Setup a Palo Alto Networks Firewall

Functionality Provided

This implementation enables the orchestration of a Palo Alto Networks Firewall from within CloudStack UI and API.

The following features are supported:

  • List/Add/Delete Palo Alto Networks service provider

  • List/Add/Delete Palo Alto Networks network service offering

  • List/Add/Delete Palo Alto Networks network using the above service offering

  • Add an instance to a Palo Alto Networks network

  • Source NAT management on network create and delete

  • List/Add/Delete Ingress Firewall rule

  • List/Add/Delete Egress Firewall rule (both ‘Allow’ and ‘Deny’ default rules supported)

  • List/Add/Delete Port Forwarding rule

  • List/Add/Delete Static NAT rule

  • Apply a Threat Profile to all firewall rules (more details in the Additional Features section)

  • Apply a Log Forwarding profile to all firewall rules (more details in the Additional Features section)

Initial Palo Alto Networks Firewall Configuration

Anatomy of the Palo Alto Networks Firewall

  • In ‘Network > Interfaces’ there is a list of physical interfaces as well as aggregated physical interfaces which are used for managing traffic in and out of the Palo Alto Networks Firewall device.

  • In ‘Network > Zones’ there is a list of the different configuration zones. This implementation will use two zones; a public (defaults to ‘untrust’) and private (defaults to ‘trust’) zone.

  • In ‘Network > Virtual Routers’ there is a list of VRs which handle traffic routing for the Palo Alto Firewall. We only use a single Virtual Router on the firewall and it is used to handle all the routing to the next network hop.

  • In ‘Objects > Security Profile Groups’ there is a list of profiles which can be applied to firewall rules. These profiles are used to better understand the types of traffic that is flowing through your network. Configured when you add the firewall provider to CloudStack.

  • In ‘Objects > Log Forwarding’ there is a list of profiles which can be applied to firewall rules. These profiles are used to better track the logs generated by the firewall. Configured when you add the firewall provider to CloudStack.

  • In ‘Policies > Security’ there is a list of firewall rules that are currently configured. You will not need to modify this section because it will be completely automated by CloudStack, but you can review the firewall rules which have been created here.

  • In ‘Policies > NAT’ there is a list of the different NAT rules. You will not need to modify this section because it will be completely automated by CloudStack, but you can review the different NAT rules that have been created here. Source NAT, Static NAT and Destination NAT (Port Forwarding) rules will show up in this list.

Configure the Public / Private Zones on the firewall

No manual configuration is required to setup these zones because CloudStack will configure them automatically when you add the Palo Alto Networks firewall device to CloudStack as a service provider. This implementation depends on two zones, one for the public side and one for the private side of the firewall.

  • The public zone (defaults to ‘untrust’) will contain all of the public interfaces and public IPs.

  • The private zone (defaults to ‘trust’) will contain all of the private interfaces and guest network gateways.

The NAT and firewall rules will be configured between these zones.

Configure the Public / Private Interfaces on the firewall

This implementation supports standard physical interfaces as well as grouped physical interfaces called aggregated interfaces. Both standard interfaces and aggregated interfaces are treated the same, so they can be used interchangeably. For this document, we will assume that we are using ‘ethernet1/1’ as the public interface and ‘ethernet1/2’ as the private interface. If aggregated interfaces where used, you would use something like ‘ae1’ and ‘ae2’ as the interfaces.

This implementation requires that the ‘Interface Type’ be set to ‘Layer3’ for both the public and private interfaces. If you want to be able to use the ‘Untagged’ VLAN tag for public traffic in CloudStack, you will need to enable support for it in the public ‘ethernet1/1’ interface (details below).

Steps to configure the Public Interface:

  1. Log into Palo Alto Networks Firewall

  2. Navigate to ‘Network > Interfaces’

  3. Click on ‘ethernet1/1’ (for aggregated ethernet, it will probably be called ‘ae1’)

  4. Select ‘Layer3’ from the ‘Interface Type’ list

  5. Click ‘Advanced’

  6. Check the ‘Untagged Subinterface’ check-box

  7. Click ‘OK’

Steps to configure the Private Interface:

  1. Click on ‘ethernet1/2’ (for aggregated ethernet, it will probably be called ‘ae2’)

  2. Select ‘Layer3’ from the ‘Interface Type’ list

  3. Click ‘OK’

Configure a Virtual Router on the firewall

The Virtual Router on the Palo Alto Networks Firewall is not to be confused with the Virtual Routers that CloudStack provisions. For this implementation, the Virtual Router on the Palo Alto Networks Firewall will ONLY handle the upstream routing from the Firewall to the next hop.

Steps to configure the Virtual Router:

  1. Log into Palo Alto Networks Firewall

  2. Navigate to ‘Network > Virtual Routers’

  3. Select the ‘default’ Virtual Router or Add a new Virtual Router if there are none in the list

    • If you added a new Virtual Router, you will need to give it a ‘Name’

  4. Navigate to ‘Static Routes > IPv4’

  5. ‘Add’ a new static route

    • Name: next_hop (you can name it anything you want)

    • Destination: 0.0.0.0/0 (send all traffic to this route)

    • Interface: ethernet1/1 (or whatever you set your public interface as)

    • Next Hop: (specify the gateway IP for the next hop in your network)

    • Click ‘OK’

  6. Click ‘OK’

Configure the default Public Subinterface

The current implementation of the Palo Alto Networks firewall integration uses CIDRs in the form of ‘w.x.y.z/32’ for the public IP addresses that CloudStack provisions. Because no broadcast or gateway IPs are in this single IP range, there is no way for the firewall to route the traffic for these IPs. To route the traffic for these IPs, we create a single subinterface on the public interface with an IP and a CIDR which encapsulates the CloudStack public IP range. This IP will need to be inside the subnet defined by the CloudStack public range netmask, but outside the CloudStack public IP range. The CIDR should reflect the same subnet defined by the CloudStack public range netmask. The name of the subinterface is determined by the VLAN configured for the public range in CloudStack.

To clarify this concept, we will use the following example.

Example CloudStack Public Range Configuration:

  • Gateway: 172.30.0.1

  • Netmask: 255.255.255.0

  • IP Range: 172.30.0.100 - 172.30.0.199

  • VLAN: Untagged

Configure the Public Subinterface:

  1. Log into Palo Alto Networks Firewall

  2. Navigate to ‘Network > Interfaces’

  3. Select the ‘ethernet1/1’ line (not clicking on the name)

  4. Click ‘Add Subinterface’ at the bottom of the window

  5. Enter ‘Interface Name’: ‘ethernet1/1’ . ‘9999’

    • 9999 is used if the CloudStack public range VLAN is ‘Untagged’

    • If the CloudStack public range VLAN is tagged (eg: 333), then the name will reflect that tag

  6. The ‘Tag’ is the VLAN tag that the traffic is sent to the next hop with, so set it accordingly. If you are passing ‘Untagged’ traffic from CloudStack to your next hop, leave it blank. If you want to pass tagged traffic from CloudStack, specify the tag.

  7. Select ‘default’ from the ‘Config > Virtual Router’ drop-down (assuming that is what your virtual router is called)

  8. Click the ‘IPv4’ tab

  9. Select ‘Static’ from the ‘Type’ radio options

  10. Click ‘Add’ in the ‘IP’ section

  11. Enter ‘172.30.0.254/24’ in the new line

    • The IP can be any IP outside the CloudStack public IP range, but inside the CloudStack public range netmask (it can NOT be the gateway IP)

    • The subnet defined by the CIDR should match the CloudStack public range netmask

  12. Click ‘OK’

Commit configuration on the Palo Alto Networks Firewall

In order for all the changes we just made to take effect, we need to commit the changes.

  1. Click the ‘Commit’ link in the top right corner of the window

  2. Click ‘OK’ in the commit window overlay

  3. Click ‘Close’ to the resulting commit status window after the commit finishes

Setup the Palo Alto Networks Firewall in CloudStack

Add the Palo Alto Networks Firewall as a Service Provider

  1. Navigate to ‘Infrastructure > Zones > ZONE_NAME > Physical Network > NETWORK_NAME (guest) > Configure; Network Service Providers’

  2. Click on ‘Palo Alto’ in the list

  3. Click ‘View Devices’

  4. Click ‘Add Palo Alto Device’

  5. Enter your configuration in the overlay. This example will reflect the details previously used in this guide.

    • IP Address: (the IP of the Palo Alto Networks Firewall)

    • Username: (the admin username for the firewall)

    • Password: (the admin password for the firewall)

    • Type: Palo Alto Firewall

    • Public Interface: ethernet1/1 (use what you setup earlier as the public interface if it is different from my examples)

    • Private Interface: ethernet1/2 (use what you setup earlier as the private interface if it is different from my examples)

    • Number of Retries: 2 (the default is fine)

    • Timeout: 300 (the default is fine)

    • Public Network: untrust (this is the public zone on the firewall and did not need to be configured)

    • Private Network: trust (this is the private zone on the firewall and did not need to be configured)

    • Virtual Router: default (this is the name of the Virtual Router we setup on the firewall)

    • Palo Alto Threat Profile: (not required. name of the ‘Security Profile Groups’ to apply. more details in the ‘Additional Features’ section)

    • Palo Alto Log Profile: (not required. name of the ‘Log Forwarding’ profile to apply. more details in the ‘Additional Features’ section)

    • Capacity: (not required)

    • Dedicated: (not required)

  6. Click ‘OK’

  7. Click on ‘Palo Alto’ in the breadcrumbs to go back one screen.

  8. Click on ‘Enable Provider’ button to enable or disable feature.

Add a Network Service Offering to use the new Provider

There are 6 ‘Supported Services’ that need to be configured in the network service offering for this functionality. They are DHCP, DNS, Firewall, Source NAT, Static NAT and Port Forwarding. For the other settings, there are probably additional configurations which will work, but I will just document a common case.

  1. Navigate to ‘Service Offerings’

  2. In the drop-down at the top, select ‘Network Offerings’

  3. Click ‘Add Network Offering’

    • Name: (name it whatever you want)

    • Description: (again, can be whatever you want)

    • Guest Type: Isolated

    • Supported Services:

      • DHCP: Provided by ‘VirtualRouter’

      • DNS: Provided by ‘VirtualRouter’

      • Firewall: Provided by ‘PaloAlto’

      • Source NAT: Provided by ‘PaloAlto’

      • Static NAT: Provided by ‘PaloAlto’

      • Port Forwarding: Provided by ‘PaloAlto’

    • System Offering for Router: System Offering For Software Router

    • Supported Source NAT Type: Per account (this is the only supported option)

    • Default egress policy: (both ‘Allow’ and ‘Deny’ are supported)

  4. Click ‘OK’

  5. Click on the newly created service offering

  6. Click ‘Enable network offering’ button to enable or disable feature.

When adding networks in CloudStack, select this network offering to use the Palo Alto Networks firewall.

Additional Features

In addition to the standard functionality exposed by CloudStack, we have added a couple additional features to this implementation. We did not add any new screens to CloudStack, but we have added a couple fields to the ‘Add Palo Alto Service Provider’ screen which will add functionality globally for the device.

Palo Alto Networks Threat Profile

This feature allows you to specify a ‘Security Profile Group’ to be applied to all of the firewall rules which are created on the Palo Alto Networks firewall device.

To create a ‘Security Profile Group’ on the Palo Alto Networks firewall, do the following:

  1. Log into the Palo Alto Networks firewall

  2. Navigate to ‘Objects > Security Profile Groups’

  3. Click ‘Add’ at the bottom of the page to add a new group

  4. Give the group a Name and specify the profiles you would like to include in the group

  5. Click ‘OK’

  6. Click the ‘Commit’ link in the top right of the screen and follow the on screen instructions

Once you have created a profile, you can reference it by Name in the ‘Palo Alto Threat Profile’ field in the ‘Add the Palo Alto Networks Firewall as a Service Provider’ step.

Palo Alto Networks Log Forwarding Profile

This feature allows you to specify a ‘Log Forwarding’ profile to better manage where the firewall logs are sent to. This is helpful for keeping track of issues that can arise on the firewall.

To create a ‘Log Forwarding’ profile on the Palo Alto Networks Firewall, do the following:

  1. Log into the Palo Alto Networks firewall

  2. Navigate to ‘Objects > Log Forwarding’

  3. Click ‘Add’ at the bottom of the page to add a new profile

  4. Give the profile a Name and specify the details you want for the traffic and threat settings

  5. Click ‘OK’

  6. Click the ‘Commit’ link in the top right of the screen and follow the on screen instructions

Once you have created a profile, you can reference it by Name in the ‘Palo Alto Log Profile’ field in the ‘Add the Palo Alto Networks Firewall as a Service Provider’ step.

Limitations

  • The implementation currently only supports a single public IP range in CloudStack

  • Usage tracking is not yet implemented