.. Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file
   distributed with this work for additional information
   regarding copyright ownership.  The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License.  You may obtain a copy of the License at
   http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied.  See the License for the
   specific language governing permissions and limitations
   under the License.


Set up a Palo Alto Networks Firewall
------------------------------------


Functionality Provided
~~~~~~~~~~~~~~~~~~~~~~

This implementation enables the orchestration of a Palo Alto Networks Firewall
from within the CloudStack UI and API.

**The following features are supported**:

- List/Add/Delete Palo Alto Networks service provider

- List/Add/Delete Palo Alto Networks network service offering

- List/Add/Delete Palo Alto Networks network using the above service offering

- Add an instance to a Palo Alto Networks network

- Source NAT management on network create and delete

- List/Add/Delete Ingress Firewall rule

- List/Add/Delete Egress Firewall rule (both 'Allow' and 'Deny' default rules
  supported)

- List/Add/Delete Port Forwarding rule

- List/Add/Delete Static NAT rule

- Apply a Threat Profile to all firewall rules (more details in the
  Additional Features section)

- Apply a Log Forwarding profile to all firewall rules (more details in the
  Additional Features section)



Initial Palo Alto Networks Firewall Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Anatomy of the Palo Alto Networks Firewall
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- In **'Network > Interfaces'** there is a list of physical interfaces as
  well as aggregated physical interfaces which are used for managing traffic
  in and out of the Palo Alto Networks Firewall device.

- In **'Network > Zones'** there is a list of the different configuration
  zones. This implementation uses two zones: a public zone (defaults to
  'untrust') and a private zone (defaults to 'trust').

- In **'Network > Virtual Routers'** there is a list of VRs which handle
  traffic routing for the Palo Alto Firewall. This implementation uses a
  single Virtual Router on the firewall, which handles all the routing to the
  next network hop.

- In **'Objects > Security Profile Groups'** there is a list of profiles
  which can be applied to firewall rules. These profiles are used to better
  understand the types of traffic that are flowing through your network. The
  group to use is configured when you add the firewall provider to CloudStack.

- In **'Objects > Log Forwarding'** there is a list of profiles which can be
  applied to firewall rules. These profiles are used to better track the
  logs generated by the firewall. The profile to use is configured when you
  add the firewall provider to CloudStack.

- In **'Policies > Security'** there is a list of firewall rules that are
  currently configured. You will not need to modify this section because it
  will be completely automated by CloudStack, but you can review the firewall
  rules which have been created here.

- In **'Policies > NAT'** there is a list of the different NAT rules. You
  will not need to modify this section because it will be completely
  automated by CloudStack, but you can review the different NAT rules that
  have been created here. Source NAT, Static NAT and Destination NAT (Port
  Forwarding) rules will show up in this list.



Configure the Public / Private Zones on the firewall
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

No manual configuration is required to set up these zones because CloudStack
will configure them automatically when you add the Palo Alto Networks firewall
device to CloudStack as a service provider. This implementation depends on
two zones, one for the public side and one for the private side of the
firewall.

- The public zone (defaults to 'untrust') will contain all of the public
  interfaces and public IPs.

- The private zone (defaults to 'trust') will contain all of the private
  interfaces and guest network gateways.

The NAT and firewall rules will be configured between these zones.



Configure the Public / Private Interfaces on the firewall
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This implementation supports standard physical interfaces as well as grouped
physical interfaces called aggregated interfaces. Both standard interfaces
and aggregated interfaces are treated the same, so they can be used
interchangeably. For this document, we will assume that we are using
'ethernet1/1' as the public interface and 'ethernet1/2' as the private
interface. If aggregated interfaces were used, you would use something
like 'ae1' and 'ae2' as the interfaces.

This implementation requires that the 'Interface Type' be set to 'Layer3' for
both the public and private interfaces. If you want to be able to use the
'Untagged' VLAN tag for public traffic in CloudStack, you will need to enable
support for it on the public 'ethernet1/1' interface (details below).

**Steps to configure the Public Interface**:

#. Log into the Palo Alto Networks Firewall

#. Navigate to 'Network > Interfaces'

#. Click on 'ethernet1/1' (for aggregated ethernet, it will probably be called
   'ae1')

#. Select 'Layer3' from the 'Interface Type' list

#. Click 'Advanced'

#. Check the 'Untagged Subinterface' check-box

#. Click 'OK'

**Steps to configure the Private Interface**:

#. Click on 'ethernet1/2' (for aggregated ethernet, it will probably be called
   'ae2')

#. Select 'Layer3' from the 'Interface Type' list

#. Click 'OK'



Configure a Virtual Router on the firewall
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Virtual Router on the Palo Alto Networks Firewall is not to be confused
with the Virtual Routers that CloudStack provisions. For this implementation,
the Virtual Router on the Palo Alto Networks Firewall will ONLY handle the
upstream routing from the Firewall to the next hop.

**Steps to configure the Virtual Router**:

#. Log into the Palo Alto Networks Firewall

#. Navigate to 'Network > Virtual Routers'

#. Select the 'default' Virtual Router, or add a new Virtual Router if there
   are none in the list

   - If you added a new Virtual Router, you will need to give it a 'Name'

#. Navigate to 'Static Routes > IPv4'

#. 'Add' a new static route

   - **Name**: next_hop (you can name it anything you want)

   - **Destination**: 0.0.0.0/0 (send all traffic to this route)

   - **Interface**: ethernet1/1 (or whatever you set your public interface
     as)

   - **Next Hop**: (specify the gateway IP for the next hop in your network)

   - Click 'OK'

#. Click 'OK'



Configure the default Public Subinterface
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The current implementation of the Palo Alto Networks firewall integration uses
CIDRs in the form of 'w.x.y.z/32' for the public IP addresses that CloudStack
provisions. Because a single-IP range contains no broadcast or gateway IP,
the firewall has no way to route the traffic for these IPs on its own. To route
the traffic for these IPs, we create a single subinterface on the public
interface with an IP and a CIDR which encapsulates the CloudStack public IP
range. This IP will need to be inside the subnet defined by the CloudStack
public range netmask, but outside the CloudStack public IP range. The CIDR
should reflect the same subnet defined by the CloudStack public range netmask.
The name of the subinterface is determined by the VLAN configured for the
public range in CloudStack.

To clarify this concept, we will use the following example.

**Example CloudStack Public Range Configuration**:

- **Gateway**: 172.30.0.1

- **Netmask**: 255.255.255.0

- **IP Range**: 172.30.0.100 - 172.30.0.199

- **VLAN**: Untagged

**Configure the Public Subinterface**:

#. Log into the Palo Alto Networks Firewall

#. Navigate to 'Network > Interfaces'

#. Select the 'ethernet1/1' line (without clicking on the name)

#. Click 'Add Subinterface' at the bottom of the window

#. Enter '9999' as the suffix of the 'Interface Name', so that the full name
   reads 'ethernet1/1.9999'

   - 9999 is used if the CloudStack public range VLAN is 'Untagged'

   - If the CloudStack public range VLAN is tagged (e.g. 333), then the name
     will reflect that tag

#. The 'Tag' is the VLAN tag that the traffic is sent to the next hop with, so
   set it accordingly. If you are passing 'Untagged' traffic from CloudStack
   to your next hop, leave it blank. If you want to pass tagged traffic from
   CloudStack, specify the tag.

#. Select 'default' from the 'Config > Virtual Router' drop-down (assuming
   that is what your virtual router is called)

#. Click the 'IPv4' tab

#. Select 'Static' from the 'Type' radio options

#. Click 'Add' in the 'IP' section

#. Enter '172.30.0.254/24' in the new line

   - The IP can be any IP outside the CloudStack public IP range, but inside
     the CloudStack public range netmask (it can NOT be the gateway IP)

   - The subnet defined by the CIDR should match the CloudStack public range
     netmask

#. Click 'OK'
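
The subinterface rules above (an IP inside the netmask subnet, outside the
CloudStack range and not the gateway; a name derived from the VLAN), as an added
worked example that is not part of the CloudStack documentation or code. It uses
the example public range from this section; the function names are my own.

```python
# Added example (not CloudStack project code): plan the PAN public subinterface
# from a CloudStack public range, applying the rules stated in this section.
import ipaddress

UNTAGGED_SUFFIX = 9999  # name suffix the guide uses when the public VLAN is 'Untagged'


def subinterface_name(public_interface, vlan):
    """'ethernet1/1.9999' for an Untagged range, otherwise 'ethernet1/1.<tag>'."""
    if vlan.lower() == "untagged":
        return f"{public_interface}.{UNTAGGED_SUFFIX}"
    tag = int(vlan)
    if not 1 <= tag <= 4094:
        raise ValueError(f"invalid VLAN tag: {vlan}")
    return f"{public_interface}.{tag}"


def subinterface_ip_problems(gateway, netmask, range_start, range_end, candidate_ip):
    """Rules the candidate subinterface IP violates; an empty list means it is usable."""
    subnet = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    ip = ipaddress.ip_address(candidate_ip)
    problems = []
    if ip not in subnet:
        problems.append("outside the subnet defined by the CloudStack netmask")
    if ip == ipaddress.ip_address(gateway):
        problems.append("is the gateway IP")
    if start <= ip <= end:
        problems.append("inside the CloudStack public IP range")
    if ip in (subnet.network_address, subnet.broadcast_address):
        problems.append("is the network or broadcast address")
    return problems


def plan_public_subinterface(public_interface, gateway, netmask,
                             range_start, range_end, vlan, candidate_ip):
    """Values to enter on the firewall: name, VLAN tag (None = leave blank) and IP/CIDR."""
    problems = subinterface_ip_problems(gateway, netmask, range_start, range_end, candidate_ip)
    if problems:
        raise ValueError(f"{candidate_ip}: " + "; ".join(problems))
    prefixlen = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False).prefixlen
    return {"name": subinterface_name(public_interface, vlan),
            "tag": None if vlan.lower() == "untagged" else int(vlan),
            "ip_cidr": f"{candidate_ip}/{prefixlen}"}


def routed_public_ips(range_start, range_end):
    """The /32 addresses CloudStack provisions from the range, all covered by the subinterface CIDR."""
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    return [f"{ipaddress.ip_address(i)}/32" for i in range(int(start), int(end) + 1)]
```

For the example range, the plan resolves to subinterface 'ethernet1/1.9999' with
an empty tag and the address '172.30.0.254/24'.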


Commit configuration on the Palo Alto Networks Firewall
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In order for all the changes we just made to take effect, we need to commit
the changes.

#. Click the 'Commit' link in the top right corner of the window

#. Click 'OK' in the commit window overlay

#. Click 'Close' in the resulting commit status window after the commit
   finishes



Set up the Palo Alto Networks Firewall in CloudStack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Add the Palo Alto Networks Firewall as a Service Provider
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Navigate to 'Infrastructure > Zones > ZONE_NAME > Physical Network >
   NETWORK_NAME (guest) > Configure; Network Service Providers'

#. Click on 'Palo Alto' in the list

#. Click 'View Devices'

#. Click 'Add Palo Alto Device'

#. Enter your configuration in the overlay. This example reflects the
   details previously used in this guide.

   - **IP Address**: (the IP of the Palo Alto Networks Firewall)

   - **Username**: (the admin username for the firewall)

   - **Password**: (the admin password for the firewall)

   - **Type**: Palo Alto Firewall

   - **Public Interface**: ethernet1/1 (use what you set up earlier as the
     public interface if it differs from the examples in this guide)

   - **Private Interface**: ethernet1/2 (use what you set up earlier as the
     private interface if it differs from the examples in this guide)

   - **Number of Retries**: 2 (the default is fine)

   - **Timeout**: 300 (the default is fine)

   - **Public Network**: untrust (this is the public zone on the firewall and
     did not need to be configured)

   - **Private Network**: trust (this is the private zone on the firewall and
     did not need to be configured)

   - **Virtual Router**: default (this is the name of the Virtual Router we
     set up on the firewall)

   - **Palo Alto Threat Profile**: (optional; the Name of the 'Security
     Profile Groups' entry to apply; more details in the 'Additional Features'
     section)

   - **Palo Alto Log Profile**: (optional; the Name of the 'Log Forwarding'
     profile to apply; more details in the 'Additional Features' section)

   - **Capacity**: (not required)

   - **Dedicated**: (not required)

#. Click 'OK'

#. Click on 'Palo Alto' in the breadcrumbs to go back one screen.

#. Click on 'Enable Provider' |EnableDisableFeature.png|


Add a Network Service Offering to use the new Provider
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

There are 6 'Supported Services' that need to be configured in the network
service offering for this functionality. They are DHCP, DNS, Firewall, Source
NAT, Static NAT and Port Forwarding. For the other settings, there are
probably additional configurations which will work, but I will just document a
common case.

#. Navigate to 'Service Offerings'

#. In the drop-down at the top, select 'Network Offerings'

#. Click 'Add Network Offering'

   - **Name**: (name it whatever you want)

   - **Description**: (again, can be whatever you want)

   - **Guest Type**: Isolated

   - **Supported Services**:

     - **DHCP**: Provided by 'VirtualRouter'

     - **DNS**: Provided by 'VirtualRouter'

     - **Firewall**: Provided by 'PaloAlto'

     - **Source NAT**: Provided by 'PaloAlto'

     - **Static NAT**: Provided by 'PaloAlto'

     - **Port Forwarding**: Provided by 'PaloAlto'

   - **System Offering for Router**: System Offering For Software Router

   - **Supported Source NAT Type**: Per account (this is the only supported
     option)

   - **Default egress policy**: (both 'Allow' and 'Deny' are supported)

#. Click 'OK'

#. Click on the newly created service offering

#. Click 'Enable network offering' |EnableDisableFeature.png|

When adding networks in CloudStack, select this network offering to use the
Palo Alto Networks firewall.


Additional Features
~~~~~~~~~~~~~~~~~~~

In addition to the standard functionality exposed by CloudStack, we have added
a couple of additional features to this implementation. We did not add any new
screens to CloudStack, but we have added a couple of fields to the 'Add Palo
Alto Service Provider' screen which add functionality globally for the device.


Palo Alto Networks Threat Profile
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This feature allows you to specify a 'Security Profile Group' to be applied to
all of the firewall rules which are created on the Palo Alto Networks firewall
device.

To create a 'Security Profile Group' on the Palo Alto Networks firewall, do
the following:

#. Log into the Palo Alto Networks firewall

#. Navigate to 'Objects > Security Profile Groups'

#. Click 'Add' at the bottom of the page to add a new group

#. Give the group a Name and specify the profiles you would like to include in
   the group

#. Click 'OK'

#. Click the 'Commit' link in the top right of the screen and follow the
   on-screen instructions

Once you have created a profile, you can reference it by Name in the 'Palo
Alto Threat Profile' field in the 'Add the Palo Alto Networks Firewall as a
Service Provider' step.


Palo Alto Networks Log Forwarding Profile
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This feature allows you to specify a 'Log Forwarding' profile to better manage
where the firewall logs are sent. This is helpful for keeping track of
issues that can arise on the firewall.

To create a 'Log Forwarding' profile on the Palo Alto Networks Firewall, do
the following:

#. Log into the Palo Alto Networks firewall

#. Navigate to 'Objects > Log Forwarding'

#. Click 'Add' at the bottom of the page to add a new profile

#. Give the profile a Name and specify the details you want for the traffic
   and threat settings

#. Click 'OK'

#. Click the 'Commit' link in the top right of the screen and follow the
   on-screen instructions

Once you have created a profile, you can reference it by Name in the 'Palo
Alto Log Profile' field in the 'Add the Palo Alto Networks Firewall as a
Service Provider' step.



Limitations
~~~~~~~~~~~

- The implementation currently only supports a single public IP range in
  CloudStack

- Usage tracking is not yet implemented

.. |EnableDisableFeature.png| image:: /_static/images/enable-disable-autoscale.png
   :alt: button to enable or disable feature.