Purpose and functions of VM Information Sources?


L4 Transporter

I am trying to understand what gain we have from having our vCenter server monitored by our PA 3020 firewall?

I am reading about it here, but not understanding it.

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-vm-informa...

 

We have recently upgraded to vSphere 6.5 and a new vCenter server that I need to replace this current palladium entry with.

We are using standard vSphere switching and not using NSX at all.

PAvCenter1.jpg

 

 

1 accepted solution

Accepted Solutions

Cyber Elite

Hi @OMatlock

 

This works in tandem with dynamic objects: if you have a datacenter where servers are spawned based on load (for example) and during a busy day several new servers need to be booted on the spot, the VM information sources can feed the IP information into the firewall and add the IPs to dynamic objects so the servers are automatically added to existing firewall policies.

If you have several different types of VMs that may need to be spun up, they can each be a member of individual dynamic groups, and their access through security policy will be tied to their membership in the dynamic group (e.g. DMZ servers may gain access to update servers, databases and DNS, while internal servers will automatically be reachable by your users and can fetch information off of the DMZ, and so on).

This way you don't need to add full subnets to your policies but can rely on the information sources to feed you unique IPs tied to a 'tag'.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
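
A small Python model of the mechanism described in the answer above, added here as an illustration; it is not PAN-OS code and not part of the original post. The class, group names, tags and IP addresses are constructed, and group membership is simplified to "the IP carries every tag the group lists".

```python
"""Toy model (not PAN-OS code) of tag-driven dynamic address groups."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    # ip -> tags, as a VM information source would report them (constructed data)
    registered: dict = field(default_factory=dict)
    # group name -> set of tags a member must carry (hypothetical match model)
    groups: dict = field(default_factory=dict)
    # ordered (source_group, dest_group, action) rules; first match wins
    rules: list = field(default_factory=list)

    def sync(self, inventory):
        """Replace the IP-to-tag map with the latest poll of the VM source."""
        self.registered = {ip: set(tags) for ip, tags in inventory.items()}

    def members(self, group):
        """Resolve a dynamic group to the IPs whose tags satisfy it right now."""
        need = self.groups[group]
        return {ip for ip, tags in self.registered.items() if need <= tags}

    def decide(self, src, dst):
        """Return the action of the first rule whose groups contain src and dst."""
        for src_group, dst_group, action in self.rules:
            if src in self.members(src_group) and dst in self.members(dst_group):
                return action
        return "deny"  # nothing matched: default deny


def demo():
    fw = Firewall()
    fw.groups = {"dmz-web": {"dmz"}, "update-servers": {"updates"}, "internal": {"internal"}}
    fw.rules = [("dmz-web", "update-servers", "allow"), ("internal", "dmz-web", "allow")]
    inventory = {"10.1.0.10": ["dmz"], "10.2.0.5": ["updates"], "10.3.0.7": ["internal"]}
    fw.sync(inventory)
    before = fw.decide("10.1.0.11", "10.2.0.5")   # VM not booted yet
    inventory["10.1.0.11"] = ["dmz"]              # load spike: new DMZ VM appears
    fw.sync(inventory)
    after_boot = fw.decide("10.1.0.11", "10.2.0.5")
    del inventory["10.1.0.11"]                    # VM torn down again
    fw.sync(inventory)
    after_teardown = fw.decide("10.1.0.11", "10.2.0.5")
    return before, after_boot, after_teardown


if __name__ == "__main__":
    print(demo())  # rules were never edited between the three decisions
```

The rule list stays fixed throughout; only the tag registrations change, which is why an address that is no longer reported by the source stops matching the policy.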


Wow!  Thank you for that reaper.

Maybe these guys had plans to do stuff like this down the road, but not doing anything like that right now.

 

I might just remove it for now, especially since it is an old vCenter that is not in use anymore.

 

Thank you!

@OMatlock,

If you guys had an SE or an outside vendor set up your firewall for you during the initial install, it's quite possible they added this to show off the feature.
