SAI3317BES

What’s New in Palo Alto Networks VM-Series Integration with VMware NSX – A Deep Dive

Sai - Product Marketing
Nithya - Technical Marketing

VMworld 2017 Content: Not for publication or distribution


Post on 22-May-2020


Page 2: Agenda

• Basecamp – The Journey So Far
• Enhancements
  – Into the Fear Zone – Climbing The VM-Series Performance Peak
  – New VM-Series Models and Licensing
• New Features
  – Less Spray More Belay – Alternative Security Policy Workflows
  – Dyno Move – Automated Security Response
  – In Sight – Scaling Beyond A Single NSX Manager
• Best Practices
  – Redpoint Mode – Certified Versions and Clean Upgrades
• Evolving Use Cases
• Gardening Time – Q&A

Page 3: The Journey So Far

Basecamp

CONFIDENTIAL

Page 4: 5 years of continued investments

• NetX Integration
• Dynamic Address Groups (DAGs)
• VM-1000-HV
• Secure Multi-Tenancy
• Performance Enhancements
• VM-100
• VM-300
• VM-500
• Alternate Security Policy Lifecycle Workflows
• Automated Security Actions
• Securing Across Multiple NSX Managers

© 2017 Palo Alto Networks, Inc. Confidential and

Page 5: Expanding the product portfolio

• Circa 2016: VM-100, VM-200, VM-300, VM-1000-HV
• 2017: VM-50, VM-100, VM-300, VM-500, VM-700

Page 6: Broad Portfolio of Virtualized Next-Generation Firewalls

• Models: VM-50, VM-100, VM-300, VM-500, VM-700
• Throughput: 200Mbps, 2Gbps, 4Gbps, 8Gbps, 16Gbps
• Also shown: VM-200, VM-1000-HV
• Use case labels: Core NFV Use Cases; Distributed Enterprise/Data Center Use Cases

Page 7: VM-Series on NSX Product Portfolio

• VM-100: 1Gbps
• VM-500: 3Gbps
• VM-300: 1.5Gbps

© 2017, Palo Alto Networks and/or its partners. All rights reserved. Palo Alto Networks Public

Page 8: Simplified Licensing Bundles

• 3 New Bundles
  – Available for VM-50, VM-100, VM-300, VM-500 & VM-700 models
  – Single SKU for each model and its associated renewal SKU.
  – Available for all deployments
• Bundles shown: BASIC, BND, BND2* (each with PREM SUPP)

Page 9: VM-Series Enterprise Licensing Agreement

…aligning cloud security consumption model with the needs of the enterprise

• Selected Model Support
• Unbounded Subscription Based Model
• Single Bundle: Easy to Order & Deploy
• Co-termed Subscriptions & Support

Page 10: Climbing the VM-Series Performance Peak

Into The Fear Zone

Page 11: What we did under the hood..

Diagram panels (each shows VM-Series with its user-space and kernel-space layers):

• Intel DPDK Integration (DPDK Libs)
• PCI-PT
• CPU/Memory Optimizations: CPU Pinning, NUMA/Huge Pages
• SR-IOV

Page 12: Design considerations to get the best performance

• If disabled, enable DPDK in PAN-OS (turned on by default on VMware ESXi)
  – admin@PA-VM> show system setting dpdk-pkt-io
  – admin@PA-VM> set system setting dpdk-pkt-io on
• Update drivers to versions that support multiple queues
  – ESX: Modify the VMX file or advanced settings to enable multiple queues
• Isolate CPU resources on a single NUMA node, pin CPUs, configure Huge Pages
• Use validated PCI-PT and SR-IOV network adapters

Page 13: Demo: VM-Series Performance

Page 14: Alternative Security Policy Workflows

Less Spray and More Belay

Page 15: What Does It Take to Enforce Advanced Security Policy on NSX?

5 Steps

1. Create Security Tags
2. Create DAGs
3. Apply Tags to Workloads
4. Create Adv. Security Policies
5. Create Redirection Rules

2 Mgmt Consoles: NSX Manager, Panorama

Security Admin

• Split Management Model
• Manual Policy Lifecycle Synchronization
• Unintended Security Loopholes

Page 16: Demo: Panorama Driven Security Policy Workflows

Page 17: Automated Security Response

Para Gliding

Page 18: Automate Security Actions

…with Panorama driven security event triggers

1. Granular log filtering
   – Log types shown: Threat Prevention logs, Malware and phishing logs, Correlated Event logs, System logs, Data filtering logs, …
2. Automated actions on the NGFW
   – AUTO-TAG: 10.3.4.122 tagged Compromised (Dynamic Address Group)
   – Policy: Source = Compromised hosts Dynamic Address Group; Action = Quarantine
3. Automated actions on third party systems
   – HTTP/S to Any REST API

Example event: VM-Series and Wildfire C2 alerts on 10.3.4.122
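
The auto-tag flow on this slide, modelled locally as an added example (not code from the presentation or from Palo Alto Networks): a log filter selects events, the matching source IP is tagged, and the change in dynamic address group membership, not a rule edit, is what moves the host under the quarantine policy. The log fields, filter criteria and sample records are assumptions constructed for the illustration; no PAN-OS or Panorama API is called.

```python
# Added illustration: a local model of the slide's auto-tag flow, not PAN-OS or Panorama code.
# Log field names, filter criteria and the sample records are constructed for this example.
from dataclasses import dataclass, field

# Constructed sample log records: the slide's C2 alerts on 10.3.4.122 plus unrelated noise.
SAMPLE_LOGS = [
    {"type": "threat", "category": "command-and-control", "severity": "critical", "src": "10.3.4.122"},
    {"type": "threat", "category": "spyware", "severity": "low", "src": "10.3.4.50"},
    {"type": "system", "category": "general", "severity": "informational", "src": "10.3.4.7"},
    {"type": "wildfire", "category": "command-and-control", "severity": "high", "src": "10.3.4.122"},
]

@dataclass
class TagRegistry:
    """IP-to-tag registrations that dynamic address groups are evaluated against."""
    tags: dict = field(default_factory=dict)  # ip -> set of tags

    def register(self, ip, tag):
        self.tags.setdefault(ip, set()).add(tag)  # idempotent: repeat alerts change nothing

    def members(self, match_tag):
        """Dynamic address group membership: every IP currently carrying match_tag."""
        return sorted(ip for ip, t in self.tags.items() if match_tag in t)

def log_filter(rec):
    """Step 1, granular log filtering: only high-severity C2 events trigger an action."""
    return (rec["type"] in {"threat", "wildfire"}
            and rec["category"] == "command-and-control"
            and rec["severity"] in {"high", "critical"})

def process(logs, registry, tag="Compromised"):
    """Step 2, automated action: tag the source IP of every log the filter matches."""
    for rec in logs:
        if log_filter(rec):
            registry.register(rec["src"], tag)

def policy_action(src_ip, registry):
    """First-match lookup: sources in the 'Compromised' group get the Quarantine action."""
    rules = [("Compromised", "Quarantine")]  # (group match tag, action)
    for match_tag, action in rules:
        if src_ip in registry.members(match_tag):
            return action
    return "default-policy"

def run_demo():
    """Return the policy result before and after the logs are processed."""
    reg = TagRegistry()
    before = policy_action("10.3.4.122", reg)
    process(SAMPLE_LOGS, reg)
    return before, policy_action("10.3.4.122", reg), policy_action("10.3.4.50", reg), reg.members("Compromised")
```

The low-severity spyware record on 10.3.4.50 does not match the filter, so that host stays under the default policy; how narrow the filter is decides how many hosts the automation can quarantine.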

Page 19: Demo: Automated Security Actions

Page 20: Scaling Beyond A Single NSX Manager

In Sight

Page 21: Panorama Multiple NSX Manager Support*

*Qualification pending for scale and performance metrics.

• Disaster recovery
• CI/CD – Dev/Test/Prod Environments
• M&A

Page 22: Multi-NSX manager deployment topology

Diagram labels:

• Active / Passive
• NSX Manager 1 (primary)
• NSX Manager 2 (secondary)
• NSX Manager 16 (secondary)
• vCenter <…>

Page 23: Demo: Multiple NSX Manager Support

Page 24: Certified Versions and Clean Upgrades

Redpoint Mode

Page 25: PAN-OS 8.0 Upgrade Considerations

• Must plan for the new footprint adjustments before upgrading
  – All existing models need larger memory and (optional) larger HDD footprint
  – All existing models have lower maximum supported cores
• Simplified model & performance structure reduces the need for some models
  – VM-300 and VM-1000-HV will have identical capabilities
  – VM-100 and VM-200 will have identical capabilities
• All VM-Series models will continue to be fully supported
• All existing VM-Series customers get increased capabilities with PAN-OS 8.0

Page 26: Design Considerations

Leveraging VM-Series Models on ESXi clusters

Page 27: VMware NSX Certification

PAN-OS Version | NSX Manager Version | vSphere Version | Status
7.1.9+ | 6.2.4+ | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3 |
7.1.9+ | 6.3.0+ | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1 |
8.0.2+ (Plugin 1.0+) | 6.2.4+ | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3 |
8.0.2+ (Plugin 1.0+) | 6.3.0+ | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1 |

https://www.vmware.com/resources/compatibility/search.php?deviceCategory=security

Page 28: Evolving Use Cases

Beyond Software Defined Data Center

Page 29: Enterprise perimeter is now everywhere

• Public Cloud
• Software as a Service (SaaS)
• Mobile Users
• Private Cloud
• Remote Networks/Locations
• VMware Cloud (VMC) on AWS

Page 30: Enterprise security challenges

…extend beyond the confines of software defined data center

• Cloud
• Secure Multi Cloud Architectures
• Secure Remote Office/Branch Office

© 2015, Palo Alto Networks. Confidential and

Page 31: Use Case: Secure Multi-Cloud

…extending VMware NSX and VM-Series integration into public clouds protected by VM-Series

• Secure connectivity between private and public clouds (via IPSec tunnels)
• Uniform security policy across corporate networks, clouds and mobile end points

Diagram labels: Internet; VMC on AWS

Page 32: Use Case: Secure Multi-Cloud with GlobalProtect cloud service

…extending enterprise security posture to VMC on AWS via GlobalProtect cloud service

Diagram labels: Headquarters; GlobalProtect cloud service; IPSec/SSL VPN; VMC on AWS

Page 33: Use Case: Branch in a Box

…extending NSX distributed firewall and VM-Series advanced security to remote offices

Diagram labels: VM, VM; Branch Services; SD-WAN; Internet; MPLS; Remote Office/Branch Office

Page 34: Use Case: Secure Remote Office

…leveraging GlobalProtect cloud service with SD-WAN integration

Diagram labels: Headquarters; GlobalProtect cloud service; IPSec; SD-WAN FABRIC; Traffic Flow; Internet

Page 35: In Summary

• Learn more about VM-Series virtual firewall running with the latest PAN-OS 8.0 software
  – New Features, Enhanced Performance and More Choices
  – https://www.paloaltonetworks.com/products/new/new-panos8-0
• Try out our updated Hands-On-Lab at VMworld 2017 – HOL1823
• Meet our Subject Matter Experts at our booth #G211 on the solutions exchange floor
