vm-series on vmware nsx

VMware® and Palo Alto Networks® have partnered on an offering that
­leverages NSX® to enable the VM-Series to be transparently inserted into
SDDC environments, allowing you to protect your applications and data with
the next-generation firewall and advanced threat prevention.
A strategic partnership for Palo Alto
Networks, the integration of our
Next-Generation ­Security Platform
with VMware NSX automates ­
next-generation firewall services
for the SDDC.
• Accelerate the deployment of
business-­critical applications by
provisioning ­security services
and new virtual workloads
• Dynamically scale next-generation
security in lockstep with workload build-out by simply adding
• Isolate and safely enable virtualized
­applications of different trust levels
through micro-­segmentation and
secure multi-tenancy support.
• Address security and compliance
mandates with protection against
known and unknown threats,
including exploits, viruses, spyware,
malware and advanced persistent
• Simplify automation of security
workflows across your SDDC.
• Enforce policy consistency across
north-south and east-west data
center traffic through Panorama.
Software-defined data center, or SDDC, architectures virtualize compute, storage
and networking infrastructure to enable you to simplify operations, speed time
to provision network and security services, and fundamentally improve your data
center security. VMware NSX is a network virtualization platform that delivers
the operational model of a VM for the network and reproduces all networking
services in software. The extensible, native security capability of NSX, including
kernel-based distributed firewalling and security operations automation, allows
server-to-server traffic inside the data center to be automatically steered to the
VM-Series for granular inspection based on applications, content and users.
Together, the integrated offering delivers the dynamic insertion, chaining, distribution and orchestration of advanced security services for SDDC environments.
Existing network security solutions are optimized for perimeter-based defense,
but server-to-server traffic, which represents 80 percent of overall data center
traffic, is not inspected by security controls.
The joint offering leverages VMware NSX to fully automate the provisioning
and deployment of Palo Alto Networks VM-Series next-generation firewalls,
allowing customers to protect their applications and data from today’s
advanced cyberattacks. The components of the offering include:
• VMware NSX: NSX, the leading network and security virtualization
platform, is a full-service, programmable platform that provides logical
network abstraction of the physical network and reproduces the entire
network model in software, allowing diverse network topologies to be
created and provisioned in seconds. NSX applies security controls at
the hypervisor layer for optimal context and isolation, inherently provides
security isolation, enables micro-segmentation based on logical boundaries,
and allows for workload-level isolation and segmentation. Policies are
enforced at the virtual interface and follow the workload, unconstrained
by physical topology. The NSX distributed service framework and service
insertion platform enable integration of next-generation security services.
The NSX native, kernel-based distributed firewall, used for L2–L4 filtering,
steers traffic transparently to the VM-Series for advanced inspection.
• VM-Series on NSX: The VM-Series virtualized next-generation firewall
brings secure application enablement and threat prevention to virtualized
and cloud environments. At the core of the VM-Series platform is the
next-generation firewall, which identifies the three critical elements of your
security policy – application, regardless of port; content, malicious or otherwise; and user – all in a single pass. Unlike traditional security solutions,
Palo Alto Networks | VM-Series on VMware NSX | Datasheet
the VM-Series offers the same set of security features as our physical form factor firewalls and is managed using the same
management platform, ensuring a consistent set of policies is maintained in the data center.
•Panorama: Panorama™ network security management lets you manage a distributed network of virtualized and physical
firewalls from a single location. Capabilities include the ability to view all firewall traffic, manage all aspects of device
configuration, push global policies, and generate reports on traffic patterns or security incidents.
The integrated offering enables you to leverage NSX to automate the provisioning of next-generation security services.
Additional integration points between NSX and the VM-Series can automate policy updates to help eliminate the time lag that
may occur between new virtualized application deployments or changes, and the associated security policy updates. As shown
in Figure 1, the offering delivers the following capabilities:
• Independence from networking topology: Security policies are applied, regardless of where a VM connects at a point in
time. This works with any network overlay and with traditional VLAN networking.
• Automated deployment and provisioning of next-generation security: The VM-Series is deployed by NSX Manager, keeping security in lockstep with the fluid virtual compute layer. Panorama communicates with the NSX Manager to register
the VM-Series as a security service. NSX Manager then deploys the VM-Series on every VMware ESXi™ server in an
automated manner, thereby ensuring security is deployed as the environment scales. Each VM-Series deployed then
communicates directly with Panorama to receive associated security policies.
• Next-generation security protection for virtualized applications and data: Each ESXi server that needs security receives
a VM-Series next-generation firewall, which will allow you to deploy security policies to identify, control and safely enable data center applications while inspecting all content for all threats. Safe application enablement means you can build
firewall policies that are based on applications/application features, users, user groups and content, as opposed to port,
protocol, and IP address, transforming your traditional allow/deny firewall policy into business-friendly elements. Threat
prevention capabilities address the whole attack lifecycle, featuring protection against exploits, viruses, spyware, malware
and targeted unknown threats, such as advanced persistent threats.
• Seamless traffic steering to next-generation security: Traffic is steered by the NSX Distributed Firewall, a stateful, in-­kernel
firewall, to the VM-Series via NSX APIs without a need for manual configuration changes to virtual networking elements.
• Dynamic security policies based on application, content and user: VM-Series security policies based on applications,
content and users can be defined through the use of security groups. As virtualized applications are instantiated, they
are placed in security groups in NSX Manager, which are recognized by Panorama and the VM-Series. Security groups
then become the basis of the security policies that are deployed to each VM-Series instance.
• Multiple security policy sets within the SDDC environment: VM-Series on NSX can be configured to support dedicated
security policy sets per cluster. A separate service profile gets assigned to each tenant, leading to duplicate IP address
support, isolation of network traffic, and security policy and logs per tenant. Secure multi-tenancy can be implemented
across shared and dedicated virtual compute infrastructure.
Panorama registers the VM-Series as a service with NSX Manager
Cloud Admin
Real-time, contextual updates on VM changes
VM-Series deployed automatically
by NSX; policies then steer select
traffic to VM-Series for inspection
Security Admin
Automated licensing, policy
deployment and updates
Figure 1: VMware NSX and Palo Alto Networks VM-Series integrated offering
Palo Alto Networks | VM-Series on VMware NSX | Datasheet
NSX admin
(performs step 2)
Security admin
(performs Ssteps 1 & 3)
Automated update of security groups
NSX Platform
Information to NSX Manager
Local Network
Switch & Router
VMware NSX
1 Create security groups
within Panorama
Any network hardware
Define security group
membership within NSX
3 Create security policies in Panorama based on security groups
3 Automated creation of redirection policies on NSX Manager
Figure 2: Automated security policy creation within Panorama
• Simplified security automation workflows with Panorama: Panorama can manage the entire security workflow in the
NSX deployment. As shown in Figure 2, creation of NSX security groups and traffic steering rules within NSX Manager
is automated and streamlined during security policy creation within Panorama. Panorama also ensures security configurations
are in sync with NSX Manager for consistent security posture.
As virtual workloads within the security groups change, context sharing between NSX Manager and Panorama occurs, triggering
a dynamic policy update. The use of security groups, combined with dynamic context sharing, ensures security is deployed for
virtualized applications, no matter when they are created or moved across the network.
Flexible Licensing Options
The VM-Series on NSX supports several licensing options, including perpetual bundles and enterprise license agreements.
Perpetual bundle options allow you to choose any one VM-Series model, along with its associated subscriptions and support.
A VM-Series Enterprise License Agreement takes a forecast of your VM-Series firewall consumption over a one- or three-year
period, and purchase price is based on that projected usage. Included in each VM-Series ELA is a VM-Series firewall license,
subscriptions for Threat Prevention, URL Filtering, WildFire® cloud-based threat analysis service, GlobalProtect™ Gateway,
and unlimited Panorama VM licenses and support. The VM-Series ELA allows you to use a single license authorization code
across all virtual environments supported by the VM-Series and is ideally suited for customers who have large-scale, expanding virtual environments, and who want to be able to deploy VM-Series next-generation firewalls and associated subscriptions
wherever needed. The VM-Series ELA simplifies the purchasing process and provides a simplified, predictable cost structure
by establishing a single start and end date for all VM-Series licenses and subscriptions.
Performance and Capacities Summary
In virtualized and cloud environments, many factors, such as type of CPU, hypervisor version, number of cores assigned and
network I/O options, can impact your performance. We recommend additional testing within your environment to ensure your
performance and capacity requirements are met.
VM-200 (2
(4 Cores)
(8 Cores)
Firewall throughput (App-ID enabled)1
2 Gbps
4 Gbps
9 Gbps
Threat Prevention throughput1
1 Gbps
2 Gbps
5 Gbps
Max sessions
1. Throughput was measured between virtual workloads (east-west traffic) and with large receive offload (LRO) enabled on VM-Series.
Palo Alto Networks | VM-Series on VMware NSX | Datasheet
The performance and capacities results were tested under the following conditions:
• Firewall and IPsec VPN throughput are measured with App-ID™ and User-ID™ technology features enabled.
• Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus and anti-spyware features enabled.
• Throughput is measured with 64KB HTTP transactions.
• Connections per second is measured with 4KB HTTP transactions.
VM-Series on VMware NSX Specifications and Requirements
The table below lists all supported specifications and resource requirements on VM-Series on VMware NSX.
Virtualization Specifications
Hypervisor version supported
I/O options supported
VMware vSphere® 5.5, 6.0, 6.5 U1
VMware NSX Manager 6.0, 6.1, 6.2, 6.3
VMware paravirtual drivers (vmxnet3, e1000)
(2 Cores)
(4 Cores)
(8 Cores)
2, 4
2, 4 and 8
Memory (minimum)
Disk drive capacity
System Requirements
CPU core configurations
The integration between VMware NSX and Palo Alto Networks VM-Series fully automates the deployment of the next-­
generation firewall and advanced threat prevention services for SDDC environments.
About Palo Alto Networks
Palo Alto Networks is the next-generation security company, maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. Our innovative security platform prevents known and unknown
threats, and safely enables applications, users and content, empowering organizations to securely and efficiently move their
businesses forward. Find out more at www.paloaltonetworks.com.
About VMware
VMware is a global leader in cloud infrastructure and business mobility. Built on VMware’s industry-leading virtualization
technology, our solutions deliver a brave new model of IT that is fluid, instant and more secure. Customers can innovate
faster by rapidly developing, automatically delivering and more safely consuming any application. With 2014 revenues of
$6 billion, VMware has more than 500,000 customers and 75,000 partners. The company is headquartered in Silicon Valley
with offices throughout the world and can be found online at www.vmware.com.
3000 Tannery Way
Santa Clara, CA 95054
© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark
of Palo Alto Networks. A list of our trademarks can be found at https://www.
paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies. vm-series-on-vmwarensx-ds-020218