Nutanix DAG Harvesting Panorama Plugin

Community Team Member

Panorama plugin for NutanixPanorama plugin for Nutanix

 

About VM Monitoring on Nutanix

The Panorama plugin for Nutanix facilitates the use of dynamic address groups by monitoring virtual machines in your Nutanix environment. Prism Central groups entities in your Nutanix environments by categories and filters them further by value. Panorama creates tags based on categories and values you define in Prism Central.

 

When a virtual machine is placed in a category and assigned a value, Panorama applies the corresponding tag to the virtual machine’s IP address. You can then create security policy by using the tags as match criteria for dynamic address groups in Panorama.

 

Nutanix Plugin Category ValueNutanix Plugin Category Value

 

In the example above, we have two categories—Dev and HR—with two values inside each of them. These categories are in the cluster, which is within Prism Central. After you begin monitoring your Nutanix environment, Panorama uses value, category, cluster, and Prism Central to form tags.

 

When you view the match criteria for dynamic address groups, the tags are listed in the following format:

ntnx.PC-<prism-central-name>.CL-<cluster-name>.<category>.<value>

 

With the information in the example above, Panorama creates the following tags:

ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.Dev.Engineering

ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.Dev.QA

ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.HR.Recruiting

ntnx.PC-PrismCentralHQ.CL-ClusterAlpha.HR.Benefits

 

To secure workloads in these categories, use tags such as these as match criteria in the dynamic address groups. You can then use the dynamic address groups as source and destination address groups in your security policy rules. When a virtual machine joins a dynamic address group, the policy you created is applied automatically.

 

Install the Panorama Plugin for Nutanix

To get started with endpoint monitoring on Nutanix, download and install the Panorama plugin for Nutanix. If you have a Panorama HA configuration, repeat this installation process on each Panorama peer.

 

When installing the plugin on Panorama in an HA pair, install the plugin on the passive peer before the active peer. After installing the plugin on the passive peer, it will transition to a non-functional state. Installing the plugin on the active peer returns the passive peer to a functional state.

  • Log in to the Panorama user interface.
  • Select > Panorama > Plugins
  • Select > Check Now to retrieve a list of available updates
  • Select > Download in the Action column to download the plugin
  • Select the version of the plugin and click Install in the Action column to install the plugin
  • Panorama will alert you when the installation is complete

 

Configure the Panorama Plugin for Nutanix

After installing the plugin, complete the following procedure to establish a connection between Panorama and Prism Central.

 

  • Log in to the Panorama web interface.
  • Enable monitoring and set the monitoring interval.
    • Select > Panorama > Nutanix > Setup > General
    • Select > Enable Monitoring
    • Set the Monitoring Interval in seconds
    • The monitoring interval is how often Panorama retrieves updated networking information from Prism Central


nutanix-plugin-general.png

 

    • Create a notify group.
      • Select > Panorama > Nutanix > Setup > Notify Groups
      • Click Add
      • Enter a descriptive Name for your notify group
      • Select the device groups in your Nutanix deployment


nutanix-plugin-notify-groups (1).png

 

      • Add Prism Central information
      • Select Panorama > Nutanix > Setup > Nutanix Prism Central
      • Click Add
      • Enter a descriptive name for your Prism Central
      • Enter the IP address or FQDN for your Prism Central
      • Enter your Prism Central username
      • Enter and confirm your Prism Central password
      • Click Validate to confirm that you entered the Prism Central credentials correctly.
      • Click OK

If you return to the Nutanix Prism Central Info window after clicking OK, clicking the Validate button returns a credential validation error message. This is the expected behavior. Although Panorama displays dots in the password field, the field is empty; this causes the validation to fail despite Panorama being successfully connected to Prism Central.


nutanix-plugin-prism-central.png

 

    • Configure the Monitoring Definition.
      • Select Panorama > Nutanix > Monitoring Definition and click Add
      • Enter a descriptive Name and optionally a description to identify the Prism Central for which you use this definition
      • Select the Prism Central and Notify Group
      • Click OK
      • Commit your changes


nutanix-plugin-monitoring-definition.png

 

    • Verify that you can view the VM information on Panorama and define the match criteria for dynamic address groups.
      • Select Panorama > Objects > Address Groups and click Add

      • Enter a descriptive n
        ame
         for your dynamic address group
      • Select Dynamic from the type dropdown
      • Click Add Match Criteria. You can select dynamic tags as the match criteria to populate the members of the group

      • Select the And or Or operator and select the attributes that you would like to filter for or match against

      • Click OK

      • Commit your changes


nutanix-plugin-config-dag.png

 

    • Verify that addresses in your VMs are added to dynamic address groups.
      • Select Panorama > Objects > Address Groups
      • Click More in the addresses column of a dynamic address group
      • Panorama displays a list of IP addresses added to that dynamic address group based on the match criteria you specified


nutanix-plugin-dag-more.png

 

    • Use dynamic address groups in policy.
      • Select Policies > Security
      • Click Add and enter a name and description for the policy
      • Add the Source Zone to specify the zone from which the traffic originates
      • Add the Destination Zone for which the traffic is terminating
      • For the Destination Address, select the Dynamic address group you just created
      • Specify the action Allow or Deny for the traffic and optionally attach the default security profiles to the rule
      • Repeat previous six steps to create another policy rule
      • Click Commit

 

Make sure to bookmark Set Up the VM Series Firewall on Nutanix AHV to stay informed on the latest updates!

 

Thanks for taking time to read my blog.


If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Kiwi out !

1,229 Views
Ask Questions Get Answers Join the Live Community
Labels