VM-Series Firewall on NSX-T (East-West) Integration

End-of-Life (EoL)

NSX-T Manager, vCenter, Panorama, and the VM-Series firewall work together to meet the security challenges of your NSX-T Data Center.
  1. Register the VM-Series firewall as a service—Use Panorama to connect to your VMware NSX-T manager. Panorama communicates with NSX-T Manager using the NSX-T API and establishes bi-directional communication. On Panorama, you configure the Service Manager by entering the IP address, username, and password of NSX-T Manager to initiate communication.
    After establishing communication with NSX-T Manager, configure the service definition. The service definition includes the location of the VM-Series firewall base image, the authorization code needed to license the VM-Series firewall, and the device groups and template stack to which the firewall will belong.
    Additionally, NSX-T Manager uses this connection to send Panorama updates on changes in the NSX-T environment.
  2. Deploy the VM-Series firewall per host or in a service cluster—NSX-T Manager uses the information pushed from Panorama in the service definition to deploy the VM-Series firewall. Choose where the VM-Series firewall will be deployed (in a service cluster or on each ESXi host) and how NSX-T provides a management IP address to the VM-Series firewall (DHCP or static IP). When the firewall boots up, NSX-T Manager’s API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.
  3. The VM-Series connects to Panorama—The VM-Series firewall then connects to Panorama to obtain its license. Panorama gets the license from the Palo Alto Networks update server and sends it to the firewall. When the firewall gets its license, it reboots and comes back up with a serial number.
    If Panorama does not have internet access, it cannot retrieve licenses and push them to the firewall, so you have to manually license each firewall individually. If the VM-Series firewall does not have internet access, you must manually add the serial numbers to Panorama to register them as managed devices, so Panorama can push template stacks, device groups, and other configuration information. For more information, see Activate the License for the VM-Series Firewall for VMware NSX.
  4. Panorama sends security policy to the VM-Series firewall—When the firewall reconnects to Panorama, it is added to the device group and template stack defined in the service definition, and Panorama pushes the appropriate security policy to that firewall. The firewall is now ready to secure traffic in your NSX-T data center.
  5. Create network introspection rules to redirect traffic to the VM-Series firewall—On the NSX-T Manager, create a service chain and network introspection rules that redirect traffic in your NSX-T data center.
  6. Send real-time updates from NSX-T Manager—The NSX-T Manager sends real-time updates about changes in the virtual environment to Panorama. These updates include changes in group membership and IP addresses of virtual machines in groups that send traffic to the VM-Series firewall.
  7. Panorama sends dynamic updates—As Panorama receives updates from NSX-T Manager, it sends those updates to its managed VM-Series firewalls. Panorama places virtual machines into dynamic address groups based on criteria that you determine and pushes dynamic address group membership information to the firewalls. This allows firewalls to apply the correct security policy to traffic flowing to and from virtual machines in your NSX-T data center.
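As an added illustration of steps 6 and 7 (not part of the original page and not Palo Alto Networks code), the following Python model shows how tag-based dynamic address group membership tracks NSX-T updates, so a security rule written against group names keeps matching the right VMs as they move or are re-addressed. The update records, tag names and match predicates are constructed assumptions, not the NSX-T API schema or Panorama's match-criteria syntax.

```python
# Constructed sample of the kind of update NSX-T Manager pushes to Panorama
# (step 6): each VM's current IP and the NSX groups/tags it belongs to.
# Field names are illustrative, not the NSX-T API schema.
NSX_UPDATES = [
    {"vm": "web-01", "ip": "10.1.1.11", "tags": {"nsx-web", "nsx-prod"}},
    {"vm": "web-02", "ip": "10.1.1.12", "tags": {"nsx-web", "nsx-dev"}},
    {"vm": "db-01",  "ip": "10.1.2.21", "tags": {"nsx-db", "nsx-prod"}},
]

# Assumed dynamic address group (DAG) match criteria, written as predicates
# over a VM's tag set; Panorama's real syntax is tag-based but differs.
DAGS = {
    "dag-prod-web": lambda tags: {"nsx-web", "nsx-prod"} <= tags,
    "dag-prod-db":  lambda tags: {"nsx-db", "nsx-prod"} <= tags,
}

# A rule that refers only to DAG names, so it never needs editing when
# VM membership or addressing changes.
RULE_WEB_TO_DB = {"from": "dag-prod-web", "to": "dag-prod-db", "action": "allow"}


def vm_inventory(updates):
    """Fold the update stream into Panorama's current view of each VM.
    A later update for the same VM replaces its earlier IP and tags."""
    return {u["vm"]: u for u in updates}


def resolve_dags(updates, dags=DAGS):
    """Step 7: compute the IP members of every DAG from the current inventory."""
    inv = vm_inventory(updates)
    return {name: sorted(u["ip"] for u in inv.values() if match(u["tags"]))
            for name, match in dags.items()}


def rule_matches(src_ip, dst_ip, groups, rule=RULE_WEB_TO_DB):
    """Evaluate one DAG-based rule against a flow using resolved membership."""
    return src_ip in groups[rule["from"]] and dst_ip in groups[rule["to"]]


if __name__ == "__main__":
    groups = resolve_dags(NSX_UPDATES)
    print(groups)
    # Constructed churn: web-02 is promoted to prod and db-01 is re-addressed;
    # the rule text is unchanged but its effective membership follows the VMs.
    churn = NSX_UPDATES + [
        {"vm": "web-02", "ip": "10.1.1.12", "tags": {"nsx-web", "nsx-prod"}},
        {"vm": "db-01",  "ip": "10.1.2.22", "tags": {"nsx-db", "nsx-prod"}},
    ]
    print(resolve_dags(churn), rule_matches("10.1.1.12", "10.1.2.22", resolve_dags(churn)))
```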