Palo Alto Virtual firewall deployment guide on OpenStack Cloud
3 likes2,522 views
This document provides instructions for setting up a Palo Alto Networks firewall using CloudStack. It describes adding the Palo Alto firewall as a service provider in CloudStack, creating a network service offering, and configuring the firewall with public and private interfaces, zones, virtual routers, and default routing. Firewall and NAT rules will be automatically configured by CloudStack. Additional options like threat profiles and log forwarding can also be applied.
Palo Alto Virtual firewall deployment guide on OpenStack Cloud
- 1. Setup a Palo Alto Networks Firewall Functionality Provided This implementation enables the orchestration of a Palo Alto Networks Firewall from within CloudStack UI and API. The following features are supported: • List/Add/Delete Palo Alto Networks service provider • List/Add/Delete Palo Alto Networks network service offering • List/Add/Delete Palo Alto Networks network using the above service offering • Add an instance to a Palo Alto Networks network • Source NAT management on network create and delete • List/Add/Delete Ingress Firewall rule • List/Add/Delete Egress Firewall rule (both 'Allow' and 'Deny' default rules supported) • List/Add/Delete Port Forwarding rule • List/Add/Delete Static NAT rule • Apply a Threat Profile to all firewall rules (more details in the Additional Features section) • Apply a Log Forwarding profile to all firewall rules (more details in the Additional Features section) Initial Palo Alto Networks Firewall Configuration Anatomy of the Palo Alto Networks Firewall • In 'Network > Interfaces' there is a list of physical interfaces as well as aggregated physical interfaces which are used for managing traffic in and out of the Palo Alto Networks Firewall device. • In 'Network > Zones' there is a list of the different configuration zones. This implementation will use two zones; a public (defaults to 'untrust') and private (defaults to 'trust') zone. • In 'Network > Virtual Routers' there is a list of VRs which handle traffic routing for the Palo Alto Firewall. We only use a single Virtual Router on the firewall and it is used to handle all the routing to the next network hop. • In 'Objects > Security Profile Groups' there is a list of profiles which can be applied to firewall rules. These profiles are used to better understand the types of traffic that is flowing through your network. Configured when you add the firewall provider to OpenStack. • In 'Objects > Log Forwarding' there is a list of profiles which can be applied to firewall rules. These profiles are used to better track the logs generated by the firewall. Configured when you add the firewall provider to OpenStack. • In 'Policies > Security' there is a list of firewall rules that are currently configured. You will not need to modify this section because it will be completely automated by OpenStack, but
- 2. you can review the firewall rules which have been created here. • In 'Policies > NAT' there is a list of the different NAT rules. You will not need to modify this section because it will be completely automated by OpenStack, but you can review the different NAT rules that have been created here. Source NAT, Static NAT and Destination NAT (Port Forwarding) rules will show up in this list. Configure the Public / Private Zones on the firewall No manual configuration is required to setup these zones because OpenStack will configure them automatically when you add the Palo Alto Networks firewall device to OpenStack as a service provider. This implementation depends on two zones, one for the public side and one for the private side of the firewall. • The public zone (defaults to 'untrust') will contain all of the public interfaces and public IPs. • The private zone (defaults to 'trust') will contain all of the private interfaces and guest network gateways. The NAT and firewall rules will be configured between these zones. Configure the Public / Private Interfaces on the firewall This implementation supports standard physical interfaces as well as grouped physical interfaces called aggregated interfaces. Both standard interfaces and aggregated interfaces are treated the same, so they can be used interchangeably. For this document, we will assume that we are using 'ethernet1/1' as the public interface and 'ethernet1/2' as the private interface. If aggregated interfaces where used, you would use something like 'ae1' and 'ae2' as the interfaces. This implementation requires that the 'Interface Type' be set to 'Layer3' for both the public and private interfaces. If you want to be able to use the 'Untagged' VLAN tag for public traffic in OpenStack, you will need to enable support for it in the public 'ethernet1/1' interface (details below). Steps to configure the Public Interface: 1. Log into Palo Alto Networks Firewall 2. Navigate to 'Network > Interfaces' 3. Click on 'ethernet1/1' (for aggregated ethernet, it will probably be called 'ae1') 4. Select 'Layer3' from the 'Interface Type' list 5. Click 'Advanced' 6. Check the 'Untagged Subinterface' check-box 7. Click 'OK' Steps to configure the Private Interface: 1. Click on 'ethernet1/2' (for aggregated ethernet, it will probably be called 'ae2') 2. Select 'Layer3' from the 'Interface Type' list 3. Click 'OK'
- 3. Configure a Virtual Router on the firewall The Virtual Router on the Palo Alto Networks Firewall is not to be confused with the Virtual Routers that OpenStack provisions. For this implementation, the Virtual Router on the Palo Alto Networks Firewall will ONLY handle the upstream routing from the Firewall to the next hop. Steps to configure the Virtual Router: 1. Log into Palo Alto Networks Firewall 2. Navigate to 'Network > Virtual Routers' 3. Select the 'default' Virtual Router or Add a new Virtual Router if there are none in the list • If you added a new Virtual Router, you will need to give it a 'Name' 4. Navigate to 'Static Routes > IPv4' 5. 'Add' a new static route • Name: next_hop (you can name it anything you want) • Destination: 0.0.0.0/0 (send all traffic to this route) • Interface: ethernet1/1 (or whatever you set your public interface as) • Next Hop: (specify the gateway IP for the next hop in your network) • Click 'OK' 6. Click 'OK' Configure the default Public Subinterface The current implementation of the Palo Alto Networks firewall integration uses CIDRs in the form of 'w.x.y.z/32' for the public IP addresses that OpenStack provisions. Because no broadcast or gateway IPs are in this single IP range, there is no way for the firewall to route the traffic for these IPs. To route the traffic for these IPs, we create a single subinterface on the public interface with an IP and a CIDR which encapsulates the OpenStack public IP range. This IP will need to be inside the subnet defined by the OpenStack public range netmask, but outside the OpenStack public IP range. The CIDR should reflect the same subnet defined by the OpenStack public range netmask. The name of the subinterface is determined by the VLAN configured for the public range in OpenStack. To clarify this concept, we will use the following example. Example OpenStack Public Range Configuration: • Gateway: 172.30.0.1 • Netmask: 255.255.255.0 • IP Range: 172.30.0.100 - 172.30.0.199 • VLAN: Untagged Configure the Public Subinterface: 1. Log into Palo Alto Networks Firewall 2. Navigate to 'Network > Interfaces' 3. Select the 'ethernet1/1' line (not clicking on the name) 4. Click 'Add Subinterface' at the bottom of the window 5. Enter 'Interface Name': 'ethernet1/1' . '9999'
- 4. • 9999 is used if the OpenStack public range VLAN is 'Untagged' • If the OpenStack public range VLAN is tagged (eg: 333), then the name will reflect that tag 6. The 'Tag' is the VLAN tag that the traffic is sent to the next hop with, so set it accordingly. If you are passing 'Untagged' traffic from OpenStack to your next hop, leave it blank. If you want to pass tagged traffic fromOpenStack, specify the tag. 7. Select 'default' from the 'Config > Virtual Router' drop-down (assuming that is what your virtual router is called) 8. Click the 'IPv4' tab 9. Select 'Static' from the 'Type' radio options 10.Click 'Add' in the 'IP' section 11.Enter '172.30.0.254/24' in the new line • The IP can be any IP outside the OpenStack public IP range, but inside the OpenStack public range netmask (it can NOT be the gateway IP) • The subnet defined by the CIDR should match theOpenStack public range netmask 12.Click 'OK' Commit configuration on the Palo Alto Networks Firewall In order for all the changes we just made to take effect, we need to commit the changes. 1. Click the 'Commit' link in the top right corner of the window 2. Click 'OK' in the commit window overlay 3. Click 'Close' to the resulting commit status window after the commit finishes Setup the Palo Alto Networks Firewall in OpenStack Add the Palo Alto Networks Firewall as a Service Provider 1. Navigate to 'Infrastructure > Zones > ZONE_NAME > Physical Network > NETWORK_NAME (guest) > Configure; Network Service Providers' 2. Click on 'Palo Alto' in the list 3. Click 'View Devices' 4. Click 'Add Palo Alto Device' 5. Enter your configuration in the overlay. This example will reflect the details previously used in this guide. • IPAddress: (the IP of the Palo Alto Networks Firewall) • Username: (the admin username for the firewall) • Password: (the admin password for the firewall) • Type: Palo Alto Firewall • Public Interface: ethernet1/1 (use what you setup earlier as the public interface if it is different from my examples) • Private Interface: ethernet1/2 (use what you setup earlier as the private interface if it is different from my examples) • Number of Retries: 2 (the default is fine)
- 5. • Timeout: 300 (the default is fine) • Public Network: untrust (this is the public zone on the firewall and did not need to be configured) • Private Network: trust (this is the private zone on the firewall and did not need to be configured) • Virtual Router: default (this is the name of the Virtual Router we setup on the firewall) • Palo Alto Threat Profile: (not required. name of the 'Security Profile Groups' to apply. more details in the 'Additional Features' section) • Palo Alto Log Profile: (not required. name of the 'Log Forwarding' profile to apply. more details in the 'Additional Features' section) • Capacity: (not required) • Dedicated: (not required) 6. Click 'OK' 7. Click on 'Palo Alto' in the breadcrumbs to go back one screen. 8. Click on 'Enable Provider' 9. Add a Network Service Offering to use the new Provider There are 6 'Supported Services' that need to be configured in the network service offering for this functionality. They are DHCP, DNS, Firewall, Source NAT, Static NAT and Port Forwarding. For the other settings, there are probably additional configurations which will work, but I will just document a common case. 1. Navigate to 'Service Offerings' 2. In the drop-down at the top, select 'Network Offerings' 3. Click 'Add Network Offering' • Name: (name it whatever you want) • Description: (again, can be whatever you want) • Guest Type: Isolated • Supported Services: • DHCP: Provided by 'VirtualRouter' • DNS: Provided by 'VirtualRouter' • Firewall: Provided by 'PaloAlto' • Source NAT: Provided by 'PaloAlto' • Static NAT: Provided by 'PaloAlto' • Port Forwarding: Provided by 'PaloAlto' • System Offering for Router: System Offering For Software Router • Supported Source NAT Type: Per account (this is the only supported option) • Default egress policy: (both 'Allow' and 'Deny' are supported) 4. Click 'OK' 5. Click on the newly created service offering 6. Click 'Enable network offering'
- 6. When adding networks in OpenStack, select this network offering to use the Palo Alto Networks firewall. Palo Alto Networks Threat Profile This feature allows you to specify a 'Security Profile Group' to be applied to all of the firewall rules which are created on the Palo Alto Networks firewall device. To create a 'Security Profile Group' on the Palo Alto Networks firewall, do the following: 1. Log into the Palo Alto Networks firewall 2. Navigate to 'Objects > Security Profile Groups' 3. Click 'Add' at the bottom of the page to add a new group 4. Give the group a Name and specify the profiles you would like to include in the group 5. Click 'OK' 6. Click the 'Commit' link in the top right of the screen and follow the on screen instructions Once you have created a profile, you can reference it by Name in the 'Palo Alto Threat Profile' field in the 'Add the Palo Alto Networks Firewall as a Service Provider' step. Palo Alto Networks Log Forwarding Profile This feature allows you to specify a 'Log Forwarding' profile to better manage where the firewall logs are sent to. This is helpful for keeping track of issues that can arise on the firewall. To create a 'Log Forwarding' profile on the Palo Alto Networks Firewall, do the following: 1. Log into the Palo Alto Networks firewall 2. Navigate to 'Objects > Log Forwarding' 3. Click 'Add' at the bottom of the page to add a new profile 4. Give the profile a Name and specify the details you want for the traffic and threat settings 5. Click 'OK' 6. Click the 'Commit' link in the top right of the screen and follow the on screen instructions Once you have created a profile, you can reference it by Name in the 'Palo Alto Log Profile' field in the 'Add the Palo Alto Networks Firewall as a Service Provider' step.
- 7. the VM-Series supports a wide range of networking features that allows you to more easily integrate our security features into your existing network Thanks In Advance Guys and enjoy with My refer VMs Series Firewall Deployment Guide.