Sudeep - Product Line Manager
Sai - Product Marketing
SAI3317BES
What’s New in Palo Alto Networks VM-Series Integration with VMware NSX – A Deep Dive
VMworld 2017 Content: Not for publication or distribution
Agenda
Basecamp – The Journey So Far
Enhancements
– Into the Fear Zone – Climbing The VM-Series Performance Peak
– New VM-Series Models and Licensing
Best Practices
– Redpoint Mode – Certified Versions and Clean Upgrades
New Features
– Less Spray More Belay – Alternative Security Policy Workflows
– Dyno Move – Automated Security Response
– In Sight – Scaling Beyond A Single NSX Manager
Evolving Use Cases
Gardening Time – Q&A
Basecamp – The Journey So Far
5 Years of continued investments
(Timeline figure, 2012 to 2017)
Models: VM-1000-HV, VM-100, VM-200, VM-300
Cloud infrastructure support: vCloud Air, Azure ELB, Auto Scaling
SDN/orchestration integrations
What we did in the last 12 months
2017
• Broad portfolio: VM-50, VM-100, VM-300, VM-500, VM-700
• Device Package 1.2: enhanced security policy lifecycle management, security templates
• Cloud infrastructure support
• SDN/orchestration integrations
• Performance
Expanding the product portfolio
Circa 2016: VM-100, VM-200, VM-300, VM-1000-HV
2017: VM-50, VM-100, VM-300, VM-500, VM-700
Broad Portfolio of Virtualized Next-Generation Firewalls
(Throughput figure)
VM-50: 200Mbps | VM-100: 2Gbps | VM-300: 4Gbps | VM-500: 8Gbps | VM-700: 16Gbps
Use case bands: Core NFV Use Cases; Distributed Enterprise/Data Center Use Cases
Earlier models also shown: VM-200, VM-1000-HV
VM-Series on NSX Product Portfolio
© 2017, Palo Alto Networks and/or its partners. All rights reserved. Palo Alto Networks Public
VM-100: 1Gbps | VM-300: 1.5Gbps | VM-500: 3Gbps
Cloud Security Licensing Challenges
• Multi-Cloud Strategy
• Shadow IT license spend
• Lack of license portability
• Constrained access to licenses
• Licensing Automation Challenges
• Technology Barriers
• Piecemeal Security
• Multiple Point Security Solutions
• Multiple Vendors
• Budget unpredictability
• Decentralized purchasing
• Operational Barriers
Simplified Licensing Bundles
3 New Bundles
– Available for VM-50, VM-100, VM-300, VM-500 & VM-700 models
– Single SKU for each model and its associated renewal SKU.
– Available for all deployments
(Bundle figure: BASIC, BND, BND2*, each shown with PREM SUPP)
VM-Series Enterprise Licensing Agreement
…aligning cloud security consumption model with the needs of the enterprise
• Selected Model Support
• Unbounded Subscription Based Model
• Single Bundle – Easy to Order & Deploy
• Co-termed Subscriptions & Support
Into The Fear Zone – Climbing the VM-Series Performance Peak
What we did under the hood
(Architecture figure: VM-Series user-space / kernel-space, three stages)
1. Intel DPDK integration – DPDK libraries move packet I/O into user-space
2. PCI-PT and CPU/memory optimizations – CPU pinning, NUMA, huge pages
3. SR-IOV
Design considerations to get the best performance
• Isolate CPU resources on a single NUMA node, pin CPUs, configure Huge Pages
• Use validated PCI-PT and SR-IOV network adapters
• Update drivers to versions which support multiple queues
– ESX: Modify the VMX file or advanced settings to enable multiple queues
• Enable DPDK in PAN-OS (turned on by default on VMware ESXi)
– admin@PA-VM> show system setting dpdk-pkt-io
– admin@PA-VM> set system setting dpdk-pkt-io on
Redpoint Mode – Certified Versions and Clean Upgrades
PAN-OS 8.0 Upgrade Considerations
• All VM-Series models supported
• Existing models get increased capacity and performance
• Higher resources and max supported cores
• Identical capabilities: VM-1000-HV to VM-300, VM-200 to VM-100
VMware NSX Certification
PAN-OS Version       | NSX Manager Version | vSphere Version                                   | Status
7.1.9+               | 6.2.4+              | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3              |
7.1.9+               | 6.3.0+              | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1 |
8.0.2+ (Plugin 1.0+) | 6.2.4+              | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3              |
8.0.2+ (Plugin 1.0+) | 6.3.0+              | ESXi 5.5 U2, U3; ESXi 6.0 U1, U2, U3; ESXi 6.5 U1 |
https://www.vmware.com/resources/compatibility/search.php?deviceCategory=security
Less Spray and More Belay – Alternative Security Policy Workflows
Operational Workflows within VMware NSX: Before PAN-OS 8.0
(Swimlanes: NSX Manager, Security Admin)
1. Create Security Tags
2. Create Dynamic Address Groups to synchronize with Security Tags
3. Apply Security Tags to Workloads
4. Apply App-ID and advanced security policies between Security Tags
5. Create Traffic Redirection Policies to VM-Series
Security policy lifecycle management within VMware NSX: PAN-OS 8.0
(Swimlanes: NSX Manager, Security Admin)
1. Security Admin: Create Dynamic Address Groups with special NSX tags – NSX Manager: Create Security Tags
2. Security Admin: Apply App-ID and advanced security policies between DAGs – NSX Manager: Create Traffic Redirection Policies to VM-Series
3. NSX Manager: Apply Security Tags to Workloads
Automated Security Policy Creation Workflow
Security Admin (performs steps 1 & 3); NSX Admin (performs step 2)
1. Create security tags within Panorama (figure example: PCI, DMZ, PROD, DEV); security tag information is automatically updated to NSX Manager
2. Define security tag membership within NSX
3. Create security policies in Panorama based on security tags; redirection policies are automatically created on NSX Manager
Demo: Panorama Driven Security Policy Workflows
Para Gliding – Automated Security Response
Automate Security Actions
…with Panorama driven security event triggers
Log sources: Threat Prevention logs, Malware and phishing logs, Correlated Event logs, System logs, Data filtering logs, …
Example flow on the slide: VM-Series and WildFire C2 alerts on 10.3.4.122 → 10.3.4.122 tagged Compromised → Dynamic Address Group "Compromised hosts" → Policy (Source: Compromised hosts DAG, Action: Enforce multi-factor authentication)
1. Granular log filtering
2. Automated actions on the NGFW (AUTO-TAG)
3. Automated actions on third party systems (HTTP/S to any REST API)
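As an added example, not Palo Alto Networks code: a small Python model of the three steps above (granular log filtering, AUTO-TAG on the source address, a policy action resolved through a Dynamic Address Group); the same tag-to-DAG mechanism underlies the Panorama-driven NSX policy workflow slides. The supported filter subset, tag names, log records and rule action are constructed assumptions.

```python
import re
# Constructed sample logs (not real PAN-OS output) mirroring the slide:
# VM-Series threat and WildFire C2 alerts on 10.3.4.122.
SAMPLE_LOGS = [
    {"type": "threat", "subtype": "spyware", "severity": "critical", "src": "10.3.4.122", "dst": "198.51.100.7"},
    {"type": "wildfire", "subtype": "wildfire-virus", "severity": "high", "src": "10.3.4.122", "dst": "203.0.113.9"},
    {"type": "threat", "subtype": "vulnerability", "severity": "low", "src": "10.3.4.50", "dst": "10.3.4.122"},
]
TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+([\w.-]+)\s*\)")

def log_matches(log, query):
    """Step 1, granular log filtering: evaluate a PAN-OS-style filter such as
    '(subtype eq spyware) and (severity eq critical)'. Only eq/neq terms joined
    by and/or are supported (and binds tighter than or); any other syntax
    raises instead of silently matching nothing."""
    def term(m):
        field, op, value = m.groups()
        hit = str(log.get(field, "")) == value
        return "1" if (hit if op == "eq" else not hit) else "0"
    expr = TERM.sub(term, query).strip()
    if not re.fullmatch(r"[01](\s+(and|or)\s+[01])*", expr):
        raise ValueError(f"unsupported filter syntax: {query}")
    return any(all(t == "1" for t in clause.split("and"))
               for clause in expr.replace(" ", "").split("or"))

def auto_tag(logs, match_list):
    """Step 2, AUTO-TAG: each matching log registers the filter's tag on the
    log's source address. Returns the registry: ip -> set of tags."""
    registry = {}
    for log in logs:
        for query, tag in match_list:
            if log_matches(log, query):
                registry.setdefault(log["src"], set()).add(tag)
    return registry

def dag_members(registry, match_tag):
    """A Dynamic Address Group is every address carrying its match tag."""
    return sorted(ip for ip, tags in registry.items() if match_tag in tags)

def policy_action(src_ip, registry, rules, default="allow"):
    """Rules reference a DAG by its tag; the first matching rule wins."""
    for dag_tag, action in rules:
        if dag_tag in registry.get(src_ip, set()):
            return action
    return default

# Constructed match list and rule: C2 / WildFire hits tag the host Compromised; the DAG then enforces MFA.
MATCH_LIST = [("(subtype eq spyware) and (severity eq critical)", "Compromised"),
              ("(type eq wildfire) and (subtype eq wildfire-virus)", "Compromised")]
RULES = [("Compromised", "enforce-mfa")]
```

Note that the third log carries 10.3.4.122 only as destination, so 10.3.4.50 is not tagged: the tag follows the address the filter names, and a filter with unsupported syntax fails loudly rather than tagging nothing.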
In Sight – Scaling Beyond A Single NSX Manager
Panorama Multiple NSX Manager Support*
*Qualification pending for scale and performance metrics.
Use cases: Disaster recovery; CICD – Dev/Test/Prod Environments; M&A
Multi-NSX manager deployment topology
(Topology figure: Active / Passive; NSX Manager 1 (primary), NSX Manager 2 (secondary), … NSX Manager 16 (secondary); vCenter <…>)
Enterprise security challenges
© 2015, Palo Alto Networks. Confidential and
…extend beyond the confines of the software defined data center
• Cloud
• Secure Multi Cloud Architectures
• Secure Remote Office/Branch Office
Enterprise perimeter is now everywhere
• Public Cloud
• Software as a Service (SaaS)
• Mobile Users
• Private Cloud
• Remote Networks/Locations
• VMware Cloud (VMC) on AWS
Challenging to scale globally and manage rapid changes
Use Case: Secure Multi-Cloud
…extending VMware NSX and VM-Series integration into public clouds protected by VM-Series
• Secure connectivity between private and public clouds (via IPSec tunnels)
• Uniform security policy across corporate networks, clouds and mobile end points
(Figure: Internet, VMC on AWS)
Use Case: Secure Multi-Cloud with GlobalProtect cloud service
…extending enterprise security posture to VMC on AWS via GlobalProtect cloud service
(Figure: Headquarters – GlobalProtect cloud service – IPSec/SSL VPN – VMC on AWS)
Use Case: Branch in a Box
…extending NSX distributed firewall and VM-Series advanced security to remote offices
(Figure: Remote Office/Branch Office with branch services VMs, SD-WAN, Internet and MPLS links)
Use Case: Secure Remote Office
…leveraging GlobalProtect cloud service with SD-WAN integration
(Figure: Headquarters – GlobalProtect cloud service – IPSec – SD-WAN fabric – Internet; traffic flow shown)
In Summary
• Learn more about VM-Series virtual firewall running with the latest PAN-OS 8.0 software
– New Features, Enhanced Performance and More Choices
– https://www.paloaltonetworks.com/products/new/new-panos8-0
• Try out our updated Hands-On-Lab at VMworld 2017 – SPL1823
• Meet our Subject Matter Experts at our booth #627 on the solutions exchange floor