: What’s New in Panorama Plugin for VMware NSX 3.2.0
Focus
Focus

What’s New in Panorama Plugin for VMware NSX 3.2.0

Table of Contents

What’s New in Panorama Plugin for VMware NSX 3.2.0

The Panorama Plugin for VMware NSX 3.2.0 introduces the following features:

Device Certificate Support for the VM-Series Firewall on VMware NSX

The firewall requires a device certificate to retrieve the site license entitlements and securely access cloud services such as WildFire, AutoFocus, Strata Logging Service, etc. There are two methods for applying a site license to your VM-Series firewall—One-Time Password (OTP) and auto-registration PIN. Each password or PIN is generated on the Palo Alto Networks Customer Support website and unique to your Palo Alto Networks support account. For the VM-Series firewall on NSX-V and NSX-T, you can add the auto-registration PIN to your service definition configuration so the device certificate is fetched by the firewall upon initial boot up. Additionally, if you upgrade previously-deployed firewalls to PAN-OS version that supports device certificates, you can apply a device certificate to the those firewalls individually using a one-time password.
You must enable Device Certificates to deploy firewalls successfully when using one of the following VM-Series firewall for NSX OVFs—10.0.1 and later, 9.1.5 and later, 9.0.11 and later, or 8.1.17 and later. However, you are not required to enter a PIN ID and PIN Value. If you do not enable Device Certificates, firewall deployment will fail. You can add an OTP to your firewalls after deployment to have them fetch a device certificate. See the Panorama Admin Guide for more information about installing a device certificate on firewalls manage by Panorama. See the Compatibility Matrix for supported version information.

Security Policy Extension Between NSX-V and NSX-T

If you adding VMware NSX-T to your existing network that includes NSX-V or moving from NSX-V to NSX-T, you can now use your existing NSX-V security policy rules in NSX-T. The Panorama plugin for VMware NSX 3.2.0 allows you to use your existing NSX-V device groups and templates with your new NSX-T firewalls. When you create an NSX-T service definition, select an device group and a template stack used in an NSX-V service definition. After deploying the firewalls in NSX-T, you will see match criteria retrieved from NSX-T available for in dynamic address groups used in NSX-V. If you add NSX-T match criteria to an NSX-V dynamic address group, any security policy referencing the those dynamic address groups will also be applied to traffic matching the NSX-T or NSX-V criteria.