Deployment Guide
Version 8.0

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactsupport

About this Guide
This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to deploy the VM-Series firewall.
For more information, refer to the following sources:
• For information on the additional capabilities of and instructions for configuring the features on your firewall, refer to https://www.paloaltonetworks.com/documentation.
• For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
• For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
• For the most current PAN-OS 8.0 release notes, go to https://www.paloaltonetworks.com/documentation/80/panos/panosreleasenotes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: June 12, 2017
2   VM-Series 8.0 Deployment Guide   Palo Alto Networks, Inc.
Table of Contents
About the VM-Series Firewall .......... 9
  VM-Series Models .......... 10
    VM-Series System Requirements .......... 10
    CPU Oversubscription .......... 11
  VM-Series Deployments .......... 13
  VM-Series in High Availability .......... 15
  Upgrade the VM-Series Firewall .......... 16
    Upgrade the PAN-OS Software Version (Standalone Version) .......... 16
    Upgrade the PAN-OS Software Version (VM-Series for NSX) .......... 17
    Upgrade the VM-Series Model .......... 19
    Upgrade the VM-Series Model in an HA Pair .......... 21
    Upgrade Panorama 7.1 to Panorama 8.0 .......... 22
  Enable Jumbo Frames on the VM-Series Firewall .......... 23
  Hypervisor Assigned MAC Addresses .......... 24
License the VM-Series Firewall .......... 25
  License Types: VM-Series Firewalls .......... 26
    VM-Series Firewall for NSX Licenses .......... 26
    VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses .......... 26
  Serial Number and CPU ID Format for the VM-Series Firewall .......... 28
  Create a Support Account .......... 29
  Register the VM-Series Firewall .......... 30
    Register the VM-Series Firewall (with auth code) .......... 30
    Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code) .......... 31
  Switch Between the BYOL and the PAYG Licenses .......... 33
  Activate the License .......... 35
    Activate the License for the VM-Series Firewall (Standalone Version) .......... 35
    Activate the License for the VM-Series Firewall for VMware NSX .......... 36
  Deactivate the License(s) .......... 39
    Install a License Deactivation API Key .......... 39
    Deactivate a Feature License or Subscription Using the CLI .......... 40
    Deactivate VM .......... 41
  Licensing API .......... 45
    Manage the Licensing API Key .......... 45
    Use the Licensing API .......... 46
    Licensing API Error Codes .......... 49
  Licenses for Cloud Security Service Providers (CSSPs) .......... 50
    Get the Auth Codes for CSSP License Packages .......... 50
    Register the VM-Series Firewall with a CSSP Auth Code .......... 51
    Add End-Customer Information for a Registered VM-Series Firewall .......... 52
Set Up a VM-Series Firewall on an ESXi Server .......... 55
  Supported Deployments on VMware vSphere Hypervisor (ESXi) .......... 56
  VM-Series on ESXi System Requirements and Limitations .......... 57
    Requirements .......... 57
    Limitations .......... 58
  Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi) .......... 59
    Plan the Interfaces for the VM-Series for ESXi .......... 59
    Provision the VM-Series Firewall on an ESXi Server .......... 60
    Perform Initial Configuration on the VM-Series on ESXi .......... 63
    Add Additional Disk Space to the VM-Series Firewall .......... 64
    Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air .......... 65
  Troubleshoot ESXi Deployments .......... 68
    Basic Troubleshooting .......... 68
    Installation Issues .......... 68
    Licensing Issues .......... 70
    Connectivity Issues .......... 71
  Performance Tuning of the VM-Series for ESXi .......... 73
    Install the NIC Driver on ESXi .......... 73
    Enable DPDK on ESXi .......... 75
    Enable SR-IOV on ESXi .......... 75
    Enable Multi-Queue Support for NICs on ESXi .......... 76
Set Up the VM-Series Firewall on vCloud Air .......... 77
  About the VM-Series Firewall on vCloud Air .......... 78
  Deployments Supported on vCloud Air .......... 79
  Deploy the VM-Series Firewall on vCloud Air .......... 80
Set Up a VM-Series Firewall on the Citrix SDX Server .......... 87
  About the VM-Series Firewall on the SDX Server .......... 88
  System Requirements and Limitations .......... 89
    Requirements .......... 89
    Limitations .......... 89
  Supported Deployments: VM-Series Firewall on Citrix SDX .......... 91
    Scenario 1: Secure North-South Traffic .......... 91
    Scenario 2: Secure East-West Traffic (VM-Series Firewall on Citrix SDX) .......... 94
  Install the VM-Series Firewall on the SDX Server .......... 95
    Upload the Image to the SDX Server .......... 95
    Provision the VM-Series Firewall on the SDX Server .......... 95
  Secure North-South Traffic with the VM-Series Firewall .......... 97
    Deploy the VM-Series Firewall Using L3 Interfaces .......... 97
    Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces .......... 101
    Deploy the VM-Series Firewall Before the NetScaler VPX .......... 103
  Secure East-West Traffic with the VM-Series Firewall .......... 106
Set Up the VM-Series Firewall on VMware NSX .......... 109
  VM-Series for NSX Firewall Overview .......... 110
    What are the Components of the VM-Series for NSX Solution? .......... 110
    How Do the Components in the VM-Series Firewall for NSX Solution Work Together? .......... 113
    What are the Benefits of the VM-Series firewall for NSX Solution? .......... 118
    What is Multi-Tenant Support on the VM-Series Firewall for NSX? .......... 119
  VM-Series Firewall for NSX Deployment Checklist .......... 121
  Install the VMware NSX Plugin .......... 123
  Register the VM-Series Firewall as a Service on the NSX Manager .......... 124
    Enable Communication Between the NSX Manager and Panorama .......... 124
    Create Template(s) and Device Group(s) on Panorama .......... 126
    Create the Service Definitions on Panorama .......... 127
  Create Steering Rules .......... 133
  Deploy the VM-Series Firewall .......... 137
    Enable SpoofGuard .......... 137
    Define an IP Address Pool .......... 138
    Prepare the ESXi Host for the VM-Series Firewall .......... 139
    Deploy the Palo Alto Networks NGFW Service .......... 140
    Apply Policies to the VM-Series Firewall .......... 145
    Enable Large Receive Offload .......... 148
  Steer Traffic from Guests that are not Running VMware Tools .......... 150
  Dynamically Quarantine Infected Guests .......... 151
  Use Case: Shared Compute Infrastructure and Shared Security Policies .......... 156
  Use Case: Shared Security Policies on Dedicated Compute Infrastructure .......... 161
  Dynamic Address Groups: Information Relay from NSX Manager to Panorama .......... 168
Set Up the VM-Series Firewall on AWS .......... 175
  About the VM-Series Firewall on AWS .......... 176
    VM-Series Firewall on AWS GovCloud .......... 176
    AWS Terminology .......... 176
    Management Interface Mapping for Use with Amazon ELB .......... 178
  Deployments Supported on AWS .......... 180
  Deploy the VM-Series Firewall on AWS .......... 183
    Obtain the AMI .......... 183
    Review System Requirements and Limitations for VM-Series on AWS .......... 185
    Planning Worksheet for the VM-Series in the AWS VPC .......... 185
    Launch the VM-Series Firewall on AWS .......... 187
    Use the VM-Series Firewall CLI to Swap the Management Interface .......... 194
    Enable CloudWatch Monitoring on the VM-Series Firewall .......... 195
  High Availability for VM-Series Firewall on AWS .......... 198
    Overview of HA on AWS .......... 198
    IAM Roles for HA .......... 199
    HA Links .......... 200
    Heartbeat Polling and Hello Messages .......... 200
    Device Priority and Preemption .......... 201
    HA Timers .......... 201
    Configure Active/Passive HA on AWS .......... 202
  Use Case: Secure the EC2 Instances in the AWS Cloud .......... 207
  Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC .......... 219
  Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS .......... 223
    Solution Overview: Secure Highly Available Internet-Facing Applications .......... 223
    Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS .......... 225
    Set Up the VPC .......... 226
    Deploy the VM-Series Firewalls in the VPC .......... 228
    Launch the VM-Series Firewalls and the NetScaler VPX .......... 229
    Configure the VM-Series Firewall for Securing Outbound Access from the VPC .......... 232
    Configure the Firewalls that Secure the Web Farm .......... 234
    Configure the Firewall that Secures the RDS .......... 236
    Deploy the Web Farm in the VPC .......... 237
    Set Up the Amazon Relational Database Service (RDS) .......... 239
    Configure the Citrix NetScaler VPX .......... 241
    Set up Amazon Route 53 .......... 243
    Verify Traffic Enforcement .......... 244
    Port Translation for Service Objects .......... 245
  Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS .......... 247
    Components of the GlobalProtect Infrastructure .......... 248
    Deploy GlobalProtect Gateways on AWS .......... 248
  Auto Scale VM-Series Firewalls with the Amazon ELB .......... 250
    What Components Does the VM-Series Auto Scaling Template for AWS Deploy? .......... 251
    How Does the VM-Series Auto Scaling Template for AWS Enable Dynamic Scaling? .......... 253
    Plan the VM-Series Auto Scaling Template for AWS .......... 254
    Launch the VM-Series Auto Scaling Template for AWS .......... 261
    Customize the Bootstrap.xml File .......... 275
    Use the GitHub Bootstrap Files as Seed .......... 275
    Create a new Bootstrap File from Scratch .......... 276
    NAT Policy Rule and Address Objects in the Auto Scaling Template .......... 278
    Stack Update with VM-Series Auto Scaling Template for AWS (v1.2) .......... 279
    Modify Administrative Account and Update Stack .......... 283
    Troubleshoot the VM-Series Auto Scaling Template for AWS .......... 283
  List of Attributes Monitored on the AWS VPC .......... 290
    IAM Permissions Required for Monitoring the AWS VPC .......... 290
    Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall .......... 306
    Use an ISO File to Deploy the VM-Series Firewall .......... 307
  Performance Tuning of the VM-Series for KVM .......... 311
    Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS .......... 311
    Enable Open vSwitch on KVM .......... 311
    Integrate Open vSwitch with DPDK .......... 312
    Enable SR-IOV on KVM .......... 316
    Enable Multi-Queue Support for NICs on KVM .......... 317
    Isolate CPU Resources in a NUMA Node on KVM .......... 317
Set Up the VM-Series Firewall on Hyper-V .......... 321
  Supported Deployments on Hyper-V .......... 322
    Secure Traffic on a Single Hyper-V Host .......... 322
    Secure Traffic Across Multiple Hyper-V Hosts .......... 322
  System Requirements on Hyper-V .......... 324
    Linux Integration Services .......... 324
  Install the VM-Series Firewall on Hyper-V .......... 325
    Before You Begin .......... 325
    Performance Tuning of the VM-Series Firewall on Hyper-V .......... 326
    Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager .......... 326
    Provision the VM-Series Firewall on a Hyper-V host with PowerShell .......... 328
    Perform Initial Configuration on the VM-Series Firewall .......... 329
Set up the VM-Series Firewall on Azure .......... 333
  About the VM-Series Firewall on Azure .......... 334
    Azure Networking and VM-Series .......... 334
    VM-Series Firewall Templates on Azure .......... 335
    Minimum System Requirements for the VM-Series on Azure .......... 335
  Deployments Supported on Azure .......... 337
  Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) .......... 338
  Use the ARM Template to Deploy the VM-Series Firewall .......... 344
  Deploy the VM-Series and Azure Application Gateway Template .......... 348
    VM-Series and Azure Application Gateway Template .......... 349
    Start Using the VM-Series & Azure Application Gateway Template .......... 350
    Deploy the Template to Azure .......... 350
    VM-Series and Azure Application Gateway Template Parameters .......... 354
    Sample Configuration File .......... 355
    Adapt the Template .......... 356
Set Up the VM-Series Firewall on OpenStack .......... 357
  VM-Series Firewall for OpenStack .......... 358
    Components of the VM-Series for OpenStack Solution .......... 358
    Orchestration with the Heat Template .......... 359
  VM-Series Firewall on OpenStack Deployment Checklist .......... 362
  Install the VM-Series Firewall in OpenStack .......... 363
Bootstrap the VM-Series Firewall .......... 367
  VM-Series Firewall Bootstrap Workflow .......... 368
  Bootstrap Package .......... 369
  Bootstrap Configuration Files .......... 371
  Generate the VM Auth Key on Panorama .......... 372
  Create the init-cfg.txt File .......... 374
  Create the bootstrap.xml File .......... 377
  Prepare the Licenses for Bootstrapping .......... 378
  Prepare the Bootstrap Package .......... 379
  Bootstrap the VM-Series Firewall on ESXi .......... 380
    Bootstrap the VM-Series Firewall on ESXi with an ISO .......... 380
    Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device .......... 380
  Bootstrap the VM-Series Firewall on Hyper-V .......... 382
    Bootstrap the VM-Series Firewall on Hyper-V with an ISO .......... 382
    Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device .......... 382
  Bootstrap the VM-Series Firewall on KVM .......... 384
    Bootstrap the VM-Series Firewall on KVM with an ISO .......... 384
    Bootstrap the VM-Series Firewall on KVM With a Block Storage Device .......... 385
    Bootstrap the VM-Series Firewall on KVM in OpenStack .......... 385
  Bootstrap the VM-Series Firewall in AWS .......... 389
  Bootstrap the VM-Series Firewall in Azure .......... 391
  Verify Bootstrap Completion .......... 393
  Bootstrap Errors .......... 394
About the VM-Series Firewall
The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south traffic.
• VM-Series Models
• VM-Series Deployments
• VM-Series in High Availability
• Upgrade the VM-Series Firewall
• Enable Jumbo Frames on the VM-Series Firewall
• Hypervisor Assigned MAC Addresses
VM-Series Models
The VM-Series firewall is available in the following models: VM-50, VM-100, VM-200, VM-300, VM-500, VM-700, and VM-1000-HV.
All models can be deployed as guest virtual machines on VMware ESXi and vCloud Air, Citrix NetScaler SDX, Amazon Web Services, KVM and KVM in OpenStack, and Microsoft Hyper-V and Azure (the VM-50 is not supported on AWS or Azure; see VM-Series Deployments for the per-platform exceptions); on VMware NSX, only the VM-100, VM-200, VM-300, VM-500, and VM-1000-HV firewalls are supported. The software package (.xva, .ova, or .vhdx file) that is used to deploy the VM-Series firewall is common across all models.
When you apply the capacity license on the VM-Series firewall, the model number and the associated capacities are implemented on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. To make sure that you purchase the correct model for your network requirements, use the following table to understand the maximum capacity for each model and the capacity differences by model:
For information on the platforms on which you can deploy the VM-Series firewall, see VM-Series Deployments. For more information about the VM-Series firewall models, see the Palo Alto Networks Firewall comparison tool. You can also review general information About the VM-Series Firewall.
• VM-Series System Requirements
• CPU Oversubscription

VM-Series System Requirements
Each instance of the VM-Series firewall requires a minimum resource allocation (number of CPUs, memory, and disk space) on its host server. Use the table below to verify that you allocate the necessary hardware resources for your VM-Series model.
When upgrading to 8.0 or changing the VM-Series model license, you may be required to allocate additional hardware resources before completing your upgrade.
To achieve the best performance, all of the needed cores should be available on a single CPU socket.
For operation, the VM-50 firewall requires a minimum of 32 GB of hard drive space. However, because the VM-Series base image is common to all models, you must allocate 60 GB of hard drive space until you license the VM-50.
The number of vCPUs assigned to the management plane and those assigned to the dataplane differs depending on the total number of vCPUs assigned to the VM-Series firewall. If you assign more vCPUs than those officially supported by the license, any additional vCPUs are assigned to the management plane.

Total vCPUs   Management Plane vCPUs   Dataplane vCPUs
2             1                        1
4             2                        2
8             2                        6
16            4                        12
CPU Oversubscription
The VM-Series firewall supports CPU oversubscription on all models. CPU oversubscription allows you to deploy a higher density of VM-Series firewalls on hypervisors running on x86 architecture. You can deploy two (2:1) to five (5:1) VM-Series firewalls per required allocation of CPUs. When planning your deployment, use the following formula to calculate the number of VM-Series firewalls your hardware can support:
(Total CPUs x Oversubscription Ratio) / CPUs per firewall = total number of VM-Series firewalls
For example, at a 5:1 ratio, a host machine with 16 physical CPUs and at least 180 GB of memory (40 x 4.5 GB) can support up to 40 instances of the VM-50. Each VM-50 requires two vCPUs, and five VM-50s can be associated with each pair of vCPUs:
(16 CPUs x 5) / 2 = 40 VM-50 firewalls
Beyond meeting the minimum VM-Series System Requirements, no additional configuration is required to take advantage of oversubscription. Deploy VM-Series firewalls normally and resource oversubscription occurs automatically. When planning your deployment, consider other functions, such as virtual switches and guest machines on the host, that require hardware resources of their own.
VM-Series Deployments
The VM-Series firewall can be deployed on the following platforms:
• VM-Series for VMware vSphere Hypervisor (ESXi) and vCloud Air
  You can deploy any VM-Series model as a guest virtual machine on VMware ESXi; ideal for cloud or networks where a virtual form factor is required.
  For details, see Set Up a VM-Series Firewall on an ESXi Server and Set Up the VM-Series Firewall on vCloud Air.
• VM-Series for VMware NSX
  The VM-100, VM-200, VM-300, VM-500, or VM-1000-HV is deployed as a network introspection service with VMware NSX and Panorama. This deployment is ideal for east-west traffic inspection, and it also can secure north-south traffic.
  For details, see Set Up the VM-Series Firewall on VMware NSX.
• VM-Series for Citrix SDX
  The VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on Citrix NetScaler SDX; this consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments.
  For details, see Set Up a VM-Series Firewall on the Citrix SDX Server.
• VM-Series for Amazon Web Services (AWS)
  You can deploy any VM-Series model, except the VM-50, on EC2 instances on the AWS Cloud.
  For details, see Set Up the VM-Series Firewall on AWS.
• VM-Series for Kernel Virtualization Module (KVM)
  You can deploy any VM-Series model on a Linux server that is running the KVM hypervisor. For details, see Set Up the VM-Series Firewall on KVM.
• VM-Series for Microsoft Hyper-V
  You can deploy any VM-Series model on a Windows Server 2012 R2 server with the Hyper-V role add-on enabled or on a standalone Hyper-V 2012 R2 server. For details, see Set Up the VM-Series Firewall on Hyper-V.
• VM-Series for Microsoft Azure
  You can deploy any VM-Series model, except the VM-50, on the Azure VNet.
  For details, see Set up the VM-Series Firewall on Azure.
• VM-Series for OpenStack
  You can deploy any VM-Series model on KVM in your OpenStack environment. For details, see Set Up the VM-Series Firewall on OpenStack.
VM-Series in High Availability
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity. In an HA configuration on the VM-Series firewalls, both peers must be deployed on the same type of hypervisor, have identical hardware resources (such as CPU cores and network interfaces) assigned to them, and have the same set of licenses and subscriptions. For general information about HA on Palo Alto Networks firewalls, see High Availability.
The VM-Series firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. The only exceptions are the following:
• The VM-Series firewall on the Amazon Web Services (AWS) cloud supports active/passive HA only. For details, see High Availability for VM-Series Firewall on AWS.
• HA is not relevant for the VM-Series firewall for VMware NSX.
The active/active deployment is supported in virtual wire and Layer 3 deployments, and is only recommended for networks with asymmetric routing.
For instructions on configuring the VM-Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.
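The pairing prerequisites above (same hypervisor, identical resources, same license set, active/passive only on AWS, no HA for NSX) and the caveat in Upgrade the VM-Series Model in an HA Pair later in this chapter (config sync stops on a capacity mismatch; a major-version mismatch combined with a capacity mismatch suspends both peers) can be checked before a pair is formed or a capacity license is changed. The following is an added example, not code from this guide or from Palo Alto Networks. The Peer fields are an assumed shape for the facts an operator collects from each firewall (for instance from show system info and the license list), not a PAN-OS API, and the sample peers are constructed.

```python
"""HA peer pre-flight check for two VM-Series firewalls (added example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class Peer:
    """Facts gathered from one firewall; field names are an assumption."""
    hostname: str
    hypervisor: str            # e.g. "esxi", "kvm", "hyperv", "aws", "azure", "nsx"
    model: str                 # capacity license applied, e.g. "VM-300"
    sw_version: str            # PAN-OS version, e.g. "8.0.3"
    vcpus: int
    memory_gb: float
    interfaces: int            # dataplane interfaces attached by the hypervisor
    licenses: FrozenSet[str] = field(default_factory=frozenset)


def major_version(sw_version: str) -> str:
    """'8.0.3' -> '8.0'; the guide compares peers at this granularity (7.1 vs 8.0)."""
    return ".".join(sw_version.split(".")[:2])


def check_ha_pair(a: Peer, b: Peer, mode: str = "active/passive") -> List[str]:
    """Return findings that block or endanger the pairing; [] means eligible."""
    findings: List[str] = []

    if "nsx" in (a.hypervisor, b.hypervisor):
        findings.append("HA is not applicable to the VM-Series for NSX")
    if a.hypervisor != b.hypervisor:
        findings.append(f"hypervisor mismatch: {a.hypervisor} vs {b.hypervisor}")
    if mode == "active/active" and a.hypervisor == "aws":
        findings.append("AWS supports active/passive HA only")

    # Identical hardware resources on both peers.
    for attr in ("vcpus", "memory_gb", "interfaces"):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            findings.append(f"{attr} mismatch: {a.hostname}={va} {b.hostname}={vb}")

    # Same set of licenses/subscriptions.
    if a.licenses != b.licenses:
        findings.append("license set mismatch: " + ", ".join(sorted(a.licenses ^ b.licenses)))

    capacity_mismatch = a.model != b.model
    version_mismatch = major_version(a.sw_version) != major_version(b.sw_version)
    if capacity_mismatch:
        findings.append(f"capacity mismatch ({a.model} vs {b.model}): config sync stays "
                        "disabled until both peers run the same model")
    if capacity_mismatch and version_mismatch:
        findings.append(f"different major PAN-OS versions ({a.sw_version} vs {b.sw_version}) "
                        "with different capacities: both peers will enter the Suspend state")
    return findings


def ok_to_upgrade_capacity(a: Peer, b: Peer) -> bool:
    """Gate for changing the capacity license of an HA pair: equalize PAN-OS first."""
    same_version = major_version(a.sw_version) == major_version(b.sw_version)
    return same_version and "nsx" not in (a.hypervisor, b.hypervisor)


# Constructed sample peers; the resource numbers are illustrative, not sizing guidance.
PEER_A = Peer("fw-a", "esxi", "VM-300", "8.0.3", 4, 9.0, 4,
              frozenset({"Threat Prevention", "WildFire", "Support"}))
PEER_B_OK = Peer("fw-b", "esxi", "VM-300", "8.0.3", 4, 9.0, 4,
                 frozenset({"Threat Prevention", "WildFire", "Support"}))
PEER_B_BAD = Peer("fw-b", "esxi", "VM-100", "7.1.10", 2, 6.5, 4,
                  frozenset({"Threat Prevention", "Support"}))

if __name__ == "__main__":
    for peer in (PEER_B_OK, PEER_B_BAD):
        print(peer.hostname, peer.model, "->", check_ha_pair(PEER_A, peer) or "eligible")
```

Run the check on both peers before enabling HA, and run ok_to_upgrade_capacity before applying a new capacity auth code to either member; a non-empty findings list for the PEER_B_BAD case shows the Suspend-state condition the guide warns about.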
Upgrade the VM-Series Firewall
• Upgrade the PAN-OS Software Version (Standalone Version)
• Upgrade the PAN-OS Software Version (VM-Series for NSX)
• Upgrade the VM-Series Model
• Upgrade the VM-Series Model in an HA Pair
• Upgrade Panorama 7.1 to Panorama 8.0
For instructions on installing your VM-Series firewall, see VM-Series Deployments.

Upgrade the PAN-OS Software Version (Standalone Version)
Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, consider upgrading to the latest version of PAN-OS. Use the following instructions for firewalls that are not deployed in a high availability (HA) configuration. For firewalls deployed in HA, refer to the PAN-OS 8.0 New Features Guide.

Upgrade PAN-OS Version (Standalone Version)
Step 1  Verify that there are enough hardware resources available to the VM-Series firewall. Refer to the VM-Series System Requirements to see the new resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process. The process for assigning additional hardware resources differs on each hypervisor.
Step 3  (Required for a firewall that is in production) Save a backup of the current configuration file.
  1. Select Device > Setup > Operations and click Export named configuration snapshot.
  2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
  3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
Step 4  Check the Release Notes to verify the Content Release version required for the PAN-OS version. The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
  1. Select Device > Dynamic Updates.
  2. Check the Applications and Threats or Applications section to determine what update is currently running.
  3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
  4. Locate the desired update and click Download.
  5. After the download completes, click Install.
Step 5  Upgrade the PAN-OS version on the VM-Series firewall.
  1. Select Device > Software.
  2. Click Refresh to view the latest software release, and also review the Release Notes to view a description of the changes in a release and to view the migration path to install the software.
  3. Click Download to retrieve the software, then click Install.
Step 6  If you are upgrading from PAN-OS 7.1 to PAN-OS 8.0, transition your VM-Series firewall from a 40 GB hard disk to a 60 GB hard disk.
  1. On your hypervisor, attach a new 60 GB hard drive to the VM-Series firewall. This new disk must be exactly 60 GB; the firewall returns an error if any other size is assigned.
  2. Access the firewall CLI.
  3. Use the following CLI command to create a new disk partition and copy the data from the original system disk to the new system disk:
     > request system clone-system-disk target sdb
  4. Return to your hypervisor and power off the VM-Series firewall.
  5. Remove the original system disk.
  6. Power on the VM-Series firewall.

Upgrade the PAN-OS Software Version (VM-Series for NSX)
For the VM-Series Firewall NSX edition, use Panorama to upgrade the software version on the firewalls.

Upgrade VM-Series NSX Edition Firewalls Using Panorama
  3. Click Download to download a selected version. After a successful download, the link in the Action column changes from Download to Install.
  4. Click Install and select the devices on which you want to install the update. When the installation completes, a check mark displays in the Currently Installed column.
Upgrade the VM-Series Model
The licensing process for the VM-Series firewall uses the UUID and the CPU ID to generate a unique serial number for each VM-Series firewall. Hence, when you generate a license, the license is mapped to a specific instance of the VM-Series firewall and cannot be modified.
Use the instructions in this section if you are:
• Migrating from an evaluation license to a production license.
• Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM-100 to the VM-300 license.

Upgrade the VM-Series Capacity
Upgrade the VM-Series Model in an HA Pair
Because a license upgrade requires some critical processes to restart, pairing firewalls in HA mode is recommended to minimize the impact to service. This process is similar to that of upgrading the PAN-OS version of an HA pair. During the upgrade process, session synchronization continues, if you have it enabled.
Configuration sync is automatically disabled when a capacity mismatch is detected and remains disabled until the mismatch is resolved. Therefore, configuration changes during the upgrade process are not recommended.
If the firewalls in the HA pair have different major software versions (such as 7.1 and 8.0) and different capacities, both devices will enter the Suspend state. Therefore, make sure both firewalls are running the same version of PAN-OS before upgrading the capacity.

Upgrade the Capacity License in an Active/Passive HA Pair
Upgrade Panorama 7.1 to Panorama 8.0
When you upgrade Panorama in your VMware NSX deployment from 7.1 to 8.0, all your existing configuration is maintained. However, that configuration will remain in pre-8.0 formats, and any configuration you create after upgrading will be in post-8.0 formats. Complete the following procedure to move your pre-8.0 configuration into post-8.0 formats.

Move Pre-8.0 Configuration to Post-8.0 Configuration
Step 6  Delete the old steering rules from vCenter.
  1. Select Networking & Security > Firewall > Configuration > Partner security services.
  2. Delete the old steering rules.
Enable Jumbo Frames on the VM-Series Firewall
By default, the maximum transmission unit (MTU) size for packets sent on a Layer 3 interface is 1500 bytes. This size can be manually set to any size from 512 to 1500 bytes on a per-interface basis. Some configurations require Ethernet frames with an MTU value greater than 1500 bytes. These are called jumbo frames.
To use jumbo frames on a firewall you must specifically enable jumbo frames at the global level. When this is enabled, the default MTU size for all Layer 3 interfaces is set to a value of 9192 bytes. This default value can then be set to any value in the range of 512 to 9216 bytes.
After setting a global jumbo frame size it becomes the default value for all Layer 3 interfaces that have not explicitly had an MTU value set at the interface configuration level. This can become a problem if you only want to exchange jumbo frames on some interfaces. In these situations, you must set the MTU value at every Layer 3 interface that you do not want to use the default value.
The following procedure describes how to enable jumbo frames on a firewall, set the default MTU value for all Layer 3 interfaces, and then set a different value for a specific interface.
Enable Jumbo Frames and Set MTU Values
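The MTU rules above (1500-byte default, 512 to 1500 per interface without jumbo frames, 9192 default and 512 to 9216 with them) are easy to get wrong when only some interfaces should carry jumbo frames. The following is an added example, not code from the guide or from Palo Alto Networks: it resolves the MTU each Layer 3 interface will actually use from a planned configuration and lists the interfaces that would exceed 1500 bytes only because they inherited the global default. The interface names and values are constructed sample input.

```python
# Added example (not from the Palo Alto Networks guide): resolve the effective
# MTU of each Layer 3 interface under the rules this section states, and flag
# the interfaces that silently inherit the jumbo-frame default.

STANDARD_DEFAULT_MTU = 1500   # default with jumbo frames disabled
JUMBO_DEFAULT_MTU = 9192      # default for every L3 interface once jumbo frames are enabled
STANDARD_RANGE = (512, 1500)  # per-interface range with jumbo frames disabled
JUMBO_RANGE = (512, 9216)     # per-interface (and global default) range with jumbo frames enabled


def mtu_is_valid(jumbo_enabled, mtu):
    """True when mtu lies inside the range the firewall accepts in this mode."""
    lo, hi = JUMBO_RANGE if jumbo_enabled else STANDARD_RANGE
    return lo <= mtu <= hi


def effective_mtus(jumbo_enabled, interfaces, global_mtu=None):
    """Return {interface: MTU it will actually use}.

    interfaces maps an interface name to its explicitly configured MTU, or to None
    when no MTU is set on the interface (it then inherits the default). global_mtu
    replaces the 9192 default and is only meaningful when jumbo frames are enabled.
    """
    if jumbo_enabled:
        default = JUMBO_DEFAULT_MTU if global_mtu is None else global_mtu
    elif global_mtu is not None:
        raise ValueError("a global jumbo MTU only applies when jumbo frames are enabled")
    else:
        default = STANDARD_DEFAULT_MTU
    if not mtu_is_valid(jumbo_enabled, default):
        raise ValueError("global default MTU %d is out of range" % default)
    resolved = {}
    for name, mtu in interfaces.items():
        chosen = default if mtu is None else mtu
        if not mtu_is_valid(jumbo_enabled, chosen):
            raise ValueError("%s: MTU %d is out of range" % (name, chosen))
        resolved[name] = chosen
    return resolved


def silently_jumbo(jumbo_enabled, interfaces, global_mtu=None):
    """Interfaces that exceed 1500 bytes without an explicit MTU: the situation the
    section warns about when only some interfaces should exchange jumbo frames."""
    resolved = effective_mtus(jumbo_enabled, interfaces, global_mtu)
    return sorted(name for name, mtu in resolved.items()
                  if interfaces[name] is None and mtu > STANDARD_DEFAULT_MTU)


if __name__ == "__main__":
    # Constructed plan: jumbo frames enabled globally, only ethernet1/3 meant to use them.
    plan = {"ethernet1/1": None, "ethernet1/2": 1500, "ethernet1/3": 9000}
    print(effective_mtus(True, plan))   # ethernet1/1 inherits 9192
    print(silently_jumbo(True, plan))   # ['ethernet1/1'] needs an explicit MTU
```

Every name that silently_jumbo() returns is an interface whose MTU must be set explicitly before the commit, exactly as the last paragraph above says.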
Hypervisor Assigned MAC Addresses
By default, the VM-Series firewall uses the MAC address assigned to the physical interface by the host/hypervisor and uses that MAC address on the VM-Series firewall deployed with Layer 3 interfaces. The firewall can then use the hypervisor assigned MAC address in its ARP responses. This capability allows non-learning switches, such as the VMware vSwitch, to forward traffic to the dataplane interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. If neither promiscuous mode nor the use of hypervisor assigned MAC address is enabled, the host will drop the frame when it detects a mismatch between the destination MAC address for an interface and the host-assigned MAC address.
There is no option to enable or disable the use of hypervisor assigned MAC addresses on AWS and Azure. It is enabled by default for both platforms and cannot be disabled.
If you are deploying the VM-Series firewall in Layer 2, virtual wire, or tap interface modes, you must enable promiscuous mode on the virtual switch to which the firewall is connected. The use of hypervisor assigned MAC address is only relevant for Layer 3 deployments where the firewall is typically the default gateway for the guest virtual machines.
When you enable hypervisor assigned MAC address functionality on the VM-Series firewall, make note of the following requirements:
- IPv6 Address on an Interface: In an active/passive HA configuration, Layer 3 interfaces using IPv6 addresses must not use the EUI-64 generated address as the interface identifier (Interface ID). Because the EUI-64 uses the 48-bit MAC address of the interface to derive the IPv6 address for the interface, the IP address is not static. This results in a change in the IP address for the HA peer when the hardware hosting the VM-Series firewall changes on failover, and leads to an HA failure.
- Lease on an IP Address: When the MAC address changes, DHCP client, DHCP relay and PPPoE interfaces might release the IP address because the original IP address lease could terminate.
- MAC address and Gratuitous ARP: VM-Series firewalls with hypervisor assigned MAC addresses in a high availability configuration behave differently than the hardware appliances with respect to MAC addressing. Hardware firewalls use self-generated floating MAC addresses between devices in an HA pair, and the unique MAC address used on each dataplane interface (say eth1/1) is replaced with a virtual MAC address that is common to the dataplane interface on both HA peers. When you enable the use of the hypervisor assigned MAC address on the VM-Series firewall in HA, the virtual MAC address is not used. The dataplane interface on each HA peer is unique and as specified by the hypervisor.
Because each dataplane interface has a unique MAC address, when a failover occurs, the now active VM-Series firewall must send a gratuitous ARP so that neighboring devices can learn the updated MAC/IP address pairing. Hence, to enable a stateful failover, the internetworking devices must not block or ignore gratuitous ARPs; make sure to disable the anti-ARP poisoning feature on the internetworking devices, if required.
Disable Use of Hypervisor Assigned MAC Address
To allow the VM-Series firewall to use the interface MAC addresses provided by the host/hypervisor:
Step 1 Select Device > Management > Setup.
Step 2 Disable (clear) the option to Use Hypervisor Assigned MAC Address.
When the MAC address change occurs, the firewall generates a system log to record this transition and the interface generates a gratuitous ARP.
Step 3 Commit the change on the firewall. You do not need to reboot the firewall.
License the VM-Series Firewall
Before you can start using your VM-Series firewall to secure east-west and north-south traffic on your network, you must activate the licenses for the services you purchased to secure your network.
If you are an authorized CSSP partner, see Licenses for Cloud Security Service Providers (CSSPs) for information that pertains to you.
For details on creating a support account and activating the licenses:
- License Types: VM-Series Firewalls
- Serial Number and CPU ID Format for the VM-Series Firewall
- Create a Support Account
- Register the VM-Series Firewall
- Switch Between the BYOL and the PAYG Licenses
- Activate the License
- Deactivate the License(s) (to release the licenses attributed to a firewall)
- Licensing API
- Licenses for Cloud Security Service Providers (CSSPs)
License Types: VM-Series Firewalls
The following licenses and subscriptions are available for the VM-Series firewall:
- Capacity License: The VM-Series firewall requires a base license, also called a capacity license, to enable the model number (VM-100, VM-200, VM-300, or VM-1000-HV) and the associated capacities on the firewall. Capacity licenses can be perpetual or term-based:
  - Perpetual License: A license with no expiration date; it allows you to use the VM-Series firewall at the licensed capacity, indefinitely. Perpetual licenses are available for the VM-Series capacity license only.
  - Term-Based License: A term-based license allows you to use the VM-Series firewall for a specified period of time. It has an expiration date and you will be prompted to renew the license before it expires. Term-based licenses are available for the capacity licenses, support entitlements, and subscriptions.
  Further, capacity licenses are available as an Individual version or an Enterprise version. The Individual version is in multiples of 1. The orderable SKU, for example PA-VM-300, includes an auth code to license one instance of the VM-Series firewall. The Enterprise version is available in multiples of 25. For example, the orderable SKU PAN-VM-100-ENT has a single auth code that allows you to register 25 instances of the VM-100.
- Support: In addition to the capacity license, you need a support entitlement that provides access to technical support and software updates.
- Subscriptions: Optionally, you may purchase one or more subscription licenses for Threat Prevention, PAN-DB URL Filtering, AutoFocus, GlobalProtect, and WildFire. These subscriptions allow you to enforce policies that safely enable applications and content on the network. For example, the Threat Prevention subscription allows you to obtain content updates that include the most up-to-date threat information for malware detection.
VM-Series Firewall for NSX Licenses
In order to automate the provisioning and licensing of the VM-Series firewall for NSX in the VMware integrated NSX solution, two license bundles are available:
- One bundle includes the VM-Series capacity license (VM-100, VM-200, VM-300, VM-500, or VM-1000-HV only), Threat Prevention license and a premium support entitlement.
- Another bundle includes the VM-Series capacity license (VM-100, VM-200, VM-300, VM-500, or VM-1000-HV only) with the complete suite of licenses that includes Threat Prevention, GlobalProtect, WildFire, PAN-DB URL Filtering, and a premium support entitlement.
VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses
You can license the VM-Series firewall in AWS and Azure in two ways:
- Bring Your Own License (BYOL): A license that is purchased from a partner, reseller, or directly from Palo Alto Networks. Capacity license, support license, and subscription licenses are supported for BYOL. With this option, you must apply the license after you deploy the VM-Series firewall.
- Usage-Based License: Also called a pay-per-use or pay-as-you-go (PAYG) license. This type of license can be purchased from the AWS Marketplace and the Azure public Marketplace. Usage-based licenses are not available on the Azure Government Cloud Marketplace.
  AWS supports hourly and annual PAYG options; Azure supports the hourly PAYG option only.
  With the usage-based licenses, the firewall is prelicensed and ready for use as soon as you deploy it; you do not receive an auth code. When the firewall is stopped or terminated on the AWS or Azure console, the usage-based licenses are suspended or terminated.
  Usage-based licenses are available in the following pricing bundles:
  - Bundle 1: Includes the VM-Series capacity license (VM-300 only), Threat Prevention license that includes IPS, AV, malware prevention, and a premium support entitlement.
  - Bundle 2: Includes the VM-Series capacity license (VM-300 only), Threat Prevention (includes IPS, AV, malware prevention), GlobalProtect, WildFire, PAN-DB URL Filtering licenses, and a premium support entitlement.
If you have an evaluation copy of the VM-Series firewall and would like to convert it to a fully licensed (purchased) copy, clone your VM-Series firewall and use the instructions to register and license the purchased copy of your VM-Series firewall. For instructions, see Upgrade the VM-Series Firewall.
You cannot switch between the PAYG and the BYOL licenses. To move from PAYG to BYOL, contact your Palo Alto Networks channel partner or sales representative to purchase a BYOL license and get a BYOL auth code that you can use to license your firewall. If you have deployed your firewall and want to switch the license, see Switch Between the BYOL and the PAYG Licenses.
Serial Number and CPU ID Format for the VM-Series Firewall
When you launch an instance of the VM-Series firewall, each instance of the firewall is uniquely identified using the CPU ID and serial number of the firewall. The format of the CPU ID and the serial number include information on the hypervisor and the license type for each instance of the VM-Series firewall.
With the usage-based licensing model of the VM-Series firewalls, at launch the firewall generates a serial number and CPU ID, and you use these details to Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).
With the BYOL model, you must Register the VM-Series Firewall (with auth code) on the Customer Support portal (CSP). For a firewall with direct internet access, you can apply the auth code on the firewall to generate a license file that includes the serial number. For a firewall that is offline, you must use the CSP to input the CPU ID, UUID, and the auth code to generate a license file that includes the serial number, and install the license on the firewall.
Create a Support Account
A support account is required to access software updates and to get technical support or open a case with Palo Alto Networks technical support.
For all licensing options except for usage-based licenses that are currently only available in AWS, you require a support account so that you can download the software package required to install the VM-Series firewall. The support account also allows you to view and manage all assets (appliances, licenses, and subscriptions) that you have registered with Palo Alto Networks.
If you have an existing support account, continue with Register the VM-Series Firewall.
Create a Support Account
Step 1 Go to https://www.paloaltonetworks.com/support/tabs/overview.html.
Step 2 Click the Register link (bottom of the page), and enter the corporate email address to associate with the support account.
Step 3 Pick one of the following options and fill in the details in the user registration form:
(For the usage-based license in AWS)
1. Click Register your Amazon Web Services VM-Series Instance.
2. On the AWS Management Console, find the AWS Instance ID, AWS Product Code, and the AWS Zone in which you deployed the firewall.
3. Fill in the other details.
(For all other licenses)
1. Click Register device using Serial Number or Authorization Code.
2. Enter the capacity auth code and the sales order number or customer ID.
3. Fill in the other details.
Step 4 Submit the form. You will receive an email with a link to activate the user account; complete the steps to activate the account.
After your account is verified and the registration is complete, you can log in to the support portal.
Register the VM-Series Firewall
When you purchase a VM-Series firewall, you receive an email that includes an auth code for a capacity license for the VM-Series model, a support entitlement auth code (for example, PAN-SVC-PREM-VM-100 SKU), and one or more auth codes for the subscription licenses. To use the auth code(s), you must register the code to the support account on the Palo Alto Networks Customer Support website. In the case of the VMware integrated NSX solution, the email contains a single authorization code that bundles the capacity license for one or more instances of the VM-1000-HV model, the support entitlement, and one or more subscription licenses.
For the usage-based licenses in AWS, you do not receive an auth code. However, in order to activate your premium support entitlement with Palo Alto Networks, you must create a support account and register the VM-Series firewall on the Palo Alto Networks Customer Support website.
Use the instructions in this section to register the capacity auth code or firewall with your support account:
- Register the VM-Series Firewall (with auth code)
- Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code)
Register the VM-Series Firewall (with auth code)
Register the VM-Series Firewall (with auth code)
Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.
Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code)
Before you begin the registration process, log in to the VM-Series firewall and jot down the serial number and the CPU ID (UUID is optional) from the dashboard.
Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code)
Step 1 On the Assets tab (after you log in to the Palo Alto Networks Customer Support website), click Register New Device.
Step 2 Select Register usage-based VM-Series models (hourly/annual) purchased from public cloud Marketplace.
If you plan to use the firewall offline, please select the Offline checkbox and enter the PAN-OS version you plan to use.
Step 6 Verify that the details on the licenses you purchased are displayed on the Assets page of the support portal.
Switch Between the BYOL and the PAYG Licenses
There is no migration path between the BYOL and PAYG licensing options. If you have already deployed and configured a VM-Series firewall with the PAYG or BYOL option in AWS or Azure, and now want to switch to the other option, use the following instructions to save and export the configuration on your existing firewall, deploy a new firewall, and then restore the configuration on the new firewall.
Switch Between the PAYG License and the BYOL License
Activate the License
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. To deploy the firewall, see VM-Series Deployments.
Use the instructions in this section for all the BYOL models including AWS and Azure; for usage-based licensing in AWS and Azure, you do not need to activate the license. For the usage-based licenses, you must Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code) in order to activate your premium support entitlement.
For usage-based models of the VM-Series firewall in the AWS Marketplace, instances with short and long AWS instance IDs are supported.
Until you activate the license on the VM-Series firewall, the firewall does not have a serial number, the MAC addresses of the dataplane interfaces are not unique, and only a minimal number of sessions are supported. Because the MAC addresses are not unique until the firewall is licensed, to prevent issues caused by overlapping MAC addresses, make sure that you do not have multiple, unlicensed VM-Series firewalls.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth code in conjunction with the serial number is used to validate your entitlement.
After you license a VM-Series firewall, if you need to delete and redeploy the VM-Series firewall, make sure to Deactivate the License(s) on the firewall. Deactivating the license allows you to transfer the active licenses to a new instance of the VM-Series firewall without help from technical support.
- Activate the License for the VM-Series Firewall (Standalone Version)
- Activate the License for the VM-Series Firewall for VMware NSX
Activate the License for the VM-Series Firewall (Standalone Version)
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration.
Activate the License
Activate the License for the VM-Series Firewall for VMware NSX
Panorama serves as the central point of administration for the VM-Series firewalls for VMware NSX, and the license activation process is automated when Panorama has direct internet access. Panorama connects to the Palo Alto Networks update server to retrieve the licenses, and when a new VM-Series firewall for NSX is deployed, it communicates with Panorama to obtain the license. If Panorama is not connected to the internet, you need to manually license each instance of the VM-Series firewall so that the firewall can connect to Panorama. For an overview of the components and requirements for deploying the VM-Series firewall for NSX, see VM-Series for NSX Firewall Overview.
For this integrated solution, the auth code (for example, PAN-VM-1000-HV-SUB-BND-NSX2) includes licenses for threat prevention, URL filtering and WildFire subscriptions and premium support for the requested period.
In order to activate the license, you must have completed the following tasks:
- Registered the auth code to the support account. If you don't register the auth code, the licensing server will fail to create a license.
- Entered the auth code in the Service Definition on Panorama. On Panorama, select VMware Service Manager to add the Authorization Code to the VMware Service Definition.
If you have purchased an evaluation auth code, you can license up to 5 VM-Series firewalls with the VM-1000-HV capacity license for a period of 30 or 60 days. Because this solution allows you to deploy one VM-Series firewall per ESXi host, the ESXi cluster can include a maximum of 5 ESXi hosts when using an evaluation license.
The following process of activating the licenses is manual. If you have a custom script or an orchestration service, you can use the Licensing API to automate the process of retrieving the licenses for the VM-Series firewalls.
Activate the Licenses on the VM-Series Firewall for NSX
When Panorama has internet access (Online)
Step 1 Verify that the VM-Series firewall is connected to Panorama.
1. Log in to Panorama.
2. Select Panorama > Managed Devices and check that the firewall displays as Connected.
When Panorama does not have internet access (Offline)
Step 1 Locate the CPU ID and UUID of the VM-Series firewall.
1. From the vCenter server, obtain the IP address of the firewall.
2. Log in to the web interface and select Dashboard.
3. Get the CPU ID and the UUID for the firewall from the General Information widget.
4. Repeat the process to install each key on the firewall.
5. Select Dashboard and verify that you can see the Serial # in the General Information widget.
Deactivate the License(s)
The license deactivation process enables you to self-manage licenses. Whether you want to remove one or more active licenses or subscriptions attributed to a firewall (hardware-based or VM-Series firewall) or you want to deactivate the VM-Series firewall and unassign all active licenses and subscriptions, begin the deactivation process on the firewall or Panorama (not on the Palo Alto Networks Customer Support website).
To successfully deactivate a license, you must install a license deactivation API key and enable verification of the update server identity (enabled by default). PAN-OS uses this deactivation API key to authenticate with all update and license services. The deactivation API key is not required for manual license deactivation, where there is no connectivity between the firewall and the license server.
If the firewall/Panorama has internet access and can communicate with the Palo Alto Networks Licensing servers, the license removal process completes automatically with a click of a button. If the firewall/Panorama does not have internet access, you must complete the process manually in a two-step process. In the first step, from the firewall or Panorama, you generate and export a license token file that includes information on the deactivated keys. In the second step, while logged in to the Palo Alto Networks Customer Support website, upload the token file to dissociate the license keys from the firewall.
- Install a License Deactivation API Key
- Deactivate a Feature License or Subscription Using the CLI
- Deactivate VM
Install a License Deactivation API Key
Retrieve your license API key from the Customer Support Portal and install it using the CLI on the firewall and Panorama. You must have superuser privileges on the firewall or Panorama to install the license API key.
When you install a license API key on Panorama, Panorama pushes the API key to its managed devices. If the managed device has an API key installed, Panorama overwrites the old API key with the new one.
Install the API Key
Step 1 Retrieve the license deactivation API key from the Customer Support Portal.
1. Log in to the Customer Support Portal.
2. From the Go To drop-down, select License API.
3. Copy the API key.
Step 2 Use the CLI to install the API key copied in the previous step.
request license api-key set key <key>
Step 3 After installing the license deactivation API key, Deactivate VM as normal.
Deactivating a VM-Series license requires a software restart.
If you need to replace a license deactivation API key, use the following CLI command to delete an installed API key.
request license api-key delete
To deactivate a VM-Series firewall after deleting the API key, you must install a new one.
Deactivate a Feature License or Subscription Using the CLI
If you accidentally installed a license/subscription on a firewall and need to reassign the license to another firewall, you can deactivate an individual license and reuse the same authorization code on another firewall without help from Technical Support. This capability is supported on the CLI only; this process is supported both on the hardware-based firewalls and on the VM-Series firewall.
Deactivate a Feature License or Subscription Using the CLI
Step 1 Log in to the CLI on the firewall.
If your firewall has direct internet access, use the following commands:
Step 2 View the name of the license key file for the feature you want to deactivate.
request license deactivate key features ?
Step 3 Deactivate the license or subscription.
request license deactivate key features <name> mode auto
where name is the full name for the license key file.
For example:
admin@vmPAN2> request license deactivate key features WildFire_License_2015_01_28_I5820573.key mode auto
007200002599 WildFire License Success
Successfully removed license keys
If your firewall does not have direct internet access, use the following commands:
Step 4 View the name of the license key file for the feature you want to deactivate.
request license deactivate key features
Step 5 Deactivate the license manually.
request license deactivate key features <name> mode manual
For example:
admin@PA-VM> request license deactivate key features PAN_DB_URL_Filtering_2015_01_28_I6134084.key mode manual
Step 6 Verify that the token file was generated.
show license-token-files
Step 7 Export the token file to an SCP or TFTP server and save it to your computer.
scp export license-token-file to <username@serverIP> from <token_filename>
For example:
scp export license-token-file to admin@10.1.10.55:/tmp/ from dact_lic.01282015.100502.tok
Step 8 Log in to the Palo Alto Networks Customer Support website.
Step 10 While logged in to the Palo Alto Networks Customer Support website, upload the token file to complete the deactivation.
Deactivate VM
When you no longer need an instance of the VM-Series firewall, you can free up all active licenses (subscription licenses, VM capacity licenses, and support entitlements) using the web interface, CLI, or the XML API on the firewall or Panorama. The licenses are credited back to your account and you can use the same authorization codes on a different instance of the VM-Series firewall.
Deactivating a VM removes all the licenses/entitlements and places the VM-Series firewall in an unlicensed state; the firewall will not have a serial number and can support only a minimal number of sessions. Because the configuration on the firewall is left intact, you can re-apply a set of licenses and restore complete functionality on the firewall, if needed.
Make sure to deactivate licenses before you delete the VM-Series firewall. If you delete the firewall before deactivating the licenses, you have two options:
- If the device was managed by Panorama, you can deactivate the license from Panorama.
- If the device was not managed by Panorama, you must contact Palo Alto Networks Customer Support.
Deactivate VM
3. Pick one of the following options to deactivate the VM:
- Click Continue, if Panorama can communicate directly with the Palo Alto Networks Licensing servers and can register the changes. To verify that the licenses have been deactivated on the firewall, click Refresh on Panorama > Device Deployment > Licenses. The firewall is automatically rebooted.
- Click Complete Manually, if Panorama does not have internet access. Panorama generates a token file. Click the Export license token link to save the token file to your local computer. The successful completion message is displayed on screen, and the firewall will be automatically rebooted.
4. (For the manual process only) To use the token file to register the changes with the licensing server, see step 5 above.
5. Remove the deactivated VM-Series firewall as a managed device on Panorama.
a. Select Panorama > Managed Devices.
b. Select the firewall that you deactivated from the list of managed devices, and click Delete.
Instead of deleting the firewalls, if you prefer, you can create a separate device group and assign the deactivated VM-Series firewalls to this device group.
Licensing API
To successfully license firewalls that do not have direct internet access, Palo Alto Networks provides a licensing API. You can use this API with a custom script or an orchestration service to register auth codes, retrieve licenses attached to an auth code, renew licenses, and to deactivate all licenses on a VM-Series firewall (Deactivate VM).
The API also allows you to view the details of an auth code so that you can track the number of unused licenses attached to an auth code or auth code bundle that enables you to license more than one instance of the firewall. An auth code bundle includes the VM-Series model, subscriptions and support in a single, easy-to-order format; you can use this bundle multiple times to license VM-Series firewalls as you deploy them.
To use the API, each support account is assigned a unique key. Each API call is a POST request, and the request must include the API key to authenticate the request to the licensing server. When authenticated, the licensing server sends the response in json (content-type application/json).
- Manage the Licensing API Key
- Use the Licensing API
- Licensing API Error Codes
Manage the Licensing API Key
To get the API key required to use the licensing API, your account must have superuser privileges on the support portal.
Manage the Licensing API Key
Use the Licensing API
The base URI for accessing the licensing API is https://api.paloaltonetworks.com/api/license; based on the task you want to perform (for example, activate licenses, deactivate licenses, or track license use), the URL will change.
An API request must use the HTTP POST method, and you must include the API key in the apikey HTTP request header and pass the request parameters as URL-encoded form data with content type application/x-www-form-urlencoded.
The API version is optional and can include the following values: 0 or 1. If specified, it must be included in the version HTTP request header. The current API version is 1; if you do not specify a version, or specify version 0, the request uses the current API version.
All API responses are represented in json.
Use the Licensing API
Step 1 Get your Licensing API key.
Step 2 Select the task you want to perform.
- Activate Licenses
- Deactivate Licenses
- Track License Usage
Activate Licenses
URL: https://api.paloaltonetworks.com/api/license/activate
Parameters: uuid, cpuid, authCode, and serialNumber.
Use these parameters to accomplish the following:
- For first-time or initial license activation, provide the cpuid, uuid, and authCode in the API request.
- If you did not save the license keys or had a network connection trouble during initial license activation, to retrieve the license(s) again for a firewall that you have previously activated, you can either provide the cpuid and uuid in the API request, or provide the serial number of the firewall in the API request.
Header: apikey
Sample request for initial license activation using curl:
curl -i -H "apikey:$APIKEY" --data-urlencode cpuid=51060400FFFBAB1F \
  --data-urlencode uuid=564D0E5F-3F22-5FAD-DA58-47352C6229FF --data-urlencode \
  authCode=I7115398 https://api.paloaltonetworks.com/api/license/activate
Sample API response:
[
  {
    "lfidField": "13365773",
    "partidField": "PAN-SVC-PREM-VM-300",
    "featureField": "Premium",
    "feature_descField": "24 x 7 phone support; advanced replacement hardware service",
    "keyField": "m4iZEL1t3n6Oa+6ll1L7itDZTphYw48N1AMOZXutDgExC5f5pOA52+Qg1jmAxanB\nKOyat4FJI4k2hWiBYz9cONuKoiaNOtAGhJvAuZmYgqAZejKueWrTzCuLrwxI/iEw\nkRGR3cYG+j6o84RitR937m2iOk2v9o8RSfLVilgX28nqmcO8LcAnTqbrRWdFtwVk\nluz47AUMXauuqwpMipouQYjk0ZL7fTHHslhyL7yFjCyxBoYXOt3JiqQ0OCDdBdDI\n91RkVPylEwTKgSXm3xpzbmC2ciUR5b235gyqdyW8eQXKvaThuR8YyHr1Pdw/lAjs\npyyIVFa6FufPacfB2RHApQ==\n",
    "auth_codeField": "",
    "errmsgField": null,
    "typeField": "SUP",
    "regDateField": "2016-06-03T08:18:41",
    "startDateField": "5/29/2016",
    "vm_capacityField": null,
    "uuidField": null,
    "cpuidField": null,
    "mac_baseField": null,
    "mac_countField": null,
    "drrField": null,
    "expirationField": "8/29/2016 12:00:00 AM",
    "PropertyChanged": null
  },
  {
    "lfidField": "13365774",
    "partidField": "PAN-VM-300-TP",
    "featureField": "Threat Prevention",
    "feature_descField": "Threat Prevention",
    "keyField": "NqaXoaFG+9qj0t9Vu7FBMizDArj+pmFaQEd6I2OqfBfAibXrvuoFKeXX/K2yXtrl\n2qJhNq3kwXBDxn181z3nrUOsQd/eW68dyp4jb1MfAwEM8mlnCyLhDRM3EE+umS4b\ndZBRH5AQjPoaON7xZ46VMFovOR+asOUJXTptS/Eu1bLAI7PBp3+nm04dYTF9O50O\ndey1jmGoiBZ9wBkesvukg3dVZ7gxppDvz14+wekYEJqPfM0NZyxsC5dnoxg9pciF\ncFelhnTYlma1lXrCqjJcFdniHRwO0RE9CIKWe0g2HGo1uo2eq1XMxL9mE5t025im\nblMnhL06smrCdtXmb4jjtg==\n",
    "auth_codeField": "",
    "errmsgField": null,
    "typeField": "SUB",
    "regDateField": "2016-06-03T08:18:41",
    "startDateField": "5/29/2016",
    "vm_capacityField": null,
    "uuidField": null,
    "cpuidField": null,
    "mac_baseField": null,
    "mac_countField": null,
    "drrField": null,
    "expirationField": "8/29/2016 12:00:00 AM",
    "PropertyChanged": null
  }
...<truncated>
The featureField in the response indicates the type of key that follows in the keyField. Copy each key to a text file and save it with the .key extension. Because the key is in json format, it does not have newlines; make sure to convert it to newlines if needed for your parser. Make sure to name each key appropriately and save it to the /license folder of the bootstrap package. For example, include the auth code with the type of key to name it as I3306691_1pavm.key (for the capacity license key), I3306691_1threat.key (for the Threat Prevention license key), I3306691_1wildfire.key (for the WildFire subscription license key).
Sample API request for retrieving previously activated licenses using curl:
curl -i -H "apikey:$APIKEY" --data-urlencode serialNumber=007200006142 \
  https://api.paloaltonetworks.com/api/license/activate
Sample API response:
[{"lfidField":"13365773","partidField":"PAN-SVC-PREM-VM-300","featureField":"Premi
um","feature_descField":"24 x 7 phone support; advanced replacement hardware
service","keyField":"m4iZEL1t3n6Oa+6ll1L7itDZTphYw48N1AMOZXutDgExC5f5pOA52+Qg1jmAx
anB\nKOyat4FJI4k2hWiBYz9cONuKoiaNOtAGhJvAuZmYgqAZejKueWrTzCuLrwxI/iEw\nkRGR3cYG+j6
o84RitR937m2iOk2v9o8RSfLVilgX28nqmcO8LcAnTqbrRWdFtwVk\nluz47AUMXauuqwpMipouQYjk0ZL
7fTHHslhyL7yFjCyxBoYXOt3JiqQ0OCDdBdDI\n91RkVPylEwTKgSXm3xpzbmC2ciUR5b235gyqdyW8eQX
KvaThuR8YyHr1Pdw/lAjs\npyyIVFa6FufPacfB2RHApQ==\n","auth_codeField":"","errmsgFiel
d":null,"typeField":"SUP","regDateField":"2016-06-03T08:18:41","startDateField":"5
/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseFiel
d":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016
12:00:00
AM","PropertyChanged":null},{"lfidField":"13365774","partidField":"PAN-VM-300-TP",
"featureField":"Threat Prevention","feature_descField":"Threat
Prevention","keyField":"NqaXoaFG+9qj0t9Vu7FBMizDArj+pmFaQEd6I2OqfBfAibXrvuoFKeXX/K
2yXtrl\n2qJhNq3kwXBDxn181z3nrUOsQd/eW68dyp4jb1MfAwEM8mlnCyLhDRM3EE+umS4b\ndZBRH5AQ
jPoaON7xZ46VMFovOR+asOUJXTptS/Eu1bLAI7PBp3+nm04dYTF9O50O\ndey1jmGoiBZ9wBkesvukg3dV
Z7gxppDvz14+wekYEJqPfM0NZyxsC5dnoxg9pciF\ncFelhnTYlma1lXrCqjJcFdniHRwO0RE9CIKWe0g2
HGo1uo2eq1XMxL9mE5t025im\nblMnhL06smrCdtXmb4jjtg==\n","auth_codeField":"","errmsgF
ield":null,"typeField":"SUB","regDateField":"2016-06-03T08:18:41","startDateField"
:"5/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseF
ield":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016
12:00:00 AM","PropertyChanged":null}
...<truncated>
Deactivate Licenses
URL: https://api.paloaltonetworks.com/api/license/deactivate
Parameters: encryptedToken
To deactivate the license(s) on a firewall that does not have direct internet access, you must generate the license token file locally on the firewall and then use this token file in the API request. For details on generating the license token file, see Deactivate VM or Deactivate a Feature License or Subscription Using the CLI.
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/deactivate?encryptedtoken@<token>
Sample API request for license deactivation using Curl (the @ tells curl to read the token from the file):
curl -i -H "apikey:$APIKEY" --data-urlencode
encryptedtoken@dact_lic.05022016.100036.tok
https://api.paloaltonetworks.com/api/license/deactivate
Sample API response:
[{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","succe
ssField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"seri
alNumField":"007200006150","featureNameField":"","issueDateField":"","successField
":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumFi
eld":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","
errorField":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"0
07200006150","featureNameField":"","issueDateField":"","successField":"Y","errorFi
eld":null,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"00720000
6150","featureNameField":"","issueDateField":"","successField":"Y","errorField":nu
ll,"isBundleField":null,"PropertyChanged":null},{"serialNumField":"007200006150","
featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isB
undleField":null,"PropertyChanged":null}]
Track License Usage
URL: https://api.paloaltonetworks.com/api/license/get
Parameters: authCode
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/get?authCode=<authcode>
Sample API request for tracking license usage using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode authcode=I9875031 https://api.paloaltonetworks.com/api/license/get
Sample API response:
HTTP/1.1 200 OK
Date: Thu, 05 May 2016 20:07:16 GMT
Content-Length: 182
{"AuthCode":"I9875031","UsedCount":4,"TotalVMCount":10,"UsedDeviceDetails":[{"UUID":"420006BD-113D-081B-F500-2E7811BE80C9","CPUID":"D7060200FFFBAB1F","SerialNumber":"007200006142"}]}.....
Licensing API Error Codes
The HTTP error codes that the licensing server returns are as follows:
200 Success
400 Error
401 Invalid API Key
500 Server Error
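The following script queries the Track License Usage endpoint, reduces the response to the numbers an operator acts on (remaining activations for an auth code) and maps the four documented status codes to an exception. It is an added example, not code from the guide or from Palo Alto Networks; the sample response is constructed from the one shown above, and the warning threshold (min_free) is this example's own parameter. The live call in get_usage is not exercised offline.

```python
"""Query /api/license/get for an auth code and report remaining capacity."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

API_BASE = "https://api.paloaltonetworks.com/api/license"

# HTTP status codes documented for the licensing server.
STATUS_TEXT = {200: "Success", 400: "Error", 401: "Invalid API Key", 500: "Server Error"}


class LicensingAPIError(Exception):
    def __init__(self, status: int, body: str = ""):
        self.status = status
        text = STATUS_TEXT.get(status, "unexpected status")
        super().__init__(f"HTTP {status} {text}: {body[:200]}")


def check_status(status: int, body: str = "") -> None:
    """Raise LicensingAPIError for anything other than 200."""
    if status != 200:
        raise LicensingAPIError(status, body)


def parse_usage(body: str) -> dict:
    """Reduce a /license/get response to the numbers an operator acts on."""
    data = json.loads(body)
    used = int(data["UsedCount"])
    total = int(data["TotalVMCount"])
    serials = [d["SerialNumber"] for d in data.get("UsedDeviceDetails", [])]
    return {"authcode": data["AuthCode"], "used": used, "total": total,
            "remaining": total - used, "serials": serials}


def capacity_warning(usage: dict, min_free: int = 2) -> Optional[str]:
    """Return a warning string when fewer than min_free activations remain."""
    if usage["remaining"] < min_free:
        return (f"auth code {usage['authcode']}: only {usage['remaining']} "
                f"of {usage['total']} activations left")
    return None


def get_usage(apikey: str, authcode: str, timeout: float = 30.0) -> dict:
    """Live call (not run offline): POST authcode form-encoded, apikey in a header."""
    req = urllib.request.Request(
        f"{API_BASE}/get",
        data=urllib.parse.urlencode({"authcode": authcode}).encode(),
        headers={"apikey": apikey},
        method="POST",
    )
    body = ""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode()
            check_status(resp.status, body)
    except urllib.error.HTTPError as e:
        # urlopen raises for 4xx/5xx; translate to the documented codes.
        check_status(e.code, e.read().decode(errors="replace"))
    return parse_usage(body)


# Constructed sample, shaped like the guide's response.
SAMPLE_USAGE = json.dumps({
    "AuthCode": "I9875031", "UsedCount": 4, "TotalVMCount": 10,
    "UsedDeviceDetails": [{"UUID": "420006BD-113D-081B-F500-2E7811BE80C9",
                           "CPUID": "D7060200FFFBAB1F", "SerialNumber": "007200006142"}],
})

if __name__ == "__main__":
    u = parse_usage(SAMPLE_USAGE)
    print(u, capacity_warning(u, min_free=8))
```

Because the API key is the only credential on these calls, keep it out of shell history and logs: read it from the environment or a secrets store, and treat a 401 as a signal to rotate the key on the Customer Support portal rather than retry.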
Licenses for Cloud Security Service Providers (CSSPs)
The Palo Alto Networks CSSP partners program allows service providers to provide security as a service or as a hosted application to their end customers. The license offerings that Palo Alto Networks provides for authorized Cloud Security Service Provider (CSSP) partners are different from the offerings for enterprise users.
For CSSP partners, Palo Alto Networks supports a usage-based model for the VM-Series firewalls bundled with subscriptions and support. For CSSP partners, you can combine a term-based capacity license for the VM-Series Models along with a choice of subscription licenses for Threat Prevention, URL Filtering, AutoFocus, GlobalProtect, and WildFire, and support entitlements that provide access to technical support and software updates. For cost effectiveness, you can also opt for a high availability (HA) option, if you plan on deploying the firewalls in an HA configuration.
Get the Auth Codes for CSSP License Packages
Register the VM-Series Firewall with a CSSP Auth Code
Add End Customer Information for a Registered VM-Series Firewall
Get the Auth Codes for CSSP License Packages
To be a CSSP Partner, you have to enroll in the Palo Alto Networks CSSP partners program. For information on enrolling in the CSSP program, contact your Palo Alto Networks Channel Business Manager. If you are enrolled, the Palo Alto Networks Support portal provides tools that allow you to select a license package, track license usage, and apply license entitlements.
A license package is a combination of the following options:
Usage term: The pay-per-use options are hourly, monthly, 1 year, and 3 years.
VM-Series firewall model: The VM-100, VM-200, VM-300, and VM-1000-HV that give you the model number and the capacities associated with each model.
Subscription bundle: The three options are basic, bundle 1, and bundle 2. The basic option does not include any subscriptions; bundle 1 has the Threat Prevention license that includes IPS, AV, malware prevention; bundle 2 has the Threat Prevention (includes IPS, AV, malware prevention), GlobalProtect, WildFire, and PAN-DB URL Filtering licenses.
Level of support: Premium support or backline support.
Redundant firewalls: The options are either high availability (HA) or without HA. This option is a cost-effective option if you plan to deploy a pair of redundant firewalls.
The offering PAN-VM-300-SP-PREM-BND1-YU, for example, is a one-year term package that includes the VM-300 with premium support and the subscription bundle 1. Each package supports up to a maximum of 10,000 instances of the VM-Series firewall.
After you select your license package, you receive an email with your auth code; the fulfillment process can take up to 48 hours.
Get the Auth Codes for the CSSP License Packages
Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.
Register the VM-Series Firewall with a CSSP Auth Code
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. As a CSSP partner, you can choose from the following options to register a firewall:
API: Use the Licensing API if you have a custom script or an orchestration service. With this option, the firewall does not need direct internet access.
Bootstrap: Use this option to automatically configure the firewall and license it on first boot. See Bootstrap the VM-Series Firewall.
Firewall web interface: You can Activate the License for the VM-Series Firewall (Standalone Version) using the firewall web interface. This workflow is for firewalls both with and without internet access.
Customer Support Portal: Use this option to manually register the firewall on the Palo Alto Networks Customer Support portal, as shown below.
Register the VM-Series Firewall on the Customer Support Portal for CSSPs
Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.
Step 4 Enter the UUID and CPUID of the VM instance and click Submit. The portal will generate a serial number for the firewall.
You can track the number of VM-Series firewalls that have been deployed and the number of licenses that are still available for use against each auth code. To view the total number of firewalls registered against a specific auth code, select CSSP > VM Provisioning Auth Codes, then select an Authorization Code and click Provisioned Devices.
Add End Customer Information for a Registered VM-Series Firewall
For the CSSP licenses, after you register the firewall, you can use the Palo Alto Networks Support portal to link the serial number of the VM-Series firewall with the customer for whom you provisioned the firewall.
Add End Customer Information for a Registered VM-Series Firewall (Customer Support Portal)
Add End Customer Information for a Registered VM-Series Firewall (API)
Add End Customer Information for a Registered VM-Series Firewall (Customer Support Portal)
Add End User Information for a Registered VM-Series Firewall (Customer Support Portal)
Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials.
Add End Customer Information for a Registered VM-Series Firewall (API)
The URL for accessing the API is https://api.paloaltonetworks.com/api/license/ReportEndUserInfo.
An API request must use the HTTP POST method, and you must include HTTP request headers that include the API key and specify the content type as JSON. API responses are in JSON format.
Add End User Information for a Registered VM-Series Firewall (ReportEndUserInfo API)
Step 1 Get your Licensing API key.
Step 2 Use the ReportEndUserInfo API to add end-user information for a VM-Series Firewall that is registered to a CSSP.
URL: https://api.paloaltonetworks.com/api/license/ReportEndUserInfo
Headers:
Content-Type: application/json
apiKey: API Key
Parameters:
SerialNumbers: Required, provide at least one valid firewall serial number
CustomerAccountId: Required
CompanyName: Required, end-user company name
EndUserContactEmail: Required, end-user email address
Address: Required, end-user address
Country: Required, two-letter end-user country code; currently US is the only valid value
Region: Required, AWS region of the VM-Series firewall deployment
City: Required, end-user city name
State: Required, two-letter state code; currently CA is the only valid value
PostalCode: Required, end-user postal code
DnBNumber: Data Universal Numbering System (DUNS) number
Industry: End-user industry type, such as networking or consultancy
PhoneNumber: End-user phone number
WebSite: End-user website URL
CreatedBy: System or person submitting this information
Sample request to add end-user information for a registered VM-Series firewall using Curl. Use HTTPS, never plain HTTP, because the request carries your API key; read the key from the $APIKEY environment variable rather than typing it on the command line, and percent-encode values that contain spaces (such as the street address and the CreatedBy name) so they reach the server intact:
curl -X POST -H "Content-Type: application/json" -H "apiKey:$APIKEY" "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo?serialNumbers=0001A101234&CustomerAccountId=12345&CompanyName=ExampleInc&DnBNumber=123456789&Address=123%20Main%20St&Country=US&Region=CA&City=Sunnydale&State=CA&PostalCode=12345&Industry=Medical&PhoneNumber=4081234567&WebSite=example.com&EndUserContactEmail=admin@example.com&CreatedBy=Jane%20Doe"
Sample API response:
{"Message": "End User Information Updated Successfully"}
If you receive an error, see Licensing API Error Codes.
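The following helper builds the ReportEndUserInfo request the way Step 2 specifies and refuses to send one that is missing a required parameter or uses a country or state other than the values the guide says are currently valid. It is an added example, not code from the guide or from Palo Alto Networks: the sample parameters are constructed from the curl example above, the parameter names follow the list in Step 2 (SerialNumbers rather than the curl example's serialNumbers), and treating SerialNumbers as a comma-separated list is an assumption. The send function performs the live call and is not run offline.

```python
"""Build a ReportEndUserInfo POST: JSON content type, apiKey header, HTTPS,
and every required parameter present and percent-encoded."""
import http.client
import urllib.parse

REPORT_URL = "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo"

REQUIRED = ("SerialNumbers", "CustomerAccountId", "CompanyName", "EndUserContactEmail",
            "Address", "Country", "Region", "City", "State", "PostalCode")
OPTIONAL = ("DnBNumber", "Industry", "PhoneNumber", "WebSite", "CreatedBy")


def validate_end_user_info(params: dict) -> list:
    """Return a list of problems; an empty list means the request can be sent."""
    problems = []
    for name in REQUIRED:
        if not str(params.get(name, "")).strip():
            problems.append(f"missing required parameter {name}")
    for name in params:
        if name not in REQUIRED and name not in OPTIONAL:
            problems.append(f"unknown parameter {name}")
    # The guide states the only currently valid values are US and CA.
    if params.get("Country") not in (None, "US"):
        problems.append("Country must be US")
    if params.get("State") not in (None, "CA"):
        problems.append("State must be CA")
    # Assumption for this example: several serials are separated by commas.
    serials = [s for s in str(params.get("SerialNumbers", "")).split(",") if s.strip()]
    if "SerialNumbers" in params and not serials:
        problems.append("SerialNumbers needs at least one serial")
    return problems


def build_request(apikey: str, params: dict) -> dict:
    """Return {url, method, headers} for a ready-to-send POST. urlencode
    percent-encodes the values, so '123 Main St' or 'Jane Doe' survive."""
    problems = validate_end_user_info(params)
    if problems:
        raise ValueError("; ".join(problems))
    if not REPORT_URL.startswith("https://"):
        raise ValueError("API key must only be sent over HTTPS")
    return {
        "url": REPORT_URL + "?" + urllib.parse.urlencode(params),
        "method": "POST",
        "headers": {"Content-Type": "application/json", "apiKey": apikey},
    }


def send(request: dict, timeout: float = 30.0) -> tuple:
    """Live call (not run offline): returns (status, body). http.client is used
    so the header names are sent exactly as the guide spells them."""
    u = urllib.parse.urlsplit(request["url"])
    conn = http.client.HTTPSConnection(u.netloc, timeout=timeout)
    try:
        conn.request(request["method"], u.path + "?" + u.query, body=b"",
                     headers=request["headers"])
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


# Constructed sample mirroring the guide's curl example.
SAMPLE_PARAMS = {
    "SerialNumbers": "0001A101234", "CustomerAccountId": "12345",
    "CompanyName": "ExampleInc", "DnBNumber": "123456789", "Address": "123 Main St",
    "Country": "US", "Region": "CA", "City": "Sunnydale", "State": "CA",
    "PostalCode": "12345", "Industry": "Medical", "PhoneNumber": "4081234567",
    "WebSite": "example.com", "EndUserContactEmail": "admin@example.com",
    "CreatedBy": "Jane Doe",
}

if __name__ == "__main__":
    print(build_request("REPLACE_WITH_API_KEY", SAMPLE_PARAMS)["url"])
```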
Set Up a VM-Series Firewall on an ESXi Server
The VM-Series firewall is distributed as an OVA (Open Virtual Appliance) package, the single-file form of the Open Virtualization Format (OVF), which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi.
In order to deploy a VM-Series firewall you must be familiar with VMware and vSphere including vSphere networking, ESXi host setup and configuration, and virtual machine guest deployment.
If you would like to automate the process of deploying a VM-Series firewall, you can create a gold standard template with the optimal configuration and policies, and use the vSphere API and the PAN-OS XML API to rapidly deploy new VM-Series firewalls in your network. For more information, see the article: VM-Series Data Center Automation.
See the following topics for information on:
Supported Deployments on VMware vSphere Hypervisor (ESXi)
VM-Series on ESXi System Requirements and Limitations
Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)
Troubleshoot ESXi Deployments
Performance Tuning of the VM-Series for ESXi
Supported Deployments on VMware vSphere Hypervisor (ESXi)
You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the following options (for environments that are not using VMware NSX):
One VM-Series firewall per ESXi host: Every VM server on the ESXi host passes through the firewall before exiting the host for the physical network. VM servers attach to the firewall via virtual standard switches. The guest servers have no other network connectivity and therefore the firewall has visibility and control of all traffic leaving the ESXi host. One variation of this use case is to also require all traffic to flow through the firewall, including server-to-server (east-west) traffic on the same ESXi host.
One VM-Series firewall per virtual network: Deploy a VM-Series firewall for every virtual network. If you have designed your network such that one or more ESXi hosts has a group of virtual machines that belong to the internal network, a group that belongs to the external network, and some others to the DMZ, you can deploy a VM-Series firewall to safeguard the servers in each group. If a group or virtual network does not share a virtual switch or port group with any other virtual network, it is completely isolated from all other virtual networks within or across the host(s). Because there is no other physical or virtual path to any other network, the servers on each virtual network must use the firewall to talk to any other network. Therefore, it allows the firewall visibility and control of all traffic leaving the virtual (standard or distributed) switch attached to each virtual network.
Hybrid environment: Both physical and virtual hosts are used; the VM-Series firewall can be deployed in a traditional aggregation location in place of a physical firewall appliance to achieve the benefits of a common server platform for all devices and to unlink hardware and software upgrade dependencies.
Continue with VM-Series on ESXi System Requirements and Limitations and Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).
VM-Series on ESXi System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM-Series firewall, see Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).
Requirements
Limitations
Requirements
You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation (number of CPUs, memory and disk space) on the ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
The host CPU must be an x86-based Intel or AMD CPU with virtualization extension.
VMware ESXi with vSphere 5.1, 5.5, 6.0, or 6.5 for VM-Series running PAN-OS 8.0. Note that the minimum supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-09.
See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Minimum of two network interfaces (vmNICs). One will be a dedicated vmNIC for the management interface and one for the data interface. You can then add up to eight more vmNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
The use of hypervisor assigned MAC addresses is enabled by default. vSphere assigns a unique vmNIC MAC address to each dataplane interface of the VM-Series firewall. If you disable the use of hypervisor assigned MAC addresses, the VM-Series firewall assigns each interface a MAC address from its own pool. Because this causes the MAC addresses on each interface to differ from the vmNIC MAC addresses, you must enable promiscuous mode (see Step 2) on the port group of the virtual switch to which the dataplane interfaces of the firewall are attached to allow the firewall to receive frames. If neither promiscuous mode nor hypervisor assigned MAC addresses is enabled, the firewall will not receive any traffic. This is because vSphere will not forward frames to a virtual machine when the destination MAC address of the frame does not match the vmNIC MAC address. Keep in mind that promiscuous mode applies to every VM on that port group, so attach only the firewall's dataplane vNICs to a port group on which you enable it.
Data Plane Development Kit (DPDK) is enabled by default on VM-Series firewalls on ESXi. For more information about DPDK, see Enable DPDK on ESXi.
To achieve the best performance out of the VM-Series firewall, you can make the following adjustments to the host before deploying the VM-Series firewall. See Performance Tuning of the VM-Series for ESXi for more information.
Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries.
Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
Enable multi-queue support for NICs. Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware's best practice recommendation on using snapshots.
If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Setup > Operations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.
Limitations
The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
Dedicated CPU cores are recommended.
High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address.
Up to 10 total ports can be configured; this is a VMware limitation. One port will be used for management traffic and up to 9 can be used for data traffic.
Only the vmxnet3 driver is supported.
Virtual systems are not supported.
vMotion of the VM-Series firewall is not supported. However, the VM-Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking.
VLAN trunking must be enabled on the ESXi vSwitch port groups that are connected to the interfaces (if configured in vwire mode) on the VM-Series firewall.
To use PCI devices with the VM-Series firewall on ESXi, memory mapped I/O (MMIO) must be below 4GB. You can disable MMIO above 4GB in your server's BIOS. This is an ESXi limitation.
Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)
To install a VM-Series firewall you must have access to the OVA (Open Virtual Appliance) template, the single-file form of the Open Virtualization Format (OVF). Use the auth code you received in your order fulfillment email to register your VM-Series firewall and gain access to the OVA template. The OVA is downloaded as a zip archive that is expanded into three files: the .ovf extension is for the OVF descriptor file that contains all metadata about the package and its contents; the .mf extension is for the OVF manifest file that contains the SHA1 digests of individual files in the package; and the .vmdk extension is for the virtual disk image file that contains the virtualized version of the firewall. Before importing, compare the digests of the .ovf and .vmdk files against the .mf so that a corrupted or tampered download is caught before it is deployed.
Plan the Interfaces for the VM-Series for ESXi
Provision the VM-Series Firewall on an ESXi Server
Perform Initial Configuration on the VM-Series on ESXi
(Optional) Add Additional Disk Space to the VM-Series Firewall
Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
Plan the Interfaces for the VM-Series for ESXi
By planning the mapping of VM-Series Firewall vNICs and interfaces, you can avoid reboots and configuration issues. The following table describes the default mapping between VMware vNICs and VM-Series interfaces when all 10 vNICs are enabled on ESXi.
VMware vNIC    VM-Series Interface
1              Ethernet 1/0 (mgmt)
2              Ethernet 1/1 (eth1)
3              Ethernet 1/2 (eth2)
4              Ethernet 1/3 (eth3)
5              Ethernet 1/4 (eth4)
6              Ethernet 1/5 (eth5)
7              Ethernet 1/6 (eth6)
8              Ethernet 1/7 (eth7)
9              Ethernet 1/8 (eth8)
10             Ethernet 1/9 (eth9)
The mapping on the VM-Series Firewall remains the same no matter which vNICs you add on ESXi. No matter which interfaces you activate on the firewall, they always take the next available vNIC on ESXi. In the following example, eth3 and eth4 on the VM-Series Firewall are paired to vNICs 2 and 3 on ESXi
respectively. If you want to add two additional interfaces, you must activate vNICs 4 and 5; doing this requires you to power down the VM-Series firewall. If you then activate eth1 and eth2 on the VM-Series Firewall, the interfaces will reorder themselves. This can result in a mapping mismatch and impact traffic.
To avoid issues like those described in the preceding example, you can do the following:
Activate all nine vNICs beyond the first when provisioning your ESXi host. Adding all nine vNICs as placeholders before powering on the VM-Series Firewall allows you to use any VM-Series interfaces regardless of order.
By activating the vNICs before powering on the VM-Series Firewall, adding additional interfaces in the future no longer requires a reboot. Because each vNIC on ESXi requires that you choose a network, you can create an empty port group as a network placeholder.
Do not remove VM-Series Firewall vNICs, to avoid mapping mismatches.
Provision the VM-Series Firewall on an ESXi Server
Use these instructions to deploy the VM-Series firewall on a (standalone) ESXi server. For deploying the VM-Series NSX edition firewall, see Set Up the VM-Series Firewall on VMware NSX.
Provision a VM-Series Firewall
Do not configure CPU affinity for the VM-Series firewall. The vCenter/ESXi server optimizes the CPU placement for the VM-Series and the firewall performs best when you do not modify the non-uniform memory access (NUMA) configuration.
8. Select the networks to use for the two initial vmNICs. The first vmNIC will be used for the management interface and the second vmNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
To view the progress of the installation, monitor the Recent Tasks list.
9. Review the details window, select the Power on after deployment checkbox and then click Next.
10. When the deployment is complete, click the Summary tab to review the current status.
Perform Initial Configuration on the VM-Series on ESXi
Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on ESXi, refer to Bootstrap the VM-Series Firewall on ESXi. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.
Configure the Management Interface With a Static IP Address
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall.
An unlicensed VM-Series firewall can process up to approximately 1230 concurrent sessions. Depending on the environment, the session limit can be reached very quickly. Therefore, apply the capacity auth code and retrieve a license before you begin testing the VM-Series firewall; otherwise, you might have unpredictable results if there is other traffic on the port group(s).
Add Additional Disk Space to the VM-Series Firewall
The VM-Series firewall requires a virtual disk of 40GB, of which 17GB is used for logging. For larger deployments, to aggregate data from all next-generation firewalls and provide visibility across all the traffic on your network, use Panorama for centralized logging and reporting. In smaller deployments, where you do not use Panorama but require more log storage capacity, use the following procedure to add a new virtual disk that can support 40GB to 2TB of storage capacity for logs.
When configured to use a virtual disk, the virtual appliance does not use the default 17GB storage for logging. Therefore, if it loses connectivity to the virtual disk, logs could be lost during the failure interval.
To allow for redundancy, place the newly created virtual disk on a datastore that provides RAID redundancy. RAID 10 provides the best write performance for applications with high logging characteristics.
Add a Virtual Disk to the VM-Series Firewall
Step 1 Power off the VM-Series firewall.
If you reuse a virtual disk (that is, a disk that was previously used for storing PAN-OS logs), the logs on the firewall's existing disk are not moved over to the virtual disk.
Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
VMware Tools is a utility that improves the ability to manage the VM-Series firewall from vCenter server and vCloud Director. VMware Tools is bundled with the software image for the VM-Series firewall and all updates will be made available with a new OVF image; you cannot manually install or upgrade VMware Tools using the vCenter server or vCloud Director.
View the IP address(es) on the management interface and the software version on the firewall and Panorama: In the Hosts and Clusters section on the vCenter server, select the firewall or Panorama and view the Summary tab for information on the IP address(es) assigned to the management interface and the software version currently installed.
View resource utilization metrics on hard disk, memory, and CPU (use these metrics to enable alarms on the vCenter server): In the Hosts and Clusters section on the vCenter server, select the firewall or Panorama and view the Monitor > Utilization tab for information on hard disk, memory, and CPU usage.
Gracefully shut down or restart the firewall and Panorama from the vCenter server: In the Hosts and Clusters section on the vCenter server, select the firewall or Panorama and select the Actions > Power drop-down.
Create alarm definitions for events you want to be notified on, or for which you want to specify an automated action (refer to the VMware documentation for details on creating alarm definitions): In the Hosts and Clusters section on the vCenter server, select the firewall or Panorama and select Manage > Alarm Definitions to add a new trigger and specify an action when a threshold is met. For example, missing heartbeats for a specified duration, or when memory resource usage exceeds a threshold. The following screenshot shows you how to use notifications for heartbeat monitoring on the firewall or Panorama.
(Screenshot of the vCenter alarm definition for heartbeat monitoring; image not reproduced.)
Troubleshoot ESXi Deployments
Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface counters, system log files, and if necessary, use debug to create captures. For more details on PAN-OS troubleshooting, refer to the article on Packet-Based Troubleshooting.
The following sections describe how to troubleshoot some common problems:
Basic Troubleshooting
Installation Issues
Licensing Issues
Connectivity Issues
Basic Troubleshooting
Recommendation for Network Troubleshooting Tools
It is useful to have a separate troubleshooting station to capture traffic or inject test packets in the virtualized environment. It can be helpful to build a fresh OS from scratch with common troubleshooting tools installed such as tcpdump, nmap, hping, traceroute, iperf, tcpedit, netcat, etc. This machine can then be powered down and converted to a template. Each time the tools are needed, the troubleshooting client (virtual machine) can be quickly deployed to the virtual switch(es) in question and used to isolate networking problems. When the testing is complete, the instance can simply be discarded and the template used again the next time it is required.
For performance-related issues on the firewall, first check the Dashboard from the firewall web interface. To view alerts or create a tech support or stats dump file, navigate to Device > Support.
For information in the vSphere client go to Home > Inventory > VMs and Templates, select the VM-Series firewall instance and click the Summary tab. Under Resources, check the statistics for consumed memory, CPU and storage. For resource history, click the Performance tab and monitor resource consumption over time.
Installation Issues
Issues with deploying the OVA
Why does the firewall boot into maintenance mode?
How do I modify the base image file for the VM-1000-HV license?
Issues with deploying the OVA
The VM-Series is delivered as a file in the OVA (Open Virtual Appliance) format. The OVA image is downloaded as a zip archive that is expanded into three files. If you are having trouble deploying the OVA image, make sure the three files are unpacked and present and, if necessary, download and extract the OVA image again.
The .ovf extension is for the OVF descriptor file that contains all metadata about the package and its contents.
The .mf extension is for the OVF manifest file that contains the SHA1 digests of individual files in the package.
The .vmdk extension is for the virtual disk image file.
The virtual disk in the OVA image is large for the VM-Series; this file is nearly 900MB and must be present on the computer running the vSphere client or must be accessible as a URL for the OVA image. Make sure the network connection is sufficient between the vSphere client computer and the target ESXi host. Any firewalls in the path will need to allow TCP ports 902 and 443 from the vSphere client to the ESXi host(s). There needs to be sufficient bandwidth and low latency on the connection, otherwise the OVA deployment can take hours or time out and fail.
Why does the firewall boot into maintenance mode?
If you have purchased the VM-1000-HV license and are deploying the VM-Series firewall in standalone mode on a VMware ESXi server or on a Citrix SDX server, you must allocate the minimum memory required by your VM-Series model.
To fix this issue, you must either modify the base image file (see How do I modify the base image file for the VM-1000-HV license?) or edit the settings on the ESXi host or the vCenter server before you power on the VM-Series firewall.
Also, verify that the interface is VMXNET3; setting the interface type to any other format will cause the firewall to boot into maintenance mode.
How do I modify the base image file for the VM-1000-HV license?
If you have purchased the VM-1000-HV license and are deploying the VM-Series firewall in standalone mode on a VMware ESXi server or on a Citrix SDX server, use these instructions to modify the following attributes that are defined in the base image file (.ova or .xva) of the VM-Series firewall.
Important: Modifying values other than those listed hereunder will invalidate the base image file. Note also that the .mf manifest records a SHA1 digest of the .ovf descriptor; after you edit the descriptor, regenerate that digest (for example with sha1sum) so that the import does not fail its checksum verification.
Modify the base image file (only if using the VM-1000-HV license in standalone mode)
Step 1 Open the base image file (for example, the .ovf descriptor of the 7.0.0 image) with a text editing tool such as Notepad.
Step2 Searchfor4096andchangethememoryallocatedto5012(thatis5GB)here:
<Item>
<rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
<rasd:Description>Memory Size</rasd:Description>
<rasd:ElementName>4096MB of memory</rasd:ElementName>
<rasd:InstanceID>2</rasd:InstanceID>
<rasd:ResourceType>4</rasd:ResourceType>
<rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
<Item>
<rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
<rasd:Description>Memory Size</rasd:Description>
<rasd:ElementName>5120MB of memory</rasd:ElementName>
<rasd:InstanceID>2</rasd:InstanceID>
<rasd:ResourceType>5</rasd:ResourceType>
<rasd:VirtualQuantity>5120</rasd:VirtualQuantity>
Step3 ChangethenumberofvirtualCPUcoresallottedfrom2to4or8asdesiredforyourdeployment:
<Item>
<rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
<rasd:Description>Number of Virtual CPUs</rasd:Description>
<rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
<rasd:InstanceID>1</rasd:InstanceID>
<rasd:ResourceType>3</rasd:ResourceType>
<rasd:VirtualQuantity>2</rasd:VirtualQuantity>
<vmw:CoresPerSocket ova:required="false">2</vmw:CoresPerSocket>
</Item>
<Item>
<rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
<rasd:Description>Number of Virtual CPUs</rasd:Description>
<rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
<rasd:InstanceID>1</rasd:InstanceID>
<rasd:ResourceType>3</rasd:ResourceType>
<rasd:VirtualQuantity>4</rasd:VirtualQuantity>
<vmw:CoresPerSocket ova:required="false">2</vmw:CoresPerSocket>
</Item>
AlternativelyyoucandeploythefirewallandbeforeyoupowerontheVMSeriesfirewall,editthememory
andvirtualCPUallocationdirectlyontheESXihostorthevCenterserver.
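The Step 2 and Step 3 edits change only the VirtualQuantity and ElementName of the memory (ResourceType 4) and CPU (ResourceType 3) Items. The manifest (.mf) file described at the top of this section stores the SHA1 digest of the .ovf descriptor, so a descriptor edited by hand no longer matches its manifest until that digest is refreshed. The script below is an added example, not Palo Alto Networks code: it verifies the manifest, applies the two edits with an XML parser instead of a text search, and rewrites the digest line. The descriptor and file names it uses are constructed; real OVA descriptors contain many more Items, which the script leaves untouched.

```python
"""Apply the Step 2/Step 3 OVF edits and keep the .mf manifest digest in sync.

Added example (not Palo Alto Networks code). Assumes the three-file OVA layout
described above: a .ovf descriptor, a .mf manifest with one
"SHA1(<file>)= <hex>" line per file, and a .vmdk disk.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

OVF = "http://schemas.dmtf.org/ovf/envelope/1"
RASD = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
VMW = "http://www.vmware.com/schema/ovf"
NS = {"ovf": OVF, "rasd": RASD, "vmw": VMW}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep ovf:/rasd:/vmw: prefixes when re-serializing

RES_PROCESSOR, RES_MEMORY = "3", "4"  # CIM ResourceType codes of the two Items the guide edits
MF_LINE = re.compile(r"^SHA1\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]{40})$")

# Constructed minimal descriptor carrying the same two Items shown in Step 2 and Step 3.
SAMPLE_OVF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
  xmlns:vmw="http://www.vmware.com/schema/ovf">
 <VirtualSystem ovf:id="PA-VM"><VirtualHardwareSection>
  <Item>
   <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
   <rasd:Description>Number of Virtual CPUs</rasd:Description>
   <rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
   <rasd:InstanceID>1</rasd:InstanceID>
   <rasd:ResourceType>3</rasd:ResourceType>
   <rasd:VirtualQuantity>2</rasd:VirtualQuantity>
   <vmw:CoresPerSocket ovf:required="false">2</vmw:CoresPerSocket>
  </Item>
  <Item>
   <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
   <rasd:Description>Memory Size</rasd:Description>
   <rasd:ElementName>4096MB of memory</rasd:ElementName>
   <rasd:InstanceID>2</rasd:InstanceID>
   <rasd:ResourceType>4</rasd:ResourceType>
   <rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
  </Item>
 </VirtualHardwareSection></VirtualSystem>
</Envelope>
"""


def parse_manifest(text):
    """Map file name -> expected SHA1 from .mf text; reject lines of an unknown shape."""
    entries = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = MF_LINE.match(line)
        if not m:
            raise ValueError("unexpected manifest line: %r" % line)
        entries[m.group("name")] = m.group("digest").lower()
    return entries


def verify_manifest(manifest_text, files):
    """Return the names (files: name -> bytes) whose SHA1 does not match the manifest."""
    return [name for name, digest in parse_manifest(manifest_text).items()
            if name not in files or hashlib.sha1(files[name]).hexdigest() != digest]


def _hw_items(root):
    """Yield (ResourceType, Item) for the CPU and memory Items only."""
    for item in root.iter("{%s}Item" % OVF):
        rtype = item.findtext("rasd:ResourceType", namespaces=NS)
        if rtype in (RES_PROCESSOR, RES_MEMORY):
            yield rtype, item


def hardware(ovf_bytes):
    """Return (memory_mb, vcpus) as currently declared in the descriptor."""
    found = {rtype: int(item.findtext("rasd:VirtualQuantity", namespaces=NS))
             for rtype, item in _hw_items(ET.fromstring(ovf_bytes))}
    return found[RES_MEMORY], found[RES_PROCESSOR]


def set_hardware(ovf_bytes, memory_mb, vcpus):
    """Rewrite VirtualQuantity and ElementName of the memory and CPU Items, nothing else."""
    root = ET.fromstring(ovf_bytes)
    for rtype, item in _hw_items(root):
        qty, label = ((memory_mb, "%dMB of memory" % memory_mb) if rtype == RES_MEMORY
                      else (vcpus, "%d virtual CPU(s)" % vcpus))
        item.find("rasd:VirtualQuantity", NS).text = str(qty)
        item.find("rasd:ElementName", NS).text = label
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def refresh_manifest(manifest_text, name, data):
    """Replace the digest line for `name` so the edited descriptor passes the manifest check."""
    fresh = "SHA1(%s)= %s" % (name, hashlib.sha1(data).hexdigest())
    out = []
    for line in manifest_text.splitlines():
        m = MF_LINE.match(line.strip())
        out.append(fresh if m and m.group("name") == name else line)
    return "\n".join(out) + "\n"


def demo():
    """Verify, edit to 5120MB / 4 vCPUs, observe the stale digest, refresh, re-verify."""
    files = {"PA-VM.ovf": SAMPLE_OVF}  # constructed file name
    mf = "SHA1(PA-VM.ovf)= %s\n" % hashlib.sha1(SAMPLE_OVF).hexdigest()
    before = verify_manifest(mf, files)                       # [] : untouched image is consistent
    files["PA-VM.ovf"] = set_hardware(SAMPLE_OVF, memory_mb=5120, vcpus=4)
    stale = verify_manifest(mf, files)                        # ["PA-VM.ovf"] : digest now wrong
    mf = refresh_manifest(mf, "PA-VM.ovf", files["PA-VM.ovf"])
    return hardware(files["PA-VM.ovf"]), before, stale, verify_manifest(mf, files)
```

Running demo() on the constructed descriptor returns ((5120, 4), [], ['PA-VM.ovf'], []): the edit succeeds, the old digest fails, and the refreshed manifest passes again. The same mismatch check is a cheap way to confirm that a downloaded OVA was extracted completely before troubleshooting anything else.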
Licensing Issues
Why am I unable to apply the support or feature license?
Why does my cloned VM-Series firewall not have a valid license?
Will moving the VM-Series firewall cause license invalidation?
Why am I unable to apply the support or feature license?
Have you applied the capacity auth code on the VM-Series firewall? Before you can activate the support or feature license, you must apply the capacity auth code so that the device can obtain a serial number. This serial number is required to activate the other licenses on the VM-Series firewall.
Why does my cloned VM-Series firewall not have a valid license?
VMware assigns a unique UUID to each virtual machine, including the VM-Series firewall. So, when a VM-Series firewall is cloned, a new UUID is assigned to it. Because the serial number and license for each instance of the VM-Series firewall is tied to the UUID, cloning a licensed VM-Series firewall will result in a new firewall with an invalid license. You will need a new auth code to activate the license on the newly deployed firewall. You must apply the capacity auth code and a new support license in order to obtain full functionality, support, and software upgrades on the VM-Series firewall.
Will moving the VM-Series firewall cause license invalidation?
If you are manually moving the VM-Series firewall from one host to another, be sure to select the option This guest was moved to prevent license invalidation.
Connectivity Issues
Why is the VM-Series firewall not receiving any network traffic?
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
In the vSphere environment, check for the following issues:
Check the port groups and confirm that the firewall and the virtual machine(s) are on the correct port group.
Make sure that the interfaces are mapped correctly.
Network adapter 1 = management
Network adapter 2 = Ethernet1/1
Network adapter 3 = Ethernet1/2
For each virtual machine, check the settings to verify the interface is mapped to the correct port group.
Verify that either promiscuous mode is enabled for each port group or for the entire switch, or that you have configured the firewall to use Hypervisor Assigned MAC Addresses.
Since the data plane PAN-OS MAC addresses are different than the VMNIC MAC addresses assigned by vSphere, the port group (or the entire vSwitch) must be in promiscuous mode if the firewall is not enabled to use the hypervisor assigned MAC address.
Check the VLAN settings on vSphere.
The use of the VLAN setting for the vSphere port group serves two purposes: it determines which port groups share a layer 2 domain, and it determines whether the uplink ports are tagged (802.1Q).
Check the physical switch port settings.
If a VLAN ID is specified on a port group with uplink ports, then vSphere will use 802.1Q to tag outbound frames. The tag must match the configuration on the physical switch or the traffic will not pass.
Check the port statistics if using virtual distributed switches (vDS); standard switches do not provide any port statistics.
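The adapter-to-interface mapping and the VMXNET3 requirement from the list above can be checked from the firewall's .vmx file rather than by clicking through each adapter. The script below is an added example and not Palo Alto Networks code; it reads the standard VMware keys ethernetN.virtualDev and ethernetN.networkName (adapter N in the vSphere UI is ethernet(N-1) in the file). The sample .vmx excerpt and the port-group names PG-Mgmt, PG-Untrust and PG-Trust are constructed for the example.

```python
"""Check a VM-Series .vmx for adapter order and adapter type (added example, not Palo Alto Networks code)."""
import re

# Constructed .vmx excerpt. Adapter 3 is deliberately wrong: e1000 instead of vmxnet3
# (which boots the firewall into maintenance mode) and attached to the management port group.
SAMPLE_VMX = """\
displayName = "PA-VM-01"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.networkName = "PG-Mgmt"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet1.networkName = "PG-Untrust"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "e1000"
ethernet2.networkName = "PG-Mgmt"
"""

# Mapping from the troubleshooting list above; the port-group names are constructed.
EXPECTED = {1: ("management", "PG-Mgmt"),
            2: ("Ethernet1/1", "PG-Untrust"),
            3: ("Ethernet1/2", "PG-Trust")}

VMX_KEY = re.compile(r'^ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"$')


def parse_vmx(text):
    """Return {adapter number (1-based, as shown in vSphere): {key: value}} for ethernetN.* lines."""
    adapters = {}
    for line in text.splitlines():
        m = VMX_KEY.match(line.strip())
        if m:
            adapters.setdefault(int(m.group(1)) + 1, {})[m.group(2)] = m.group(3)
    return adapters


def check_adapters(text, expected=EXPECTED):
    """Return a list of findings; an empty list means every adapter is vmxnet3 and on its port group."""
    findings = []
    adapters = parse_vmx(text)
    for n, (role, portgroup) in sorted(expected.items()):
        cfg = adapters.get(n, {})
        if cfg.get("present", "FALSE").upper() != "TRUE":
            findings.append("adapter %d (%s): not present" % (n, role))
            continue
        if cfg.get("virtualDev", "").lower() != "vmxnet3":
            findings.append("adapter %d (%s): virtualDev %r, expected vmxnet3"
                            % (n, role, cfg.get("virtualDev")))
        if cfg.get("networkName") != portgroup:
            findings.append("adapter %d (%s): on port group %r, expected %r"
                            % (n, role, cfg.get("networkName"), portgroup))
    return findings


# The same file with adapter 3 corrected, to show a clean result.
FIXED_VMX = (SAMPLE_VMX
             .replace('ethernet2.virtualDev = "e1000"', 'ethernet2.virtualDev = "vmxnet3"')
             .replace('ethernet2.networkName = "PG-Mgmt"', 'ethernet2.networkName = "PG-Trust"'))
```

check_adapters(SAMPLE_VMX) reports two findings, both for adapter 3; check_adapters(FIXED_VMX) returns an empty list. Promiscuous mode and the VLAN ID live on the port group and vSwitch, not in the .vmx, so those two items from the list still have to be checked on the host.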
Performance Tuning of the VM-Series for ESXi
The VM-Series firewall for ESXi is a high performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall. For the best performance, ESXi 6.0.0.0 or later is recommended.
Install the NIC Driver on ESXi
Enable DPDK on ESXi
Enable SR-IOV on ESXi
Enable Multi-Queue Support for NICs on ESXi
Install the NIC Driver on ESXi
For the best performance, use SR-IOV with Intel 10GB network interfaces, which requires the ixgbe 4.4.1 driver to support multiple queues for each interface.
Verify the Driver Version
Enable DPDK on ESXi
Data Plane Development Kit (DPDK) enhances VM-Series performance by increasing network interface card (NIC) packet processing speed. On the VM-Series firewall, DPDK is enabled by default on ESXi. If you disable DPDK, the NIC uses packet mmap instead of DPDK. To take advantage of DPDK, you must use a NIC with one of the following drivers:
All data interfaces must be using the same driver to support DPDK.
Supported Drivers
Virtual Driver   VMXNET3
Intel Driver     ixgbe, ixgbevf, i40e, i40evf
Enable SR-IOV on ESXi
Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. Enable SR-IOV by enabling virtual function devices on the SR-IOV NIC and then modifying the guest settings in vCenter.
SR-IOV on the VM-Series for ESXi requires one of the following Intel NIC drivers.
Driver Filename      Version
ixgbe/ixgbe.ko       4.2.0.4.1
ixgbevf/ixgbevf.ko   2.14.2
i40e/i40e.ko         1.3.49
i40evf/i40evf.ko     1.2.25
Complete the following procedure to enable SR-IOV.
Enable SR-IOV on the Guest Machine
Step 3 Reboot the ESXi host for your changes to take effect.
Enable Multi-Queue Support for NICs on ESXi
Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues. Modify the .vmx file or access Advanced Settings to enable multi-queue.
Enable Multi-Queue
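The driver table above and the DPDK requirement that all data interfaces use the same driver can be checked against the host's NIC inventory. The script below is an added example and not Palo Alto Networks code: it reads the Driver Info block that esxcli network nic get -n vmnicN prints (the Driver: and Version: lines), compares the version against the minimum from the SR-IOV table, and flags a mixed set of drivers. The vmnic outputs are constructed fragments in that layout, trimmed to the fields the check reads.

```python
"""Check ESXi NIC driver names and versions against the SR-IOV/DPDK driver table above.

Added example, not Palo Alto Networks code. Input is the "Driver Info" block from
`esxcli network nic get -n vmnicN`; the sample outputs below are constructed.
"""
import re

# Minimum versions from the SR-IOV table in this section. VMXNET3 is DPDK-capable but has no
# version requirement stated in the guide.
MIN_VERSION = {"ixgbe": "4.2.0.4.1", "ixgbevf": "2.14.2", "i40e": "1.3.49", "i40evf": "1.2.25"}
DPDK_DRIVERS = set(MIN_VERSION) | {"vmxnet3"}

SAMPLE = {  # constructed; real output contains many more fields
    "vmnic2": "   Driver Info:\n         Bus Info: 0000:04:00.0\n         Driver: ixgbe\n"
              "         Firmware Version: 0x800003e7\n         Version: 4.4.1\n",
    "vmnic3": "   Driver Info:\n         Driver: ixgbe\n         Version: 3.7.13.7.14iov-NAPI\n",
    "vmnic4": "   Driver Info:\n         Driver: i40e\n         Version: 1.3.49\n",
    "vmnic5": "   Driver Info:\n         Driver: nmlx5_core\n         Version: 4.15.8.8\n",
}


def version_key(version):
    """'3.7.13.7.14iov-NAPI' -> (3, 7, 13, 7, 14): compare numeric fields, ignore suffixes."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def parse_driver_info(text):
    """Return (driver, version) or None. Anchoring on 'Version:' at line start skips 'Firmware Version:'."""
    drv = re.search(r"^\s*Driver:\s*(\S+)", text, re.M)
    ver = re.search(r"^\s*Version:\s*(\S+)", text, re.M)
    return (drv.group(1), ver.group(1)) if drv and ver else None


def check_nic(text):
    """Classify one NIC as ok, too-old, unsupported (not a DPDK/SR-IOV driver) or unknown."""
    info = parse_driver_info(text)
    if info is None:
        return (None, None, "unknown")
    driver, version = info
    if driver not in DPDK_DRIVERS:
        return (driver, version, "unsupported")
    minimum = MIN_VERSION.get(driver)
    if minimum and version_key(version) < version_key(minimum):
        return (driver, version, "too-old")
    return (driver, version, "ok")


def audit(outputs):
    """Check every NIC; the boolean says whether a single driver is in use (DPDK needs that on data NICs)."""
    results = {nic: check_nic(text) for nic, text in outputs.items()}
    drivers = {r[0] for r in results.values() if r[0]}
    return results, len(drivers) == 1
```

On the constructed inventory, vmnic2 and vmnic4 pass, vmnic3 is flagged as too old, vmnic5 is not a DPDK/SR-IOV driver, and the single-driver check fails because ixgbe, i40e and nmlx5_core are mixed. Run audit() only over the vmnics you intend to assign as data interfaces; the management interface does not take part in DPDK.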
Set Up the VM-Series Firewall on vCloud Air
The VM-Series firewall can be deployed in a virtual data center (vDC) on vCloud Air using the vCloud Air portal, from the vCloud Director portal, or using the vCloud Air API.
About the VM-Series Firewall on vCloud Air
Deployments Supported on vCloud Air
Deploy the VM-Series Firewall on vCloud Air
About the VM-Series Firewall on vCloud Air
You can deploy the VM-Series firewall in a virtual data center (vDC) on VMware vCloud Air using the vCloud Air portal or from the vCloud Director portal. And to centrally manage all your physical and VM-Series firewalls, you can use an existing Panorama or deploy a new Panorama on premise or on vCloud Air.
The VM-Series firewall on vCloud Air requires the following:
ESXi version of the software image, an Open Virtualization Alliance (OVA) file, from the Palo Alto Networks Customer Support website. Currently, the vCloud Air Marketplace does not host the software image.
In order to efficiently deploy the VM-Series firewall, include the firewall software image in a vApp. A vApp is a container for preconfigured virtual appliances (virtual machines and operating system images) that is managed as a single object. For example, if your vApp includes a set of multi-tiered applications and the VM-Series firewall, each time you deploy the vApp, the VM-Series firewall automatically secures the web server and database server that get deployed with the vApp.
License and subscriptions purchased from a partner, reseller, or directly from Palo Alto Networks, in the Bring Your Own License (BYOL) model; the usage-based licensing for the VM-Series on vCloud Air is not available.
Due to the security restrictions imposed on vCloud Air, the VM-Series firewall on vCloud Air is best deployed with Layer 3 interfaces, and the interfaces must be enabled to use the hypervisor assigned MAC address. If you do not enable hypervisor assigned MAC address, the VMware vSwitch cannot forward traffic to the data plane interfaces on the VM-Series firewall because the vSwitch on vCloud Air does not support promiscuous mode or MAC forged transmits. The VM-Series firewall cannot be deployed with tap interfaces, Layer 2 interfaces, or virtual wire interfaces.
The VM-Series firewall on vCloud Air can be deployed in an active/passive high availability configuration. However, the VM-Series firewall on vCloud Air does not support VM Monitoring capabilities for virtual machines that are hosted on vCloud Air.
To learn all about vCloud Air, refer to the VMware vCloud Air documentation.
Deployments Supported on vCloud Air
To enable applications safely, block known and unknown threats, and to keep pace with changes in your environment, you can deploy the VM-Series firewall on vCloud Air with Layer 3 interfaces in the following ways:
Secure the virtual data center perimeter: Deploy the VM-Series firewall as a virtual machine that connects isolated and routed networks on vCloud Air. In this deployment the firewall secures all north-south traffic traversing the infrastructure on vCloud Air.
Set up a hybrid cloud: Extend your data center and private cloud into vCloud Air and use a VPN connection to enable communication between the corporate network and the data center. In this deployment, the VM-Series firewall uses IPSec to encrypt traffic and secure users accessing the cloud.
Secure traffic between application subnets in the vDC: To improve security, segment your network and isolate traffic by creating application tiers, and then deploy the VM-Series firewall to protect against lateral threats between subnets and application tiers.
The following illustration combines all three deployment scenarios and includes Panorama. Panorama streamlines policy updates, centralizes policy management, and provides centralized logging and reporting.
Deploy the VM-Series Firewall on vCloud Air
Use the instructions in this section to deploy your VM-Series firewall in an on-demand or dedicated vDC on vCloud Air. This procedure assumes that you have set up your vDC, including the gateways required to allow traffic in and out of the vDC, and the networks required for routing management traffic and data traffic through the vDC.
Deploy the VM-Series Firewall on vCloud Air
Deploy the VM-Series Firewall on vCloud Air (Continued)
2. Select Virtual Machine and click on the Name of the VM-Series firewall to access the Virtual Machine Properties.
3. Add additional Hardware resources for the VM-Series firewall:
See VM-Series System Requirements for the minimum vCPU, memory, and disk requirements for your VM-Series model.
NICs: One management and up to seven dataplane interfaces.
Step 8 Power on the VM-Series firewall.
Set Up a VM-Series Firewall on the Citrix SDX Server
To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunction with the NetScaler VPX secures application delivery along with network security, availability, performance, and visibility.
About the VM-Series Firewall on the SDX Server
System Requirements and Limitations
Supported Deployments: VM-Series Firewall on Citrix SDX
Install the VM-Series Firewall on the SDX Server
Secure North-South Traffic with the VM-Series Firewall
Secure East-West Traffic with the VM-Series Firewall
About the VM-Series Firewall on the SDX Server
One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the network; virtual wire interfaces, Layer 2 interfaces, and Layer 3 interfaces are supported. To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.
Once deployed, the VM-Series firewall works harmoniously with the NetScaler VPX (if needed), which is a virtual NetScaler appliance deployed on the SDX server. The NetScaler VPX provides load balancing and traffic management functionality and is typically deployed in front of a server farm to facilitate efficient access to the servers. For a complete overview of NetScaler features and functionality, refer to http://www.citrix.com/netscaler. When the VM-Series is paired to work with the NetScaler VPX, the complementary capabilities enhance your traffic management, load balancing, and application/network security needs.
This document assumes that you are familiar with the networking and configuration on the NetScaler VPX. In order to provide context for the terms used in this section, here is a brief refresher on the NetScaler owned IP addresses that are referred to in this document:
NetScaler IP address (NSIP): The NSIP is the IP address for management and general system access to the NetScaler itself, and for HA communication.
Mapped IP address (MIP): A MIP is used for server-side connections. It is not the IP address of the NetScaler. In most cases, when the NetScaler receives a packet, it replaces the source IP address with a MIP before sending the packet to the server. With the servers abstracted from the clients, the NetScaler manages connections more efficiently.
Virtual server IP address (VIP): A VIP is the IP address associated with a vserver. It is the public IP address to which clients connect. A NetScaler managing a wide range of traffic may have many VIPs configured.
Subnet IP address (SNIP): When the NetScaler is attached to multiple subnets, SNIPs can be configured for use as MIPs providing access to those subnets. SNIPs may be bound to specific VLANs and interfaces.
For examples on deploying the VM-Series firewall and the NetScaler VPX together, see Supported Deployments: VM-Series Firewall on Citrix SDX.
System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.
Requirements
Limitations
Requirements
You can deploy multiple instances of the VM-Series firewall on the Citrix SDX server. Because each instance of the firewall requires a minimum resource allocation (number of CPUs, memory and disk space) on the SDX server, make sure to conform to the specifications below to ensure optimal performance.
Requirement: SDX platforms
Details: 11500, 11515, 11520, 11530, 11540, 11542; 13500, 14500, 16500, 18500, 20500; 22040, 22060, 22080, 22100, 22120; 24100, 24150; 17550, 19550, 20550, 21550
Requirement: SDX version
Details: 10.1+. 10.1 is not supported; a software version higher than 10.1 is required.
Requirement: Citrix XenServer version
Details: 6.0.2 or later
Requirement: Minimum System Resources
Details: The host CPU must be an x86-based Intel or AMD CPU with virtualization extension. Two network interfaces: one dedicated for management traffic and one for data traffic. For management traffic, you can use the 0/x interfaces on the management plane or the 10/x interfaces on the data plane. Assign additional network interfaces for data traffic, as required for your network topology. See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Plan and allocate the total number of data interfaces that you might require on the VM-Series firewall. This task is essential during initial deployment, because adding or removing interfaces to the VM-Series firewall after initial deployment will cause the data interfaces (Eth1/1 and Eth1/2) on the VM-Series firewall to remap to the adapters on the SDX server. Each data interface sequentially maps to the adapter with the lowest numerical value, and this remapping can cause a configuration mismatch on the firewall.
Limitations
The VM-Series firewall deployed on the Citrix SDX server has the following limitations:
Up to 24 total ports can be configured. One port will be used for management traffic and up to 23 can be used for data traffic.
Link aggregation is not supported.
For the supported deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.
To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.
Supported Deployments: VM-Series Firewall on Citrix SDX
In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX.
Scenario 1: Secure North-South Traffic
Scenario 2: Secure East-West Traffic (VM-Series Firewall on Citrix SDX)
Scenario 1: Secure North-South Traffic
To secure north-south traffic using a VM-Series firewall on an SDX server, you have the following options:
VM-Series Firewall Between the NetScaler VPX and the Servers
VM-Series Firewall Before the NetScaler VPX
VM-Series Firewall Between the NetScaler VPX and the Servers
The perimeter firewall gates all traffic into the network. All traffic permitted into the network flows through the NetScaler VPX and then through the VM-Series firewall before the request is forwarded to the servers. In this scenario, the VM-Series firewall secures north-south traffic and can be deployed using virtual wire, L2, or L3 interfaces.
VM-Series Firewall with L3 Interfaces
VM-Series Firewall with L2 or Virtual Wire Interfaces
VM-Series Firewall with L3 Interfaces
Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed.
Using an L3 interface allows you to make minimal changes to the SDX server/network configuration because the SNIP to reach the servers is removed from the NetScaler VPX and is configured on the VM-Series firewall. With this approach, only one data interface is used on the VM-Series firewall, hence only one zone can be defined. As a result, when defining the policy rules you must specify the source and destination IP address/subnets across which to enforce security rules. For details, see Deploy the VM-Series Firewall Using L3 Interfaces.
Topology After Adding the VM-Series Firewall with L3 Interfaces
In this example, the public IP address that the clients connect to (VIP on the NetScaler VPX) is 192.168.1.10. For providing access to the servers on subnet 192.168.2.x, the configuration on the VPX references the subnets (SNIP) 192.168.1.1 and 192.168.2.1. Based on your network configuration and default routes, the routing on servers might need to be changed.
When you set up the VM-Series firewall, you must add a data interface (for example eth1/1), and assign two IP addresses to the interface. One IP address must be on the same subnet as the VIP and the other must be on the same subnet as the servers. In this example, the IP addresses assigned to the data interface are 192.168.1.2 and 192.168.2.1. Because only one data interface is used on the VM-Series firewall, all traffic belongs to a single zone, and all intrazone traffic is implicitly allowed in policy. Therefore, when defining the policy rules you must specify the source and destination IP address/subnets across which to enforce security rules.
Even after you add the VM-Series firewall on the SDX server, the IP address that the clients continue to connect to is the VIP of the NetScaler VPX (192.168.1.10). However, to route all traffic through the firewall, on the NetScaler VPX you must define a route to the subnet 192.168.2.x. In this example, to access the servers this route must reference the IP address 192.168.1.2 assigned to the data interface on the VM-Series firewall. Now all traffic destined for the servers is routed from the NetScaler VPX to the firewall and then on to the servers. The return traffic uses the interface 192.168.2.1 on the VM-Series and uses the SNIP 192.168.1.1 as its next hop.
For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, then the VM-Series firewall requires a default route that points to the SNIP 192.168.1.1, in this example.
If a default NAT (mapped/SNIP) IP address is used, then you do not need to define a default route on the VM-Series firewall.
For instructions, see Deploy the VM-Series Firewall Using L3 Interfaces.
VM-Series Firewall with L2 or Virtual Wire Interfaces
Deploying the VM-Series firewall using L2 interfaces or virtual wire interfaces requires reconfiguration on the NetScaler VPX to remove the direct connection to the servers. The VM-Series firewall can then be cabled and configured to transparently intercept and enforce policy on traffic destined to the servers. In this approach two data interfaces are created on the firewall and each belongs to a distinct zone. The security policy is defined to allow traffic between the source and destination zones. For details, see Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces.
Topology After Adding the VM-Series Firewall with L2 or Virtual Wire Interfaces
VM-Series Firewall Before the NetScaler VPX
In this scenario, the perimeter firewall is replaced with the VM-Series firewall, which can be deployed using L3, L2, or virtual wire interfaces. All traffic on your network is secured by the VM-Series firewall before the request reaches the NetScaler VPX and is forwarded to the servers. For details, see Deploy the VM-Series Firewall Before the NetScaler VPX.
Scenario 2: Secure East-West Traffic (VM-Series Firewall on Citrix SDX)
The VM-Series firewall is deployed along with two NetScaler VPX systems that service different server segments on your network or operate as termination points for SSL tunnels. In this scenario, the perimeter firewall secures incoming traffic. Then, the traffic destined to the DMZ servers flows to a NetScaler VPX that load balances the request. To add an extra layer of security to the internal network, all east-west traffic between the DMZ and the corporate network is routed through the VM-Series firewall. The firewall can enforce network security and validate access for that traffic. For details, see Secure East-West Traffic with the VM-Series Firewall.
Install the VM-Series Firewall on the SDX Server
A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the SDX server. If you have not already registered the capacity auth code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After registration is completed, continue to the following tasks:
Upload the Image to the SDX Server
Provision the VM-Series Firewall on the SDX Server
Upload the Image to the SDX Server
To provision the VM-Series firewall, you need to obtain the .xva image file and upload it to the SDX server.
Upload the XVA Image to the SDX Server
Provision the VM-Series Firewall on the SDX Server
Provision the VM-Series Firewall on the SDX Server
7. Review the summary and click Finish to begin the installation process. It takes 5-8 minutes to provision the firewall. When completed, use the management IP address to launch the web interface of the firewall.
Continue with Activate the License.
Secure North-South Traffic with the VM-Series Firewall
This section includes information on deploying the NetScaler VPX and the VM-Series firewall on the Citrix SDX server:
Deploy the VM-Series Firewall Using L3 Interfaces
Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
Deploy the VM-Series Firewall Before the NetScaler VPX (Using Virtual Wire Interfaces)
Deploy the VM-Series Firewall Using L3 Interfaces
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall as an L3 deployment; the VM-Series firewall is placed to secure traffic between the NetScaler VPX and the servers on your network.
Topology Before Adding the VM-Series Firewall
Topology After Adding the VM-Series Firewall
The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall to Process North-South Traffic Using L3 Interfaces
5. In the Destination tab, select Add in the Destination Address section and select the New Address link.
6. Create a new address object that specifies the subnet of the web servers. In this example, this subnet hosts all the web servers that service the requests.
7. In the Application tab, select web-browsing.
8. In the Actions tab, complete these tasks:
a. Set the Action Setting to Allow.
b. Attach the default profiles for antivirus, anti-spyware, and vulnerability protection, under Profile Setting.
9. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.
10. Create another rule to deny all other traffic from any source and any destination IP address on the network.
Because all intrazone traffic is allowed by default, in order to deny traffic other than web-browsing, you must create a deny rule that explicitly blocks all other traffic.
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.
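The single-zone behaviour described for the L3 deployment (all intrazone traffic implicitly allowed, so the explicit deny rule in step 10 is required) can be reproduced with a small first-match policy evaluator. The script below is an added example and not PAN-OS code; it models only the evaluation order the text relies on (explicit rules top-down, then the default intrazone allow and interzone deny) and uses the 192.168.2.x server subnet from the topology above. The zone name trust, the rule names, the server address 192.168.2.50 and the sample flows are constructed.

```python
"""First-match security policy evaluation for the single-zone L3 deployment (added example, not PAN-OS code)."""
import ipaddress


def _matches_addr(ip, nets):
    """True when `nets` is "any" or `ip` falls in one of the listed subnets."""
    return nets == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)


class Rule:
    """One security rule: zones, source/destination subnets, applications, action."""

    def __init__(self, name, src_zone, dst_zone, src, dst, apps, action):
        self.name, self.src_zone, self.dst_zone = name, src_zone, dst_zone
        self.src, self.dst, self.apps, self.action = src, dst, apps, action

    def matches(self, pkt):
        return ((self.src_zone == "any" or pkt["src_zone"] == self.src_zone)
                and (self.dst_zone == "any" or pkt["dst_zone"] == self.dst_zone)
                and _matches_addr(pkt["src_ip"], self.src)
                and _matches_addr(pkt["dst_ip"], self.dst)
                and (self.apps == "any" or pkt["app"] in self.apps))


def evaluate(rules, pkt):
    """Return (rule name, action): first explicit match wins, otherwise the implicit defaults apply."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    if pkt["src_zone"] == pkt["dst_zone"]:
        return "intrazone-default", "allow"   # the behaviour the guide warns about
    return "interzone-default", "deny"


# Rules from steps 5-10: allow web-browsing to the web server subnet, then deny everything else.
WEB_SUBNET = ["192.168.2.0/24"]
ALLOW_WEB = Rule("allow-web", "any", "any", "any", WEB_SUBNET, ["web-browsing"], "allow")
DENY_ALL = Rule("deny-all", "any", "any", "any", "any", "any", "deny")


def packet(src_ip, dst_ip, app, zone="trust"):
    """Constructed flow. With one data interface both ends sit in the same (constructed) zone."""
    return {"src_zone": zone, "dst_zone": zone, "src_ip": src_ip, "dst_ip": dst_ip, "app": app}


# Source 192.168.1.1 is the SNIP the NetScaler VPX uses toward the servers in the guide's example.
WEB_PKT = packet("192.168.1.1", "192.168.2.50", "web-browsing")
SSH_PKT = packet("192.168.1.1", "192.168.2.50", "ssh")


def compare():
    """The same SSH flow with and without the explicit deny rule from step 10."""
    return {"without-deny": evaluate([ALLOW_WEB], SSH_PKT),
            "with-deny": evaluate([ALLOW_WEB, DENY_ALL], SSH_PKT)}
```

compare() returns {'without-deny': ('intrazone-default', 'allow'), 'with-deny': ('deny-all', 'deny')}: with only the allow rule, SSH to the server subnet falls through to the intrazone default and is permitted, which is exactly why step 10 exists. Step 9's logging point follows from the same model: only explicit rules log here, so the deny rule is also what makes the blocked traffic visible.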
Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in an L2 or a virtual wire deployment. The VM-Series firewall secures traffic destined to the servers. The request arrives at the VIP address of the NetScaler VPX and is processed by the VM-Series firewall before it reaches the servers. On the return path, the traffic is directed to the SNIP on the NetScaler VPX and is processed by the VM-Series firewall before it is sent back to the client.
For the topology before adding the VM-Series firewall, see Topology Before Adding the VM-Series Firewall.
Topology After Adding the VM-Series Firewall
The following table includes the basic configuration tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces
Virtual Wire Configuration
Each virtual wire interface (ethernet1/1 and ethernet1/2) must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
a. In the Virtual wire drop-down click New Virtual Wire, define a Name and assign the two data interfaces (ethernet1/1 and ethernet1/2) to it, and then click OK.
When configuring ethernet1/2, select this virtual wire.
b. Select New Zone from the Security Zone drop-down, define a Name for the new zone, for example client, and then click OK.
Layer 2 Configuration
For each Layer 2 interface, you require a security zone. Select the Config tab and complete the following tasks:
a. Select New Zone from the Security Zone drop-down, define a Name for the new zone, for example client, and then click OK.
4. Repeat steps 2 and 3 above for the other interface.
5. Click Commit to save changes to the firewall.
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.
Deploy the VM-Series Firewall Before the NetScaler VPX
The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM-Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs.
Topology Before Adding the VM-Series Firewall
Topology After Adding the VM-Series Firewall
The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces
Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.
Secure East-West Traffic with the VM-Series Firewall
The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network. This scenario is relevant to you if you have two NetScaler VPX instances, where one instance authenticates users and terminates SSL connections and then load balances requests to the DMZ servers, and the other VPX instance load balances connections to the corporate servers that host the application and database servers on your network.
Topology Before Adding the VM-Series Firewall
The communication between the servers in the DMZ and the servers in the corporate data center is processed by both instances of the NetScaler VPX. For content that resides in the corporate data center, a new request is handed off to the other instance of the NetScaler VPX, which forwards the request to the appropriate server.
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
All incoming requests are authenticated and the SSL connection is terminated on the first instance of the NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the server to fetch the requested content. Note that the north-south traffic destined to the corporate data center or to the servers in the DMZ is handled by the edge firewall and not by the VM-Series firewall.
For example, when a user (source IP 1.1.1.1) requests content from a server on the DMZ, the destination IP is 20.5.5.1 (VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address, based on the protocol, with the internal server IP address, say 192.168.10.10. The return traffic from the server is sent back to the NetScaler VPX at 20.5.5.1 and sent to the user with IP address 1.1.1.1.
All requests between the DMZ servers and the corporate data center are processed by the VM-Series firewall. For content that resides in the corporate data center, the request is transparently processed (if deployed using L2 or virtual wire interfaces) or routed (using Layer 3 interfaces) by the VM-Series firewall. It is then handed off to the second instance of the NetScaler VPX. This instance of the NetScaler VPX load balances the request across the servers in the corporate data center and services the request. The return traffic uses the same path as the incoming request.
For example, when a server on the DMZ (say 192.168.10.10) needs content from a server in the corporate data center (say 172.16.10.20), the destination IP address is 172.168.10.3 (the VIP on the second NetScaler). The request is sent to the VM-Series firewall at 192.168.10.2, where the firewall performs a policy lookup and routes the request to 172.168.10.3. The second NetScaler VPX replaces the destination IP address, based on protocol, with the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the source IP address for the request is set as 172.168.10.3 and is routed to the VM-Series firewall at 172.168.10.2. On the VM-Series firewall, a policy lookup is again performed and the traffic is routed to the server in the DMZ (192.168.10.10).
In order to filter and report on user activity on your network, because all requests are initiated from the NetScaler VPX, you must enable HTTP Header insertion or the TCP Option for IP Insertion on the first instance of the NetScaler VPX.
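The two traffic paths above, as an added Python example (not Citrix or Palo Alto Networks code) that models the addresses used in this scenario and traces where the VM-Series evaluates policy and where a NetScaler VIP rewrites addresses. The zone names, the firewall's two interface addresses and the single-backend VIPs are assumptions of the model.

```python
import ipaddress

# Constructed model of the topology above (added example, not vendor code).
# The VM-Series firewall with L3 interfaces sits between the DMZ and the
# corporate transit network; the corporate servers sit behind NetScaler-2.
VM_SERIES = {                # zone -> VM-Series interface address (assumed zone names)
    "dmz": "192.168.10.2",
    "corp": "172.168.10.2",
}
ZONES = {                    # zone -> subnet reachable through that interface
    "dmz": ipaddress.ip_network("192.168.10.0/24"),
    "corp": ipaddress.ip_network("172.168.10.0/24"),
}
NETSCALERS = {               # VIP -> (instance, backend the VIP is rewritten to)
    "20.5.5.1": ("NetScaler-1", "192.168.10.10"),
    "172.168.10.3": ("NetScaler-2", "172.16.10.20"),
}
# Security policy on the VM-Series: zone pairs that are allowed to talk.
POLICY = {("dmz", "corp"): "allow", ("corp", "dmz"): "allow"}


def zone_of(ip):
    """Zone of an address, or None when the address is outside the networks
    the VM-Series connects (the Internet or the corporate server subnet)."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return None


def vm_series_hop(src, dst):
    """Policy lookup for one packet. Returns (hop description, allowed);
    the hop is None when the packet does not cross the VM-Series."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None or src_zone == dst_zone:
        return None, True
    verdict = POLICY.get((src_zone, dst_zone), "deny")
    hop = (f"VM-Series {VM_SERIES[src_zone]}: {src}->{dst}, "
           f"policy {src_zone}->{dst_zone} = {verdict}")
    return hop, verdict == "allow"


def trace_flow(src, dst):
    """Trace a request from src to dst and its reply, listing every point
    where the VM-Series evaluates policy or a NetScaler VIP rewrites
    addresses. North-south traffic never touches the VM-Series."""
    hops = []
    if zone_of(src) is None:
        hops.append("edge firewall: north-south request, VM-Series not involved")
    hop, allowed = vm_series_hop(src, dst)
    if hop:
        hops.append(hop)
        if not allowed:
            return hops
    if dst not in NETSCALERS:
        hops.append(f"delivered to {dst}")
        return hops
    name, backend = NETSCALERS[dst]
    hops.append(f"{name} VIP {dst}: destination rewritten to {backend}")
    # Reply: backend -> NetScaler, which puts the VIP back as the source.
    hops.append(f"{name}: reply from {backend}, source set to {dst}")
    hop, allowed = vm_series_hop(dst, src)
    if hop:
        hops.append(hop)
        if not allowed:
            return hops
    hops.append(f"delivered to {src}")
    return hops


if __name__ == "__main__":
    for flow in (("1.1.1.1", "20.5.5.1"), ("192.168.10.10", "172.168.10.3")):
        print(f"{flow[0]} -> {flow[1]}")
        for hop in trace_flow(*flow):
            print("  ", hop)
```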
Set up the VM-Series Firewall to Secure East-West Traffic
For securing north-south traffic, see Secure North-South Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.
VM-Series for NSX Firewall Overview
NSX, VMware's Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on a cluster of ESXi servers. The term SDDC is a VMware term that refers to a data center where infrastructure compute resources, network and storage are virtualized using VMware NSX.
To keep pace with the changes in the agile SDDC, the VM-Series firewall for NSX simplifies the process of deploying a Palo Alto Networks next-generation firewall and continually enforcing security and compliance for the east-west traffic in the SDDC. For details on the VM-Series for NSX, see the following topics:
What are the Components of the VM-Series for NSX Solution?
How Do the Components in the VM-Series Firewall for NSX Solution Work Together?
What are the Benefits of the NSX VM-Series firewall for NSX Solution?
What is Multi-Tenant Support on the VM-Series Firewall for NSX?
What are the Components of the VM-Series for NSX Solution?
Table: VMware Components and Table: Palo Alto Networks Components show the components of this joint Palo Alto Networks and VMware solution. The following topics describe each component in more detail:
vCenter Server
NSX Manager
Panorama
VM-Series Firewall for NSX
Ports/Protocols used in Network Communication
Table: VMware Components
Component: Description
vCenter Server: The vCenter server is the centralized management tool for the vSphere suite.
NSX Manager: VMware's Networking and Security platform must be installed and registered with the vCenter server. The NSX Manager is required to deploy the VM-Series firewall on the ESXi hosts within an ESXi cluster.
ESXi Server: ESXi is a hypervisor that enables compute virtualization.
Table: Palo Alto Networks Components
Component: Description
PAN-OS: The VM-Series base image (PA-VM-NSX-8.0.zip) is used for deploying the VM-Series firewall for NSX with PAN-OS 8.0. The minimum system requirement for deploying the VM-Series firewall for NSX on the ESXi server depends on your VM-Series model. See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Panorama: Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX Manager to deploy, license, and centrally administer configuration and policies on the VM-Series firewall for NSX. Panorama must be running the same release version as, or a later version than, the firewalls that it will manage. Panorama must be able to connect to the NSX Manager, the vCenter server, the VM-Series firewalls and the Palo Alto Networks update server.
The resources required by Panorama depend on the mode Panorama will run in: Legacy or Panorama (recommended). New 8.0 Panorama installations run in Panorama mode, while a Panorama upgraded to 8.0 runs in Legacy mode. For more information about the modes and the requirements associated with each mode, see Set Up the Panorama Virtual Appliance.
In Panorama Mode, set the memory, number of CPUs, and storage based on the log storage capacity of Panorama:
2 TB storage: 8 CPUs and 16 GB memory
4 TB storage: 8 CPUs and 32 GB memory
6 to 8 TB storage: 12 CPUs and 32 GB memory
10 to 16 TB storage: 12 CPUs and 64 GB memory
18 to 24 TB storage: 16 CPUs and 64 GB memory
System Disk Space: 81 GB
Log Storage Capacity: 2 TB to 24 TB
In Legacy Mode, set the memory and the number of cores based on the number of firewalls that Panorama will manage:
1 to 10 firewalls: 4 cores and 4 GB memory
11 to 50 firewalls: 8 cores and 8 GB memory
51 to 1,000 firewalls: 8 cores and 16 GB memory
System Disk Space: 52 GB
Log Storage Capacity: 11 GB (default log storage on the system disk) to 8 TB (if you add a virtual logging disk)
VM-Series Firewall for NSX: The VM-100, VM-200, VM-300, VM-500, and VM-1000-HV support NSX.
Table: Versions Supported
Component: Versions Supported
vCenter Server: 5.5; 6.0 (recommended)
ESXi Server: 5.5; 6.0; 6.5a (requires Panorama VMware NSX Plugin 1.0.1)
NSX Manager: 6.1; 6.2; 6.3 (requires Panorama VMware NSX Plugin 1.0.1)
vCenter Server
The vCenter server is required to manage the NSX Manager and the ESXi hosts in your data center. This joint solution requires that the ESXi hosts be organized into one or more clusters on the vCenter server and be connected to a distributed virtual switch.
For information on clusters, distributed virtual switches, DRS, and the vCenter server, refer to your VMware documentation: http://www.vmware.com/support/vcenterserver.html.
NSX Manager
NSX is VMware's network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager. The NSX firewall is a logical firewall that allows you to attach network and security services to the virtual machines, and the Service Composer allows you to group virtual machines and create policy to redirect traffic to the VM-Series firewall (called the Palo Alto Networks NGFW service on the NSX Manager).
Panorama
Panorama is used to register the VM-Series firewall for NSX as the Palo Alto Networks NGFW service on the NSX Manager. Registering the Palo Alto Networks NGFW service on the NSX Manager allows the NSX Manager to deploy the VM-Series firewall for NSX on each ESXi host in the ESXi cluster.
Panorama serves as the central point of administration for the VM-Series firewalls running on NSX. When a new VM-Series firewall is deployed in NSX, it communicates with Panorama to obtain the license and receives its configuration/policies from Panorama. All configuration elements, policies, and dynamic address groups on the VM-Series firewalls can be centrally managed on Panorama using Device Groups and Templates. The REST-based XML API integration in this solution enables Panorama to synchronize with the NSX Manager and the VM-Series firewalls to allow the use of dynamic address groups and share context between the virtualized environment and security enforcement. For more information, see Policy Enforcement using Dynamic Address Groups.
VM-Series Firewall for NSX
The VM-Series firewall for NSX is the VM-Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process of installing the VM-Series firewall directly on the ESXi hypervisor, and allows the hypervisor to forward traffic to the VM-Series firewall without using the vSwitch configuration; it therefore requires no change to the virtual network topology.
The VM-Series firewall for NSX only supports virtual wire interfaces. On this firewall, ethernet1/1 and ethernet1/2 are bound together through a virtual wire and use the NetX dataplane API to communicate with the hypervisor. Layer 2 or Layer 3 interfaces are neither required nor supported on the VM-Series firewall for NSX, and therefore no switching or routing actions can be performed by the firewall. For enabling traffic separation in a multi-tenancy environment, you can create additional zones that internally map to a pair of virtual wire subinterfaces on the parent virtual wire interfaces, ethernet1/1 and ethernet1/2.
Ports/Protocols used in Network Communication
In order to enable the network communication required to deploy the VM-Series firewall for NSX, you must allow the use of the following protocols/ports and applications.
Panorama: To obtain software updates and dynamic updates, Panorama uses SSL to access updates.paloaltonetworks.com on TCP/443; this URL leverages the CDN infrastructure. If you need a single IP address, use staticupdates.paloaltonetworks.com. The App-ID for updates is paloalto-updates.
The NSX Manager and Panorama use SSL to communicate on TCP/443.
VM-Series Firewall for NSX: If you plan to use WildFire, the VM-Series firewalls must be able to access wildfire.paloaltonetworks.com on port 443. This is an SSL connection and the App-ID is paloalto-wildfire-cloud.
The management interface on the VM-Series firewall uses SSL to communicate with Panorama over TCP/3789.
vCenter Server: The vCenter Server must be able to reach the deployment web server that is hosting the VM-Series OVA. The port is TCP/80 by default, or App-ID web-browsing.
How Do the Components in the VM-Series Firewall for NSX Solution Work Together?
To meet the security challenges in the software-defined data center, the NSX Manager, ESXi servers and Panorama work together to automate the deployment of the VM-Series firewall.
1. Register the Palo Alto Networks NGFW service: The first step is to register the Palo Alto Networks NGFW as a service on the NSX Manager. The registration process uses the NetX management plane API to enable bidirectional communication between Panorama and the NSX Manager. Panorama is configured with the IP address and access credentials to initiate a connection and register the Palo Alto Networks NGFW service on the NSX Manager. The service definition includes the URL for accessing the VM-Series base image that is required to deploy the VM-Series firewall for NSX, the authorization code for retrieving the license, and the device group and template to which the VM-Series firewalls will belong. The NSX Manager uses this management plane connection to share updates on the changes in the virtual environment with Panorama.
2. Deploy the VM-Series automatically from NSX: The NSX Manager collects the VM-Series base image from the URL specified during registration and installs an instance of the VM-Series firewall on each ESXi host in the ESXi cluster. From a static management IP pool or a DHCP service (that you define on the NSX Manager), a management IP address is assigned to the VM-Series firewall and the Panorama IP address is provided to the firewall. When the firewall boots up, the NetX dataplane integration API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.
3. Establish communication between the VM-Series firewall and Panorama: The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall. The VM-Series firewall receives the license and reboots with a valid serial number.
If your Panorama is offline, which means that it does not have direct Internet access to retrieve the licenses and push them to the firewalls, you must manually license each firewall. When Panorama does not have Internet access (offline), you must add the serial number of the firewall to Panorama so that it is registered as a managed device and you can push the appropriate template and device group settings from Panorama.
4. Install configuration/policy from Panorama to the VM-Series firewall: The VM-Series firewall reconnects with Panorama and provides its serial number. Panorama now adds the firewall to the device group and template that were defined in the service definition and pushes the configuration and policy rules to the firewall. The VM-Series firewall is now available as a security virtual machine that can be further configured to safely enable applications on the network.
5. Push traffic redirection rules to NSX Manager: On Panorama, create security groups and define network introspection rules that specify the guests from which traffic will be steered to the VM-Series firewall. See Integrated Policy Rules for details.
To ensure that traffic from the guests is steered to the VM-Series firewall, you must have VMware Tools installed on each guest. If VMware Tools is not installed, the NSX Manager does not know the IP address of the guest and therefore the traffic cannot be steered to the VM-Series firewall. For more information, see Steer Traffic from Guests that are not Running VMware Tools.
6. Receive real-time updates from NSX Manager: The NSX Manager sends real-time updates on the changes in the virtual environment to Panorama. These updates include information on the security groups and IP addresses of guests that are part of the security group from which traffic is redirected to the VM-Series firewall. See Integrated Policy Rules for details.
7. Use dynamic address groups in policy and push dynamic updates from Panorama to the VM-Series firewalls: On Panorama, use the real-time updates on security groups to create dynamic address groups, bind them to security policies and then push these policies to the VM-Series firewalls. Every VM-Series firewall in the device group will have the same set of policies and is now completely marshaled to secure the SDDC. See Policy Enforcement using Dynamic Address Groups for details.
Integrated Policy Rules
Panorama serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. The traffic steering rules are defined on Panorama and pushed to NSX Manager; these determine what traffic from which guests in the cluster is steered to the Palo Alto Networks NGFW service. Security enforcement rules are also defined on Panorama and pushed to the VM-Series firewalls for the traffic that is steered to the Palo Alto Networks NGFW service.
Steering Rules: The rules for directing traffic from the guests on each ESXi host are defined on Panorama and applied by NSX Manager as partner security services rules.
For traffic that needs to be inspected and secured by the VM-Series firewall, the steering rules created on Panorama allow you to redirect the traffic to the Palo Alto Networks NGFW service. This traffic is then steered to the VM-Series firewall and is first processed by the VM-Series firewall before it goes to the virtual switch.
Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the VM-Series firewall and can be sent to the virtual switch for onward processing.
Rules centrally managed on Panorama and applied by the VM-Series firewall: The next-generation firewall rules are applied by the VM-Series firewall. These rules are centrally defined and managed on Panorama using templates and device groups and pushed to the VM-Series firewalls. The VM-Series firewall then enforces security policy by matching on source or destination IP address (the use of dynamic address groups allows the firewall to populate the members of the groups in real time) and forwards the traffic to the filters on the NSX Firewall.
To understand how the NSX Manager and Panorama stay synchronized with the changes in the SDDC and ensure that the VM-Series firewall consistently enforces policy, see Policy Enforcement using Dynamic Address Groups.
Policy Enforcement using Dynamic Address Groups
Unlike the other versions of the VM-Series firewall, because both virtual wire interfaces (and subinterfaces) belong to the same zone, the VM-Series firewall for NSX uses dynamic address groups as the traffic segmentation mechanism. A security policy rule on the VM-Series firewall for NSX must have the same source and destination zone; therefore, to implement different treatment of traffic, you use dynamic address groups as source or destination objects in security policy rules.
Dynamic address groups offer a way to automate the process of referencing source and/or destination addresses within security policies because IP addresses are constantly changing in a data center environment. Unlike static address objects that must be manually updated in configuration and committed whenever there is an address change (addition, deletion, or move), dynamic address groups automatically adapt to changes.
Any dynamic address groups created in a device group belonging to the NSX configuration and configured with the match criterion _nsx_<dynamic address group name> trigger the creation of corresponding security groups on the NSX Manager. In an ESXi cluster with multiple customers or tenants, the ability to filter security groups for a service profile (zone on Panorama) on the NSX Manager allows you to enforce policy when you have overlapping IP addresses across different security groups in your virtual environment.
If, for example, you have a multi-tier architecture for web applications, on Panorama you create three dynamic address groups for the Web Front End servers, Application servers and the Database servers. When you commit these changes on Panorama, it triggers the creation of three corresponding security groups on NSX Manager.
On NSX Manager, you can then add guest VMs to the appropriate security groups. Then, in security policy you can use the dynamic address groups as source or destination objects, define the applications that are permitted to traverse these servers, and push the rules to the VM-Series firewalls.
Each time a guest is added or modified in the ESXi cluster or a security group is updated or created, the NSX Manager uses the PAN-OS REST-based XML API to update Panorama with the IP address and the security group to which the guest belongs. To trace the flow of information, see Dynamic Address Groups: Information Relay from NSX Manager to Panorama.
To ensure that the name of each security group is unique, the vCenter server assigns a Managed Object Reference (MOB) ID to the name you define for the security group. The syntax used to display the name of a security group on Panorama is serviceprofile-id_specified_name-securitygroup-number; for example, serviceprofile-13_WebFrontEnd-securitygroup-47.
When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group and the service profile to which that guest belongs. Then, Panorama pushes these real-time updates to all the firewalls that are included in the device group and notifies device groups in the service manager configuration on Panorama.
On each firewall, all policy rules that reference these dynamic address groups are updated at runtime. Because the firewall matches on the security group tag to determine the members of a dynamic address group, you do not need to modify or update the policy when you make changes in the virtual environment. The firewall matches the tags to find the current members of each dynamic address group and applies the security policy to the source/destination IP addresses that are included in the group.
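How a firewall resolves dynamic address group membership at runtime, as an added Python example (not PAN-OS or Panorama code): it parses security group display names in the syntax above, derives the _nsx_ match criterion, keeps tags per service profile so that overlapping addresses in different tenants stay apart, and evaluates a constructed three-tier rule set without ever modifying the rules. The notification format, the tag string and the first-match evaluation order are assumptions of this model.

```python
import re

# Display-name syntax from the text: serviceprofile-<id>_<name>-securitygroup-<number>
SG_NAME_RE = re.compile(
    r"^serviceprofile-(?P<profile>\d+)_(?P<name>.+)-securitygroup-(?P<sg>\d+)$")


def parse_security_group(display_name):
    """Split 'serviceprofile-13_WebFrontEnd-securitygroup-47' into its parts."""
    m = SG_NAME_RE.match(display_name)
    if not m:
        raise ValueError(f"unexpected security group name: {display_name!r}")
    return {"service_profile": int(m["profile"]),
            "name": m["name"],
            "security_group": int(m["sg"])}


def match_criterion(dag_name):
    """Match criterion a dynamic address group in the NSX device group must
    carry for Panorama to create the corresponding security group."""
    return f"_nsx_{dag_name}"


class FirewallDagState:
    """Runtime state of one VM-Series firewall: the tags Panorama relayed for
    each (service profile, IP) pair, plus the pushed rule set. Rules reference
    group names only, so they never change when guests come and go."""

    def __init__(self, rules):
        self.rules = rules      # pushed from Panorama; untouched at runtime
        self.tags = {}          # (service profile id, ip) -> set of tags

    def apply_update(self, update):
        """Consume one constructed notification: {'action': 'register' |
        'unregister', 'ip': ..., 'security_group': display name}."""
        sg = parse_security_group(update["security_group"])
        key = (sg["service_profile"], update["ip"])
        tag = match_criterion(sg["name"])           # assumed tag string
        if update["action"] == "register":
            self.tags.setdefault(key, set()).add(tag)
        else:
            remaining = self.tags.get(key, set())
            remaining.discard(tag)
            if not remaining:
                self.tags.pop(key, None)

    def members(self, dag_name, profile):
        """Current members of a dynamic address group within one service
        profile (zone); the same IP in another profile is a different guest."""
        tag = match_criterion(dag_name)
        return sorted(ip for (p, ip), tags in self.tags.items()
                      if p == profile and tag in tags)

    def evaluate(self, profile, src, dst, app):
        """First matching rule wins. A rule without a source/destination group
        matches any address; the VM-Series for NSX uses one zone for both
        directions, so only the groups segment traffic. 'deny' when nothing
        matches is this model's default, not the firewall's own default rules."""
        for rule in self.rules:
            src_group, dst_group = rule.get("source"), rule.get("destination")
            if src_group and src not in self.members(src_group, profile):
                continue
            if dst_group and dst not in self.members(dst_group, profile):
                continue
            if rule.get("application") not in (None, app):
                continue
            return rule["action"]
        return "deny"


# Constructed three-tier rule set pushed to the device group.
RULES = [
    {"name": "web-to-app", "source": "WebFrontEnd", "destination": "Application",
     "application": "web-browsing", "action": "allow"},
    {"name": "app-to-db", "source": "Application", "destination": "Database",
     "application": "mysql", "action": "allow"},
    {"name": "deny-rest", "action": "deny"},
]

# Constructed notifications: tenant 13's three tiers, plus tenant 14 reusing
# 10.1.1.10 for its database tier (overlapping addresses across profiles).
UPDATES = [
    {"action": "register", "ip": "10.1.1.10",
     "security_group": "serviceprofile-13_WebFrontEnd-securitygroup-47"},
    {"action": "register", "ip": "10.1.2.10",
     "security_group": "serviceprofile-13_Application-securitygroup-48"},
    {"action": "register", "ip": "10.1.3.10",
     "security_group": "serviceprofile-13_Database-securitygroup-49"},
    {"action": "register", "ip": "10.1.1.10",
     "security_group": "serviceprofile-14_Database-securitygroup-52"},
]


def build_firewall():
    fw = FirewallDagState(RULES)
    for update in UPDATES:
        fw.apply_update(update)
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.evaluate(13, "10.1.1.10", "10.1.2.10", "web-browsing"))  # allow
    print(fw.evaluate(13, "10.1.1.10", "10.1.3.10", "mysql"))         # deny
```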
What are the Benefits of the NSX VM-Series firewall for NSX Solution?
The VM-Series firewall for VMware NSX is focused on securing east-west communication in the software-defined data center. Deploying the firewall has the following benefits:
Sturdier Centralized Management: The firewalls deployed using this solution are licensed and managed by Panorama, the Palo Alto Networks central management tool. Panorama serves as a single point of configuration for integration with NSX. It gives the NSX Manager the information it needs to steer (redirect) traffic to the VM-Series firewall for inspection and enforcement. Using Panorama to manage both the perimeter and data center firewalls (the hardware-based and virtual firewalls) allows you to centralize policy management and maintain agility and consistency in policy enforcement throughout the network.
Automated Deployment: The NSX Manager automates the process of delivering next-generation firewall security services and the VM-Series firewall allows for transparent security enforcement. When a new ESXi host is added to a cluster, a new VM-Series firewall is automatically deployed, provisioned and available for immediate policy enforcement without any manual intervention. The automated workflow allows you to keep pace with the virtual machine deployments in your data center. The hypervisor mode on the firewall removes the need to reconfigure the ports/vswitches/network topology; because each ESXi host has an instance of the firewall, the traffic does not need to traverse the network or be backhauled for inspection and consistent enforcement of policies.
Ease in Administering Tenants in Shared and Dedicated Compute Infrastructure: This integration provides the flexibility in configuring the firewall to handle multiple zones for traffic segmentation, defining shared or specific policy sets for each tenant or sub-tenant, and includes support for overlapping IP addresses across tenants or sub-tenants. Whether you have a shared cluster and need to define tenant-specific policies and logically isolate traffic for each tenant (or sub-tenant), or you have a dedicated cluster for each tenant, this solution enables you to configure the firewall for your needs. And if you need a dedicated instance of the VM-Series firewall for each tenant in a cluster that hosts the workloads for multiple tenants, you can deploy multiple instances of the VM-Series firewall on each host in an ESXi cluster. For more information, see What is Multi-Tenant Support on the VM-Series Firewall for NSX?
Tighter Integration Between Virtual Environment and Security Enforcement for Dynamic Security: Dynamic address groups maintain awareness of changes in the virtual machines/applications and ensure that security policy stays in tandem with the changes in the network. This awareness provides visibility and protection of applications in an agile environment.
In summary, this solution ensures that the dynamic nature of the virtual network is secured with minimal administrative overhead. You can successfully deploy applications with greater speed, efficiency, and security.
What is Multi-Tenant Support on the VM-Series Firewall for NSX?
Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant. A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources.
To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub-tenant and redirect traffic to the appropriately configured VM-Series firewall. You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.
Panorama and the VM-Series firewalls must be running PAN-OS 7.1 or greater to support multi-tenancy.
To deploy a multi-tenant solution, create one or more service definition(s) and service profile zone(s) on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template. This means that each instance of the VM-Series firewall that is deployed using a service definition has one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster.
A service profile zone within a Panorama template is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that the firewall can isolate traffic for a sub-tenant. Because a template supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants.
Panorama registers each service definition as a service definition on the NSX Manager and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. You can then use the steering rules defined on Panorama and applied to the NSX Manager to specify what traffic to redirect to the VM-Series firewall based on NSX security groups, and to which tenant or sub-tenant based on the service profile.
Based on your requirements, you can choose from the following multi-tenancy options:
Shared cluster with shared VM-Series firewalls: Multiple tenants share the cluster and the VM-Series firewall. A single instance of the VM-Series firewall is deployed on each host in the cluster. In order to separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies.
Dedicated cluster with dedicated VM-Series firewalls: A single tenant occupies the cluster, and a single instance of the VM-Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub-tenants that require traffic separation (one zone per sub-tenant) and a single policy set with zone-based rules to secure traffic for each sub-tenant. See Use Case: Shared Security Policies on Dedicated Compute Infrastructure.
Shared cluster with dedicated VM-Series firewalls: Multiple tenants share the cluster and multiple instances of the VM-Series firewalls are deployed on each host in a cluster so that each tenant can have a dedicated instance of the VM-Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant's needs, you will define two or more service definitions for the cluster.
When deploying multiple instances of the VM-Series firewall, you must ensure that each ESXi host has sufficient CPU, memory and hard disk resources to support the VM-Series firewalls and the other virtual machines that will be running on it.
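The three options above, as an added Python example (not Panorama code) that maps tenants and sub-tenants to service definitions, service profile zones and the virtual wire subinterface pairs those zones create, and enforces the 32-pair limit per template. Sequential subinterface tags, the derived device group and template names, and the option identifiers are assumptions of this model.

```python
MAX_ZONES_PER_TEMPLATE = 32   # one virtual wire subinterface pair per zone


class ServiceDefinition:
    """Models a Panorama service definition: one device group, one template,
    and the service profile zones in that template. Every zone gets a pair
    of virtual wire subinterfaces; tags are assigned sequentially here,
    which is an assumption of this model."""

    def __init__(self, name):
        self.name = name
        self.device_group = f"{name}-dg"           # assumed naming
        self.template = f"{name}-template"         # assumed naming
        self.zones = {}            # zone -> (ethernet1/1.N, ethernet1/2.N)

    def add_zone(self, zone):
        if zone in self.zones:
            return self.zones[zone]
        if len(self.zones) >= MAX_ZONES_PER_TEMPLATE:
            raise ValueError(f"{self.template}: a template supports at most "
                             f"{MAX_ZONES_PER_TEMPLATE} service profile zones")
        tag = len(self.zones) + 1
        self.zones[zone] = (f"ethernet1/1.{tag}", f"ethernet1/2.{tag}")
        return self.zones[zone]


def plan_deployment(option, tenants):
    """Service definitions for one of the three multi-tenancy options.

    tenants maps a tenant to its list of sub-tenants (empty if the tenant
    is not subdivided). A tenant with no sub-tenants gets a single zone
    named after the tenant."""
    if option == "shared-cluster-shared-firewall":
        shared = ServiceDefinition("shared")
        for tenant in tenants:             # one zone per tenant, common rules
            shared.add_zone(tenant)
        return [shared]
    if option == "dedicated-cluster-dedicated-firewall":
        if len(tenants) != 1:
            raise ValueError("a dedicated cluster holds exactly one tenant")
        (tenant, subtenants), = tenants.items()
        sd = ServiceDefinition(tenant)
        for zone in subtenants or [tenant]:  # one zone per sub-tenant
            sd.add_zone(zone)
        return [sd]
    if option == "shared-cluster-dedicated-firewalls":
        if len(tenants) < 2:
            raise ValueError("this option needs two or more service definitions")
        plan = []
        for tenant, subtenants in tenants.items():
            sd = ServiceDefinition(tenant)  # dedicated firewall per tenant
            for zone in subtenants or [tenant]:
                sd.add_zone(zone)
            plan.append(sd)
        return plan
    raise ValueError(f"unknown option: {option}")


def firewalls_per_host(plan):
    """Each service definition deploys one VM-Series instance on every ESXi
    host in the cluster, so the host must be sized for this many firewalls."""
    return len(plan)


if __name__ == "__main__":
    plan = plan_deployment("shared-cluster-dedicated-firewalls",
                           {"acme": ["marketing", "accounting"], "globex": []})
    print(firewalls_per_host(plan), "firewall(s) per host")
    for sd in plan:
        print(sd.name, sd.zones)
```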
VM-Series Firewall for NSX Deployment Checklist
To deploy the VM-Series firewall for NSX, use the following workflow:
Step 1: Set up the Components. To deploy the VM-Series firewall for NSX, set up the following components (see What are the Components of the VM-Series for NSX Solution?):
Set up the vCenter server, and install and register the NSX Manager with the vCenter server.
If you have not already set up the virtual switch(es) and grouped the ESXi hosts into clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.
Do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series firewall for NSX to discard packets.
Upgrade Panorama to version 8.0. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. See Upgrade Panorama 7.1 to Panorama 8.0 for information about converting your 7.1 configuration formats to 8.0 configuration formats.
Install the VMware NSX Plugin.
Install a License Deactivation API Key. Deleting the Palo Alto Networks Service Deployment on NSX Manager automatically triggers license deactivation. A license deactivation API key is required to successfully deactivate the VM-Series license.
Download and save the ovf template for the VM-Series firewall for NSX on a web server. The ovf template must match your VM-Series model. If you are using the VM-200, select the VM-100 ovf (PA-VM-NSX-8.0.0.vm100.ovf). If using the VM-1000-HV, select the VM-300 ovf (PA-VM-NSX-8.0.0.vm300.ovf).
The NSX Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama.
Give the ova file a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova, allows you to overwrite the ova each time a newer version becomes available.
Register the capacity auth code for the VM-Series firewall for NSX with your support account on the Support Portal. For details, see Upgrade the VM-Series Firewall.
Step 2: Register. Configure Panorama to Register the VM-Series Firewall as a Service on the NSX Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager. The connection between Panorama and the NSX Manager is also required for licensing and configuring the firewall.
If you had configured Panorama to register the VM-Series firewall as a service on the NSX Manager in an earlier version, see Changes to default behavior to learn about the changes upon upgrade to version 8.0.
Step 3: Deploy the Firewalls and Create Policies. On Panorama, create the service definition(s) that specify the configuration for the VM-Series firewall and create policies to redirect traffic to the VM-Series firewall. On the NSX Manager, install the Palo Alto NGFW service. See Deploy the VM-Series Firewall and Create Steering Rules.
(On Panorama) Create the service definition.
If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see Changes to default behavior.
(On Panorama) Set up the dynamic address groups that map to security groups on NSX Manager. A security group assembles the specified guests/applications so that you can apply policy to the group.
(On Panorama) Create the security policy rules to redirect traffic to the Palo Alto Networks service profile.
(On the NSX Manager) Enable SpoofGuard and define rules to block non-IP protocols.
(On the NSX Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall.
(On the NSX Manager) Deploy the VM-Series firewall. The NSX Manager automatically deploys an instance of the VM-Series firewall on each ESXi host in the cluster.
The NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware Tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools.
(On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls.
This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.
Step 4: Monitor and Maintain Network Security. Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama (the Application Command Center (ACC), logs, and the report generation capabilities) you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator's Guide for more information.
Step 5: Upgrade the software version. When upgrading the VM-Series firewalls for NSX, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN-OS Software Version (VM-Series for NSX).
If you need to reinstall or remove the VM-Series from your NSX deployment, see the How to Remove VM-Series Integration from VMware NSX knowledge base article.
Install the VMware NSX Plugin
To deploy the VM-Series for NSX solution, you must install the VMware NSX plugin on Panorama. If you are upgrading to PAN-OS 8.0 and already have VMware NSX and the Palo Alto Networks VM-Series firewalls integrated and configured in your environment, the plugin will be installed automatically and your existing configuration is maintained. If you are configuring NSX integration for the first time, complete the following procedure to install the NSX plugin.
If another version of the plugin is currently installed, selecting Install removes (uninstalls) it and installs the selected version.
Install the VMware NSX Plugin
Step 1: Download the VMware NSX plugin from the Palo Alto Networks Customer Support website.
Step 3: If you are upgrading your version of the NSX plugin, complete a manual configuration sync.
1. Select Panorama > VMware NSX > Service Managers.
2. Select NSX Config-Sync in the Action column.
3. Click Yes.
4. When the sync is complete, click OK.
Register the VM-Series Firewall as a Service on the NSX Manager
You need to enable communication between Panorama and the NSX Manager and then register the VM-Series firewall as a service on the NSX Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager.
Enable Communication Between the NSX Manager and Panorama
Create Template(s) and Device Group(s) on Panorama
Create the Service Definitions on Panorama
Enable Communication Between the NSX Manager and Panorama
To automate the provisioning of the VM-Series firewall for NSX, enable communication between the NSX Manager and Panorama. This is a one-time setup, and only needs to be modified if the IP address of the NSX Manager changes or if the capacity license for deploying the VM-Series firewall is exceeded.
Use Panorama to Register the VM-Series Firewall as a Service
Step 2: Set up access to the NSX Manager.
1. Select Panorama > VMware NSX > Service Managers and click Add.
2. Enter the Service Manager Name.
On the NSX Manager, this name displays in the Service Manager column on Networking & Security > Service Definitions > Service Managers.
3. (Optional) Add a Description that identifies the VM-Series firewall as a service.
4. Enter the NSX Manager URL (IP address or FQDN) at which to access the NSX Manager.
5. Enter the NSX Manager Login credentials (username and password), so that Panorama can authenticate to the NSX Manager.
The ampersand (&) special character is not supported in the NSX Manager account password. If a password includes an ampersand, the connection between Panorama and the NSX Manager fails.
6. Click OK.
Step 5: Verify that the firewall is registered as a service on the NSX Manager.
1. On the vSphere web client, select Networking & Security > Service Definitions > Service Managers.
Create Template(s) and Device Group(s) on Panorama
To manage the VM-Series firewalls for NSX using Panorama, the firewalls must belong to a device group and a template. Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; the configuration is defined using the Objects and Policies tabs on Panorama. Use templates to configure the settings that are required for the VM-Series firewalls to operate on the network; the configuration is defined using the Device and Network tabs on Panorama. Each template containing zones used in your NSX configuration on Panorama must be associated with a service definition; at a minimum, you must create a zone within the template so that the NSX Manager can redirect traffic to the VM-Series firewall.
Each virtual wire zone belonging to the NSX-related template becomes available as a service profile on the Service Composer on the NSX Manager. When you create an NSX-related zone on Panorama, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, to isolate traffic for a tenant or sub-tenant. On the firewall, you can then Create Steering Rules to secure traffic that arrives on the virtual wire subinterface pair that maps to the zone.
If you are new to Panorama, refer to the Panorama Administrator's Guide for instructions on setting up Panorama.
Create a Device Group and a Template on Panorama
Create the Service Definitions on Panorama
A service definition specifies the configuration for the VM-Series firewalls installed on each host in an ESXi cluster. The service definition must include the device group, the license auth codes for deploying the VM-Series firewalls, and a template with one or more NSX service profile zones. Typically, you create one service definition for the VM-Series firewall in an ESXi cluster. If you have different ESXi clusters with workloads that require the VM-Series firewall to handle traffic differently, you can create multiple service definitions on Panorama.
On a Panorama commit, each service definition is registered on the NSX Manager. On registration with the NSX Manager, the NetX API implementation makes each zone (defined within the template) available for redirecting traffic. When you deploy the VM-Series firewalls, you can select the profile name for the VM-Series firewall(s) to which you want to redirect traffic from the objects in NSX security groups. The appropriately configured firewall can then inspect the traffic and enforce policy on the virtual machines that belong to the NSX security groups.
CreatetheServiceDefinitiononPanorama
CreatetheServiceDefinitiononPanorama
CreatetheServiceDefinitiononPanorama
CreatetheServiceDefinitiononPanorama
2. ToverifythatthezonesareavailableontheNSXManager:
a. SelectNetworking and Security > Service Composer >
Security Policies,andclickCreate Security Policy.
b. SelectNetwork Introspection Services,andclick Add.
c. IntheService Namedropdown,selectaPaloAlto
Networksservicethatyouverifiedinthestepabove.
d. IntheProfiledropdown,verifythatyoucanviewallthe
zonesyoudefinedforthatservicedefinitiononPanorama.
CreatetheServiceDefinitiononPanorama
Create Steering Rules
The following topics describe how to create policies on Panorama to steer traffic to the VM-Series firewall. In order for the VM-Series firewall to secure the traffic, you must complete the following tasks:
Set Up Dynamic Address Groups on Panorama
Redirect Traffic to the VM-Series Firewall
Set Up Dynamic Address Groups on Panorama
A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. When you create a dynamic address group that meets the right criteria and commit your changes, a corresponding security group is created on the NSX Manager. Creating security groups is required to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.
Set up Dynamic Address Groups on Panorama
Step 2 Verify that the corresponding security groups are created on the NSX Manager.
1. Select Network and Security > Service Composer > Security Groups.
2. Verify that your dynamic address groups appear as security groups on the Security Groups list. Each security group is prefixed with your service definition followed by an underscore and the dynamic address group name.
Redirect Traffic to the VM-Series Firewall
Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.
Create security policy rules in the associated device group. For each security rule, select one zone in the associated template, make the source and destination zones identical, and select the dynamic address groups as the source and destination. Creating a qualifying security policy in Panorama results in the creation of a corresponding steering rule on NSX Manager upon commit in Panorama.
Define Steering Rules to Redirect Traffic to the VM-Series Firewall
3. (Optional) Modify the NSX Traffic Direction and add NSX Services to a Steering Rule.
By default, the NSX Traffic Direction is set to inout and no NSX Services are selected.
a. Select the auto-generated steering rule to be modified.
b. To change the traffic direction, select the direction from the NSX Traffic Direction drop-down.
c. Click Add under NSX Services and choose a service from the Services drop-down. Repeat this step to add additional services.
d. Click OK.
4. Commit your changes.
Step 3 Verify that the corresponding traffic steering rules were created on the NSX Manager.
1. Select Network and Security > Firewall > Configuration > Partner Security Services.
2. Confirm that the traffic steering rules you created on Panorama are listed.
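The qualifying conditions above (one zone from the NSX template, identical source and destination zones, dynamic address groups as source and destination) are easy to get wrong when a rule silently fails to produce a steering rule. The following added example, not code from the guide or from Panorama, checks a set of rules against those conditions, reports why a rule will not steer, and derives the NSX security group names (service definition, underscore, dynamic address group name) that a qualifying rule will reference; the service definition, zone, rule and address group names are constructed sample data.

```python
"""Check which Panorama security rules will generate NSX steering rules.

Added example; it encodes the qualifying conditions stated in the guide,
not Panorama's own logic. All names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class SecurityRule:
    name: str
    from_zones: list
    to_zones: list
    source: list
    destination: list


@dataclass
class ServiceDefinition:
    name: str
    template_zones: set          # NSX service-profile zones in the template
    dynamic_address_groups: set  # DAGs defined in the NSX device group


def check_rule(rule, sdef):
    """Return (qualifies, reasons); reasons lists why the rule will not steer."""
    reasons = []
    if len(rule.from_zones) != 1 or len(rule.to_zones) != 1:
        reasons.append("rule must use exactly one source and one destination zone")
    elif rule.from_zones[0] != rule.to_zones[0]:
        reasons.append("source and destination zones must be identical")
    elif rule.from_zones[0] not in sdef.template_zones:
        reasons.append(f"zone {rule.from_zones[0]!r} is not in the template of {sdef.name}")
    for label, objs in (("source", rule.source), ("destination", rule.destination)):
        # 'any' or a static address object does not qualify; only DAGs do.
        if not objs or any(o not in sdef.dynamic_address_groups for o in objs):
            reasons.append(f"{label} must reference only dynamic address groups")
    return (not reasons, reasons)


def nsx_security_group_name(sdef, dag):
    """Name of the NSX security group Panorama creates for a DAG on commit."""
    return f"{sdef.name}_{dag}"


def expected_steering_rules(rules, sdef):
    """Map each qualifying rule to the NSX security groups its steering rule uses."""
    result = {}
    for rule in rules:
        ok, _ = check_rule(rule, sdef)
        if ok:
            groups = {nsx_security_group_name(sdef, d) for d in rule.source + rule.destination}
            result[rule.name] = sorted(groups)
    return result


# Constructed sample service definition and rules.
SERVICE_DEF = ServiceDefinition(
    name="NSX-SD",
    template_zones={"tenant-a", "tenant-b"},
    dynamic_address_groups={"web-servers", "db-servers"},
)

SAMPLE_RULES = [
    SecurityRule("web-to-db", ["tenant-a"], ["tenant-a"], ["web-servers"], ["db-servers"]),
    SecurityRule("cross-zone", ["tenant-a"], ["tenant-b"], ["web-servers"], ["db-servers"]),
    SecurityRule("any-src", ["tenant-a"], ["tenant-a"], ["any"], ["db-servers"]),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        ok, why = check_rule(r, SERVICE_DEF)
        print(f"{r.name}: {'steers' if ok else 'no steering rule: ' + '; '.join(why)}")
    print(expected_steering_rules(SAMPLE_RULES, SERVICE_DEF))
```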
Deploy the VM-Series Firewall
After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager.
Enable SpoofGuard
Define an IP Address Pool (Required only if the management interface is not configured for DHCP)
Prepare the ESXi Host for the VM-Series Firewall
Deploy the Palo Alto Networks NGFW Service
Apply Policies to the VM-Series Firewall
Enable Large Receive Offload
Support for vMotion of guest virtual machines in the vSphere/NSX Environment
When a guest VM is vMotioned from one host to another within a cluster, the target host NSX distributed firewall will steer all new sessions to the VM-Series firewall on the destination host. To ensure that all active (existing) sessions remain uninterrupted during and after the guest vMotion, the NSX Manager polls the VM-Series firewall for existing allowed sessions and then shares these sessions with the NSX distributed firewall on the destination host. All existing sessions that were allowed by the original VM-Series firewall will be allowed by the NSX distributed firewall (filtering module) on the destination host without steering to the target host VM-Series firewall, to prevent session loss.
The VM-Series firewall runs as a service on each host of the cluster and therefore is never vMotioned.
Enable SpoofGuard
The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non-IP L2 traffic, or IP traffic that does not match the IP addresses known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and will not be steered to the VM-Series firewall. Therefore, to ensure that all traffic is correctly filtered, you need to perform the following steps:
Enable SpoofGuard to prevent unknown IP traffic that might otherwise bypass the VM-Series firewall. When SpoofGuard is enabled, if the IP address of a virtual machine changes, traffic from the virtual machine will be blocked until you inspect and approve the change in IP address in the NSX SpoofGuard interface.
Configure the NSX firewall rules to block non-IP L2 traffic that cannot be steered to the VM-Series firewall.
vCenter uses VMware Tools to learn the IP address(es) of each guest. If VMware Tools is not installed on some of your guests, see Steer Traffic from Guests that are not Running VMware Tools.
Enable SpoofGuard and Block Non-IP L2 Traffic
Step 1 Enable SpoofGuard for the port group(s) containing the guests.
When enabled, for each network adapter, SpoofGuard inspects packets for the prescribed MAC and its corresponding IP address.
1. Select Networking and Security > SpoofGuard.
2. Click Add to create a new policy, and select the following options:
SpoofGuard: Enabled
Operation Mode: Automatically trust IP assignments on their first use.
Allow local address as valid address in this namespace.
Select Networks: Select the port groups to which the guests are connected.
Step 2 Select the IP protocols to allow.
1. Select Networking and Security > Firewall > Ethernet.
2. Add a rule that allows ARP, IPv4 and IPv6 traffic.
3. Add a rule that blocks everything else.
Define an IP Address Pool
You can configure the management interface on the VM-Series firewall to use an IP address from a static IP pool or to be a DHCP client.
If you opt to use an IP pool, which is a range of (static) IP addresses that are reserved for establishing management access to the VM-Series firewalls, then when the NSX Manager deploys a new VM-Series firewall, the first available IP address from this range is assigned to the management interface of the firewall.
Define an IP Address Pool
Prepare the ESXi Host for the VM-Series Firewall
Before you deploy the VM-Series firewall, each host in the cluster must have the necessary NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager will install the components, the Ethernet Adapter Module (.eam) and the SDK, required to deploy the VM-Series firewall.
Prepare the ESXi Hosts for the VM-Series Firewall
As new ESXi hosts are added to a cluster, this process is automated and the necessary NSX components are automatically installed on each guest on the ESXi host.
Step 3 If the Installation Status is not ready or a warning displays on screen, click the Resolve link. To monitor the progress of the reinstallation attempt, click the More Tasks link and look for the successful completion of the following tasks:
Deploy the Palo Alto Networks NGFW Service
Use the following steps to automate the process of deploying an instance of the VM-Series firewall for NSX on each ESXi host in the specified cluster.
Deploy the Palo Alto Networks NGFW Service
Step 3 Select the Datacenter and the cluster(s) on which the service will be deployed. One instance of the firewall will be deployed on each host in the selected cluster(s).
Step 4 Select the datastore from which to allocate disk space for the firewall. Select one of the following options depending on your deployment:
If you have allocated shared storage for the cluster, select an available shared datastore.
If you have not allocated shared storage for the cluster, select the Specified-on-host option. Be sure to select the storage on each ESXi host in the cluster. Also select the network that will be used for the management traffic on the VM-Series firewall.
Step 5 Select the port group that provides management network traffic access to the firewall.
Step 6 Select the IP address pool assignment.
Use IP Pool (Define an IP Address Pool) from which to assign a management IP address for each firewall when it is being deployed.
Use DHCP on the management interface.
If you use an IP pool, on deployment, the display name for the VM-Series firewall on Panorama includes the hostname of the ESXi host. For example: PA-VM:10.5.1.120.
If you use DHCP, the display name for the VM-Series firewall does not include the name of the ESXi host.
Step 7 Review the configuration and click Finish.
If the installation of the VM-Series fails, the error message is displayed in the Installation Status column. You can also use the Tasks tab and the Log Browser on the NSX Manager to view the details of the failure, and refer to the VMware documentation for troubleshooting steps.
Step 9 Verify that the firewall is successfully deployed.
1. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
2. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
With VMware Tools, you can view resource utilization metrics on hard disk, memory, and CPU, and use these metrics to enable alarms or actions on the vCenter server. The heartbeats allow you to verify that the firewall is live and trigger actions to ensure high availability. You can also perform a graceful shutdown and restart of the firewall using the power off function on vCenter.
Step 10 Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama.
1. Select Panorama > Managed Devices to verify that the firewalls are connected and synchronized.
If the firewall gets its IP address from an IP Pool, the Display Name for the firewall includes the hostname of the ESXi server on which it is deployed, for example PA-VM:ESX1.Sydney. If the firewall gets a DHCP-assigned IP address, the hostname of the ESXi server does not display.
2. Click Commit, and select Commit Type as Panorama.
A periodic Panorama commit is required to ensure that Panorama saves the device serial numbers to the configuration. If you reboot Panorama without committing the changes, the managed devices will not connect back to Panorama; although the Device Group will display the list of devices, the devices will not display in Panorama > Managed Devices.
Step 11 Verify that the capacity license is applied and apply any additional licenses that you have purchased. At a minimum, you must activate the support license on each firewall.
When Panorama does not have internet access (Offline), you must manually license each firewall, and then add the serial number of the firewall to Panorama so that it is registered as a managed device and can receive the template and device group settings from Panorama.
1. Select Panorama > Device Deployment > Licenses to verify that the VM-Series capacity license is applied.
2. To apply additional licenses on the VM-Series firewalls:
Click Activate on Panorama > Device Deployment > Licenses.
Find or filter for the firewall, and in the Auth Code column, enter the authorization code for the license to activate. Only one authorization code can be entered at a time for each firewall.
3. Click Activate, and verify that the result of the license activation was successful.
Step 12 (Optional) Upgrade the PAN-OS version on the VM-Series firewalls; see Upgrade the PAN-OS Software Version (VM-Series for NSX).
Step 13 Add guest VMs to the right security groups for traffic from those VMs to be redirected to the VM-Series firewall.
1. Log in to vCenter.
2. Select Networking & Security > Service Composer > Security Groups.
3. Highlight the security group to which you want to assign guest VMs and click the Edit Security Group icon.
4. Select Define dynamic membership and click the + icon.
5. Click Add.
6. Define the dynamic membership criteria that the guest VMs must meet to be part of the selected security group. The criteria you use depend on your network deployment. For example, you might choose to group VMs by an Entity such as Logical Switch or Distributed Port Group.
7. Click Finish.
8. Repeat this procedure for each security group that should have its traffic redirected to the VM-Series firewall.
Apply Policies to the VM-Series Firewall
Now that you have created the steering rules on Panorama and pushed them to the NSX Manager, you can use Panorama for centrally administering policies on the VM-Series firewalls.
To manage centralized policy, attach the dynamic address group as a source or destination address in security policy and push it to the firewalls; the firewalls can dynamically retrieve the IP addresses of the virtual machines that are included in each security group to enforce compliance for traffic that originates from or is destined to the virtual machines in the specified group.
Define Policy on Panorama
6. Select the Application to allow. In this example, we create an Application Group that includes a static group of specific applications that are grouped together.
a. Click Add and select New Application Group.
b. Click Add to select the application to include in the group. In this example, we select the following:
c. Click OK to create the application group.
7. Specify the action Allow or Deny for the traffic, and optionally attach the default security profiles for antivirus, anti-spyware, and vulnerability protection under Profiles.
8. Repeat Steps 3-7 above to create the pertinent policy rules.
9. Click Commit, select Commit Type as Panorama, and click OK.
Define Policy on Panorama (Continued)
4. Click the more link and verify that the list of registered IP addresses is displayed.
Policy will be enforced for all IP addresses that belong to this address group and are displayed here.
Enable Large Receive Offload
Large receive offload (LRO) is a technique for increasing the inbound throughput on high-bandwidth network connections by decreasing CPU overhead. Without LRO, the firewall drops packets larger than the configured maximum transmission unit (MTU), which is a maximum of 9216 bytes when the firewall is enabled for jumbo frames. With LRO enabled, the firewall accepts packets up to 64KB in size and does not drop packets larger than the configured MTU. Instead, it segments the larger packets into smaller chunks of 9000 bytes. For example, if VM1 sends a 64KB packet to VM2, the packet is divided into eight segments.
LRO is disabled by default on new NSX deployments and on upgrade to 8.0. You can enable or disable LRO and view the LRO status through the CLI. Enabling LRO on the VM-Series firewall automatically enables jumbo frames. Additionally, LRO and TCP Segmentation Offload (TSO) must be enabled on the VMXNET3 network adapter on the VM-Series firewall host machine.
Enable LRO on the VM-Series for NSX
Steer Traffic from Guests that are not Running VMware Tools
VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest running in the cluster. NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If you do not have VMware Tools installed on each guest, the IP address(es) of the guest are unavailable to the NSX Manager and traffic cannot be steered to the VM-Series firewall.
The following steps allow you to manually provision guests without VMware Tools so that traffic from each of these guests can be managed by the VM-Series firewall.
Steer Traffic from Guests that are not Running VMware Tools
Step 1 Create an IP set that includes the guests that need to be secured by the VM-Series firewall. This IP set will be used as the source or destination object in an NSX distributed firewall rule in Step 4 below.
1. Select NSX Managers > Manage > Grouping Objects > IP Sets.
2. Click Add and enter the IP address of each guest that does not have VMware Tools installed and needs to be secured by the VM-Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are not valid.
Step 2 Verify that SpoofGuard is enabled. If not enabled, see Enable SpoofGuard.
Step 3 Manually approve the IP address(es) for each guest in SpoofGuard; this validates that the approved IP address is the accurate address for that network adapter. For a manually configured IP address, make sure to add the IP address to the IP set before approving it in SpoofGuard.
1. Select the new SpoofGuard policy you created earlier and View: Inactive Virtual NICs.
2. Select the guest, add the IP address in the Approved IP field, and Publish changes.
3. Review and approve all previously approved IP addresses too.
Step 4 Attach the IP sets to the Security Groups on NSX to enforce policy.
1. Select Networking and Security > Service Composer > Security Groups.
2. Select Select objects to include > IP Sets, and add the IP set object to include.
Dynamically Quarantine Infected Guests
Threat and traffic logs in PAN-OS include the source or destination universally unique identifier (UUID) of guest VMs in your NSX deployment. This allows the VM-Series for NSX to support the tagging of guest VMs with NSX security tags. With the guest VM's UUID now included in the log events, the firewall, based on the filtered log events, can tag the affected guest VM via the NSX Manager API. This allows for automatic location of compromised VMs in the NSX environment. NSX can then put all associated UUIDs under policies to quarantine those VMs from the rest of the network.
Panorama includes predefined payload formats for threat and traffic logs in the HTTP Server Profile. These payload formats correspond to predefined security tags in NSX. When a guest VM is found in the threat or traffic logs, Panorama makes an API call to NSX Manager telling NSX Manager to tag the guest VM with the tag specified in the HTTP Server Profile. When the guest VM becomes tagged, NSX Manager dynamically moves the tagged guest VM into the quarantine security group, which places the guest VM into the quarantine dynamic address group.
Configure Panorama to Dynamically Quarantine Infected Guests
Step 1 Confirm that you have content update version 636 or later installed on Panorama.
Step 2 Create a dynamic address group to be your quarantine dynamic address group.
Step 3 Create an HTTP Server Profile to send API calls to NSX Manager.
1. Select Panorama > Server Profiles > HTTP and Add a new HTTP Server Profile.
2. Enter a descriptive Name.
3. Select Add to provide the details of NSX Manager.
4. Enter a Name for NSX Manager.
5. Enter the IP Address of NSX Manager.
6. Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively.
7. Select PUT under the HTTP Method column.
8. Enter the username and password for NSX Manager.
9. Select Payload Format and choose an NSX payload format from the Predefined Formats drop-down. This populates the URI Format, HTTP Headers, and Payload fields with the correct information to send the HTTP API call to NSX Manager. Additionally, the chosen format determines which security tag NSX Manager applies to infected guest VMs. In the example below, NSX AntiVirus Threat High is selected, which corresponds to the ANTI_VIRUS.VirusFound.threat=high security tag on NSX Manager.
Step 4 Define the match criteria for when Panorama will forward logs to the NSX Manager, and attach the HTTP server profile to use.
1. Select Panorama > Log Settings for Threat or Traffic logs.
2. Enter a descriptive name for the new log settings.
3. (Optional) Under Filter, you can add filters such as severity to narrow the logs that are forwarded to NSX Manager. If All Logs is selected, all threat or traffic logs that meet the criteria set in the HTTP Server profile are sent to NSX Manager.
4. Click Add under HTTP and select the HTTP Server Profile configured in Step 3.
5. Click OK.
Step 5 Configure an NSX server certificate for Panorama to forward logs to NSX Manager.
1. Select Panorama > Certificate Management > Certificates.
2. Create a root CA certificate with CN = IP address of Panorama.
3. Create a signed certificate with CN = IP address of NSX Manager.
4. Export the root CA certificate in PEM format without a private key.
5. Export the signed certificate in PEM format with a private key.
6. Using a tool such as OpenSSL, concatenate the exported certificates into a single PEM file for upload to NSX Manager. Use the following commands in OpenSSL to complete this step.
cat cert_NSX_Root_CA.crt cert_NSX_Signed1.pem > cert_NSX_cert_chain.pem
openssl pkcs12 -export -in cert_NSX_cert_chain.pem -out cert_NSX_cert.p12
7. Log in to NSX Manager and select Manage Appliance Settings > SSL Certificates > Upload PKCS#12 Keystore. Click Choose File, locate the .p12 file you created in the previous step, and click Import.
Step 6 Associate a security group with a security tag in vCenter.
1. Log in to vCenter.
2. Select Networking & Security > Service Composer > Security Groups.
3. Select the security group that is the counterpart to the quarantine dynamic address group you created previously and click Edit Security Group.
4. Select Define dynamic membership and click the + icon.
5. Click Add.
6. Set the criteria details to Security Tag Contains and then enter the NSX security tag that corresponds to the NSX payload format you chose in Step 3. Each of the predefined NSX payload formats corresponds to an NSX security tag. To view the NSX security tags in NSX, select Networking & Security > NSX Managers > NSX Manager IP > Manage > Security Tags.
In this example, NSX AntiVirus Threat High is used in the HTTP Server Profile, so ANTI_VIRUS.VirusFound.threat=high is the NSX Security Tag that is used here.
7. Click Finish.
Step 7 After the guest VM is cleared for removal from quarantine, manually remove the NSX security tag from the guest VM in NSX.
1. Log in to vCenter.
2. Select VMs and Templates and choose the quarantined guest.
3. Select Summary > Security Tags > Manage.
4. Uncheck the security tag used by the quarantine security group and click OK.
5. Refresh the page; the quarantine security group will no longer be listed under Summary > Security Group Membership.
Source and destination UUID fields in threat and traffic logs may be blank after a guest VM is removed from quarantine. This can occur when running NSX 6.2.3 or earlier, or if NSX steering rules do not use the inout direction. You can resolve this by upgrading NSX to 6.2.4, or by issuing an NSX Config sync under Panorama > VMware NSX > Service Manager and rebooting the PA-VM.
Use Case: Shared Compute Infrastructure and Shared Security Policies
This use case allows you to logically isolate traffic from two tenants that share an ESXi cluster and have a common set of security policies. In order to isolate traffic from each tenant you need to create a service definition with a template that includes two zones. Zone-based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants when it traverses the firewall. The firewall is able to distinguish traffic between tenant virtual machines based on the service profiles and security groups created on the NSX Manager, which are available as match criteria in Dynamic Address Groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant's virtual machines using zone-based policy rules (source and destination zones must be the same) and dynamic address groups.
VM-Series Firewall for NSX Per-Tenant Zone with Unified Security Policy on Shared Infrastructure
3. Verify that the NSX Manager reports the Installation Status as Successful.
4. Verify that the VM-Series firewall is successfully deployed.
a. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
b. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
2. On Panorama, create security policy rules, use the dynamic address groups as source or destination address objects in those rules, and push them to the firewalls.
a. Select Policies > Security > Prerules and click Add.
b. Create rules for each tenant. This use case has the following policy rules:
3. Click Commit, and select Commit Type as Device Groups. Select the device group, NSXDG in this example, and click OK.
aggregation groups: 0
ethernet1/2 17 1 vwire:ethernet1/1
2. On the web interface of the VM-Series firewall, select Objects > Address Groups and verify that you can view the IP address for the members of each Dynamic Address Group. The following is an example of duplicate IP addresses in dynamic address groups across both tenants.
Use Case: Shared Security Policies on Dedicated Compute Infrastructure
If you are a Managed Service Provider who needs to secure a large enterprise (tenant) with multiple departments (sub-tenants), and each tenant requires dedicated compute infrastructure and security policy rules, you need to create a service definition for each tenant.
In this use case, each tenant, BMW and Toyota, has a dedicated ESXi cluster, and each tenant has sub-tenants Dev, QA, and Prod whose workloads are deployed in the cluster. You need to define two service definitions to allow the VM-Series firewalls for each tenant to have Security policies for their respective ESXi clusters. The service definition for each tenant includes multiple zones (with corresponding virtual wire subinterface pairs) for isolating traffic from each sub-tenant. Each zone is mapped to a service profile on the NSX Manager, which allows the firewall to distinguish traffic from the virtual machines for each sub-tenant and to enforce zone-based security policy rules within the common set of policy rules for the tenant. Zone-based policies in combination with the Dynamic Address Groups also allow you to secure sub-tenants who may have overlapping networks, and hence duplicate IP addresses. To uniquely identify virtual machines assigned to each sub-tenant and successfully enforce policy, the NSX Manager provides the service profile and security group to which a virtual machine belongs as match criteria in dynamic address groups on Panorama. For more information, see Policy Enforcement using Dynamic Address Groups.
You can also configure role-based access control using access domains on Panorama. Access domains allow you to control administrative access to specific device groups (to manage policies and objects) and templates (to manage network and device settings), so that each tenant administrator can manage the configuration for their VM-Series firewalls. Role-based access also allows you to limit log visibility to the respective tenant only.
VM-Series Firewall for NSX Per-Tenant Security Policy on Dedicated Infrastructure
5. Repeat step 4 for the other template.
4. Verify that the VM-Series firewall is successfully deployed.
a. On the vCenter server, select Hosts and Clusters to check that every host in each cluster has one instance of the firewall.
b. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
d. Create the dynamic address groups for the sub-tenants of the other tenant, BMW in this example.
2. On Panorama, create Security policies, use the dynamic address groups as source or destination address objects in the security policy rules, and push them to the firewalls.
a. Select Policies > Security > Pre Rules.
b. Select a Device Group from the drop-down and click Add.
c. Create rules for each sub-tenant. Make sure to keep the source and destination zone the same in a policy rule. To ensure that only the application that is running on the server is allowed, allow the service on the application-default port only.
This use case has the following policy rules for the tenant Toyota:
3. Select the other Device Group from the drop-down and create the Security policies for each sub-tenant of the other tenant, BMW in this example.
4. Click Commit, and select Commit Type as Device Groups. Select the device groups, NSXDGBMW and NSXDGTOYOTA in this example, and click OK.
The commit pushes the Security policies to the firewalls that belong to each device group, and they can enforce policy on the traffic redirected by the NSX Manager.
Step 8 Verify that traffic from each tenant is secured.
1. On Panorama, go to Monitor > Logs > Traffic and Monitor > Logs > Threat to view the Traffic logs and Threat logs. Select the device group for a tenant and sort on the Zone name for full visibility into traffic from each sub-tenant.
2. On Panorama, use the ACC for visibility into traffic patterns and actionable information on threats. Use the widgets and filters to interact with the data on the ACC.
3. On the VM-Series firewall, select Objects > Address Groups to view the IP address for the members of each Dynamic Address Group.
Dynamic Address Groups: Information Relay from NSX Manager to Panorama
To enforce security policies in a VM-Series and NSX integrated data center, Panorama must be able to obtain information on the changes in the virtual landscape. As new virtual machines are deployed, changed, or deleted, the NSX Manager informs Panorama of IP addresses added to or removed from security groups on the NSX Manager. Panorama in turn pushes this information to the VM-Series firewalls. Dynamic address groups referenced in firewall policies match against this information to determine the members that belong to the group. This process allows the firewall to enforce context-aware security policy, which secures traffic to and from these virtual machines. For details on dynamic address groups, see Policy Enforcement using Dynamic Address Groups.
The following diagram illustrates how the information is relayed from the NSX Manager to Panorama.
To understand this process, let's trace the information update sent from the NSX Manager to Panorama when a new server is added to a security group. Use the elements highlighted within the output in each phase of this example to troubleshoot where the process failed.
Information Relay from the NSX Manager to Panorama
2. From the CLI, enter the following command to view the logs generated by the PHP server:
admin@Panorama> tail follow yes mp-log php.debug.log
[2014/12/03 14:24:11]
<request cmd="op" cookie="0604879067249569" refresh="no">
<operations xml="yes">
<show>
<cli>
...
<request>
<partner>
<vmware-service-manager>
<update>
<method>PUT</method>
<type>update</type>
<username>_vsm_admin</username>
<password>4006474760514053</password>
<url>/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset</url>
<data><![CDATA[<containerSet><container><id>securitygroup10</id><name>Web Servers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>]]></data>
</update>
</vmware-service-manager>
</partner>
</request>
</operations>
</request>
Information Relay from the NSX Manager to Panorama (Continued)
4. Look for the list of IP addresses and security group tags:
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:10.3.4.185
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServerssecuritygroup10
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:15.0.0.202
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServerssecuritygroup10
pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: DomainControllerssecuritygroup16
2014-12-03 14:24:11.647 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:15.0.0.201
2014-12-03 14:24:11.648 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SQLServerssecuritygroup11
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServerssecuritygroup13
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:10.3.4.187
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServerssecuritygroup13
...
InformationRelayfromtheNSXManagertoPanorama(Continued)
5. Finally, verify that the update was relayed from the management server daemon to the managed firewalls.
Send to device: 007900002079 [UNREG:0; REG:2] with dynamic address update: <request cmd='op' cookie='0604879067249569' target
.
<register>
  <entry ip="15.0.0.203">
    <tag>
      <member>WebServers-securitygroup-10</member>
    </tag>
  </entry>
  <entry ip="10.3.4.186">
    <tag>
      <member>WebServers-securitygroup-10</member>
    </tag>
  </entry>
</register>
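Steps 4 and 5 above can be cross-checked mechanically: every IP/tag pair that Panorama pushes in the <register> update should also appear in its own ip/tag debug output. The following script is an added example and not part of the guide; the log lines and the <register> snippet are constructed from the values shown above, and the ip:/tag: line layout is assumed to be as printed there.

```python
"""Cross-check Panorama's ip/tag debug log against the dynamic address
update it relays to the managed firewalls (added example, not from the guide).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the configd debug output from step 4.
SAMPLE_LOG = """\
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:10.3.4.186
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
2014-12-03 14:24:11.647 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:15.0.0.203
2014-12-03 14:24:11.647 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
2014-12-03 14:24:11.648 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:15.0.0.201
2014-12-03 14:24:11.648 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SQLServers-securitygroup-11
"""

# Constructed sample of the <register> block from step 5.
SAMPLE_REGISTER = """\
<register>
  <entry ip="15.0.0.203"><tag><member>WebServers-securitygroup-10</member></tag></entry>
  <entry ip="10.3.4.186"><tag><member>WebServers-securitygroup-10</member></tag></entry>
</register>
"""

IP_RE = re.compile(r"\bip:(\S+)\s*$")
TAG_RE = re.compile(r"\btag:\s*(\S+)\s*$")


def parse_ip_tag_log(text):
    """Return {ip: set(tags)} from the debug log.

    A 'tag:' line belongs to the most recent 'ip:' line. A 'tag:' line with
    no preceding 'ip:' line (as happens when the log is truncated) is skipped.
    """
    mapping = {}
    current_ip = None
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m:
            current_ip = m.group(1)
            mapping.setdefault(current_ip, set())
            continue
        m = TAG_RE.search(line)
        if m and current_ip is not None:
            mapping[current_ip].add(m.group(1))
    return mapping


def parse_register(xml_text):
    """Return {ip: set(tags)} from a <register> dynamic address update."""
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.iter("entry"):
        result[entry.get("ip")] = {m.text for m in entry.iter("member")}
    return result


def verify_relay(log_text, register_xml):
    """Compare what Panorama stored against what it pushed to the firewall.

    Returns (ok, problems). Every (ip, tag) pair pushed to the firewall must
    also be present in Panorama's own ip/tag list; anything else points at a
    stale or unexpected registration on the relay path.
    """
    expected = parse_ip_tag_log(log_text)
    pushed = parse_register(register_xml)
    problems = []
    for ip, tags in sorted(pushed.items()):
        missing = tags - expected.get(ip, set())
        if missing:
            problems.append(f"{ip}: pushed tags {sorted(missing)} not in Panorama log")
    return (not problems, problems)


if __name__ == "__main__":
    print(verify_relay(SAMPLE_LOG, SAMPLE_REGISTER))  # (True, [])
```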
About the VM-Series Firewall on AWS
The Amazon Web Service (AWS) is a public cloud service that enables you to run your applications on a shared infrastructure managed by Amazon. These applications can be deployed on scalable computing capacity, or EC2 instances, in different AWS regions and accessed by users over the internet.
For networking consistency and ease of management of EC2 instances, Amazon offers the Virtual Private Cloud (VPC). A VPC is apportioned from the AWS public cloud, and is assigned a CIDR block from the private network space (RFC 1918). Within a VPC, you can carve public/private subnets for your needs and deploy the applications on EC2 instances within those subnets. To then enable access to the applications within the VPC, you can deploy the VM-Series firewall on an EC2 instance. The VM-Series firewall can then be configured to secure traffic to and from the EC2 instances within the VPC.
The VM-Series firewall is available in both the public AWS cloud and on AWS GovCloud. The VM-Series firewall in public AWS supports the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) usage-based licensing model that is available from the AWS Marketplace. Because the AWS GovCloud does not have a Marketplace, the VM-Series firewall is available only in the bring your own license (BYOL) option on AWS GovCloud; the usage-based (hourly or annual) options are not available on AWS GovCloud. For licensing details, see VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
VM-Series Firewall on AWS GovCloud
AWS Terminology
Management Interface Mapping for Use with Amazon ELB
VM-Series Firewall on AWS GovCloud
AWS GovCloud is an isolated AWS region that meets the regulatory and compliance requirements of the US government agencies and customers.
To secure your workloads that contain all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data in the AWS GovCloud (US) Region, the VM-Series firewall provides the same robust security features in the standard AWS public cloud and on AWS GovCloud. The only difference is how you obtain the AMI on AWS GovCloud to Deploy the VM-Series Firewall on AWS.
Because the AWS GovCloud does not have a Marketplace, the VM-Series firewall is available in the bring your own license (BYOL) option on AWS GovCloud; the usage-based (hourly or annual) options are not available on AWS GovCloud.
AWS Terminology
This document assumes that you are familiar with the networking and configuration of the AWS VPC. In order to provide context for the terms used in this section, here is a brief refresher on the AWS terms (some definitions are taken directly from the AWS glossary) that are referred to in this document:
Term: Description

EC2 (Elastic Compute Cloud)
  A web service that enables you to launch and manage Linux/UNIX and Windows server instances in Amazon's data centers.

AMI (Amazon Machine Image)
  An AMI provides the information required to launch an instance, which is a virtual server in the cloud.
  The VM-Series AMI is an encrypted machine image that includes the operating system required to instantiate the VM-Series firewall on an EC2 instance.

ELB (Elastic Load Balancing)
  ELB is an Amazon web service that helps you improve the availability and scalability of your applications by routing traffic across multiple Elastic Compute Cloud (EC2) instances. ELB detects unhealthy EC2 instances and reroutes traffic to healthy instances until the unhealthy instances are restored. ELB can send traffic only to the primary interface of the next hop load-balanced EC2 instance. So, to use ELB with a VM-Series firewall on AWS, the firewall must be able to use the primary interface for dataplane traffic.

ENI (Elastic Network Interface)
  An additional network interface that can be attached to an EC2 instance. ENIs can include a primary private IP address, one or more secondary private IP addresses, a public IP address, an elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag.

IP address types for EC2 instances
  An EC2 instance can have different types of IP addresses.
  - Public IP address: An IP address that can be routed across the internet.
  - Private IP address: An IP address in the private IP address range as defined in RFC 1918. You can choose to manually assign an IP address or to auto-assign an IP address within the range in the CIDR block for the subnet in which you launch the EC2 instance.
    If you are manually assigning an IP address, Amazon reserves the first four (4) IP addresses and the last one (1) IP address in every subnet for IP networking purposes.
  - Elastic IP address (EIP): A static IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not with a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change.
  An instance in a public subnet can have a Private IP address, a Public IP address, and an Elastic IP address (EIP); an instance in a private subnet will have a private IP address and optionally have an EIP.

Instance type
  Amazon-defined specifications that stipulate the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU-intensive, memory-intensive applications, and so on.

VPC (Virtual Private Cloud)
  An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.

IGW
  Internet gateway provided by Amazon. Connects a network to the internet. You can route traffic for IP addresses outside your VPC to the internet gateway.

IAM Role (Identity and Access Management)
  Required for enabling High Availability for the VM-Series firewall on AWS. The IAM role defines the API actions and resources the application can use after assuming the role. On failover, the IAM Role allows the VM-Series firewall to securely make API requests to switch the dataplane interfaces from the active peer to the passive peer.
  An IAM role is also required for VM Monitoring. See List of Attributes Monitored on the AWS VPC.

Subnets
  A segment of the IP address range of a VPC to which EC2 instances can be attached. EC2 instances are grouped into subnets based on your security and operational needs.
  There are two types of subnets:
  - Private subnet: The EC2 instances in this subnet cannot be reached from the internet.
  - Public subnet: The internet gateway is attached to the public subnet, and the EC2 instances in this subnet can be reached from the internet.

Security groups
  A security group is attached to an ENI and it specifies the list of protocols, ports, and IP address ranges that are allowed to establish inbound/outbound connections on the interface.
  In the AWS VPC, security groups and network ACLs control inbound and outbound traffic; security groups regulate access to the EC2 instance, while network ACLs regulate access to the subnet. Because you are deploying the VM-Series firewall, set more permissive rules in your security groups and network ACLs and allow the firewall to safely enable applications in the VPC.

Route tables
  A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. A subnet can be associated with only one route table.

Key pair
  A set of security credentials you use to prove your identity electronically. The key pair consists of a private key and a public key. At time of launching the VM-Series firewall, you must generate a key pair or select an existing key pair for the VM-Series firewall. The private key is required to access the firewall in maintenance mode.

CloudWatch
  Amazon CloudWatch is a monitoring service that allows you to collect and track metrics for the VM-Series firewalls on AWS. When enabled, the firewalls use AWS APIs to publish native PAN-OS metrics to CloudWatch.
Management Interface Mapping for Use with Amazon ELB
By default, the elastic network interface (ENI) eth0 maps to the MGT interface on the firewall and ENI eth1 maps to ethernet1/1 on the firewall. Because the ELB can send traffic only to the primary interface of the next hop load-balanced EC2 instance, the VM-Series firewall must be able to use the primary interface for dataplane traffic.
The firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB (for a topology diagram, see VM-Series with ELB):
- The VM-Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
- The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.
At present, for use cases that require an ELB sandwich-type deployment to scale out firewalls and application layer EC2 instances, swapping the management interface will not allow you to seamlessly deploy the ELB solution. The ability to swap the management interface only partially solves the integration with ELB.
To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the ENIs within the firewall such that ENI eth0 maps to ethernet1/1 and ENI eth1 maps to the MGT interface on the firewall as shown below.
Swapping how the interfaces are mapped allows ELB to distribute and route traffic to healthy instances of the VM-Series firewall located in the same or different Availability Zones on AWS for increased capacity and fault tolerance.
To swap the interfaces, you have the following options:
- At launch: When you launch the firewall, you can either enter the mgmt-interface-swap=enable command in the User data field on the AWS management console (see Launch the VM-Series Firewall on AWS) or CLI, or you can include the new mgmt-interface-swap operational command in the bootstrap configuration.
- After launch: After you launch the firewall, Use the VM-Series Firewall CLI to Swap the Management Interface (set system setting mgmt-interface-swap enable yes operational command) on the firewall.
Pick one method to consistently specify the interface swap setting: in the bootstrap configuration, from the CLI on the firewall, or using the Amazon EC2 User data field on the AWS console. Mixing methods can cause unpredictable behavior on the firewall.
Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.
Swap the management interface before you configure the firewall or define policy rules. If you have already configured the VM-Series firewall, check whether any IP address changes for eth0 and eth1 impact policy rules.
Deployments Supported on AWS
The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud (VPC). Because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces.
- Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS Virtual Private Cloud.
  If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and safely enable applications for users who access these applications over the internet. For example, the following diagram shows the VM-Series firewall deployed in the Edge subnet to which the internet gateway is attached. The application(s) are deployed in the private subnet, which does not have direct access to the internet.
  When users need to access the applications in the private subnet, the firewall receives the request and directs it to the appropriate application, after verifying security policy and performing Destination NAT. On the return path, the firewall receives the traffic, applies security policy and uses Source NAT to deliver the content to the user. See Use Case: Secure the EC2 Instances in the AWS Cloud.
  [Figure: VM-Series for EC2 Instances]
- Deploy the VM-Series firewall for VPN access between the corporate network and the EC2 instances within the AWS Virtual Private Cloud.
  To connect your corporate network with the applications deployed in the AWS Cloud, you can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel allows users on your network to securely access the applications in the cloud.
  For centralized management, consistent enforcement of policy across your entire network, and for centralized logging and reporting, you can also deploy Panorama in your corporate network. If you need to set up VPN access to multiple VPCs, using Panorama allows you to group the firewalls by region and administer them with ease.
  [Figure: VM-Series for VPN Access]
- Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based on the request, the gateway either sets up a VPN connection to the corporate network or routes the request to the internet.
  To enforce security compliance for users on mobile devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security Manager ensures that mobile devices are managed and configured with the device settings and account information for use with corporate applications and networks.
  In each of the use cases above, you can deploy the VM-Series firewall in an active/passive high availability (HA) pair. For information on setting up the VM-Series firewall in HA, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
- Deploy the VM-Series firewall with the Amazon Elastic Load Balancing (ELB) service, whereby the firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB:
  - The VM-Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
  - The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.
  If you want to Auto Scale VM-Series Firewalls with the Amazon ELB, use the CloudFormation Template available in the GitHub repository to deploy the VM-Series in an ELB sandwich topology with an internet-facing classic ELB and either an internal classic load balancer or an internal application load balancer (internal ELB).
  [Figure: VM-Series with ELB]
  You cannot configure the firewall to send and receive dataplane traffic on eth0 when the firewall is in front of ELB. The VM-Series firewall must be placed behind the Amazon ELB.
  You can either Use the VM-Series Firewall CLI to Swap the Management Interface or enable it on bootstrap. For details, see Management Interface Mapping for Use with Amazon ELB.
  If you want to deploy a load balancer sandwich topology, see Auto Scale VM-Series Firewalls with the Amazon ELB.
Deploy the VM-Series Firewall on AWS
Obtain the AMI
Review System Requirements and Limitations for VM-Series on AWS
Planning Worksheet for the VM-Series in the AWS VPC
Launch the VM-Series Firewall on AWS
Use the VM-Series Firewall CLI to Swap the Management Interface
Enable CloudWatch Monitoring on the VM-Series Firewall
The VM-Series firewall has been optimized and expanded to deliver improved performance and expanded capacities, which necessitates a change in the number of cores and memory allocated to the EC2 instance. For the new resource footprint, you need to match the appropriate instance sizes available on AWS before you upgrade your VM-Series firewalls on AWS running PAN-OS 7.1 or earlier versions. For details, refer to Upgrading the VM-Series with PAN-OS 8.0 on AWS.
Obtain the AMI
Because the AWS GovCloud does not have a Marketplace, the process of obtaining the AMI is different in the public AWS cloud and in the AWS GovCloud.
AMI in the Public AWS Cloud
AMI on AWS GovCloud
AMI in the Public AWS Cloud
The AMI for the VM-Series firewall is available in the AWS Marketplace for both the Bring Your Own License (BYOL) and the usage-based pricing options.
For purchasing licenses with the BYOL option, contact your Palo Alto Networks sales engineer or reseller.
AMI on AWS GovCloud
The Bring Your Own License (BYOL) model of the VM-Series firewall is available as a shared AMI on AWS GovCloud.
With a GovCloud account you can find the AMI for the VM-Series firewall on the EC2 console (Instances > Launch Instance > Community AMIs) using the AMI ID (ami-4add672b) or by searching for Palo Alto Networks. Alternatively, you can also use the link to directly launch the AMI in your GovCloud account. Make sure to review the supported EC2 instance types before you launch the firewall. For details, see Launch the VM-Series Firewall on AWS.
Review System Requirements and Limitations for VM-Series on AWS
Requirement: Details

EC2 instance types
  The EC2 instance type you select must meet the VM-Series System Requirements for the VM-Series firewall model. If you deploy the VM-Series firewall on an EC2 instance type that does not meet these requirements, the firewall will boot into maintenance mode.
  To support VM Monitoring and high availability on AWS, the VM-Series firewall must be able to directly reach the AWS API service endpoints without any proxy servers between the firewall management interface and the AWS API endpoints (such as ec2.us-west-2.amazonaws.com).

Amazon Elastic Block Storage (EBS)
  The VM-Series firewall must use the Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.

Networking
  Because AWS only supports Layer 3 networking capabilities, the VM-Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.

Interfaces
  Support for a total of eight interfaces is available: one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall.
  Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.

Support entitlement and Licenses
  For the Bring Your Own License model, a support account and a valid VM-Series license are required to obtain the Amazon Machine Image (AMI) file, which is required to install the VM-Series firewall in the AWS VPC. The licenses required for the VM-Series firewall (capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc.) must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative. See VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
  For the usage-based licensing model, hourly and annual pricing bundles can be purchased and billed directly to AWS. You must, however, register your support entitlement with Palo Alto Networks. For details, see Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).
Planning Worksheet for the VM-Series in the AWS VPC
For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy within each subnet. Before you begin, use the following table to collate the network information required to deploy and insert the VM-Series firewall into the traffic flow in the VPC:

Configuration Item: Value
VPC CIDR:
Security Groups:
Subnet (public) CIDR:
Subnet (private) CIDR:
Subnet (public) Route Table:
Subnet (private) Route Table:
Security Groups:
  Rules for Management Access to the firewall (eth0/0):
  Rules for access to the dataplane interfaces of the firewall:
  Rules for access to the interfaces assigned to the application servers:
VM-Series firewall behind ELB:
EC2 Instance 1 (VM-Series firewall):
  Subnet:
  Instance type:
  Mgmt interface IP:
  Mgmt interface EIP:
  Dataplane interface eth1/1
    Private IP:
    EIP (if required):
    Security Group:
  Dataplane interface eth1/2
    Private IP:
    EIP (if required):
    Security Group:
  Note: An EIP is only required for the dataplane interface that is attached to the public subnet.
EC2 Instance 2 (Application to be secured):
  Subnet:
  Instance type:
  Mgmt interface IP:
  Default gateway:
  Dataplane interface 1
    Private IP:
  Note: Repeat this set of values for each additional application being deployed.
Requirements for HA:
  If you are deploying the VM-Series firewalls in a high availability (active/passive) configuration, you must ensure the following:
  - Create an IAM role and assign the role to the VM-Series firewall when you are deploying the instance. See IAM Roles for HA.
  - Deploy the HA peers in the same AWS availability zone.
  - The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface.
  - The passive firewall in the HA pair must have one ENI for management, and one ENI that functions as dataplane interface; you will configure the dataplane interface as an HA2 interface.
    Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved: detached and then attached to the now active (previously passive) firewall.
Launch the VM-Series Firewall on AWS
If you have not already registered the capacity auth code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After registering, deploy the VM-Series firewall by launching it in the AWS VPC as follows:
Launch the VM-Series Firewall in the AWS VPC
g. Accept the default Storage settings.
h. (Optional) Tagging. Add one or more tags to create your own metadata to identify and group the VM-Series firewall. For example, add a Name tag with a Value that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
i. Select an existing Security Group or create a new one. This security group is for restricting access to the management interface of the firewall. At a minimum consider enabling https and ssh access for the management interface.
j. If prompted, select an appropriate SSD option for your setup.
k. Select Review and Launch. Review that your selections are accurate and click Launch.
l. Select an existing key pair or create a new one, and acknowledge the key disclaimer.
   This key pair is required for first-time access to the firewall. It is also required to access the firewall in maintenance mode.
m. Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key, if lost.
It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard. When the process completes, the VM-Series firewall displays on the Instances page of the EC2 Dashboard.
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat the steps above for creating and attaching at least one more ENI to the firewall.
3. Click Disabled and Save your changes.
4. Repeat Steps 1-3 for each firewall dataplane interface.
Use the VM-Series Firewall CLI to Swap the Management Interface
If you did not swap the management interface (MGT) with the dataplane interface (ethernet1/1) when deploying the firewall, you can use the CLI to enable the firewall to receive dataplane traffic on the primary interface after launching the firewall.
Management Interface Swap Using the VM-Series Firewall CLI
Step 1  Complete Steps 1 through 7 in Launch the VM-Series Firewall on AWS.
        Before you proceed, verify that the firewall has a minimum of two ENIs (eth0 and eth1). If you launch the firewall with only one ENI, the interface swap command will cause the firewall to boot into maintenance mode.
Step 2  On the EC2 Dashboard, view the IP address of the eth1 interface and verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface (eth1).
Step 3  Log in to the VM-Series firewall CLI and enter the following command:
        set system setting mgmt-interface-swap enable yes
Step 4  Confirm that you want to swap the interface and use the eth1 dataplane interface as the management interface.
Step 5  Reboot the firewall for the swap to take effect. Use the following command:
        request restart system
Step 6  Verify that the interfaces have been swapped. Use the following command:
        debug show vm-series interfaces all
        Phoenix_interface    Base-OS_port  Base-OS_MAC        PCI-ID        Driver
        mgt(interface-swap)  eth0          0e:53:96:91:ef:29  0000:00:04.0  ixgbevf
        Ethernet1/1          eth1          0e:4d:84:5f:7f:4d  0000:00:03.0  ixgbevf
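The two conditions the swap procedure depends on (at least two ENIs attached before the swap, and the swap requested by exactly one method, as the note under Management Interface Mapping for Use with Amazon ELB advises) and the Step 6 verification can be scripted. The following is an added example, not PAN-OS code or part of the guide: it parses the table printed by debug show vm-series interfaces all and checks the pre-flight conditions against a constructed list of attached ENI device indexes. The swapped table is copied from Step 6; the unswapped table is an assumed counterpart with the same columns and no (interface-swap) marker.

```python
"""Pre-flight and post-swap checks for the VM-Series management interface
swap on AWS (added example, not from the guide)."""

USER_DATA_SWAP = "mgmt-interface-swap=enable"   # User data form (at launch)

# Copied from the guide's Step 6 output after a successful swap.
SWAPPED_OUTPUT = """\
Phoenix_interface    Base-OS_port  Base-OS_MAC        PCI-ID        Driver
mgt(interface-swap)  eth0          0e:53:96:91:ef:29  0000:00:04.0  ixgbevf
Ethernet1/1          eth1          0e:4d:84:5f:7f:4d  0000:00:03.0  ixgbevf
"""

# Assumed (not shown in the guide): the same table on a firewall that was
# never swapped, i.e. the mgt row carries no "(interface-swap)" marker.
UNSWAPPED_OUTPUT = """\
Phoenix_interface    Base-OS_port  Base-OS_MAC        PCI-ID        Driver
mgt                  eth0          0e:53:96:91:ef:29  0000:00:04.0  ixgbevf
Ethernet1/1          eth1          0e:4d:84:5f:7f:4d  0000:00:03.0  ixgbevf
"""


def parse_interface_table(output):
    """Parse the whitespace-aligned table into a list of row dicts keyed by header."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty output")
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def swap_applied(output):
    """True when the management row is labelled (interface-swap), i.e. the
    swap has taken effect after the reboot in Step 5."""
    for row in parse_interface_table(output):
        if row["Phoenix_interface"].lower().startswith("mgt"):
            return "(interface-swap)" in row["Phoenix_interface"]
    raise ValueError("no management interface row found")


def swap_preflight(eni_device_indexes, user_data="", bootstrap_swap=False, cli_swap=False):
    """Return the problems that would make the swap unsafe or ambiguous.

    eni_device_indexes: device indexes of the ENIs attached to the instance
    (0 is eth0, 1 is eth1), e.g. as read from the EC2 console.
    """
    problems = []
    attached = set(eni_device_indexes)
    if not {0, 1} <= attached:
        problems.append("eth0 and eth1 must both be attached before the swap; "
                        "with a single ENI the firewall boots into maintenance mode")
    methods = []
    if USER_DATA_SWAP in user_data:
        methods.append("user-data")
    if bootstrap_swap:
        methods.append("bootstrap")
    if cli_swap:
        methods.append("cli")
    if len(methods) > 1:
        problems.append(f"swap requested by more than one method {methods}; pick one")
    return problems


if __name__ == "__main__":
    print(swap_applied(SWAPPED_OUTPUT))          # True
    print(swap_preflight([0], user_data=USER_DATA_SWAP))  # one problem: single ENI
```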
Enable CloudWatch Monitoring on the VM-Series Firewall
The VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch, which you can use to monitor the firewalls. These metrics allow you to assess performance and usage patterns that you can use to take action for launching or terminating instances of the VM-Series firewalls.
The firewalls use AWS APIs to publish the metric to a namespace on AWS at a specified time interval. The namespace is the location to which CloudWatch collects and aggregates the selected metric for all instances configured to use the namespace. You can then monitor the metric in CloudWatch or create auto scaling policies to trigger alarms and take an action to manually deploy a new instance of the firewall when the monitored metric reaches a threshold value. Refer to the AWS CloudWatch and Auto Scaling Groups (ASG) documentation on best practices for setting the alarm conditions for a scale-out or scale-in action.
The VM-Series firewall can publish any of the following PAN-OS metrics to CloudWatch:

Metric: Description

Dataplane CPU Utilization (%)
  Monitors the dataplane CPU usage to measure the traffic load on the firewall.

Dataplane Packet Buffer Utilization (%)
  Monitors the dataplane buffer usage to measure buffer utilization. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and cause dropped packets.

Session Utilization (%)
  Monitors the sessions that are currently active for TCP, UDP, ICMP and SSL, and the packet rate, new connection establish rate, and throughput on the firewall to determine session utilization.

SSL Proxy Utilization (%)
  Monitors the percentage of SSL forward proxy sessions with clients for SSL/TLS decryption.

GlobalProtect Gateway Tunnel Utilization (%)
  Monitors the active GlobalProtect tunnels set up on a gateway to measure tunnel utilization. Use this metric if the VM-Series firewall is deployed as a VPN gateway on AWS to secure remote users.

Device Status
  Monitors the overall health state of the device.

Total Active Sessions
  Monitors the total number of sessions that are active on the firewall. An active session is a session that is on the firewall's flow lookup table for which packets will be inspected and forwarded, as required by policy.

GlobalProtect Gateway Active Tunnels
  Monitors the number of active GlobalProtect sessions on a firewall deployed as a GlobalProtect gateway. Use this metric if the VM-Series firewall is deployed as a VPN gateway on AWS to secure remote users; check the datasheet for the maximum number of active tunnels supported for your firewall model.
Enable CloudWatch Monitoring on the VM-Series Firewall
High Availability for VM-Series Firewall on AWS
The VM-Series firewall on AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
Overview of HA on AWS
IAM Roles for HA
HA Links
Heartbeat Polling and Hello Messages
Device Priority and Preemption
HA Timers
Configure Active/Passive HA on AWS
Overview of HA on AWS
To ensure redundancy, you can deploy the VM-Series firewalls on AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. When the passive peer detects this failure it becomes active and triggers API calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself. The failover time can vary from 20 seconds to over a minute depending on the responsiveness from the AWS infrastructure.
IAM Roles for HA
AWS requires that all API requests must be cryptographically signed using credentials issued by them. In order to enable API permissions for the VM-Series firewalls that will be deployed as an HA pair, you must create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service. The role must be attached to the VM-Series firewalls at launch. The policy gives the IAM role permissions for initiating API actions for detaching and attaching network interfaces from the active peer in an HA pair to the passive peer when a failover is triggered.
For detailed instructions on creating policy, refer to the AWS documentation on Creating Customer Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which is configured in the AWS console, must have permissions for the following actions and resources (at a minimum):
- AttachNetworkInterface: For permission to attach an ENI to an instance.
- DescribeNetworkInterface: For fetching the ENI parameters in order to attach an interface to the instance.
- DetachNetworkInterface: For permission to detach the ENI from the EC2 instance.
- DescribeInstances: For permission to obtain information on the EC2 instances in the VPC.
- Wildcard (*): In the Amazon Resource Name (ARN) field use the * as a wildcard.
The following screenshot shows the access management settings for the IAM role described above:
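The minimum policy above can be written down as an IAM policy document and audited: the failover workflow needs exactly these four EC2 actions, so a role that also carries ec2:* or * grants the firewall far more than it needs if its credentials are ever misused. The following script is an added example, not from the guide or from Palo Alto Networks; it uses the EC2 API action names as IAM spells them (the guide writes DescribeNetworkInterface, the API action is DescribeNetworkInterfaces), and the Resource wildcard the guide calls for.

```python
"""Build and audit the IAM policy for the VM-Series HA pair on AWS
(added example, not part of the Palo Alto Networks guide)."""
import fnmatch
import json

# The four EC2 actions the guide lists as the minimum for HA failover.
REQUIRED_ACTIONS = {
    "ec2:AttachNetworkInterface",
    "ec2:DetachNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeInstances",
}


def minimal_ha_policy():
    """Policy document granting only the required actions, on all resources (*)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_ha_policy(policy):
    """Return (missing, broad).

    missing: required actions that no Allow statement grants, so failover
             API calls would be denied.
    broad:   Allow action patterns containing '*' (such as 'ec2:*' or '*'),
             which grant more than the failover workflow needs.
    """
    allowed = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        allowed.extend(_as_list(statement.get("Action", [])))
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_action_matches(p, a) for p in allowed))
    broad = sorted(p for p in allowed if "*" in p)
    return missing, broad


def policy_json():
    """The minimal policy as the JSON text you would paste into the IAM console."""
    return json.dumps(minimal_ha_policy(), indent=2)


if __name__ == "__main__":
    print(policy_json())
    print(audit_ha_policy(minimal_ha_policy()))  # ([], [])
```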
HA Links
The devices in an HA pair use HA links to synchronize data and maintain state information. On AWS, the VM-Series firewall uses the following ports:
- Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing and User-ID information. This link is also used to synchronize configuration changes on either the active or passive device with its peer.
  The Management port is used for HA1. TCP ports 28769 and 28260 are used for clear text communication; port 28 for encrypted communication (SSH over TCP).
- Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device.
  Ethernet1/1 must be assigned as the HA2 link. The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport.
The VM-Series on AWS does not support backup links for HA1 or HA2.
Heartbeat Polling and Hello Messages
The firewalls use hello messages and heartbeats to verify that the peer device is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the device. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the devices are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers. (The HA timers for the VM-Series firewall are the same as those of the PA-5000 Series firewalls.)
Device Priority and Preemption
The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic upon failover. If you need to use a specific device in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each device. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network. The other device is in a passive state, and synchronizes configuration and state information with the active device so that it is ready to transition to an active state should a failure occur.
By default, preemption is disabled on the firewalls and must be enabled on both devices. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
HA Timers
High availability (HA) timers are used to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive, and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.

HA Timer on the VM-Series on AWS | Default values for Recommended / Aggressive profiles
Promotion hold time | 2000 / 500 ms
Hello interval | 8000 / 8000 ms
Heartbeat interval | 2000 / 1000 ms
Max number of flaps | 3 / 3
Preemption hold time | 1 / 1 min
Monitor fail hold up time | 0 / 0 ms
Additional master hold up time | 500 / 500 ms
Configure Active/Passive HA on AWS
2. (Optional) Select Encryption Enabled, for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
   a. Select Device > Certificate Management > Certificates.
   b. Select Export HA key. Save the HA key to a network location that the peer device can access.
   c. On the peer device, navigate to Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer device.
7. (Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs.
   You can configure the HA2 keep-alive option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.
On the passive device: The state of the local device should display passive and the configuration is synchronized.
On the active device: The state of the local device should display active and the configuration is synchronized.
Use Case: Secure the EC2 Instances in the AWS Cloud
In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: 10.0.0.0/24 and 10.0.1.0/24. The VM-Series firewall will be launched in the 10.0.0.0/24 subnet, to which the internet gateway is attached. The 10.0.1.0/24 subnet is a private subnet that hosts the EC2 instances that need to be secured by the VM-Series firewall; any server on this private subnet reaches the internet through NAT on the firewall, using a routable IP address (an Elastic IP address). Use the Planning Worksheet for the VM-Series in the AWS VPC to plan the design within your VPC; recording the subnet ranges, the network interfaces and the associated IP addresses for the EC2 instances, and the security groups will make the setup process easier and more efficient.
The following image depicts the logical flow of traffic to/from the web server to the internet. Traffic to/from the web server is sent to the data interface of the VM-Series firewall that is attached to the private subnet. The firewall applies policy and processes incoming/outgoing traffic from/to the internet gateway of the VPC. The image also shows the security groups to which the data interfaces are attached.
Deploy the VM-Series Firewall on AWS as a Cloud Gateway
4. Click Create VPC.
For Eth1/1 (VM-Series Untrust):
   Subnet: 10.0.0.0/24
   Private IP: 10.0.0.10
   Security group: PublicServerCloudDC
For Eth1/2 (VM-Series Trust):
   Subnet: 10.0.1.0/24
   Private IP: 10.0.1.10
   Security group: PrivateServerCloudDC
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat steps 7 and 8 to attach the other network interface.
In this example, the configuration is:
For each web or database server deployed on an EC2 instance in the private subnet, you must define a default route to the IP address of the VM-Series firewall's trust interface (10.0.1.10 in this example) so that the firewall is the default gateway for the server. In AWS, this is normally done once in the route table associated with the private subnet rather than on each server, so that servers launched later in the subnet inherit the route.
3. Create a Source NAT rule to allow outbound traffic from the web server to the internet.
   a. Click Add, and enter a name for the rule. For example, NAT2External.
   b. In the Original Packet tab, make the following selections:
      Source Zone: trust (where the traffic originates)
      Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
      Source Address: Any
      Destination Address: Any
   c. In the Translated Packet tab, make the following selections in the Source Address Translation section:
      Translation Type: Dynamic IP and Port
      Address Type: Translated Address
      Translated Address: 10.0.0.10 (the firewall dataplane interface in the untrust zone)
   d. Click OK.
4. Click Commit to save the NAT policies.
3. Create a rule to allow inbound traffic to the web server.
   a. Click Add, enter a Name for the rule, and verify that the Rule Type is universal.
   b. In the Source tab, add untrust as the Source Zone.
   c. In the Destination tab, add trust as the Destination Zone.
   d. In the Applications tab, Add web-browsing.
   e. In the Service/URL Category tab, verify that the service is set to application-default.
   f. In the Actions tab, set the Action to Allow.
   g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
   h. Click OK.
   This rule leaves the Destination Address at any. Where you know the address that inbound connections are sent to, narrow the Destination Address to it so that the rule does not admit web-browsing to every host in the trust zone.
4. Create a rule to allow internet access to the web server.
   a. Click Add, enter a Name for the rule, and verify that the Rule Type is universal.
   b. In the Source tab, add trust as the Source Zone.
   c. In the Source Address section of the Source tab, add 10.0.1.62, the IP address of the web server.
   d. In the Destination tab, add untrust as the Destination Zone.
   e. In the Service/URL Category tab, verify that the service is set to application-default.
   f. In the Actions tab, set the Action to Allow.
   g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
   h. Click OK.
   Instead of entering a static IP address for the web server, use a dynamic address group. Dynamic address groups allow you to create policy that automatically adapts to changes, so that you do not need to update the policy when you launch additional web servers in the subnet. For details, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
5. Edit the interzone-default rule to log all traffic that is denied. This predefined interzone rule is evaluated when no other rule is explicitly defined to match traffic across different zones.
   a. Select the interzone-default rule and click Override.
   b. In the Actions tab, select Log at session end.
   c. Click OK.
6. Review the complete set of security rules defined on the firewall.
7. Click Commit to save the policies.
Traffic outbound from the web server (EC2 instance in the AWS VPC):
You have successfully deployed the VM-Series firewall as a cloud gateway!
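The rule set built in steps 3 through 5 only does what you expect if you understand the order in which the firewall evaluates it: user rules top-down, first match wins, and the predefined interzone-default rule catches everything else that crosses zones. The following simulation is an added example and is not code from this guide or from Palo Alto Networks; it models that evaluation for the trust/untrust zones, the web server address 10.0.1.62 and the applications named above. The rule names (Inbound-Web, Webserver-Internet), the Flow tuple and the Verdict record are assumptions made for the illustration.

```python
"""Zone-based security policy evaluation, modelled on the cloud-gateway
rules above.  Added example, not code from the Palo Alto Networks guide:
it simulates top-down, first-match rule lookup and the fall-through to
the predefined interzone-default rule.  Zone names, the web server
address 10.0.1.62 and the applications come from the guide; the rule
names, the Flow tuple and the Verdict record are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: Optional[Set[str]]        # None means any zone
    to_zones: Optional[Set[str]]
    action: str                           # "allow" or "deny"
    apps: Optional[Set[str]] = None       # None means any application
    src_addrs: Optional[Set[str]] = None  # None means any; else IPs/CIDRs
    profiles: Tuple[str, ...] = ()        # security profiles applied on allow
    log_at_end: bool = False

    def matches(self, f: Flow) -> bool:
        if self.from_zones is not None and f.src_zone not in self.from_zones:
            return False
        if self.to_zones is not None and f.dst_zone not in self.to_zones:
            return False
        if self.apps is not None and f.app not in self.apps:
            return False
        if self.src_addrs is not None and not any(
                ip_address(f.src_ip) in ip_network(a, strict=False)
                for a in self.src_addrs):
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    rule: str
    action: str
    logged: bool
    profiles: Tuple[str, ...]


# The two predefined rules sit below every user rule.  Step 5 above
# overrides interzone-default to log denied sessions; intrazone-default
# keeps its factory setting (allow, no log).
INTERZONE_DEFAULT = Rule("interzone-default", None, None, "deny", log_at_end=True)
INTRAZONE_DEFAULT = Rule("intrazone-default", None, None, "allow")

DEFAULT_PROFILES = ("antivirus", "anti-spyware", "vulnerability")

# Rules from the cloud-gateway procedure, in evaluation order.  A new
# rule logs at session end by default, so that flag is set on both.
CLOUD_GATEWAY_RULES = (
    Rule("Inbound-Web", {"untrust"}, {"trust"}, "allow",
         apps={"web-browsing"}, profiles=DEFAULT_PROFILES, log_at_end=True),
    Rule("Webserver-Internet", {"trust"}, {"untrust"}, "allow",
         src_addrs={"10.0.1.62"}, profiles=DEFAULT_PROFILES, log_at_end=True),
)


def evaluate(rules, flow: Flow) -> Verdict:
    """First matching user rule wins; otherwise the predefined rule for
    the zone relationship (inter- or intra-zone) decides."""
    for r in rules:
        if r.matches(flow):
            return Verdict(r.name, r.action, r.log_at_end,
                           r.profiles if r.action == "allow" else ())
    fallback = INTRAZONE_DEFAULT if flow.src_zone == flow.dst_zone else INTERZONE_DEFAULT
    return Verdict(fallback.name, fallback.action, fallback.log_at_end, ())


if __name__ == "__main__":
    # An SSH attempt from the internet matches no user rule and is denied
    # and logged by interzone-default, which is exactly why step 5 matters.
    print(evaluate(CLOUD_GATEWAY_RULES,
                   Flow("untrust", "trust", "203.0.113.7", "10.0.1.62", "ssh")))
```

The last probe is the check worth running after a commit: a second web server at 10.0.1.99 gets no internet access until it is added to the rule (or a dynamic address group is used instead of the static address), and anything from the internet other than web-browsing lands on interzone-default, which only becomes visible in the traffic log because of the override in step 5.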
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
In a dynamic environment such as the AWS VPC, where you launch new EC2 instances on demand, the administrative overhead of managing security policy can be cumbersome. Using Dynamic Address Groups in security policy allows for agility and prevents disruption in services or gaps in protection.
In this example, we illustrate how you can monitor the VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and security policy is then applied to the group. The security policy in this example allows internet access to all members of the group.
The workflow in the following section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
Use Dynamic Address Groups in Policy
   f. Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
   g. Click OK, and Commit the changes.
   h. Verify that the connection Status displays as connected.
7. Click OK.
8. Click Commit.
10. Click Commit.
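What the firewall does with the VPC it monitors is simple to state but easy to get wrong when writing match criteria: every instance's IP is registered with a set of tags, and a group is the set of IPs whose tags satisfy the group's boolean match expression. The code below is an added example, not the firewall's implementation and not code from this guide. It evaluates and/or match criteria over a constructed instance inventory; the tag spelling used (aws.tag.<key>.<value> and aws.vpc-id.<id>) is an assumption about the registered tag format, not something this guide's text states, so check the tags the firewall actually shows before copying criteria from here.

```python
"""Dynamic Address Group membership, as an added example (not code from
the guide).  The VM Information Source registers tags against each
instance IP; the group's match criteria select the member IPs, and
policy that references the group follows new instances automatically.
The inventory is constructed; the tag spelling is an assumption."""
import re
from typing import Dict, Iterable, List, Set

# Constructed inventory standing in for what the VM Information Source
# would learn from the VPC whose ID is entered in step f above.
INSTANCES = [
    {"ip": "10.0.1.62", "vpc": "vpc-0abc1234", "tags": {"Role": "web", "Env": "prod"}},
    {"ip": "10.0.1.63", "vpc": "vpc-0abc1234", "tags": {"Role": "web", "Env": "prod"}},
    {"ip": "10.0.1.80", "vpc": "vpc-0abc1234", "tags": {"Role": "db", "Env": "prod"}},
    {"ip": "10.0.1.64", "vpc": "vpc-0abc1234", "tags": {"Role": "web", "Env": "staging"}},
    {"ip": "10.9.1.10", "vpc": "vpc-0ffff999", "tags": {"Role": "web", "Env": "prod"}},
]


def registered_tags(inst: Dict) -> Set[str]:
    """Tags assumed to be registered against this instance's IP."""
    tags = {"aws.vpc-id." + inst["vpc"]}
    tags.update("aws.tag.%s.%s" % (k, v) for k, v in inst["tags"].items())
    return tags


# Match criteria grammar: quoted tags joined with and/or, parentheses
# allowed, "and" binding tighter than "or".
_TOKEN = re.compile(r"\s*(\(|\)|and\b|or\b|'[^']*')", re.IGNORECASE)


def tokenize(expr: str) -> List[str]:
    expr = expr.strip()
    pos, out = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError("bad match criteria near: " + expr[pos:pos + 20])
        out.append(m.group(1))
        pos = m.end()
    return out


class _Parser:
    """Recursive descent: or := and ('or' and)*; and := atom ('and' atom)*;
    atom := '(' or ')' | quoted tag."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None

    def _take(self) -> str:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of criteria")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError("unexpected token: " + self._take())
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self._take()
            return node
        if len(tok) >= 2 and tok.startswith("'") and tok.endswith("'"):
            return ("tag", tok[1:-1])
        raise ValueError("unexpected token: " + tok)


def _holds(node, tags: Set[str]) -> bool:
    if node[0] == "tag":
        return node[1] in tags
    left, right = _holds(node[1], tags), _holds(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def group_members(instances: Iterable[Dict], criteria: str) -> List[str]:
    """IPs whose registered tags satisfy the group's match criteria."""
    tree = _Parser(tokenize(criteria)).parse()
    return sorted(i["ip"] for i in instances if _holds(tree, registered_tags(i)))
```

Note that the VPC ID belongs in the criteria: the same Role/Env tags reused in another VPC (10.9.1.10 in the inventory) would otherwise pull an unrelated instance into a group that your internet-access rule trusts.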
Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS
The AWS infrastructure and services provide an architecture that can scale and grow with your business. In addition to performance and application availability demands, your business requires assured security and application enablement. To reduce the attack surface for threats and to ensure that your business-critical servers, applications, and data are secure, you require the Palo Alto Networks VM-Series firewall. Together, AWS and the VM-Series firewall deliver operational efficiency with increased agility and optimal security.
Solution Overview: Secure Highly Available Internet-Facing Applications
Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS
Solution Overview: Secure Highly Available Internet-Facing Applications
In this use case, we show you how to secure highly available two-tier applications in Amazon Web Services (AWS) that are accessed by users over the internet. This setup is one specific example that uses WordPress and MySQL as the two-tier application. It includes a relational database service, a DNS-based global load balancing web service, Citrix NetScaler load balancers, and several VM-Series firewalls to secure north-south and east-west traffic flows to the applications in the Amazon Virtual Private Cloud (VPC). For high availability, the VPC spans two Availability Zones (AZs) on AWS. There are many other applications and architectures that Palo Alto Networks firewalls can secure; this use case is just one option.
The following table lists the elements required to deploy the solution for highly available internet-facing applications on AWS.
See Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS for the configuration details.
Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS
Use these high-level tasks to deploy the components listed in the Solution Overview: Secure Highly Available Internet-Facing Applications.
Set Up the VPC
Create the VPC and add the subnets, security groups, internet gateway, and a route table. You will also create Elastic Network Interfaces (ENIs) and allocate Elastic IP Addresses for some instances in the VPC. Duplicate this setup in another Availability Zone for redundancy.
Deploy the VM-Series Firewalls in the VPC
Deploy and configure four VM-Series firewalls in each Availability Zone: a pair of firewalls to secure the web farm, one to secure the RDS, and one firewall for outbound access from the VPC. The firewall that regulates outbound access to the internet also secures all the management traffic to and from the firewalls, servers, and services in the VPC. This use case focuses primarily on how to set up the firewalls for securing your internet-facing multi-tiered application(s). It also briefly covers the process of deploying and configuring the NetScaler VPX to load balance traffic across the VM-Series firewalls.
Deploy the Web Farm in the VPC
Set Up the Amazon Relational Database Service (RDS)
Configure the Citrix NetScaler VPX
Verify Traffic Enforcement
Set up Amazon Route 53
Set Up the VPC
Setting up the VPC requires you, at a minimum, to create the VPC, add the subnets, create the security groups, deploy EC2 instances, and attach ENIs with private IP addresses. To allow external access to the servers in the VPC, you also require an internet gateway and an Elastic IP Address for each EC2 instance that needs access to the internet. For this use case, the VPC setup is as follows:
Allocate Elastic IP Addresses. For details on assigning Elastic IP Addresses, refer to the AWS documentation.
   AWS has a default maximum number of Elastic IP Addresses; if your specific architecture requires more than the default, you can request more Elastic IP Addresses through AWS.
   This example uses seven Elastic IP Addresses. See Allocate and associate Elastic IP Addresses for the firewall and the NetScaler VPX.
Set up the route tables:
   Rename the main route table with a descriptive name (this route table is automatically created when you create the VPC) and add a route to the internet gateway in this route table.
   Add a new route table. This route table is required for routing traffic from the web servers to the VM-Series firewall; it removes the need to create a default route on each web server as you horizontally scale out your web farm.
For the complete workflow, see Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS.
Deploy the VM-Series Firewalls in the VPC
You must deploy the firewalls, license the firewalls as appropriate, configure the network interfaces, and create policies that limit application and data traffic flows as appropriate for each server and application.
In this use case, each Availability Zone has four VM-Series firewalls:
Mgmt FW: A firewall that secures the inbound and outbound traffic necessary for managing and updating the infrastructure. It secures all inbound and outbound management traffic to and from the EC2 instances and services in the VPC, including database engine updates, SSH and HTTPS access to the EC2 instances and services, and SNMP. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the VM-Series Firewall for Securing Outbound Access from the VPC.
AZ1 FW1 and AZ1 FW2: A pair of firewalls that manage traffic from the NetScaler VPX to the web farm. In the event that a firewall fails, the load balancer uses service monitors to detect the failure and redirect traffic through the other firewall. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the Firewalls that Secure the Web Farm.
AZ1 DB: A firewall to segment the web farm from the Relational Database Service (RDS). This architecture allows you to add a layer of security, isolate the database service, and limit the exposure of front-end servers to risks and threats. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the Firewall that Secures the RDS.
Launch the VM-Series Firewalls and the NetScaler VPX
On the AWS management console, launch the firewalls, launch the load balancer, and edit the route tables you added when you created the VPC.
Launch the VM-Series Firewalls
The IP address assigned to the management interface (eth0) of each firewall is as follows:
   Mgmt FW: 192.168.0.10
   AZ1 FW1: 192.168.0.11
   AZ1 FW2: 192.168.0.12
   AZ1 DB: 192.168.0.13
2. Establish an SSH connection to the IP address assigned to the management interface and perform initial configuration on the command line interface (CLI) of the VM-Series firewall.
3. Create and attach two ENIs to each firewall; these interfaces will serve as the dataplane interfaces on each firewall. Connect each ENI to the appropriate subnet and security group.
   Mgmt FW: The dataplane interface IP addresses are:
      192.168.2.254 (to web farm)
      192.168.0.254 (external connectivity for internet access)
   AZ1 FW1: The dataplane interface IP addresses are:
      192.168.1.11 (to NetScaler)
      192.168.2.11 (to web farm)
   AZ1 FW2: The dataplane interface IP addresses are:
      192.168.1.12 (to NetScaler)
      192.168.2.12 (to web farm)
   AZ1 DB: The dataplane interface IP addresses are:
      192.168.2.13 (to web farm)
      192.168.3.13 (to RDS)
3. Create the internet gateway and add a route to it in the main route table of the VPC to allow outbound internet access from the VPC.
Configure the VM-Series Firewall for Securing Outbound Access from the VPC
The Mgmt FW in this use case is the VM-Series firewall that secures inbound management traffic, such as infrastructure updates that include DNS and apt-get updates for all web servers. This firewall is also the default gateway for all outbound traffic from the web farm to the internet.
Configure the VM-Series Firewall that Secures Outbound Access
Step 1: Launch the firewalls and perform initial configuration.
Step 2: Allocate and assign Elastic IP Addresses. This use case requires one Elastic IP Address for the management interface of the VM-Series firewall and one for the dataplane interface that allows internet access from the VPC. See Step 3.
Step 3: Log in to the web interface of the VM-Series firewall using the Elastic IP Address assigned to the management interface.
Step 5: Create service objects and a service group. A service object allows you to specify the port number that an application can use if you plan to use a non-default port for an application. You use these objects in NAT policy (Step 7) so that the firewall can perform port translation to route traffic properly.
   1. Select Objects > Services and Add the service objects to enable TCP access to the web servers on ports 10000, 10001, 10002, and 10003.
Step 6: Define security policy for sanctioned applications. For example, allow SSH for inbound management and allow application and DNS updates to the web servers in the VPC. Because this use case employs non-default ports for SSH access, change the Service for SSH Management from application-default to Webserver_Services (the service group created in the last step) to define the ports that provide access to the web servers.
Step 7: Define NAT policy rules. These rules ensure that the firewall performs IP address and port translation and secures all inbound and outbound traffic on the web server farm.
   1. Create NAT rules for permitting inbound access to each web server. You need to enable destination translation to the service objects you defined earlier for each web server.
   2. Create an outbound NAT rule that allows internet access for the web servers in the VPC. This rule allows the firewall to translate the source IP address to the public-facing interface on the management firewall. The AWS internet gateway then translates the private IP address to the Elastic IP Address associated with the interface for routing the traffic to the internet.
   See Port Translation for Service Objects for details on how the firewall performs IP address and port translation to properly route traffic.
Step 8: To ensure that traffic is routed properly to the firewall, perform the following tasks on the AWS management console:
   1. Create a route table for the web farm subnet and add a new route that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM-Series firewall (Mgmt FW). See Step 42.
   2. Disable source and destination checks on the dataplane network interface(s) assigned to the firewall. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the interface. Select the network interface in the Network Interfaces tab on the EC2 Dashboard, for example eth1/1, and in the Action drop-down, select Change Source/Dest. Check. Click Disabled and Save your changes.
Configure the Firewalls that Secure the Web Farm
Use these instructions to configure the redundant pair of VM-Series firewalls that secure the web servers within an Availability Zone.
For a topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
Configure the VM-Series Firewalls that Secure the Web Farm
Step 1: Launch the firewalls and perform initial configuration.
Step 2: Allocate and assign Elastic IP Addresses. This use case requires one Elastic IP Address for the management interface of each VM-Series firewall. See Step 3.
Step 3: Log in to the web interface of the VM-Series firewall using the EIP address assigned to the management interface.
Step 5: Create a security policy rule to allow the sanctioned applications. Because we use the WordPress application in this example, the policy rule allows the web-browsing and blog-posting applications for WordPress.
Step 6: Create a NAT policy rule to ensure symmetric routing of traffic when the NetScaler VPX load balances traffic across the two (or more) firewalls that are protecting the web servers. This NAT policy rule is required to translate the private IP addresses to public IP addresses that can be routed to external networks. It also ensures that the same firewall manages the request and response traffic for a web server in the web farm.
Configure the Firewall that Secures the RDS
This task helps you set up the VM-Series firewall that secures the database service on AWS. For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
Configure the VM-Series Firewall that Secures the RDS
Step 1: Launch the firewalls and perform initial configuration.
Step 2: Allocate and assign Elastic IP Addresses for the management interface of the VM-Series firewall. See Step 3.
Step 3: Log in to the web interface of the VM-Series firewall using the Elastic IP Address assigned to the management interface.
Step 5: Create the security policy rule that allows traffic to pass from the web servers to the database server.
Step 6: Create a Source NAT policy that allows outbound traffic initiated by the database server to be routed through the ethernet1/2 interface (192.168.3.13) on the firewall to the web servers.
   You cannot configure routing on the Amazon RDS. Source NAT policy on the firewall is therefore required so that the database sees the firewall's RDS-side address as the peer and its traffic is routed back through the firewall rather than bypassing it.
Deploy the Web Farm in the VPC
This workflow shows you how to deploy the web server and configure the WordPress application. These instructions are included solely for the purpose of taking you through the implementation in this use case. For concepts and details on deploying WordPress, refer to the WordPress documentation.
For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
3. Connect to the database. For example:
   mysql -u awsuser -h myrdbinstances.cdfujxufuwlc.us-west-2.rds.amazonaws.com -p
4. Create the database and add WordPress users and permissions. For example:
   CREATE DATABASE Ignite;
   CREATE USER 'student'@'%' IDENTIFIED BY 'paloalto';
   GRANT ALL PRIVILEGES ON Ignite.* TO 'student'@'%';
   FLUSH PRIVILEGES;
   EXIT
   The account name and password above are placeholders for this walkthrough. For a production database, choose a strong password, grant only the privileges WordPress needs on its own database, and restrict the host part of the account: because the DB firewall source-NATs web farm traffic (Step 6 of Configure the Firewall that Secures the RDS), the database sees those connections arriving from the firewall's RDS-side interface (192.168.3.13), so 'student'@'192.168.3.13' is a tighter grant than 'student'@'%'.
Set Up the Amazon Relational Database Service (RDS)
This section shows how to set up the database service for this use case. These instructions are included solely for the purpose of taking you through the implementation of this specific use case. For setup and conceptual information on the service, refer to the Amazon Relational Database Service documentation.
For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
Set Up the Relational Database Service
Step 1: In the VPC Dashboard, make sure there are two database subnets. If not, create a second one (a minimum of two subnets is required for the RDS).
Step 4: Verify that the RDS is running.
Configure the Citrix NetScaler VPX
This section shows you how to set up the NetScaler VPX load balancer for this use case. These instructions are included solely for the purpose of taking you through the implementation in this use case. For setup and conceptual information on the NetScaler VPX, refer to the Citrix documentation.
For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
2. Bind the web services you created in Step 4 to this virtual server.
3. Edit the settings for the virtual server to enable IP address persistence. IP address persistence is required for the application to authenticate properly. Based on your preference, select Cookie-based or Source-IP-based persistence.
Set up Amazon Route 53
Use Amazon Route 53 as the DNS service for your registered domain names.
For an overview of the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
Set up Route 53
   In a redundant configuration, configure the domain to resolve to every Elastic IP Address associated with a VIP on the NetScaler VPX.
   The Citrix NetScaler can host multiple applications on one IP address with Content Switching enabled.
Verify Traffic Enforcement
Access the WordPress server and monitor the logs on the VM-Series firewalls to verify that policy is being enforced for your multi-tiered applications on AWS.
For the overview of the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.
Port Translation for Service Objects
This table shows how the firewall performs IP address and port translation for routing traffic to the web farm when you have configured service objects with NAT policy in Step 5 and Step 7 of Configure the VM-Series Firewall for Securing Outbound Access from the VPC.
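The two translations that table describes are easiest to reason about as a small stateful model. The following is an added example and is not code from this guide or from the firewall: it applies destination NAT that maps a non-default TCP port on the Mgmt FW's public-facing interface to SSH on one web server (the port translation the Step 5 service objects enable), and dynamic IP-and-port source NAT for outbound web farm traffic, recording each outbound session so the reply can be reversed. The firewall addresses 192.168.0.254 and 192.168.2.254, the web farm subnet 192.168.2.0/24 and ports 10000 through 10003 come from this use case; the web server addresses 192.168.2.21 through .24, the VPC CIDR 192.168.0.0/16 and the translated-port allocator are assumptions.

```python
"""IP-and-port translation on the Mgmt FW, as an added example (not code
from the guide).  Destination NAT: service-object port -> SSH on a web
server.  Source NAT: dynamic IP and port for web farm traffic leaving
the VPC, with a session table for reverse translation of replies.
The web server addresses, VPC CIDR and port allocator are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Dict, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


MGMT_FW_PUBLIC = "192.168.0.254"          # external dataplane interface (EIP maps here)
MGMT_FW_WEB = "192.168.2.254"             # web farm side interface
WEB_FARM = ip_network("192.168.2.0/24")   # web farm subnet from the use case
VPC_CIDR = ip_network("192.168.0.0/16")   # assumption: the whole VPC

# Destination NAT (Step 7, item 1): one service-object port per web server.
# Web server addresses are assumed for illustration.
DNAT_TABLE: Dict[int, str] = {
    10000: "192.168.2.21",
    10001: "192.168.2.22",
    10002: "192.168.2.23",
    10003: "192.168.2.24",
}
SSH_PORT = 22


class Nat:
    """Stateful translator: forward translations record a session so the
    reply can be rewritten back, as the firewall's session table does."""

    def __init__(self, first_port: int = 20000):
        self._next_port = first_port
        # (translated src port, remote ip, remote port) -> (orig src ip, orig src port)
        self._snat_sessions: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """DNAT from the internet to a web server; None if no rule matches,
        so the packet falls through to security policy untranslated."""
        if pkt.dst_ip != MGMT_FW_PUBLIC:
            return None
        server = DNAT_TABLE.get(pkt.dst_port)
        if server is None:
            return None
        return pkt._replace(dst_ip=server, dst_port=SSH_PORT)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Dynamic IP-and-port SNAT for web farm traffic leaving the VPC.
        Traffic that stays inside the VPC is not translated."""
        if ip_address(pkt.src_ip) not in WEB_FARM or ip_address(pkt.dst_ip) in VPC_CIDR:
            return None
        pub_port = self._next_port
        self._next_port += 1
        self._snat_sessions[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # The AWS internet gateway then maps 192.168.0.254 to its Elastic IP.
        return pkt._replace(src_ip=MGMT_FW_PUBLIC, src_port=pub_port)

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a return packet of an outbound SNAT session."""
        if pkt.dst_ip != MGMT_FW_PUBLIC:
            return None
        orig = self._snat_sessions.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return pkt._replace(dst_ip=orig[0], dst_port=orig[1])


if __name__ == "__main__":
    nat = Nat()
    print(nat.inbound(Packet("203.0.113.5", 40000, MGMT_FW_PUBLIC, 10001)))
    out = nat.outbound(Packet("192.168.2.22", 51000, "198.51.100.9", 443))
    print(out, nat.reply(Packet("198.51.100.9", 443, MGMT_FW_PUBLIC, out.src_port)))
```

Two details from the model are the ones to verify on the real firewall: an inbound packet to a port that has no service object is not translated at all (it then has to be denied by security policy, not silently dropped by NAT), and web farm traffic to another subnet inside the VPC, for example to the RDS, must not hit the outbound source NAT rule, which is why that rule's destination zone is the external one.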
Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure, and ensuring bandwidth and uptime requirements in multiple locations around the globe, while staying within your budget.
The VM-Series firewall on AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall in the AWS cloud, you can quickly and easily deploy GlobalProtect gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources.
To minimize latency, select AWS regions that are closest to your users, deploy the VM-Series firewalls on EC2 instances, and configure the firewalls as GlobalProtect gateways. With this solution, the GlobalProtect gateways in the AWS cloud enforce security policy for internet traffic, so there is no need to backhaul that traffic to the corporate network. Additionally, for access to resources on the corporate network, the VM-Series firewalls on AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices, such as smartphones and tablets, are safe for use on your network, use a Mobile Device Manager to configure and manage mobile devices.
Components of the GlobalProtect Infrastructure
To block risky applications and protect mobile users from malware, you must set up the GlobalProtect infrastructure, which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app. Additionally, for access to corporate resources, you must set up an IPSec VPN connection between the VM-Series firewalls on AWS and the firewall in the corporate headquarters using LSVPN (a hub-and-spoke VPN deployment).
The GlobalProtect agent/app is installed on each end-user system that is allowed to access corporate applications and resources. The agent first connects to the portal to obtain information on the gateways and then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection between the end-user system and the gateway ensures data privacy.
The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure. Every end-user system receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In this use case, the GlobalProtect portal is a hardware-based firewall that is deployed in the corporate headquarters.
The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications, users, content, device, and device state. In this use case, the VM-Series firewalls on AWS function as the GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats and, if policy allows, sends the request to the internet or to the corporate network over the IPSec tunnel (to the LSVPN gateway).
For LSVPN, you must configure the GlobalProtect portal, the GlobalProtect gateway for LSVPN (hub), and the GlobalProtect Satellites (spokes).
In this use case, the hardware-based firewall in the corporate office is deployed as the GlobalProtect portal and the LSVPN gateway. The VM-Series firewalls on AWS are configured to function as GlobalProtect satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that terminates on the gateway. When a mobile user requests an application or resource that resides on the corporate network, the VM-Series firewall routes the request over the IPSec tunnel.
Deploy GlobalProtect Gateways on AWS
To secure mobile users, in addition to deploying and configuring the GlobalProtect gateways on AWS, you need to set up the other components required for this integrated solution. The following table includes the recommended workflow:
Deploy GlobalProtect on AWS
Task: Deploy the VM-Series firewall(s) on AWS.
   See Deploy the VM-Series Firewall on AWS.
Task: Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway.
   Configure the GlobalProtect portal.
   Configure the GlobalProtect portal for LSVPN.
   Configure the portal to authenticate LSVPN satellites.
   Configure the GlobalProtect gateway for LSVPN.
Task: Set up a template on Panorama for configuring the VM-Series firewalls on AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls on AWS.
   Create template(s) on Panorama. Then use the following links to define the configuration in the templates:
   Configure the firewall as a GlobalProtect gateway.
   Prepare the satellite to join the LSVPN.
Task: Create device groups on Panorama to define the network access policies and internet access rules and apply them to the firewalls on AWS.
   See Create device groups.
Task: Apply the templates and the device groups to the VM-Series firewalls on AWS, and verify that the firewalls are configured properly.
Task: Deploy the GlobalProtect client software. Every end-user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway.
   See Deploy the GlobalProtect client software.
AutoScaleVMSeriesFirewallswiththeAmazonELB
PaloAltoNetworksdeliversCloudFormationTemplatesfordeployinganautoscalingtierofVMSeries
firewallsusingseveralAWSservicessuchasLambda,autoscalinggroups,ElasticLoadBalancing(ELB),S3,
SNS,andCloudWatch,andtheVMSeriesautomationcapabilitiesincludingthePANOSAPIand
bootstrapping.Thetemplates(latestisvpcclassicv1.2.templateandvpcalbv1.2.template)allowyouto
leveragetheAWSscalabilityfeaturesdesignedtomanagesuddensurgesindemandforapplicationworkload
resourcesbysimultaneouslyscalingtheVMSeriesfirewallswithchangingworkloads.
ThetemplatesdeploytheVMSeriesinanELBsandwichtopologywithaninternetfacingclassicELBandan
eitheraninternalclassicloadbalanceroraninternalapplicationloadbalancer(internalELB). The
internetfacingELBisaccessiblefromtheinternetanddistributestrafficthatenterstheVPCacrossapool
ofVMSeriesfirewalls.ThefirewallsthenredirecttrafficusingNATpolicytotheinternalELB.Theinternal
ELB,whichisonlyaccessibleinsidetheVPC,distributestraffictoanautoscalingtierofwebservers.TheAPI
integrationwithAWSCloudWatchallowstheCloudWatchservicetomonitorthehealthandresourceload
ontheEC2instancesVMSeriesfirewallsandwebserversandthenusethatinformationtotriggerascale
inorscaleouteventintherespectiveAutoScalingGroup(ASG).
WhatComponentsDoestheVMSeriesAutoScalingTemplateforAWSDeploy?
HowDoestheVMSeriesAutoScalingTemplateforAWSEnableDynamicScaling?
PlantheVMSeriesAutoScalingTemplateforAWS
LaunchtheVMSeriesAutoScalingTemplateforAWS
CustomizetheBootstrap.xmlFile
NATPolicyRuleandAddressObjectsintheAutoScalingTemplate
StackUpdatewithVMSeriesAutoScalingTemplateforAWS(v1.2)
ModifyAdministrativeAccountandUpdateStack
TroubleshoottheVMSeriesAutoScalingTemplateforAWS
WhatComponentsDoestheVMSeriesAutoScalingTemplateforAWS
Deploy?
TheVMSeriesAutoScalingtemplateforAWSprovidestwodeploymentoptions.Thefirstoptionoffersthe
flexibilitytodeployacompleteAWSenvironmentalongwiththeautoscalingtierofVMSeriesfirewallsin
onestreamlinedworkflow.ThesecondoptionallowsyoutodeployonlytheautoscalingtierofVMSeries
firewallsintoyourexistingAWSdeployment.
ThisVMSeriesAutoScalingtemplatedoesnotdeployPanorama,andPanoramaisoptionalinthissolution.
IfyouwanttousePanoramatomanagetheVMSeriesfirewallsthatthesolutiondeploys,youcaneitherusean
MSeriesapplianceinsideyourcorporatenetwork,oraPanoramavirtualapplianceonaVMwareESXiserver
insideyourcorporatenetworkorinvCloudAir;youcannotdeployPanoramaonAWS.
TheVMSeriesAutoScalingtemplateincludesthefollowingbuildingblocksthatmaketheseoptions
possible:
BuildingBlock Description
VPCtemplate TheVPCtemplatesautomatetheprocessofdeployingaVPCwithtwoorthree
AvailabilityZones(AZs).ItdeploysanexternalELB,awebserverfarmandaninternal
ELBthatloadbalancestraffictothewebserverfarm.Inadditiontothesubnets,route
tables,andsecuritygroupsrequiredforroutingtrafficacrosstheseAZs,italso
createstheAutoScalingGroup(ASG)forthewebserverfarmandanAWSNAT
gateway,ifyouoptforone.
DependingonyourpreferencefortheinternalELB,youcanchoosefromthesetwo
templates:
vpcclassicv.<number>templateUsethistemplateifyouwanttouseaclassicELB
forloadbalancingtraffictotheinternalwebserverfarm.
vpcalbv.<number>.templateUsethistemplate,ifyoupreferanapplicationELB
forloadbalancingtraffictotheinternalwebserverfarm.
Bothtemplates,deploytheclassicELBforinternetfacingtraffic.
Firewalltemplate TheVPCtemplateinvokesthefirewall.templatetolaunchtheVMSeriesfirewall.
IfyouhaveanexistingVPCwiththerequiredsubnets,securitygroups,webservers,
andELBs,andwanttoonlydeploytheVMSeriesfirewallatscale,youcanusethe
firewall.templateinsteadofthevpc.template.
Thefirewall.templatecreatesaninitialASGwithasingleVMSeriesfirewalltosecure
thewebserversineachAZ,addstheENIsforthetrustandmanagementinterfaces,
andtriggersthebootstrapprocessincludingregistrationwithPanorama.Toenable
autoscalingoftheVMSeriesfirewalls,thistemplateleveragesPANOSmetricsfrom
theVMSeriesfirewallandpublishesdataonyourpreferredmetrictoAWS
CloudWatch.
YoucanselectoneofthefollowingPANOSmetricsactivesessions,dataplaneCPU
utilization,ordataplaneCPUbufferutilization.
Lambda functions: AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In this template, AWS Lambda monitors the custom PAN-OS metrics and the internal ELB to enable dynamic scaling of the VM-Series firewalls. The Lambda functions add or remove elastic network interfaces (ENIs) when a firewall is launched or terminated, collect and publish CloudWatch metrics so that you can define auto scaling policy using CloudWatch alarms, delete all the associated resources when an instance is terminated or the stack is deleted, and remove the firewall as a managed device on Panorama. The Lambda functions also monitor the VIP addresses on the internal ELB so that they can add or remove an ASG for the VM-Series firewalls, maintaining a 1:1 ratio between internal ELB VIPs and VM-Series firewall ASGs.

Building Block / Description

Bootstrap files: This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic from the ELB. The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). For details see Management Interface Mapping for Use with Amazon ELB.

The bootstrap.xml file contains a NAT policy rule to properly route traffic in this auto scaling ELB environment. In order to perform NAT, the firewall requires a single IP address in the NAT policy rule; the firewall cannot use an FQDN or round-robin NAT to multiple IP addresses. But to enable auto scaling, the AWS ELB publishes an FQDN as a virtual IP address (VIP) rather than publishing an IP address, and as the internal ELB scales, the FQDN automatically resolves to multiple IP addresses (one per AZ). The NAT policy rule included in the bootstrap.xml file resolves this conflict: it references an address object rather than a literal address. When the firewall boots up, a Lambda function writes the IP address of the internal ELB into that address object so that the NAT policy resolves to the correct IP address for the internal ELB and the firewall can route traffic between the external ELB and the internal ELB in this solution.

Note: The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

To deploy the solution, see Launch the VM-Series Auto Scaling Template for AWS.
How Does the VM-Series Auto Scaling Template for AWS Enable Dynamic Scaling?

The VM-Series firewalls scale in and scale out based on PAN-OS metrics and on application traffic.

PAN-OS metric-based scaling. The VM-Series firewalls scale based on custom PAN-OS metrics that trigger alarms and policies to dynamically deploy or terminate instances, increasing or decreasing capacity in the VM-Series firewall ASG. To monitor traffic load on the VM-Series firewalls, you can configure alarms based on the following custom PAN-OS metrics: the number of active sessions on the firewall, dataplane CPU utilization, or dataplane buffer utilization. The VM-Series Auto Scaling template uses an AWS Lambda function to publish the metrics to AWS CloudWatch at a one-minute frequency. When a metric that is being monitored reaches a configured threshold for the defined time interval, CloudWatch triggers an alarm and initiates an auto scaling event.

Application traffic-based scaling. The VM-Series firewalls scale based on the internal ELB, which scales in response to the demands of the application traffic in the web server ASG. There is a 1:1 ratio between the number of internal ELB virtual IP addresses and the number of ASGs for the VM-Series firewalls. So, when the Lambda function in the VM-Series Auto Scaling template detects the addition or the deletion of an internal ELB VIP address, an ASG for the VM-Series firewall is added or deleted in response to the change, and the IP address of the firewall is added to or removed from the external ELB pool so that the external ELB can distribute traffic across all the available firewalls in the ASG.

The VM-Series firewalls within an ASG are identical in configuration. Each firewall is bootstrapped and configured with a NAT policy rule that directs all traffic to the IP address of the internal ELB.

Similarly, when traffic volume is reduced and an internal ELB VIP address is deleted, the Lambda function deletes the ASG and the VM-Series firewalls associated with the ASG. The IP address of the firewall is also removed from the external ELB pool.
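The metric-based path above has two halves: a Lambda function turns a firewall API reply into CloudWatch datapoints, and a CloudWatch alarm fires only when the threshold is held for the whole evaluation window. The following Python is an added example that shows both halves running offline; it is not the Lambda code shipped in the template. The XML shape of the `show session info` reply, the metric and dimension names, and all numbers are constructed for illustration.

```python
"""Added example (not the template's Lambda code): the PAN-OS metric path,
from a firewall API reply to a CloudWatch alarm decision, runnable offline.

Assumptions: the XML layout of a PAN-OS XML API reply to `show session
info` (num-active / num-max under <result>), the metric and dimension
names, and every number below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample reply; the real Lambda fetches it from the firewall
# with the API key you enter when launching the template.
SAMPLE_SESSION_INFO = """<response status="success"><result>
  <num-active>8421</num-active>
  <num-max>256000</num-max>
</result></response>"""


def session_metrics(xml_text, instance_id, asg_name):
    """Turn a `show session info` reply into CloudWatch MetricData entries.

    The returned list is the MetricData argument that boto3's
    cloudwatch.put_metric_data(Namespace=..., MetricData=...) expects; the
    call itself is omitted so the example runs without AWS credentials.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("firewall API call failed: %s" % root.get("status"))
    active = int(root.findtext("./result/num-active"))
    maximum = int(root.findtext("./result/num-max"))
    dims = [{"Name": "InstanceId", "Value": instance_id},
            {"Name": "AutoScalingGroupName", "Value": asg_name}]
    return [
        {"MetricName": "ActiveSessions", "Dimensions": dims,
         "Value": active, "Unit": "Count"},
        {"MetricName": "SessionUtilization", "Dimensions": dims,
         "Value": 100.0 * active / maximum, "Unit": "Percent"},
    ]


def alarm_state(datapoints, threshold, evaluation_periods):
    """CloudWatch-style evaluation of a GreaterThanOrEqualToThreshold alarm.

    `datapoints` are the one-minute values published for one metric, oldest
    first. The alarm fires only when every datapoint in the evaluation
    window breaches the threshold, so a single spike does not scale out.
    """
    if len(datapoints) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    window = datapoints[-evaluation_periods:]
    return "ALARM" if all(v >= threshold for v in window) else "OK"


if __name__ == "__main__":
    for m in session_metrics(SAMPLE_SESSION_INFO, "i-0123456789abcdef0", "fw-asg-a"):
        print(m["MetricName"], round(m["Value"], 2), m["Unit"])
    # Three consecutive breaches are required with evaluation_periods=3.
    print(alarm_state([55, 70, 92, 93, 95], threshold=90, evaluation_periods=3))
```

The evaluation-period check is the reason the checklist talks about a "defined time interval": an alarm on a one-minute metric with three evaluation periods needs three consecutive breaching datapoints before CloudWatch scales the firewall ASG.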
Plan the VM-Series Auto Scaling Template for AWS

The GitHub repository provides VM-Series Auto Scaling template version 1.1 and version 1.2. Version 1.2 is the latest, and it provides the mechanism to update the PAN-OS version of the auto scaling tier of VM-Series firewalls and other resources using the stack update capability for AWS CloudFormation templates. To accommodate your business needs, it also allows you to choose and switch across three licensing options: BYOL, PAYG bundle 1 and PAYG bundle 2. VM-Series Auto Scaling template version 1.1 provides support for PAYG bundle 2 only.

In order to launch the solution successfully, review this checklist before you begin.

VM-Series Auto Scaling Template for AWS Version 1.2
VM-Series Auto Scaling Template for AWS Version 1.1

VM-Series Auto Scaling Template for AWS Version 1.2
The items in this checklist are actions and choices you must make for implementing this solution.

Planning Checklist for Version 1.2

Verify the requirements for deploying the VM-Series Auto Scaling template.
The solution requires AWS Lambda and AWS Signature Version 2 or 4 for PAN-OS 8.0; PAN-OS 7.1 requires Signature Version 2. Look up the list of supported regions and the AMI IDs.

Assign the appropriate permissions for the IAM user role.
The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iampolicy.json file to successfully launch this solution. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.

Create a Support Account on the Palo Alto Networks Support portal.
With VM-Series Auto Scaling template version 1.2, you can opt for the BYOL or PAYG (bundle 1 or bundle 2) licenses. For BYOL, you must register the auth code to your Palo Alto Networks support account prior to launching the VM-Series Auto Scaling template. For PAYG, you must register the VM-Series firewalls to activate your support entitlement.

(For PAYG) Review and accept the End User License Agreement (EULA). Required if you are launching a VM-Series firewall in an AWS account for the first time.
In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The VM-Series Auto Scaling template will fail to deploy if you have not accepted the EULA for the bundle you plan to use. For example, search for VM-Series Next Generation Firewall Bundle 2. Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA. You can now close the browser.
Download the templates, AWS Lambda code, and the bootstrap files. Do not mix and match files across VM-Series Auto Scaling template versions.
Get the files from the following GitHub repository at: https://github.com/PaloAltoNetworks/awselbautoscaling/tree/master/Version1.2

Templates and Lambda code:
  panwaws.zip
  firewall.template
  vpcclassicv1.2.template or vpcalbv1.2.template (you need only one). The vpcclassicv1.2.template includes support for two classic ELBs; the vpcalbv1.2.template includes support for a classic ELB and an internal application ELB.
    Use the vpcalb template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
    Use the vpcclassic template if you want to deploy two classic ELBs: one for load balancing traffic to the internal web servers and another for internet-facing traffic.
  The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case, but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.

Bootstrap files:
  init-cfg.txt
  bootstrap.xml
  The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

Customize the bootstrap.xml file for your production environment.
To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. The default username and password is pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution. If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air.

To successfully register the firewalls with Panorama, you must collect the following details:
  API key for Panorama. So that AWS Lambda can make API requests to Panorama, you must provide an API key when you launch the VM-Series Auto Scaling template. As a best practice, in a production deployment, you should create a separate administrative account just for the API call and generate an associated API key.
  Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
  VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The vm-auth-key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
  Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.

Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.

The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the VM-Series Auto Scaling template across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.

If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimation is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.

Get started:
  Launch the VM-Series Auto Scaling Template for AWS (v1.2)
  Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)
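The Panorama task in the checklist names four items that must land in init-cfg.txt, and the Bootstrap files description adds the mgmt-interface-swap operational command. The following Python is an added example, not a file from the GitHub repository: it renders an init-cfg.txt from those items and checks a file before you upload it to the S3 config folder. The key names are the standard PAN-OS init-cfg.txt keys; the hostname, Panorama address, template and device group names and the vm-auth-key below are placeholders.

```python
"""Added example, not a file from the GitHub repository: build init-cfg.txt
from the checklist items above and check it before uploading it to S3.

Assumptions: key names are the standard PAN-OS init-cfg.txt keys; every
value passed in below is a placeholder, not a real key or address.
"""

# Items the Panorama task in the checklist says the file must carry.
PANORAMA_KEYS = ("panorama-server", "vm-auth-key", "tplname", "dgname")
# Operational command that makes eth0 the dataplane interface behind the ELB.
MGMT_SWAP = "mgmt-interface-swap"


def render_init_cfg(hostname, panorama=None):
    """Return init-cfg.txt text.

    `panorama` is a dict holding PANORAMA_KEYS, or None when Panorama is not
    used (it is optional in this solution).
    """
    lines = [
        "type=dhcp-client",            # AWS hands out the management address
        "hostname=%s" % hostname,
        "op-command-modes=%s" % MGMT_SWAP,
        "dhcp-send-hostname=yes",
        "dhcp-send-client-id=yes",
        "dhcp-accept-server-hostname=yes",
        "dhcp-accept-server-domain=yes",
    ]
    if panorama is not None:
        lines += ["%s=%s" % (k, panorama[k]) for k in PANORAMA_KEYS]
    return "\n".join(lines) + "\n"


def parse_init_cfg(text):
    """Parse key=value lines; blank lines are ignored, duplicate keys are an error."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line without '=': %r" % raw)
        if key in cfg:
            raise ValueError("duplicate key: %s" % key)
        cfg[key] = value
    return cfg


def check_init_cfg(text, expect_panorama):
    """Return a list of problems; an empty list means the file is ready to upload."""
    cfg = parse_init_cfg(text)
    problems = []
    modes = cfg.get("op-command-modes", "").split(",")
    if MGMT_SWAP not in modes:
        problems.append("op-command-modes must include %s" % MGMT_SWAP)
    if expect_panorama:
        problems += ["missing %s" % k for k in PANORAMA_KEYS if not cfg.get(k)]
    return problems


if __name__ == "__main__":
    # Placeholder values: replace with the address, names and key from your Panorama.
    text = render_init_cfg("vm-series-asg", {
        "panorama-server": "192.0.2.10",
        "vm-auth-key": "<vm-auth-key-generated-on-panorama>",
        "tplname": "aws-asg-template",
        "dgname": "aws-asg-devicegroup",
    })
    print(text)
    print("problems:", check_init_cfg(text, expect_panorama=True))
```

Run the check against the file you actually intend to upload: a firewall bootstrapped without the vm-auth-key boots, but never registers with Panorama, and the error only surfaces later as a missing managed device.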
VM-Series Auto Scaling Template for AWS Version 1.1

The items in this checklist are actions and choices you must make for implementing this solution.

Planning Checklist for Version 1.1

Verify the requirements for deploying the VM-Series Auto Scaling template version 1.1.
The solution requires AWS Lambda and AWS Signature Version 2, and is supported in the following regions: US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney).

Assign the appropriate permissions for the IAM user role.
The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iampolicy.json file to successfully launch the solution. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.

Create a Support Account on the Palo Alto Networks Support portal.
All the VM-Series firewalls deployed by VM-Series Auto Scaling template version 1.1 support the usage-based (PAYG bundle 2) licenses. Version 1.1 does not support the BYOL option. You must register the VM-Series firewalls to activate your support entitlement.
Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA. You can now close the browser.
Download the templates, AWS Lambda code, and the bootstrap files.
Get the files from the following GitHub repository at: https://github.com/PaloAltoNetworks/awselbautoscaling/tree/master/Version1.1

Templates and Lambda code:
  panwaws.zip
  firewall.template
  vpcclassicv1.1.template or vpcalbv1.1.template (you need only one). The vpcclassicv1.1.template includes support for two classic ELBs; the vpcalbv1.1.template includes support for a classic ELB and an internal application ELB.
    Use the vpcalb template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
    Use the vpcclassic template if you want to deploy two classic ELBs: one for load balancing traffic to the internal web servers and another for internet-facing traffic.
  The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case, but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.

Bootstrap files:
  init-cfg.txt
  bootstrap.xml
  The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

Customize the bootstrap.xml file for your production environment.
To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution. If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air.

And, if you use Panorama, you need the following information so that the firewalls can register with Panorama:
  API key for an administrative user account on Panorama. AWS Lambda uses this key to make API requests to Panorama. By default, the VM-Series Auto Scaling template uses an API key with username and password admin/admin. For better security, create an administrative account on Panorama and generate a new API key for the account. You must enter this key when you launch the VM-Series Auto Scaling template.
  Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
  VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The vm-auth-key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
  Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.

Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.

The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the VM-Series Auto Scaling template across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.

If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimation is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.

Get started:
  Launch the VM-Series Auto Scaling Template for AWS (v1.1)
Launch the VM-Series Auto Scaling Template for AWS

Pick the workflow for the VM-Series Auto Scaling template version you are deploying.
  Launch the VM-Series Auto Scaling Template for AWS (v1.2)
  Launch the VM-Series Auto Scaling Template for AWS (v1.1)

If you have deployed the template v1.2 and want to update resources, see Stack Update with VM-Series Auto Scaling Template for AWS (v1.2).

Launch the VM-Series Auto Scaling Template for AWS (v1.2)

Use the following workflow to deploy all the components in this solution using the vpcclassicv1.2.template or the vpcalbv1.2.template.

If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and you only need to deploy the VM-Series firewall at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.

Launch the Template Version 1.2

The vm-auth-key and Panorama IP address above are example values. You need to enter the values that match your setup.
4. Save and close the file.

c. Click the link to open the config folder.
d. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and bootstrap.xml file, and click Open.
e. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.
f. (For BYOL only) Click the link to open the license folder and upload the txt file with the auth code required for licensing the VM-Series firewalls.

3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
a. Click the bucket name.
b. Click Add Files to select the panwaws.zip file and the firewall.template, and click Open.
c. Click Start Upload to add the files to the S3 bucket.

Step 15 Review the template settings and launch the template.
1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
3. On successful deployment the status updates to CREATE_COMPLETE.
In each AZ, the VM-Series Auto Scaling template will launch an ASG that includes one VM-Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.

When you are finished with testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient, as the VM-Series Auto Scaling template might automatically deploy new ASGs.

If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM-Series firewalls to shut down gracefully, and Panorama can remove the firewalls from the list of managed devices.
Launch the VM-Series Auto Scaling Template for AWS (v1.1)

Use the following workflow to deploy all the components in this solution using the vpcclassicv1.1.template or the vpcalbv1.1.template.

If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and you only need to deploy the VM-Series firewall at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.

Launch the Template Version 1.1

The vm-auth-key and Panorama IP address above are example values. You need to enter the values that match your setup.
5. Save and close the file.

c. Click the link to open the config folder.
d. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and bootstrap.xml file, and click Open.
e. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.

3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
a. Click the bucket name.
b. Click Add Files to select the panwaws.zip file and the firewall.template, and click Open.
c. Click Start Upload to add the files to the S3 bucket.

Step 14 Review the template settings and launch the template.
1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
3. On successful deployment the status updates to CREATE_COMPLETE.
In each AZ, the VM-Series Auto Scaling template will launch an ASG that includes one VM-Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.

When you are finished with testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient, as the VM-Series Auto Scaling template might automatically deploy new ASGs.

If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM-Series firewalls to shut down gracefully, and Panorama can remove the firewalls from the list of managed devices.
Customize the Bootstrap.xml File

The bootstrap.xml file provided in the GitHub repository uses a default username and password for the firewall administrator. Before deploying the VM-Series Auto Scaling template in a production environment, at a minimum, you must create a unique username and password for the administrative account on the VM-Series firewall. Optionally, you can fully configure the firewall with zones, policy rules, and security profiles and export a golden configuration snapshot. You can then use this configuration snapshot as the bootstrap.xml file for your production environment.

You have two ways to customize the bootstrap.xml file for use in a production environment:
  Option 1: Launch a VM-Series firewall on AWS using the bootstrap files provided in the GitHub repository, modify the firewall configuration and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template. See Use the GitHub Bootstrap Files as Seed.
  Option 2: Launch a new VM-Series firewall on AWS without using the bootstrap files, add a NAT policy rule to ensure that the VM-Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template. See Create a new Bootstrap File from Scratch.

If you have deployed the template and now need to change the credentials for the administrative user or add a new admin user and update the template stack, see Modify Administrative Account and Update Stack.

Use the GitHub Bootstrap Files as Seed

Launch a VM-Series firewall on AWS from the AWS Marketplace using the bootstrap files provided in the GitHub repository, modify the firewall configuration for your production environment and export the configuration to create a new bootstrap.xml file that you can now use for the VM-Series Auto Scaling template.

Option 1: Customize the Bootstrap.xml File
1. To launch the firewall see Bootstrap the VM-Series Firewall in AWS.
2. Add an elastic network interface (ENI) and associate an elastic IP address (EIP) to it, so that you can access the web interface on the VM-Series firewall. See Launch the VM-Series Firewall on AWS for details.
3. Use the EIP address to log in to the firewall web interface with admin as the username and password.
4. Add a secure password for the admin user account (Device > Local User Database > Users).
5. (Optional) Configure the firewall for securing your production environment.
6. Select Policies > NAT to verify the firewall has the NAT policy rule required for the VM-Series Auto Scaling template. The NAT policy rule is included in the bootstrap.xml file, and is required to avoid blackholing traffic. The NAT policy rule routes traffic to the internal ELB and ensures symmetric return of the traffic from the web servers.
7. Commit the changes on the firewall.
8. Generate a new API key for the administrator account. Copy this new key to a new file. You will need to enter this API key when you launch the VM-Series Auto Scaling template; the AWS services use the API key to deploy the firewall and to publish metrics for auto scaling.
11. (Required if you exported a PAN-OS 8.0 configuration) Ensure that the setting to validate the Palo Alto Networks servers is disabled. Look for <server-verification>no</server-verification>. If the check is yes, change it to no.
12. Save the file. You can now proceed with Launch the VM-Series Auto Scaling Template for AWS.

Create a new Bootstrap File from Scratch

Launch a new VM-Series firewall on AWS using PAN-OS 8.0 without using the bootstrap files, add a NAT policy rule to ensure that the VM-Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template.

Option 2: Customize the Bootstrap.xml File
1. Deploy the VM-Series Firewall on AWS (no bootstrapping required) and use the public IP address to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need to configure a new administrative password for the firewall.
2. Log in to the firewall web interface.
3. (Optional) Configure the firewall. You can configure the dataplane interfaces, zones and policy rules. Commit the changes on the firewall.
4. Export the configuration file and name it bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
5. Download the bootstrap.xml file from the GitHub repository, open it with a text editing tool, and copy lines 406 to 435 and 445 to 454. These lines define the NAT policy rule and the address objects required for the VM-Series Auto Scaling template. If you want to copy and paste the NAT policy rule and address objects, see NAT Policy Rule and Address Objects in the Auto Scaling Template.
6. Use a text editing tool to open the configuration file you exported earlier.
   a. Search for </security> and paste lines 406 to 435 after </security>.
   b. Search for </import> and paste lines 445 to 454 after </import>.
7. Delete the management interface configuration.
   a. Search for </service> and delete the ip-address, netmask and default-gateway that follow.
   b. Search for </type> and delete the ip-address, netmask, default-gateway, and public-key that follow.
8. Save the file. You can now proceed with Launch the VM-Series Auto Scaling Template for AWS.
NAT Policy Rule and Address Objects in the Auto Scaling Template

To Customize the Bootstrap.xml File for deploying the VM-Series Auto Scaling Template for AWS in your production environment, you must copy the following NAT policy rule into your configuration file. You can find the NAT rule and address objects in the bootstrap.xml file in the GitHub repository.

NAT Policy Rule

<nat>
  <rules>
    <entry name="nat-for-asg">
      <to>
        <member>Untrust</member>
      </to>
      <from>
        <member>any</member>
      </from>
      <source>
        <member>any</member>
      </source>
      <destination>
        <member>AWS-NAT-UNTRUST</member>
      </destination>
      <service>any</service>
      <to-interface>ethernet1/1</to-interface>
      <destination-translation>
        <translated-address>AWS-NAT-ILB</translated-address>
      </destination-translation>
      <source-translation>
        <dynamic-ip-and-port>
          <interface-address>
            <interface>ethernet1/2</interface>
          </interface-address>
        </dynamic-ip-and-port>
      </source-translation>
    </entry>
  </rules>
</nat>

NAT Policy Address Objects

<address>
  <entry name="AWS-NAT-ILB">
    <ip-netmask>192.168.12.223</ip-netmask>
    <description>ILB-IP-address</description>
  </entry>
  <entry name="AWS-NAT-UNTRUST">
    <ip-netmask>192.168.11.115</ip-netmask>
    <description>UNTRUST-IP-address</description>
  </entry>
</address>
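Steps 5 to 7 of Option 2 and step 11 of Option 1 are text-editor edits to an exported configuration, which is easy to get subtly wrong (a duplicated rule, a leftover management address). The following Python is an added example, not part of the GitHub repository, that applies the same edits with an XML parser and then checks the result before you upload it. The sample exported configuration embedded in it is constructed and far smaller than a real export; the XPaths follow the places the steps name (rulebase/security, vsys/import, deviceconfig/system), and it assumes, as PAN-OS addresses configuration by XPath, that the position of the pasted elements among their siblings does not matter.

```python
"""Added example, not part of the GitHub repository: apply Option 2 steps
5 to 7 and Option 1 step 11 to an exported configuration with a parser.

Assumptions: the sample export below is constructed; XPaths mirror the
locations the steps name; sibling order within a parent is not significant.
"""
import xml.etree.ElementTree as ET

# The NAT rule and address objects shown above. The two addresses are
# placeholders: the Lambda function rewrites AWS-NAT-ILB when a firewall boots.
NAT_RULEBASE = """<nat><rules><entry name="nat-for-asg">
  <to><member>Untrust</member></to><from><member>any</member></from>
  <source><member>any</member></source>
  <destination><member>AWS-NAT-UNTRUST</member></destination>
  <service>any</service><to-interface>ethernet1/1</to-interface>
  <destination-translation><translated-address>AWS-NAT-ILB</translated-address></destination-translation>
  <source-translation><dynamic-ip-and-port><interface-address>
    <interface>ethernet1/2</interface></interface-address></dynamic-ip-and-port></source-translation>
</entry></rules></nat>"""
ADDRESS_OBJECTS = """<address>
  <entry name="AWS-NAT-ILB"><ip-netmask>192.168.12.223</ip-netmask><description>ILB-IP-address</description></entry>
  <entry name="AWS-NAT-UNTRUST"><ip-netmask>192.168.11.115</ip-netmask><description>UNTRUST-IP-address</description></entry>
</address>"""

# Constructed stand-in for the snapshot exported in Option 2 step 4.
SAMPLE_EXPORT = """<config version="8.0.0"><devices><entry name="localhost.localdomain">
<deviceconfig><system>
  <type><static/></type>
  <ip-address>10.0.0.10</ip-address><netmask>255.255.255.0</netmask>
  <default-gateway>10.0.0.1</default-gateway><public-key>c3NoLXJzYSBBQUFB</public-key>
  <server-verification>yes</server-verification>
  <service><disable-telnet>yes</disable-telnet></service>
</system></deviceconfig>
<vsys><entry name="vsys1">
  <import><network><interface><member>ethernet1/1</member><member>ethernet1/2</member></interface></network></import>
  <rulebase><security><rules/></security></rulebase>
</entry></vsys>
</entry></devices></config>"""

MGMT_SETTINGS = ("ip-address", "netmask", "default-gateway", "public-key")  # step 7
VSYS = "./devices/entry/vsys/entry[@name='vsys1']"
SYSTEM = "./devices/entry/deviceconfig/system"


def prepare_bootstrap(exported_xml):
    """Return the exported configuration with the auto scaling edits applied."""
    root = ET.fromstring(exported_xml)
    vsys, system = root.find(VSYS), root.find(SYSTEM)
    # Step 6a: NAT rule beside the security rulebase; never duplicate a name.
    rulebase = vsys.find("rulebase")
    nat = rulebase.find("nat")
    if nat is None:
        nat = ET.SubElement(rulebase, "nat")
    rules = nat.find("rules")
    if rules is None:
        rules = ET.SubElement(nat, "rules")
    for rule in ET.fromstring(NAT_RULEBASE).iter("entry"):
        if rules.find("entry[@name='%s']" % rule.get("name")) is None:
            rules.append(rule)
    # Step 6b: the address objects the rule refers to, beside <import>.
    address = vsys.find("address")
    if address is None:
        address = ET.SubElement(vsys, "address")
    for obj in ET.fromstring(ADDRESS_OBJECTS):
        if address.find("entry[@name='%s']" % obj.get("name")) is None:
            address.append(obj)
    # Step 7: drop the management address carried over from the source instance.
    for tag in MGMT_SETTINGS:
        for el in system.findall(tag):
            system.remove(el)
    # Option 1 step 11: server verification must not be "yes".
    sv = system.find("server-verification")
    if sv is not None and sv.text == "yes":
        sv.text = "no"
    return root


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


def verify_bootstrap(root):
    """Checks to run on bootstrap.xml before uploading it to the S3 config folder."""
    if isinstance(root, str):
        root = ET.fromstring(root)
    vsys, system = root.find(VSYS), root.find(SYSTEM)
    rule = vsys.find("rulebase/nat/rules/entry[@name='nat-for-asg']")
    have = {e.get("name") for e in vsys.findall("address/entry")}
    return {
        "nat_rule": rule is not None
        and rule.findtext("destination-translation/translated-address") == "AWS-NAT-ILB",
        "address_objects": {"AWS-NAT-ILB", "AWS-NAT-UNTRUST"} <= have,
        "mgmt_cleared": all(system.find(t) is None for t in MGMT_SETTINGS),
        "server_verification_off": system.findtext("server-verification") != "yes",
    }


if __name__ == "__main__":
    prepared = prepare_bootstrap(SAMPLE_EXPORT)
    print(verify_bootstrap(prepared))
    print(to_xml(prepared))
```

Running the same function over an already-prepared file is harmless: the name checks stop the rule and the address objects from being added twice, which is the mistake a second round of copy-and-paste tends to make.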
Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)

A stack update allows you to modify the resources that the VM-Series Auto Scaling template deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters:
  PAN-OS version. Deploy new VM-Series firewalls with a different PAN-OS version.
  License. Switch from BYOL to PAYG and vice versa, or switch from one PAYG bundle to another.
  Other stack resources. Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the instance type, and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall.

When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the AMI ID, the instance type, and the key pair for your auto scaling group. To modify these parameters, you must update the stack and then replace the existing auto scaling group with a new auto scaling group that uses the updated stack parameters to create the launch configuration and deploy new instances with these new parameters; existing instances continue to run with the configuration that they were originally launched with. This phased rollout allows you to verify the updates in one AZ at a time and then complete the changes across the other AZs without disruption. For critical applications, perform a stack update during a maintenance window.

You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.

Stack Update with VM-Series Auto Scaling Template v1.2

Step 1 In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.

Step 2 Modify the resources that you want to update.
  PAN-OS version. To modify the PAN-OS version, look up the AMI ID for the version you want to use and enter the ID. If you are upgrading to PAN-OS 8.0, make sure to select an instance type that meets the VM-Series System Requirements.
  License option. Switch from BYOL to PAYG or across PAYG bundles 1 and 2. If you're switching to BYOL, make sure to include the auth code in the bootstrap package (see Step 3 and Step 5). If you're switching between PAYG bundle versions 1 and 2, look up the AMI ID for the VM-Series firewall.
  Other stack resources. You can modify the AMI ID, the instance type, security group, and key pair for the stack resources, or the API key associated with the administrative user account on the firewall. If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, then in order to update the stack and deploy new firewalls with the updated API key, you need to follow the workflow in Modify Administrative Account and Update Stack.

Step 3 Acknowledge the notifications, review the changes, and click Update to initiate the stack update.

Step 5 Delete the launch configuration.

Step 6 Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG. Test the new ASG thoroughly and ensure it is properly handling traffic. As a best practice, wait one hour before continuing to the next ASG.
Modify Administrative Account and Update Stack

If you have already deployed the template and now want to change the password for the administrative account or create a new administrative user account on the VM-Series firewall, you must generate a new API key and update the template stack with the new API key for the administrative user account. And in order to ensure that new firewall instances are configured with the updated administrative user account, you need to export the firewall configuration, rename it to bootstrap.xml, and then upload it to the S3 bootstrap folder that the VM-Series Auto Scaling template uses.

Step 1 Log in to the web interface of the firewall and change the credentials for an existing administrative user or create a new account.
Step 2 Generate the API key.
Step 3 Export the current running configuration and rename it to bootstrap.xml.
Step 4 Upload this bootstrap.xml file to the S3 bootstrap folder.
Step 5 Update the API key in the stack to ensure that newly launched firewalls will have the updated administrator account. See Stack Update with VM-Series Auto Scaling Template for AWS (v1.2) for details.
TroubleshoottheVMSeriesAutoScalingTemplateforAWS
WhendeployingtheVMSeriesAutoScalingtemplate,ifthetemplatestackisunabletoprovisionthe
resourcesspecifiedinthetemplate,theprocessautomaticallyrollsbackanddeletestheresourcesthatwere
successfullycreated.Becauseaninitialerrorcantriggeracascadeofadditionalerrors,youneedtoreview
thelogstolocatethefirstfailureevent.
DeploymentIssues
Error:InadequatenumberofElasticIPaddresses(EIPs)
AWSLambdarequiresEIPaddresstosuccessfullylaunchthefirewall.
1. OntheAWSManagementConsole,selectCloudFormation.
2. IntheStacklist,selectthenameofthetemplatethatfailedtodeployandviewthelistofEvents.
3. Lookthroughthefailureeventsformaximum number of addresses has been reached.
Error:Stacknameislongerthan10characters.
TheVMSeriesAutoScalingtemplatedeploymentfailsifthestacknameislongerthan10charactersinlength.
1. OntheAWSManagementConsole,selectCloudWatch > Logs.
2. IntheLogGroupslist,selectthenameoftheLogStreamforthetemplatethatfailedtodeploysothat
youcanfindtheerror.
3. FilterforERROReventsandlookforstack name more than 10 characters long.
Error:TheinstancesizedoesnotmeettheminimumsystemrequirementsfortheVMSeriesfirewallmodel.
TheVMSeriesAutoScalingtemplatedeploymentfailsiftheinstancesizeyouselecteddoesnot
matchtheVMSeriesSystemRequirements.
DeploymentIssues(Continued)
Error: Unable to log in to the firewall
The reasons you cannot log in to the firewall can be:
- The firewall is not configured properly because the bootstrap process failed.
- You chose the NAT gateway option to conserve the use of EIP addresses, so the firewall does not have a publicly accessible IP address. If you are not using Panorama to manage the firewall, to access the CLI or web interface on the firewall on the private IP address assigned by AWS, you must deploy a bastion host or jump server on the same subnet as the firewall and assign a public IP address to the jump server. Then log in to the jump server and connect to the firewall.
- You edited the bootstrap.xml file and the NAT policy is missing or incorrect.
1. To troubleshoot, first check that the template references the correct S3 bucket with the bootstrap files:
   a. On the EC2 Dashboard, select Instances.
   b. Select the firewall instance, and click Actions > View/Change User Data.
   c. Verify the name for the S3 bucket that contains the bootstrap files.
   d. Verify that you created the S3 bucket at the root level, directly under All Buckets. If you nest the S3 bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files. See Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template.
   e. Verify that the S3 bucket is in the same region in which you are deploying the VM-Series Auto Scaling template.
2. Check if the internet-facing ELB is in service. If bootstrapping fails, the VM-Series firewall for load balancing traffic will be out of service.
   a. Select EC2 > Load Balancers.
   b. Select the internet-facing (or external) classic ELB to verify that the VM-Series firewall instances are in service.
The following screenshot shows that the VM-Series firewalls are not in service.
3. If the VM-Series firewalls are in service, check that the NAT policy was successfully committed. If you edited the bootstrap.xml file and deleted or modified the NAT policy rules, the firewall may have a misconfiguration that prevents traffic from being properly routed to the firewall.
Error: AWS Lambda is not supported in the region in which you are deploying the VM-Series Auto Scaling template.
To find the error:
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the template that failed to deploy and view the list of Events. The error is "Resource is not supported in this region".
Error: Failure to successfully create a resource with a message such as:
Embedded stack arn:aws:cloudformation:<AWS region>:290198859335:stack/<name of your stack>
was not successfully created: The following resource(s) failed to create:[ResourceName].
To find the errors:
1. On the AWS Management Console, select CloudWatch.
2. Click on Logs and then select Lambda function on the right. You'll see one or more log streams.
3. Search for [ERROR] and [CRITICAL].
The following example shows that the ELB specified was not found:
Error: Failure to launch the VM-Series Auto Scaling template because of a missing required parameter or not specifying the AWS Availability Zones for the template.
To find the error:
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the template that failed to deploy. A generic template validation error displays.
Error: Failure to launch the VM-Series Auto Scaling template because you did not accept the End User License Agreement (EULA) for the PAYG VM-Series Firewall Bundle you are deploying.
1. On the EC2 Dashboard, select Auto Scaling Groups.
2. Check the details on the failure to launch the firewalls in the ASG. The error indicates that you must accept the terms for deploying the VM-Series firewalls.
List of Attributes Monitored on the AWS VPC
You can monitor up to a total of 32 attributes (14 predefined and 18 user-defined) as key-value pairs. The following attributes (or tag names) are available as match criteria for dynamic address groups.

Attribute                 Format
Architecture              Architecture.<Architecture string>
Guest OS                  GuestOS.<guest OS name>
Image ID                  ImageId.<ImageId string>
Instance ID               InstanceId.<InstanceId string>
Instance State            InstanceState.<instance state>
Instance Type             InstanceType.<instance type>
Key Name                  KeyName.<KeyName string>
Placement (Tenancy,       Placement.Tenancy.<string>
GroupName,                Placement.GroupName.<string>
Availability Zone)        Placement.AvailabilityZone.<string>
Private DNS Name          PrivateDnsName.<Private DNS Name>
Public DNS Name           PublicDnsName.<Public DNS Name>
Subnet ID                 SubnetID.<subnet ID string>
Tag (key, value)          aws-tag.<key>.<value>
                          A maximum of 18 of these tags are supported per instance.
VPC ID                    VpcId.<VpcId string>
IAM Permissions Required for Monitoring the AWS VPC
In order to enable VM Monitoring, the user's AWS login credentials tied to the AWS Access Key and Secret Access Key must have permissions for the attributes listed above. These privileges allow the firewall to initiate API calls for monitoring the virtual machines in the AWS VPC.
The IAM policy associated with the user must either have global read-only access such as AmazonEC2ReadOnlyAccess, or must include individual permissions for all of the monitored attributes. The following IAM policy example lists the permissions for initiating the API actions for monitoring the resources in the AWS VPC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeKeyPairs",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
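As an added example (not from the guide or from AWS), the following Python checks whether an IAM policy document grants the ten ec2:Describe actions listed above and flags Allow grants that reach beyond read-only Describe calls. The sample policies are constructed for the check; NotAction and Condition elements are not evaluated.

```python
import fnmatch
import json

# The ten EC2 API actions the guide lists for VM Monitoring of the AWS VPC.
REQUIRED_ACTIONS = (
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeKeyPairs",
    "ec2:DescribePlacementGroups",
    "ec2:DescribeRegions",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVpcs",
)


def _as_list(value):
    """IAM accepts a single string or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_patterns(policy):
    """Return (allow, deny) lists of lower-cased action patterns from the policy.

    Assumption for this example: NotAction and Condition are not evaluated.
    """
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return allow, deny


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def missing_monitoring_actions(policy_text):
    """Required actions that are not allowed, or are explicitly denied, by the policy."""
    allow, deny = _action_patterns(json.loads(policy_text))
    return [a for a in REQUIRED_ACTIONS
            if not _matches(a, allow) or _matches(a, deny)]


def non_readonly_grants(policy_text):
    """Allowed action patterns broader than ec2:Describe* (least-privilege check)."""
    allow, _ = _action_patterns(json.loads(policy_text))
    return [p for p in allow if not fnmatch.fnmatchcase(p, "ec2:describe*")]


def _policy(actions, effect="Allow"):
    """Build a minimal single-statement policy (constructed test input)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Action": list(actions), "Resource": ["*"]}]})


# Constructed sample policies.
GUIDE_POLICY = _policy(REQUIRED_ACTIONS)            # same grants as the guide's example
NO_TAGS_POLICY = _policy(a for a in REQUIRED_ACTIONS if a != "ec2:DescribeTags")
READONLY_WILDCARD = _policy(["ec2:Describe*"])      # AmazonEC2ReadOnlyAccess style
FULL_EC2 = _policy(["ec2:*"])                       # far broader than monitoring needs
DENY_TAGS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["ec2:DescribeTags"], "Resource": "*"}]})


if __name__ == "__main__":
    for name, text in (("guide", GUIDE_POLICY), ("no-tags", NO_TAGS_POLICY),
                       ("full-ec2", FULL_EC2), ("deny-tags", DENY_TAGS_POLICY)):
        print(name, "missing:", missing_monitoring_actions(text),
              "broad:", non_readonly_grants(text))
```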
VM-Series on KVM Requirements and Prerequisites
- System Requirements
- Options for Attaching the VM-Series on the Network
- Prerequisites for VM-Series on KVM
System Requirements
Requirements              Description
Hardware Resources        See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Software Versions         Ubuntu:
                          - 14.04 LTS (QEMU-KVM 2.0.0 and libvirt 1.2.2)
                          - 16.04 LTS (QEMU-KVM 2.50; libvirt 1.3.1; Open vSwitch 2.5.0)
                          CentOS/Red Hat Enterprise Linux: 7.2 (QEMU-KVM 1.5.3 and libvirt 2.0.0)
                          Open vSwitch: 2.3.1 and later
Network Interfaces,       The VM-Series on KVM supports a total of 25 interfaces: 1 management interface and a maximum of 24 network interfaces for data traffic.
Network Interface Cards   VM-Series deployed on KVM supports software-based virtual switches such as the Linux bridge or the Open vSwitch bridge, and direct connectivity to PCI passthrough or an SR-IOV capable adapter.
and Software Bridges      On the Linux bridge and OVS, the e1000 and virtio drivers are supported; the default driver rtl8139 is not supported.
                          For PCI passthrough/SR-IOV support, the VM-Series firewall has been tested for the following network cards:
                          - Intel 82576 based 1G NIC: SR-IOV support on all supported Linux distributions; PCI passthrough support on all except Ubuntu 12.04 LTS.
                          - Intel 82599 based 10G NIC: SR-IOV support on all supported Linux distributions; PCI passthrough support on all except Ubuntu 12.04 LTS.
                          - Broadcom 57112 and 578xx based 10G NIC: SR-IOV support on all supported Linux distributions; no PCI passthrough support.
                          Drivers: igb; ixgbe; bnx2x
                          Drivers: igbvf; ixgbevf; bnx2x
                          SR-IOV capable interfaces assigned to the VM-Series firewall must be configured as Layer 3 interfaces or as HA interfaces.
Data Plane Development    DPDK is enabled by default on VM-Series firewalls on KVM. For the VM-Series to take advantage of DPDK, you must configure Open vSwitch and DPDK on the host.
Kit (DPDK) Support        You must use a NIC with one of the following drivers:
                          - Virtual Driver: virtio
                          - NIC Drivers: ixgbe, ixgbevf, i40e, i40evf
                          SR-IOV capable interfaces assigned to the VM-Series firewall must be configured as Layer 3 interfaces or as HA interfaces.
Options for Attaching the VM-Series on the Network
- With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host. For external connectivity, data traffic uses the physical interface to which the bridge is attached.
- With PCI passthrough, data traffic is passed directly between the guest and the physical interface to which it is attached. When the interface is attached to a guest, it is not available to the host or to other guests on the host.
- With SR-IOV, data traffic is passed directly between the guest and the virtual function to which it is attached.
Prerequisites for VM-Series on KVM
Before you install the VM-Series firewall on the Linux server, review the following sections:
- Prepare the Linux Server
- Prepare to Deploy the VM-Series Firewall
Prepare the Linux Server
- Check the Linux distribution version. For a list of supported versions, see System Requirements.
- Verify that you have installed and configured KVM tools and packages that are required for creating and managing virtual machines, such as Libvirt.
- If you want to use a SCSI disk controller to access the disk to which the VM-Series firewall stores data, you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions, see Enable the Use of a SCSI Controller.
  KVM on Ubuntu 12.04 does not support the virtio-scsi controller.
- Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM-Series firewall and for connectivity to an external server or the Internet. The VM-Series firewall can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or an SR-IOV capable network card.
  - Make sure that the link state for all interfaces you plan to use is up; sometimes you have to manually bring them up.
  - Verify the PCI ID of all the interfaces. To view the list, use the command: virsh nodedev-list --tree
  - If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive traffic to/from the firewall. If not, create bridge(s) and verify that they are up before you begin installing the firewall.
  - If using PCI passthrough or SR-IOV, verify that the virtualization extensions (VT-d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
  - If using PCI passthrough, ensure that the VM-Series firewall has exclusive access to the interface(s) that you plan to attach to it. To allow exclusive access, you must manually detach the interface(s) from the Linux server; refer to the documentation provided by your network card vendor for instructions. To manually detach the interface(s) from the server, use the command:
    virsh nodedev-detach <pci id of interface>
    For example, pci_0000_07_10_0
    In some cases, in /etc/libvirt/qemu.conf, you may have to uncomment relaxed_acs_check = 1.
  - If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions.
    To enable virtual functions, you need to:
    1. Create a new file in this location: /etc/modprobe.d/
    2. Modify the file using the vi editor to make the functions persistent: vim /etc/modprobe.d/igb.conf
    3. Enable the number of virtual functions required: options igb max_vfs=4
    After you save the changes and reboot the Linux server, each interface (or physical function) in this example will have 4 virtual functions.
    Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported and for instructions to enable it.
- Configure the host for maximum VM-Series performance. Refer to Performance Tuning of the VM-Series for KVM for information about configuring each option.
  - Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries. Open vSwitch is required to use DPDK with the VM-Series firewall.
  - Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
  - Enable multi-queue support for NICs. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
  - Isolate CPU resources in a NUMA node. You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node.
Prepare to Deploy the VM-Series Firewall
- Purchase the VM-Series model and register the authorization code on the Palo Alto Networks Customer Support website. See Create a Support Account and Register the VM-Series Firewall.
- Obtain the qcow2 image and save it on the Linux server. As a best practice, copy the image to the folder: /var/lib/libvirt/qemu/images.
  If you plan to deploy more than one instance of the VM-Series firewall, make the required number of copies of the image. Because each instance of the VM-Series firewall maintains a link with the .qcow2 image that was used to deploy the firewall, to prevent any data corruption issues ensure that each image is independent and is used by a single instance of the firewall.
Supported Deployments on KVM
You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances of the VM-Series firewall on a Linux host. The VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. If you plan on using SR-IOV capable interfaces on the VM-Series firewall, you can only configure the interfaces as Layer 3 interfaces.
- Secure Traffic on a Single Host
- Secure Traffic Across Linux Hosts
Secure Traffic on a Single Host
To secure east-west traffic across guests on a Linux server, the VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces, where the firewall and the other guests on the server are connected using Linux bridges. In this deployment, all traffic between the web servers and the database servers is routed through the firewall; traffic across the database servers only or across the web servers only is processed by the bridge and is not routed through the firewall.
Secure Traffic Across Linux Hosts
To secure your workloads, more than one instance of the VM-Series firewall can be deployed on a Linux host. If, for example, you want to isolate traffic for separate departments or customers, you can use VLAN tags to logically isolate network traffic and route it to the appropriate VM-Series firewall. In the following example, one Linux host hosts the VM-Series firewalls for two customers, Customer A and Customer B, and the workload for Customer B is spread across two servers. In order to isolate traffic and direct it to the VM-Series firewall configured for each customer, VLANs are used.
In another variation of this deployment, a pair of VM-Series firewalls is deployed in a high availability setup. The VM-Series firewalls in the following illustration are deployed on a Linux server with SR-IOV capable adapters. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. Each virtual function attached to the VM-Series firewall is configured as a Layer 3 interface. The active peer in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.
Install the VM-Series Firewall on KVM
The libvirt API that is used to manage KVM includes a host of tools that allow you to create and manage virtual machines. To install the VM-Series firewall on KVM you can use any of the following methods:
- Manually create the XML definition of the VM-Series firewall, then use virsh to import the definition. Virsh is the most powerful tool that allows for full administration of the virtual machine.
- Use virt-install to create the definition for the VM-Series firewall and install it.
- Use the desktop user interface called virt-manager; virt-manager provides a convenient wizard to help you through the installation process.
The following procedure uses virt-manager to install the VM-Series firewall on a server running KVM on RHEL; the instructions for using virsh or virt-install are not included in this document.
If you are deploying several VM-Series firewalls and want to automate the initial configuration on the firewall, see Use an ISO File to Deploy the VM-Series Firewall.
Install the VM-Series on KVM
4. Set the Memory to the minimum memory based on the VM-Series System Requirements of your VM-Series model.
5. Set CPU to the minimum CPUs based on the VM-Series System Requirements of your VM-Series model.
8. To modify disk settings:
   a. Select Disk, expand Advanced options and select Storage format qcow2; Disk Bus Virtio or IDE, based on your setup.
      If you want to use a SCSI disk bus, see Enable the Use of a SCSI Controller.
   b. Expand Performance options, and set Cache mode to writethrough. This setting improves installation time and execution speed on the VM-Series firewall.
9. To add network adapters for the data interfaces:
   a. Select Add Hardware > Network if you are using a software bridge such as the Linux bridge or the Open vSwitch.
      For Host Device, enter the name of the bridge or select it from the drop-down list.
      To specify the driver, set Device Model to e1000 or virtio. These are the only supported virtual interface types.
      In the Host Device list, select the interface on the card or the virtual function.
   c. Click Apply or Finish.
10. Click Begin Installation.
Enable the Use of a SCSI Controller
If you want the VM-Series firewall to use the disk bus type SCSI to access the virtual disk, use the following instructions to attach the virtio-scsi controller to the firewall and then enable the use of the virtio-scsi controller.
KVM on Ubuntu 12.04 does not support the virtio-scsi controller; the virtio-scsi controller can only be enabled on the VM-Series firewall running on RHEL or CentOS.
This process requires virsh because virt-manager does not support the virtio-scsi controller.
Enable the VM-Series Firewall to use a SCSI Controller
Step 1  Create an XML file for the SCSI controller. In this example, it is called virt-scsi.xml.
[root@localhost ~]# cat /root/virt-scsi.xml
<controller type='scsi' index='0' model='virtio-scsi'>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
</controller>
Make sure that the slot used for the virtio-scsi controller does not conflict with another device.
Step 2  Associate this controller with the XML template of the VM-Series firewall.
[root@localhost ~]# virsh attach-device --config <VM-Series_name> /root/virt-scsi.xml
Device attached successfully
Step 3  Enable the firewall to use the SCSI controller.
[root@localhost ~]# virsh attach-disk <VM-Series_name> /var/lib/libvirt/images/PA-VM-6.1.0-c73.qcow2 sda --cache none --persistent
Disk attached successfully
Step 4  Edit the XML template of the VM-Series firewall. In the XML template, you must change the target disk and the disk bus used by the firewall.
By default, the XML template is stored at /etc/libvirt/qemu.
Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
Regardless of whether you use virtual interfaces (Linux/OVS bridge) or PCI devices (PCI passthrough or SR-IOV capable adapter) for connectivity to the VM-Series firewall, the VM-Series firewall treats the interface as a PCI device. The assignment of an interface on the VM-Series firewall is based on PCI-ID, which is a value that combines the bus, device or slot, and function of the interface. The interfaces are ordered starting at the lowest PCI-ID, which means that the management interface (eth0) of the firewall is assigned to the interface with the lowest PCI-ID.
Let's say you assign four interfaces to the VM-Series firewall: three virtual interfaces of type virtio and e1000, and the fourth is a PCI device. To view the PCI-ID for each interface, enter the command virsh dumpxml $domain <name of the VM-Series firewall> on the Linux host to view the list of interfaces attached to the VM-Series firewall. In the output, check for the following networking configuration:
<interface type='bridge'>
<mac address='52:54:00:d7:91:52'/>
<source bridge='mgmt-br'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='bridge'>
<mac address='52:54:00:f4:62:13'/>
<source bridge='br8'/>
<model type='e1000'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
</interface>
<interface type='bridge'>
<mac address='52:54:00:fe:8c:80'/>
<source bridge='br8'/>
<model type='e1000'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
In this case, the PCI-ID of each interface is as follows:
- First virtual interface PCI-ID is 00:03:00
- Second virtual interface PCI-ID is 00:10:00
- Third virtual interface PCI-ID is 00:06:00
- Fourth interface PCI-ID is 00:07:00
Therefore, on the VM-Series firewall, the interface with PCI-ID of 00:03:00 is assigned as eth0 (management interface), the interface with PCI-ID 00:06:00 is assigned as eth1 (ethernet1/1), the interface with PCI-ID 00:07:00 is eth2 (ethernet1/2) and the interface with PCI-ID 00:10:00 is eth3 (ethernet1/3).
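As an added example (not code from the guide), the following Python parses a virsh dumpxml domain definition and predicts the eth0/ethernet1/N assignment by sorting every network device on its guest PCI address, as the text above describes. The sample XML reuses the three bridge interfaces shown above plus a constructed PCI passthrough hostdev at guest slot 0x07 standing in for the fourth interface, which the guide mentions but does not show.

```python
import xml.etree.ElementTree as ET

# Constructed virsh dumpxml excerpt: the guide's three bridge interfaces plus a
# hypothetical PCI passthrough device (hostdev) whose guest-side address is slot 0x07.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:d7:91:52'/>
      <source bridge='mgmt-br'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:f4:62:13'/>
      <source bridge='br8'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:fe:8c:80'/>
      <source bridge='br8'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x07' slot='0x10' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </hostdev>
  </devices>
</domain>
"""


def _pci_key(addr):
    """Sort key (bus, slot, function) from a guest-side <address type='pci'> element."""
    return tuple(int(addr.get(name, "0"), 16) for name in ("bus", "slot", "function"))


def _pci_id(key):
    """Render the key in the bus:slot:function form the guide uses, e.g. 00:03:00."""
    return "%02x:%02x:%02x" % key


def interface_order(domain_xml):
    """Return [(pci_id, guest_name, description)] in the order the firewall assigns them.

    The firewall orders network devices by guest PCI address: the lowest becomes
    eth0 (management), the next eth1 (ethernet1/1), and so on.
    """
    root = ET.fromstring(domain_xml)
    devices = []
    for iface in root.iter("interface"):
        addr = iface.find("address")  # find() only looks at direct children
        if addr is None or addr.get("type") != "pci":
            continue
        model = iface.find("model")
        src = iface.find("source")
        desc = "%s on %s" % (model.get("type") if model is not None else "?",
                             src.get("bridge", "?") if src is not None else "?")
        devices.append((_pci_key(addr), desc))
    for hostdev in root.iter("hostdev"):
        # The direct <address> child is the guest side; <source><address> is the host NIC.
        addr = hostdev.find("address")
        if hostdev.get("type") != "pci" or addr is None:
            continue
        devices.append((_pci_key(addr), "PCI device (passthrough or SR-IOV VF)"))
    devices.sort(key=lambda d: d[0])
    ordered = []
    for index, (key, desc) in enumerate(devices):
        name = "eth0 (management)" if index == 0 else "eth%d (ethernet1/%d)" % (index, index)
        ordered.append((_pci_id(key), name, desc))
    return ordered


if __name__ == "__main__":
    for pci, name, desc in interface_order(SAMPLE_DOMAIN_XML):
        print(pci, name, desc)
```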
Use an ISO File to Deploy the VM-Series Firewall
If you want to pass a script to the VM-Series firewall at boot time, you can mount a CD-ROM with an ISO file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters for the management port of the firewall. The VM-Series firewall on first boot checks for the bootstrap-networkconfig.xml file, and uses the values defined in it.
If a single error is encountered in parsing the bootstrap file, the VM-Series firewall will reject all the configuration in this file and boot with default values.
Create a Bootable ISO File
Sample XML file for the VM-Series Firewall
<?xml version="1.0"?>
<domain type="kvm">
<name>PAN_Firewall_DC1</name>
<memory>4194304</memory>
<currentMemory>4194304</currentMemory>
<vcpu placement="static">2</vcpu>
<os>
<type arch="x86_64">hvm</type>
<boot dev="hd"/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<clock offset="utc"/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type="file" device="disk">
<driver type="qcow2" name="qemu"/>
<source file="/var/lib/libvirt/images/panos-kvm.qcow2"/>
<target dev="vda" bus="virtio"/>
</disk>
<controller type="usb" index="0"/>
<controller type="ide" index="0"/>
<controller type="scsi" index="0"/>
<serial type="pty">
<source path="/dev/pts/1"/>
<target port="0"/>
<alias name="serial0"/>
</serial>
<console type="pty" tty="/dev/pts/1">
<source path="/dev/pts/1"/>
<target type="serial" port="0"/>
<alias name="serial0"/>
</console>
<input type="mouse" bus="ps2"/>
<graphics type="vnc" port="5900" autoport="yes"/>
</devices>
</domain>
To modify the number of vCPUs assigned on the VM-Series firewall, change the value 2 to 4 or 8 vCPUs in this line of the sample XML file:
<vcpu placement="static">2</vcpu>
Performance Tuning of the VM-Series for KVM
The VM-Series firewall for KVM is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall.
By default, KVM uses a Linux bridge for VM networking. However, the best performance in a virtual environment is realized with dedicated I/O interfaces (PCI passthrough or SR-IOV). If a virtual switch is required, use a performance-optimized virtual switch (such as Open vSwitch with DPDK).
- Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS
- Enable Open vSwitch on KVM
- Integrate Open vSwitch with DPDK
- Enable SR-IOV on KVM
- Enable Multi-Queue Support for NICs on KVM
- Isolate CPU Resources in a NUMA Node on KVM
Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS
For ease of installation, Ubuntu 16.04.1 LTS is recommended for use as the KVM hypervisor platform.
Enable Open vSwitch on KVM
Enable OVS by modifying the guest XML definition network settings.
Enable OVS
Step 1  Modify the guest XML definition as follows.
[...]
<interface type='bridge'>
<mac address='52:54:00:fb:00:01'/>
<source bridge='ovsbr0'/>
<virtualport type='openvswitch'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
[...]
Integrate Open vSwitch with DPDK
To integrate Open vSwitch (OVS) with DPDK, you must install the required components and then configure OVS. DPDK is enabled by default on the VM-Series firewall for KVM.
- Install QEMU, DPDK, and OVS on Ubuntu
- Configure OVS and DPDK on the Host
- Edit the VM-Series Firewall Configuration File
Install QEMU, DPDK, and OVS on Ubuntu
Before you can enable DPDK on OVS, you must install QEMU 2.5.0, DPDK 2.2.0, and OVS 2.5.1. Complete the following procedures to install the components.
Build and Install OVS-DPDK on Ubuntu 16.04
Step 1  Log in to the KVM host CLI.
Step 2  Install QEMU 2.5.0 by executing the following commands:
apt-get install build-essential gcc pkg-config glib-2.0 libglib2.0-dev libsdl1.2-dev libaio-dev libcap-dev libattr1-dev libpixman-1-dev
apt-get build-dep qemu
apt-get install qemu-kvm libvirt-bin
wget http://wiki.qemu.org/download/qemu-2.5.0.tar.bz2
tar xjvf qemu-2.5.0.tar.bz2
cd qemu-2.5.0
./configure
make
make install
Step 3  Install DPDK 2.2.0.
1. Execute the following commands:
wget http://dpdk.org/browse/dpdk/snapshot/dpdk-2.2.0.tar.gz
tar xzvf dpdk-2.2.0.tar.gz
cd dpdk-2.2.0
vi config/common_linuxapp
2. Change CONFIG_RTE_APP_TEST=y to CONFIG_RTE_APP_TEST=n
3. Change CONFIG_RTE_BUILD_COMBINE_LIBS=n to CONFIG_RTE_BUILD_COMBINE_LIBS=y
4. Execute the following command:
vi GNUmakefile
5. Change ROOTDIRS-y := lib drivers app to ROOTDIRS-y := lib drivers
6. Execute the following command:
make install T=x86_64-native-linuxapp-gcc
Step 4  Install OVS 2.5.1 by executing the following commands:
wget http://openvswitch.org/releases/openvswitch-2.5.1.tar.gz
tar xzvf openvswitch-2.5.1.tar.gz
cd openvswitch-2.5.1
./configure --with-dpdk=/root/dpdk-2.2.0/x86_64-native-linuxapp-gcc/
make
make install
Configure OVS and DPDK on the Host
After installing the necessary components to support OVS and DPDK, you must configure the host to use OVS and DPDK.
Step 1  Log in to the KVM host CLI.
Step 2  If you are replacing or reconfiguring an existing OVS-DPDK setup, execute the following command to reset any previous configuration. Repeat the command for each interface.
rm /usr/local/var/run/openvswitch/<interface-name>
Step 3  Configure initial hugepages for OVS.
echo 16384 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
Step 4  Mount hugepages for QEMU:
mkdir /dev/hugepages
mkdir /dev/hugepages/libvirt
mkdir /dev/hugepages/libvirt/qemu
mount -t hugetlbfs hugetlbfs /dev/hugepages/libvirt/qemu
Step 5  Use the following command to kill any currently existing OVS daemon.
killall ovsdb-server ovs-vswitchd
Step 6  Create directories for the OVS daemon.
mkdir -p /usr/local/etc/openvswitch
mkdir -p /usr/local/var/run/openvswitch
Step 7  Clear old directories.
rm -f /var/run/openvswitch/vhost-user*
rm -f /usr/local/etc/openvswitch/conf.db
Step 8  Initialize the configuration database.
ovsdb-tool create /usr/local/etc/openvswitch/conf.db \
    /usr/local/share/openvswitch/vswitch.ovsschema
Step 9  Create an OVSDB server.
ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
    --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
    --private-key=db:Open_vSwitch,SSL,private_key \
    --certificate=db:Open_vSwitch,SSL,certificate \
    --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
    --pidfile --detach
Step 10  Initialize OVS.
ovs-vsctl --no-wait init
Step 11  Start the database server.
export DB_SOCK=/usr/local/var/run/openvswitch/db.sock
Step 12  Install the igb_uio module (network device driver) for DPDK.
cd ~/dpdk-2.2.0/x86_64-native-linuxapp-gcc/kmod
modprobe uio
insmod igb_uio.ko
cd ~/dpdk-2.2.0/tools/
Step 13  Enable DPDK on interfaces using PCI ID or interface name.
./dpdk_nic_bind.py --bind=igb_uio <your first data interface>
./dpdk_nic_bind.py --bind=igb_uio <your second data interface>
Step 14  Start the OVS daemon in DPDK mode. You can change the number of cores for ovs-vswitchd. By changing -c 0x1 to -c 0x3, you can have two cores run this daemon.
ovs-vswitchd --dpdk -c 0x3 -n 4 -- unix:$DB_SOCK --pidfile --detach
echo 50000 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
Step 15  Create the OVS bridge and attach ports to the OVS bridge.
ovs-vsctl add-br ovs-br0 -- set bridge ovs-br0 datapath_type=netdev
ovs-vsctl add-port ovs-br0 dpdk0 -- set Interface dpdk0 type=dpdk
ovs-vsctl add-br ovs-br1 -- set bridge ovs-br1 datapath_type=netdev
ovs-vsctl add-port ovs-br1 dpdk1 -- set Interface dpdk1 type=dpdk
Step 16  Create DPDK vhost-user ports for OVS.
ovs-vsctl add-port ovs-br0 vhost-user1 -- set Interface vhost-user1 type=dpdkvhostuser
ovs-vsctl add-port ovs-br1 vhost-user2 -- set Interface vhost-user2 type=dpdkvhostuser
Step 17  Set the number of hardware queues of the NIC used by the host.
ovs-vsctl set Open_vSwitch . other_config:n-dpdk-rxqs=8
ovs-vsctl set Open_vSwitch . other_config:n-dpdk-txqs=8
Step 18  Set the CPU mask used for OVS.
ovs-vsctl set Open_vSwitch . other_config:pmd-cpu-mask=0xffff
Step 19  Set the necessary permissions for DPDK vhost-user ports. In the example below, 777 is used to give read, write, and execute permissions.
chmod 777 /usr/local/var/run/openvswitch/vhost-user1
chmod 777 /usr/local/var/run/openvswitch/vhost-user2
chmod 777 /dev/hugepages/libvirt/qemu
Edit the VM-Series Firewall Configuration File
Edit the VM-Series firewall XML configuration file to support OVS and DPDK. You can access the XML configuration file before or after deploying the VM-Series firewall. If you do this after deploying the firewall, be sure to shut down the firewall before making any changes. The values below are examples; your values for each parameter will vary based on your VM-Series model.
Edit the VM Configuration File
Step 1  Log in to the KVM host CLI.
Step 2  Edit the XML configuration file of your VM-Series firewall.
1. Open the XML config file using virsh edit $<your-vm-series-name>.
2. Set the memory backing for the hugepage. Ensure that you provide enough memory to support the VM-Series firewall model you are deploying on the host. See VM-Series System Requirements for more information.
<memory unit='KiB'>12582912</memory>
<currentMemory unit='KiB'>6291456</currentMemory>
<memoryBacking>
  <hugepages/>
</memoryBacking>
3. Set the necessary CPU flags for the VM.
<cpu mode='host-model'>
4. Enable memory sharing between the VM and the host.
<numa>
<cell id='0' cpus='0,2,4,6' memory='6291456' unit='KiB' memAccess='shared'/>
<cell id='1' cpus='1,3,5,7' memory='6291456' unit='KiB' memAccess='shared'/>
</numa>
5. Set the DPDK vhost-user ports as the VM-Series firewall's network interfaces. Additionally, set the number of virtio virtual queues provided to the VM-Series firewall by the host.
<interface type='vhostuser'>
<mac address='52:54:00:36:83:70'/>
<source type='unix' path='/usr/local/var/run/openvswitch/vhost-user1'
mode='client'/>
<model type='virtio'/>
<driver name='vhost' queues='8'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</interface>
<interface type='vhostuser'>
<mac address='52:54:00:30:d7:94'/>
<source type='unix' path='/usr/local/var/run/openvswitch/vhost-user2'
mode='client'/>
<model type='virtio'/>
<driver name='vhost' queues='8'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</interface>
Enable SR-IOV on KVM
Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. To enable SR-IOV on a KVM guest, define a pool of virtual function (VF) devices associated with a physical NIC and automatically assign VF devices from the pool to PCI IDs.
SR-IOV on the VM-Series for KVM requires one of the following Intel NIC drivers.
Driver Filename         Version
ixgbe/ixgbe.ko          4.2.0.4.1
ixgbevf/ixgbevf.ko      2.14.2
i40e/i40e.ko            1.3.49
i40evf/i40evf.ko        1.2.25
Complete the following procedure to enable SR-IOV.
Enable SR-IOV
Enable Multi-Queue Support for NICs on KVM
Modify the guest XML definition to enable multi-queue virtio-net. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
Enable Multi-Queue Support
Step 1  Modify the guest XML definition. Insert a value from 1 to 256 for N to specify the number of queues. For the best results, match the number of queues with the number of dataplane cores configured on the VM.
<interface type='network'>
<source network='default'/>
<model type='virtio'/>
<driver name='vhost' queues='N'/>
</interface>
Isolate CPU Resources in a NUMA Node on KVM
You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. On KVM, you can view the NUMA topology with virsh. The following example is from a two-node NUMA system:
Isolate CPU Resources in a NUMA Node
Step 1  View the NUMA topology. In the example below, there are two NUMA nodes (sockets), each with a four-core CPU with hyperthreading enabled. All the even-numbered CPU IDs belong to one node and all the odd-numbered CPU IDs belong to the other node.
% virsh capabilities
<topology>
<cells num='2'>
<cell id='0'>
<memory unit='KiB'>33027228</memory>
<pages unit='KiB' size='4'>8256807</pages>
<pages unit='KiB' size='2048'>0</pages>
<distances>
<sibling id='0' value='10'/>
<sibling id='1' value='20'/>
</distances>
<cpus num='8'>
<cpu id='0' socket_id='1' core_id='0' siblings='0,8'/>
<cpu id='2' socket_id='1' core_id='1' siblings='2,10'/>
<cpu id='4' socket_id='1' core_id='2' siblings='4,12'/>
<cpu id='6' socket_id='1' core_id='3' siblings='6,14'/>
<cpu id='8' socket_id='1' core_id='0' siblings='0,8'/>
<cpu id='10' socket_id='1' core_id='1' siblings='2,10'/>
<cpu id='12' socket_id='1' core_id='2' siblings='4,12'/>
<cpu id='14' socket_id='1' core_id='3' siblings='6,14'/>
</cpus>
</cell>
<cell id='1'>
<memory unit='KiB'>32933812</memory>
<pages unit='KiB' size='4'>8233453</pages>
<pages unit='KiB' size='2048'>0</pages>
<distances>
<sibling id='0' value='20'/>
<sibling id='1' value='10'/>
</distances>
<cpus num='8'>
<cpu id='1' socket_id='0' core_id='0' siblings='1,9'/>
<cpu id='3' socket_id='0' core_id='1' siblings='3,11'/>
<cpu id='5' socket_id='0' core_id='2' siblings='5,13'/>
<cpu id='7' socket_id='0' core_id='3' siblings='7,15'/>
<cpu id='9' socket_id='0' core_id='0' siblings='1,9'/>
<cpu id='11' socket_id='0' core_id='1' siblings='3,11'/>
<cpu id='13' socket_id='0' core_id='2' siblings='5,13'/>
<cpu id='15' socket_id='0' core_id='3' siblings='7,15'/>
</cpus>
</cell>
</cells>
Step 2  Pin vCPUs in a KVM guest to specific physical CPUs using the cpuset attribute in the guest XML definition. In this example, all 8 vCPUs are pinned to physical CPUs in the first NUMA node. If you do not wish to explicitly pin the vCPUs, you can omit the cputune block, in which case all vCPUs will be pinned to the range of CPUs specified in cpuset, but will not be explicitly mapped.
<vcpu cpuset='0,2,4,6,8,10,12,14'>8</vcpu>
<cputune>
<vcpupin vcpu='0' cpuset='0'/>
<vcpupin vcpu='1' cpuset='2'/>
<vcpupin vcpu='2' cpuset='4'/>
<vcpupin vcpu='3' cpuset='6'/>
<vcpupin vcpu='4' cpuset='8'/>
<vcpupin vcpu='5' cpuset='10'/>
<vcpupin vcpu='6' cpuset='12'/>
<vcpupin vcpu='7' cpuset='14'/>
</cputune>
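As an added example (not code from the guide), the following Python reads the NUMA cells from virsh capabilities output and generates the Step 2 vcpu/cputune XML for a chosen node, refusing to pin more vCPUs than the node has host CPUs. The capabilities excerpt is constructed from the Step 1 listing with the memory and distance elements omitted.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of 'virsh capabilities' output: the two NUMA cells from Step 1
# (memory and distance elements omitted; CPU ids and siblings are the guide's).
CAPABILITIES_XML = """<capabilities>
  <host>
    <topology>
      <cells num='2'>
        <cell id='0'>
          <cpus num='8'>
            <cpu id='0' socket_id='1' core_id='0' siblings='0,8'/>
            <cpu id='2' socket_id='1' core_id='1' siblings='2,10'/>
            <cpu id='4' socket_id='1' core_id='2' siblings='4,12'/>
            <cpu id='6' socket_id='1' core_id='3' siblings='6,14'/>
            <cpu id='8' socket_id='1' core_id='0' siblings='0,8'/>
            <cpu id='10' socket_id='1' core_id='1' siblings='2,10'/>
            <cpu id='12' socket_id='1' core_id='2' siblings='4,12'/>
            <cpu id='14' socket_id='1' core_id='3' siblings='6,14'/>
          </cpus>
        </cell>
        <cell id='1'>
          <cpus num='8'>
            <cpu id='1' socket_id='0' core_id='0' siblings='1,9'/>
            <cpu id='3' socket_id='0' core_id='1' siblings='3,11'/>
            <cpu id='5' socket_id='0' core_id='2' siblings='5,13'/>
            <cpu id='7' socket_id='0' core_id='3' siblings='7,15'/>
            <cpu id='9' socket_id='0' core_id='0' siblings='1,9'/>
            <cpu id='11' socket_id='0' core_id='1' siblings='3,11'/>
            <cpu id='13' socket_id='0' core_id='2' siblings='5,13'/>
            <cpu id='15' socket_id='0' core_id='3' siblings='7,15'/>
          </cpus>
        </cell>
      </cells>
    </topology>
  </host>
</capabilities>
"""


def numa_cpus(capabilities_xml):
    """Map each NUMA cell id to its host CPU ids, in the order virsh lists them."""
    root = ET.fromstring(capabilities_xml)
    cells = {}
    for cell in root.iter("cell"):
        cells[int(cell.get("id"))] = [int(cpu.get("id")) for cpu in cell.iter("cpu")]
    return cells


def cputune_for_node(capabilities_xml, node, vcpus):
    """Build the <vcpu cpuset> and <cputune> XML that pins `vcpus` guest vCPUs 1:1
    onto host CPUs of NUMA cell `node`, refusing to oversubscribe the node."""
    cells = numa_cpus(capabilities_xml)
    if node not in cells:
        raise ValueError("NUMA node %d not present in capabilities" % node)
    host_cpus = cells[node]
    if vcpus > len(host_cpus):
        raise ValueError("node %d has %d CPUs, cannot pin %d vCPUs"
                         % (node, len(host_cpus), vcpus))
    # cpuset lists the whole node so that even unpinned vCPUs stay on this node.
    lines = ["<vcpu cpuset='%s'>%d</vcpu>" % (",".join(map(str, host_cpus)), vcpus),
             "<cputune>"]
    # vCPU n is mapped to the n-th CPU of the node; vcpupin makes the mapping explicit.
    for vcpu, cpu in enumerate(host_cpus[:vcpus]):
        lines.append("  <vcpupin vcpu='%d' cpuset='%d'/>" % (vcpu, cpu))
    lines.append("</cputune>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(cputune_for_node(CAPABILITIES_XML, 0, 8))
```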
Supported Deployments on Hyper-V
You can deploy one or more instances of the VM-Series on hosts running Hyper-V. Where you place the VM-Series firewall depends on your network topology. VM-Series supports tap, virtual wire, Layer 2, and Layer 3 interface deployments.
Secure Traffic on a Single Hyper-V Host
Secure Traffic Across Multiple Hyper-V Hosts
Secure Traffic on a Single Hyper-V Host
The VM-Series firewall is deployed on a single Hyper-V host along with other guest VMs. In the example below, the VM-Series firewall has Layer 3 interfaces, and the VM-Series and other guest VMs are connected by Hyper-V vSwitches. All traffic between the web servers and database servers is routed through the firewall. Traffic across the database servers only or across the web servers only is processed by the external vSwitch and not routed through the firewall.
Secure Traffic Across Multiple Hyper-V Hosts
You can deploy your VM-Series firewall to secure the traffic of multiple Hyper-V hosts. In the example below, the VM-Series is deployed in Layer 2 mode protecting traffic to and from the guest VMs. A single VM-Series firewall protects traffic between four guest VMs spread across two Hyper-V hosts. VLAN tagging is used to logically isolate traffic and direct it to the firewall. Additionally, management traffic is decoupled from all other traffic by placing it on its own external vSwitch.
System Requirements on Hyper-V
The VM-Series requires a minimum resource allocation on the Hyper-V host, so make sure to conform to the requirements listed below to ensure optimal performance.
The host CPU must be a 64-bit x86-based Intel or AMD CPU with virtualization extension.
See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Minimum of two network adapters. The VM-Series firewall supports synthetic network adapters, which provide better performance than emulated network adapters. Hyper-V supports up to eight synthetic network adapters.
Windows Server 2012 R2 with Hyper-V role add-on. The Hyper-V role add-on for Windows Server 2012 R2 can be managed through Hyper-V Manager or PowerShell.
Hyper-V Server 2012 R2. Hyper-V Server 2012 R2 does not have a native graphical user interface; all configuration is done through PowerShell. However, Hyper-V Server 2012 R2 can be managed using Hyper-V Manager running on a remote machine.
The VM-Series does not support Legacy Network Adapter or SR-IOV/PCI Passthrough.
Linux Integration Services
Linux Integration Services (LIS) is a package of drivers and services that enhance the performance of Linux-based virtual machines on Hyper-V. The VM-Series firewall supports the following services to improve the integration between the host and the virtual machine:
Graceful Shutdown: Allows you to perform a graceful shutdown of the VM-Series firewall from the Hyper-V management interface without having to log in to the guest.
Heartbeat to Hyper-V Manager: Provides heartbeat monitoring of the running status of guest VMs from the Hyper-V management interface.
Firewall Management IP Address Visibility: Allows you to use Hyper-V Manager to view the IP address assigned to the management interface on the firewall.
Install the VM-Series Firewall on Hyper-V
Use the instructions in this section to deploy your VM-Series firewall on a Hyper-V host. A Palo Alto Networks support account and a valid VM-Series license are required to download the VHDX image file and install the VM-Series on the Hyper-V host. If you have not already registered the capacity auth code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After completing the registration, continue to the following tasks:
Before You Begin
Performance Tuning of the VM-Series Firewall on Hyper-V
Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager
Provision the VM-Series Firewall on a Hyper-V host with PowerShell
Perform Initial Configuration on the VM-Series Firewall
Before You Begin
Before installing and configuring your VM-Series firewall, consider the following items and keep them in mind when completing your configuration.
Virtual Switch Types
Before installing the VM-Series, you must create the vSwitches required for providing external connectivity for management access and for routing traffic from and to the virtual machines that the firewall will secure. Hyper-V allows you to create three types of vSwitches:
External vSwitch: binds to a physical network adapter and provides the vSwitch access to a physical network.
Internal vSwitch: passes traffic between the virtual machines and the Hyper-V host. This type of vSwitch does not provide connectivity to a physical network connection.
Private vSwitch: passes traffic between the virtual machines on the Hyper-V host only.
An external vSwitch is required for management of the VM-Series firewall. Other vSwitches connected to the VM-Series firewall can be of any type and will depend on your network topology.
MAC Address Spoofing
If you are deploying the VM-Series firewall with interfaces enabled in Layer 3 mode, make sure to enable use of hypervisor-assigned MAC addresses so that the hypervisor and the firewall can properly handle packets. Alternatively, use the Hyper-V Manager to enable MAC address spoofing on the virtual network adapter for each dataplane interface on the firewall. For more information, see Hypervisor Assigned MAC Addresses.
If you are deploying the VM-Series firewall with interfaces enabled in Layer 2 mode or virtual wire mode, you must enable MAC address spoofing on the virtual network adapter in Hyper-V for each dataplane interface on the firewall. This setting is required to ensure that packets sent by the VM-Series are not dropped by the virtual network adapter if the source MAC address does not match the outgoing interface MAC address.
Performance Tuning of the VM-Series Firewall on Hyper-V
The VM-Series firewall for Hyper-V is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall.
Disable Virtual Machine Queues
Isolate CPU Resources in a NUMA Node
Disable Virtual Machine Queues
Palo Alto Networks recommends disabling virtual machine queues (VMQ) for all NICs on the Hyper-V host. This option is prone to misconfiguration and can cause reduced network performance when enabled.
Disable VMQ
Step 1 Log in to Hyper-V Manager and select your VM.
Step 2 Select Settings > Hardware > Network Adapter > Hardware Acceleration.
Step 4 Click Apply to save your changes and OK to exit the VM settings.
Isolate CPU Resources in a NUMA Node
You can improve performance of VM-Series for Hyper-V by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. You can view the NUMA settings of your VM in Hyper-V Manager by selecting Settings > Hardware > Processor > NUMA.
Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager
Use these instructions to deploy the VM-Series firewall on Hyper-V using Hyper-V Manager.
d. Configure Networking. Select an external vSwitch to connect the management interface on the firewall.
e. To connect the Virtual Hard Disk, select Use an existing virtual hard disk and browse to the VHDX file you downloaded earlier.
f. Review the summary and click Finish.
2. Assign virtual CPUs to the firewall.
a. Select the VM you created and navigate to Action > Settings.
b. Select Processor and enter the minimum number of CPUs based on the VM-Series System Requirements of your VM-Series model.
c. Click OK.
Provision the VM-Series Firewall on a Hyper-V host with PowerShell
Use these instructions to deploy the VM-Series firewall on Hyper-V using PowerShell.
Perform Initial Configuration on the VM-Series Firewall
Use these instructions to perform the initial configuration of your VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on Hyper-V, refer to Bootstrap the VM-Series Firewall on Hyper-V. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.
Configure the Management Interface
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall.
About the VM-Series Firewall on Azure
The VM-Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the VM-Series firewall on both the standard Azure public cloud and on Azure Government environments. The VM-Series firewall on Azure supports both the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) option (usage-based licensing). For Azure Government Marketplace, the VM-Series firewall is available in the BYOL option only. To deploy the VM-Series on Azure Government, use the BYOL workflow outlined in Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template).
For licensing details, see License Types for VM-Series Firewalls, and refer to the list of supported Azure regions in which you can deploy the VM-Series firewall.
Azure DoD is a special region that offers a higher level of security classification than Azure Government. The VM-Series firewall is not supported on Azure DoD regions.
Azure Networking and VM-Series
VM-Series Firewall Templates on Azure
Minimum System Requirements for the VM-Series on Azure
Azure Networking and VM-Series
The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM-Series firewall, you must create user-defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.
On Azure, UDRs are for traffic leaving a subnet only. You cannot create user-defined routes to specify how traffic comes into a subnet from the Internet or to route traffic to virtual machines within a subnet.
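The following added example (written for this page, not code from the guide or from Azure) models the route selection described above in Python: system routes connect every subnet directly, and a UDR attached to the subnet the traffic leaves overrides them for a matching destination, using longest prefix match with user-defined routes taking precedence over system routes of the same length. The VNet, the web and DB subnet prefixes, and the firewall trust IP 192.168.3.4 are constructed values. It also checks a consequence of the note above: since a UDR governs only traffic leaving its own subnet, the DB subnet needs its own UDR pointing back at the firewall, otherwise return traffic takes the system route and bypasses the firewall.

```python
"""Resolve an Azure next hop from system routes plus user-defined routes.

Added example, not from the deployment guide and not Azure's own code. It
models the rule the guide relies on: system routes reach every VM in the
VNet directly, and a UDR on the source subnet overrides them for traffic
leaving that subnet. Selection is longest prefix match; on equal prefix
length a user-defined route beats a system route.
"""
import ipaddress
from dataclasses import dataclass

# Origin precedence on equal prefix length (lower wins).
PRECEDENCE = {"UDR": 0, "System": 1}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # VirtualNetwork, Internet, VirtualAppliance, ...
    next_hop: str = ""      # IP of the appliance when next_hop_type is VirtualAppliance
    origin: str = "System"  # "System" or "UDR"


def system_routes(vnet_cidr):
    """The default routes Azure gives every subnet of a VNet."""
    return [
        Route(vnet_cidr, "VirtualNetwork"),  # any VM in the VNet, reached directly
        Route("0.0.0.0/0", "Internet"),       # everything else leaves via the Internet gateway
    ]


def resolve(routes, destination):
    """Pick the route for `destination`: longest prefix, then origin precedence."""
    ip = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if ip not in net:
            continue
        rank = (net.prefixlen, -PRECEDENCE[route.origin])
        if best is None or rank > best[0]:
            best = (rank, route)
    return best[1] if best else None


def path_is_symmetric(src_table, dst_table, src_ip, dst_ip, appliance_ip):
    """True when both directions of a flow are handed to the same firewall IP."""
    forward = resolve(src_table, dst_ip)
    reverse = resolve(dst_table, src_ip)
    return all(
        r is not None and r.next_hop_type == "VirtualAppliance" and r.next_hop == appliance_ip
        for r in (forward, reverse)
    )


# Constructed two-tier VNet (assumed addresses, not from the guide): a web
# subnet, a DB subnet, and a firewall whose trust interface is the UDR next hop.
VNET = "192.168.0.0/16"
WEB_SUBNET, DB_SUBNET = "192.168.1.0/24", "192.168.2.0/24"
FIREWALL_TRUST_IP = "192.168.3.4"

# Route table on the web subnet: a UDR forces web -> DB through the firewall.
WEB_ROUTES = system_routes(VNET) + [Route(DB_SUBNET, "VirtualAppliance", FIREWALL_TRUST_IP, "UDR")]
# Route table on the DB subnet, with and without the matching UDR back to the web tier.
DB_ROUTES_WITHOUT_UDR = system_routes(VNET)
DB_ROUTES_WITH_UDR = system_routes(VNET) + [Route(WEB_SUBNET, "VirtualAppliance", FIREWALL_TRUST_IP, "UDR")]

if __name__ == "__main__":
    print(resolve(WEB_ROUTES, "192.168.2.10"))            # UDR wins: VirtualAppliance
    print(resolve(WEB_ROUTES, "198.51.100.7"))            # no UDR: Internet
    print(resolve(DB_ROUTES_WITHOUT_UDR, "192.168.1.10"))  # system route, firewall bypassed
    print(path_is_symmetric(WEB_ROUTES, DB_ROUTES_WITH_UDR, "192.168.1.10", "192.168.2.10", FIREWALL_TRUST_IP))
```

The asymmetry check matters because the VM-Series is stateful: if the DB-to-web direction follows the system route, the firewall never sees the return half of the session. When you write the UDRs for a two-tier design, attach one route table per subnet, each pointing the other tier's prefix at the firewall.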
For documentation on Microsoft Azure, refer to https://azure.microsoft.com/en-us/documentation/.
The solution templates for deploying the VM-Series firewall that are available in the Azure Marketplace have three network interfaces. Because the VNet infrastructure does not require virtual machines to have a network interface in each subnet, three network interfaces are sufficient for most deployments. If you want to customize the template, use the ARM templates that are available in the GitHub repository.
VM-Series Firewall Templates on Azure
You can deploy the VM-Series firewall on Azure using templates. Palo Alto Networks provides two kinds of templates:
Solution Templates in the Azure Marketplace: The solution templates that are available in the Azure Marketplace allow you to deploy the VM-Series firewall using the Azure portal. You can use an existing resource group and storage account (or create them new) to deploy the VM-Series firewall with the following default settings:
VNet CIDR 192.168.0.0/16; you can customize the CIDR to a different private IP address range.
Three subnets: 192.168.0.0/24 (management), 192.168.1.0/24 (untrust), 192.168.2.0/24 (trust).
Three network interfaces, one in each subnet. If you customize the VNet CIDR, the subnet ranges map to your changes.
To use the solution template, see Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template).
ARM Templates in the GitHub Repository: In addition to Marketplace-based deployments, Palo Alto Networks provides Azure Resource Manager templates in the GitHub Repository to simplify the process of deploying the VM-Series firewall on Azure.
Use the ARM Template to Deploy the VM-Series Firewall: The basic ARM template includes two JSON files (a Template file and a Parameters File) to help you deploy and provision all the resources within the VNet in a single, coordinated operation. These templates are provided under an as-is, best-effort support policy.
If you want to use the Azure CLI to locate all the images available from Palo Alto Networks, you need the following details to complete the command (show vm image list):
Publisher: paloaltonetworks
Offer: vmseries1
SKU: byol, bundle1, bundle2
Version: 8.0.0, 7.1.1 or latest
Deploy the VM-Series and Azure Application Gateway Template: to support a scale-out security architecture that protects your internet-facing web applications using two VM-Series firewalls between a pair of (external and internal) Azure load balancers, see VM-Series and Azure Application Gateway.
Minimum System Requirements for the VM-Series on Azure
You must deploy the VM-Series firewall in the Azure Resource Manager (ARM) mode only; the classic mode (Service Management-based deployments) is not supported. The VM-Series firewall on Azure must meet the following requirements:
Azure VMs of the following types: Standard_A4, Standard_D3, Standard_D3_v2, Standard_D4, Standard_D4_v2, Standard_D5_v2, Standard_DS5_v2.
For memory, disk and CPU cores required to deploy the VM-Series firewall, see VM-Series System Requirements.
You can add additional disk space of 60 GB to 8 TB for logging purposes. The VM-Series firewall does not utilize the temporary disk that Azure provides.
Up to three network interfaces (NICs). A primary interface is required for management access and up to two interfaces for data traffic.
On Azure, because a virtual machine does not require a network interface in each subnet, you can set up the VM-Series firewall with just three network interfaces. To create zone-based policy rules on the firewall, in addition to the management interface, you need at least two dataplane interfaces so that you can assign one dataplane interface to the trust zone and the other dataplane interface to the untrust zone.
Because the Azure VNet is a Layer 3 network, the VM-Series firewall on Azure supports Layer 3 interfaces only.
VM-Series on Azure does not support the traditional active/passive high availability with session synchronization, as it is not a good fit for cloud architectures. Instead, for both small and large deployments, use a scale-out architecture using cloud-native load balancers such as the Azure Application Gateway or Azure Load Balancer. For details, see Deploy the VM-Series and Azure Application Gateway Template.
Native VM Monitoring capabilities for virtual machines that are hosted on Azure are also not available.
Deployments Supported on Azure
Use the VM-Series firewall on Azure to secure your network users in the following scenarios:
Hybrid and VNet-to-VNet: The VM-Series firewall on Azure allows you to securely extend your physical data center/private cloud into Azure using IPSec and ExpressRoute. To improve your data center security, if you have segmented your network and deployed your workloads in separate VNets, you can secure traffic flowing between VNets with an IPSec tunnel and application whitelisting policies.
Inter-Subnet: The VM-Series firewall can front your servers in a VNet and protect against lateral threats for inter-subnet traffic between applications in a multi-tier architecture.
Gateway: The VM-Series firewall serves as the VNet gateway to protect Internet-facing deployments in the Azure Virtual Network (VNet). The VM-Series firewall secures traffic destined to the servers in the VNet and it also protects against lateral threats for inter-subnet traffic between applications in a multi-tier architecture.
GlobalProtect: Use the Azure infrastructure to quickly and easily deploy the VM-Series firewall as GlobalProtect and extend your gateway security policy to remote users and devices, regardless of location.
You can continue with Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) and configure the firewall and Azure for your deployment needs, or you can learn about the VM-Series Firewall Templates on Azure that you can use to deploy the firewall. For information on bootstrapping, see Bootstrap the VM-Series Firewall in Azure.
Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
The following instructions show you how to deploy the solution template for the VM-Series firewall that is available in the Azure public or Government Cloud Marketplace. To use the customizable ARM templates available in the GitHub repository, see Use the ARM Template to Deploy the VM-Series Firewall.
Deploy the VM-Series Firewall on Azure
3. Select an offering and click Create.
Step 3 Deploy the firewall.
1. Configure basic settings for the firewall.
a. Enter a Username for the firewall administrator.
b. Enter a Password or copy and paste an SSH public key for securing administrative access to the firewall.
c. Select your Azure Subscription.
d. Create a new resource group for holding all the resources associated with the VM-Series firewall for this deployment.
From the Azure Marketplace, you can deploy the VM-Series firewall into a new Resource Group, or an existing Resource Group that is empty. To deploy the firewall into an existing resource group that has other resources, use the ARM template in the GitHub Repository or your own custom ARM template. Ensure that the existing resources match the parameter values you provide in the ARM template.
e. Select the Azure Location. This is the region in which you are deploying the firewall.
2. Configure storage and networking.
a. Select an existing storage account or create a new one.
b. Select an existing VNet or create a new one, and enter the IP address space for the VNet. By default the CIDR is 10.0.0.0/16.
c. Configure the subnets for the network interfaces. If you use an existing VNet, you must have defined three subnets, one each for the management, trust and untrust interfaces. If you create a new VNet, verify or change the prefixes for each subnet. The default subnets are 10.0.0.0/24 for the management subnet, 10.0.1.0/24 for the untrust subnet, and 10.0.2.0/24 for the trust subnet.
d. Enter the source IP address or IP range (include CIDR) that can access the VNet. Network Security Group: inbound source IP allows you to restrict inbound access to the Azure VNet.
3. Define management access to the firewall.
a. Use the default variable (newPublicIP) to assign a Public IP address to the management interface (eth0) of the firewall.
b. Enter a prefix to access the firewall using a DNS name. You must combine the prefix you enter with the suffix displayed on screen, for example <yourname>.centralus.cloudapp.azure.com, to access the web interface of the firewall.
c. Enter a display name to identify the VM-Series firewall within the resource group.
d. To select the PAN-OS version, use the VM-Series Version dropdown. The latest is the most recent release, which is 8.0.0 currently.
e. Select the Azure virtual machine tier and size to meet your needs. See Minimum System Requirements for the VM-Series on Azure.
4. Review the summary, accept the terms of use and privacy policy, and click Create to deploy the firewall.
5. Verify that you have successfully deployed the VM-Series firewall.
a. Select Dashboard > Resource Groups, and select the resource group.
b. Select All Settings > Deployments > Deployment History for detailed status.
Step 4 Attach a public IP address for the untrust interface of the VM-Series firewall.
1. On the Azure portal, select the network interface for which you want to add a public IP address, for example the eth1 interface.
2. Select IP Configurations > Add, and for Public IP address, select Enabled. Create a new public IP address or select one that you have available.
3. Verify that you can view the secondary IP address associated with the interface.
When you attach a secondary IP address to a network interface, the VM-Series firewall does not automatically acquire the private IP address assigned to the interface. You will need to manually configure the private IP address using the VM-Series firewall web interface. See Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
Each interface on the VM-Series firewall on Azure can have one dynamic (default) or static private IP address, and multiple public IP addresses (static or dynamic) associated with it. The maximum number of public IP addresses you can assign to an interface is based on your Azure subscription. When you create a new public IP address you get one from the block of IP addresses Microsoft owns, so you can't choose a specific one.
Step 5 Log in to the web interface of the firewall.
1. On the Azure portal, in All Resources, select the VM-Series firewall and view the full DNS name for the firewall.
2. Using a secure connection (https) from your web browser, log in to the DNS name for the firewall.
3. Enter the username/password you defined in the parameters file. You will see a certificate warning; that is okay. Continue to the web page.
For the PAYG version:
1. Create a Support Account.
2. Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).
Use the ARM Template to Deploy the VM-Series Firewall
In addition to Marketplace-based deployments, Palo Alto Networks provides a GitHub repository which hosts sample ARM templates that you can download and customize for your needs. ARM templates are JSON files that describe the resources required for individual resources such as network interfaces, a complete virtual machine, or even an entire application stack with multiple virtual machines.
To simplify the deployment of all the required resources, the template includes two JSON files:
Template File: The azureDeploy.json is the main resources file that deploys all the components within the resource group.
Parameters File: The azureDeploy.parameters.json is the file that includes the parameters required to successfully deploy the VM-Series firewall in the VNet. It includes details such as the virtual machine tier and size, username and password for the firewall, and the name of the storage container for the firewall. You can customize this file for your Azure VNet deployment.
To help you deploy the firewall as a gateway for Internet-facing applications, the template provisions the VM-Series firewall, a database server, a web server and a virtual machine that performs NAT so that the VM-Series firewall can receive data traffic from the Internet. The NAT virtual machine fronts the firewall and receives data traffic on its public IP address, which it then routes to the firewall. The VNet uses the private non-routable IP address space 192.168.0.0/16. You can modify the template to use 172.16.0.0/12 or 10.0.0.0/8.
The ARM template also provides the necessary user-defined rules and IP forwarding flags to enable the VM-Series firewall to secure the Azure resource group. For the five subnets (Trust, Untrust, Web, DB, and NAT) included in the template, you have five route tables, one for each subnet with user-defined rules for routing traffic to the VM-Series firewall and the NAT virtual machine.
ARM templates are for advanced users. Palo Alto Networks provides the ARM template under an as-is, best-effort support policy.
Deploying VM-Series Firewall using the ARM Template
The address space within the VNet uses the prefix 192.168, which is defined in the ARM template.
Deploy the VM-Series and Azure Application Gateway Template
The VM-Series and Azure Application Gateway template is a starter kit that you can use to deploy VM-Series firewalls to secure web workloads for internet-facing deployments on Microsoft Azure.
This template deploys two VM-Series firewalls between a pair of (external and internal) Azure load balancers. The external load balancer is an Azure Application Gateway, which is an HTTP (Layer 7) load balancer that also serves as the internet-facing gateway, which receives traffic and distributes it through the VM-Series firewall on to the internal load balancer. The internal load balancer is an Azure Load Balancer (Layer 4) that fronts a pair of web servers. The template supports the BYOL and the Azure Marketplace versions of the VM-Series firewall.
As demand on your web workloads increases and you increase capacity for the web server tier, you can manually deploy additional VM-Series firewalls to secure your web server tier.
VM-Series and Azure Application Gateway Template
Start Using the VM-Series & Azure Application Gateway Template
VM-Series and Azure Application Gateway Template
The VM-Series and Azure Application Gateway template launches an Azure Application Gateway (Layer 7 load balancer) and an Azure (Layer 4) load balancer. Nested between the Application Gateway and the load balancer are a pair of VM-Series firewalls in an Availability Set, and a pair of sample web servers running Apache2 on Ubuntu in another Availability Set. The Availability Sets provide protection from planned and unplanned outages. The following topology diagram shows the resources that the template deploys:
You can use a new or an existing storage account and resource group in which to deploy all the resources for this solution within an Azure location. It does not provide default values for the resource group name and storage account name; you must enter a name for them. While you can create a new or use an existing VNet, the template creates a default VNet named vnetFW with the CIDR block 192.168.0.0/16, and allocates five subnets (192.168.1.0/24 to 192.168.5.0/24) for deploying the Azure Application Gateway, the VM-Series firewalls, the Azure load balancer and the web servers. Each VM-Series firewall is deployed with three network interfaces: ethernet0/1 in Mgmt subnet (192.168.0.0/24), ethernet1/1 in Untrust subnet (192.168.1.0/24), and ethernet1/2 in Trust subnet (192.168.2.0/24).
The template creates a Network Security Group (NSG) that allows inbound traffic from any source IP address on ports 80, 443, and 22. It also deploys the pair of VM-Series firewalls and the web server pair in their respective Availability Sets to ensure that at least one instance of each is available during a planned or unplanned maintenance window. Each Availability Set is configured to use three fault domains and five update domains.
The Azure Application Gateway acts as a reverse proxy service, which terminates a client connection and forwards the requests to backend web servers. The Azure Application Gateway is set up with an HTTP listener and uses a default health probe to test that the VM-Series firewall IP address (for ethernet1/1) is healthy and can receive traffic.
The template does not provide an auto-scaling solution; you must plan your capacity needs and then deploy additional resources to Adapt the Template for your deployment.
The VM-Series firewalls are not configured to receive and secure web traffic destined to the web servers. Therefore, at a minimum, you must configure the firewall with a static route to send traffic from the VM-Series firewalls to the default router, configure destination NAT policy to send traffic back to the IP address of the load balancer, and configure Security policy rules. The NAT policy rule is also required for the firewall to send responses back to the health probes from the HTTP listener on the Azure Application Gateway. To assist you with a basic firewall configuration, the GitHub repository includes a sample configuration file called appgw-sample.xml that you can use to get started.
Start Using the VM-Series & Azure Application Gateway Template
The VM-Series & Azure Application Gateway template launches all the resources you need to deploy and secure your web workloads for Internet-facing deployments on Microsoft Azure. This section provides details on how to deploy the template, configure the firewalls to route and secure traffic destined to the web servers, and extend the capabilities and resources that this template provides to accommodate your deployment needs.
Deploy the Template to Azure
VM-Series and Azure Application Gateway Template Parameters
Sample Configuration File
Adapt the Template
Deploy the Template to Azure
Use the following instructions to deploy the template to Azure.
c. Note the Public IP address or the DNS name assigned to eth0-VM-Series0 and eth0-VM-Series1 to access the management interface of the VM-Series firewalls.
To import the sample configuration file:
1. Download and save the Sample Configuration File to your local client.
2. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the sample configuration file that you have saved locally, and click OK.
3. Click Load named configuration snapshot, select the Name of the sample configuration file you just imported, and click OK.
4. Change the IP address of the address objects and the static route to match the IP address from the CIDR block you used. Update address objects to use the private IP addresses for eth1-VM-Series0 and eth1-VM-Series1.
5. Important! Create a new admin user account. Select Device > Administrators and Add a new account.
6. Modify the Hostname in the General Settings widget in Device > Setup > Management.
7. Commit your changes, and log out. The commit overwrites the running configuration with the sample configuration file and the updates you just made. On commit, the hostname and the administrator user account that you specified when deploying the template are overwritten. You will now need to log in using the new admin user account and password.
8. Log in to the firewall using the credentials you created, and delete the pandemo admin account that was imported from the sample configuration file.
If you have used the sample configuration file, log in to the firewall and view the Traffic logs generated on session start in Monitor > Logs > Traffic.
VM-Series and Azure Application Gateway Template Parameters
The following table lists the required and optional parameters and the default values, if any.
Parameter: Description
Resource group: Create new or use existing (no default).
Subscription: The type of Azure subscription you will use to cover the cost of the resources deployed with the template.
Location: Select the Azure location to which you want to deploy the template (no default).
Network Security Group
Network Security Group Name: The network security group limits the source IP addresses from which the VM-Series firewalls and web servers can be accessed. Default: nsg-mgmt
Network Security Group Inbound Src IP: The source IP addresses that can log in to the management port of the VMs deployed by the template. The default value 0.0.0.0/0 means you can log in to the firewall management port from any IP address.
Storage Account
Storage Account Name: Create new or enter the name of an existing Storage Account (no default). The name must be globally unique.
Storage Account Type: Choose between standard and premium storage and your data replication needs for local redundancy, geo-redundancy, and read-access geo-redundancy. The default option is Locally Redundant Storage (LRS). The other options are Standard GRS, Premium LRS, and Standard RAGRS.
VNet
Virtual Network: Create new or enter the name of an existing VNet. The default name for the VNet is vnetFW.
Virtual Network Address Prefix: 192.168.0.0/16
Azure Application Gateway
App Gateway Name: myAppGw
App Gateway DNS Name: Enter a globally unique DNS name for the Azure Application Gateway.
App Gateway Subnet Name and Prefix: Default name is AppGWSubnet and the subnet prefix is 192.168.3.0/24.
Azure Load Balancer and Web Servers
Internal Load Balancer Name: myPrivateLB
Internal Load Balancer Subnet Name and Prefix: Default name is backendSubnet and the subnet prefix is 192.168.4.0/24.
Backend Vm Size: The default size is Standard tier D1 Azure VM. Use the dropdown in the template to view the other Azure VM options available for the backend web servers.
Firewalls
Firewall Model: Choose from BYOL or PAYG (bundle1 or bundle2; each bundle includes the VM-300 and a set of subscriptions).
Firewall Vm Name and Size: The default name for the firewall is VM-Series, and the default size is Standard tier D3 Azure VM. Use the dropdown in the template to view the other Azure VM options available for the VM-Series firewalls.
Mgmt Subnet Name and Prefix: The management subnet for the VM-Series firewalls and the web servers deployed in this solution. Default name is Mgmt and the subnet prefix is 192.168.0.0/24.
Mgmt Public IP Address Name: Enter a host name to access the management interface on each firewall. The names must be globally unique.
Trusted Subnet Name and Prefix: The subnet to which eth1/1 on the VM-Series firewall is connected; this subnet connects the VM-Series firewall to the Azure Application Gateway. The firewall receives web traffic destined to the web servers on eth1/1. Default name is Trust and the subnet prefix is 192.168.2.0/24.
Untrusted Subnet Name: The subnet to which eth1/2 on the VM-Series firewall is connected. The firewall receives return and outbound web traffic on this interface. Default name is Untrust and the subnet prefix is 192.168.1.0/24. The name must be globally unique.
Username: Enter the username for the administrative account on the VM-Series firewalls and the web servers.
Authentication Type: You must either enter a password for authentication or use an SSH public key (no default).
Sample Configuration File
To help you get started, the GitHub repository contains a sample configuration file named appgw-sample.xml that includes the following rules/objects:
Address objects: Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you will need to modify to match the IP addresses in your setup. You need to modify these address objects to use the private IP addresses assigned to eth1-VM-Series0 and eth1-VM-Series1 on the Azure portal.
Static route: The default virtual router on the firewall has a static route to 192.168.1.1, and this IP address is accurate if you use the default template values. If you have changed the Untrust subnet CIDR, you'll need to update the IP address to match your setup. All traffic coming from the backend web servers, destined for the application gateway, uses this IP address as the next hop for delivering packets to the untrust interface on the firewall.
NAT Policy Rule: The NAT policy rule enables destination NAT and source NAT.
The destination NAT rule is for all traffic that arrives on the firewall's untrust interface (ethernet1/2), which is the firewall-untrust-IP address object. This rule translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and thus to the backend web servers.
The source NAT rule is for all traffic from the backend web server and destined to the untrust network interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall (ethernet1/2).
Security Policy Rule: Two Security policy rules are defined in the sample configuration file. The first rule allows all inbound web-browsing traffic and generates a log at the start of a session on the firewall. The second rule blocks all other traffic and generates a log at the start and end of a session on the firewall. You can use these logs to monitor all traffic to the web servers in this deployment.
Administrative User Credentials: The sample configuration file includes a username and password for logging in to the firewall, which is set to pandemo/demopassword. After you import the sample configuration, you must either change the password and set it to a strong, custom password or create a new administrator account and delete the pandemo account.
Adapt the Template
As your needs evolve, you can scope your capacity needs and extend the template for your deployment scenario. Here are some ways you can build on the starter template to meet your planned capacity needs:
Deploy additional VM-Series firewalls behind the Azure Application Gateway. You can manually install more VM-Series firewalls into the same Availability Set or launch a new Availability Set and manually deploy additional VM-Series firewalls.
Configure the VM-Series firewalls beyond the basic configuration provided in the sample configuration file in the GitHub repository.
Enable HTTPS load balancing (SSL offload) on the Azure Application Gateway. Refer to the Azure documentation for details.
Add or replace the sample web servers included with the template.
VM-Series Firewall for OpenStack
The VM-Series firewall for OpenStack allows you to deploy the VM-Series firewall on the KVM hypervisor running on a compute node in your OpenStack environment. This solution uses Heat Orchestration Templates and bootstrapping to deploy the VM-Series firewall and a Linux server. The VM-Series firewall protects the deployed Linux server by inspecting the traffic going in and out of the server. The sample bootstrap files allow the VM-Series firewall to boot with a basic configuration for handling traffic.
- Components of the VM-Series for OpenStack Solution
- Orchestration with the Heat Template

Components of the VM-Series for OpenStack Solution
The following components are required for deploying the VM-Series firewall in an OpenStack environment.

Software
  Hypervisor: KVM/Ubuntu 14.04
  Networking: Contrail 3.0.2
  OpenStack Distro: Mirantis 8.0 (Liberty)
  Orchestration: OpenStack Heat Templates (version 2015-10-15 or higher)
  VM-Series for KVM: PAN-OS 8.0 or later

VM-Series Hardware Resources
  See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
  In OpenStack, flavors define the CPU, memory, and storage capacity of a compute instance. When setting up your Heat template, choose the compute flavor that meets or exceeds the hardware requirements for the VM-Series model.

Fuel Master
  Fuel is a web UI-driven deployment and management tool for OpenStack.

OpenStack Controller
  This node runs most of the shared OpenStack services, such as API and scheduling. Additionally, the Horizon UI runs on this node.

OpenStack Compute
  The compute node contains the virtual machines, including the VM-Series firewall, in the OpenStack deployment. The compute node that houses the VM-Series must meet the following criteria:
  - Instance type OS::Nova::Server
  - Allow configuration of at least three interfaces
  - Accept the VM-Series qcow2 image
  - Accept the compute flavor parameter
  - Install the OpenStack compute node on a bare metal server, because the VM-Series firewall does not support nested virtualization.

Contrail Controller
  The Contrail controller node is a software-defined networking controller used for management, control, and analytics for the virtualized network. It provides routing information to the compute and gateway nodes.

Contrail Gateway
  The Contrail gateway node provides IP connectivity to external networks from virtual networks. MPLS over GRE tunnels from the virtual machines terminate at the gateway node, where packets are decapsulated and sent to their destinations on IP networks.

Heat Orchestration Template Files
  Palo Alto Networks provides a sample Heat template for deploying the VM-Series firewall. This template is made up of a main template (pan_basic_gw.yaml) and an environment template (pan_basic_gw_env.yaml). These files instantiate one VM-Series instance with one management interface and two data interfaces. The management interface and one data interface attach to an untrust network. The other data interface connects to the trust network.
  Additionally, the template instantiates a Linux server with one interface. The interface of the server attaches to the private network created by the template.

VM-Series Firewall Bootstrap Files
  The VM-Series firewall bootstrap files consist of an init-cfg.txt file, a bootstrap.xml file, and VM-Series auth codes. Along with the Heat template files, Palo Alto Networks provides sample init-cfg.txt and bootstrap.xml files. You must provide your own auth codes to license your VM-Series firewall and activate any subscriptions. See Bootstrap the VM-Series Firewall for more information about VM-Series bootstrap files.
Orchestration with the Heat Template
The Heat template package includes the following four files to help you launch the VM-Series firewall on KVM in OpenStack. All four files are required to deploy the VM-Series firewall and Linux server.
- pan_basic_gw.yaml: Defines the resources created to support the VM-Series firewall and Linux server on the compute node, such as interfaces and IP addresses.
- pan_basic_gw_env.yaml: Defines the environment that the VM-Series firewall and Linux server exist in. Many parameters in the pan_basic_gw.yaml file reference the parameters defined in this file, such as the flavor for the VM-Series and the Linux server.
- init-cfg.txt: Includes the operational command to enable DHCP on the firewall management interface.
- bootstrap.xml: Provides basic configuration for the VM-Series firewall. The bootstrap.xml file configures the data interfaces and IP addresses. These values must match the corresponding values in the pan_basic_gw.yaml file.
  Additionally, the bootstrap.xml file includes a NAT rule called untrust2trust. This rule translates the trust port on the server to the untrust port of the VM-Series firewall.
These Heat template files and the bootstrap files combine to create two virtual machines, the VM-Series firewall and Linux server, in a network configuration similar to that shown below.
The table below describes the resources that the pan_basic_gw.yaml template file creates and provides the default value, if applicable.
pan_fw_instance
  VM-Series firewall with a management interface and two data interfaces.
server_instance
  A Linux server with a single interface.
pan_trust_net
  A connection to the internal network to which the trust interface of the firewall and the trust interface of the server are attached.
pan_trust_subnet
  Subnet attached to the trust interface on the firewall (pan_trust_net); has a CIDR value of 192.168.100.0/24.
pan_untrust_net
  Untrust network to which the untrust port of the firewall is attached.
pan_untrust_subnet
  Subnet attached to the untrust interface of the firewall (pan_untrust_net); has a CIDR value of 192.168.200.0/24.
allow_ssh_https_icmp_secgroup
  Security group that allows TCP on ports 22 and 443 and ICMP traffic.
pan_untrust_port
  The untrust port of the VM-Series firewall deployed in Layer 3 mode. The Heat template provides a default IP address of 192.168.200.10 to this port.
  If you change this IP address in the Heat template, you must change the IP address in the bootstrap.xml file.
pan_untrust_floating_ip
  A floating IP address assigned from the public_network.
pan_untrust_floating_ip_assoc
  This associates the pan_untrust_floating_ip to the pan_untrust_port.
pan_trust_port
  The trust port of the VM-Series firewall in Layer 3 mode.
server_trust_port
  The trust port of the Linux server in Layer 3 mode. The Heat template provides a default IP address of 192.168.100.10 to this port.
  If you change this IP address in the Heat template, you must change the IP address in the bootstrap.xml file.
The pan_basic_gw.yaml file references the pan_basic_gw_env.yaml file for many of the values needed to create the resources required to deploy the VM-Series firewall and Linux server. The Heat template environment file contains the following parameters.

mgmt_network
  The VM-Series firewall management interface attaches to the network specified in this parameter. The template does not create the management network; you must create this before deploying the Heat templates. The default value is mgmt_ext_net.
public_network
  Addresses that the OpenStack cluster and the virtual machines in the cluster use to communicate with the external or public network. The public network provides virtual IP addresses for public endpoints, which are used to connect to OpenStack services APIs. The template does not create the public network; you must create this before deploying the Heat templates. The default value is public_net.
pan_image
  This parameter specifies the VM-Series base image used by the Heat template when deploying the VM-Series firewall. The default value is pa-vm-7.1.4.
pan_flavor
  This parameter defines the hardware resources allocated to the VM-Series firewall. The default value is m1.medium. This value meets the System Requirements described in the Set Up the VM-Series Firewall on KVM chapter.
server_image
  This parameter tells the Heat template which image to use for the Linux server. The default value is Ubuntu-14.04.
server_flavor
  This parameter defines the hardware resources allocated to the Linux server. The default value is m1.small.
server_key
  The server key is used for accessing the Linux server through SSH. The default value is server_key. You can change this value by entering a new server key in the environment file.
VM-Series Firewall on OpenStack Deployment Checklist
To deploy the VM-Series firewall in OpenStack, use the following workflow:
Step 1  Set up your OpenStack environment.
  If you have not already set up these components, see the OpenStack and Contrail documentation for instructions on setting up the OpenStack environment. This document does not take you through the process of setting up a complete OpenStack environment.
  - Deploy the required nodes (see Components of the VM-Series for OpenStack Solution for more information).
  - Create a public network. The default value in the Heat template is public_net. If you use a different name, change the default value in the pan_basic_gw_env.yaml file.
  - Create a management network. The default value in the Heat template is mgmt_ext_net. If you use a different name, change the default value in the pan_basic_gw_env.yaml file.
Step 2  Install the VM-Series Firewall in OpenStack.
  - Download the template files.
  - (Optional) Edit the default values in the template files to match your network.
  - Download the VM-Series base image for KVM (PA-VM-KVM-8.0.0.qcow2) from the Customer Support Portal.
  - Download Ubuntu 14.04, used for the Linux server.
  - Upload the files to your OpenStack controller node.
  - Deploy the VM-Series firewall and Linux server.
Install the VM-Series Firewall in OpenStack
Complete the following steps to prepare the Heat templates, bootstrap files, and software images needed to deploy the VM-Series firewall in OpenStack. After preparing the files, deploy the VM-Series firewall and Linux server.
Step 6  Edit the pan_basic_gw.yaml template to point to the bootstrap files and auth codes. Under Personality, specify the file path or web server address of the location of your files. Uncomment the lines for the source you are using and leave the other lines commented out.
  pan_fw_instance:
    type: OS::Nova::Server
    properties:
      image: { get_param: pan_image }
      flavor: { get_param: pan_flavor }
      networks:
        - network: { get_param: mgmt_network }
        - port: { get_resource: pan_untrust_port }
        - port: { get_resource: pan_trust_port }
      user_data_format: RAW
      config_drive: true
      personality:
        /config/init-cfg.txt: {get_file: "/opt/pan_bs/init-cfg.txt"}
        # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" }
        /config/bootstrap.xml: {get_file: "/opt/pan_bs/bootstrap.xml"}
        # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" }
        /license/authcodes: {get_file: "/opt/pan_bs/authcodes"}
        # /license/authcodes: {get_file: "http://web_server_name_ip/pan_bs/authcodes"}
Step 7  Edit the pan_basic_gw_env.yaml template environment file to suit your environment. Make sure that the management and public network values match those that you created in your OpenStack environment. Set the pan_image to match the name you assigned to the VM-Series base image file. You can also change your server key here.
  root@node-2:~# cat basic_gateway/pan_basic_gw_env.yaml
  parameters:
    mgmt_network: mgmt_ext_net
    public_network: public_net
    pan_image: pa-vm-8.0.0
    pan_flavor: m1.medium
    server_image: Ubuntu-14.04
    server_flavor: m1.small
    server_key: server_key
Step 8  Deploy the Heat template.
  1. Execute the command source openrc
  2. Execute the command heat stack-create <stack-name> -f <template> -e ./<env-template>
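Steps 6 and 7 edit two files by hand, and the Orchestration section above states that the data-interface IP addresses in bootstrap.xml must match the ones pan_basic_gw.yaml assigns to its ports and that mgmt_network and public_network must name networks that already exist. The following added example (not code from the deployment guide or from the Palo Alto Networks template repository) performs those two checks before the stack is created. The environment file is the one shown in Step 7; the Heat port excerpt and the bootstrap.xml fragment are constructed for illustration, using the guide's default addresses. The Heat extractor relies on the standard OS::Neutron::Port fixed_ips/ip_address syntax, and the bootstrap.xml extractor assumes interface addresses appear as entry names under an ip element, so adapt both to your files.

```python
"""Cross-check pan_basic_gw.yaml, pan_basic_gw_env.yaml and bootstrap.xml before deploying.

Added example (not from the guide). Parsing is deliberately minimal so no YAML
library is required; the sample Heat and bootstrap.xml fragments are constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Environment file as shown in Step 7 of this chapter.
SAMPLE_ENV = """parameters:
  mgmt_network: mgmt_ext_net
  public_network: public_net
  pan_image: pa-vm-8.0.0
  pan_flavor: m1.medium
  server_image: Ubuntu-14.04
  server_flavor: m1.small
  server_key: server_key
"""

# Constructed excerpt of the port resources, using the guide's default addresses.
SAMPLE_HEAT = """resources:
  pan_untrust_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_resource: pan_untrust_net }
      fixed_ips:
        - ip_address: 192.168.200.10
  pan_trust_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_resource: pan_trust_net }
  server_trust_port:
    type: OS::Neutron::Port
    properties:
      fixed_ips:
        - ip_address: 192.168.100.10
"""

# Constructed bootstrap.xml fragment; the layout under <layer3><ip> is assumed.
SAMPLE_BOOTSTRAP_XML = """<config>
  <devices><entry name="localhost.localdomain"><network><interface><ethernet>
    <entry name="ethernet1/1"><layer3><ip><entry name="192.168.200.10/24"/></ip></layer3></entry>
    <entry name="ethernet1/2"><layer3><ip><entry name="192.168.100.1/24"/></ip></layer3></entry>
  </ethernet></interface></network></entry></devices>
</config>
"""

REQUIRED_PARAMS = ("mgmt_network", "public_network", "pan_image", "pan_flavor",
                   "server_image", "server_flavor", "server_key")


def parse_env(text):
    """Read the flat 'parameters:' mapping of the environment file."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\w+):\s*(\S+)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def env_issues(params, existing_networks):
    """Missing parameters, plus networks the template expects to exist already."""
    issues = [f"{p} is missing from the environment file" for p in REQUIRED_PARAMS if p not in params]
    for p in ("mgmt_network", "public_network"):
        if p in params and params[p] not in existing_networks:
            issues.append(f"{p} '{params[p]}' does not exist in OpenStack; the template does not create it")
    return issues


def heat_port_ips(text):
    """Map each resource (2-space indent) to the fixed ip_address values under it."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^  (\w+):\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"ip_address:\s*([\d.]+)", line)
        if m and current:
            ports.setdefault(current, []).append(m.group(1))
    return ports


def bootstrap_interface_ips(xml_text):
    """Addresses configured on interfaces in bootstrap.xml (prefix length stripped)."""
    found = set()
    for ip_node in ET.fromstring(xml_text).iter("ip"):
        for entry in ip_node.findall("entry"):
            try:
                found.add(str(ipaddress.ip_interface(entry.get("name")).ip))
            except ValueError:
                continue
    return found


def mismatches(heat_text, bootstrap_xml, firewall_prefix="pan_"):
    """Firewall port addresses in the Heat template that bootstrap.xml does not configure."""
    configured = bootstrap_interface_ips(bootstrap_xml)
    return [(res, ip) for res, ips in heat_port_ips(heat_text).items()
            if res.startswith(firewall_prefix) for ip in ips if ip not in configured]


if __name__ == "__main__":
    print(env_issues(parse_env(SAMPLE_ENV), {"mgmt_ext_net", "public_net"}))
    print(mismatches(SAMPLE_HEAT, SAMPLE_BOOTSTRAP_XML))
```

Run the checks with the real list of networks from neutron net-list and the files you edited in Steps 6 and 7; an empty list from both functions means the values the guide says must agree do agree.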
InstalltheVMSeriesFirewallinOpenStack
VM-Series Firewall Bootstrap Workflow
After you familiarize yourself with the Bootstrap Package and assess whether you will want to fully configure the firewall or use Panorama to manage the bootstrapped firewall, use the following workflow to bootstrap your VM-Series firewall.

Bootstrap a VM-Series Firewall
For security reasons, you can only bootstrap a firewall when it is in factory default state. If you want to bootstrap a VM-Series firewall that has been previously configured, Reset the Firewall to Factory Default Settings.
- Generate the VM Auth Key on Panorama, if you want to use Panorama to manage the VM-Series firewalls being bootstrapped. You must include this key in the basic configuration (init-cfg.txt) file when you prepare the bootstrap package.
- Prepare the Licenses for Bootstrapping.
- Create the init-cfg.txt File and optionally Create the bootstrap.xml File if you are not using Panorama to manage the firewall configuration.
- Prepare the Bootstrap Package.
- Place the bootstrap package in the format required by your hypervisor and bootstrap the VM-Series firewall.
  - Bootstrap the VM-Series Firewall on ESXi
  - Bootstrap the VM-Series Firewall on Hyper-V
  - Bootstrap the VM-Series Firewall on KVM
  - Bootstrap the VM-Series Firewall in AWS
  - Bootstrap the VM-Series Firewall in Azure
- Verify Bootstrap Completion.
Bootstrap Package
The bootstrap process is initiated only on first boot when the firewall is in a factory default state. When you attach the virtual disk, virtual CD-ROM, or AWS S3 bucket to the firewall, the firewall scans for a bootstrap package and, if one exists, the firewall uses the settings defined in the bootstrap package. If you have included a Panorama server IP address in the file, the firewall connects with Panorama. If the firewall has Internet connectivity, it contacts the licensing server to update the UUID and obtain the license keys and subscriptions. The firewall is then added as an asset in the Palo Alto Networks Support Portal. If the firewall does not have Internet connectivity, it either uses the license keys you included in the bootstrap package or it connects to Panorama, which retrieves the appropriate licenses and deploys them to the managed firewalls.
The bootstrap package that you create must include the following four folders, even if empty:
- /config folder: Contains the configuration files. The folder can hold two files: init-cfg.txt and the bootstrap.xml. For details see Bootstrap Configuration Files.
  If you intend to pre-register VM-Series firewalls with Panorama with bootstrapping, you must generate a VM auth key on Panorama and include the generated key in the init-cfg file. See Generate the VM Auth Key on Panorama.
- /license folder: Contains the license keys or auth codes for the licenses and subscriptions that you intend to activate on the firewalls. If the firewall does not have Internet connectivity, you must either manually obtain the license keys from the Palo Alto Networks Support portal or use the Licensing API to obtain the keys and then save each key in this folder. For details, see Prepare the Licenses for Bootstrapping.
  You must include an auth code bundle instead of individual auth codes so that the firewall or orchestration service can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
- /software folder: Contains the software images required to upgrade a newly provisioned VM-Series firewall to the desired PAN-OS version for your network. You must include all intermediate software versions between the Open Virtualization Format (OVF) version and the final PAN-OS software version to which you want to upgrade the VM-Series firewall.
- /content folder: Contains the application and threat updates, WildFire updates, and the BrightCloud URL filtering database for the valid subscriptions on the VM-Series firewall. You must include the minimum content versions required for the desired PAN-OS version; without the minimum required content version associated with the PAN-OS version, the VM-Series firewall cannot complete the software upgrade.
The file type used to deliver the bootstrap package to the VM-Series firewall varies based on your hypervisor. Use the table below to determine the file type your hypervisor supports.
  Virtual Hard Disk (vhd): Yes
  S3 Bucket (ISO image): Yes
  config drive: Yes
Bootstrap Configuration Files
The bootstrap package must include the basic configuration contained in the init-cfg.txt file in the /config folder; the complete configuration (contained in the bootstrap.xml file in the /config folder) is optional. When you include both files in the bootstrap package, the firewall merges the configurations of those files and, if any configuration settings overlap between the two files, the firewall uses the setting defined in the init-cfg.txt file.
Basic Configuration
  The init-cfg.txt file is a text file that contains basic initial configuration information. You can name this file generically as init-cfg.txt, or you can prepend the UUID or serial number of each firewall to the file name to be more specific (for example: 0008C100105-init-cfg.txt). This file must include basic information for configuring the management interface on the firewall, such as the IP address type (static or DHCP), IP address (IPv4 only or both IPv4 and IPv6), netmask, and default gateway. The DNS server IP address, Panorama IP address and device group and template parameters are optional. When the firewall boots, it searches for a text file that matches its UUID or serial number and, if none is found, it searches using the generic file name. For a sample file, see Create the init-cfg.txt File.
  For the VM-Series firewalls that you want to manage using Panorama, you must generate a VM auth key on Panorama and include the key in the init-cfg.txt file. For more information, see Generate the VM Auth Key on Panorama.
Complete Configuration
  The bootstrap.xml file allows you to fully configure the firewall. The bootstrap.xml file is optional and is only required if you are not using Panorama for centrally managing your firewall. You can either define this manually or export the running configuration from an existing firewall and save the file as bootstrap.xml. If you include the bootstrap.xml file, make sure to export the XML file from a firewall of the same platform or hypervisor. If you provide the init-cfg.txt file and the bootstrap.xml file, the firewall merges the files into a running configuration as part of the bootstrap process and, if any settings overlap, the firewall will use the setting from the basic configuration file. See Create the bootstrap.xml File.
Generate the VM Auth Key on Panorama
If you want to use Panorama to manage the VM-Series firewalls that you are bootstrapping, you must generate a VM auth key on Panorama and include the key in the basic configuration (init-cfg.txt) file. The VM auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. So, to manage the firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic configuration file as well as the license auth codes in the /license folder of the bootstrap package. The firewall can then provide the IP address, serial number, and the VM auth key in its initial connection request to Panorama so that Panorama can verify the validity of the VM auth key and add the firewall as a managed device. If you provide a device group and template in the basic configuration file, Panorama will assign the firewall to the appropriate device group and template so that you can centrally configure and administer the firewall using Panorama.
The lifetime of the key can vary between 1 hour and 8760 hours (1 year). After the specified time, the key expires and Panorama will not register VM-Series firewalls without a valid auth key in this connection request.

Step 1  Log in to the Panorama CLI or access the API:
  In the CLI, use the following operational command:
    request bootstrap vm-auth-key generate lifetime <1-8760>
  For example, to generate a key that is valid for 24 hours, enter the following:
    request bootstrap vm-auth-key generate lifetime 24
    VM auth key 755036225328715 generated. Expires at: 2015/12/29 12:03:52
  In the API, use the following URL:
    https://Panorama_IP_address/api/?type=op&cmd=<request><bootstrap><vm-auth-key><generate><lifetime><number-of-hours></lifetime></generate></vm-auth-key></bootstrap></request>
  where the lifetime is the number of hours for which the VM auth key is valid.
Step 2  Verify the validity term of the VM auth key(s) you generated on Panorama. Make sure that the validity term allows enough time for the firewall(s) to register with Panorama.
    https://Panorama_IP_address/api/?type=op&cmd=<request><bootstrap><vm-auth-key><show></show></vm-auth-key></bootstrap></request>
Step 3  Add the generated VM auth key to the basic configuration (init-cfg.txt) file. See Create the init-cfg.txt File.
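The API URLs in Steps 1 and 2 embed the same XML that the CLI command sends, and Step 2 asks you to confirm that the key outlives the time the firewalls need to register. The following added example (not code from the guide) builds those requests with the lifetime bounds the guide states, parses the CLI output shown in Step 1, and answers the Step 2 question for a planned registration window. The api_key parameter is the PAN-OS XML API key that a real call also needs; it is not shown in the guide's URL and is a placeholder here.

```python
"""Build Panorama VM auth key requests and check the key's validity window.

Added example (not from the guide). Request XML and CLI output format are the
ones shown in the procedure above; the api_key parameter and the registration
window check are this example's additions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlencode

MIN_LIFETIME_HOURS, MAX_LIFETIME_HOURS = 1, 8760  # 1 hour to 1 year, per the guide
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"                  # format of "Expires at:" in the CLI output
OUTPUT_RE = re.compile(r"VM auth key (?P<key>\d+) generated\. Expires at: (?P<expires>[\d/]+ [\d:]+)")


def vm_auth_key_cmd(action, lifetime_hours=None):
    """Return the <request> XML for 'generate' (needs a lifetime) or 'show'."""
    if action == "generate":
        if not isinstance(lifetime_hours, int) or not MIN_LIFETIME_HOURS <= lifetime_hours <= MAX_LIFETIME_HOURS:
            raise ValueError("lifetime must be an integer between 1 and 8760 hours")
        inner = f"<generate><lifetime>{lifetime_hours}</lifetime></generate>"
    elif action == "show":
        inner = "<show></show>"
    else:
        raise ValueError("action must be 'generate' or 'show'")
    return f"<request><bootstrap><vm-auth-key>{inner}</vm-auth-key></bootstrap></request>"


def panorama_api_url(panorama_host, cmd, api_key=None):
    """Operational-command URL as in the guide; api_key is a placeholder for the XML API key."""
    params = {"type": "op", "cmd": cmd}
    if api_key:
        params["key"] = api_key
    return f"https://{panorama_host}/api/?{urlencode(params)}"


def parse_generate_output(text):
    """Return (key, expiry datetime) from 'VM auth key ... generated. Expires at: ...'."""
    m = OUTPUT_RE.search(text)
    if not m:
        raise ValueError("unrecognised generate output")
    return m.group("key"), datetime.strptime(m.group("expires"), TIME_FORMAT)


def key_covers_registration(expires_at, now, window_hours):
    """True if every firewall registering within window_hours of now still finds the key valid."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FORMAT)
    return now + timedelta(hours=window_hours) <= expires_at


if __name__ == "__main__":
    cmd = vm_auth_key_cmd("generate", 24)
    print(panorama_api_url("Panorama_IP_address", cmd))
    key, expires = parse_generate_output(
        "VM auth key 755036225328715 generated. Expires at: 2015/12/29 12:03:52")
    print(key, expires, key_covers_registration(expires, "2015/12/28 13:00:00", 12))
```

Feed the real output of the generate command into parse_generate_output and pass the latest time you expect a firewall to finish bootstrapping; a False result means a longer lifetime is needed before the key goes into init-cfg.txt.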
Create the init-cfg.txt File
The following table describes the fields in the init-cfg.txt file. The type, ip-address, default-gateway, and netmask are required.

Fields in the init-cfg.txt File

type=
  Type of management IP address: static or dhcp-client. This field is required.
ip-address=
  IPv4 address. This field is ignored if the type is dhcp-client. If the type is static, an IPv4 address is required; the ipv6-address field is optional and can be included.
  You cannot specify the management IP address and netmask configuration for the VM-Series firewall in AWS and Azure. If defined, the firewall ignores the values you specify.
default-gateway=
  IPv4 default gateway for the management interface. This field is ignored if the type is dhcp-client. If the type is static, and ip-address is used, this field is required.
netmask=
  IPv4 netmask. This field is ignored if the type is dhcp-client. If the type is static, and ip-address is used, this field is required.
ipv6-address=
  (Optional) IPv6 address and /prefix length of the management interface. This field is ignored if the type is dhcp-client. If the type is static, this field can be specified along with the ip-address field, which is required.
ipv6-default-gateway=
  IPv6 default gateway for the management interface. This field is ignored if the type is dhcp-client. If the type is static and ipv6-address is used, this field is required.
hostname=
  Hostname for the firewall.
panorama-server=
  IPv4 or IPv6 address of the primary Panorama server. This field is not required but recommended for centrally managing your firewalls.
panorama-server-2=
  IPv4 or IPv6 address of the secondary Panorama server. This field is not required but recommended.
tplname=
  Panorama template name. If you add a Panorama server IP address, as a best practice create a template on Panorama and enter the template name in this field so that you can centrally manage and push configuration settings to the firewall.
dgname=
  Panorama device group name. If you add a Panorama server IP address, as a best practice create a device group on Panorama and enter the device group name in this field so that you can group the firewalls logically and push policy rules to the firewall.
dns-primary=
  IPv4 or IPv6 address of the primary DNS server.
dns-secondary=
  IPv4 or IPv6 address of the secondary DNS server.
vm-auth-key=
  Virtual machine authentication key. (This field is ignored when bootstrapping hardware firewalls.)
op-command-modes=
  The following values are allowed: multi-vsys, jumbo-frame, mgmt-interface-swap. If you enter multiple values, use a space or a comma to separate the entries.
  - multi-vsys (For hardware-based firewalls only) Enables multiple virtual systems.
  - jumbo-frame Enables the default MTU size for all Layer 3 interfaces to be set at 9192 bytes.
  - mgmt-interface-swap (For VM-Series firewall in AWS only) Allows you to swap the management interface (MGT) with the dataplane interface (ethernet1/1) when deploying the firewall. For details, see Management Interface Mapping for Use with Amazon ELB.
dhcp-send-hostname=
  The value of yes or no comes from the DHCP server. If yes, the firewall will send its hostname to the DHCP server. This field is relevant only if type is dhcp-client.
dhcp-send-client-id=
  The value of yes or no comes from the DHCP server. If yes, the firewall will send its client ID to the DHCP server. This field is relevant only if type is dhcp-client.
dhcp-accept-server-hostname=
  The value of yes or no comes from the DHCP server. If yes, the firewall will accept its hostname from the DHCP server. This field is relevant only if type is dhcp-client.
dhcp-accept-server-domain=
  The value of yes or no comes from the DHCP server. If yes, the firewall will accept its DNS server from the DHCP server. This field is relevant only if type is dhcp-client.

The following sample basic configuration (init-cfg.txt) files show all the parameters that are supported in the file; the required parameters are type, ip-address, default-gateway, and netmask.

Sample init-cfg.txt file (Static IP Address)
  type=static
  ip-address=10.5.107.19
  default-gateway=10.5.107.1
  netmask=255.255.255.0
  ipv6-address=2001:400:f00::1/64
  ipv6-default-gateway=2001:400:f00::2*
  hostname=Ca-FW-DC1
  vm-auth-key=755036225328715
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=jumbo-frame, mgmt-interface-swap**
  dhcp-send-hostname=no
  dhcp-send-client-id=no
  dhcp-accept-server-hostname=no
  dhcp-accept-server-domain=no

Sample init-cfg.txt file (DHCP Client)
  type=dhcp-client
  ip-address=
  default-gateway=
  netmask=
  ipv6-address=
  ipv6-default-gateway=
  hostname=Ca-FW-DC1
  vm-auth-key=755036225328715
  panorama-server=10.5.107.20
  panorama-server-2=10.5.107.21
  tplname=FINANCE_TG4
  dgname=finance_dg
  dns-primary=10.5.6.6
  dns-secondary=10.5.6.7
  op-command-modes=jumbo-frame, mgmt-interface-swap**
  dhcp-send-hostname=yes
  dhcp-send-client-id=yes
  dhcp-accept-server-hostname=yes
  dhcp-accept-server-domain=yes

You cannot specify the management IP address and netmask configuration for the VM-Series firewall in AWS. If defined, the firewall ignores the values you specify because AWS uses a back-end metadata file to assign the management IP address and netmask.
* The IPv6 default gateway is required if you include an IPv6 address.
** The mgmt-interface-swap operational command pertains only to a VM-Series firewall in AWS.
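A mistake in init-cfg.txt is only discovered after the firewall has booted and failed to reach Panorama or its gateway, so it is worth checking the file before it goes into the bootstrap package. The following added example (not code from the guide) encodes the rules from the field table above: the required fields for type=static, the IPv6 gateway footnote, the values allowed in op-command-modes and where each applies, the fields ignored for dhcp-client, and the VM auth key needed to register with Panorama. The platform argument and the split into errors and warnings are this example's own conventions; the static sample is the guide's, with the footnote markers removed.

```python
"""Parse and check a VM-Series init-cfg.txt file against the field rules above.

Added example, not from the deployment guide. Errors mean the file will not
bootstrap as intended; warnings flag values that are ignored or apply only
to another platform.
"""
import ipaddress
import re

# Field names from the guide's "Fields in the init-cfg.txt File" table.
ALLOWED_FIELDS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
STATIC_REQUIRED = ("ip-address", "default-gateway", "netmask")
OP_COMMAND_MODES = {"multi-vsys", "jumbo-frame", "mgmt-interface-swap"}

# The guide's static sample (footnote markers removed) and a short DHCP client sample.
SAMPLE_STATIC = """\
type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=jumbo-frame, mgmt-interface-swap
"""
SAMPLE_DHCP = "type=dhcp-client\nip-address=\nhostname=Ca-FW-DC1\ndhcp-send-hostname=yes\n"


def parse_init_cfg(text):
    """Return key=value pairs; blank and '#' lines are skipped, empty values are kept."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _valid(kind, value):
    """True if value parses as the given ipaddress type (IPv4Address, IPv4Network, ...)."""
    try:
        kind(value)
        return True
    except ValueError:
        return False


def validate_init_cfg(fields, platform="kvm"):
    """Return (errors, warnings); platform is kvm, esxi, hyper-v, aws, azure or hardware."""
    errors, warnings = [], []
    for key in sorted(set(fields) - ALLOWED_FIELDS):
        warnings.append(f"{key}= is not a documented init-cfg.txt field")
    cfg_type = fields.get("type")
    if cfg_type not in ("static", "dhcp-client"):
        errors.append("type= must be 'static' or 'dhcp-client'")
        return errors, warnings
    if cfg_type == "static":
        for key in STATIC_REQUIRED:
            if not fields.get(key):
                errors.append(f"{key}= is required when type=static")
        for key in ("ip-address", "default-gateway"):
            if fields.get(key) and not _valid(ipaddress.IPv4Address, fields[key]):
                errors.append(f"{key}= is not a valid IPv4 address")
        if fields.get("netmask") and not _valid(ipaddress.IPv4Network, "0.0.0.0/" + fields["netmask"]):
            errors.append("netmask= is not a valid IPv4 netmask")
        if fields.get("ipv6-address"):
            if "/" not in fields["ipv6-address"] or not _valid(ipaddress.IPv6Interface, fields["ipv6-address"]):
                errors.append("ipv6-address= must be an IPv6 address with /prefix-length")
            if not fields.get("ipv6-default-gateway"):
                errors.append("ipv6-default-gateway= is required when ipv6-address= is set")
        if platform in ("aws", "azure"):
            warnings.append(f"management IP and netmask are ignored on {platform}; the platform assigns them")
    else:
        for key in STATIC_REQUIRED + ("ipv6-address", "ipv6-default-gateway"):
            if fields.get(key):
                warnings.append(f"{key}= is ignored when type=dhcp-client")
    for mode in [m for m in re.split(r"[\s,]+", fields.get("op-command-modes", "")) if m]:
        if mode not in OP_COMMAND_MODES:
            errors.append(f"op-command-modes: unknown value '{mode}'")
        elif mode == "mgmt-interface-swap" and platform != "aws":
            warnings.append("mgmt-interface-swap applies only to the VM-Series firewall in AWS")
        elif mode == "multi-vsys" and platform != "hardware":
            warnings.append("multi-vsys applies only to hardware firewalls")
    if fields.get("panorama-server"):
        if platform != "hardware" and not fields.get("vm-auth-key"):
            errors.append("vm-auth-key= is required to register a VM-Series firewall with Panorama")
        for key in ("tplname", "dgname"):
            if not fields.get(key):
                warnings.append(f"{key}= is not set; Panorama cannot assign a template or device group")
    return errors, warnings
```

Run validate_init_cfg(parse_init_cfg(open("init-cfg.txt").read()), platform="aws") for the platform you are deploying to; the guide's own static sample passes with only the warning that mgmt-interface-swap is an AWS-only mode.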
Create the bootstrap.xml File
Use these instructions to create the optional bootstrap.xml file.
Prepare the Licenses for Bootstrapping
To license the firewall during the bootstrapping process, you must purchase the auth codes and register the licenses and subscriptions on the Palo Alto Networks Support portal before you begin bootstrapping.
For the VM-Series firewalls running BYOL (not applicable for usage-based licensing, PAYG), you must have an auth code bundle that includes the capacity auth code, support subscription, and any other subscriptions you require. The process of preparing the licenses for bootstrapping depends on whether the firewall has Internet access when bootstrapping:
- Direct Internet access: The firewall is connected directly to the Internet.
- Indirect Internet access: The firewall is managed by Panorama, which has direct Internet access and the ability to fetch the license keys on behalf of the firewall.
- No Internet access: The firewall uses an orchestration service or a custom script to fetch the license keys on behalf of the firewall.

Prepare the Licenses for Bootstrapping

For VM-Series firewalls with Internet access:
  Enter the auth code in the /license folder when you Prepare the Bootstrap Package.

For VM-Series firewalls with indirect Internet access:
  1. Register the auth code on the Palo Alto Networks Support portal.
     a. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
     b. Follow the steps to Register the VM-Series Firewall.
     c. Click Submit.
  2. Activate the auth codes on the Palo Alto Networks Support portal to generate license keys.
     a. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
     b. For each S/N, click the Action link.
     c. Select the Activate Auth-Code button.
     d. Enter the Authorization code, click Agree, and Submit.
     e. Download the license keys and save them to a local folder.
     f. Continue to Prepare the Bootstrap Package; you must add the license keys that you downloaded to the /license folder in the bootstrap package.

For a custom script or an orchestration service that can access the Internet on behalf of firewalls:
  The script or service must fetch the CPU ID and the UUID from the hypervisor on which the firewall is deployed and access the Palo Alto Networks Support portal with the CPU ID, UUID, API key and the auth code to obtain the required keys. See Licensing API.
Prepare the Bootstrap Package
Use the following procedure to prepare the bootstrap package.

Prepare the Bootstrap Package

  /content
    panupv2-all-contents-488-2590
    panup-all-antivirus-1494-1969
    panup-all-wildfire-54746-61460
  /software
    PanOS_vm-7.1.1
    PanOS_vm-7.1.4
  /license
    If you save the keys to this folder, you can use a file naming convention that works for you, but keep the .key extension in the file name.
    0001A100105-authcodes
    0001A100110-url3.key
    0001A100110-threats.key
    0001A100110-url3-wildfire.key
    Use an auth code bundle instead of individual auth codes so that the firewall or orchestration service can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
Bootstrap the VM-Series Firewall on ESXi
You can bootstrap the VM-Series firewall using an ISO image or a virtual hard disk.
- Bootstrap the VM-Series Firewall on ESXi with an ISO
- Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on ESXi with an ISO
Use these instructions to bootstrap the VM-Series firewall on an ESXi server using an ISO.
Bootstrap the VM-Series Firewall in ESXi

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device
Use these instructions to bootstrap the VM-Series firewall on an ESXi server using a block storage device.
Virtual Hard Disk Bootstrapping in ESXi

Bootstrap the VM-Series Firewall on Hyper-V
You can bootstrap the VM-Series firewall using an ISO image or a virtual hard disk.
- Bootstrap the VM-Series Firewall on Hyper-V with an ISO
- Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on Hyper-V with an ISO
Use these instructions to bootstrap the VM-Series firewall on a Hyper-V server with an ISO.
Bootstrap the VM-Series Firewall in Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device
Use these instructions to bootstrap the VM-Series firewall on a Hyper-V server with a block storage device.
Virtual Hard Disk Bootstrapping in Hyper-V

Bootstrap the VM-Series Firewall on KVM
You can bootstrap the VM-Series firewall on KVM using an ISO image or a virtual hard disk. Additionally, you can bootstrap the VM-Series firewall on KVM in an OpenStack environment using a config drive.
- Bootstrap the VM-Series Firewall on KVM with an ISO
- Bootstrap the VM-Series Firewall on KVM with a Block Storage Device
- Bootstrap the VM-Series Firewall on KVM in OpenStack

Bootstrap the VM-Series Firewall on KVM with an ISO
Use these instructions to bootstrap the VM-Series firewall on a KVM server using an ISO.
Bootstrap the VM-Series Firewall in KVM

Bootstrap the VM-Series Firewall on KVM with a Block Storage Device
Use these instructions to bootstrap the VM-Series firewall on a KVM server with a block storage device.
Virtual Hard Disk Bootstrapping in KVM

Bootstrap the VM-Series Firewall on KVM in OpenStack
You can bootstrap the KVM edition of the VM-Series firewall in an OpenStack environment with:
- Red Hat OpenStack Platform 5 or OpenStack Platform 7 running on Red Hat Enterprise Linux 7.2, or Mirantis 7.0 running on Ubuntu 14.04.
- Support for OpenStack CLI only; the UI is not supported.
- Minimum PAN-OS version is PAN-OS 7.1.4.
- ISO 9660 or VFAT configuration drive formats.
The KVM edition of the VM-Series firewall in an OpenStack environment reads the bootstrap package from a config drive that attaches to the instance when it boots. The config drive is limited to a maximum size of 64 MB. Therefore, only /config and /license of the Bootstrap Package can have content; /software and /content must remain empty.
PAN-OS supports two methods for passing the bootstrap package to the config drive:
- file: passes the bootstrap package as clear text files
- user-data: passes the bootstrap package in a compressed tarball (.tgz file)
To use the user-data method, ensure that your version of OpenStack Platform 5 (Icehouse based) has been patched with a fix for this Icehouse issue. Without the patch, use of a tarball with the user-data method causes the nova boot command to fail.
You can use both methods concurrently in deployments where some files in the bootstrap package are static across all VM-Series instances while other files are unique to each firewall. If you include files using both methods, the compute node unpacks the tarball first and any files passed by the --file command overwrite duplicate files from the tarball.
The nova boot command and the following arguments are required to Bootstrap the VM-Series Firewall on KVM in OpenStack.

nova boot
  Used to boot a new compute instance.
--config-drive true
  Enables the config drive.
--image
  Specifies the PAN-OS image file. Only the image name is required. This base image file is required to launch the VM-Series firewall. You can view a list of images available in your OpenStack environment with the following command:
    nova image-list
--flavor
  The VM instance type. Ensure that you select a flavor that provides the hardware resources required for your VM-Series firewall. You can view a list of available flavors and their hardware resources with the following command:
    nova flavor-list
  See VM-Series on KVM Requirements and Prerequisites for the minimum hardware resources required by the KVM VM-Series firewall.
--user-data
  Used to pass the tarball containing the bootstrap package to the config drive.
--file
  Used to pass the init-cfg.txt file and license file as clear text files to the config drive. For the bootstrap process to succeed, you must include the /config/init-cfg.txt= argument and either the /license/license.key= or /license/authcodes= argument. Optionally, bootstrap.xml files are also supported.
    --file /config/init-cfg.txt=
    --file /config/bootstrap.xml=
    --file /license/license.key=
    --file /license/authcodes=
  The Server Personality defines the maximum number of files that can be passed using the --file command. Use the nova absolute-limits command to view the limit. In the example below, the Personality limit is five. Therefore, the maximum number of files is limited to five.
    nova absolute-limits
    +--------------------+-------+--------+
    | Name               | Used  | Max    |
    +--------------------+-------+--------+
    | Cores              | 18    | 240    |
    | FloatingIps        | 0     | 10     |
    | ImageMeta          | -     | 128    |
    | Instances          | 12    | 1000   |
    | Keypairs           | -     | 100    |
    | Personality        | -     | 5      |
    | Personality Size   | -     | 65536  |
    | RAM                | 32256 | 393216 |
    | SecurityGroupRules | -     | 20     |
    | SecurityGroups     | 1     | 10     |
    | Server Meta        | -     | 128    |
    | ServerGroupMembers | -     | 10     |
    | ServerGroups       | 0     | 10     |
    +--------------------+-------+--------+
  Exceeding this limit generates an error message. If you need to pass more files than this limit allows, use the user-data method or the combined user-data and file method.
--nic net-id=<network UUID>
  Creates a NIC on the VM-Series firewall with the specified UUID. You should create at least two NICs: one for a management port and one for a data port.
--security-groups
  You can provide a comma-separated list of security groups to provide access to the VM-Series firewall. If you do not specify a security group, the VM is placed in the default security group.
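The Bootstrap Package section, the Prepare the Bootstrap Package listing, the config drive limits above and the --file/--user-data arguments in this table all describe constraints on the same directory tree. The following added example (not code from the guide) builds a package from a file map, checks it against those constraints (four mandatory folders, init-cfg.txt present, one auth code bundle rather than a list of codes, .key extension on key files, the 64 MB config drive limit with /software and /content empty), and produces both delivery forms for OpenStack: the --file arguments, refused when they would exceed the Personality limit, and the .tgz for --user-data. The sample file contents and auth code are constructed and not real.

```python
"""Build and check a VM-Series bootstrap package, then emit the nova boot inputs.

Added example (not from the guide). The rules applied are the ones stated in
this chapter; the sample package contents are constructed placeholders.
"""
import io
import tarfile
import tempfile
from pathlib import Path

REQUIRED_FOLDERS = ("config", "license", "software", "content")
CONFIG_DRIVE_LIMIT = 64 * 1024 * 1024  # 64 MB, from the guide

# Constructed sample contents (not a real auth code).
SAMPLE_FILES = {
    "config/init-cfg.txt": b"type=dhcp-client\nhostname=example-fw\n",
    "license/authcodes": b"EXAMPLEBUNDLE0001\n",
}


def write_bootstrap_package(root, files):
    """Create the four mandatory folders and write files (relative path -> bytes) under root."""
    root = Path(root)
    for folder in REQUIRED_FOLDERS:
        (root / folder).mkdir(parents=True, exist_ok=True)
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


def validate_bootstrap_package(root, config_drive=False):
    """Return (errors, warnings); config_drive=True applies the OpenStack config drive limits."""
    root, errors, warnings = Path(root), [], []
    missing = [f for f in REQUIRED_FOLDERS if not (root / f).is_dir()]
    if missing:
        return [f"missing folder: /{f}" for f in missing], warnings
    if not any(p.name.endswith("init-cfg.txt") for p in (root / "config").iterdir()):
        errors.append("/config must contain init-cfg.txt (optionally prefixed with UUID or serial)")
    for path in (root / "license").iterdir():
        if path.name.endswith("authcodes"):
            codes = [line for line in path.read_text().splitlines() if line.strip()]
            if len(codes) > 1:
                warnings.append(f"{path.name}: lists {len(codes)} auth codes but only the first is "
                                "retrieved; use an auth code bundle")
        elif path.suffix != ".key":
            warnings.append(f"{path.name}: license key files should keep the .key extension")
    if config_drive:
        for folder in ("software", "content"):
            if any((root / folder).iterdir()):
                errors.append(f"/{folder} must be empty when bootstrapping from an OpenStack config drive")
        total = sum(p.stat().st_size for p in root.rglob("*") if p.is_file())
        if total > CONFIG_DRIVE_LIMIT:
            errors.append(f"package is {total} bytes; the config drive limit is {CONFIG_DRIVE_LIMIT}")
    return errors, warnings


def nova_boot_file_args(root, personality_limit=5):
    """--file arguments for the clear-text method (/config and /license only), capped by Personality."""
    root, args = Path(root), []
    for folder in ("config", "license"):
        for path in sorted((root / folder).iterdir()):
            if path.is_file():
                args.append(f"--file /{folder}/{path.name}={path}")
    if len(args) > personality_limit:
        raise ValueError(f"{len(args)} files exceed the Personality limit of {personality_limit}; "
                         "use --user-data instead")
    return args


def package_as_user_data(root):
    """The .tgz bytes to pass with nova boot --user-data (all four folders, even if empty)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for folder in REQUIRED_FOLDERS:
            tar.add(Path(root) / folder, arcname=folder)
    return buf.getvalue()


def run_checks(files, config_drive=False, personality_limit=5):
    """Build files in a temp dir; return (errors, warnings, --file arg count, tarball member names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_bootstrap_package(tmp, files)
        errors, warnings = validate_bootstrap_package(root, config_drive)
        file_args = nova_boot_file_args(root, personality_limit)
        tgz = package_as_user_data(root)
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return errors, warnings, len(file_args), sorted(tar.getnames())


if __name__ == "__main__":
    print(run_checks(SAMPLE_FILES, config_drive=True))
```

Point write_bootstrap_package at the folder you will turn into an ISO, VHD or config drive, or skip it and call validate_bootstrap_package on an existing tree; the tarball from package_as_user_data is what goes to --user-data, and nova_boot_file_args raises before nova would reject an over-limit --file list.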
BootstraptheVMSeriesFirewallinAWS
Toperformbootstrapping,youmustbefamiliarwithAWSS3andIAMpermissionsrequiredforcompleting
thisprocess.Fordetailedinstructionsoncreatingpolicy,refertotheAWSdocumentationonCreating
CustomerManagedPolices.
ThemanagementinterfaceoftheVMSeriesfirewallmustbeabletoaccesstheS3buckettocomplete
bootstrapping.YoucaneitherassignapublicIPaddressoranelasticIPaddresstothemanagementinterface
sothattheS3bucketcanbeaccessedovertheInternet.Or,createaAWSVPCendpointinthesameregion
astheS3bucket,ifyouprefertocreateaprivateconnectionbetweenyourVPCandtheS3bucketanddo
notwanttoenableinternetaccessonthefirewallmanagementinterface.Formoreinformationrefertothe
AWSdocumentationonsettingupVPCendpoints.
Bootstrap the firewall in AWS
Step 1  On the AWS console, create an Amazon Simple Storage Service (S3) bucket at the root level. The S3 bucket in this example, vmseries-aws-bucket, is at the All Buckets root folder level. Bootstrap will fail if you nest the folder because you cannot specify a path to the location of the bootstrap files.
Step 2  Create an IAM role with an inline policy to enable read access to the S3 bucket [ListBucket, GetObject]. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2. When launching the VM-Series firewall, you must attach this role to enable access to the S3 bucket and the objects included in the bucket for bootstrapping successfully.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::<bucketname>"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": ["arn:aws:s3:::<bucketname>/*"]
        }
    ]
}
Step 3  Create the folders within the S3 bucket.
Create the top-level directory structure for the bootstrap package. Create the structure directly in this S3 bucket.
Add content within each folder. You can leave a folder empty, but you must have all the four folders.
If you have enabled logging in Amazon S3, a Logs folder is automatically created in the S3 bucket. The Logs folder helps troubleshoot issues with access to the S3 bucket.
Step 4  Launch the VM-Series Firewall on AWS. When launching the firewall as an EC2 instance, attach the IAM role you created in Step 2 and, in the user data field (Advanced section), specify the following S3 key value:
vmseries-bootstrap-aws-s3bucket=<bucketname>
Step 5  Verify Bootstrap Completion.
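As an added example (not from the deployment guide), this Python snippet builds the read-only role policy from Step 2 for a given bucket, flags a policy that grants more than ListBucket and GetObject on that bucket, and checks an S3 object listing for the root-level layout that Step 1 and Step 3 require. It assumes the package folders config, content, license and software, that the bootstrap configuration lives at config/init-cfg.txt, and uses a constructed key listing; vmseries-aws-bucket is the guide's example bucket name.

```python
import json

FOLDERS = ("config", "content", "license", "software")  # package top-level folders (assumed)
READ_ACTIONS = {"s3:ListBucket", "s3:GetObject"}         # all the firewall needs (Step 2)

def bootstrap_read_policy(bucket):
    """The guide's inline policy, filled in for one bucket: list the bucket, read its objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [f"arn:aws:s3:::{bucket}/*"]},
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_problems(policy, bucket):
    """Report anything in the role policy beyond read access to the bootstrap bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action not in READ_ACTIONS:
                problems.append(f"action {action} is not needed for bootstrapping")
        for res in _as_list(st.get("Resource", [])):
            if res not in allowed:
                problems.append(f"resource {res} is outside bucket {bucket}")
    return problems

def layout_problems(keys):
    """Check S3 object keys: the four folders must sit at the bucket root, not nested (Step 1/3)."""
    problems = []
    top = {k.split("/", 1)[0] for k in keys if "/" in k}
    problems += [f"missing top-level folder {f}/" for f in FOLDERS if f not in top]
    # The Logs/ folder is created by S3 access logging and is not part of the package.
    stray = sorted(t for t in top if t not in FOLDERS and t != "Logs")
    problems += [f"unexpected top-level folder {t}/ (package must not be nested)" for t in stray]
    if "config/init-cfg.txt" not in keys:
        problems.append("config/init-cfg.txt not found at bucket root")
    return problems

def user_data(bucket):
    """The user-data value that tells the firewall which bucket to bootstrap from (Step 4)."""
    return f"vmseries-bootstrap-aws-s3bucket={bucket}"

if __name__ == "__main__":
    # Constructed object listing of a correctly laid-out bucket.
    keys = ["config/init-cfg.txt", "content/", "license/authcodes", "software/", "Logs/"]
    print(json.dumps(bootstrap_read_policy("vmseries-aws-bucket"), indent=2), layout_problems(keys))
```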
Bootstrap the VM-Series Firewall in Azure
To perform bootstrapping, you must be familiar with the process of creating a VHD and must know about storage accounts and containers in Azure, and how to attach the VHD to a virtual machine.
Bootstrap the firewall in Azure
Step 1  Create the VHD. Use the Azure documentation for the commands required to complete the process of creating a VHD.
1. On the Azure portal, deploy a Linux virtual machine.
2. On the Linux virtual machine, Add a data disk ranging between 1 to 39 GB. Make sure to save the disk to the same storage account that you will use for the VM-Series firewall.
3. Connect to the console or CLI of the Linux virtual machine.
4. Partition the disk and format the file system as ext3.
5. Create the top-level directory structure for the bootstrap package and add content within each folder. You can leave a folder empty, but you must have all the four folders.
6. Copy the contents of the bootstrap package you created above to the disk.
7. Unmount the disk.
8. Detach the disk from the Azure portal. The disk is stored as a page blob.
Step 2  Customize the ARM template to point to the VHD so that the firewall can access the disk on first boot. For example, you need to add the following object in the virtualMachine resource in the Template file:
"storageProfile": {
"imageReference": {
"publisher": "[parameters('imagePublisher')]",
"offer": "[parameters('imageOffer')]",
"sku": "[parameters('imageSku')]",
"version": "latest"
},
"dataDisks": [
{
"name": "datadisk1",
"diskSizeGB": "[parameters('BootstrapUriSizeGB')]",
"lun": 0,
"vhd": {
"uri": "[parameters('BootstrapUri')]"
},
"caching": "ReadOnly",
"createOption": "Attach"
}
],
"osDisk": {
"name": "osdisk",
"vhd": {
"uri": "[concat('http://',
parameters('storageAccountName'), '.blob.core.windows.net/vhds/',
parameters('vmName'), '-', parameters('imageOffer'), '-',
parameters('imageSku'), '.vhd')]"
},
"caching": "ReadWrite",
"createOption": "FromImage"
}
},
Step 3  Verify Bootstrap Completion.
Verify Bootstrap Completion
You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
Verify Bootstrap Completion
Step 1  If you included panorama-server, tplname, and dgname in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
Step 4  If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
Bootstrap Errors
If you receive an error message during the bootstrapping process, refer to the following table for details.
Error message (Severity)   Reasons
Boot image error (high)
    No external device was detected with the bootstrap package. Or, a critical error happened while booting from the image on the external device. The bootstrap process was aborted.
No bootstrap config file on external device (high)
    The external device did not have the bootstrap configuration file.
Bad or no parameters for mandatory networking information in the bootstrap config file (high)
    The networking parameters required for bootstrapping were either incorrect or missing. The error message lists the value (IP address, netmask, default gateway) that caused the bootstrap failure.
Failed to install license key for file <license key filename> (high)
    The license key could not be applied. This error indicates that the license key used was invalid. The output includes the name of the license key that could not be applied.
Failed to install license key using authcode <authcode> (high)
    The license auth code could not be applied. This error indicates that the license auth code used was invalid. The output includes the name of the auth code that could not be applied.
Failed content update commits (high)
    The content updates were not successfully applied.
USB media prepared successfully using given bundle (informational)
    The bootstrap image has been successfully compiled on the USB flash device. <username>: Successfully prepared the USB using bundle <bundlename>
Successful bootstrap (informational)
    The firewall was successfully provisioned with the bootstrap configuration file. The output includes the license keys installed and the file name of the bootstrap configuration. On the VM-Series firewalls only, the PAN-OS version and content update version are also displayed.
Read about the Bootstrap Package and how to Prepare the Bootstrap Package.