Product Documentation

Palo Alto Networks VM-Series

Note: Provisioning Palo Alto VM-Series instances on a Citrix ADC SDX appliance is supported only on Citrix ADC release 10.1.e.

Palo Alto Networks VM-Series virtual firewalls use the same PAN-OS feature set that is available in the company’s physical security appliances, providing all key network security functions. VM-Series on Citrix SDX enables consolidation of advanced security and ADC capabilities on a single platform, for secure, reliable access to applications by businesses, business units, and service-provider customers. The combination of VM-Series on Citrix SDX also provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments.

You can provision, monitor, manage, and troubleshoot an instance from the Management Service.

Points to note:

  • The total number of instances that you can provision on an SDX appliance depends on the SDX hardware resources available .
  • You must upgrade your XenServer version to version 6.1.0 and install the xs-netscaler-6.1.0-2.6.32.43 -0.4.1.xs1.6.10.777.170770-100012 supplemental pack.
  • SR-IOV interfaces (1/x and 10/x) that are part of a channel do not appear in the list of interfaces because channels are not supported on a Websense protector instance. For more information about Palo Alto Network VM-Series, see [[Palo Alto Network Documentation.

Provisioning a PaloAlto VM-Series Instance

Before you can provision a Palo Alto VM-Series instance, you must download an XVA image from the Palo Alto Networks website. After you have downloaded the XVA image, upload it to the SDX appliance. Make sure you are using Management Service version 10.1 build 120.130403.e or later on the SDX appliance.

To upload an XVA image to the SDX appliance:

  1. On the Configuration tab, navigate to PaloAlto VM-Series > Software Images.
  2. In the details pane, under XVA Files, from the Action drop-down list, click Upload.
  3. In the dialog box that appears, click Browse, and then select the XVA file that you want to upload.
  4. Click Upload. The XVA file appears in the XVA Files pane.

To provision a Palo Alto VM-Series instance:

  1. On the Configuration tab, navigate to PaloAlto VM-Series > Instances.
  2. In the details pane, click Add.
  3. In the Provision PaloAlto VM-Series wizard, follow the instructions on the screen.
  4. Click Finish, and then click Close.

After you provision the instance, log on to the instance and perform the detailed configuration.

To modify the values of the parameters of a provisioned instance, in the details pane, select the instance that you want to modify, and then click Modify. In the Modify PaloAlto VM-Series wizard, set the parameters to values suitable for your environment.

Note: If you modify any of the interface parameters or the name of the instance, the instance stops and restarts to put the change into effect.

Monitoring a Palo Alto VM-Series Instance

The SDX appliance collects statistics, such as the version of SDXTools running on the instance, of a Palo Alto VM-Series instance.

To view the statistics related to a Palo Alto VM-Series instance:

  1. Navigate to PaloAlto VM-Series > Instances.
  2. In the details pane, click the arrow next to the name of the instance.

Managing a PaloAlto VM-Series Instance

You can start, stop, restart, force stop, or force restart a PaloAlto VM-Series instance from the Management Service.

On the Configuration tab, expand PaloAlto VM-Series.

  1. Navigate to PaloAlto VM-Series > Instances.
  2. In the details pane, select the instance on which you want to perform the operation, and then select one of the following options:
    • Start
    • Shut Down
    • Reboot
    • Force Shutdown
    • Force Reboot
  3. In the Confirm message box, click Yes.

Troubleshooting a PaloAlto VM-Series Instance

You can ping a PaloAlto VM-Series instance from the Management Service to check whether the device is reachable. You can trace the route of a packet from the Management Service to an instance to determine the number of hops involved in reaching the instance.

You can rediscover an instance to view the latest state and configuration of an instance. During rediscovery, the Management Service fetches the configuration and the version of the PaloAlto VM-Series running on the SDX appliance. By default, the Management Service schedules instances for rediscovery once every 30 minutes.

On the Configuration tab, expand PaloAlto VM-Series.

To Ping an instance:

  1. Click Instances.
  2. In the details pane, select the instance that you want to ping, and from the Action list, click Ping. The Pingmessage box shows whether the ping is successful.

To Trace the route an instance:

  1. Click Instances.
  2. In the details pane, select the instance that you want to ping, and from the Action list, click TraceRoute. The Traceroute message box displays the route to the instance.

To rediscover an instance:

  1. Click Instances.
  2. In the details pane, select the instance that you want to rediscover, and from the Action list, click Rediscover.
  3. In the Confirm message box, click Yes.