plugins/network-elements/palo-alto/src/main/java/com/cloud/network/element/PaloAltoExternalFirewallElement.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.network.element;

 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;

 import javax.inject.Inject;

 import org.apache.log4j.Logger;

 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.network.ExternalNetworkDeviceManager.NetworkDevice;

 import com.cloud.api.ApiDBUtils;
 import com.cloud.api.commands.AddPaloAltoFirewallCmd;
 import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
 import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
 import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
 import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
 import com.cloud.api.response.PaloAltoFirewallResponse;
 import com.cloud.configuration.Config;
 import com.cloud.configuration.ConfigurationManager;
 import com.cloud.dc.DataCenter;
 import com.cloud.dc.DataCenter.NetworkType;
 import com.cloud.dc.dao.DataCenterDao;
 import com.cloud.deploy.DeployDestination;
 import com.cloud.exception.ConcurrentOperationException;
 import com.cloud.exception.InsufficientCapacityException;
 import com.cloud.exception.InsufficientNetworkCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
 import com.cloud.exception.ResourceUnavailableException;
 import com.cloud.host.Host;
 import com.cloud.host.dao.HostDao;
 import com.cloud.host.dao.HostDetailsDao;
 import com.cloud.network.ExternalFirewallDeviceManagerImpl;
 import com.cloud.network.Network;
 import com.cloud.network.Network.Capability;
 import com.cloud.network.Network.Provider;
 import com.cloud.network.Network.Service;
 import com.cloud.network.NetworkModel;
 import com.cloud.network.PhysicalNetwork;
 import com.cloud.network.PhysicalNetworkServiceProvider;
 import com.cloud.network.PublicIpAddress;
 import com.cloud.network.dao.ExternalFirewallDeviceDao;
 import com.cloud.network.dao.ExternalFirewallDeviceVO;
 import com.cloud.network.dao.ExternalFirewallDeviceVO.FirewallDeviceState;
 import com.cloud.network.dao.NetworkDao;
 import com.cloud.network.dao.NetworkExternalFirewallDao;
 import com.cloud.network.dao.NetworkExternalFirewallVO;
 import com.cloud.network.dao.NetworkServiceMapDao;
 import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.PhysicalNetworkDao;
 import com.cloud.network.dao.PhysicalNetworkVO;
 import com.cloud.network.resource.PaloAltoResource;
 import com.cloud.network.rules.FirewallRule;
 import com.cloud.network.rules.PortForwardingRule;
 import com.cloud.network.rules.StaticNat;
 import com.cloud.offering.NetworkOffering;
 import com.cloud.offerings.dao.NetworkOfferingDao;
 import com.cloud.utils.NumbersUtil;
 import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.exception.CloudRuntimeException;
 import com.cloud.vm.NicProfile;
 import com.cloud.vm.ReservationContext;
 import com.cloud.vm.VirtualMachineProfile;

 public class PaloAltoExternalFirewallElement extends ExternalFirewallDeviceManagerImpl implements SourceNatServiceProvider, FirewallServiceProvider,
         PortForwardingServiceProvider, IpDeployer, PaloAltoFirewallElementService, StaticNatServiceProvider {

     private static final Logger s_logger = Logger.getLogger(PaloAltoExternalFirewallElement.class);

     private static final Map<Service, Map<Capability, String>> capabilities = setCapabilities();

     @Inject
     NetworkModel _networkManager;
     @Inject
     HostDao _hostDao;
     @Inject
     ConfigurationManager _configMgr;
     @Inject
     NetworkOfferingDao _networkOfferingDao;
     @Inject
     NetworkDao _networksDao;
     @Inject
     DataCenterDao _dcDao;
     @Inject
     PhysicalNetworkDao _physicalNetworkDao;
     @Inject
     ExternalFirewallDeviceDao _fwDevicesDao;
     @Inject
     NetworkExternalFirewallDao _networkFirewallDao;
     @Inject
     NetworkDao _networkDao;
     @Inject
     NetworkServiceMapDao _ntwkSrvcDao;
     @Inject
     HostDetailsDao _hostDetailDao;
     @Inject
     ConfigurationDao _configDao;
     @Inject
     EntityManager _entityMgr;

     private boolean canHandle(Network network, Service service) {
         DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
         if (zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() != Network.GuestType.Isolated) {
             s_logger.trace("Element " + getProvider().getName() + "is not handling network type = " + network.getGuestType());
             return false;
         }

         if (service == null) {
             if (!_networkManager.isProviderForNetwork(getProvider(), network.getId())) {
                 s_logger.trace("Element " + getProvider().getName() + " is not a provider for the network " + network);
                 return false;
             }
         } else {
             if (!_networkManager.isProviderSupportServiceInNetwork(network.getId(), service, getProvider())) {
                 s_logger.trace("Element " + getProvider().getName() + " doesn't support service " + service.getName() + " in the network " + network);
                 return false;
             }
         }

         return true;
     }

     @Override
     public boolean implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context) throws ResourceUnavailableException,
         ConcurrentOperationException, InsufficientNetworkCapacityException {
         DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());

         // don't have to implement network is Basic zone
         if (zone.getNetworkType() == NetworkType.Basic) {
             s_logger.debug("Not handling network implement in zone of type " + NetworkType.Basic);
             return false;
         }

         if (!canHandle(network, null)) {
             return false;
         }

         try {
             return manageGuestNetworkWithExternalFirewall(true, network);
         } catch (InsufficientCapacityException capacityException) {
             // TODO: handle out of capacity exception in more gracefule manner when multiple providers are present for
             // the network
             s_logger.error("Fail to implement the Palo Alto for network " + network, capacityException);
             return false;
         }
     }

     @Override
     public boolean prepare(Network config, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
         throws ConcurrentOperationException, InsufficientNetworkCapacityException, ResourceUnavailableException {
         return true;
     }

     @Override
     public boolean release(Network config, NicProfile nic, VirtualMachineProfile vm, ReservationContext context) {
         return true;
     }

     @Override
     public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ResourceUnavailableException, ConcurrentOperationException {
         DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());

         // don't have to implement network is Basic zone
         if (zone.getNetworkType() == NetworkType.Basic) {
             s_logger.debug("Not handling network shutdown in zone of type " + NetworkType.Basic);
             return false;
         }

         if (!canHandle(network, null)) {
             return false;
         }
         try {
             return manageGuestNetworkWithExternalFirewall(false, network);
         } catch (InsufficientCapacityException capacityException) {
             // TODO: handle out of capacity exception
             return false;
         }
     }

     @Override
     public boolean destroy(Network config, ReservationContext context) {
         return true;
     }

     @Override
     public boolean applyFWRules(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
         if (!canHandle(config, Service.Firewall)) {
             return false;
         }

         return applyFirewallRules(config, rules);
     }

     @Override
     public Provider getProvider() {
         return Provider.PaloAlto;
     }

     @Override
     public Map<Service, Map<Capability, String>> getCapabilities() {
         return capabilities;
     }

     private static Map<Service, Map<Capability, String>> setCapabilities() {
         Map<Service, Map<Capability, String>> capabilities = new HashMap<Service, Map<Capability, String>>();

         // Set capabilities for Firewall service
         Map<Capability, String> firewallCapabilities = new HashMap<Capability, String>();
         firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
         firewallCapabilities.put(Capability.SupportedEgressProtocols, "tcp,udp,icmp,all");
         firewallCapabilities.put(Capability.MultipleIps, "true");
         firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
         firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
         capabilities.put(Service.Firewall, firewallCapabilities);

         capabilities.put(Service.Gateway, null);

         Map<Capability, String> sourceNatCapabilities = new HashMap<Capability, String>();
         // Specifies that this element supports either one source NAT rule per account;
         sourceNatCapabilities.put(Capability.SupportedSourceNatTypes, "peraccount");
         capabilities.put(Service.SourceNat, sourceNatCapabilities);

         // Specifies that port forwarding rules are supported by this element
         capabilities.put(Service.PortForwarding, null);

         // Specifies that static NAT rules are supported by this element
         capabilities.put(Service.StaticNat, null);

         return capabilities;
     }

     @Override
     public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
         if (!canHandle(network, Service.PortForwarding)) {
             return false;
         }

         return applyPortForwardingRules(network, rules);
     }

     @Override
     public boolean isReady(PhysicalNetworkServiceProvider provider) {

         List<ExternalFirewallDeviceVO> fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(provider.getPhysicalNetworkId(), Provider.PaloAlto.getName());
         // true if at-least one Palo Alto device is added in to physical network and is in configured (in enabled state) state
         if (fwDevices != null && !fwDevices.isEmpty()) {
             for (ExternalFirewallDeviceVO fwDevice : fwDevices) {
                 if (fwDevice.getDeviceState() == FirewallDeviceState.Enabled) {
                     return true;
                 }
             }
         }
         return false;
     }

     @Override
     public boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, ReservationContext context) throws ConcurrentOperationException,
         ResourceUnavailableException {
         // TODO Auto-generated method stub
         return true;
     }

     @Override
     public boolean canEnableIndividualServices() {
         return true;
     }

     @Override
     public List<Class<?>> getCommands() {
         List<Class<?>> cmdList = new ArrayList<Class<?>>();
         cmdList.add(AddPaloAltoFirewallCmd.class);
         cmdList.add(ConfigurePaloAltoFirewallCmd.class);
         cmdList.add(DeletePaloAltoFirewallCmd.class);
         cmdList.add(ListPaloAltoFirewallNetworksCmd.class);
         cmdList.add(ListPaloAltoFirewallsCmd.class);
         return cmdList;
     }

     @Override
     public ExternalFirewallDeviceVO addPaloAltoFirewall(AddPaloAltoFirewallCmd cmd) {
         String deviceName = cmd.getDeviceType();
         if (!deviceName.equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
             throw new InvalidParameterValueException("Invalid Palo Alto firewall device type");
         }
         return addExternalFirewall(cmd.getPhysicalNetworkId(), cmd.getUrl(), cmd.getUsername(), cmd.getPassword(), deviceName, new PaloAltoResource());
     }

     @Override
     public boolean deletePaloAltoFirewall(DeletePaloAltoFirewallCmd cmd) {
         Long fwDeviceId = cmd.getFirewallDeviceId();

         ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
         if (fwDeviceVO == null || !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
             throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
         }
         return deleteExternalFirewall(fwDeviceVO.getHostId());
     }

     @Override
     public ExternalFirewallDeviceVO configurePaloAltoFirewall(ConfigurePaloAltoFirewallCmd cmd) {
         Long fwDeviceId = cmd.getFirewallDeviceId();
         Long deviceCapacity = cmd.getFirewallCapacity();

         ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
         if (fwDeviceVO == null || !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
             throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
         }

         if (deviceCapacity != null) {
             // check if any networks are using this Palo Alto device
             List<NetworkExternalFirewallVO> networks = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
             if ((networks != null) && !networks.isEmpty()) {
                 if (deviceCapacity < networks.size()) {
                     throw new CloudRuntimeException("There are more number of networks already using this Palo Alto firewall device than configured capacity");
                 }
             }
             if (deviceCapacity != null) {
                 fwDeviceVO.setCapacity(deviceCapacity);
             }
         }

         fwDeviceVO.setDeviceState(FirewallDeviceState.Enabled);
         _fwDevicesDao.update(fwDeviceId, fwDeviceVO);
         return fwDeviceVO;
     }

     @Override
     public List<ExternalFirewallDeviceVO> listPaloAltoFirewalls(ListPaloAltoFirewallsCmd cmd) {
         Long physcialNetworkId = cmd.getPhysicalNetworkId();
         Long fwDeviceId = cmd.getFirewallDeviceId();
         PhysicalNetworkVO pNetwork = null;
         List<ExternalFirewallDeviceVO> fwDevices = new ArrayList<ExternalFirewallDeviceVO>();

         if (physcialNetworkId == null && fwDeviceId == null) {
             throw new InvalidParameterValueException("Either physical network Id or load balancer device Id must be specified");
         }

         if (fwDeviceId != null) {
             ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
             if (fwDeviceVo == null || !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
                 throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID: " + fwDeviceId);
             }
             fwDevices.add(fwDeviceVo);
         }

         if (physcialNetworkId != null) {
             pNetwork = _physicalNetworkDao.findById(physcialNetworkId);
             if (pNetwork == null) {
                 throw new InvalidParameterValueException("Could not find phyical network with ID: " + physcialNetworkId);
             }
             fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(physcialNetworkId, Provider.PaloAlto.getName());
         }

         return fwDevices;
     }

     @Override
     public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd) {
         Long fwDeviceId = cmd.getFirewallDeviceId();
         List<NetworkVO> networks = new ArrayList<NetworkVO>();

         ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
         if (fwDeviceVo == null || !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
             throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID " + fwDeviceId);
         }

         List<NetworkExternalFirewallVO> networkFirewallMaps = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
         if (networkFirewallMaps != null && !networkFirewallMaps.isEmpty()) {
             for (NetworkExternalFirewallVO networkFirewallMap : networkFirewallMaps) {
                 NetworkVO network = _networkDao.findById(networkFirewallMap.getNetworkId());
                 networks.add(network);
             }
         }

         return networks;
     }

     @Override
     public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO fwDeviceVO) {
         PaloAltoFirewallResponse response = new PaloAltoFirewallResponse();
         Map<String, String> fwDetails = _hostDetailDao.findDetails(fwDeviceVO.getHostId());
         Host fwHost = _hostDao.findById(fwDeviceVO.getHostId());

         response.setId(fwDeviceVO.getUuid());
         PhysicalNetwork pnw = ApiDBUtils.findPhysicalNetworkById(fwDeviceVO.getPhysicalNetworkId());
         if (pnw != null) {
             response.setPhysicalNetworkId(pnw.getUuid());
         }
         response.setDeviceName(fwDeviceVO.getDeviceName());
         if (fwDeviceVO.getCapacity() == 0) {
             long defaultFwCapacity = NumbersUtil.parseLong(_configDao.getValue(Config.DefaultExternalFirewallCapacity.key()), 50);
             response.setDeviceCapacity(defaultFwCapacity);
         } else {
             response.setDeviceCapacity(fwDeviceVO.getCapacity());
         }
         response.setProvider(fwDeviceVO.getProviderName());
         response.setDeviceState(fwDeviceVO.getDeviceState().name());
         response.setIpAddress(fwHost.getPrivateIpAddress());
         response.setPublicInterface(fwDetails.get("publicInterface"));
         response.setUsageInterface(fwDetails.get("usageInterface"));
         response.setPrivateInterface(fwDetails.get("privateInterface"));
         response.setPublicZone(fwDetails.get("publicZone"));
         response.setPrivateZone(fwDetails.get("privateZone"));
         response.setNumRetries(fwDetails.get("numRetries"));
         response.setTimeout(fwDetails.get("timeout"));
         response.setObjectName("paloaltofirewall");
         return response;
     }

     @Override
     public boolean verifyServicesCombination(Set<Service> services) {
         if (!services.contains(Service.Firewall)) {
             s_logger.warn("Palo Alto must be used as Firewall Service Provider in the network");
             return false;
         }
         return true;
     }

     @Override
     public IpDeployer getIpDeployer(Network network) {
         return this;
     }

     @Override
     public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Service> service) throws ResourceUnavailableException {
         // return true, as IP will be associated as part of static NAT/port forwarding rule configuration
         return true;
     }

     @Override
     public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
         if (!canHandle(config, Service.StaticNat)) {
             return false;
         }
         return applyStaticNatRules(config, rules);
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.network.element;

	import java.util.ArrayList;
	import java.util.HashMap;
	import java.util.List;
	import java.util.Map;
	import java.util.Set;

	import javax.inject.Inject;

	import org.apache.log4j.Logger;

	import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
	import org.apache.cloudstack.network.ExternalNetworkDeviceManager.NetworkDevice;

	import com.cloud.api.ApiDBUtils;
	import com.cloud.api.commands.AddPaloAltoFirewallCmd;
	import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
	import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
	import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
	import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
	import com.cloud.api.response.PaloAltoFirewallResponse;
	import com.cloud.configuration.Config;
	import com.cloud.configuration.ConfigurationManager;
	import com.cloud.dc.DataCenter;
	import com.cloud.dc.DataCenter.NetworkType;
	import com.cloud.dc.dao.DataCenterDao;
	import com.cloud.deploy.DeployDestination;
	import com.cloud.exception.ConcurrentOperationException;
	import com.cloud.exception.InsufficientCapacityException;
	import com.cloud.exception.InsufficientNetworkCapacityException;
	import com.cloud.exception.InvalidParameterValueException;
	import com.cloud.exception.ResourceUnavailableException;
	import com.cloud.host.Host;
	import com.cloud.host.dao.HostDao;
	import com.cloud.host.dao.HostDetailsDao;
	import com.cloud.network.ExternalFirewallDeviceManagerImpl;
	import com.cloud.network.Network;
	import com.cloud.network.Network.Capability;
	import com.cloud.network.Network.Provider;
	import com.cloud.network.Network.Service;
	import com.cloud.network.NetworkModel;
	import com.cloud.network.PhysicalNetwork;
	import com.cloud.network.PhysicalNetworkServiceProvider;
	import com.cloud.network.PublicIpAddress;
	import com.cloud.network.dao.ExternalFirewallDeviceDao;
	import com.cloud.network.dao.ExternalFirewallDeviceVO;
	import com.cloud.network.dao.ExternalFirewallDeviceVO.FirewallDeviceState;
	import com.cloud.network.dao.NetworkDao;
	import com.cloud.network.dao.NetworkExternalFirewallDao;
	import com.cloud.network.dao.NetworkExternalFirewallVO;
	import com.cloud.network.dao.NetworkServiceMapDao;
	import com.cloud.network.dao.NetworkVO;
	import com.cloud.network.dao.PhysicalNetworkDao;
	import com.cloud.network.dao.PhysicalNetworkVO;
	import com.cloud.network.resource.PaloAltoResource;
	import com.cloud.network.rules.FirewallRule;
	import com.cloud.network.rules.PortForwardingRule;
	import com.cloud.network.rules.StaticNat;
	import com.cloud.offering.NetworkOffering;
	import com.cloud.offerings.dao.NetworkOfferingDao;
	import com.cloud.utils.NumbersUtil;
	import com.cloud.utils.db.EntityManager;
	import com.cloud.utils.exception.CloudRuntimeException;
	import com.cloud.vm.NicProfile;
	import com.cloud.vm.ReservationContext;
	import com.cloud.vm.VirtualMachineProfile;

	public class PaloAltoExternalFirewallElement extends ExternalFirewallDeviceManagerImpl implements SourceNatServiceProvider, FirewallServiceProvider,
	PortForwardingServiceProvider, IpDeployer, PaloAltoFirewallElementService, StaticNatServiceProvider {

	private static final Logger s_logger = Logger.getLogger(PaloAltoExternalFirewallElement.class);

	private static final Map<Service, Map<Capability, String>> capabilities = setCapabilities();

	@Inject
	NetworkModel _networkManager;
	@Inject
	HostDao _hostDao;
	@Inject
	ConfigurationManager _configMgr;
	@Inject
	NetworkOfferingDao _networkOfferingDao;
	@Inject
	NetworkDao _networksDao;
	@Inject
	DataCenterDao _dcDao;
	@Inject
	PhysicalNetworkDao _physicalNetworkDao;
	@Inject
	ExternalFirewallDeviceDao _fwDevicesDao;
	@Inject
	NetworkExternalFirewallDao _networkFirewallDao;
	@Inject
	NetworkDao _networkDao;
	@Inject
	NetworkServiceMapDao _ntwkSrvcDao;
	@Inject
	HostDetailsDao _hostDetailDao;
	@Inject
	ConfigurationDao _configDao;
	@Inject
	EntityManager _entityMgr;

	private boolean canHandle(Network network, Service service) {
	DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
	if (zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() != Network.GuestType.Isolated) {
	s_logger.trace("Element " + getProvider().getName() + "is not handling network type = " + network.getGuestType());
	return false;
	}

	if (service == null) {
	if (!_networkManager.isProviderForNetwork(getProvider(), network.getId())) {
	s_logger.trace("Element " + getProvider().getName() + " is not a provider for the network " + network);
	return false;
	}
	} else {
	if (!_networkManager.isProviderSupportServiceInNetwork(network.getId(), service, getProvider())) {
	s_logger.trace("Element " + getProvider().getName() + " doesn't support service " + service.getName() + " in the network " + network);
	return false;
	}
	}

	return true;
	}

	@Override
	public boolean implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context) throws ResourceUnavailableException,
	ConcurrentOperationException, InsufficientNetworkCapacityException {
	DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());

	// don't have to implement network is Basic zone
	if (zone.getNetworkType() == NetworkType.Basic) {
	s_logger.debug("Not handling network implement in zone of type " + NetworkType.Basic);
	return false;
	}

	if (!canHandle(network, null)) {
	return false;
	}

	try {
	return manageGuestNetworkWithExternalFirewall(true, network);
	} catch (InsufficientCapacityException capacityException) {
	// TODO: handle out of capacity exception in more gracefule manner when multiple providers are present for
	// the network
	s_logger.error("Fail to implement the Palo Alto for network " + network, capacityException);
	return false;
	}
	}

	@Override
	public boolean prepare(Network config, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context)
	throws ConcurrentOperationException, InsufficientNetworkCapacityException, ResourceUnavailableException {
	return true;
	}

	@Override
	public boolean release(Network config, NicProfile nic, VirtualMachineProfile vm, ReservationContext context) {
	return true;
	}

	@Override
	public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ResourceUnavailableException, ConcurrentOperationException {
	DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());

	// don't have to implement network is Basic zone
	if (zone.getNetworkType() == NetworkType.Basic) {
	s_logger.debug("Not handling network shutdown in zone of type " + NetworkType.Basic);
	return false;
	}

	if (!canHandle(network, null)) {
	return false;
	}
	try {
	return manageGuestNetworkWithExternalFirewall(false, network);
	} catch (InsufficientCapacityException capacityException) {
	// TODO: handle out of capacity exception
	return false;
	}
	}

	@Override
	public boolean destroy(Network config, ReservationContext context) {
	return true;
	}

	@Override
	public boolean applyFWRules(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
	if (!canHandle(config, Service.Firewall)) {
	return false;
	}

	return applyFirewallRules(config, rules);
	}

	@Override
	public Provider getProvider() {
	return Provider.PaloAlto;
	}

	@Override
	public Map<Service, Map<Capability, String>> getCapabilities() {
	return capabilities;
	}

	private static Map<Service, Map<Capability, String>> setCapabilities() {
	Map<Service, Map<Capability, String>> capabilities = new HashMap<Service, Map<Capability, String>>();

	// Set capabilities for Firewall service
	Map<Capability, String> firewallCapabilities = new HashMap<Capability, String>();
	firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
	firewallCapabilities.put(Capability.SupportedEgressProtocols, "tcp,udp,icmp,all");
	firewallCapabilities.put(Capability.MultipleIps, "true");
	firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
	firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
	capabilities.put(Service.Firewall, firewallCapabilities);

	capabilities.put(Service.Gateway, null);

	Map<Capability, String> sourceNatCapabilities = new HashMap<Capability, String>();
	// Specifies that this element supports either one source NAT rule per account;
	sourceNatCapabilities.put(Capability.SupportedSourceNatTypes, "peraccount");
	capabilities.put(Service.SourceNat, sourceNatCapabilities);

	// Specifies that port forwarding rules are supported by this element
	capabilities.put(Service.PortForwarding, null);

	// Specifies that static NAT rules are supported by this element
	capabilities.put(Service.StaticNat, null);

	return capabilities;
	}

	@Override
	public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
	if (!canHandle(network, Service.PortForwarding)) {
	return false;
	}

	return applyPortForwardingRules(network, rules);
	}

	@Override
	public boolean isReady(PhysicalNetworkServiceProvider provider) {

	List<ExternalFirewallDeviceVO> fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(provider.getPhysicalNetworkId(), Provider.PaloAlto.getName());
	// true if at-least one Palo Alto device is added in to physical network and is in configured (in enabled state) state
	if (fwDevices != null && !fwDevices.isEmpty()) {
	for (ExternalFirewallDeviceVO fwDevice : fwDevices) {
	if (fwDevice.getDeviceState() == FirewallDeviceState.Enabled) {
	return true;
	}
	}
	}
	return false;
	}

	@Override
	public boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, ReservationContext context) throws ConcurrentOperationException,
	ResourceUnavailableException {
	// TODO Auto-generated method stub
	return true;
	}

	@Override
	public boolean canEnableIndividualServices() {
	return true;
	}

	@Override
	public List<Class<?>> getCommands() {
	List<Class<?>> cmdList = new ArrayList<Class<?>>();
	cmdList.add(AddPaloAltoFirewallCmd.class);
	cmdList.add(ConfigurePaloAltoFirewallCmd.class);
	cmdList.add(DeletePaloAltoFirewallCmd.class);
	cmdList.add(ListPaloAltoFirewallNetworksCmd.class);
	cmdList.add(ListPaloAltoFirewallsCmd.class);
	return cmdList;
	}

	@Override
	public ExternalFirewallDeviceVO addPaloAltoFirewall(AddPaloAltoFirewallCmd cmd) {
	String deviceName = cmd.getDeviceType();
	if (!deviceName.equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
	throw new InvalidParameterValueException("Invalid Palo Alto firewall device type");
	}
	return addExternalFirewall(cmd.getPhysicalNetworkId(), cmd.getUrl(), cmd.getUsername(), cmd.getPassword(), deviceName, new PaloAltoResource());
	}

	@Override
	public boolean deletePaloAltoFirewall(DeletePaloAltoFirewallCmd cmd) {
	Long fwDeviceId = cmd.getFirewallDeviceId();

	ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
	if (fwDeviceVO == null \|\| !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
	throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
	}
	return deleteExternalFirewall(fwDeviceVO.getHostId());
	}

	@Override
	public ExternalFirewallDeviceVO configurePaloAltoFirewall(ConfigurePaloAltoFirewallCmd cmd) {
	Long fwDeviceId = cmd.getFirewallDeviceId();
	Long deviceCapacity = cmd.getFirewallCapacity();

	ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
	if (fwDeviceVO == null \|\| !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
	throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
	}

	if (deviceCapacity != null) {
	// check if any networks are using this Palo Alto device
	List<NetworkExternalFirewallVO> networks = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
	if ((networks != null) && !networks.isEmpty()) {
	if (deviceCapacity < networks.size()) {
	throw new CloudRuntimeException("There are more number of networks already using this Palo Alto firewall device than configured capacity");
	}
	}
	if (deviceCapacity != null) {
	fwDeviceVO.setCapacity(deviceCapacity);
	}
	}

	fwDeviceVO.setDeviceState(FirewallDeviceState.Enabled);
	_fwDevicesDao.update(fwDeviceId, fwDeviceVO);
	return fwDeviceVO;
	}

	@Override
	public List<ExternalFirewallDeviceVO> listPaloAltoFirewalls(ListPaloAltoFirewallsCmd cmd) {
	Long physcialNetworkId = cmd.getPhysicalNetworkId();
	Long fwDeviceId = cmd.getFirewallDeviceId();
	PhysicalNetworkVO pNetwork = null;
	List<ExternalFirewallDeviceVO> fwDevices = new ArrayList<ExternalFirewallDeviceVO>();

	if (physcialNetworkId == null && fwDeviceId == null) {
	throw new InvalidParameterValueException("Either physical network Id or load balancer device Id must be specified");
	}

	if (fwDeviceId != null) {
	ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
	if (fwDeviceVo == null \|\| !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
	throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID: " + fwDeviceId);
	}
	fwDevices.add(fwDeviceVo);
	}

	if (physcialNetworkId != null) {
	pNetwork = _physicalNetworkDao.findById(physcialNetworkId);
	if (pNetwork == null) {
	throw new InvalidParameterValueException("Could not find phyical network with ID: " + physcialNetworkId);
	}
	fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(physcialNetworkId, Provider.PaloAlto.getName());
	}

	return fwDevices;
	}

	@Override
	public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd) {
	Long fwDeviceId = cmd.getFirewallDeviceId();
	List<NetworkVO> networks = new ArrayList<NetworkVO>();

	ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
	if (fwDeviceVo == null \|\| !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
	throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID " + fwDeviceId);
	}

	List<NetworkExternalFirewallVO> networkFirewallMaps = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
	if (networkFirewallMaps != null && !networkFirewallMaps.isEmpty()) {
	for (NetworkExternalFirewallVO networkFirewallMap : networkFirewallMaps) {
	NetworkVO network = _networkDao.findById(networkFirewallMap.getNetworkId());
	networks.add(network);
	}
	}

	return networks;
	}

	@Override
	public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO fwDeviceVO) {
	PaloAltoFirewallResponse response = new PaloAltoFirewallResponse();
	Map<String, String> fwDetails = _hostDetailDao.findDetails(fwDeviceVO.getHostId());
	Host fwHost = _hostDao.findById(fwDeviceVO.getHostId());

	response.setId(fwDeviceVO.getUuid());
	PhysicalNetwork pnw = ApiDBUtils.findPhysicalNetworkById(fwDeviceVO.getPhysicalNetworkId());
	if (pnw != null) {
	response.setPhysicalNetworkId(pnw.getUuid());
	}
	response.setDeviceName(fwDeviceVO.getDeviceName());
	if (fwDeviceVO.getCapacity() == 0) {
	long defaultFwCapacity = NumbersUtil.parseLong(_configDao.getValue(Config.DefaultExternalFirewallCapacity.key()), 50);
	response.setDeviceCapacity(defaultFwCapacity);
	} else {
	response.setDeviceCapacity(fwDeviceVO.getCapacity());
	}
	response.setProvider(fwDeviceVO.getProviderName());
	response.setDeviceState(fwDeviceVO.getDeviceState().name());
	response.setIpAddress(fwHost.getPrivateIpAddress());
	response.setPublicInterface(fwDetails.get("publicInterface"));
	response.setUsageInterface(fwDetails.get("usageInterface"));
	response.setPrivateInterface(fwDetails.get("privateInterface"));
	response.setPublicZone(fwDetails.get("publicZone"));
	response.setPrivateZone(fwDetails.get("privateZone"));
	response.setNumRetries(fwDetails.get("numRetries"));
	response.setTimeout(fwDetails.get("timeout"));
	response.setObjectName("paloaltofirewall");
	return response;
	}

	@Override
	public boolean verifyServicesCombination(Set<Service> services) {
	if (!services.contains(Service.Firewall)) {
	s_logger.warn("Palo Alto must be used as Firewall Service Provider in the network");
	return false;
	}
	return true;
	}

	@Override
	public IpDeployer getIpDeployer(Network network) {
	return this;
	}

	@Override
	public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Service> service) throws ResourceUnavailableException {
	// return true, as IP will be associated as part of static NAT/port forwarding rule configuration
	return true;
	}

	@Override
	public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
	if (!canHandle(config, Service.StaticNat)) {
	return false;
	}
	return applyStaticNatRules(config, rules);
	}
	}