Special Coverage Series

Network Computing

Special Coverage Series

Commentary

Kurt Marko
Kurt Marko Contributing Editor

Palo Alto Integrates Next-Generation Firewall With VMware NSX

New firewall appliance combines Palo Alto's Panorama central management platform with ESXi VMs by plugging into the NSX virtual network controller.

When VMware launched NSX earlier this year, it promised a network controller -- extensible using published APIs -- that allows higher level network services such as firewalls, load balancers and application accelerators to plug in at any point in a virtual network. VMware touted more than 20 partners working on NSX integration. The vision sounded great, but given VMware's inclusion of several network services in NSX including firewall, load balancing and VPN termination, it was easy to assume that the promised virtual ecosystem was DOA.

Palo Alto Networks has countered that assumption with its firewall appliance for NSX. Selling optional services against a built-in feature is never an easy task, but Palo Alto has taken up the challenge.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

The new appliance marries Palo Alto's next-generation firewall, in virtual appliance form, and Panorama central management platform with ESXi VMs by plugging into the NSX virtual network controller. It's a logical extension of Palo Alto's existing VM-Series by moving the virtual firewall from the VM to the hypervisor, plugging directly into the NSX vSwitch to access all hosts on a given system.

According to Danelle Au, solutions marketing director at Palo Alto Networks, tighter integration into the network control plane via NSX allows better tracking of VM movement, more granular control and easier service insertion to existing VMware infrastructure.

The NSX-Panorama integration means that Palo Alto virtual firewalls now take orders from two masters: the NSX controller for deployment and network insertion (addresses, VLANs, etc.) and the Panorama console for security policy. By using the same security management system as Palo Alto's hardware appliances, while also being integrated with the NSX network controller, the design facilitates keeping security and server management duties separated, according to Au. Security admins continue to set policy, define rules and monitor events from their existing management console while server admins can deploy and move VMs without worrying about changing network or security configurations.

Key to the automation and dynamic updating of security policy configuration is the use of what Palo Alto calls containers that set security policy based on application, user groups or content. As Au wrote in this blog post, the firewall's "dynamic address groups feature can now populate application container context directly from VMware so security policies will incorporate the latest attributes of virtual machines."

Au added that communication between the NSX controller and Panorama security management system results in a fully automated deployment. Once a VM admin provisions applications in the appropriate container, the respective network and security controllers take care of the configuration details. The system also means applications can migrate to different hosts without the server admin having to worry about security implications.

[Read about VMware's licensing scheme for NSX in "VMware Mum On NSX Pricing, Touts License Plan."]

According to Au, the firewall registers as a network service on the NSX controller, which then updates configuration details of VM deployments back to the Panorama platform. The NSX controller automatically deploys the virtual firewall image to all ESXi systems and the firewall uses the NSX vSwitch network services to connect with every VM on the physical host. The virtual firewall gets licenses and policy from Panorama, which also updates any network changes it receives from the NSX controller.

Although NSX also supports KVM and Xen, Palo Alto's product currently only works on ESXi. Au said the company is still profiling the product's performance, but expects to provide 1 Gbps of throughput per VM with full "App-ID" traffic classification enabled. Licensing details have yet to be released, but Au said the NSX-compatible firewall will be available in configurations supporting 2, 4 or 8 virtual ports. Palo Alto's VM-Series for NSX is currently in beta release with general availability planned in the first half of 2014.

The joint development between VMware and Palo Alto is the most concrete example yet of the synergies between virtual network overlays and application services. The product illustrates the improvements in service granularity, automation and separation of administrative roles that is possible in virtual networks. It will be interesting to see if other security, load balancing, WAN optimization and monitoring/forensics products follow Palo Alto's lead by jumping on the NSX bandwagon. Given the elegance of this this design, we expect there will be many.



Related Reading



Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 

Editor's Choice

Research: 2014 State of Server Technology

Research: 2014 State of Server Technology

Buying power and influence are rapidly shifting to service providers. Where does that leave enterprise IT? Not at the cutting edge, thatís for sure: Only 19% are increasing both the number and capability of servers, budgets are level or down for 60% and just 12% are using new micro technology.
Get full survey results now! »

Vendor Turf Wars

Vendor Turf Wars

The enterprise tech market used to be an orderly place, where vendors had clearly defined markets. No more. Driven both by increasing complexity and Wall Street demands for growth, big vendors are duking it out for primacy -- and refusing to work together for IT's benefit. Must we now pick a side, or is neutrality an option?
Get the Digital Issue »

WEBCAST: Software Defined Networking (SDN) First Steps

WEBCAST: Software Defined Networking (SDN) First Steps


Software defined networking encompasses several emerging technologies that bring programmable interfaces to data center networks and promise to make networks more observable and automated, as well as better suited to the specific needs of large virtualized data centers. Attend this webcast to learn the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging.
Register Today »

Related Content

From Our Sponsor

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

Business executives are challenging their IT staffs to convert data centers from cost centers into producers of business value. Data centers can make a significant impact to the bottom line by enabling the business to respond more quickly to market demands. This paper demonstrates, through a series of examples, how data center infrastructure management software tools can simplify operational processes, cut costs, and speed up information delivery.

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Both hot-air and cold-air containment can improve the predictability and efficiency of traditional data center cooling systems. While both approaches minimize the mixing of hot and cold air, there are practical differences in implementation and operation that have significant consequences on work environment conditions, PUE, and economizer mode hours. The choice of hot-aisle containment over cold-aisle containment can save 43% in annual cooling system energy cost, corresponding to a 15% reduction in annualized PUE. This paper examines both methodologies and highlights the reasons why hot-aisle containment emerges as the preferred best practice for new data centers.

Monitoring Physical Threats in the Data Center

Monitoring Physical Threats in the Data Center

Traditional methodologies for monitoring the data center environment are no longer sufficient. With technologies such as blade servers driving up cooling demands and regulations such as Sarbanes-Oxley driving up data security requirements, the physical environment in the data center must be watched more closely. While well understood protocols exist for monitoring physical devices such as UPS systems, computer room air conditioners, and fire suppression systems, there is a class of distributed monitoring points that is often ignored. This paper describes this class of threats, suggests approaches to deploying monitoring devices, and provides best practices in leveraging the collected data to reduce downtime.

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Rack power of 10 kW per rack or more can result from the deployment of high density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2 kW. Five strategies for deploying ultra-high power racks are described, covering practical solutions for both new and existing data centers.

Power and Cooling Capacity Management for Data Centers

Power and Cooling Capacity Management for Data Centers

High density IT equipment stresses the power density capability of modern data centers. Installation and unmanaged proliferation of this equipment can lead to unexpected problems with power and cooling infrastructure including overheating, overloads, and loss of redundancy. The ability to measure and predict power and cooling capability at the rack enclosure level is required to ensure predictable performance and optimize use of the physical infrastructure resource. This paper describes the principles for achieving power and cooling capacity management.