Palo Alto Networks® VM-Series Deployment Guide PAN-OS 6.0
Contact Information

Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About This Guide

This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to de...
Table of Contents

About the VM-Series Firewall
VM-Series Models
...
Secure North-South Traffic with the VM-Series Firewall
Deploy the VM-Series Firewall Using L3 Interfaces
dep...
About the VM-Series Firewall

The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south tra...
VM-Series Models

The VM-Series firewall is available in four models—VM-100, VM-200, VM-300, and VM-1000-HV. All four models can be deployed as guest virtual machines on VMware ESXi and on Citrix NetScaler SDX; on VMware NSX, ...
VM-Series Deployments

The VM-Series firewall can be deployed on the following platforms:

VM-Series for VMware vSphere Hypervisor (ESXi)
VM-100, VM-200, VM-300, or VM-1000-HV is deployed as guest virtual machine on vmware...
Here is a brief look at some of the requirements for deploying PAN-OS 6.0 on the VM-Series firewall:

Deployment Hypervisor Versions Supported Base Image Required from the Palo Alto Networks Support Portal Relevant capaci...
License the VM-Series Firewall

When you purchase a VM-Series firewall, you receive a set of authorization codes over email. Typically the email includes authorization code(s) to license the VM-Series model you p...
Register the VM-Series Firewall

Use the instructions in this section to register your capacity auth-code with your support account.

Create a Support Account

1. Log in to https://support.paloaltonetworks.com.
2....
Activate the License

To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. For instructions to deploy the VM-Series firewall, see ...
Activate the License for the VM-Series NSX Edition Firewall

Panorama serves as the central point of administration for the VM-Series NSX Edition firewalls and the license activation process is automated. When a ...
Registered the auth-code to the support account. If you don’t register the auth-code, the licensing server will fail to create a license.
Configured the VMware Service Manager and entered this auth-code on panor...
Migrating from an evaluation license to a production license.
Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM-200 to the VM-1000-HV license.

Migrate the license ...
Monitor Changes in the Virtual Environment

In a legacy client-server architecture with physical infrastructure resources, security administrators controlled the deployment of servers on the network,...
Set Up the VM Monitoring Agent

Step 1: Enable the VM Monitoring Agent. Up to 10 sources can be configured for each firewall, or for each virtual system on a multiple virtual systems capable firewall....
Use Dynamic Address Groups in Policy

Dynamic address groups allow you to create policy that automatically adapts to changes—adds, moves, or deletions of servers. It also enables the flexibility to a...
The following example shows how dynamic address groups can simplify network security enforcement. The example workflow shows how to:

Enable the VM Monitoring Agent on the firewall, to monitor the vm...
Step 2: Create dynamic address groups on the firewall. View the tutorial to see a big picture view of the feature.
1. Log in to the web interface of the firewall.
2. Select Object > Address Groups. ...
This example shows how to create two policies: one for all access to FTP servers and the other for access to web servers.

Step 4: Validate that the members of the dynamic address group are populated ...
Attributes Monitored on a VMware Source

When the firewall is configured to monitor VM information sources, the following metadata elements or attributes are monitored on each VMware source: UUID nam...
Set Up a VM-Series Firewall on an ESXi Server

The VM-Series firewall is distributed using the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of runn...
Supported Deployments on VMware vSphere Hypervisor (ESXi)

You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the vm-se...
System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM-Series firewall, see in...
Limitations

The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:

Dedicated CPU cores are recommended.
Only...
Install a VM-Series Firewall on VMware vSphere Hypervisor (ESXi)

To install a VM-Series firewall you must have access to the Open Virtualization Format (OVF) ...
Step 2: Before deploying the OVF template, set up virtual standard switch(es) and virtual distributed switch(es) that you will need for the VM-Series firewall. ...
Step 3: Deploy the OVF template. If you add additional interfaces (vmnics) to the VM-Series firewall, a reboot is required because new interfaces are detected d...
Perform Initial Configuration on the VM-Series on ESXi

Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall....
Troubleshoot ESXi Deployments

Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface co...
The vmdk extension is for the virtual disk image file. The virtual disk in the OVF is large for the VM-Series; this file is nearly 900MB and must be present on the computer running the vSphere c...
Alternatively, you can deploy the firewall and before you power on the VM-Series firewall, edit the memory and virtual CPU allocation directly on the ESXi host or the vCenter server.

Licensing is...
Will moving the VM-Series firewall cause license invalidation?

If you are manually moving the VM-Series firewall from one host to another, be sure to select the option, This guest was moved to p...
Set Up a VM-Series Firewall on the Citrix SDX Server

To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunctio...
About the VM-Series Firewall on the SDX Server

One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the netwo...
System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.

Requirements
Limitations

Requirements

You ca...
Limitations

The VM-Series firewall deployed on the Citrix SDX server has the following limitations:

Up to 24 total ports can be configured. One port will be used for management traf...
Supported Deployments—VM Series Firewall on Citrix SDX

In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. ...
VM-Series Firewall with L3 Interfaces

Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can...
For instructions, see Deploy the VM-Series Firewall Using L3 Interfaces.

VM-Series Firewall with L2 or Virtual Wire Interfaces

Deploying the VM-Series firewall u...
VM-Series Firewall Before the NetScaler VPX

In this scenario, the perimeter firewall is replaced with the VM-Series firewall that can be deployed using L3, L2, or...
Install the VM-Series Firewall on the SDX Server

A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to ins...
Provision the VM-Series Firewall on the SDX Server

Continue with Activate the License.

Provision the VM-Series Firewall on the SDX Server

Step 1: Access the SDX server....
Secure North-South Traffic with the VM-Series Firewall

This section includes information on deploying the NetScaler VPX and the VM-Series firewall on the Citrix s...
Topology After Adding the VM-Series Firewall

The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration ...
Set Up the VM-Series Firewall to Process North-South Traffic Using L3 Interfaces

Step 1: Install the VM-Series Firewall on the SDX Server. When provisioning the v...
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall. For an overview of the deploymen...
Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces

To secure north-south traffic, this scenario shows you how to deploy the VM-Series fir...
Step 2: Re-cable the server-side interface assigned to the NetScaler VPX. Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to p...
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall. For an overview of the deploymen...
Deploy the VM-Series Firewall Before the NetScaler VPX

The following example shows how to deploy the VM-Series firewall to process and secure traffic before it re...
Set Up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces

Step 1: Install the VM-Series Firewall on the SDX Server. On the SDX server, m...
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall. For an overview of the deploymen...
Secure East-West Traffic with the VM-Series Firewall

The following example shows you how to deploy your VM-Series firewall to secure the application or database ser...
It is then handed off to the second instance of the NetScaler VPX. This instance of the NetScaler VPX load balances the request across the servers in the corporate ...
Set Up a VM-Series NSX Edition Firewall

The VM-Series NSX Edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provi...
VM-Series NSX Edition Firewall Overview

NSX, VMware's networking and security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networ...
What Are the Components of the NSX Edition Solution?

Table: VMware Components and Table: Palo Alto Networks Components show the components of this joint Palo Alto Networks and VMware solutio...
Panorama 6.0

Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX Manager to deploy, license, and c...
vCenter Server

The vCenter server is required to manage the NSX Manager and the ESXi hosts in your datacenter. This joint solution requires that the ESXi hosts be organized into one or more ...
VM-Series NSX Edition

The VM-Series NSX Edition is the VM-Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process...
How Do the Components in the NSX Edition Solution Work Together?

To meet the security challenges in the software-defined datacenter, the NSX Manager, ESXi servers and Panorama work harmoniou...
3. Establish communication between the VM-Series firewall and Panorama: The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license ...
Integrated Policy Rules

The NSX Firewall and the VM-Series firewall work in concert to enforce security; each provides a set of traffic management rules that are applied to the traffic on ea...
Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the vm-se...
If, for example, you have a multi-tier architecture for web applications, on the NSX Manager you create three security groups for the webfrontend servers, application servers and the databas...
When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group to which that guest belongs. Then, Panorama pushes these real-time update...
What Are the Benefits of the NSX Edition Solution?

The NSX Edition of the VM-Series firewall is focused on securing east-west communication in the software-defined datacenter. Deploying the ...
VM-Series NSX Edition Firewall Deployment Checklist

To deploy the NSX Edition of the VM-Series firewall, use the following workflow:

Step 1: Set up the components—To deploy the ...
– (On the NSX Manager) Define the network introspection rules that redirect traffic to the VM-Series firewall.

Step 4: Monitor and maintain network security—Panorama provides a ...
Create a Device Group and Template on Panorama

To manage the VM-Series NSX Edition firewalls using Panorama, the firewalls must belong to a device group; adding a firewall to a templa...
Register the VM-Series Firewall as a Service on the NSX Manager

To automate the provisioning of the VM-Series NSX Edition firewall, enable communication between the n...
Step 4: Add the authorization code. The authorization code must be for the VM-Series model NSX bundle; for example, PAN-VM-1000-HV-PERP-BND-NSX. Verify that the order ...
Step 8: Verify the connection status on Panorama.
Displays the connection status between Panorama and the NSX Manager. When the connection is successful, the status dis...
Deploy the VM-Series Firewall

After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager.

Enable SpoofGuard
Def...
Enable SpoofGuard

The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter server. This means that any non-IP L2 traf...
Step 2: Select the IP protocols to allow.
1. Select Networking and Security > Firewall > Ethernet.
2. Add a rule that allows ARP, IPv4 and IPv6 traffic.
3. Add a rule that blocks everything else.

Ena...
Define an IP Address Pool

The IP pool is a range of (static) IP addresses that are reserved for establishing management access to the VM-Series firewalls. When the NSX Manager deploys a new VM-Series ...
Specify the Port Groups from Which to Redirect Traffic

So that the NSX Manager can redirect traffic to the VM-Series firewall, you must select the port groups or logical networks for which the vm-seri...
Prepare the ESXi Host for the VM-Series Firewall

Before you deploy the VM-Series firewall, each guest in the cluster must have the necessary NSX components that allow the NSX firewall and the vm-serie...
Deploy the Palo Alto Networks NGFW Service

Use the following steps to automate the process of deploying an instance of the VM-Series NSX Edition firewall on each ESXi host in the specified cluster.

De...
Step 6: Select the IP address pool (you defined in Define an IP Address Pool) from which to assign a management IP address for each firewall when it is being deployed.

Step 7: Review the configuration ...
Step 9: Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama.
1. Select Panorama > Managed Devices to verify that the firewalls are c...
Create Policies

The following topics describe how to create policies on the NSX Manager to redirect traffic to the VM-Series firewall and how to create policies on Panorama and apply them on the VM-Series firewall ...
Define Policies on the NSX Manager

In order for the VM-Series firewall to secure the traffic, you must complete the following tasks:

Set Up Security Groups on the NSX Manager
Define Policies to Redirect Traffic to ...
Define Policies to Redirect Traffic to the VM-Series Firewall

Step 1: Select Networking and Security > Service Composer > Security Policies, and click c...
Do not apply the traffic redirection policies that you created above unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series fi...
Apply Policies to the VM-Series Firewall

Now that you have created the security policies on the NSX Manager, the names of the security groups that are referenced in security policy will be available on Panorama. Yo...
Define Policy on Panorama

Step 1: Create dynamic address groups.
1. Log in to the Panorama web interface.
2. Select Object > Address Groups.
3. Select the device group that you created for managing the VM-Series ns...
Step 2: Create security policies.
1. Select Policies > Security.
2. Select the device group that you created for managing the VM-Series NSX Edition firewalls in Create a Device Group and Template on Panorama.
3. C...
Step 3: Apply the policies to the VM-Series NSX Edition firewalls.
1. Click Commit, and select commit type as Device Groups.
2. Select the device group, NSX Device Group in this example, and click OK.
3. Verify th...
Apply the Redirection Policies on the NSX Manager

The last step in the process of deploying the VM-Series NSX Edition firewall is to apply the redirection policies to the security groups on the NSX Manager.

Apply t...
Steer Traffic from Guests that are not Running VMware Tools

VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest runnin...