vRealize Network Insight supports the Palo Alto Panorama firewall.
- Select .
- Click Add to add a new admin role.
-
The Admin Role Profile window opens.
- Enter the name to the role and select Panorama.
- Click the Web UI tab and disable all entries.
- Click the XML API tab and disable all entries, except configuration and Operational Requests.
- Click OK to close the window.
The new admin role appears in the list.
- Click Commit.
- Assign this role to an administrator account or create a new user and assign this role to the new user.
- Interrelation of Palo Alto and NSX entities: The VM membership of the address and the address group of Palo Alto Networks is computed based on the IP Address to VM mapping. This membership info can be queried as follows:
VM where Address = <>Palo Alto address where vm = <>-
VM where Address Group = <> Palo Alto address group where vm = <>
- Query: You can perform a query for all the Palo Alto entities that are supported by vRealize Network Insight. All the entities are prefixed by Palo Alto. Some of the queries are as follows:
Table 1. Entities Queries Palo Alto Address Palo Alto address where vm = <>VM where Address = <>Palo Alto Address Group Palo Alto address group where Translated VMs = <>VM where address group = <>Palo Alto Device Palo Alto Device where Version = <>Palo Alto Device where connected = truePalo Alto Device where family = 'PA-5060'Palo Alto Physical Device Palo Alto Physical Device where model = 'PA-5060'Palo Alto VM Device Palo Alto VM Device where model = 'PA-VM'Palo Alto Device Group Palo Alto Device Group where device = <>Palo Alto Device Group where address = <>Palo Alto Device Group where address group = <>Palo Alto Service Palo Alto service where Port = <>Palo Alto service where Protocol = <>Palo Alto Service Group Palo Alto service group where Member = <>Palo Alto Policy Palo Alto Policy where Source vm = <> and Destination vm = <>Palo Alto Policy where Source IP = <> and Destination IP = <>Palo Alto firewall Palo Alto firewall where Rule = <>Palo Alto Zone Palo Alto Zone where device = <>Palo Alto Virtual System Palo Alto Virtual System where Device = <>Palo Alto Virtual System where Device Group = <>Note: Other than the queries, you can also use facets to analyze the search results. - VM to VM Path: As a part of the VM-VM topology, vRealize Network Insight displays the Palo Alto VM Series firewall on the host. The applicable rules are displayed when one clicks the firewall icon. If a firewall device (routing device) of Palo Alto Network is also present in the path, then that device is also displayed. When you click the device icon, you can see the basic information such as a Routing table, Interfaces, and a table containing the applied firewall rules.
-
You can view some system events related to the following scenarios for Palo Alto Networks:
- Palo Alto device not connected to Panorama (manager)
- NSX Manager not in registered with Panorama
- NSX fabric agent not found on the ESX for palo alto device
- Palo alto device not found on Panorama for NSX fabric agent
- Out of sync security group membership data
- You can create and register multiple service definitions in Panorama with a given NSX manager. If different ESXi clusters have workloads that require the VM-Series firewall to handle traffic differently, then multiple service definitions are created. Each service definition has an associated device group from which the policies are picked. While displaying the VM-VM path in vRealize Network Insight, the correct set of policies based on the cluster information of the VM should be considered.
A sample Palo Alto Manager dashboard
