VMware Networking Community
yhum
Contributor

NSX-T integration with Palo Alto VM-Series - E-W host-based deployment

Hello Everyone,

I have two data centers running NSX-T 3.2 in a vSphere environment, where each data center has two clusters (Prod and Non-Prod). We need to integrate NSX-T with the PAN VM-Series firewall for East-West traffic in the host-based model. I'm confused about how many service definitions, device groups, and templates I should create in Panorama.
Should that be one service definition per DC (for both clusters) or two service definitions per DC (one SD per cluster)?

The documentation says "You cannot reuse a template stack or a device group assigned to one service definition in another service definition." I'm not sure how this statement will affect the design.

I will appreciate any feedback/suggestions.

Regards

2 Replies
Sreec
VMware Employee

From my experience, it totally depends upon the design. Dedicated/Multi-tenant requirements are critical factors I have usually seen. You can have a unique Service Definition per Tenant as well if there is a real need. 

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
yhum
Contributor

Thank you Sree.

We don't have a multi-tenant environment as such. We have three clusters (let's say Windows_cluster, Linux_cluster, DMZ_cluster) in a data center. Both Production and Dev applications are spread across all three clusters. So my question is whether I should create just one service definition for all three clusters, which means all PAN firewalls running in the three clusters will be part of one device group and one template stack. That means firewall policies will get pushed to all firewalls in the data centers.
On the other hand, if I create a separate service definition for each cluster, that means a separate device group and template stack for each cluster, and so firewall configuration and policies will be managed for each cluster separately.
That's where I need some guidance on which option to choose for the given situation.

I will appreciate your feedback.
