VM-SERIES FOR VMWARE VM VM

Similar documents
Agenda Basecamp The Journey So Far Enhancements Into the Fear Zone Climbing The VM-Series Performance Peak New VM-Series Models and Licensing Best Pra

PANORAMA. Figure 1: Panorama deployment

VM-SERIES FOR NSX IMPLEMENTATION AND TRAFFIC STEERING GUIDELINES

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

PANORAMA. Key Security Features

ONBOARDING GUIDE GLOBALPROTECT CLOUD SERVICE FOR REMOTE NETWORKS

VM-SERIES ON GOOGLE CLOUD DEPLOYMENT GUIDELINES

Presenting the VMware NSX ECO System May Geert Bussé Westcon Group Solutions Sales Specialist, Northern Europe

PROTECT WORKLOADS IN THE HYBRID CLOUD

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

FIREWALL OVERVIEW. Palo Alto Networks Next-Generation Firewall

DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance

Next-Generation Security Platform on VMware NSX Reference Architecture

What s New in VMware vcloud Director 8.20

Ordering and deleting Single-node Trial for VMware vcenter Server on IBM Cloud instances

1V0-642.exam.30q.

vedge Cloud Datasheet PRODUCT OVERVIEW DEPLOYMENT USE CASES EXTEND VIPTELA OVERLAY INTO PUBLIC CLOUD ENVIRONMENTS

SEGMENTATION TO A TRADITIONAL DATA CENTER

5 STEPS TO BUILDING ADVANCED SECURITY IN SOFTWARE- DEFINED DATA CENTERS

and public cloud infrastructure, including Amazon Web Services (AWS) and AWS GovCloud, Microsoft Azure and Azure Government Cloud.

Pulse Secure Application Delivery

ForeScout CounterACT. Configuration Guide. Version 1.1

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

CASE STUDY INSIGHTS: MICRO-SEGMENTATION TRANSFORMS SECURITY. How Organizations Around the World Are Protecting Critical Data

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

NEXT-GENERATION SECURITY WITH VMWARE NSX AND PALO ALTO NETWORKS VM-SERIES

A Modern Framework for Network Security in Government

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

Empowering SDN SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA. Bruno Barba Systems Engineer Mexico & CACE

SOLUTION OVERVIEW THE ARUBA MOBILE FIRST ARCHITECTURE

Disclaimer CONFIDENTIAL 2

Workload Mobility and Disaster Recovery to VMware Cloud IaaS Providers

FortiGate. on OCB FE Configuration Guide. 6 th December 2018 Version 1.0

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

Firefly Perimeter ( vsrx ) Technical information 12.1 X47 D10.2. Tuncay Seyran

Securing the Software-Defined Data Center

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Securing Your Amazon Web Services Virtual Networks

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

WIND RIVER TITANIUM CLOUD FOR TELECOMMUNICATIONS

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

WHITE PAPER OCTOBER VMWARE NSX WITH CHECK POINT vsec. Enhancing Micro-Segmentation Security

Securing VMware NSX MAY 2014

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

WHITE PAPER. Applying Software-Defined Security to the Branch Office

Cisco Next Generation Firewall and IPS. Dragan Novakovic Security Consulting Systems Engineer

CLOUD PROVIDER POD. for VMware. Release Notes. VMware Cloud Provider Pod January 2019 Check for additions and updates to these release notes

Cisco CloudCenter Solution with Cisco ACI: Common Use Cases

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

What s New with VMware vcloud Director 8.0

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

Feature. *1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

VMware vcloud Networking and Security Overview

Pivot3 Acuity with Microsoft SQL Server Reference Architecture

vshield Administration Guide

WHITE PAPER SEPTEMBER 2017 VCLOUD DIRECTOR 9.0. What s New

BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY

CLOUD PROVIDER POD RELEASE NOTES

Cross-vCenter NSX Installation Guide. Update 4 VMware NSX for vsphere 6.4 VMware NSX Data Center for vsphere 6.4

Palo Alto Networks PCNSE7 Exam

PERFORMANCE CHARACTERIZATION OF MICROSOFT SQL SERVER USING VMWARE CLOUD ON AWS PERFORMANCE STUDY JULY 2018

Deployments and Network Topologies

Cross-vCenter NSX Installation Guide. Update 3 Modified on 20 NOV 2017 VMware NSX for vsphere 6.2

Unity EdgeConnect SP SD-WAN Solution

21CTL Disaster Recovery, Workload Mobility and Infrastructure as a Service Proposal. By Adeyemi Ademola E. Cloud Engineer

VMware vcloud Director Configuration Maximums vcloud Director 9.1 and 9.5 October 2018

vcenter Operations Management Pack for NSX-vSphere

Data Sheet Gigamon Visibility Platform for AWS

Monitoring Hybrid Cloud Applications in VMware vcloud Air

WHITE PAPER SEPTEMBER VMWARE vsphere AND vsphere WITH OPERATIONS MANAGEMENT. Licensing, Pricing and Packaging

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

TALK THUNDER SOFTWARE FOR BARE METAL HIGH-PERFORMANCE SOFTWARE FOR THE MODERN DATA CENTER WITH A10 DATASHEET YOUR CHOICE OF HARDWARE

Enabling Efficient and Scalable Zero-Trust Security

Securing VMware NSX-T J U N E 2018

CLOUD PROVIDER POD RELEASE NOTES

The Road to a Secure, Compliant Cloud

Cloud Provider Pod Designer User Guide. November 2018 Cloud Provider Pod 1.0.1

Private Cloud Public Cloud Edge. Consistent Infrastructure & Consistent Operations

*Performance and capacities are measured under ideal testing conditions using PAN-OS.0. Additionally, for VM

McAfee Network Security Platform 8.3

Feature Comparison Summary

Introducing VMware Validated Design Use Cases

Disaggregation and Virtualization within the Juniper Networks Mobile Cloud Architecture. White Paper

VMworld disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no

The vsphere 6.0 Advantages Over Hyper- V

Cross-vCenter NSX Installation Guide. Update 6 Modified on 16 NOV 2017 VMware NSX for vsphere 6.3

Customer Onboarding with VMware NSX L2VPN Service for VMware Cloud Providers

*Performance and capacities are measured under ideal testing conditions using PAN-OS 8.0. Additionally, for VM

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions. 2.

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

IBM Cloud for VMware Solutions NSX Edge Services Gateway Solution Architecture

Transcription:

SERIES FOR WARE Virtualization technology from ware is fueling a significant change in today s modern data centers, resulting in architectures that are commonly a mix of private, public or hybrid cloud computing environments. The benefits of cloud computing are well-known and significant. However, so too are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the cybercriminal s target. The for ware supports ware NSX, ESXi stand-alone and vcloud Air, allowing you to deploy nextgeneration firewall security and advanced threat prevention within your ware-based private, public and hybrid cloud computing environments. Identify and control applications within your virtualized environments; limit access based on users; prevent known and unknown threats Isolate and segment missioncritical applications and data using Zero Trust principles Streamline policy deployment so that security keeps pace with the rate of change within your private, public or hybrid cloud. Organizations are expanding their virtualization and cloud initiatives in a variety of ways with security remaining top of mind. Increased use dictates an effort for more-streamlined security workflows and an eye towards cloudcentric architectures that are scalable and resilient. More workloads are now virtualized on-premise (private cloud) than ever before, and the use of the public cloud is increasing dramatically, leading to multi-vendor (private and public) environments, along with increased demands on capacities. Additional examples include security deployed as an NFV component for a more cost-effective alternative to securing branch offices and data center/private cloud workloads, as well as an uptick in virtualization to address demands for (more) complete tenant isolation in multi-tenancy environments. Cloud security automation workflows have streamlined deployments, but they can still be complex and involve many carefully orchestrated steps. Security, traditionally viewed as a bottleneck that slows deployment, must more readily support the move toward cloud-centric architectures. Palo Alto Networks for ware Datasheet 1

Securing your ware-based cloud introduces a range of challenges, including a lack of application visibility, inconsistent security functionality, and difficulty keeping pace with the rate of change commonly found in cloud computing environments. To be successful, organizations need a cloud security solution that: Has the ability to identify and control applications within the cloud, based on the identity, not the port and protocols it may use. Stops malware from gaining access to and moving laterally (east-west) within the cloud. Determines who should be allowed to use the applications and grant access based on need and their credentials. Simplifies management and minimizes the security policy lag as s are added, removed or moved within the cloud environment. The Palo Alto Networks for ware allows you to protect your data that resides in NSX, ESXi, and vcloud Air environments from cyberthreats with our next-generation firewall security and advanced threat prevention features. Panorama network security management, combined with native automation features, allows you to streamline policy management in a manner that minimizes the policy time gap that may occur as virtual machines are added, moved or removed. Virtualized Next-Generation Security at High Performance and Scale The virtualized next-generation firewall has been optimized and expanded to deliver App-ID enabled throughput that ranges from 200 Mbps to 16 Gbps across five models, both of which are industry-leading metrics. The models include: The 50 is optimized to consume minimal resources and support CPU oversubscription, yet deliver up to 200 Mbps of App-ID enabled firewall performance, for customer scenarios that range from virtual branch office/customer premise equipment (CPE) to high-density, multi-tenancy environments. The 100 and 300 have been optimized to deliver performance at 2 Gbps and 4 Gbps of App-ID enabled firewall performance for hybrid cloud, segmentation, and internet gateway use cases. The 500 and 700 deliver an industry-leading 8 Gbps to 16 Gbps of App-ID enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments. Intel Data Plane Development Kit (DPDK) has been integrated with the for ware for enhanced packet-processing performance on x86 infrastructure. Network I/O options, such as PCI passthrough and single-root I/O virtualization (SR-IOV), are supported for enhanced performance. Applying Next-Generation Security to Virtualized Environments The virtualized firewall is based on the same full-stack traffic classification engine that can be found in our physical form factor firewalls. The natively classifies all traffic, inclusive of applications, threats and content and then ties that traffic to the user. The application, content and user the elements that run your business are then used as the basis of your virtualized security policies, resulting in an improved security posture and a reduction in incident response time. Isolate Mission-Critical applications and Data Using Zero Trust Principles Security best practices dictate that your mission-critical applications and data should be isolated in secure segments using Zero Trust (never trust, always verify) principles at each segmentation point. The can be deployed throughout your virtualized environment, residing as a gateway within your virtual network or in between the s running in different tiers, thereby protecting east-west traffic, by exerting control based on application and user identity. NSX Manager Panorama registers the as a service with NSX Manager Cloud Admin Real-time, contextual updates on changes Security Admin deployed automatically by NSX; policies then steer select traffic to for inspection WEB APP DB Automated licensing, policy deployment and updates NSX Network Service Insertion ware ESXi 1000-HV NSX Palo Alto Networks for ware Datasheet 2

Block Lateral Movement of Cyberthreats Today s cyberthreats will commonly compromise an individual workstation or user and then move across the network, looking for a target. Within your virtual network, cyberthreats will move laterally and rapidly from to, in an east-west manner, placing your mission-critical applications and data at risk. Exerting application-level control using Zero Trust principles in between s will reduce the threat footprint while applying policies to block both known and unknown threats Automated, Transparent Deployment and Provisioning A rich set of APIs can be used to integrate with external orchestration and management tools, collecting information related to workload changes, which can then be used to dynamically drive policy updates via Monitoring and Dynamic Address Groups. RESTful APIs: A flexible REST-based API allows you to integrate with third-party or custom cloud orchestration solutions. This enables the to be deployed and configured in lockstep with virtualized workloads. Monitoring: Security policies must be able to monitor and keep up with changes in virtualization environments, including attributes and the addition or removal of s. Virtual machine monitoring ( Monitoring) automatically polls your virtualization environments, such as vcenter for virtual machine inventory and changes, collecting this data in the form of tags that can then be used in Dynamic Address Groups to keep policies up to date. Dynamic Address Groups: As your virtual machines change functions or move from server to server, building security policies based on static data, such as IP address, delivers limited value and can contain outdated information. Dynamic Address Groups allow you to create policies using tags (from monitoring) as identifiers for virtual machines instead of a static object definition. Multiple tags representing virtual machine attributes, such as IP address and operating system, can be resolved within a Dynamic Address Group, allowing you to easily apply policies to virtual machines as they are created or travel across the network without administrative intervention. Centrally Manage Virtualized and Physical Form Factor Firewalls Panorama allows you to manage your deployments along with your physical security appliances, thereby ensuring policy consistency and cohesiveness. Rich centralized logging and reporting capabilities provide visibility into virtualized applications, users and content. Deployment Flexibility The for ware supports NSX, ESXi and vcloud Air environments. for ware NSX The for NSX is a tightly integrated solution that ties together the virtualized next-generation Network Application Security APIs Interfaces Objects Policies Licensing Corporate Data Center firewall, Panorama for centralized management, and ware NSX to deliver on the promise of a software-defined data center. As new virtual workloads are deployed, NSX Manager simultaneously installs a nextgeneration firewall on each ESXi server. Once deployed on the ESXi server, safe application enablement policies that identify, control, and protect your virtualized applications and data can be deployed to each virtual appliance in an automated manner by Panorama. NSX will then begin steering select application traffic to the for more granular application-level security. As new workloads are added, moved or removed, NSX feeds those attribute changes to Panorama where they are translated into dynamic security policy updates to the virtual and perimeter gateway firewalls. The for NSX supports virtual wire network interface mode, which requires minimal network configuration and simplifies network integration. Please see the for ware NSX datasheet for more information on this integration. for ESXi (Standalone) The on ESXi servers is ideal for networks where the virtual form factor may simplify deployment and provide more flexibility. Common deployment scenarios include: Private or public cloud computing environments where virtualization is prevalent. Environments where physical space is restricted and at a premium. Remote locations where shipping hardware is not practical. The for ESXi allows you to deploy safe application enablement policies that identify, control and protect your virtualized applications and data. Panorama and a rich set of APIs can be used to integrate with external orchestration and management tools to collect information related to workload changes, which can then be used to dynamically drive policy updates via Dynamic Address Groups and Monitoring. A range of interface types, including L2, L3 and virtual wire, allow you to deploy the for ESXi in a different interface mode for each virtualized server, depending on your needs. Palo Alto Networks for ware Datasheet 3

vcloud Air Perimeter gateway: In this use case, the is deployed as your gateway firewall, securing your vcloud Air environment based on application, regardless of port and protocol, while preventing known and unknown threats and controlling access based on user identity. Hybrid cloud security: In this use case, the is configured to establish a secure, standards-based IPsec connection between your private, ware-based cloud and your vcloud Air-based public cloud. Access to the vcloud Air environment can then be controlled based on application and user identity. Network Application Security APIs Interfaces Objects Policies Licensing Corporate Data Center Panorama and a rich set of APIs can be used to integrate with external orchestration and management tools to collect information related to workload changes, which can then be used to dynamically drive policy updates via Dynamic Address Groups and Monitoring. A range of interface types, including L2, L3 and virtual wire, allow you to deploy the for ESXi in a different interface mode for each virtualized server, depending on your needs. for vcloud Air The for vcloud Air allows you to protect your ware-based public cloud with the same safe application enablement policies that are used to protect your ESXi-based private cloud. Common use cases include: Performance and Capacities Summary The security performance table listed below is tested under controlled lab conditions using PAN-OS 8.0. In virtualized and cloud environments, many factors, such as the type of CPU, hypervisor version, number of cores assigned, memory, and network I/O options, can impact your performance. We recommend additional testing within your environment to ensure your performance and capacity requirements are met. 100/ 200 (2 Cores) 300/ 1000-HV (4 Cores) Performance and Capacities 50 (0.4 core) 500 (8 Cores) 700 (16 cores) With Single Root I/O Virtualization (SR-IOV)/PCI Passthrough of I/O enabled Firewall throughput (App-ID enabled) 200 Mbps 2 Gbps 4 Gbps 8 Gbps 16 Gbps Threat prevention throughput 100 Mbps 1 Gbps 2 Gbps 4 Gbps 8 Gbps IPsec VPN throughput* In process In process In process In process In process With ware Distributed Virtual Switch (XNET3) Firewall throughput (App-ID enabled) 100 Mbps 1 Gbps 2 Gbps 4 Gbps 8 Gbps Threat prevention throughput 50 Mbps 500 Mbps 1 Gbps 2 Gbps 4 Gbps IPsec VPN throughput* In process In process In process In process In process Capacities New sessions per second 1,000 8,000 15,000 30,000 60,000 Max sessions 50,000 250,000 800,000 2,000,000 10,000,000 *IPsec VPN throughput data will be published upon completion of the test suite The performance and capacities results shown above were tested under the following conditions: Firewall and IPsec VPN throughput are measured with App-ID and User-ID features enabled. Threat prevention throughput is measured with App-ID, User-ID, IPS, antivirus and anti-spyware features enabled. Throughput is measured with 64KB HTTP transactions. Connections per second is measured with 4KB HTTP transactions. Palo Alto Networks for ware Datasheet 4

Specifications and Features The tables below list all supported specifications, resource requirements and networking features on the for ware. Virtualization Specifications Image formats supported s supported ware ESXi 5.1, 5.5 and 6.0 ware NSX Manager 6.0, 6.1 and 6.2 Network I/O options ware paravirtual drivers (vmxnet3, e1000) PCI pass-through Single-root I/O Virtualization (SR-IOV) OVA System Requirements 50 (0.4 Core) 100/ 200 (2 Cores) 300/ 1000-HV (4 Cores) 500 (8 Cores) 700 (16 Cores) vcpu configurations supported 2 1 2 2,4 2,4 and 8 2,4,8 and 16 Memory (minimum) 4.5GB 6.5GB 9GB 16GB 56GB Disk drive capacity (min/max) 32GB 2 /2TB 60GB/2TB 60GB/2TB 60GB/2TB 60GB/2TB 1. CPU oversubscription is supported with up to 5 instances running on a 2 CPU core configuration 2. 60GB drive capacity is needed on initial boot. instance will use 32GB drive capacity after license activation. Networking Features Interface Modes: L2, L3, tap, virtual wire (transparent mode): for ESXi L3: vcloud Air Virtual wire (transparent mode): for NSX Routing Modes: OSPF, RIP, BGP, Static Policy-based forwarding Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3 High Availability Modes: active/passive with session synchronization Failure detection: path monitoring, interface monitoring VLANs 802.1q VLAN tags per device/per interface: 4,094/4,094 Max interfaces: 4096 (500/700) 2048 (100/300) 512 (50) Network Address Translation (NAT) NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation) NAT64 Additional NAT features: dynamic IP reservation, dynamic IP and port oversubscription IPv6 L2, L3, tap, virtual wire (transparent mode) Features: App-ID, User-ID, Content-ID, WildFire and SSL decryption To view additional information on the security features and associated capacities, please visit www.paloaltonetworks.com/products. 4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. vm-series-for-vmware-ds-020617

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback