VM-Series Firewall on VMware NSX-T
The VM-Series firewall on VMware NSX-T integrates the Palo Alto next-generation firewalls and Panorama with ESXi host servers to provide comprehensive visibility and safe application enablement of all north-south traffic in your NSX-T software-defined datacenter.
Where Can I Use This?
  • VMware NSX
What Do I Need?
  • VM-Series Firewall License (BYOL)
  • Panorama
  • VM-Series Plugin
  • Panorama plugin for NSX
The VM-Series firewall can be deployed on VMware NSX-T to secure North-South and East-West traffic.

VM-Series Firewall on VMware NSX-T (North-South)

You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center. Attach a VM-Series firewall to any tier-0 or tier-1 logical router to protect north-south traffic. You can deploy the VM-Series firewall as a standalone service instance or as two firewalls in a high-availability (HA) pair. Panorama manages the connection with NSX-T Manager and the VM-Series firewalls deployed in your NSX-T software-defined datacenter.
  • Tier-0 Insertion—Tier-0 insertion deploys a VM-Series firewall to a tier-0 logical router, which processes traffic between logical and physical networks. When you deploy the VM-Series firewall with tier-0 insertion, NSX-T Manager uses the deployment information you configured on Panorama to attach a firewall to a tier-0 logical router in virtual wire mode.
  • Tier-1 Insertion—Tier-1 insertion deploys a VM-Series firewall to a tier-1 logical router, which provides downlink connections to segments and an uplink connection to tier-0 logical routers. NSX-T Manager attaches VM-Series firewalls deployed with tier-1 insertion to a tier-1 logical router in virtual wire mode.
After deploying the firewall, you configure traffic redirection rules that send traffic to the VM-Series firewall when crossing a tier-0 or tier-1 router. Security policy rules that you configure on Panorama are pushed to managed VM-Series firewalls and then applied to traffic passing through the firewall.

VM-Series Firewall on NSX-T (East-West)

The VM-Series firewall on VMware NSX-T integrates the Palo Alto next-generation firewalls and Panorama with ESXi host servers to provide comprehensive visibility and safe application enablement of all East-West traffic in your NSX-T software-defined data center.
You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center to secure East-West traffic and perform micro-segmentation. To configure the VM-Series firewall to perform micro-segmentation, you can deploy the firewalls in a service cluster or per host.
  • Service Cluster—In a clustered deployment, all the VM-Series firewalls are installed on a single cluster. Traffic between VMs and groups is redirected to the VM-Series cluster for policy inspection and enforcement before continuing to its destination. When you configure a clustered deployment, you can specify a particular host within the cluster or select Any and let NSX-T choose a host.
  • Host-Based—In a per host deployment, an instance of the VM-Series firewall is installed on each host in the ESXi cluster. Traffic between guests on the same host is inspected by the local firewall, so it does not need to leave the host for inspection. Traffic leaving the host is inspected by the firewall before reaching the vSwitch.
After deploying the firewall, you configure traffic redirection rules that send traffic to the VM-Series firewall. Security policy rules that you configure on Panorama are pushed to managed VM-Series firewalls and then applied to traffic passing through the firewall.
To deploy your VM-Series firewall on VMware NSX-T, you have two workflow options—operations-centric and security-centric deployment.
  • Operations-centric—In an operations-centric workflow, some portions of the deployment procedure are performed on Panorama and the remainder are performed on NSX-T Manager. On Panorama, you must first enable communication between Panorama and NSX-T Manager, configure the service definition, and launch the VM-Series firewall. Then, you must log in to NSX-T Manager to continue the configuration by creating service chains and steering rules. To complete your VM-Series deployment, you must return to Panorama to create security policy.
  • Security-centric—In a security-centric workflow, you use Panorama as a single pane of glass to control and manage security operations. You complete the entire deployment workflow from Panorama. The Panorama plugin for VMware NSX pushes configuration to NSX-T Manager that creates the service chains and steering rules.
It is recommended that you select one deployment workflow for your VM-Series deployment on NSX-T for ease of use. However, the VM-Series firewall for VMware NSX-T does support the use of both workflows on the same plugin.
NSX-T Manager, vCenter, Panorama, and the VM-Series firewall work together to meet the security challenges of your NSX-T Data Center.
  1. Register the VM-Series firewall as a service—Use Panorama to connect to your VMware NSX-T Manager. Panorama communicates with NSX-T Manager using the NSX-T API and establishes bi-directional communication. On Panorama, you configure the Service Manager by entering the IP address, username, and password of NSX-T Manager to initiate communication.
    After establishing communication with NSX-T Manager, configure the service definition. The service definition includes the location of the VM-Series firewall base image, the authorization code needed to license the VM-Series firewall, and the device groups and template stack to which the firewall will belong.
    Additionally, NSX-T Manager uses this connection to send updates about changes in the NSX-T environment to Panorama.
  2. Deploy the VM-Series firewall per host or in a service cluster—NSX-T Manager uses the information pushed from Panorama in the service definition to deploy the VM-Series firewall. Choose where the VM-Series firewall will be deployed (in a service cluster or on each ESXi host) and how NSX-T provides a management IP address to the VM-Series firewall (DHCP or static IP). When the firewall boots up, NSX-T Manager’s API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.
  3. The VM-Series connects to Panorama—The VM-Series firewall then connects to Panorama to obtain its license. Panorama gets the license from the Palo Alto Networks update server and sends it to the firewall. When the firewall gets its license, it reboots and comes back up with a serial number.
    If Panorama does not have internet access, it cannot retrieve licenses and push them to the firewall, so you have to manually license each firewall individually. If the VM-Series firewall does not have internet access, you must manually add the serial numbers to Panorama to register them as managed devices, so Panorama can push template stacks, device groups, and other configuration information. For more information, see Activate the License for the VM-Series Firewall for VMware NSX.
  4. Panorama sends security policy to the VM-Series firewall—When the firewall reconnects to Panorama, it is added to the device group and template stack defined in the service definition, and Panorama pushes the appropriate security policy to that firewall. The firewall is now ready to secure traffic in your NSX-T data center.
  5. Create network introspection rules to redirect traffic to the VM-Series firewall—On the NSX-T Manager, create a service chain and network introspection rules that redirect traffic in your NSX-T data center.
  6. Send real-time updates from NSX-T Manager—NSX-T Manager sends real-time updates about changes in the virtual environment to Panorama. These updates include changes in group membership and in the IP addresses of virtual machines in groups whose traffic is redirected to the VM-Series firewall.
  7. Panorama sends dynamic updates—As Panorama receives updates from NSX-T Manager, it sends those updates to its managed VM-Series firewalls. Panorama places virtual machines into dynamic address groups based on criteria that you define and pushes dynamic address group membership information to the firewalls. This allows the firewalls to apply the correct security policy to traffic flowing to and from virtual machines in your NSX-T data center, without a policy commit for every change in the virtual environment.
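The following is an added example, not code from Panorama, the NSX plugin, or NSX-T, that simulates steps 6 and 7: NSX-T group membership arrives as IP-to-group updates, dynamic address groups (DAGs) are resolved from match expressions over those groups, and a DAG-keyed rule set follows a membership change with no policy push. The tag names, IP addresses, rule set, and the match-expression grammar (quoted tags joined with and/or/not and parentheses, in the spirit of PAN-OS DAG match criteria) are assumptions made for illustration; on a real deployment the plugin generates the tags and you define the match criteria on Panorama.

```python
"""Added illustrative simulation of NSX-T-driven dynamic address groups.
Not Panorama, NSX plugin or NSX-T code; all names and data are assumed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of what the plugin learns from NSX-T Manager:
# NSX-T group name -> member VM IP addresses.
NSX_GROUP_MEMBERSHIP: Dict[str, Set[str]] = {
    "web-tier": {"10.1.1.10", "10.1.1.11"},
    "db-tier": {"10.1.2.20"},
    "pci-scope": {"10.1.2.20", "10.1.1.11"},
}

# Constructed policy: (rule name, source DAG match, destination DAG match, action).
# First match wins; anything unmatched is denied, as on the firewall.
RULES: List[Tuple[str, str, str, str]] = [
    ("pci-isolation", "not 'pci-scope'", "'pci-scope'", "deny"),
    ("web-to-db", "'web-tier'", "'db-tier'", "allow"),
]

_TOKEN = re.compile(r"\s*('[^']*'|\(|\)|(?:and|or|not)\b)", re.I)


def _tokenize(expr: str) -> List[str]:
    """Split a match expression into quoted tags, parentheses and keywords."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unparseable match expression near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Matcher:
    """Recursive-descent evaluator with precedence not > and > or."""

    def __init__(self, tokens: List[str], tags: Set[str]):
        self.tokens, self.tags, self.i = tokens, tags, 0

    def _peek(self) -> str:
        return self.tokens[self.i].lower() if self.i < len(self.tokens) else ""

    def _take(self) -> str:
        if self.i >= len(self.tokens):
            raise ValueError("unexpected end of match expression")
        self.i += 1
        return self.tokens[self.i - 1]

    def evaluate(self) -> bool:
        result = self._or()
        if self.i != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.i]!r}")
        return result

    def _or(self) -> bool:
        value = self._and()
        while self._peek() == "or":
            self._take()
            rhs = self._and()  # always consume the right side, even if already true
            value = value or rhs
        return value

    def _and(self) -> bool:
        value = self._not()
        while self._peek() == "and":
            self._take()
            rhs = self._not()
            value = value and rhs
        return value

    def _not(self) -> bool:
        if self._peek() == "not":
            self._take()
            return not self._not()
        return self._atom()

    def _atom(self) -> bool:
        tok = self._take()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("missing ')' in match expression")
            return value
        if len(tok) >= 2 and tok.startswith("'") and tok.endswith("'"):
            return tok[1:-1] in self.tags  # a tag matches if this IP carries it
        raise ValueError(f"unexpected token {tok!r}")


def _ip_tags(membership: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert group -> IPs into IP -> tags; an IP in several groups carries several tags."""
    tags: Dict[str, Set[str]] = {}
    for group, ips in membership.items():
        for ip in ips:
            tags.setdefault(ip, set()).add(group)
    return tags


def dag_members(match_expr: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Resolve a DAG match expression to the IPs that satisfy it.
    Only IPs registered in at least one group are candidates, so 'not' never
    admits an address NSX-T has not reported."""
    tokens = _tokenize(match_expr)
    return {ip for ip, tags in _ip_tags(membership).items() if _Matcher(tokens, tags).evaluate()}


def apply_nsx_update(membership: Dict[str, Set[str]], group: str, ip: str, added: bool) -> Dict[str, Set[str]]:
    """Return a new membership map reflecting one NSX-T group change event (original untouched)."""
    updated = {g: set(ips) for g, ips in membership.items()}
    if added:
        updated.setdefault(group, set()).add(ip)
    else:
        updated.get(group, set()).discard(ip)
    return updated


def evaluate_policy(src_ip: str, dst_ip: str, rules, membership) -> Tuple[str, str]:
    """First-match evaluation of DAG-keyed rules; returns (rule name, action)."""
    for name, src_expr, dst_expr, action in rules:
        if src_ip in dag_members(src_expr, membership) and dst_ip in dag_members(dst_expr, membership):
            return name, action
    return "default", "deny"


if __name__ == "__main__":
    flow = ("10.1.1.10", "10.1.2.20")
    print("before NSX-T update:", evaluate_policy(*flow, RULES, NSX_GROUP_MEMBERSHIP))
    moved = apply_nsx_update(NSX_GROUP_MEMBERSHIP, "pci-scope", "10.1.1.10", True)
    print("after NSX-T update: ", evaluate_policy(*flow, RULES, moved))
```

The point the simulation makes is that the rule set never changes: moving 10.1.1.10 into the pci-scope group on NSX-T flips the flow from the deny rule to the allow rule purely through DAG membership, which is also why group membership in NSX-T deserves the same change control as the firewall policy itself. On a managed VM-Series firewall you can confirm what Panorama actually pushed with the PAN-OS CLI commands `show object dynamic-address-group all` and `show object registered-ip all`.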