: Configure the Panorama Plugin for VMware vCenter
Focus
Focus

Configure the Panorama Plugin for VMware vCenter

Table of Contents

Configure the Panorama Plugin for VMware vCenter

After installing the plugin, complete the following procedure to establish a connection between Panorama and vCenter.
For the plugin to monitor virtual machines in your vCenter environment, you must have VMware tools installed. In vCenter, IP addresses of VMs are not externally retrievable; they are only visible through VMware tools. Additionally, native read-only permissions are required for the plugin to retrieve IP address information from vCenter.
  1. Log in to the Panorama web interface.
  2. Enable monitoring and set the monitoring interval.
    1. Select PanoramaVMware vCenterSetupGeneral.
    2. Select Enable Monitoring. This enables monitoring for all vCenters in your deployment.
    3. Set the Monitoring Interval in seconds. The monitoring interval is how often Panorama retrieves updated network information from vCenter. The default value is 60 seconds and has a range of 60 to 84600 seconds.
  3. Create a notify group.
    1. Select PanoramaVMware vCenterSetupNotify Groups.
    2. Click Add.
    3. Enter a descriptive Name for your notify group.
    4. Select the device groups in your vCenter deployment.
  4. Add vCenter information. The Panorama plugin for VMware vCenter supports up to 16 vCenter instances.
    1. Select PanoramaVMware vCenterSetupvCenter.
    2. Enter a descriptive Name for your vCenter.
    3. Enter the IP address or FQDN for vCenter and port, if applicable.
    4. Enter your vCenter username.
    5. Enter and confirm your vCenter password.
    6. Click Validate to verify that Panorama can connect to vCenter using the login credentials you entered.
    7. Click OK.
  5. Configure up to 16 Monitoring Definitions.
    A vCenter instance can be assigned to only one Monitoring Definition.
    1. Select PanoramaVMware vCenterMonitoring Definition and click Add.
    2. Enter a descriptive Name and optionally a description to identify the vCenter for which you use this definition.
    3. Select the vCenter and Notify Group.
    4. Click OK.
  6. Commit your changes.
  7. Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups.
    You must use the OR operator when using more than one tag in the match criteria; using the AND operator does not work.
    Some browser extensions may block API calls between Panorama and vCenter which prevents Panorama from receiving match criteria. If Panorama displays no match criteria and you are using browser extensions, disable the extensions and Synchronize Dynamic Objects to populate the tags available to Panorama.
  8. Verify that addresses in your VMs are added to DAGs.
    1. Select PanoramaObjectsAddress Groups.
    2. Click More in the Addresses column of a DAG.
      Panorama displays a list of IP addresses added to that DAG based on the match criteria you specified.
  9. Use dynamic address groups in policy.
    1. Select PoliciesSecurity.
    2. Click Add and enter a Name and a Description for the policy.
    3. Add the Source Zone to specify the zone from which the traffic originates.
    4. Add the Destination Zone at which the traffic is terminating.
    5. For the Destination Address, select the Dynamic address group you just created.
    6. Specify the action— Allow or Deny—for the traffic, and optionally attach the default security profiles to the rule.
    7. Repeats Steps 1 through 6 to create another policy rule.
    8. Click Commit.
  10. You can update the dynamic objects from vCenter at any time by synchronizing dynamic objects. Synchronizing dynamic objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the Dynamic Address Groups used in policy rules.
    1. Select PanoramaVMware vCenterMonitoring Definition.
    2. Click Synchronize Dynamic Objects.
  11. If a firewall in your vCenter deployment restarts or disconnects from Panorama, that firewall goes out of sync with the Panorama plugin for vCenter and no receive updates. After the firewall reconnects with Panorama, you must manually synchronize Panorama and the firewall.
    1. Log in to the Panorama CLI.
    2. Execute the following command.
      admin@Panorama> request plugins vmware_vcenter sync