SAI3317BES: What's New in Palo Alto Networks VM-Series Integration with VMware NSX – A Deep Dive

Sudeep, Product Line Manager; Sai, Product Marketing

VMworld 2017 Content: Not for publication or distribution

(Slide transcript; document uploaded 07-Apr-2018)

Agenda

• Basecamp – The Journey So Far
• Enhancements
  – Into the Fear Zone – Climbing the VM-Series Performance Peak
  – New VM-Series Models and Licensing
• Best Practices
  – Redpoint Mode – Certified Versions and Clean Upgrades
• New Features
  – Less Spray More Belay – Alternative Security Policy Workflows
  – Dyno Move – Automated Security Response
  – In Sight – Scaling Beyond a Single NSX Manager
• Evolving Use Cases
• Gardening Time – Q&A

Basecamp – The Journey So Far

5 years of continued investments (2012–2017)

Timeline (figure): VM-1000-HV (2012); VM-100, VM-200, VM-300; cloud infrastructure support (vCloud Air, Azure, ELB auto scaling); SDN/orchestration integrations.

What we did in the last 12 months (2017)

• Broad portfolio: VM-50, VM-100, VM-300, VM-500, VM-700
• Device Package 1.2
• Enhanced security policy lifecycle management
• Security templates
• Cloud infrastructure support
• SDN/orchestration integrations
• Performance

Expanding the product portfolio

Circa 2016: VM-100, VM-200, VM-300, VM-1000-HV
2017: VM-50, VM-100, VM-300, VM-500, VM-700

Broad Portfolio of Virtualized Next-Generation Firewalls

Model    Throughput
VM-50    200 Mbps
VM-100   2 Gbps
VM-300   4 Gbps
VM-500   8 Gbps
VM-700   16 Gbps

The range spans core NFV use cases and distributed enterprise/data center use cases. VM-200 and VM-1000-HV are the superseded models.

VM-Series on NSX Product Portfolio

© 2017, Palo Alto Networks and/or its partners. All rights reserved. Palo Alto Networks Public

Model    Throughput on NSX
VM-100   1 Gbps
VM-300   1.5 Gbps
VM-500   3 Gbps

Cloud Security Licensing Challenges

Technology barriers:
• Multi-cloud strategy
• Shadow IT license spend
• Lack of license portability
• Constrained access to licenses
• Licensing automation challenges

Operational barriers:
• Piecemeal security
• Multiple point security solutions
• Multiple vendors
• Budget unpredictability
• Decentralized purchasing

Simplified Licensing Bundles

3 new bundles
– Available for the VM-50, VM-100, VM-300, VM-500 and VM-700 models
– Single SKU for each model and its associated renewal SKU
– Available for all deployments

Bundle figure: BASIC, BND and BND2* tiers, each paired with premium support (PREM SUPP).

VM-Series Enterprise Licensing Agreement

…aligning the cloud security consumption model with the needs of the enterprise

• Selected model support
• Unbounded subscription-based model
• Single bundle
• Easy to order and deploy
• Co-termed subscriptions and support

Into The Fear Zone – Climbing the VM-Series Performance Peak

What we did under the hood

Figure: three stages of packet-path optimization for the VM-Series
1. Intel DPDK integration: the DPDK libraries run in user space with the VM-Series dataplane, bypassing the guest kernel network stack.
2. PCI passthrough (PCI-PT) with CPU/memory optimizations: CPU pinning, NUMA alignment and huge pages.
3. SR-IOV: the VM-Series attaches directly to a virtual function of the physical adapter.

Design considerations to get the best performance

• Isolate CPU resources on a single NUMA node, pin the CPUs, configure huge pages
• Use validated PCI-PT and SR-IOV network adapters
• Update drivers to versions that support multiple queues
  – ESXi: modify the VMX file or the VM's advanced settings to enable multiple queues
• Enable DPDK in PAN-OS (turned on by default on VMware ESXi); check and set it from the CLI:
  – admin@PA-VM> show system setting dpdk-pkt-io
  – admin@PA-VM> set system setting dpdk-pkt-io on

Demo: VM-Series Performance

Redpoint Mode – Certified Versions and Clean Upgrades

PAN-OS 8.0 Upgrade Considerations

• All VM-Series models supported
• Existing models get increased capacity and performance: higher resources and maximum supported cores
• Identical capabilities across models
• Model mapping on upgrade: VM-1000-HV to VM-300, VM-200 to VM-100

Design Considerations

VMware NSX Certification

PAN-OS version                 NSX Manager version   vSphere version
7.1.9 and later                6.2.4 and later       ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3
7.1.9 and later                6.3.0 and later       ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1
8.0.2 and later (Plugin 1.0+)  6.2.4 and later       ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3
8.0.2 and later (Plugin 1.0+)  6.3.0 and later       ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1

Certification status for each combination: https://www.vmware.com/resources/compatibility/search.php?deviceCategory=security

Less Spray and More Belay – Alternative Security Policy Workflows

Operational Workflows within VMware NSX: Before PAN-OS 8.0

1. Create Security Tags (NSX Manager)
2. Create Dynamic Address Groups to synchronize with the Security Tags (Security Admin)
3. Apply Security Tags to workloads (NSX Manager)
4. Apply App-ID and advanced security policies between the Security Tags (Security Admin)
5. Create traffic redirection policies to VM-Series (NSX Manager)

Security policy lifecycle management within VMware NSX: PAN-OS 8.0

1. Security Admin (Panorama): create Dynamic Address Groups with the special NSX tags; the matching Security Tags are created in NSX Manager.
2. NSX Admin (NSX Manager): apply the Security Tags to workloads.
3. Security Admin (Panorama): apply App-ID and advanced security policies between the DAGs; the traffic redirection policies to VM-Series are created in NSX Manager.

The NSX Admin performs step 2; the Security Admin performs steps 1 and 3.

Automated Security Policy Creation Workflow

1. Create security tags within Panorama (for example PCI, DMZ, PROD, DEV); the security tag information is pushed to NSX Manager automatically.
2. Define security tag membership within NSX.
3. Redirection policies are created on NSX Manager automatically; create security policies in Panorama based on the security tags.

Demo: Panorama Driven Security Policy Workflows

Para Gliding – Automated Security Response

Automate Security Actions

…with Panorama driven security event triggers

Log sources: Threat Prevention logs, malware and phishing logs, correlated event logs, system logs, data filtering logs, …

1. Granular log filtering: for example, VM-Series and WildFire C2 alerts on 10.3.4.122.
2. Automated actions on the NGFW: AUTO-TAG marks 10.3.4.122 as Compromised, the host joins the "Compromised hosts" Dynamic Address Group, and a policy with that DAG as source enforces multi-factor authentication.
3. Automated actions on third-party systems: HTTP/S calls to any REST API.
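The two NGFW-side steps on the slide above (filter the log, then AUTO-TAG the source so it lands in a Dynamic Address Group), as an added example that is not part of the original deck or Palo Alto Networks' own code. It uses the PAN-OS XML API's User-ID tagging call (type=user-id with a <uid-message> payload), which is what a tag-based DAG consumes. The threat-log records are constructed, and the hostname, API key and tag name are placeholders. Panorama does this natively through log forwarding profiles and built-in actions; the script shows what such an action sends, and a third-party REST integration (step 3) follows the same post-and-check-status pattern against a different endpoint.

```python
"""Automated security response: filter threat logs for C2 alerts, then tag the
offending source IPs via the PAN-OS XML API so a DAG picks them up."""
import csv
import io
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample threat-log records (not real PAN-OS syslog output; the
# field set is reduced to what this example needs).
SAMPLE_THREAT_LOGS = """\
src,dst,subtype,category,action,threat
10.3.4.122,203.0.113.9,wildfire-virus,command-and-control,alert,Trojan.Gen
10.3.4.10,198.51.100.5,vulnerability,brute-force,reset-both,SSH brute force
10.3.4.122,203.0.113.9,wildfire-virus,command-and-control,alert,Trojan.Gen
10.3.4.77,203.0.113.12,url,command-and-control,block-url,C2 domain
"""


def match_c2_alerts(log_text, subtype_prefix="wildfire"):
    """Step 1, granular log filtering: distinct source IPs that have a
    command-and-control log whose subtype starts with `subtype_prefix`
    (WildFire verdicts by default; pass "" to take every C2 category hit)."""
    reader = csv.DictReader(io.StringIO(log_text))
    hits = {
        row["src"]
        for row in reader
        if row["category"] == "command-and-control"
        and row["subtype"].startswith(subtype_prefix)
    }
    return sorted(hits)


def build_uid_message(ip_to_tags, action="register"):
    """Step 2, AUTO-TAG: build the <uid-message> XML that registers (or, with
    action="unregister", removes) tags on IP addresses. A DAG whose match
    criterion names the tag picks the IP up without a commit."""
    if action not in ("register", "unregister"):
        raise ValueError("action must be register or unregister")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    block = ET.SubElement(ET.SubElement(root, "payload"), action)
    for ip, tags in sorted(ip_to_tags.items()):
        entry = ET.SubElement(block, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_api_response(body):
    """The XML API answers <response status="success|error" ...>; treat
    anything but an explicit success as a failure worth alerting on."""
    return ET.fromstring(body).get("status") == "success"


def send_uid_message(host, api_key, uid_xml, opener=urllib.request.urlopen):
    """POST the payload to the firewall/Panorama XML API. The default opener
    verifies TLS; install a trusted device certificate rather than disabling
    verification, since the API key travels in this request."""
    form = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    req = urllib.request.Request(
        f"https://{host}/api/", data=form.encode(), method="POST"
    )
    with opener(req) as resp:
        return parse_api_response(resp.read())


if __name__ == "__main__":
    compromised = match_c2_alerts(SAMPLE_THREAT_LOGS)
    payload = build_uid_message({ip: ["compromised"] for ip in compromised})
    print(payload)
    # Placeholder host and key; uncomment against a lab firewall:
    # send_uid_message("pa-vm.example.internal", "<api-key>", payload)
```

Registering the tag is what changes enforcement: the DAG on the firewall re-evaluates its members as tags arrive, so the MFA or quarantine rule applies to 10.3.4.122 within seconds and without a commit. Pair every register with an unregister path (the same payload with action="unregister") so a cleaned host can leave the group.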

Demo: Automated Security Actions

In Sight – Scaling Beyond a Single NSX Manager

Panorama Multiple NSX Manager Support*

*Qualification pending for scale and performance metrics.

Use cases: disaster recovery; CI/CD with separate Dev/Test/Prod environments; M&A.

Multi-NSX Manager deployment topology

Figure: Panorama as an Active/Passive pair managing NSX Manager 1 (primary) and NSX Manager 2 (secondary) through NSX Manager 16 (secondary), each with its vCenter <…>.

Demo: Multiple NSX Manager Support

Enterprise security challenges

…extend beyond the confines of the software-defined data center

• Cloud: secure multi-cloud architectures
• Secure remote office/branch office

Enterprise perimeter is now everywhere

• Public cloud
• Software as a Service (SaaS)
• Mobile users
• Private cloud
• Remote networks/locations
• VMware Cloud (VMC) on AWS

Challenging to scale globally and to manage rapid changes.

Use Case: Secure Multi-Cloud

…extending the VMware NSX and VM-Series integration into public clouds protected by VM-Series (VMC on AWS)

• Secure connectivity between private and public clouds across the Internet via IPSec tunnels
• Uniform security policy across corporate networks, clouds and mobile endpoints

Use Case: Secure Multi-Cloud with GlobalProtect cloud service

…extending the enterprise security posture to VMC on AWS via GlobalProtect cloud service

Figure: Headquarters and VMC on AWS connect to GlobalProtect cloud service over IPSec/SSL VPN.

Use Case: Branch in a Box

…extending the NSX distributed firewall and VM-Series advanced security to remote offices

Figure: a remote office/branch office host running branch-services VMs with VM-Series, connected over SD-WAN to the Internet and MPLS.

Use Case: Secure Remote Office

…leveraging GlobalProtect cloud service with SD-WAN integration

Figure: Headquarters, GlobalProtect cloud service, IPSec, SD-WAN fabric and the Internet; arrows show the traffic flow from the branch across the SD-WAN fabric and IPSec to GlobalProtect cloud service.

In Summary

• Learn more about the VM-Series virtual firewall running with the latest PAN-OS 8.0 software
  – New features, enhanced performance and more choices
  – https://www.paloaltonetworks.com/products/new/new-panos8-0
• Try out our updated Hands-On Lab at VMworld 2017 – SPL1823
• Meet our Subject Matter Experts at our booth #627 on the Solutions Exchange floor