12-05-2017 07:38 AM
I'm trying to understand what gain we have from having our vCenter server monitored by our PA 3020 firewall?
I'm reading about it here, but not understanding it.
We recently upgraded to vSphere 6.5 and a new vCenter server, which I need to replace this current palladium entry with.
We are using standard vSphere switching and not using NSX at all.
12-06-2017 02:23 AM
Hi @OMatlock
This works in tandem with dynamic objects: if you have a datacenter where servers are spawned based on load (for example) and during a busy day several new servers need to be booted on the spot, the VM information sources can feed the IP information into the firewall and add the IPs to dynamic objects, so the servers are automatically added to existing firewall policies.
If you have several different types of VMs that may need to be spun up, they can each be members of individual dynamic groups, and their access through security policy will be tied to their membership in the dynamic group (e.g. DMZ servers may gain access to update servers, databases and DNS, while internal servers will automatically be reachable by your users and can fetch information off of the DMZ, and so on).
This way you don't need to add full subnets to your policies but can rely on the information sources to feed you unique IPs tied to a 'tag'.
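The mechanism reaper describes, as an added toy model that is neither Palo Alto's code nor part of this thread: a dynamic address group is a match expression over tags, the VM information source supplies IP-to-tag mappings, and policy refers only to group names, so a freshly booted VM is covered by existing rules without a policy change. The group names, tags, addresses and rule format below are constructed for the example.

```python
import re
# Match criteria on a dynamic address group: quoted tags joined by and/or/not, with parentheses.
def _tokens(criteria):
    return re.findall(r"'[^']+'|\(|\)|and|or|not", criteria)

def _parse_or(toks, tags):
    v = _parse_and(toks, tags)
    while toks and toks[0] == "or":
        toks.pop(0)
        v = _parse_and(toks, tags) or v     # evaluate the right side first so it is consumed
    return v

def _parse_and(toks, tags):
    v = _parse_not(toks, tags)
    while toks and toks[0] == "and":
        toks.pop(0)
        v = _parse_not(toks, tags) and v
    return v

def _parse_not(toks, tags):
    tok = toks.pop(0)
    if tok == "not":
        return not _parse_not(toks, tags)
    if tok == "(":
        v = _parse_or(toks, tags)
        toks.pop(0)                         # closing ')'
        return v
    return tok.strip("'") in tags           # a bare tag: member iff the IP carries it

def resolve(groups, ip_tags):
    """Group name -> sorted IPs whose learned tags satisfy the group's match criteria."""
    return {name: sorted(ip for ip, tags in ip_tags.items() if _parse_or(_tokens(crit), tags))
            for name, crit in groups.items()}

def allowed(rules, membership, src_ip, dst_ip):
    """First-match policy on group names; no rule names an individual IP or subnet."""
    for src_group, dst_group, action in rules:
        if src_ip in membership.get(src_group, []) and dst_ip in membership.get(dst_group, []):
            return action == "allow"
    return False                            # implicit deny

# Constructed example: two groups, one rule, and IP/tag mappings as a VM source would report them.
GROUPS = {"dmz-servers": "'dmz' and not 'quarantine'", "internal-servers": "'internal'"}
RULES = [("internal-servers", "dmz-servers", "allow")]
LEARNED = {"10.1.1.10": {"dmz", "web"}, "10.2.2.20": {"internal"}}

def spin_up(ip_tags, ip, tags):             # a new VM boots; the source reports its IP and tags
    ip_tags.setdefault(ip, set()).update(tags)
    return resolve(GROUPS, ip_tags)         # membership updates, RULES are untouched
```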
12-07-2017 07:27 AM
Wow! Thank you for that reaper.
Maybe these guys had plans to do stuff like this down the road, but not doing anything like that right now.
I might just remove it for now, especially since it is an old vCenter that is not in use anymore.
Thank you!
12-07-2017 09:41 AM
If you guys had an SE or an outside vendor set up your firewall for you during the initial install, it's quite possible they added this to show off the feature.