VM-Series Firewall for NSX-V Deployment Checklist
Table of Contents
9.1 (EoL)
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
-
- Activate Credits
- Transfer Credits
- Create a Deployment Profile
- Manage a Deployment Profile
- Provision Panorama
- Migrate Panorama to a Software NGFW License
- Renew Your Software NGFW Credits
- Amend and Extend a Credit Pool
- Deactivate License (Software NGFW Credits)
- Delicense Ungracefully Terminated Firewalls
- Create and Apply a Subscription-Only Auth Code
- Migrate to a Flexible VM-Series License
-
- Generate Your OAuth Client Credentials
- Manage Deployment Profiles Using the Licensing API
- Create a Deployment Profile Using the Licensing API
- Update a Deployment Profile Using the Licensing API
- Get Serial Numbers Associated with an Authcode Using the API
- Deactivate a VM-Series Firewall Using the API
- Use Panorama-Based Software Firewall License Management
- What Happens When Licenses Expire?
- Install a Device Certificate on the VM-Series Firewall
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
-
-
- VM-Series Firewall for NSX-V Deployment Checklist
- Install the VMware NSX Plugin
- Apply Security Policies to the VM-Series Firewall
- Steer Traffic from Guests that are not Running VMware Tools
- Add a New Host to Your NSX-V Deployment
- Dynamically Quarantine Infected Guests
- Migrate Operations-Centric Configuration to Security-Centric Configuration
- Use Case: Shared Compute Infrastructure and Shared Security Policies
- Use Case: Shared Security Policies on Dedicated Compute Infrastructure
- Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
- Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
- VM-Series Firewall Startup and Health Logs on AWS
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
-
- What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
- How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?
- Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)
- Customize the Firewall Template Before Launch (v2.0 and v2.1)
- Launch the VM-Series Auto Scaling Template for AWS (v2.0)
- SQS Messaging Between the Application Template and Firewall Template
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
- Modify Administrative Account and Update Stack (v2.0)
-
- Launch the Firewall Template (v2.1)
- Launch the Application Template (v2.1)
- Create a Custom Amazon Machine Image (v2.1)
- VM-Series Auto Scaling Template Cleanup (v2.1)
- SQS Messaging Between the Application Template and Firewall Template (v2.1)
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)
- Modify Administrative Account (v2.1)
- Change Scaling Parameters and CloudWatch Metrics (v2.1)
-
-
- Enable the Use of a SCSI Controller
- Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Deploy the VM-Series Firewall on Azure Stack
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on GCP
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Locate VM-Series Firewall Images in the GCP Marketplace
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
End-of-Life (EoL)
VM-Series Firewall for NSX-V Deployment Checklist
To deploy the VM-Series firewall for NSX-V, use the
following workflow:
- Step 1: Set up the Components—To deploy the VM-Series firewall for NSX-V, set up the following components (see What are the Components of the VM-Series for NSX-V Solution?):
- Set up the vCenter server, install and register the NSX-V Manager with the vCenter server.If you have not already set up the virtual switch(es) and grouped the ESXi hosts in to clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.Unless you Enable Large Receive Offload, do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series firewall for NSX-V to discard packets.
- Upgrade Panorama. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. See Migrate Operations-Centric Configuration to Security-Centric Configuration if you choose to migrate your Operations-Centric configuration to a Security-Centric configuration format.
- Configure an SSL/TLS Service Profile. If you are running NSX-V Manager 6.2.3 or earlier, you must configure an SSL/TLS Service profile that allows TLSv1.0 and apply it to the Panorama management interface. If you are running NSX-V Manager 6.2.4 or later, an SSL/TLS Service profile is not required.
- Install a License Deactivation API Key. Deleting the Palo Alto Networks Service Deployment on NSX-V Manager automatically triggers license deactivation. A license deactivation API key is required to successfully deactivate the VM-Series license.
- Download and save the ovf template for the VM-Series firewall for NSX-V on a web server. The ovf template must match your VM-Series model. If you are using the VM-200, select the VM-100 ovf. If using the VM-1000-HV, select the VM-300 ovf.The NSX-V Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama.Give the ova filename a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova allows you to overwrite the ova each time a newer version becomes available.
- Register the capacity auth-code for the VM-Series firewall for NSX-V with your support account on the Support Portal. For details, see Upgrade the VM-Series Firewall.
- Step 2: Register—Configure Panorama to Register the VM-Series Firewall as a Service on the NSX-V Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX-V Manager. The connection between Panorama and the NSX-V Manager is also required for licensing and configuring the firewall.
- (On Panorama) Create a service manager to enable communication between Panorama and NSX-V Manager.
- (On Panorama) Create the service definition. If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see changes to default behavior.
- Step 3: Deploy the VM-Series Firewall—Before you can deploy the VM-Series firewall in NSX-V, each host in the cluster must have the necessary NSX-V components required to deploy the firewall.
- (On NSX-V Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall.The NSX-V Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools. This is not required if you are running NSX-V Manager 6.2.4 or later.
- (On NSX-V Manager) Prepare the ESXi host for the VM-Series firewall.
- (On NSX-V Manager) Deploy the VM-Series firewall. The NSX-V Manager automatically deploys an instance of the VM-Series firewall on each ESXi host in the cluster.
- (On NSX-V Manager) Add VMs to the relevant security groups.
- (On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls. This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.
- Step 4: Create Security Groups and Steering Rules—How you choose to deploy the security groups and steering rules depends on whether your deployment focus is Security Centric or Operations Centric.In a Security Centric deployment, your security administrator creates the security group and steering rules in Panorama. You might start with an existing set of security policies and a set of named source and destination groups. Any new dynamically deployed applications fit into predefined security policies defined on Panorama. Panorama pushes these named groups to NSX-V Manager, where the virtualization administrator picks up the group names and defines which VMs go into them.In an Operations Centric deployment, security groups are defined by a virtualization administrator based upon the need to classify and categorize VM workloads. In this case, security groups are defined and populated in the NSX-V Manager. Security groups created in NSX-V Manager must be associated with dynamic address groups on Panorama, which is completed after the firewalls are deployed. In this case, NSX-V base functionality is deployed first and the VM-Series firewalls are added later.You must decide whether a Security Centric or an Operations Centric deployment is right for your NSX-V environment before continuing. This document describes the procedure for a Security Centric deployment.Security Centric—Create the service definition(s) that specify the configuration for the VM-Series firewall, create dynamic address groups, and create policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in a Security Centric Deployment.
- (On Panorama) Set up the dynamic address groups that map to security groups on NSX-V Manager. A security group assembles the specified guests/applications so that you can apply policy to the group.
- (On Panorama) Create the security policy rules to redirect traffic to the Palo Alto Networks service profile.
Operations Centric—On the NSX-V Manager, create security groups and policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in an Operations Centric Deployment.- (On NSX-V Manager) Set up the security groups. A security group assembles the specified guests/applications so that you can apply policy to the group.
- (On NSX-V Manager) Create the NSX-V Firewall policies to redirect traffic to the Palo Alto Networks service profile.
- Step 5: Monitor and Maintain Network Security—Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama—the Application Command Center (ACC), logs, and the report generation capabilities—you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator’s Guide for more information.
The following additional tasks are not required parts of the
main VM-Series for NSX-V deployment procedure and should only be completed
if and when necessary for your deployment.
- Upgrade the Software Version—When upgrading the VM-Series firewalls for NSX-V, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN-OS Software Version (VM-Series for NSX).
- For upgrading the PAN-OS version on the firewall, do not modify the VM-Series OVA URL in PanoramaVMware Service Manager.
- Do not use the VMware snapshots functionality on the VM-Series firewall for NSX-V. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware’s best practice recommendation with using snapshots. If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (DeviceSet upOperations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.
- Migrate from Operations-Centric configuration to Security-Centric configuration—If you upgrade your existing Operations-Centric VM-Series firewall for NSX-V deployment and plan to use the Security Centric workflow going forward, Migrate Operations-Centric Configuration to Security-Centric Configuration.
If you need to reinstall or remove the VM-Series from your NSX-V
deployment, see the How to Remove VM-Series Integration
from VMware NSX-V knowledge base article.