software-defined datacenter, the nsx manager, esxi servers and panorama work harmoniou...
Page 64
50 vm-series deployment guide vm-series nsx edition firewall overview set up a vm-series nsx edition firewall 3. Establish communication between the vm-series firewall and panorama : the vm-series firewall then initiates a connection to panorama to obtain its license. Panorama retrieves the license ...
Page 65
Vm-series deployment guide 51 set up a vm-series nsx edition firewall vm-series nsx edition firewall overview integrated policy rules the nsx firewall and the vm-series firewall work in concert to enforce security; each provides a set of traffic management rules that are applied to the traffic on ea...
Page 66
52 vm-series deployment guide vm-series nsx edition firewall overview set up a vm-series nsx edition firewall traffic that does not need to be inspected by the vm-series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the vm-se...
Page 67
Vm-series deployment guide 53 set up a vm-series nsx edition firewall vm-series nsx edition firewall overview if, for example, you have a multi-tier architecture for web applications, on the nsx manager you create three security groups for the webfrontend servers, application servers and the databas...
Page 68
54 vm-series deployment guide vm-series nsx edition firewall overview set up a vm-series nsx edition firewall when panorama receives the api notification, it verifies/updates the ip address of each guest and the security group to which that guest belongs. Then, panorama pushes these real-time update...
Page 69
Vm-series deployment guide 55 set up a vm-series nsx edition firewall vm-series nsx edition firewall overview what are the benefits of the nsx edition solution? The nsx edition of the vm-series firewall is focused on securing east-west communication in the software-defined datacenter. Deploying the ...
Page 70
56 vm-series deployment guide vm-series nsx edition firewall deployment checklist set up a vm-series nsx edition firewall vm-series nsx edition firewall deployment checklist to deploy the nsx edition of the vm-series firewall, use the following workflow: step 1: set up the components —to deploy the ...
Page 71
Vm-series deployment guide 57 set up a vm-series nsx edition firewall vm-series nsx edition firewall deployment checklist – (on the nsx manager) define the network introspection rules that redirect traffic to the vm-series firewall. Step 4: monitor and maintain network security —panorama provides a ...
Page 72
58 vm-series deployment guide create a device group and template on panorama set up a vm-series nsx edition firewall create a device group and template on panorama to manage the vm-series nsx edition firewalls using panorama, the firewalls must belong to a device group; adding a firewall to a templa...
Page 73
Vm-series deployment guide 59 set up a vm-series nsx edition firewall register the vm-series firewall as a service on the nsx manager register the vm-series firewall as a service on the nsx manager to automate the provisioning of the vm-series nsx edition firewall, enable communication between the n...
Page 74
60 vm-series deployment guide register the vm-series firewall as a service on the nsx manager set up a vm-series nsx edition firewall step 4 add the authorization code. The authorization code must be for the vm-series model nsx bundle; for example, pan-vm-1000-hv-perp- bnd-nsx verify that the order ...
Page 75
Vm-series deployment guide 61 set up a vm-series nsx edition firewall register the vm-series firewall as a service on the nsx manager step 8 verify the connection status on panorama displays the connection status between panorama and the nsx manager. When the connection is successful, the status dis...
Page 76
62 vm-series deployment guide deploy the vm-series firewall set up a vm-series nsx edition firewall deploy the vm-series firewall after registering the vm-series firewall as a service (palo alto networks ngfw) on the nsx manager, complete the following tasks on the nsx manager. Enable spoofguard def...
Page 77
Vm-series deployment guide 63 set up a vm-series nsx edition firewall deploy the vm-series firewall enable spoofguard the nsx distributed firewall can only redirect traffic to the vm-series firewall when it matches an ip address that is known to the vcenter server. This means that any non-ip l2 traf...
Page 78
64 vm-series deployment guide deploy the vm-series firewall set up a vm-series nsx edition firewall step 2 select the ip protocols to allow. 1. Select networking and security > firewall > ethernet . 2. Add a rule that allows arp , ipv4 and ipv6 traffic. 3. Add a rule that blocks everything else. Ena...
Page 79
Vm-series deployment guide 65 set up a vm-series nsx edition firewall deploy the vm-series firewall define an ip address pool the ip pool is a range of (static) ip addresses that are reserved for establishing management access to the vm-series firewalls. When the nsx manager deploys a new vm-series ...
Page 80
66 vm-series deployment guide deploy the vm-series firewall set up a vm-series nsx edition firewall specify the port groups from which to redirect traffic so that the nsx manager can redirect traffic to the vm-series firewall, you must select the port groups or logical networks for which the vm-seri...
Page 81
Vm-series deployment guide 67 set up a vm-series nsx edition firewall deploy the vm-series firewall prepare the esxi host for the vm-series firewall before you deploy the vm-series firewall, each guest in the cluster must have the necessary nsx components that allow the nsx firewall and the vm-serie...
Page 82
68 vm-series deployment guide deploy the vm-series firewall set up a vm-series nsx edition firewall deploy the palo alto networks ngfw service use the following steps to automate the process of deploying an instance of the vm-series nsx edition firewall on each esxi host in the specified cluster. De...
Page 83
Vm-series deployment guide 69 set up a vm-series nsx edition firewall deploy the vm-series firewall step 6 select the ip address pool (you defined in define an ip address pool ) from which to assign a management ip address for each firewall when it is being deployed. Step 7 review the configuration ...
Page 84
70 vm-series deployment guide deploy the vm-series firewall set up a vm-series nsx edition firewall step 9 access the panorama web interface to make sure that the vm-series firewalls are connected and synchronized with panorama. 1. Select panorama > managed devices to verify that the firewalls are c...
Page 85
Vm-series deployment guide 71 set up a vm-series nsx edition firewall create policies create policies the following topics describe how to create policies on the nsx manager to redirect traffic to the vm-series firewall and how to create policies on panorama and apply them on the vm-series firewall ...
Page 86
72 vm-series deployment guide create policies set up a vm-series nsx edition firewall define policies on the nsx manager in order for the vm-series firewall to secure the traffic, you must complete the following tasks: set up security groups on the nsx manager define policies to redirect traffic to ...
Page 87
Vm-series deployment guide 73 set up a vm-series nsx edition firewall create policies define policies to redirect traffic to the vm-series firewall define policies to redirect traffic to the vm-series firewall step 1 select networking and security > service composer > security policies , and click c...
Page 88
74 vm-series deployment guide create policies set up a vm-series nsx edition firewall do not apply the traffic redirection policies that you created above unless you understand how rules work on the nsx manager as well as on the vm-series firewall and panorama. The default policy on the vm-series fi...
Page 89
Vm-series deployment guide 75 set up a vm-series nsx edition firewall create policies apply policies to the vm-series firewall now that you have created the security policies on the nsx manager, the names of the security groups that are referenced in security policy will be available on panorama. Yo...
Page 90
76 vm-series deployment guide create policies set up a vm-series nsx edition firewall define policy on panorama step 1 create dynamic address groups. 1. Log in to the panorama web interface. 2. Select object > address groups . 3. Select the device group that you created for managing the vm-series ns...
Page 91
Vm-series deployment guide 77 set up a vm-series nsx edition firewall create policies step 2 create security policies. 1. Select policies > security . 2. Select the device group that you created for managing the vm-series nsx edition firewalls in create a device group and template on panorama . 3. C...
Page 92
78 vm-series deployment guide create policies set up a vm-series nsx edition firewall step 3 apply the policies to the vm-series nsx edition firewalls. 1. Click commit , and select commit type as device groups . 2. Select the device group, nsx device group in this example and click ok . 3. Verify th...
Page 93
Vm-series deployment guide 79 set up a vm-series nsx edition firewall create policies apply the redirection policies on the nsx manager the last step in the process of deploying the vm-series nsx edition firewall is to apply the redirection policies to the security groups on the nsx manager. Apply t...
Page 94
80 vm-series deployment guide steer traffic from guests that are not running vmware tools set up a vm-series nsx edition firewall steer traffic from guests that are not running vmware tools vmware tools contains a utility that allows the nsx manager to collect the ip address(es) of each guest runnin...