NSX-V Configuration for Panorama


Brief Description

This skillet automatically configures Panorama and its NSX plugin for a state-of-the-art integration with NSX-V, giving a “one click ready” POC with single- and multiple-tenant support.

 

Target Audience

This skillet is designed to be used by SEs and Partners.

 

Skillet Details

Authoring Group: Private Cloud CE
Documentation: https://github.com/ceskillets/DCV-skillet-nsx/blob/master/README.md
Github Location: https://github.com/ceskillets/DCV-skillet-nsx.git

Github Branches: master

PAN-OS Supported: 8.1.X and higher releases with NSX plugin version 2.0.X

Cloud Provider(s) Supported: VMWARE NSX
Type of Skillet: Multiple XML files that configure Panorama and the plugin entirely

Purpose: Config ready for POCs

Detail Description

This skillet automates these tasks for you on Panorama:

 

  • create a Template Stack and a Template dedicated for NSX-V with DNS and NTP server configured with webpage variables.
  • create a Device Group dedicated for NSX-V with the authcode configured with webpage variables.
  • create a Service Definition and a Service Manager profile with a single Service Profile "Tenant" attached to the Service Definition.
  • create an empty DAG with a TAG attached to it that will be pushed into NSX Manager for demo as a Security Group.
  • create 2 intrazone pre-rulebase firewall security rules for your tenant with Security Profiles, a Log Forwarding Profile and a dedicated TAG for that tenant, to filter both incoming and outgoing traffic of that Security Group's members.
  • automatically generate the NSX Manager Steering Rule Policies on Panorama that fit the previous pre-rulebase.
  • create an HTTP log forwarding profile on Panorama to provide "automated quarantine" on NSX Manager in case of a virus detection in one of our VM-Series agent firewalls.

 

Note that if you want a second "Tenant", you just need to launch the skillet a second time and change only the "Tenant" name variable at the end of the webpage to your second "Tenant" name.

 

How to execute it:

Just launch the skillet with Panorama as the target destination. Your Panorama must be able to reach NSX Manager without a proxy to successfully configure and register the service definition and service profile(s).

 

Variables

  • STACK (Template Stack name for NSX)
  • DEVICEGROUP (Device Group name for NSX)
  • AUTHCODE (AuthCode VM series for NSX)
  • URLOVA (URL where ovf/ova package is hosted)
  • NSXLOGIN (NSX Manager login)
  • NSXMANAGER (NSX Manager IP Address)
  • NSXPASSWORD (NSX Manager password)
  • DNS (DNS Server IP address)
  • NTP (NTP Server IP address)
  • TENANT (Tenant name for Zone creation)
  • TAGCOLOR (Color of the TAG for your Tenant)

 

Caution

  • This skillet will not deploy our VM agents on NSX Manager nor configure it for deployment; it covers Panorama configuration only.
  • This skillet will create only one single Security Group in NSX Manager, linked to one single DAG in Panorama. If you need more on your setup, additional DAGs/Security Groups must be added manually after you apply the skillet.
  • Generating the certificate, signing it, and extracting and installing it into NSX Manager are not part of this skillet. That step must be done manually after you launch the skillet for the automated quarantine feature to be fully functional.