
REFERENCE ARCHITECTURE GUIDE

FOR VMWARE NSX

RELEASE 2.1
OCTOBER 2018
Table of Contents
Purpose of This Guide......................................................................................................................................................... 1

Audience................................................................................................................................................................................................................. 1

Related Documentation...................................................................................................................................................................................... 1

Introduction.......................................................................................................................................................................... 2

Private Data Center Concepts.......................................................................................................................................... 3

VMware Concepts and Services....................................................................................................................................... 5

VMware vSphere ESXi......................................................................................................................................................................................... 5

VMware vCenter................................................................................................................................................................................................... 5

VMware NSX Manager........................................................................................................................................................................................ 6

Palo Alto Networks Components...................................................................................................................................11

Palo Alto Networks VM-Series Firewall for NSX......................................................................................................................................... 11

Palo Alto Networks Panorama......................................................................................................................................................................... 12

Design Model......................................................................................................................................................................17

Service Insertion Model.................................................................................................................................................................................... 17

Design Consideration: Operations-Oriented vs Security-Oriented Security Policy ............................................................................18

Summary..............................................................................................................................................................................20

What’s New in This Release............................................................................................................................................21

Palo Alto Networks


Purpose of This Guide


This guide provides architectural guidance for how to deploy Palo Alto Networks® VM-series next generation firewalls
within VMware® NSX® environments. To provide overall context, the guide discusses the Palo Alto Networks and
VMware components used to construct a secure, software-defined data center (SDDC) infrastructure. Guidance within
this document pertains to only Palo Alto Networks solutions; any VMware best practices supersede this document.
This design guide identifies the dependencies between NSX and VM-Series firewall configuration concepts to help you
properly evaluate design or policy tradeoff decisions that may affect your choices during deployment.

This architecture guide:

• Provides an architectural overview for using Palo Alto Networks VM-Series Firewall for NSX in order to provide
visibility, control, and protection to your applications built in a VMware NSX SDDC. It links the technical aspects
of the VMware NSX and Palo Alto Networks solutions together before exploring the design model. Use this
guide as a roadmap for architectural discussions between Palo Alto Networks and your organization.

• Is required reading prior to using the Deployment Guide for VMware NSX. The deployment guide provides procedures for programming features of VMware NSX and the Palo Alto Networks VM-Series Firewall for NSX in order to achieve an integrated design.

AUDIENCE
This architecture guide is written for technical readers, including solution architects and engineers, who want to deploy
the Palo Alto Networks Security Operating Platform in a private cloud data center infrastructure. It assumes the reader
is familiar with the basic concepts of applications, networking, virtualization, security, and high availability, as well as a
basic understanding of virtualized network and data center architectures.

A working knowledge of networking and policy in PAN-OS® is required to be successful. It also assumes a working
knowledge of VMware NSX Manager network configurations.

RELATED DOCUMENTATION
The following documents support this design guide:

• Palo Alto Networks Security Operating Platform Overview—Introduces the various components of the Security
Operating Platform and describes the roles they can serve in various designs

• Deployment Guide for VMware NSX—Describes high-level tasks and then details the configuration steps for deploying the next-generation firewall as part of a VMware NSX-based private data center.

Introduction
Three major building blocks are common in all data center environments: compute, storage, and network. These three elements are combined in various quantities and topologies to provide data center infrastructure, which provides applications and data processing to meet business requirements. Configuration and administration of these three elements in most data center environments require careful coordination between different groups in order to provide network connectivity and storage resources prior to application deployment. Network security policy configuration or changes may also be required. This coordination of duties can delay application delivery and business agility.

One approach organizations have taken to minimize coordination bottlenecks is to present all network connectivity to all compute resources, often by trunking all available VLANs to every server, with application network connectivity assigned at the time of application creation. This model implicitly trusts that applications are deployed on the correct network segment and provides no visibility or separation within network segments. Add server virtualization to the equation, and applying security policy in this highly dynamic environment becomes a challenge as virtualized applications move around the data center.

The ideal goal is to permit network, storage, and security teams to define independent policies that are dynamically linked to applications, and for these characteristics to remain associated with applications throughout their lifecycle. This model permits rapid provisioning and management of applications without advance coordination of network, storage, and security teams. This model enables high-level policies such as:

• Web servers can communicate with application servers.

• Application servers can communicate with database servers, without regard for physical or virtual instantiation
of the services.

The policies are maintained when virtualized servers are moved throughout the data center or new servers are created.
This model is referred to as software-defined data center.

Private Data Center Concepts


In a private data center cloud, there are two different classes of traffic:

• North-south—Refers to data flows that move in and out of the virtualized environment from the host network. Sometimes traffic between application tiers is also called north-south; for the purposes of this guide, north-south traffic flows are to and from the virtualized environment. For performance reasons, north-south traffic is usually secured by one or more physical form factor perimeter firewalls. The edge firewall is usually a high-throughput hardware appliance deployed in high availability mode in order to ensure application resiliency.

• East-west—Refers to data flows moving between virtual workloads entirely within your private cloud. East-west traffic flows within the data center are often less well understood. East-west visibility and security enforcement can be difficult because the network elements providing transport usually don’t provide the required features, and the highly dynamic nature of software-defined data centers further complicates applying these services at the correct network locations. East-west traffic visibility and security policy has long been a goal for many organizations wanting to enhance internal data center security. The VMware NSX solution was designed to address the challenges of this highly dynamic environment and bring visibility and security directly to virtualized applications, regardless of application location or network connectivity. East-west firewalls are inserted transparently into the application infrastructure and do not necessitate a redesign of the logical topology.

Data centers are centralized repositories of your organization’s most critical asset: the data that drives your business, which could include very sensitive customer information such as credit card numbers or patient medical records. Your data is a target for cybercriminals, as evidenced by the number of high-profile data breaches. Historically, organizations implemented network security to protect traffic flowing north-south. The assumption was that the threats were outside your network and that east-west visibility was difficult. However, relying on north-south protection alone is insufficient for protecting your data center. The compromise of a single data center asset could provide cybercriminals the pivot point they need to further compromise your data. To improve security posture relative to corporate data risk, organizations have acknowledged that protection from threats across the entire network, both north-south and east-west, has become a security requirement. Regulatory compliance, such as HIPAA, PCI, and GDPR, often dictates additional data security policies.

One common practice in data centers is the logical grouping of application functions by trust level. All application functions within a tier are inherently trusted, and only traffic between tiers is inspected. This practice is known as network segmentation. Network segmentation has traditionally been applied between network segments (VLANs or subnets) because all traffic entering and leaving a segment must pass through a single network location.

Higher-risk assets may require additional security policy between services within a network segment. Extending the concept of network segmentation to a finer grain and larger scale can be difficult to deploy and manage because the limitations on the number of VLANs or IP address subnets grow rapidly. The ability to provide additional network security without the need for network segmentation can be very useful. Micro-segmentation provides this ability without the need for network topology changes or application server IP address changes.

Logical segmentation of application functions across an application’s lifecycle (development, testing, staging, and production), without regard for location within the data center, is also very useful. DevOps is becoming a more common practice for application development, and logical segmentation enables the agility it requires. Logical segmentation also plays a role in multitenancy, the ability to support many customers using the same applications while keeping their network traffic separate from each other.

When security events do occur, your ability to respond to them in a timely fashion is critical. Automation within the virtualized data center allows your infrastructure to respond to security events by applying appropriate security controls to protect the network and by sending notifications when these events occur. This automated response provides timely protection to all assets within your data center and the ability to safely remediate impacted resources.

Palo Alto Networks and VMware have partnered to provide a solution that enables the benefits of a software-defined data center, while also providing the automated security services of Palo Alto Networks VM-Series next-generation firewalls and advanced threat prevention. The integrated solution is composed of three components: VMware NSX, the VM-Series firewall, and Panorama™. The following sections first describe the required VMware NSX components and then present the required Palo Alto Networks components of this solution.

VMware Concepts and Services


As the leading network and security virtualization platform, NSX is a full-service, programmable platform that provides logical network abstraction of the physical network and reproduces the entire network model in software, allowing diverse network topologies to be created and provisioned in seconds. NSX applies security controls at the hypervisor layer for optimal context and isolation, inherently provides security isolation, enables micro-segmentation based on logical boundaries, and allows for workload-level isolation and segmentation. Policies are enforced at the virtual interface and follow the workload unconstrained by physical topology. The NSX distributed service framework and service insertion platform enable the integration of next-generation security services. The NSX native, kernel-based distributed firewall, used for L2–L4 filtering, steers traffic transparently to the VM-Series for advanced inspection.

The following sections describe the required VMware components and features that enable this solution.

VMWARE VSPHERE ESXI


VMware vSphere ESXi is the foundational component of VMware data center server virtualization. vSphere ESXi is the hypervisor that is deployed on physical server hardware, which then presents the virtualized server components to guest virtual machines created from these components. The guest virtual machines function as the equivalent physical servers they represent, with the added benefit that they can be moved to facilitate business continuity or power optimization and copied like software components in order to ease data center operations.

The virtual separation of guest functions of vSphere ESXi provides limited visibility into the virtual server containers and their configuration. To provide visibility to the configuration of virtual guests, an application called VMware Tools is installed on the guests. VMware Tools can be installed for all supported guest operating systems from vCenter or vSphere ESXi. Another option for Linux-based guests is the use of open-vm-tools, which provides the same functionality. Beginning with PAN-OS 7.1, VM-series firewalls have open-vm-tools installed as part of the native configuration.

VMWARE VCENTER
A data center might contain hundreds or thousands of virtualized servers. Managing individual vSphere ESXi servers
at this scale would be untenable. VMware vCenter provides the data center management functions of all virtualized
server resources and is the center point of management for your SDDC.

The default web interface for vCenter and ESXi makes use of Adobe Flash. Google Chrome provides built-in Pepper
Flash version 170, which has Shockwave Flash crashes; reverting to version 159 resolves these crashes. Using Adobe
Flash Player version 11.5 with your browser provides the greatest compatibility.

VMWARE NSX MANAGER


VMware NSX extends the virtualization model to the data center network fabric by creating a network virtualization platform of logical network functions. This platform treats the physical network as a pool of transport capacity. Virtual networks can be provisioned, modified, stored for later reuse, and deleted programmatically without making changes to the underlying physical network. This network virtualization allows third-party services to be inserted dynamically at the guest VM virtual network interfaces (vNICs); providing a service in this way is called network introspection. All traffic into and out of the guest VM is made visible to supported solutions. Palo Alto Networks VM-Series firewalls provide network introspection services via NSX integration.

Figure 1 Comparison of server and network virtualization (figure: on the left, server virtualization stacks applications on virtual machines above the server hypervisor (ESXi), which abstracts x86 CPU and memory; on the right, network virtualization stacks workloads on virtual networks above the network hypervisor (NSX), which abstracts switches and routers to deliver L2–L7 network services)

The NSX data plane creates a logical overlay virtual network of Layer 2 switches, Layer 3 routers, and Layer 4 firewalls.
This logical network provides the ability to group application servers on a logical Layer 2 switch, which can span across
arbitrary physical networks. NSX creates this logical networking by tunneling traffic using a protocol called VXLAN. NSX
virtual networking is based on vSphere Distributed Switch, with additional capabilities added by hypervisor extensions
on each physical host within the data center. Distributed Virtual Switch is a required licensed feature with vCenter for
NSX deployments.

The NSX control plane is implemented as a set of three guest VMs that maintain the operational status of all the virtual networking elements. A cluster of three NSX controllers is required for successful installation; the cluster provides a highly reliable, distributed state database of all logical network elements within the NSX environment. Examples of network state include: MAC address tables, ARP tables, Layer 3 routing information, and Layer 4 stateful firewall sessions.

NSX controllers are critical components to continuous functioning of the control plane. To maintain high availability, the controllers implement a protocol called Paxos among the members. The Paxos protocol enables a collection of unreliable members to arrive at a consensus of the current network state, ensuring consistent network state even with the failure of any single controller.

NSX Manager extends the functionality of ESXi hypervisors, adding kernel modules that provide additional capabilities.
The process of adding these additional hypervisor modules is called host preparation. Host preparation is applied at the
vCenter cluster level, to all hosts within a given cluster.

Figure 2 VMware NSX logical network overlay on physical network (figure: the NSX logical network contains an Edge Services Gateway and a Distributed Logical Router connecting three logical switches, Web Servers, App Servers, and DB Servers, each with a service insertion point in front of its VMs Web1/Web2, App1/App2, and DB1/DB2; the same VMs sit in arbitrary positions on the physical network, 10.0.0.0/8)

NSX Distributed Firewall


NSX distributed firewall changes the paradigm of security services within the data center, extending network security services directly to the vNIC of guest VMs and decoupling security from network topology. Distributed firewall provides legacy Layer 4 stateful firewall services, identifying traffic for policy application by the 5-tuple source/destination IP addresses, source/destination ports, and protocol. Distributed firewall policy is applied first, then optional third-party network security services may be applied as part of security policy. Palo Alto Networks VM-series firewalls provide network introspection services to NSX distributed firewall.

Distributed firewall uses IO chaining to provide additional security services for third-party solutions (network introspection). IO chaining identifies traffic for additional inspection by Layer 2 MAC address or Layer 3 IP address. Distributed firewall maintains two state tables that are attached to each VM:

• Rule Table—Layer 4 security policy rules

• Connection Tracker Table—Active flows that were permitted by security policy

When VMs are migrated, the rule and connection tracker tables move along with the VM, ensuring consistent network security and no disruption in current traffic flows. Network flows that were inspected and permitted by network introspection continue to flow, while new flows will be subject to network introspection policy at the VM’s new destination host.

Figure 3 Default NSX distributed firewall rules

IP Sets
NSX distributed firewall uses guest VM IP and MAC addresses to apply security policy and redirect traffic to third-party solutions for additional inspection. Virtual machines communicate their IP addresses to vCenter by using VMware Tools. For VMs not running VMware Tools, you need another mechanism to associate them with distributed firewall security policy. IP sets provide the ability to assign a group of IP addresses to a security group. An IP set contains any combination of a comma-separated list of IP addresses, ranges of IP addresses, and CIDR blocks.

Figure 4 IP Set
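The following Python is an added example, not code from the guide, Palo Alto Networks, or VMware. It parses an IP set value in the form the text describes (single addresses, address ranges, and CIDR blocks in one comma-separated list) and answers the question a policy reviewer most often has about an IP set: does a given VM address fall inside it, and through which member? The sample IP set is constructed; the range syntax `first-last` is assumed to be written with a hyphen.

```python
import ipaddress

# Constructed example of an NSX IP set value: single addresses, address ranges,
# and CIDR blocks mixed in one comma-separated list.
SAMPLE_IP_SET = "10.1.10.5, 10.1.20.0/24, 10.1.30.100-10.1.30.120"


def parse_ip_set(value):
    """Parse an IP set string into (low, high, version) integer address spans.

    Entries are split on commas; each entry is a single address, a
    'first-last' range, or a CIDR block. Malformed entries raise ValueError
    so that an ambiguous set is rejected rather than silently narrowed.
    """
    spans = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if first.version != last.version or first > last:
                raise ValueError(f"invalid address range: {item!r}")
            spans.append((int(first), int(last), first.version))
        elif "/" in item:
            # strict=True rejects host bits set below the prefix (e.g. 10.1.20.5/24),
            # which would otherwise be widened to a whole block the author may not intend.
            net = ipaddress.ip_network(item, strict=True)
            spans.append((int(net.network_address), int(net.broadcast_address), net.version))
        else:
            addr = ipaddress.ip_address(item)
            spans.append((int(addr), int(addr), addr.version))
    return spans


def matching_spans(address, spans):
    """Return the parsed spans that contain the given address."""
    addr = ipaddress.ip_address(address)
    return [s for s in spans if s[2] == addr.version and s[0] <= int(addr) <= s[1]]


def ip_in_set(address, spans):
    """True if the address falls within any member of the IP set."""
    return bool(matching_spans(address, spans))


def address_count(spans):
    """Number of addresses covered; an address inside two overlapping members is counted twice."""
    return sum(hi - lo + 1 for lo, hi, _ in spans)


if __name__ == "__main__":
    spans = parse_ip_set(SAMPLE_IP_SET)
    for probe in ("10.1.10.5", "10.1.20.77", "10.1.30.121"):
        print(probe, "in set" if ip_in_set(probe, spans) else "not in set")
```

Rejecting a reversed range or a CIDR entry with host bits set is deliberate: an IP set that NSX interprets more broadly than its author intended silently widens the security group it feeds.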

SpoofGuard
Ensuring an accurate association of guest VM IP address use is very important to maintaining data center security. After synchronizing with the vCenter Server, NSX Manager collects the IP addresses of all vCenter guest virtual machines from VMware Tools on each virtual machine, or from IP discovery if it is enabled. IP discovery uses DHCP snooping and ARP snooping to dynamically observe VM IP addresses, and to prevent malicious use of otherwise authorized IP addresses. You also have the option to manually inspect and approve IP address use. SpoofGuard is disabled by default.

Figure 5 SpoofGuard policy enablement

Figure 6 SpoofGuard IP address assignment and approval
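To make the SpoofGuard review concrete, here is an added Python example (not code from the guide or from VMware) that models the approval step the section describes: observed addresses from DHCP and ARP snooping are compared with the addresses approved per vNIC, and anything that does not match is reported for review. The approval table and the discovery event lines are constructed for this example; the line format is invented and is not NSX's own log format.

```python
import re

# Constructed approval table: vNIC -> addresses approved for it. In NSX this
# information comes from VMware Tools reporting or manual SpoofGuard approval.
APPROVED = {
    "web1-vnic0": {"10.1.10.5"},
    "app1-vnic0": {"10.1.20.5"},
}

# Constructed IP-discovery events from DHCP snooping and ARP snooping. The line
# format is invented for this example and is not NSX's own log format.
SAMPLE_EVENTS = """\
2018-10-01T10:00:00Z dhcp vnic=web1-vnic0 mac=00:50:56:aa:bb:01 ip=10.1.10.5
2018-10-01T10:00:05Z arp  vnic=web1-vnic0 mac=00:50:56:aa:bb:01 ip=10.1.10.5
2018-10-01T10:01:00Z arp  vnic=web1-vnic0 mac=00:50:56:aa:bb:01 ip=10.1.20.5
2018-10-01T10:02:00Z dhcp vnic=app1-vnic0 mac=00:50:56:aa:bb:02 ip=10.1.20.5
2018-10-01T10:02:30Z arp  vnic=web1-vnic0 mac=00:50:56:aa:bb:01 ip=10.1.99.9
2018-10-01T10:03:00Z arp  vnic=db1-vnic0 mac=00:50:56:aa:bb:03 ip=10.1.30.5
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>dhcp|arp)\s+vnic=(?P<vnic>\S+)\s+mac=(?P<mac>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse discovery lines; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def evaluate(events, approved):
    """Compare observed addresses with the approval table.

    Finding kinds:
      pending    - the vNIC has no approved addresses yet (needs an admin decision)
      conflict   - the address is approved for a different vNIC
      unapproved - the address is approved for no vNIC at all
    """
    owner = {ip: vnic for vnic, ips in approved.items() for ip in ips}
    findings = []
    for ev in events:
        vnic, ip = ev["vnic"], ev["ip"]
        if ip in approved.get(vnic, set()):
            continue  # observed use matches an approved address
        if vnic not in approved:
            kind = "pending"
        elif ip in owner:
            kind = "conflict"
        else:
            kind = "unapproved"
        findings.append({"kind": kind, "vnic": vnic, "ip": ip, "owner": owner.get(ip),
                         "source": ev["source"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_EVENTS), APPROVED):
        print(f["ts"], f["kind"], f["vnic"], f["ip"], "(approved for %s)" % f["owner"] if f["owner"] else "")
```

The "conflict" case is the one the section warns about: an address that is legitimately approved for one workload being claimed by another vNIC. Separating it from "unapproved" lets the reviewer prioritize, and the "pending" case covers newly discovered VMs that have not been approved at all.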

Security Tags
Security tags are a VM attribute assigned by an administrator or applied through automation. Security tags provide dynamic association of VMs with security policy through security group membership. Security tags can be user-generated or system-defined. To provide automated response to threats in your data center, Panorama can apply security tagging based on firewall logging.

Figure 7 Security tags

Service Manager
Service managers register with NSX Manager to provide network introspection security services. Panorama registers
with NSX Manager as a service manager, providing service definitions and service profiles.

Figure 8 NSX Service Manager

Palo Alto Networks Components


To support the software-defined data center and ensure automated security services with advanced threat prevention, Palo Alto Networks relies on two key components: the VM-Series firewall for NSX and Panorama, the centralized management platform for coordinated and automated management of virtualized firewalls. The following sections describe the role of these components in this integrated solution and present the key features that enable the automated security services.

PALO ALTO NETWORKS VM-SERIES FIREWALL FOR NSX


The VM-Series virtualized next-generation firewall brings secure application enablement and threat prevention to the virtualized and cloud environments. At the core of the VM-Series is the Palo Alto Networks Next-Generation Firewall, which determines the three critical elements of your security policy: the application identity, regardless of port; the content, malicious or otherwise; and the user identity—all in a single pass. Unlike traditional security solutions, the VM-Series offers the same set of security features as our physical form factor firewalls and is managed using the same management platform, ensuring that a consistent set of policies is maintained in the data center. Identifying and controlling your data center traffic reduces the scope of attacks by:

• Validating data center applications are in use on standard ports.

• Blocking rogue or non-compliant applications.

• Preventing known and unknown threats from moving laterally.

• Systematically managing unknown traffic.

Beginning with PAN-OS version 8.0, most of the VM-series firewalls are supported with NSX. Multiple VM-series
firewalls can be deployed on a single host, as long as the overall CPU cores, memory, and storage requirements are met
for the firewalls. Multiple firewalls can be deployed to meet performance or multitenancy requirements.

The table below provides performance comparison of VMware NSX compatible PAN-OS 8.0 VM-series firewalls using
the maximum number of CPU cores.

Table 1 Performance comparison of PAN-OS 8.0 VM-series firewalls

Property                        VM-100/VM-200   VM-300/VM-1000-HV   VM-500
                                (2 cores)       (4 cores)           (8 cores)
Firewall throughput             1 Gbps          1.5 Gbps            3 Gbps
Threat prevention throughput    500 Mbps        1 Gbps              3 Gbps
Maximum sessions                250,000         800,000             2,000,000

PALO ALTO NETWORKS PANORAMA


Panorama is a centralized management platform that provides the ability to manage a distributed network of virtualized
and physical firewalls from a single location. Capabilities include the ability to view all firewall traffic, manage all aspects
of device configuration, push global policies, generate reports on traffic patterns or security incidents, and automatically
respond to security incidents by quarantining affected VMs. The following sections describe the key Panorama features
and functions leveraged in this design.

Security Groups
Security groups provide a flexible way to group virtual machines to which security policy is applied. Several options
based on VM configuration state can be used to associate security groups. This design uses security tags and IP sets to
assign security groups.

Security groups can also be created from Panorama dynamic address groups by setting the match criteria to ‘_nsx_[security group name]’. The address group name and the security group name in the match criteria must match exactly in characters and case; otherwise, the security group will not be created in NSX.

Figure 9 Linking Panorama address groups to NSX security groups
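Because a single case difference between the address group name and its `_nsx_` match criteria means the NSX security group is silently never created, the check is worth automating before a commit. The following Python is an added example, not code from the guide or from Panorama; the address group inventory and the set of security groups already present in NSX are constructed for it.

```python
NSX_PREFIX = "_nsx_"

# Constructed Panorama inventory: dynamic address group name -> match criteria.
PANORAMA_ADDRESS_GROUPS = {
    "web-servers": "_nsx_web-servers",            # correct
    "app-servers": "_nsx_App-Servers",            # case differs from the group name
    "db-servers": "_nsx_db-servers",              # correct
    "mgmt-servers": "_nsx_management-servers",    # name differs from the group name
    "quarantine": "nsx_quarantine",               # missing the leading underscore
}

# Constructed set of security groups already present in NSX Manager.
EXISTING_NSX_SECURITY_GROUPS = {"web-servers", "db-servers"}


def security_group_name(criteria):
    """Return the NSX security group name encoded in the match criteria, or None."""
    if not criteria.startswith(NSX_PREFIX):
        return None
    return criteria[len(NSX_PREFIX):]


def check_address_group(name, criteria, existing):
    """Classify one dynamic address group.

    'exists'       - criteria are correct and the NSX security group is already present
    'will-create'  - criteria are correct; Panorama will create the group in NSX
    'case-mismatch'- same name but different case; NSX will not create the group
    'name-mismatch'- different name; NSX will not create the group
    'no-nsx-prefix'- criteria lack the _nsx_ prefix; not an NSX-linked group at all
    """
    target = security_group_name(criteria)
    if target is None:
        return "no-nsx-prefix"
    if target == name:
        return "exists" if name in existing else "will-create"
    if target.lower() == name.lower():
        return "case-mismatch"
    return "name-mismatch"


def check_all(address_groups, existing):
    """Classify every address group; returns {name: status}."""
    return {name: check_address_group(name, crit, existing)
            for name, crit in address_groups.items()}


def problems(results):
    """Names of address groups whose NSX security group will not be created."""
    bad = {"case-mismatch", "name-mismatch", "no-nsx-prefix"}
    return sorted(name for name, status in results.items() if status in bad)


if __name__ == "__main__":
    for name, status in check_all(PANORAMA_ADDRESS_GROUPS, EXISTING_NSX_SECURITY_GROUPS).items():
        print(f"{name:14} {status}")
```

Distinguishing "case-mismatch" from "name-mismatch" matters in practice: the former is almost always a typo to fix in Panorama, while the latter may be an address group that was never meant to be pushed to NSX.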

Security Policy
Security policy identifies the network traffic which is to be allowed or blocked by distributed firewall and optionally
inspected by network introspection. All security policies require a security group for source, destination, or source and
destination. A security policy is created with implicit reference to an unnamed security group, and then the security
policy is applied to a security group; you don’t explicitly identify the security group within a security policy.

Service Definitions
As a service manager, Panorama registers NSX service definitions, which can be used in network introspection of NSX security policies. Service definitions specify the Panorama device group and template to which newly deployed VM-series firewalls are to register. The device group identifies the capacity license of VM-series firewall (VM-100, VM-300, or VM-500) based on its authorization code. Service definitions also specify the URL for the VM-series firewall OVF file and the notify group.

Figure 10 Panorama service definition

Figure 11 Panorama Service Manager and service definition name mapping to NSX Manager

Service Profile
NSX service profiles are used in NSX security policies to provide network introspection services. Virtual wire security
zones created in your Panorama templates create these service profiles in NSX Manager. NSX security policy using a
network introspection service profile forwards the traffic to the associated VM-series firewall virtual wire interface for
additional inspection. Multiple service profiles permit you to apply different security policies on the VM-series firewall
for applications such as multitenancy.

Figure 12 Panorama security zone mapping to NSX Manager service profile

Firewall Security Policy


Writing security policies in your new software-defined data center will likely be different from traditional firewall deployments. Network traffic is first inspected by the NSX firewall, and only permitted traffic is forwarded to VM-series firewalls for additional inspection. A best practice is to block all network traffic that can be identified on the NSX firewall and pass only permitted traffic to your VM-series firewall for additional inspection (for example, App-ID™ and threat prevention).

VM-series firewalls present a virtual wire interface to NSX Manager, with the same security zone on both sides of the
virtual wire. Security policies in this type of environment should only be intrazone. Only traffic within the data center, to
and from address groups, should be used in security policy. Default firewall policy (source/destination=any) should be
addressed in the perimeter firewall.

Panorama Steering Rules


In the security-oriented data center, NSX traffic steering policies are pushed directly from Panorama. These steering
rules can be automatically generated from Panorama security policies or created manually from a subset of security
policies.

The NSX firewall does not understand the Panorama service object application-default, nor can you use more specific service objects in Panorama security policy; they will all be mapped to any in NSX steering rules. To target steering rules more specifically, you must modify the auto-generated Panorama steering rules to use service object names understood by NSX.

Design Model
In SDDCs, you can steer traffic through a series of software functions that have replaced physical infrastructure service
appliances, such as firewalls and load balancers. In NSX, you can deploy these services with greater granularity by
inserting them into a specific forwarding path. This model is called the service insertion model. When multiple functions
are so combined, it is referred to as service chaining.

SERVICE INSERTION MODEL


After such infrastructure services are available as software, such as the Palo Alto Networks VM-Series firewall, they can be created, configured, inserted, and deleted dynamically to all virtual workloads within your infrastructure. The deployment and configuration of these services can be automated and orchestrated.

As a hypervisor-integrated software platform, NSX uses the workload-centric insertion point of data center infrastructure services. It involves steering specified traffic via the NSX Distributed Firewall (DFW) through one or more service virtual machines (SVMs). SVMs bypass the typical network stack and instead receive traffic directly via a messaging channel that runs at the hypervisor layer. Network traffic designated for redirection to a third-party service is defined using the traffic steering option of the NSX Distributed Firewall Rules. Traffic permitted by the distributed firewall can be forwarded for further inspection. Traffic steering rules redirect Layer 3 or Layer 4 traffic to a specific SVM for additional inspection.

When deploying the Palo Alto Networks VM-Series firewall on NSX, the firewall is inserted as an SVM following the
workload-centric service insertion model, either as a standalone service insertion or as part of a service chain. NSX
distributes network services into the VM vNIC to form a logical pipeline of services applied to virtual network traffic.
The Palo Alto Networks VM-Series firewall integrates directly into this logical pipeline using virtual wire, enabling
visibility and safe enablement of VM traffic, along with safe enablement of applications and complete threat protection.


Figure 13 Service insertion logical model vs. physical topology

In addition, this service insertion model enables the following outcomes:

• Independence from networking topology

• Automated deployment and provisioning

• More granular, dynamic security policies based on application, user, content and virtual machine “container”

• Linear scaling with the number of hosts

DESIGN CONSIDERATION: OPERATIONS-ORIENTED VS SECURITY-ORIENTED SECURITY POLICY

NSX security policy can be created and applied from within NSX Manager. This model is known as operations-oriented
security policy, which is appropriate for many organizations. In this model, all data center security policy is an inherent
function of administering the compute resources and NSX virtual networking; security staff can be granted access to
participate in creation and oversight of security policy in a cooperative manner.


Separation of data center operational duties from security policy creation and application can be a desirable capability.
Security-oriented security policy separates security functions from data center operations. Desired data center security
policy is created in Panorama, which then configures NSX security policy. Security policies created in Panorama and
pushed to NSX become the authoritative security policy and replace natively configured security policy.

When deploying the VM-Series in the service insertion model, you must determine how to balance operations-oriented
vs. security-oriented policies.


Summary
Meeting business demands for faster innovation, and doing so securely, can be a significant challenge. The integrated
solution of Palo Alto Networks Panorama and VM-Series for VMware NSX provides the flexibility to respond to
business requirements, improve operational efficiency, and raise overall security posture. The automated deployment of
VM-Series firewalls ensures workload-level visibility for user- and application-level policies to enable logical
microsegmentation of the SDDC traffic in a north-south or east-west fashion while providing advanced threat prevention
capabilities across all flows. Further, this solution ensures that the security policies being enforced stay current with the
dynamic nature of both the virtualized network and hypervisor environments.


What’s New in This Release


Palo Alto Networks made the following change since the last version of this guide:

• Updates to third-party trademarks



You can use the feedback form to send comments about this guide.

Headquarters

Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054, USA
www.paloaltonetworks.com

Phone: +1 (408) 753-4000
Sales: +1 (866) 320-4788
Fax: +1 (408) 753-4001
info@paloaltonetworks.com

© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may
be trademarks of their respective companies. Palo Alto Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.

B-000180P-1 10/18
