Bug Reference

CLOUDSTACK-1275

Branch

The code has been merged into ACS master, so we will be working from that now...

github.com/cloudops/cs_palo_alto
=> 'palo_alto' branch is the work in progress and reflects the current status of the integration
=> 'master' branch is a point-in-time copy of the CloudStack master branch that the 'palo_alto' branch is working from (I pull in changes periodically)

Install instructions below...


Current state of the integration:
WORKING!!!

  • List/Add/Delete Palo Alto service provider
  • List/Add/Delete Palo Alto network service offering
  • List/Add/Delete Palo Alto network with above service offering
  • Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule)
  • List/Add/Delete Ingress Firewall rule
  • List/Add/Delete Egress Firewall rule
  • List/Add/Delete Port Forwarding rule
  • List/Add/Delete Static Nat rule
  • Basic Unit Tests

IN PROGRESS!!!

  • Add Usage tracking

Introduction

The goal of this project is to enable basic integration of Palo Alto’s firewall products into the Apache CloudStack 4.x platform.

By leveraging CloudStack extension points, this project will allow configuring a Palo Alto firewall as a service provider to override services typically offered by CloudStack’s virtual routers, such as Firewall, NAT & Port forwarding.

Proper orchestration will be developed so that calling the CloudStack APIs for these services will be transparently routed to the corresponding services on the Palo Alto firewall.

Purpose

This document is intended to keep the community abreast of the functionality being added with the integration of Palo Alto firewalls as a service provider.

References

Palo Alto API docs are included at the end of this document.

Feature Specifications

In-Scope
  • Support of CloudStack advanced network topology.
  • Support of multiple Palo Alto firewalls.
  • Support of parallel deployment with hardware load-balancer (e.g.: Netscaler).
  • Configuration of connectivity with Palo Alto firewall through CloudStack UI and persistence of this information.
  • Allow selection of Palo Alto firewall when defining CloudStack network service offering for:
    • Firewall (Ingress & Egress)
    • Source NAT
    • Static NAT
    • Port forwarding
  • Support of virtual Palo Alto firewall.
  • Communication layer with Palo Alto APIs.
  • Mapping of CloudStack APIs to corresponding Palo Alto APIs.
  • Proper display of Palo Alto connectivity status in CloudStack UI.
  • Functional/Integration testing on PA-3020 platform (version 5.0.0)
  • Full documentation of the solution (architecture, design, APIs)
Out-of-scope
  • Support of inline deployment with hardware load-balancer (e.g.: Netscaler).
  • Firewalling between VLANs within an advanced network.
  • Firewalling between VM instances.
  • Exposing any Palo Alto features having no equivalent UI/API in CloudStack.

Architecture and Design description

Here is a basic diagram showing some of the technical detail of how the Palo Alto (PA) firewall will handle the CloudStack (CS) networks:

  • AE1 is an Aggregated Interface (or Ethernet interface) which links out to the Public Internet from the PA. If you are using multiple public IP ranges in CS, you will need this to be trunked.
  • AE1 will have one subinterface per public IP range in CS, named by the range's public VLAN tag: an untagged range uses ae1.9999; ranges with VLAN tags x and y use ae1.x and ae1.y
  • Each subinterface on AE1 needs a preconfigured IP with a non-/32 prefix; that prefix defines the subnet used to route the public range's traffic upstream to the next hop
  • AE2 is an Aggregated Interface (or Ethernet interface) which connects the PA device over a trunked connection to CS and the Hypervisor (eg: Xen)
  • Each CS network will have a dedicated L3 subinterface on the PA through the AE2 aggregate interface (eg: AE2.3301, AE2.3302 and AE2.3303)
  • Each subinterface on AE2 (eg: AE2.3301) will act as the default gateway for its corresponding CS network
  • Each CS network will have Source NAT rules between an IP on the public subinterface on AE1 and its corresponding AE2 subinterface (eg: AE2.3301)
  • Each CS network will have a unique and CS valid VLAN ID (color coordinated in diagram)
  • Each CS network will have a non-overlapping CIDR (subnet) and the default gateway subinterface on the PA will be the first ip in this range
  • The public interface AE1 will be in the Untrusted Zone
  • The private interface AE2 will be in the Trusted Zone
  • CS will manage Firewall rules between the untrusted zone and the trusted zone, expressed as CIDRs (subnets)
  • CS will manage Static NAT rules between a Public IP on the public subinterface and the IP of a VM in CS
  • CS will manage Port Forwarding rules between a Public IP on the public subinterface and the IP of a specific VM on the specified ports
  • There will be one Virtual Router on PA which will handle all of the routing
  • Each CS network will have an associated VR in CS which will handle services not yet handled by the PA (eg: DNS, DHCP, ...)
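As an added example of the CS-to-PA rule mapping described above (this is not the plugin's own code), the following builds the xpath/element pair that the PAN-OS XML API accepts for a 'type=config&action=set' call, for one CloudStack ingress or egress firewall rule between the two zones. The zone names 'untrust'/'trust', the single-vsys path, and the rule and service-object naming are this example's assumptions; nothing is sent to a firewall, the strings are returned for inspection.

```python
"""Translate a CloudStack firewall rule into a PAN-OS security-policy request.

Added example, not the plugin's code. Assumes the PAN-OS XML API config 'set'
call and a single vsys; zone names and naming conventions are assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# Assumed single-vsys device path; a real deployment may differ.
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']")
ZONE_PUBLIC = "untrust"   # assumed name for the page's Untrusted Zone (AE1)
ZONE_PRIVATE = "trust"    # assumed name for the page's Trusted Zone (AE2)


@dataclass(frozen=True)
class CsFirewallRule:
    """The fields of a CloudStack firewall rule that matter for the mapping."""
    direction: str                       # "ingress" or "egress"
    protocol: str                        # "tcp", "udp", "icmp" or "all"
    cidrs: List[str]                     # ingress: allowed sources; egress: allowed destinations
    public_ip: Optional[str] = None      # ingress: the CS public IP the rule protects
    network_cidr: Optional[str] = None   # egress: the CS guest network CIDR
    start_port: Optional[int] = None
    end_port: Optional[int] = None


def _port_tag(rule: CsFirewallRule) -> str:
    """'tcp-22-22', 'udp-5000-5010', or just the protocol when ports do not apply."""
    if rule.protocol in ("tcp", "udp") and rule.start_port is not None:
        return f"{rule.protocol}-{rule.start_port}-{rule.end_port or rule.start_port}"
    return rule.protocol


def service_object(rule: CsFirewallRule) -> Optional[Tuple[str, str]]:
    """(xpath, element) for the service object a tcp/udp rule references, else None."""
    if rule.protocol not in ("tcp", "udp") or rule.start_port is None:
        return None
    end = rule.end_port or rule.start_port
    ports = str(rule.start_port) if end == rule.start_port else f"{rule.start_port}-{end}"
    proto = ET.Element("protocol")
    ET.SubElement(ET.SubElement(proto, rule.protocol), "port").text = ports
    name = "cs-" + _port_tag(rule)
    return (f"{VSYS_XPATH}/service/entry[@name='{name}']",
            ET.tostring(proto, encoding="unicode"))


def _members(parent: ET.Element, tag: str, values: List[str]) -> None:
    node = ET.SubElement(parent, tag)
    for value in values:
        ET.SubElement(node, "member").text = value


def security_rule(rule: CsFirewallRule) -> Tuple[str, str]:
    """(xpath, element) for the allow rule between the two zones.

    Ingress is untrust -> trust with the CS public IP as destination: PAN-OS
    matches security policy on the pre-NAT destination, so the public IP (not
    the VM's private IP) is what the rule names even when static NAT or port
    forwarding rewrites it. Egress is trust -> untrust from the guest CIDR.
    """
    if rule.direction == "ingress":
        if not rule.public_ip:
            raise ValueError("ingress rule needs public_ip")
        zones = (ZONE_PUBLIC, ZONE_PRIVATE)
        sources, destinations = (rule.cidrs or ["any"]), [rule.public_ip]
        name = f"cs-in-{rule.public_ip}-{_port_tag(rule)}"
    elif rule.direction == "egress":
        if not rule.network_cidr:
            raise ValueError("egress rule needs network_cidr")
        zones = (ZONE_PRIVATE, ZONE_PUBLIC)
        sources, destinations = [rule.network_cidr], (rule.cidrs or ["any"])
        name = f"cs-out-{rule.network_cidr.replace('/', '-')}-{_port_tag(rule)}"
    else:
        raise ValueError(f"unknown direction {rule.direction!r}")

    svc = service_object(rule)
    root = ET.Element("wrapper")  # only its children are serialised
    _members(root, "from", [zones[0]])
    _members(root, "to", [zones[1]])
    _members(root, "source", sources)
    _members(root, "destination", destinations)
    _members(root, "source-user", ["any"])
    _members(root, "category", ["any"])
    _members(root, "application", ["icmp"] if rule.protocol == "icmp" else ["any"])
    _members(root, "service", ["cs-" + _port_tag(rule)] if svc else ["any"])
    _members(root, "hip-profiles", ["any"])
    ET.SubElement(root, "action").text = "allow"
    element = "".join(ET.tostring(child, encoding="unicode") for child in root)
    return f"{VSYS_XPATH}/rulebase/security/rules/entry[@name='{name}']", element


def config_set_request(host: str, api_key: str, xpath: str, element: str) -> str:
    """URL for a PAN-OS XML API config 'set' call (the key comes from type=keygen)."""
    query = urlencode({"type": "config", "action": "set", "key": api_key,
                       "xpath": xpath, "element": element})
    return f"https://{host}/api/?{query}"


if __name__ == "__main__":
    # Constructed sample: allow SSH from one office CIDR to a CS public IP.
    ssh_in = CsFirewallRule("ingress", "tcp", ["198.51.100.0/24"],
                            public_ip="172.30.0.100", start_port=22, end_port=22)
    for xpath, element in (service_object(ssh_in), security_rule(ssh_in)):
        print(config_set_request("pa.example", "APIKEY", xpath, element))
```

The service object has to exist before the policy that references it, which is why the sample emits it first; the policy change only takes effect after a separate commit call, and the API key used here should belong to a dedicated least-privilege PAN-OS admin rather than a superuser.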

Install Instructions

Compile the code with the 'nonoss' flag.

Pre-configuration Requirements

  • For each public IP range configured in CS, create a subinterface on AE1 with an IP that lies inside the public CIDR containing the range but outside the range itself (any such address that is not the upstream gateway will do). Do not use an address inside the range, since CS will hand those out to tenants.
  • The subinterface on AE1 needs to be named using the public VLAN tag configured in CS. An untagged range is named using 9999, aka AE1.9999. If you are using an untagged interface, you need to allow 'untagged subinterface' in the advanced tab of the parent interface. Palo Alto does not support both untagged and tagged subinterfaces on the same parent interface, so keep that in mind when defining your public ranges in CloudStack.
  • You need one Static Route created on the PA Virtual Router which routes destination 0.0.0.0/0 to the gateway of the next hop.

Examples (more in UI flow below):
1 IP Range in CS:
Gateway:172.30.0.1, Netmask:255.255.255.0, IP Range:172.30.0.100-172.30.0.199, VLAN:untagged
=> You would configure an IP on AE1.9999 with something like: 172.30.0.254/24

2 IP Ranges in CS:
Gateway:172.30.0.1, Netmask:255.255.255.0, IP Range:172.30.0.100-172.30.0.199, VLAN:3030
Gateway:172.30.1.1, Netmask:255.255.255.0, IP Range:172.30.1.100-172.30.1.199, VLAN:3031
=> You would configure an IP on AE1.3030 with something like: 172.30.0.2/24
=> You would configure an IP on AE1.3031 with something like: 172.30.1.2/24
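As an added example (not part of the original page or the plugin), the following derives the AE1 subinterface name from a CloudStack public range and checks a proposed PA-side IP against the pre-configuration rules above: a non-/32 prefix matching the public CIDR, an address outside the CS range, and not the upstream gateway. It also flags the untagged-plus-tagged mix on one parent interface that Palo Alto rejects. The two sample ranges are the ones from the examples above; the helper names are this example's own.

```python
"""Derive and check the AE1 pre-configuration for CloudStack public IP ranges.

Added example, not the plugin's code. The ae1.<vlan> / ae1.9999 naming and the
IP placement rules come from the page; everything else is this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

UNTAGGED_TAG = 9999      # page convention for an untagged public range
PUBLIC_PARENT = "ae1"    # the public aggregate (or Ethernet) interface


@dataclass(frozen=True)
class PublicRange:
    """One public IP range as entered in CloudStack."""
    gateway: str
    netmask: str
    first_ip: str
    last_ip: str
    vlan: Optional[int] = None   # None = untagged

    @property
    def cidr(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.gateway}/{self.netmask}", strict=False)

    def covers(self, ip: ipaddress.IPv4Address) -> bool:
        return ipaddress.ip_address(self.first_ip) <= ip <= ipaddress.ip_address(self.last_ip)


def subinterface_name(rng: PublicRange, parent: str = PUBLIC_PARENT) -> str:
    """ae1.<vlan>, or ae1.9999 for an untagged range."""
    return f"{parent}.{UNTAGGED_TAG if rng.vlan is None else rng.vlan}"


def check_pa_ip(rng: PublicRange, pa_ip: str) -> List[str]:
    """Problems with a proposed PA IP/prefix for this range (empty list = OK)."""
    iface = ipaddress.ip_interface(pa_ip)
    problems = []
    if iface.network.prefixlen == 32:
        problems.append("must not be a /32: the prefix defines the subnet routed upstream")
    if iface.network != rng.cidr:
        problems.append(f"prefix {iface.network} does not match the public CIDR {rng.cidr}")
    if iface.ip not in rng.cidr:
        problems.append(f"{iface.ip} is outside the public CIDR {rng.cidr}")
    elif iface.ip in (rng.cidr.network_address, rng.cidr.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address")
    if rng.covers(iface.ip):
        problems.append(f"{iface.ip} is inside the CS range; CS would assign it to a tenant")
    if iface.ip == ipaddress.ip_address(rng.gateway):
        problems.append(f"{iface.ip} is the upstream gateway address")
    return problems


def check_parent_tagging(ranges: List[PublicRange]) -> List[str]:
    """Palo Alto will not mix an untagged subinterface with tagged ones on one parent."""
    tagged = [r for r in ranges if r.vlan is not None]
    untagged = [r for r in ranges if r.vlan is None]
    if tagged and untagged:
        names = ", ".join(subinterface_name(r) for r in tagged)
        return [f"{PUBLIC_PARENT} cannot carry both {subinterface_name(untagged[0])} and {names}"]
    return []


if __name__ == "__main__":
    # Constructed input: the two-range example from the page.
    ranges = [
        PublicRange("172.30.0.1", "255.255.255.0", "172.30.0.100", "172.30.0.199", vlan=3030),
        PublicRange("172.30.1.1", "255.255.255.0", "172.30.1.100", "172.30.1.199", vlan=3031),
    ]
    proposed = {"ae1.3030": "172.30.0.2/24", "ae1.3031": "172.30.1.2/24"}
    for rng in ranges:
        name = subinterface_name(rng)
        print(name, proposed[name], check_pa_ip(rng, proposed[name]) or "OK")
    print(check_parent_tagging(ranges) or "tagging OK")
```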

UI flow

Pre-configure the Palo Alto firewall
Initial setup of the Palo Alto interfaces (in this case Aggregate Ethernet)

Initial Public and Private interface config on Palo Alto (does not have to be Aggregate Ethernet)



Initial configuration of CloudStack
Configure service providers

Add Palo Alto as a service provider

Enable the Palo Alto service provider

Add a new Palo Alto network service offering

Enable Palo Alto network service offering



Setup and use a Palo Alto network
Add a new network using the Palo Alto network service offering

Launch a VM on the newly created network

The network details for the newly created VM

Results on the Palo Alto: Sub-interfaces have been created for the Public IP and the Private Gateway

A Source NAT rule has been created to link the sub-interfaces



Egress Firewall Rules
CloudStack config

Resulting Security Policy on the Palo Alto



Ingress Firewall Rules
CloudStack config (for a specific IP)

Resulting Security Policy on the Palo Alto



Port Forwarding Rules (Destination NAT)
View IP addresses for your network.

Acquire an IP

Configure a Port Forwarding rule for this new IP



Resulting Port Forwarding rule on the Palo Alto



Static NAT Rules
View IP addresses for your network

Acquire an IP

Enable Static NAT

Associate the Static NAT rule with a VM

Resulting Static NAT rule on the Palo Alto

Web Services APIs

CloudStack API commands

commands.properties.in
#### Palo Alto firewall commands
addExternalFirewall=1
deleteExternalFirewall=1
listExternalFirewalls=1

addPaloAltoFirewall=1
deletePaloAltoFirewall=1
configurePaloAltoFirewall=1
listPaloAltoFirewalls=1
listPaloAltoFirewallNetworks=1

IP Clearance

I do not intend to use any code outside of CloudStack. I will be using the Palo Alto APIs, which are documented in:
XML-API-5-1.0-RevA.pdf
XML_API_Training.pdf

Unit Tests

Here is the result of the tests without additional detail: palo_alto_tests_without_logging.txt
Here is the result of the tests with additional detail: palo_alto_tests_with_logging.txt

There is a flag in the unit tests that can be used to turn the detail on and off.

Because this plugin requires communication with a third-party API, the detailed view of the tests shows a play-by-play of the API commands being run and their results.

Presentations

Here is a presentation which was given at the CloudStack Collaboration Conference: CS_PA_Integration.pptx
