I’ve had the opportunity to deploy a few instances of Palo Alto Network’s Panorama and VM-Series firewall into VMware NSX environments. On the whole, it’s a rather straight forward process with some deep documentation provided by the folks at Palo Alto Networks (PAN). However, they have to rely upon the code / APIs provided by someone else (VMware), meaning there are bound to be things that don’t work quite as you might imagine.
This post will cover a few gotchas that have caused me grief in the past.
VM-Series Firewall Files for NSX
If you’re using the VM-Series firewall specifically for NSX, make sure to download and extract the NSX specific files onto your web server. I’ve found that the files don’t always match up – sometimes a zip will say it’s for NSX, while the files themselves are not. Here’s an easy way to spot the right files:
- VM-Series firewall for NSX looks like this: PA-VM-NSX-6.0.0.ovf
- VM-Series firewall for vSphere looks like this: PA-VM-ESX-6.0.0.ovf
If you try deploying the vSphere VM-Series firewall with NSX, it will fail.
[symple_box color=”red” fade_in=”false” float=”center” text_align=”left” width=””]Note: If you end up changing the deployment URL on Panorama after registering the PAN service, make sure to also edit the PAN service definition in NSX and update the deployment URL. I’ve found that these two values don’t always match up when changed from the Panorama side.[/symple_box]
Service Definition Functions
The Panorama 6.0 and 6.1 releases had difficulty registering their service definitions properly with NSX 6.1. Specifically, I’d register the service with NSX Manager and see the functions list was empty. I believe this was caused by changes to the NSX API.
To view this, head to Service Definitions and look for the Palo Alto Networks NGFW.
If the functions column is blank, you’ll need to use PAN DOC-8253 to resolve it. Basically, you query the NSX API for the service ID of the PAN service definition and then send a PUT request with the Firewall and IDS_IPS strings. Very easy to do.
This seems to be fully fixed in Panorama 6.1.1 – I haven’t had the issue since then.
Data Traffic Profile
After you’ve intergrated the NGFW service profile with NSX, navigate to Service Definitions and double click the Palo Alto Networks NGFW service. There will be a new service instance created called Palo Alto Networks NGFW-GlobalInstance.
If you open up this service instance, you’ll find a single profile called Palo Alto Networks profile 1. In a nutshell, this is how you steer data traffic to the VM-Series firewall.
Now for the kicker. Prior to NSX 6.1.1, you’d edit the profile and select the Logical Networks or Distributed Virtual Port Groups that should be steered to PAN. This was described in page 70 of PAN’s VM-Series Deployment Guide for PAN-OS 6.1 PDF, published in late October of 2014.
From what I can tell, VMware has altered their API slightly in NSX 6.1.1 because you are now supposed to steer Security Groups. If you try clicking on Logical Networks or Distributed Virtual Port Groups, nothing will show up. I thought I did something wrong or had hit a bug, but this was confirmed to be working as intended by VMware.
There seems to be no mention of editing the profile in PAN’s online docs (viewable here). I suppose you could move forward without adding any Security Groups to the profile, but I still do it as a CYA.
Default “Allow” Policy
The last thing is pretty short. Before you deploy the VM-Series firewall to the environment, create a global allow any/any rule in Panorama. This way you can test the deployment first to make sure it’s solid, troubleshoot any non-security related issues, and then lock things down with legit policies.
I do the same thing for SpoofGuard – create the policy, but don’t enable it until after the environment is online and you’ve solved any non-security related issues. Once you’re convinced that the system is operational, toggle it to enabled.