Next-Generation Security Platform on VMware NSX Reference Architecture


Release 1, March 2018

Contents

Introduction
Purpose of This Guide
Customer Use Cases
Technical Overview
VMware vSphere ESXi
VMware vCenter
VMware NSX Manager
NSX Distributed Firewall
IP Sets
SpoofGuard
Security Tags
Security Groups
Security Policy
Service Manager
Service Definitions
Service Profile
Operations-Oriented vs Security-Oriented Security Policy
Firewall Security Policy
Panorama Steering Rules
Palo Alto Networks VM-Series Firewall for NSX
Deployment
Preparing Your Environment
Registering Panorama as an NSX Service Definition
Deploying VM-Series Firewalls into your Data Center Infrastructure
Creating and Associating NSX Security Tags
Creating Dynamic Address Groups and NSX Security Groups
Automating Threat Response Quarantining Infected VMs
Generating Panorama Traffic Steering Rules
Removing a Service Deployment Virtual Firewall
Removing NSX Manager Integration Components
Summary
What's New in This Version

Introduction

Three major building blocks are common in all data center environments: compute, storage, and network. These three elements are combined in various quantities and topologies to provide data center infrastructure, which provides applications and data processing to meet business requirements.

Configuration and administration of these three elements in most data center environments require careful coordination between different groups in order to provide network connectivity and storage resources prior to application deployment. Network security policy configuration or changes may also be required. This coordination of duties can delay application delivery and hinder business agility.

One approach organizations have taken to minimize coordination bottlenecks is to present all network connectivity to all compute resources, often by trunking all available VLANs to every server, with application network connectivity associated at the time of application creation. This model implies trust that applications are deployed on the correct network segment and provides no visibility or separation within network segments. Add server virtualization to the equation, and applying security policy in this highly dynamic environment can be a challenge when virtualized applications move around the data center.

The ideal goal is to permit network, storage, and security teams to define independent policies that are dynamically linked to applications and for these characteristics to remain associated with applications throughout their lifecycle. This model permits rapid provisioning and management of applications without advance coordination of network, storage, and security teams. This model enables high-level policies such as "web servers can communicate with application servers" and "application servers can communicate with database servers", without regard for physical or virtual instantiation of the services. The policies are maintained when virtualized servers are moved throughout the data center or new servers are created. This model is referred to as the software-defined data center (SDDC).

Purpose of This Guide

This guide provides architectural and operational guidance for deploying Palo Alto Networks VM-Series next-generation firewalls within VMware NSX environments. To provide overall context, the guide discusses the Palo Alto Networks and VMware components used to construct a secure, software-defined data center infrastructure. Guidance within this document pertains only to Palo Alto Networks solutions; any VMware best practices supersede this document.

Customer Use Cases

In a private data center cloud, there are two different classes of traffic:

- North-south: Refers to data flows that move in and out of the virtualized environment from the host network. Sometimes traffic between application tiers is also called north-south; for the purposes of this guide, north-south traffic flows are to and from the virtualized environment. For performance reasons, north-south traffic is usually secured by one or more physical form-factor perimeter firewalls. The edge firewall is usually a high-throughput hardware appliance deployed in high availability mode in order to ensure application resiliency.
- East-west: Refers to data flows moving between virtual workloads entirely within your private cloud. East-west traffic flows within the data center are often less well understood. East-west visibility and security enforcement can be difficult because the network elements providing transport usually don't provide the required features, and the highly dynamic nature of software-defined data centers further complicates applying these services at the correct network locations.

East-west traffic visibility and security policy has long been a goal for many organizations wanting to enhance internal data center security. The VMware NSX solution was designed to address the challenges of this highly dynamic environment and bring visibility and security directly to virtualized applications, regardless of application location or network connectivity. East-west firewalls are inserted transparently into the application infrastructure and do not necessitate a redesign of the logical topology.

Data centers are centralized repositories of your organization's most critical asset: the data that drives your business, which could include very sensitive customer information such as credit card numbers or patient medical records. Your data is a target for cybercriminals, as evidenced by the number of high-profile data breaches.

Historically, organizations implemented network security to protect traffic flowing north-south. The assumption was that the threats were outside your network and that east-west visibility was difficult. However, relying on north-south protection alone is insufficient for protecting your data center. The compromise of a single data center asset could provide cybercriminals the pivot point they need to further compromise your data. To improve security posture relative to corporate data risk, organizations have acknowledged that protection from threats across the entire network, both north-south and east-west, has become a security requirement. Regulatory compliance requirements, such as HIPAA, PCI, and GDPR, often dictate additional data security policies.

One common practice in data centers is the logical grouping of application functions by trust level. All application functions within a tier are inherently trusted, and only traffic between tiers is inspected. This practice is known as network segmentation. Network segmentation has traditionally been applied between network segments (VLANs or subnets) because all traffic entering and leaving the segment must pass through a single network location.

Higher-risk assets may require additional security policy between services within a network segment. Extending the concept of network segmentation to finer grain and larger scale can be difficult to deploy and manage because the limitations on the number of VLANs or IP address subnetting grow rapidly. The ability to provide additional network security, without the need for network segmentation, can be very useful. Micro-segmentation provides this ability without the need for network topology changes or application server IP address changes.

Logical segmentation of application functions during the application lifecycle (development, testing, staging, and production), without regard for location within the data center, is also very useful. DevOps is becoming a more common practice for application development, and logical segmentation enables the agility required. Logical segmentation also plays a role in multitenancy, the ability to support many customers using the same applications while keeping their network traffic separate from each other.

When security events do occur, your ability to respond to these events in a timely fashion is critical. Automation within the virtualized data center allows your infrastructure to respond to security events by applying appropriate security controls to protect the network and by sending notification when these events occur. This automated response provides timely protection to all assets within your data center and the ability to safely remediate impacted resources.

Technical Overview

Palo Alto Networks and VMware have partnered to provide a solution that enables the benefits of a software-defined data center, while also providing the automated security services of Palo Alto Networks VM-Series next-generation firewalls and advanced threat prevention. The integrated solution is composed of three components:

- VMware NSX: The leading network and security virtualization platform, NSX is a full-service, programmable platform that provides logical network abstraction of the physical network and reproduces the entire network model in software, allowing diverse network topologies to be created and provisioned in seconds. NSX applies security controls at the hypervisor layer for optimal context and isolation, inherently provides security isolation, enables micro-segmentation based on logical boundaries, and allows for workload-level isolation and segmentation. Policies are enforced at the virtual interface and follow the workload unconstrained by physical topology. The NSX distributed service framework and service insertion platform enable the integration of next-generation security services. The NSX native, kernel-based distributed firewall, used for L2-L4 filtering, steers traffic transparently to the VM-Series for advanced inspection.
- Palo Alto Networks VM-Series for NSX: The VM-Series virtualized next-generation firewall brings secure application enablement and threat prevention to virtualized and cloud environments. At the core of the VM-Series is the Palo Alto Networks Next-Generation Firewall, which determines the three critical elements of your security policy: the application identity, regardless of port; the content, malicious or otherwise; and the user identity, all in a single pass. Unlike traditional security solutions, the VM-Series offers the same set of security features as our physical form-factor firewalls and is managed using the same management platform, ensuring that a consistent set of policies is maintained in the data center. Identifying and controlling your data center traffic reduces the scope of attacks by:
  - Validating that data center applications are in use on standard ports.
  - Blocking rogue or non-compliant applications.
  - Preventing known and unknown threats from moving laterally.
  - Systematically managing unknown traffic.
- Palo Alto Networks Panorama: Panorama is a centralized management platform that provides the ability to manage a distributed network of virtualized and physical firewalls from a single location. Capabilities include the ability to view all firewall traffic, manage all aspects of device configuration, push global policies, generate reports on traffic patterns or security incidents, and automatically respond to security incidents by quarantining affected VMs.

VMware vSphere ESXi

VMware vSphere ESXi is the foundational component of VMware data center server virtualization. vSphere ESXi is the hypervisor that is deployed on physical server hardware, which then presents the virtualized server components to guest virtual machines created from these components. The guest virtual machines function as the equivalent of the physical servers they represent, with the added benefit that they can be moved to facilitate business continuity or power optimization and copied like software components in order to ease data center operations.

The virtual separation of guest functions of vSphere ESXi provides limited visibility into the virtual server containers and their configuration. To provide visibility into the configuration of virtual guests, an application called VMware Tools is installed on the guests. VMware Tools can be installed for all supported guest operating systems from vCenter or vSphere ESXi. Another option for Linux-based guests is the use of open-vm-tools, which provides the same functionality. Beginning with PAN-OS 7.1, VM-Series firewalls have open-vm-tools installed as part of the native configuration.

VMware vCenter

A data center might contain hundreds or thousands of virtualized servers. Managing individual vSphere ESXi servers at this scale would be untenable. VMware vCenter provides the data center management functions for all virtualized server resources and is the central point of management for your SDDC.

The default web interface for vCenter and ESXi makes use of Adobe Flash. Google Chrome provides built-in Pepper Flash version 170, which has Shockwave Flash crashes; reverting to version 159 resolves these crashes. Using Adobe Flash Player version 11.5 with your browser provides the greatest compatibility.

VMware NSX Manager

VMware NSX extends the virtualization model to the data center network fabric by creating a network virtualization platform of logical network functions. This platform treats the physical network as a pool of transport capacity. Virtual networks can be provisioned, modified, stored for later reuse, and deleted programmatically without making changes to the underlying physical network.

This network virtualization allows third-party services to be inserted dynamically at the guest VM virtual network interfaces (vNIC), a service called network introspection. All traffic into and out of the guest VM is made visible to supported solutions. Palo Alto Networks VM-Series firewalls provide network introspection services via NSX integration.

Figure 1. Comparison of server and network virtualization (panels: Server Virtualization, Network Virtualization)

The NSX data plane creates a logical overlay virtual network of Layer 2 switches, Layer 3 routers, and Layer 4 firewalls. This logical network provides the ability to group application servers on a logical Layer 2 switch, which can span arbitrary physical networks. NSX creates this logical networking by tunneling traffic using a protocol called VXLAN. NSX virtual networking is based on vSphere Distributed Switch, with additional capabilities added by hypervisor extensions on each physical host within the data center. Distributed Virtual Switch is a required licensed feature with vCenter for NSX deployments.

The NSX control plane is implemented as a set of three guest VMs that maintain the operational status of all the virtual networking elements. A cluster of three NSX controllers is required for successful installation; the cluster provides a highly reliable, distributed state database of all logical network elements within the NSX environment. Examples of network state include MAC address tables, ARP tables, Layer 3 routing information, and Layer 4 stateful firewall sessions.

NSX controllers are critical components for the continuous functioning of the control plane. To maintain high availability, the controllers implement a protocol called Paxos among the members. The Paxos protocol enables a collection of unreliable members to arrive at a consensus of the current network state, ensuring consistent network state even with the failure of any single controller.

NSX Manager extends the functionality of ESXi hypervisors, adding kernel modules that provide additional capabilities. The process of adding these additional hypervisor modules is called host preparation. Host preparation is applied at the vCenter cluster level, to all hosts within a given cluster.

Figure 2. VMware NSX logical network overlay on physical network

NSX Distributed Firewall

NSX distributed firewall changes the paradigm of security services within the data center, extending network security services directly to the vNIC of guest VMs and decoupling security from network topology. Distributed firewall provides legacy Layer 4 stateful firewall services, identifying traffic for policy application by the 5-tuple: source/destination IP addresses, source/destination ports, and protocol.

Distributed firewall policy is applied first, then optional third-party network security services may be applied as part of security policy. Palo Alto Networks VM-Series firewalls provide network introspection services to NSX distributed firewall. Distributed firewall uses IO chaining to provide additional security services for third-party solutions (network introspection). IO chaining identifies traffic for additional inspection by Layer 2 MAC address or Layer 3 IP address.

Distributed firewall maintains two state tables that are attached to each VM:

- Rule Table: Layer 4 security policy rules
- Connection Tracker Table: Active flows that were permitted by security policy

When VMs are migrated, the rule and connection tracker tables move along with the VM, ensuring consistent network security and no disruption in current traffic flows. Network flows that were inspected and permitted by network introspection continue to flow, while new flows will be subject to network introspection policy at the VM's new destination host.

Figure 3. Default NSX distributed firewall rules

IP Sets

NSX distributed firewall uses guest VM IP and MAC addresses to apply security policy and redirect traffic to third-party solutions for additional inspection. Virtual machines communicate their IP addresses to vCenter by using VMware Tools. For VMs not running VMware Tools, you need a mechanism to associate them with distributed firewall security policy. IP sets provide the ability to assign a group of IP addresses to a security group. An IP set contains any combination of a comma-separated list of IP addresses, a range of IP addresses, or CIDR block notation.
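Because an IP set places addresses into a security group without any input from VMware Tools, it is worth checking what a set really covers before it is used in policy. The following is an added example, not code from the guide or from VMware: it parses the three entry forms listed above, counts the addresses covered, and reports overlaps between two sets. The hyphenated "start-end" range syntax and all addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Constructed sample IP set values (not from the guide).
WEB_TIER = "10.1.10.11, 10.1.10.20-10.1.10.29, 10.1.20.0/28"
DB_TIER = "10.1.20.8/29, 10.1.30.5"


def parse_ip_set(value):
    """Parse an IP set value into a list of ipaddress network objects.

    Handles the three forms the guide lists, comma separated: single
    addresses, ranges, and CIDR blocks. The "start-end" range syntax is
    an assumption of this example.
    """
    networks = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:
            start_s, end_s = (part.strip() for part in item.split("-", 1))
            start = ipaddress.ip_address(start_s)
            end = ipaddress.ip_address(end_s)
            if start.version != end.version or start > end:
                raise ValueError(f"bad range: {item!r}")
            # A range becomes the minimal list of CIDR blocks covering it.
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=True rejects entries with host bits set, such as
            # 10.1.20.5/24, which usually indicate a typing mistake.
            networks.append(ipaddress.ip_network(item, strict=True))
    return networks


def contains(networks, address):
    """True if the address falls inside any entry of the parsed IP set."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in networks)


def address_count(networks):
    """Number of distinct addresses covered by the parsed IP set."""
    total = 0
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        # Collapse first so overlapping entries are not counted twice.
        total += sum(n.num_addresses
                     for n in ipaddress.collapse_addresses(same))
    return total


def overlaps(set_a, set_b):
    """Pairs of entries that put the same address into both IP sets."""
    return [(a, b) for a in set_a for b in set_b
            if a.version == b.version and a.overlaps(b)]


if __name__ == "__main__":
    web, db = parse_ip_set(WEB_TIER), parse_ip_set(DB_TIER)
    print("web tier addresses:", address_count(web))
    print("db tier addresses:", address_count(db))
    for a, b in overlaps(web, db):
        print(f"overlap: {a} (web) and {b} (db)")
```

An overlap means one address lands in two security groups at once, so the policies of both groups apply to it.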

Figure 4. IP Set

SpoofGuard

Ensuring an accurate association of guest VM IP address use is very important to maintaining data center security. After synchronizing with the vCenter Server, NSX Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine, or from IP discovery if it is enabled. IP discovery uses DHCP snooping and ARP snooping to dynamically observe VM IP addresses, and to prevent malicious use of otherwise authorized IP addresses. You also have the option to manually inspect and approve IP address use. SpoofGuard is disabled by default.

Figure 5. SpoofGuard policy enablement

Figure 6. SpoofGuard IP address assignment and approval

Security Tags

Security tags are a VM attribute assigned by an administrator or applied through automation. Security tags provide dynamic association of VMs with security policy through security group membership. Security tags can be user-generated or system-defined. To provide automated response to threats in your data center, Panorama can apply security tagging based on firewall logging.

Figure 7. Security tags

Security Groups

Security groups provide a flexible way to group virtual machines to which security policy is applied. Several options based on VM configuration state can be used to associate security groups. This guide uses security tags and IP sets to assign security groups.

Security groups can also be created by dynamic address objects from Panorama by setting the match criteria _nsx_[security group name]. The address group name and the security group name in the match criteria must match exactly in characters and case; otherwise, the security group will not be created in NSX.

Security Policy

Security policy identifies the network traffic that is to be allowed or blocked by distributed firewall and optionally inspected by network introspection. All security policies require a security group for source, destination, or source and destination. A security policy is created with implicit reference to an unnamed security group, and then the security policy is applied to a security group; you don't explicitly identify the security group within a security policy.
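The naming rule for Panorama-created security groups described under Security Groups fails silently: a mismatch only shows up as a group that never appears in NSX, and policy that references it protects nothing. The following is an added example, not code from the guide or from Palo Alto Networks, that checks name and match-criteria pairs before a commit. The group names are constructed, and the pairs are assumed to have been exported from Panorama by some other means.

```python
NSX_PREFIX = "_nsx_"

# Constructed sample data: (address group name, match criteria).
SAMPLE_GROUPS = [
    ("web-servers", "_nsx_web-servers"),
    ("App-Servers", "_nsx_app-servers"),
    ("db-servers", "_nsx_db-servers "),
    ("quarantine", "nsx_quarantine"),
    ("dev-web", "_nsx_dev_web"),
]


def check_group(name, criteria):
    """Return None if the pair satisfies the rule, else a short diagnosis.

    Rule from the guide: the match criteria is _nsx_[security group name],
    and that name must equal the address group name exactly, in characters
    and case.
    """
    if not criteria.startswith(NSX_PREFIX):
        return "missing '_nsx_' prefix"
    suffix = criteria[len(NSX_PREFIX):]
    if suffix == name:
        return None
    # Classify the mismatch so the operator knows what to look for.
    if suffix.casefold() == name.casefold():
        return "case differs"
    if suffix.strip() == name.strip():
        return "whitespace differs"
    # Report the first position where the two names diverge.
    index = next(
        (i for i, (a, b) in enumerate(zip(suffix, name)) if a != b),
        min(len(suffix), len(name)),
    )
    return f"names differ at character {index}"


def audit(groups):
    """Map each non-conforming address group name to its diagnosis."""
    findings = {}
    for name, criteria in groups:
        problem = check_group(name, criteria)
        if problem is not None:
            findings[name] = problem
    return findings


if __name__ == "__main__":
    for group, problem in audit(SAMPLE_GROUPS).items():
        print(f"{group}: {problem}")
```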

Service Manager

Service managers register with NSX Manager to provide network introspection security services. Panorama registers with NSX Manager as a service manager, providing service definitions and service profiles.

Figure 8. NSX Service Manager

Service Definitions

As a service manager, Panorama registers NSX service definitions, which can be used in network introspection of NSX security policies. Service definitions specify the Panorama device group and template to which newly deployed VM-Series firewalls are to register. The device group identifies the capacity license of the VM-Series firewall (VM-100, VM-300, or VM-500) based on its authorization code. Service definitions also specify the URL for the VM-Series firewall OVF file and the notify group.

Figure 9. Panorama service definition

Figure 10. Panorama Service Manager and service definition name mapping to NSX Manager

Service Profile

NSX service profiles are used in NSX security policies to provide network introspection services. Virtual wire security zones created in your Panorama templates create these service profiles in NSX Manager. An NSX security policy using a network introspection service profile forwards the traffic to the associated VM-Series firewall virtual wire interface for additional inspection. Multiple service profiles permit you to apply different security policies on the VM-Series firewall for applications such as multitenancy.

Figure 11. Panorama security zone mapping to NSX Manager service profile

Operations-Oriented vs Security-Oriented Security Policy

NSX security policy can be created and applied from within NSX Manager. This model is known as operations-oriented security policy, which is appropriate for many organizations. In this model, all data center security policy is an inherent function of administering the compute resources and NSX virtual networking; security staff can be granted access to participate in creation and oversight of security policy in a cooperative manner.

Separation of data center operational duties from security policy creation and application can be a desirable capability. Security-oriented security policy separates security functions from data center operations. Desired data center security policy is created in Panorama, which then configures NSX security policy. Security policies created in Panorama and pushed to NSX become the authoritative security policy and replace natively configured security policy.

Firewall Security Policy

Writing security policies in your new software-defined data center will likely be different than in traditional firewall deployments. Network traffic is first inspected by the NSX firewall, and only permitted traffic is forwarded to VM-Series firewalls for additional inspection. A best practice is to block all network traffic that can be identified on the NSX firewall and pass only permitted traffic to your VM-Series firewall for additional inspection such as App-ID and threat prevention.

VM-Series firewalls present a virtual wire interface to NSX Manager, with the same security zone on both sides of the virtual wire. Security policies in this type of environment should only be intrazone. Only traffic within the data center, to and from address groups, should be used in security policy. Default firewall policy (source/destination=any) should be addressed in the perimeter firewall.

Panorama Steering Rules

In the security-oriented data center, NSX traffic steering policies are pushed directly from Panorama. These steering rules can be automatically generated from Panorama security policies or created manually from a subset of security policies.

The NSX firewall doesn't understand the Panorama service object application-default, nor can you use more specific service objects in Panorama security policy. They will all be mapped to any in NSX steering rules. To more specifically target steering rules, you must modify the auto-generated Panorama steering rules to use service object names understood by NSX.

Palo Alto Networks VM-Series Firewall for NSX

Beginning with PAN-OS version 8.0, most of the VM-Series firewalls are supported with NSX. Multiple VM-Series firewalls can be deployed on a single host, as long as the overall CPU core, memory, and storage requirements are met for the firewalls. Multiple firewalls can be deployed to meet performance or multitenancy requirements.

The table below provides a performance comparison of VMware NSX compatible PAN-OS 8.0 VM-Series firewalls using the maximum number of CPU cores.

Table 1. Performance comparison of PAN-OS 8.0 VM-Series firewalls

                             | VM-100/VM-200 (2 Cores) | VM-300/VM-1000-HV (4 Cores) | VM-500 (8 Cores)
Firewall Throughput          | 1 Gbps                  | 1.5 Gbps                    | 3 Gbps
Threat Prevention Throughput | 500 Mbps                | 1 Gbps                      | 3 Gbps
Maximum Sessions             | 250,                    | ,000                        | 2,000,000

Deployment

NSX Manager deploys VM-Series firewalls as part of service deployment and destroys firewalls when service deployments are deleted. After deployment, new firewalls contact Panorama to receive their license authorization. When firewalls are deleted, NSX Manager informs Panorama to deactivate the firewall and remove its licenses. To automate the license creation and deletion, Panorama requires an API key for the Palo Alto Networks Support Portal to update licenses for your firewalls. The following procedure installs this license API key into Panorama.

Preparing Your Environment

Quick Start

Procedure 1: Install Panorama License Authorization API key
Procedure 2: Create a Web Server for VM-Series Installation

Procedure 1: Install Panorama License Authorization API key

Step 1. Log in to the Palo Alto Networks Support portal.
Step 2. In the upper-right corner, click Go To > Licensing API.
Step 3. Copy the text of your API key.

Step 4. At the Panorama CLI, enter the following commands.

    request license api-key set key [api key]
    commit

VMware NSX Manager automatically deploys VM-Series firewalls to all hosts within a cluster during service deployment. The service definition created within Panorama informs NSX Manager of a URL at which the Open Virtualization Format (OVF) file for the VM-Series firewall can be downloaded. The OVF file provides the configuration details such as memory, CPU, and disk size required for each firewall instance type. A web server hosting the OVF file for the VM-Series firewall is required as part of the integration between Panorama and NSX Manager.

Procedure 2: Create a Web Server for VM-Series Installation

Step 1. Create a web service for VM-Series firewall OVF and VMDK files that NSX Manager can reach.
Step 2. Download the PAN-OS for VM-Series NSX Base Image from the Palo Alto Networks Support site. Select a base image within the same major version of PAN-OS desired (for example: PA-VM-NSX zip for 8.0).
Step 3. Unzip the downloaded file to your computer.
Step 4. Copy the VMDK file and each OVF file for the VM-Series firewall images to a directory of the web server that is served by a URL. This URL is used later in the NSX service definition.

Note: It is recommended that you rename the OVF files to generic names such as PA-VM-NSX-VM300.ovf. The OVF names are used in service definitions and cannot be changed after they are published to NSX Manager. Renaming the OVF files helps to avoid future confusion when the base file images are updated.

Registering Panorama as an NSX Service Definition

A Panorama plugin extends the features of Panorama to add the required capabilities for integration with VMware NSX as a third-party service provider. After it is registered as a service, NSX Manager can use the service definition provided by Panorama to automatically deploy VM-Series firewalls on host clusters in your data center. When firewalls are deployed, they are placed in the device group and template associated with their service definition.

Quick Start

Procedure 1: Install the VMware NSX Plugin for Panorama
Procedure 2: Create Panorama Device Group and Template for VM-Series Firewalls
Procedure 3: Create Template Stack
Procedure 4: Create Security Zones for NSX Network Introspection service insertion
Procedure 5: Create an NSX Notify Group
Procedure 6: Create an NSX Manager Service Definition
Procedure 7: Update Device Groups with VM-Series Authorization Code
Procedure 8: Create NSX Service Manager for Panorama
Procedure 9: Confirm Panorama VM-Series Service Definitions in NSX Manager

Procedure 1: Install the VMware NSX Plugin for Panorama

Step 1. Log in to the Palo Alto Networks Support portal.
Step 2. Click Software Updates > Panorama Integration Plug In.
Step 3. Download the vmware_nsx_2_0_0 plugin to your computer.
Step 4. Log in to the Panorama web interface.
Step 5. Click Panorama > Plugins.
Step 6. Click Upload > Browse, select the plugin you downloaded, and then click OK.
Step 7. Click Install.

Procedure 2: Create Panorama Device Group and Template for VM-Series Firewalls

Step 1. Select Panorama > Device Groups, and then click Add.
Step 2. Enter a unique name and description for the device group.
Step 3. Click OK.
Step 4. Select Panorama > Templates, and then click Add.
Step 5. Enter a unique name, and optional description, for your template, and then click OK.

Procedure 3: Create Template Stack

(Optional) Device groups and templates associated with NSX service definitions cannot be changed after publication to NSX Manager. Adding a template stack, and using it in your NSX service definition, provides flexibility for future changes. Multitenant deployments with common template configuration elements are an example where template stacks would be beneficial.

Step 1. Click Add Stack.
Step 2. Enter a unique name for the template stack.
Step 3. Select the previous template from Step 5, above.
Step 4. Add additional templates to the template stack as required, and then click OK.

Procedure 4: Create Security Zones for NSX Network Introspection service insertion

NSX Network Introspection forwards traffic to virtual wire interfaces on the VM-Series firewall. The vwire is implicit to the NSX integration of the two solutions. You create security zones of type vwire. Panorama then creates a service profile using the vwire security zone name.

Step 1. Select Network > Zones.
Step 2. Select the template in which the service will be provided, and then click Add.
Step 3. Enter a name for the zone.
Step 4. Select Virtual Wire for Type, and then click OK.

Procedure 5: Create an NSX Notify Group

Your software-defined data center is a highly dynamic environment. To keep track of these changes and apply accurate security policy, NSX Manager notifies firewalls within a notify group of these changes. When a new VM is created, or a VM is deleted, members of the notify group are notified of changes to VM IP addresses so they can update their dynamic address groups.

Step 1. Select Panorama > VMware NSX > Notify Groups.
Step 2. Click Add.
Step 3. Enter the name of the notify group.
Step 4. Check the device groups that should be notified of VM changes.
Step 5. Click OK.

Procedure 6: Create an NSX Manager Service Definition

Step 1. Select Panorama > VMware NSX > Service Definition.
Step 2. Click Add.
Step 3. Enter a unique name for the service definition.
Step 4. Select the device group.
Step 5. Select the template.
Step 6. Type the URL address of the web service from which NSX Manager can download the VM-series OVF file.
Step 7. Select the notify group.
Step 8. Click OK.

Note: Device groups and templates can be used in only a single service definition.

Procedure 7: Update Device Groups with VM-series Authorization Code

After a device group is associated with an NSX service definition, two additional fields are available: Authorization Code and Software Version. Panorama uses the authorization code to license newly deployed VM-series firewalls, and the firewalls will be upgraded to the indicated software version.

Step 1. Select Panorama > Device Groups.
Step 2. Select a device group.
Step 3. Type the authorization code for your VM-series firewall license.
Step 4. Select the software version you want deployed to new VM-series firewalls.

Note: Only VM-series software versions that are equal to or lower than the version Panorama is currently running are available for selection.

Procedure 8: Create NSX Service Manager for Panorama

Step 1. Select Panorama > VMware NSX > Service Manager.
Step 2. Click Add.
Step 3. Enter a name for the NSX Service Manager.
Step 4. Enter the URL of the NSX Manager management address.
Step 5. Enter the NSX Manager admin name.
Step 6. Enter the NSX Manager password.
Step 7. Confirm the NSX Manager password.
Step 8. Under Service Definitions, click Add, select the service definitions you created previously, and then click OK.

Step 9. Click Commit > Commit to Panorama.

Panorama now registers the service definitions with NSX Manager. After you commit, the Panorama status shown in the web UI for your service manager initially indicates an error until the registration process is completed and the page is refreshed. This process can take approximately 30 seconds. You can refresh the service manager page periodically to check status, or connect to the Panorama CLI and follow registration progress.

tail follow yes mp-log plugin_vmware_nsx.log

:01: INFO: Config from panorama validated!
:01: INFO: PANW NGFW: No service manager is found in db.will search NSX if one exists
:01: INFO: PANW NGFW: Could not find Pan-NSX info. Creating a service manager now
:01: INFO: PANW NGFW: Creating service Manager
:01: INFO: PANW NGFW: service-manager created and id = servicemanager
:01: INFO: PANW NGFW: Service manager is servicemanager
:01: INFO: PANW NGFW: Service Manager servicemanager-1 updated
:01: INFO: PANW NGFW: service-definition created and id = service
:01: INFO: PANW NGFW: Service Definition VM-100 created with id = service
:01: INFO: PANW NGFW: Vendor-Template created and id =
:01: ERROR: PANW NGFW: Unknown error when registering vendor templates. Ret code:
:01: INFO: PANW NGFW: Successfully set functionality Firewall functionality service on service
:01: INFO: PANW NGFW: Successfully set functionality Status service on service
:01: INFO: PANW NGFW: service-profile created and id = serviceprofile
:01: INFO: PANW NGFW: Created service profile VM-100_VM-100 and id is serviceprofile
:01: INFO: PANW NGFW: created versioneddeploymentspec 6.5.* for service service
:01: INFO: PANW NGFW: created versioneddeploymentspec 6.0.* for service service
:01: INFO: PANW NGFW: created versioneddeploymentspec 5.5.* for service service
:01: INFO: PANW NGFW: created versioneddeploymentspec 6.1.* for service service
:01: INFO: Config pushed from panorama to NSX
:01: INFO: Finished processing update callbacks
:02: INFO: PANW NGFW status changed from Unknown State to Registered

The status change to Registered in the last line indicates successful registration of Panorama as an NSX Service Manager.
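A check over a saved copy of the registration log shown above, as an added example that is not part of the original guide: it reports the final state, lists ERROR lines, and names any registration message that never appeared. The function names, the list of expected stages (an assumption drawn from the sample output), the sample timestamps and the `-EXAMPLE` ids are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). Summarizes a saved copy of
# plugin_vmware_nsx.log after a first-time registration.

# nsx_registration_state LOGFILE
# Prints the target state of the last "status changed from X to Y" line,
# or "Unknown" when no transition was logged.
nsx_registration_state() {
    awk '
        / status changed from .* to / {
            line = $0
            sub(/.* status changed from .* to /, "", line)
            gsub(/[ \t\r]+$/, "", line)
            state = line
        }
        END { if (state == "") state = "Unknown"; print state }
    ' "$1"
}

# nsx_registration_errors LOGFILE
# Prints every ERROR line. The sample output in the guide contains one even
# though registration succeeds, so errors are reported, not treated as fatal.
nsx_registration_errors() {
    grep 'ERROR:' "$1" || true
}

# nsx_missing_stages LOGFILE
# Prints each expected first-registration message that never appeared.
# The stage list is an assumption drawn from the sample output in the guide.
nsx_missing_stages() {
    for stage in 'service-manager created' 'service-definition created' \
                 'service-profile created' 'Config pushed from panorama to NSX'
    do
        grep -qF -- "$stage" "$1" || printf '%s\n' "$stage"
    done
}

# nsx_registration_ok LOGFILE
# Succeeds only when the last state is Registered and no stage is missing.
nsx_registration_ok() {
    [ "$(nsx_registration_state "$1")" = "Registered" ] &&
        [ -z "$(nsx_missing_stages "$1")" ]
}

# Constructed sample: message text follows the guide, timestamps and the
# -EXAMPLE ids are invented for illustration.
write_sample_log() {
    cat > "$1" <<'EOF'
2018-03-01 10:01:02 INFO: Config from panorama validated!
2018-03-01 10:01:03 INFO: PANW NGFW: Creating service Manager
2018-03-01 10:01:04 INFO: PANW NGFW: service-manager created and id = servicemanager-1
2018-03-01 10:01:06 INFO: PANW NGFW: service-definition created and id = service-EXAMPLE
2018-03-01 10:01:08 ERROR: PANW NGFW: Unknown error when registering vendor templates.
2018-03-01 10:01:10 INFO: PANW NGFW: service-profile created and id = serviceprofile-EXAMPLE
2018-03-01 10:01:20 INFO: Config pushed from panorama to NSX
2018-03-01 10:02:01 INFO: PANW NGFW status changed from Unknown State to Registered
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "state: $(nsx_registration_state "$sample")"
echo "errors seen:"
nsx_registration_errors "$sample"
echo "missing stages: $(nsx_missing_stages "$sample")"
```
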

Procedure 9: Confirm Panorama VM-series Service Definitions in NSX Manager

Step 1. Log in to vCenter.
Step 2. Select Networking and Security > Service Definitions.

Deploying VM-series Firewalls into your Data Center Infrastructure

Panorama has now successfully registered your VM-series firewalls as a service available to NSX Manager. The next step is to deploy the firewalls to host clusters within your data center. NSX Manager deploys services at the cluster level, to include all hosts within the selected clusters.

Procedure 1: Deploy VM-series Firewalls

Step 1. Log in to your vCenter management interface.
Step 2. Select Networking and Security > Installation > Host Preparation.
Step 3. Confirm all clusters on which you want to deploy your VM-series service definition are in the Installation Status ready state.
Step 4. For clusters not in the ready state, click Not Ready > Resolve All. The required agent files are installed on the hosts within the cluster, and the cluster should indicate Ready.

Step 5. Select Installation > Service Deployment.
Step 6. Click Add.
Step 7. Select the service definition you want to deploy, and then click Next.
Step 8. Select the cluster(s) that are to receive the service deployment, and then click Next.
Step 9. Select the datastore on which the VM-series firewall should reside.
Step 10. Select the network on which the VM-series firewall management interface should reside.
Step 11. Select the IP address assignment (DHCP or IP Pool) for the firewall management interface, and then click Next.
Step 12. After NSX Manager validates that dependent services are loaded, click Finish.

NSX Manager now connects to your web server to deploy your VM-series firewalls. During deployment of a single firewall, the access log of the web server hosting the VM-series OVF files will look similar to the following.

GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX-VM100.ovf HTTP/ Java/1.8.0_131
GET /PA-VM-NSX disk1.vmdk HTTP/ Java/1.8.0_131

Once complete, the service deployment should look like the following.

Creating and Associating NSX Security Tags

Quick Start
Procedure 1: Create a Security Tag
Procedure 2: Assign Security Tag to VMs

Procedure 1: Create a Security Tag

Step 1. Select Networking and Security > NSX Managers > Objects.
Step 2. Click your NSX Manager.
Step 3. Select Manage > Security Tags.
Step 4. Click New Security Tag.
Step 5. Enter a name for the security tag, and then click OK.

Procedure 2: Assign Security Tag to VMs

Step 1. Select your security tag.
Step 2. Click Assign Security Tag.

Step 3. Select a VM to apply the tag, and then click Select Object.
Step 4. Add additional VMs as required, and then click OK.

Creating Dynamic Address Groups and NSX Security Groups

This procedure creates a new dynamic address group in Panorama, which automatically creates the associated NSX security group. The security group is used when creating NSX security policy for distributed firewall inspection and for network introspection by the Palo Alto Networks VM-series firewall. NSX Manager sends Panorama dynamic updates of the VM IP addresses associated with the security group, which populate the address group.

Quick Start
Procedure 1: Create Panorama Dynamic Address Group
Procedure 2: Assigning Security Group Membership by Security Tag

Procedure 1: Create Panorama Dynamic Address Group

Step 1. Log in to Panorama.
Step 2. On the Objects tab, select the device group in which to create the address group, and then click Add.
Step 3. Type the name of the address group.
Step 4. Select type Dynamic.
Step 5. In the match criteria, enter _nsx_[address Group Name], and then click OK.

Note: Ensure that the address group name and match criteria name are identical. The NSX security group will not be created unless they are identical.

Procedure 2: Assigning Security Group Membership by Security Tag

Step 1. Log in to NSX Manager.
Step 2. Select Networking and Security > Service Composer > Security Groups.
Step 3. Click Edit Security Group.
Step 4. Select Define dynamic membership.
Step 5. Click Add.

Step 6. From Criteria Details, select Security Tag.
Step 7. Choose Contains for expression type.
Step 8. In the Contains field, type the portion of your security tag that uniquely identifies the desired security group membership.
Step 9. Click Finish.

Automating Threat Response: Quarantining Infected VMs

Quick Start
Procedure 1: Create a Quarantine VMs Address Group
Procedure 2: Create an HTTP Server profile to send API calls to NSX Manager
Procedure 3: Create Panorama Log Forwarding Profile
Procedure 4: Create Panorama Certificate Authority
Procedure 5: Create NSX Manager Certificate
Procedure 6: Export NSX Manager Certificates from Panorama
Procedure 7: Create NSX Manager Certificate Chain
Procedure 8: Assign NSX Threat Security Tag to Quarantine Security Group
Procedure 9: Create an NSX Security Policy to Quarantine VMs

Procedure 1: Create a Quarantine VMs Address Group

Step 1. Log in to Panorama.
Step 2. Select Objects > Address Groups.
Step 3. Choose a Device Group.
Step 4. Click Add.
Step 5. Type a name for the Address Group.
Step 6. Select type Dynamic.
Step 7. In the match criteria, type _nsx_[address group name], ensuring the name is identical to the name used in Step 5, and then click OK.
Step 8. Click Commit > Commit to Panorama.

Figure 12. Panorama dynamic address group for quarantined VMs

Step 9. Confirm your address group created the associated security group in NSX.

Figure 13. NSX security group created by Panorama address group

Procedure 2: Create an HTTP Server profile to send API calls to NSX Manager

Step 1. Select Panorama > Server Profiles > HTTP.
Step 2. Enter a name for the server profile.
Step 3. On the Servers tab, click Add.
Step 4. Enter a name for NSX Manager.
Step 5. Enter the IP address for NSX Manager.
Step 6. Select protocol HTTP or HTTPS. For HTTPS, there are additional certificate items in Procedure 4.
Step 7. Select PUT for HTTP method.
Step 8. Enter the NSX Manager administrative username and password.
Step 9. On the Payload Format tab, click Threat.
Step 10. Choose a pre-defined NSX Threat Security Tag. NSX Anti-Virus Threat High is used in this example.

Step 11. Click OK.

Procedure 3: Create Panorama Log Forwarding Profile

Step 1. Select Panorama > Log Settings.
Step 2. Under Threat, click Add.
Step 3. Select a Filter option.
Step 4. Under HTTP, click Add.

Step 5. Select the HTTP Server profile you created in the previous procedure, and click OK.

Procedure 4: Create Panorama Certificate Authority

Step 1. Select Panorama > Certificate Management > Certificates.
Step 2. Click Generate.
Step 3. Enter a certificate name.
Step 4. In the Common Name box, enter the Panorama IP address.
Step 5. Click Certificate Authority.

Step 6. Click Generate.

Procedure 5: Create NSX Manager Certificate

Step 1. Click Generate.
Step 2. Enter a name for the NSX Manager certificate.
Step 3. In the Common Name box, enter the NSX Manager IP address.
Step 4. In the Signed By list, select Panorama CA.

Step 5. Click Generate.

Procedure 6: Export NSX Manager Certificates from Panorama

Step 1. Select the Panorama CA certificate.
Step 2. Click Export.
Step 3. Choose file format Base64 PEM.

Step 4. Clear the Export private key box, and click OK.
Step 5. Select the NSX Manager certificate.
Step 6. Click Export.
Step 7. Choose file format Base64 PEM.
Step 8. Select the Export private key check box.
Step 9. Enter a passphrase, and then click OK.

Procedure 7: Create NSX Manager Certificate Chain

NSX Manager has no concept of trusted Certificate Authorities. The certificate installed on NSX Manager must include the entire chain of trust, called a certificate chain. After installing a new certificate, NSX Manager must be rebooted.

Step 1. Using Linux or Mac, concatenate the downloaded Panorama CA certificate and NSX Manager certificate from Procedure 6.

%> cat PanoramaCA.cert NSXMgr.cert > NSXMgrChain.cert

Step 2. Using OpenSSL, export the NSX Manager certificate chain in PKCS12 format.

%> openssl pkcs12 -export -in NSXMgrChain.cert -out NSXMgrCert.p12

Step 3. Log in to NSX Manager.
Step 4. Select Manager Appliance Settings.
Step 5. Select SSL Certificates.
Step 6. Select Upload PKCS#12 Keystore.
Step 7. Click Browse.
Step 8. Choose the NSXMgrCert.p12 file created above.
Step 9. Click Import.
Step 10. In the upper right corner, click Settings.
Step 11. Choose Reboot Appliance.
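The cat and openssl pkcs12 commands in Steps 1 and 2 of Procedure 7 do not check that the NSX Manager certificate was issued by the Panorama CA before the keystore is uploaded. This added example (not part of the original guide) wraps the same two commands with a chain check and a key-match check. It assumes the certificate and its private key are in separate PEM files and that passphrases are read from files; every file name, subject and passphrase is constructed, and the PKI it generates is throwaway test material.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks around the
# cat + "openssl pkcs12 -export" steps. File names, subjects and passphrases
# are constructed; the PKI generated below is throwaway test material.

# chain_verifies CA_CERT LEAF_CERT
# Succeeds when LEAF_CERT validates against CA_CERT.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY KEY_PASSFILE
# Succeeds when the (possibly encrypted) private key belongs to the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# p12_cert_count P12 P12_PASSFILE
# Prints how many certificates the keystore carries (2 = leaf plus CA).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# build_chain_p12 CA_CERT LEAF_CERT LEAF_KEY KEY_PASSFILE P12_PASSFILE OUT
# Same two steps as the guide (cat, then pkcs12 -export), but refuses to
# build the keystore unless both checks above pass.
build_chain_p12() {
    chain_verifies "$1" "$2" || { echo "leaf not issued by CA" >&2; return 1; }
    key_matches_cert "$2" "$3" "$4" || { echo "key/cert mismatch" >&2; return 1; }
    cat "$1" "$2" "$3" > "$6.chain" || return 1
    openssl pkcs12 -export -in "$6.chain" -passin "file:$4" \
        -passout "file:$5" -out "$6" 2>/dev/null
    rc=$?
    rm -f "$6.chain"    # the chain file holds the private key
    return $rc
}

# make_constructed_pki DIR
# Writes two unrelated CAs and one leaf signed by the first into DIR.
make_constructed_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        'prompt = no' '[dn]' 'CN = Constructed CA' '[ca_ext]' \
        'basicConstraints = critical,CA:TRUE' > "$d/req.cnf"
    printf 'constructed-key-pass\n' > "$d/key.pass"
    printf 'constructed-p12-pass\n' > "$d/p12.pass"
    for ca in PanoramaCA OtherCA; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
            -subj "/CN=Constructed $ca" -keyout "$d/$ca.key" \
            -out "$d/$ca.cert" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -config "$d/req.cnf" -subj "/CN=192.0.2.10" \
        -passout "file:$d/key.pass" -keyout "$d/NSXMgr.key" \
        -out "$d/NSXMgr.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/NSXMgr.csr" -CA "$d/PanoramaCA.cert" \
        -CAkey "$d/PanoramaCA.key" -CAcreateserial -days 1 \
        -out "$d/NSXMgr.cert" 2>/dev/null
}

demo_dir=$(mktemp -d)
if make_constructed_pki "$demo_dir"; then
    build_chain_p12 "$demo_dir/PanoramaCA.cert" "$demo_dir/NSXMgr.cert" \
        "$demo_dir/NSXMgr.key" "$demo_dir/key.pass" "$demo_dir/p12.pass" \
        "$demo_dir/NSXMgrCert.p12" &&
        echo "keystore holds $(p12_cert_count "$demo_dir/NSXMgrCert.p12" \
            "$demo_dir/p12.pass") certificates"
fi
```

Reading passphrases from files keeps them out of the process list and shell history; remove the passphrase files and the exported private key once the keystore has been imported.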

Procedure 8: Assign NSX Threat Security Tag to Quarantine Security Group

Step 1. Log in to vCenter.
Step 2. Select Networking and Security > Service Composer.
Step 3. Select the security group that was created from the Panorama address group for quarantined VMs.
Step 4. Click the Edit Security Group icon.
Step 5. Click Define dynamic membership.
Step 6. Click the Add icon.
Step 7. Click the Add button.
Step 8. Select Security Tag.
Step 9. Select Contains.
Step 10. Enter threat=high.
Step 11. Click Finish.

Procedure 9: Create an NSX Security Policy to Quarantine VMs

This procedure creates an NSX Security Policy to prevent traffic to or from quarantined VMs.

Step 1. Log in to vCenter.
Step 2. Select Networking and Security > Service Composer > Security Policies.

The first security policy will block all traffic originating from the offending VM.

Step 3. Click the Create Security Policy icon.
Step 4. Enter a name for the security policy.
Step 5. Select Firewall Rules.
Step 6. Click the Add icon.
Step 7. Enter the name of the first firewall rule.
Step 8. Under Action, select Block.
Step 9. Under Source, click Change.
Step 10. Select Policy's Security Groups.
Step 11. Under Destination, click Change.
Step 12. Select Any, and then click OK.

The second security policy blocks all traffic destined to the offending VM.

Step 13. Click the Add icon.
Step 14. Enter the name of the second firewall rule.
Step 15. Under Action, click Block.
Step 16. Under Source, click Change.
Step 17. Select Any.
Step 18. Under Destination, click Change.
Step 19. Select Policy's Security Groups, and then click OK.

Figure 14. VM tagged with NSX Anti-Virus Security Tag

Generating Panorama Traffic Steering Rules

Procedure 1: Auto-Generate Steering Rules

Step 1. Log in to Panorama.
Step 2. Select Panorama > Steering Rules.
Step 3. Click Auto-Generate Steering Rules.
Step 4. Click one of the auto-generated steering rules.
Step 5. Under Services, click Add.

Step 6. Modify Services to a service understood by the NSX firewall.
Step 7. Click Commit > Commit to Panorama.
Step 8. Verify the steering rules are pushed to NSX Manager.
Step 9. Log in to vCenter, and then select Networking and Security > Firewall > Configuration > Partner security services.

Removing a Service Deployment Virtual Firewall

To remove a VM-series firewall from a host in your data center, you delete the service deployment within NSX Manager. NSX Manager notifies Panorama of the deletion of the VM-series firewall, and Panorama deactivates it using the license API key. Panorama does not remove the firewall from its managed devices inventory. You must first remove the deactivated virtual firewall from its device group and template, and then remove it from managed devices.

Quick Start
Procedure 1: Remove a Service Deployment VM-series Firewall
Procedure 2: Remove a Deactivated VM-series Firewall from Panorama

Procedure 1: Remove a Service Deployment VM-series Firewall

Step 1. Log in to vCenter.
Step 2. Select Network and Security > Installation > Service Deployments.
Step 3. Select the desired Service Deployment.
Step 4. Click the Delete icon.

Procedure 2: Remove a Deactivated VM-series Firewall from Panorama

Step 1. Log in to Panorama.
Step 2. Select Panorama > Device Groups.
Step 3. Select the device group to which the removed virtual firewall belonged.
Step 4. Uncheck the firewall that was removed.
Step 5. Select Panorama > Templates.
Step 6. Select the template (or template stack) to which the firewall belonged.
Step 7. Uncheck the firewall that was removed.
Step 8. Select Panorama > Managed Devices.
Step 9. Check the firewall that was removed.
Step 10. Click Delete.

Removing NSX Manager Integration Components

NSX Manager prevents you from removing functions that other features depend on. Security policies and service deployments are both dependent on service definitions. Should you need to remove some, or all, components of the Palo Alto Networks integration with NSX Manager, use the following procedures.

Quick Start
Procedure 1: Remove Dependent Security Policies
Procedure 2: Remove NSX Service Deployments of VM-series Firewalls
Procedure 3: Remove NSX Service Definitions

Procedure 1: Remove Dependent Security Policies

Step 1. Log in to vCenter.
Step 2. Select Networking and Security > Service Composer > Security Policies.
Step 3. Right-click any security policy that is using the service definition you want to remove, and then click Delete.
Step 4. Repeat the previous step for additional security policies.

Procedure 2: Remove NSX Service Deployments of VM-series Firewalls

Step 1. Select Networking and Security > Installation > Service Deployments.
Step 2. Select the service deployment of the virtual firewall.
Step 3. Click Delete.
Step 4. Repeat this procedure for additional service deployments of the service definition.

Procedure 3: Remove NSX Service Definitions

Step 1. Select Networking and Security > Service Definitions > Services.
Step 2. Right-click the service definition to be removed, and then select Edit.
Step 3. Select Related Objects.
Step 4. Click the service instance name [service definition name]-globalinstance.


NSX Administration Guide. Update 3 Modified on 20 NOV 2017 VMware NSX for vsphere 6.2 NSX Administration Guide Update 3 Modified on 20 NOV 2017 VMware NSX for vsphere 6.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

CA Agile Central Administrator Guide. CA Agile Central On-Premises

CA Agile Central Administrator Guide. CA Agile Central On-Premises CA Agile Central Administrator Guide CA Agile Central On-Premises 2018.1 Table of Contents Overview... 3 Server Requirements...3 Browser Requirements...3 Access Help and WSAPI...4 Time Zone...5 Architectural

More information

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine Table of Contents Overview Containers, Docker, Registries vsphere Integrated Containers Engine Management Portal Registry Roles and Personas 1.1 1.1.1 1.1.2 1.1.2.1 1.1.2.2 1.1.2.3 1.1.2.4 2 Overview of

More information

Forescout. Configuration Guide. Version 2.4

Forescout. Configuration Guide. Version 2.4 Forescout Version 2.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

1V0-642.exam.30q.

1V0-642.exam.30q. 1V0-642.exam.30q Number: 1V0-642 Passing Score: 800 Time Limit: 120 min 1V0-642 VMware Certified Associate 6 Network Visualization Fundamentals Exam Exam A QUESTION 1 Which is NOT a benefit of virtualized

More information

Cisco Virtual Application Container Services 2.0 Lab v1

Cisco Virtual Application Container Services 2.0 Lab v1 Cisco Virtual Application Container Services 2.0 Lab v1 Last Updated: 02-SEP-2015 About This Solution Cisco Virtual Application Container Services (VACS) enables simplified deployment of Secure Application

More information

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2 Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.1 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What to Do... 5 Requirements... 5 CounterACT

More information

Securing Containers Using a PNSC and a Cisco VSG

Securing Containers Using a PNSC and a Cisco VSG Securing Containers Using a PNSC and a Cisco VSG This chapter contains the following sections: About Prime Network Service Controllers, page 1 Integrating a VSG into an Application Container, page 3 About

More information

Operationalizing NSX Micro segmentation in the Software Defined Data Center

Operationalizing NSX Micro segmentation in the Software Defined Data Center Operationalizing NSX Micro segmentation in the Software Defined Data Center A Comprehensive Solution for Visibility and Management of Heterogeneous Security Controls in a Data Center www.tufin.com Introduction

More information

CounterACT VMware vsphere Plugin

CounterACT VMware vsphere Plugin CounterACT VMware vsphere Plugin Configuration Guide Version 2.0.0 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin... 5 What

More information

Datacenter Security: Protection Beyond OS LifeCycle

Datacenter Security: Protection Beyond OS LifeCycle Section Datacenter Security: Protection Beyond OS LifeCycle 1 Not so fun Facts from the Symantec ISTR 2017 Report Zero-Day Vulnerability, annual total Legitimate tools, annual total 6,000 5 5,000 4,000

More information

WHITE PAPER OCTOBER VMWARE NSX WITH CHECK POINT vsec. Enhancing Micro-Segmentation Security

WHITE PAPER OCTOBER VMWARE NSX WITH CHECK POINT vsec. Enhancing Micro-Segmentation Security WHITE PAPER OCTOBER 2017 VMWARE NSX WITH CHECK POINT vsec Enhancing Micro-Segmentation Security Table of Contents Executive Summary 3 VMware NSX Network Virtualization Overview 5 East-West Versus North-South

More information

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1

ForeScout CounterACT. Plugin. Configuration Guide. Version 2.1 ForeScout CounterACT Hybrid Cloud Module: VMware vsphere Plugin Version 2.1 Table of Contents About VMware vsphere Integration... 4 Use Cases... 4 Additional VMware Documentation... 4 About this Plugin...

More information

VMware vfabric Data Director Installation Guide

VMware vfabric Data Director Installation Guide VMware vfabric Data Director Installation Guide vfabric Data Director 2.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

VMware vfabric Data Director Installation Guide

VMware vfabric Data Director Installation Guide VMware vfabric Data Director Installation Guide vfabric Data Director 1.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

vcloud Director Administrator's Guide

vcloud Director Administrator's Guide vcloud Director 5.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Securing VMware NSX-T J U N E 2018

Securing VMware NSX-T J U N E 2018 Securing VMware NSX-T J U N E 2018 Securing VMware NSX Table of Contents Executive Summary...2 NSX-T Traffic [Control, Management, and Data]...3 NSX Manager:...7 NSX Controllers:...9 NSX Edge:...10 NSX-T

More information

vcloud Director Administrator's Guide vcloud Director 9.0

vcloud Director Administrator's Guide vcloud Director 9.0 vcloud Director 9.0 You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates. If you have

More information

vcenter Operations Management Pack for NSX-vSphere

vcenter Operations Management Pack for NSX-vSphere vcenter Operations Management Pack for NSX-vSphere vcenter Operations Manager 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Introduction and Data Center Topology For Your System

Introduction and Data Center Topology For Your System Introduction and Data Center Topology For Your System This chapter provides an introduction, a data center overview, and VMware vcenter requirements for your system. Introducing Cisco WebEx Meetings Server,

More information

Using the Horizon vrealize Orchestrator Plug-In

Using the Horizon vrealize Orchestrator Plug-In Using the Horizon vrealize Orchestrator Plug-In VMware Horizon 6 version 6.2.3, VMware Horizon 7 versions 7.0.3 and later Modified on 4 JAN 2018 VMware Horizon 7 7.4 You can find the most up-to-date technical

More information

vcloud Director Administrator's Guide vcloud Director 8.10

vcloud Director Administrator's Guide vcloud Director 8.10 vcloud Director Administrator's Guide vcloud Director 8.10 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

Security Gateway Virtual Edition

Security Gateway Virtual Edition Security Gateway Virtual Edition R75.20 Administration Guide 4 March 2012 Classification: [Restricted] 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

VMware vcloud Networking and Security Overview

VMware vcloud Networking and Security Overview VMware vcloud Networking and Security Overview Efficient, Agile and Extensible Software-Defined Networks and Security WHITE PAPER Overview Organizations worldwide have gained significant efficiency and

More information

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.5.0 vrealize Operations Management Pack for NSX for vsphere 3.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

MOVE AntiVirus page-level reference

MOVE AntiVirus page-level reference McAfee MOVE AntiVirus 4.7.0 Interface Reference Guide (McAfee epolicy Orchestrator) MOVE AntiVirus page-level reference General page (Configuration tab) Allows you to configure your McAfee epo details,

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer 21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal By Adeyemi Ademola E. Cloud Engineer 1 Contents Introduction... 5 1.2 Document Purpose and Scope...5 Service Definition...

More information

Exam Name: VMware Certified Associate Network Virtualization

Exam Name: VMware Certified Associate Network Virtualization Vendor: VMware Exam Code: VCAN610 Exam Name: VMware Certified Associate Network Virtualization Version: DEMO QUESTION 1 What is determined when an NSX Administrator creates a Segment ID Pool? A. The range

More information

Installing and Configuring vcenter Support Assistant

Installing and Configuring vcenter Support Assistant Installing and Configuring vcenter Support Assistant vcenter Support Assistant 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

SYMANTEC DATA CENTER SECURITY

SYMANTEC DATA CENTER SECURITY SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information

More information

Data Center Micro-Segmentation

Data Center Micro-Segmentation Data Center Micro-Segmentation A Software Defined Data Center Approach for a Zero Trust Security Strategy WHITE PAPER Table of Contents Executive Summary... 3 The Software Defined Data Center is the Future...

More information

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3 ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic

More information

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack White Paper Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack Introduction Cisco Application Centric Infrastructure (ACI) is a next-generation data center fabric infrastructure

More information

Developing and Deploying vsphere Solutions, vservices, and ESX Agents. 17 APR 2018 vsphere Web Services SDK 6.7 vcenter Server 6.7 VMware ESXi 6.

Developing and Deploying vsphere Solutions, vservices, and ESX Agents. 17 APR 2018 vsphere Web Services SDK 6.7 vcenter Server 6.7 VMware ESXi 6. Developing and Deploying vsphere Solutions, vservices, and ESX Agents 17 APR 2018 vsphere Web Services SDK 6.7 vcenter Server 6.7 VMware ESXi 6.7 You can find the most up-to-date technical documentation

More information

Architecture and Design. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.

Architecture and Design. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4. Modified on 21 AUG 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Agenda Basecamp The Journey So Far Enhancements Into the Fear Zone Climbing The VM-Series Performance Peak New VM-Series Models and Licensing Best Pra

Agenda Basecamp The Journey So Far Enhancements Into the Fear Zone Climbing The VM-Series Performance Peak New VM-Series Models and Licensing Best Pra SAI3317BES What s New in Palo Alto Networks VM-Series Integration with VMware NSX A Deep Dive VMworld 2017 Sudeep - Product Line Manager Sai - Product Marketing Content: Not for publication Agenda Basecamp

More information

vcloud Director Tenant Portal Guide vcloud Director 8.20

vcloud Director Tenant Portal Guide vcloud Director 8.20 vcloud Director Tenant Portal Guide vcloud Director 8.20 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation,

More information

vrealize Operations Management Pack for NSX for vsphere 2.0

vrealize Operations Management Pack for NSX for vsphere 2.0 vrealize Operations Management Pack for NSX for vsphere 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

What s New in VMware vcloud Director 8.20

What s New in VMware vcloud Director 8.20 What s New in VMware vcloud Director 8.20 Feature Overview TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Feature Updates.... 3 Advanced NSX Networking Features.... 3 Custom Role-Based Access

More information

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version ACE Exam Question 1 of 50. Traffic going to a public IP address is being translated by your Palo Alto Networks firewall to your

More information

ForeScout Extended Module for Tenable Vulnerability Management

ForeScout Extended Module for Tenable Vulnerability Management ForeScout Extended Module for Tenable Vulnerability Management Version 2.7.1 Table of Contents About Tenable Vulnerability Management Module... 4 Compatible Tenable Vulnerability Products... 4 About Support

More information

Cloud Security Best Practices

Cloud Security Best Practices Cloud Security Best Practices Cohesive Networks - your applications secured Our family of security and connectivity solutions, VNS3, protects cloud-based applications from exploitation by hackers, criminal

More information

Paloalto Networks PCNSA EXAM

Paloalto Networks PCNSA EXAM Page No 1 m/ Paloalto Networks PCNSA EXAM Palo Alto Networks Certified Network Security Administrator Product: Full File For More Information: /PCNSA-dumps 2 Product Questions: 50 Version: 8.0 Question:

More information

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center Introducing VMware Validated Designs for Software-Defined Data Center 17 JUL 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.3 You can find the most up-to-date

More information

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture Date: 2017-03-29 Version: 1.0 Copyright IBM Corporation 2017 Page 1 of 16 Table of Contents 1 Introduction... 4 1.1 About

More information

vrealize Operations Management Pack for NSX for vsphere 3.0

vrealize Operations Management Pack for NSX for vsphere 3.0 vrealize Operations Management Pack for NSX for vsphere 3.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec

The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec The Virtualisation Security Journey: Beyond Endpoint Security with VMware and Symantec James Edwards Product Marketing Manager Dan Watson Senior Systems Engineer Disclaimer This session may contain product

More information

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01 CloudLink SecureVM Version 4.0 Administration Guide P/N 302-002-056 REV 01 Copyright 2015 EMC Corporation. All rights reserved. Published June 2015 EMC believes the information in this publication is accurate

More information

SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD. May 2012

SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD. May 2012 SAFEGUARDING YOUR VIRTUALIZED RESOURCES ON THE CLOUD May 2012 THE ECONOMICS OF THE DATA CENTER Physical Server Installed Base (Millions) Logical Server Installed Base (Millions) Complexity and Operating

More information

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe Presenting the ware NSX ECO System May 2015 Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe Agenda 10:15-11:00 ware NSX, the Network Virtualization Platform 11.15-12.00 Palo Alto

More information