- #Palo alto vmware image download update
- #Palo alto vmware image download code
- #Palo alto vmware image download zip
I suppose you could move forward without adding any Security Groups to the profile, but I still do it as a CYA. There seems to be no mention of editing the profile in PAN’s online docs ( viewable here). I thought I did something wrong or had hit a bug, but this was confirmed to be working as intended by VMware. If you try clicking on Logical Networks or Distributed Virtual Port Groups, nothing will show up. This was described in page 70 of PAN’s VM-Series Deployment Guide for PAN-OS 6.1 PDF, published in late October of 2014.įrom what I can tell, VMware has altered their API slightly in NSX 6.1.1 because you are now supposed to steer Security Groups. Prior to NSX 6.1.1, you’d edit the profile and select the Logical Networks or Distributed Virtual Port Groups that should be steered to PAN. In a nutshell, this is how you steer data traffic to the VM-Series firewall. If you open up this service instance, you’ll find a single profile called Palo Alto Networks profile 1. There will be a new service instance created called Palo Alto Networks NGFW-GlobalInstance. Data Traffic ProfileĪfter you’ve intergrated the NGFW service profile with NSX, navigate to Service Definitions and double click the Palo Alto Networks NGFW service. This seems to be fully fixed in Panorama 6.1.1 – I haven’t had the issue since then. Basically, you query the NSX API for the service ID of the PAN service definition and then send a PUT request with the Firewall and IDS_IPS strings.
If the functions column is blank, you’ll need to use PAN DOC-8253 to resolve it. To view this, head to Service Definitions and look for the Palo Alto Networks NGFW. I believe this was caused by changes to the NSX API. Specifically, I’d register the service with NSX Manager and see the functions list was empty. The Panorama 6.0 and 6.1 releases had difficulty registering their service definitions properly with NSX 6.1. I’ve found that these two values don’t always match up when changed from the Panorama side.
#Palo alto vmware image download update
Note: If you end up changing the deployment URL on Panorama after registering the PAN service, make sure to also edit the PAN service definition in NSX and update the deployment URL. If you try deploying the vSphere VM-Series firewall with NSX, it will fail. VM-Series firewall for vSphere looks like this: PA-VM- ESX-6.0.0.ovf.VM-Series firewall for NSX looks like this: PA-VM- NSX-6.0.0.ovf.Here’s an easy way to spot the right files:
#Palo alto vmware image download zip
I’ve found that the files don’t always match up – sometimes a zip will say it’s for NSX, while the files themselves are not. If you’re using the VM-Series firewall specifically for NSX, make sure to download and extract the NSX specific files onto your web server. This post will cover a few gotchas that have caused me grief in the past.
#Palo alto vmware image download code
However, they have to rely upon the code / APIs provided by someone else (VMware), meaning there are bound to be things that don’t work quite as you might imagine. On the whole, it’s a rather straight forward process with some deep documentation provided by the folks at Palo Alto Networks (PAN). I’ve had the opportunity to deploy a few instances of Palo Alto Network’s Panorama and VM-Series firewall into VMware NSX environments.