TRANSCRIPT
Sai – Product Marketing
Nithya – Technical Marketing
SAI3317BES
What’s New in Palo Alto Networks VM-Series Integration with VMware NSX – A Deep Dive
VMworld 2017 Content: Not for publication or distribution
Agenda
Basecamp – The Journey So Far
Enhancements
– Into the Fear Zone – Climbing The VM-Series Performance Peak
– New VM-Series Models and Licensing
New Features
– Less Spray More Belay -- Alternative Security Policy Workflows
– Dyno Move -- Automated Security Response
– In Sight – Scaling Beyond A Single NSX Manager
Best Practices
– Redpoint Mode – Certified Versions and Clean Upgrades
Evolving Use Cases
Gardening Time – Q&A
The Journey So Far
Basecamp
5 years of continued investments
© 2017 Palo Alto Networks, Inc. Confidential and
– NetX Integration
– Dynamic Address Groups (DAGs)
– VM-1000-HV
– Secure Multi-Tenancy
– Performance Enhancements
– VM-100, VM-300, VM-500
– Alternate Security Policy Lifecycle Workflows
– Automated Security Actions
– Securing Across Multiple NSX Managers
Expanding the product portfolio
Circa 2016: VM-100, VM-200, VM-300, VM-1000-HV
2017: VM-50, VM-100, VM-300, VM-500, VM-700
Broad Portfolio of Virtualized Next-Generation Firewalls
Throughput by model (figure): VM-50 200Mbps, VM-100 2Gbps, VM-300 4Gbps, VM-500 8Gbps, VM-700 16Gbps
Use-case spectrum (figure): Core NFV Use Cases through Distributed Enterprise/Data Center Use Cases
Also shown: VM-200, VM-1000-HV
VM-Series on NSX Product Portfolio
© 2017, Palo Alto Networks and/or its partners. All rights reserved. Palo Alto Networks Public
Throughput on NSX (figure): VM-100 1Gbps, VM-300 1.5Gbps, VM-500 3Gbps
Simplified Licensing Bundles
3 New Bundles
– Available for VM-50, VM-100, VM-300, VM-500 & VM-700 models
– Single SKU for each model and its associated renewal SKU.
– Available for all deployments
Bundle matrix (figure): BASIC, BND and BND2* bundles, each paired with PREM SUPP
VM-Series Enterprise Licensing Agreement
…aligning cloud security consumption model with the needs of the enterprise
– Selected Model Support
– Unbounded Subscription Based Model
– Single Bundle
– Easy to Order & Deploy
– Co-termed Subscriptions & Support
Climbing the VM-Series Performance Peak
Into The Fear Zone
What we did under the hood
Packet-path changes (figure): three VM-Series stages, each split into user-space and kernel-space
– Intel DPDK integration (DPDK libs in user-space)
– PCI-PT with CPU/memory optimizations: CPU pinning, NUMA/huge pages
– SR-IOV
Design considerations to get the best performance
• If disabled, enable DPDK in PAN-OS (turned on by default on VMware ESXi)
– admin@PA-VM> show system setting dpdk-pkt-io
– admin@PA-VM> set system setting dpdk-pkt-io on
• Update drivers to versions that support multiple queues
– ESX: modify the VMX file or advanced settings to enable multiple queues
• Isolate CPU resources on a single NUMA node, pin CPUs, and configure huge pages
• Use validated PCI-PT and SR-IOV network adapters
Demo: VM-Series Performance
Alternative Security Policy Workflows
Less Spray and More Belay
What Does It Take to Enforce Advanced Security Policy on NSX?
5 steps:
1. Create Security Tags
2. Create DAGs
3. Apply Tags to Workloads
4. Create Adv. Security Policies
5. Create Redirection Rules
2 management consoles: NSX Manager and Panorama (Security Admin)
• Split Management Model
• Manual Policy Lifecycle Synchronization
• Unintended Security Loopholes
Demo: Panorama Driven Security Policy Workflows
Automated Security Response
Para Gliding
Automate Security Actions
…with Panorama driven security event triggers
Log sources: Threat Prevention logs, Malware and phishing logs, Correlated Event logs, System logs, Data filtering logs, …
Example flow (figure): VM-Series and WildFire C2 alerts on 10.3.4.122 → 10.3.4.122 tagged Compromised → member of the "Compromised hosts" Dynamic Address Group → policy with Source = Dynamic Address Group, Action = Quarantine
1. Granular log filtering
2. Automated actions on the NGFW (AUTO-TAG)
3. Automated actions on third party systems (HTTP/S, any REST API)
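As an added example (not from the deck and not Palo Alto Networks' own tooling), the following Python models the three steps above on constructed log records: filter the logs, auto-tag the offending source IP, resolve Dynamic Address Group membership and the resulting policy hit, then build the PAN-OS XML API user-id registration message that carries the tag to the firewall. The log fields, the "compromised" tag and the sample addresses are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample records with a subset of the fields PAN-OS threat/WildFire logs carry.
SAMPLE_LOGS = [
    {"subtype": "spyware", "category": "command-and-control", "severity": "critical",
     "src": "10.3.4.122", "dst": "203.0.113.9"},
    {"subtype": "wildfire", "verdict": "malicious", "severity": "high",
     "src": "10.3.4.122", "dst": "198.51.100.7"},
    {"subtype": "vulnerability", "category": "info-leak", "severity": "low",
     "src": "10.3.4.50", "dst": "192.0.2.10"},
]

def is_c2_or_malware(log):
    """Step 1, granular log filter: C2 spyware hits or malicious WildFire verdicts only."""
    if log.get("subtype") == "spyware" and log.get("category") == "command-and-control":
        return True
    return log.get("subtype") == "wildfire" and log.get("verdict") == "malicious"

def auto_tag(logs, tag="compromised"):
    """Step 2, AUTO-TAG: tag the source IP of every matching log -> {ip: {tags}}."""
    registrations = {}
    for log in logs:
        if is_c2_or_malware(log):
            registrations.setdefault(log["src"], set()).add(tag)
    return registrations

def dag_members(registrations, match_tag):
    """A Dynamic Address Group resolves to every IP carrying the tag in its match criteria."""
    return sorted(ip for ip, tags in registrations.items() if match_tag in tags)

def policy_action(src_ip, quarantine_members):
    """Rule lookup: the 'Compromised hosts' rule (source = DAG) is hit before the default allow."""
    return "quarantine" if src_ip in quarantine_members else "allow"

def register_payload(registrations):
    """XML-API user-id registration message (<uid-message> schema) that pushes tags to the NGFW."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    reg = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    for ip, tags in sorted(registrations.items()):
        tag_el = ET.SubElement(ET.SubElement(reg, "entry", ip=ip), "tag")
        for t in sorted(tags):
            ET.SubElement(tag_el, "member").text = t
    return ET.tostring(msg, encoding="unicode")

if __name__ == "__main__":
    tags = auto_tag(SAMPLE_LOGS)
    dag = dag_members(tags, "compromised")
    print(dag, policy_action("10.3.4.122", dag), register_payload(tags), sep="\n")
```

Only the host with C2 and WildFire hits lands in the DAG; the low-severity vulnerability log for 10.3.4.50 is filtered out and that host keeps the default allow.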
Demo: Automated Security Actions
Scaling Beyond A Single NSX Manager
In Sight
Panorama Multiple NSX Manager Support*
*Qualification pending for scale and performance metrics.
Use cases: Disaster recovery; CICD – Dev/Test/Prod Environments; M&A
Multi-NSX manager deployment topology
Active / Passive (figure): NSX Manager 1 (primary), NSX Manager 2 (secondary), … NSX Manager 16 (secondary); vCenter <…>
Demo: Multiple NSX Manager Support
Certified Versions and Clean Upgrades
Redpoint Mode
PAN-OS 8.0 Upgrade Considerations
• Plan for the new footprint adjustments before upgrading
– All existing models need more memory and (optionally) a larger HDD footprint
– All existing models have a lower maximum number of supported cores
• The simplified model and performance structure reduces the need for some models
– VM-300 and VM-1000-HV will have identical capabilities
– VM-100 and VM-200 will have identical capabilities
• All VM-Series models will continue to be fully supported
• All existing VM-Series customers get increased capabilities with PAN-OS 8.0
Design Considerations
Leveraging VM-Series Models on ESXi clusters
VMware NSX Certification
PAN-OS Version          NSX Manager Version   vSphere Version                                      Status
7.1.9+                  6.2.4+                ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3
7.1.9+                  6.3.0+                ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1
8.0.2+ (Plugin 1.0+)    6.2.4+                ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3
8.0.2+ (Plugin 1.0+)    6.3.0+                ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1
https://www.vmware.com/resources/compatibility/search.php?deviceCategory=security
Evolving Use Cases
Beyond Software Defined Data Center
Enterprise perimeter is now everywhere
– Public Cloud
– Software as a Service (SaaS)
– Mobile Users
– Private Cloud
– Remote Networks/Locations
– VMware Cloud (VMC) on AWS
VMworld 2017 Content: Not fo
r publication or distri
bution
Enterprise security challenges
…extend beyond the confines of software defined data center
– Cloud: Secure Multi Cloud Architectures
– Secure Remote Office/Branch Office
Use Case: Secure Multi-Cloud
…extending VMware NSX and VM-Series integration into public clouds protected by VM-Series
– Secure connectivity between private and public clouds (via IPSec tunnels)
– Uniform security policy across corporate networks, clouds and mobile end points
Figure: private cloud and VMC on AWS connected across the Internet
Use Case: Secure Multi-Cloud with GlobalProtect cloud service
…extending enterprise security posture to VMC on AWS via GlobalProtect cloud service
Figure: Headquarters and VMC on AWS connected to GlobalProtect cloud service over IPSec/SSL VPN
Use Case: Branch in a Box
…extending NSX distributed firewall and VM-Series advanced security to remote offices
Figure (Branch in a Box Use Case): Remote Office/Branch Office hosting Branch Services VMs, with SD-WAN over Internet and MPLS
Use Case: Secure Remote Office
…leveraging GlobalProtect cloud service with SD-WAN integration
Figure: Headquarters connected over IPSec to GlobalProtect cloud service across the SD-WAN fabric and the Internet; traffic flow shown
In Summary
• Learn more about VM-Series virtual firewall running with the latest PAN-OS 8.0 software
– New Features, Enhanced Performance and More Choices
– https://www.paloaltonetworks.com/products/new/new-panos8-0
• Try out our updated Hands-On-Lab at VMworld 2017 – HOL1823
• Meet our Subject Matter Experts at our booth #G211 on the solutions exchange floor