03-05-2018 11:36 PM
Hi Team,
I am currently looking for the option of configuring NSX for one of our European customers and i am exploring the option of using Palo Alto VM series firewall to secure East-West traffic inside NSX.
I am looking for the count of license that would be required for using the VMseries firewall for approximately 50 ESXi hosts. In the documents that i read, it is mentioned that one Palo Alto virtual firewall instance will be deployed per ESXi host.
Does this mean, i need to purchase 50 Palo Alto virtual firewalls for 50 ESXi hosts? How will the virtual firewalls be charged?
If i deploy one VM per host, is there a way i can create a "zone admin" if my ESXi hosts are shared and i deploy virtual firewalls per host?
03-08-2018 10:01 PM - edited 03-08-2018 11:50 PM
Hello,
Each ESXi host requires a licensed firewall so if you have 50 ESXi host you need 50 VM-Series licenses. VM-Series pricing is same for non-NSX and NSX integrated solutions, so you need to purchase perpetual licenses which are all paid up front with support and security update subscritions for specific time frame (1 or 3 years etc).
Unfortunaltely PANW does not have rental license model for Service Providers like VMware (VCPP) and Microsoft (SPLA) have. However, 50 licenses would be rather big deal so there might be some good discounts or other options for such deal.
As I understand Panorama capabilities, there is no such multitenancy support currently which would allow you to specificy user roles so that they could see and manage rules matching only specific zone. So I think answer to your last question is no.
03-08-2018 10:01 PM - edited 03-08-2018 11:50 PM
Hello,
Each ESXi host requires a licensed firewall so if you have 50 ESXi host you need 50 VM-Series licenses. VM-Series pricing is same for non-NSX and NSX integrated solutions, so you need to purchase perpetual licenses which are all paid up front with support and security update subscritions for specific time frame (1 or 3 years etc).
Unfortunaltely PANW does not have rental license model for Service Providers like VMware (VCPP) and Microsoft (SPLA) have. However, 50 licenses would be rather big deal so there might be some good discounts or other options for such deal.
As I understand Panorama capabilities, there is no such multitenancy support currently which would allow you to specificy user roles so that they could see and manage rules matching only specific zone. So I think answer to your last question is no.
03-08-2018 11:36 PM
Hi thakala,
Thanks a lot. This clearly answers my query.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
