Bug Reference
CLOUDSTACK-1275
Branch
The code has been merged into ACS master, so we will be working from that now...
github.com/cloudops/cs_palo_alto
=> 'palo_alto' branch is a work in progress and is the current status of the integration
=> 'master' branch is a point in time of the cloudstack master branch which the 'palo_alto' branch is working from (I pull in changes periodically)
Install instructions below...
Current state of the integration:
WORKING!!!
- List/Add/Delete Palo Alto service provider
- List/Add/Delete Palo Alto network service offering
- List/Add/Delete Palo Alto network with above service offering
- Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule)
- List/Add/Delete Ingress Firewall rule
- List/Add/Delete Egress Firewall rule
- List/Add/Delete Port Forwarding rule
- List/Add/Delete Static Nat rule
- Basic Unit Tests
IN PROGRESS!!!
Introduction
The goal of this project is to enable basic integration of Palo Alto’s firewall products into the Apache CloudStack 4.x platform.
By leveraging CloudStack extension points, this project will allow configuring a Palo Alto firewall as a service provider to override services typically offered by CloudStack’s virtual routers, such as Firewall, NAT & Port forwarding.
Proper orchestration will be developed so that calling the CloudStack APIs for these services will be transparently routed to the corresponding services on the Palo Alto firewall.
Purpose
This document is intended to keep the community abreast with the functionality being added with the integration of Palo Alto firewalls as a service provider.
References
Palo Alto API docs are included at the end of this document.
Feature Specifications
In-Scope
- Support of CloudStack advanced network topology.
- Support of multiple Palo Alto firewalls.
- Support of parallel deployment with hardware load-balancer (e.g.: Netscaler).
- Configuration of connectivity with Palo Alto firewall through CloudStack UI and persistence of this information.
- Allow selection of Palo Alto firewall when defining CloudStack network service offering for:
- Firewall (Ingress & Egress)
- Source NAT
- Static NAT
- Port forwarding
- Support of virtual Palo Alto firewall.
- Communication layer with Palo Alto APIs.
- Mapping of CloudStack APIs to corresponding Palo Alto APIs.
- Proper display of Palo Alto connectivity status in CloudStack UI.
- Functional/Integration testing on PA-3020 platform (version 5.0.0)
- Full documentation of the solution (architecture, design, APIs)
Out-of-scope
- Support of inline deployment with hardware load-balancer (e.g.: Netscaler).
- Firewalling between VLANs within an advanced network.
- Firewalling between VM instances.
- Exposing any Palo Alto features having no equivalent UI/API in CloudStack.
Architecture and Design description
Here is a basic diagram showing some of the technical detail of how the Palo Alto (PA) firewall will handle the CloudStack (CS) networks:
- AE1 is an Aggregated Interface (or Ethernet interface) which links out to the Public Internet from the PA. If you are using multiple public IP ranges in CS, you will need this to be trunked.
- AE1 will have one subinterface per public IP range in CS which will be named according to: untagged = ae1.9999 | public vlan tags of x and y = ae1.x and ae1.y
- Each subinterface on AE1 will include a non-/32 IP which will need to be preconfigured and will define the subnet to route that public range's traffic upstream to the next hop
- AE2 is an Aggregated Interface (or Ethernet interface) which connects the PA device over a trunked connection to CS and the Hypervisor (eg: Xen)
- Each CS network will have a dedicated L3 subinterface on the PA through the AE2 aggregate interface (eg: AE2.3301, AE2.3302 and AE2.3303)
- Each subinterface on AE2 (eg: AE2.3301) will act as the default gateway for its corresponding CS network
- Each CS network will have SourceNAT rules between an IP on the public subinterface on AE1 and its corresponding AE2 subinterface (eg: AE2.3301)
- Each CS network will have a unique and CS valid VLAN ID (color coordinated in diagram)
- Each CS network will have a non-overlapping CIDR (subnet) and the default gateway subinterface on the PA will be the first IP in this range
- The public interface AE1 will be in the Untrusted Zone
- The private interface AE2 will be in the Trusted Zone
- CS will manage Firewall rules between the untrusted zone and the trusted zone through CIDRs (subnets)
- CS will manage StaticNAT rules between a Public IP on the public subinterface and with the IP of a VM in CS
- CS will manage Port Forwarding rules between a Public CIDR and the IP of a specific VM on specified ports
- There will be one Virtual Router on PA which will handle all of the routing
- Each CS network will have an associated VR in CS which will handle services not yet handled by the PA (eg: DNS, DHCP, ...)
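The following is an added example and is not code from the CloudStack Palo Alto plugin. It shows how the Firewall and Static NAT rules that CS manages between the untrusted and trusted zones (above) map onto PAN-OS XML API calls: a keygen to obtain an API key, one or more 'set' calls against the vsys configuration, and a commit. The request shapes and the /config/devices/.../vsys/.../rulebase xpaths are standard PAN-OS XML API; the zone names, vsys name and the cs_* rule-naming scheme are assumptions made for illustration.

```python
"""Added example, not code from the CloudStack Palo Alto plugin: it shows how
the firewall and static NAT rules CS manages between the two zones map onto
PAN-OS XML API calls.  The request shapes (type=keygen, type=config&action=set,
type=commit) and the vsys/rulebase xpaths are standard PAN-OS; the zone names,
vsys name and rule-naming scheme are assumptions for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

VSYS = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
PUBLIC_ZONE = "untrust"   # assumed name of the Untrusted Zone holding the AE1 subinterfaces
PRIVATE_ZONE = "trust"    # assumed name of the Trusted Zone holding the AE2 subinterfaces


@dataclass
class CsFirewallRule:
    """The fields of a CloudStack ingress firewall rule that the mapping needs."""
    rule_id: int
    public_ip: str
    protocol: str                      # 'tcp', 'udp' or 'icmp'
    start_port: Optional[int] = None
    end_port: Optional[int] = None
    source_cidrs: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])


def _members(tag: str, values: List[str]) -> str:
    """<tag><member>v1</member>...</tag>, the list form PAN-OS uses for zones/addresses."""
    el = ET.Element(tag)
    for v in values:
        ET.SubElement(el, "member").text = v
    return ET.tostring(el, encoding="unicode")


def keygen_request(user: str, password: str) -> Dict[str, str]:
    """Exchanges admin credentials for the API key every other call carries."""
    return {"type": "keygen", "user": user, "password": password}


def set_request(api_key: str, xpath: str, element: str) -> Dict[str, str]:
    """One candidate-config 'set'; nothing takes effect until a commit."""
    return {"type": "config", "action": "set", "key": api_key,
            "xpath": xpath, "element": element}


def commit_request(api_key: str) -> Dict[str, str]:
    return {"type": "commit", "key": api_key, "cmd": "<commit></commit>"}


def ingress_rule_requests(api_key: str, rule: CsFirewallRule) -> List[Dict[str, str]]:
    """CS ingress rule -> (service object for the port range) + security policy + commit.
    PAN-OS evaluates security policy on pre-NAT addresses but post-NAT zones, so the
    destination stays the CS public IP while the 'to' zone is the private zone."""
    reqs = []
    if rule.protocol == "icmp":
        application, service = ["icmp", "ping"], ["application-default"]
    else:
        svc = f"cs_svc_{rule.protocol}_{rule.start_port}_{rule.end_port}"
        proto = ET.Element("protocol")
        ET.SubElement(ET.SubElement(proto, rule.protocol), "port").text = \
            f"{rule.start_port}-{rule.end_port}"
        reqs.append(set_request(api_key, f"{VSYS}/service/entry[@name='{svc}']",
                                ET.tostring(proto, encoding="unicode")))
        application, service = ["any"], [svc]
    policy = (_members("from", [PUBLIC_ZONE]) + _members("to", [PRIVATE_ZONE])
              + _members("source", rule.source_cidrs)
              + _members("destination", [rule.public_ip])
              + _members("application", application) + _members("service", service)
              + "<action>allow</action>")
    reqs.append(set_request(api_key,
                            f"{VSYS}/rulebase/security/rules/entry[@name='cs_ingress_{rule.rule_id}']",
                            policy))
    reqs.append(commit_request(api_key))
    return reqs


def static_nat_requests(api_key: str, rule_id: int, public_ip: str, vm_ip: str) -> List[Dict[str, str]]:
    """CS static NAT -> one bi-directional static-ip NAT rule: outbound traffic from
    the VM is source-translated to the public IP, and 'bi-directional' makes the PA
    install the matching inbound destination translation as well."""
    nat = (_members("from", [PRIVATE_ZONE]) + _members("to", [PUBLIC_ZONE])
           + _members("source", [vm_ip]) + _members("destination", ["any"])
           + "<service>any</service><source-translation><static-ip>"
           + f"<translated-address>{public_ip}</translated-address>"
           + "<bi-directional>yes</bi-directional></static-ip></source-translation>")
    return [set_request(api_key, f"{VSYS}/rulebase/nat/rules/entry[@name='cs_staticnat_{rule_id}']", nat),
            commit_request(api_key)]


def request_url(base_url: str, params: Dict[str, str]) -> str:
    """GET URL for a call. The key is a bearer credential: send it only over HTTPS
    with the PA certificate verified (the factory cert is self-signed, so install
    the device CA or pin the cert rather than disabling verification)."""
    return base_url.rstrip("/") + "/api/?" + urlencode(params)
```

Two points worth keeping in mind when wiring this up for real: every 'set' is only a candidate-configuration change until the commit succeeds, so a CS API call should not report success before the commit job completes; and the API key obtained from keygen is equivalent to the admin password for as long as it is valid, so it belongs in the same protected storage as the firewall credentials CS already persists.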
Install Instructions
Compile the code with the 'nonoss' flag.
Pre-configuration Requirements
- For each public IP range configured in CS, you will need to create a subinterface on AE1 with an IP that is outside the range configured in CS but inside the CIDR that contains the whole range. Any IP in the public CIDR that is not in the public IP range will do.
- The subinterface on AE1 needs to be named using the public VLAN tag configured in CS. An untagged range is named using 9999, i.e. AE1.9999. If you are using an untagged subinterface, you need to allow 'untagged subinterface' in the advanced tab of the parent interface. Palo Alto does not support both untagged and tagged subinterfaces on the same parent interface, so keep that in mind when defining your public ranges in CloudStack.
- You need one Static Route created on the PA Virtual Router which will route destination 0.0.0.0/0 to the gateway of the next hop.
Examples (more in UI flow below):
1 IP Range in CS:
Gateway:172.30.0.1, Netmask:255.255.255.0, IP Range:172.30.0.100-172.30.0.199, VLAN:untagged
=> You would configure an IP on AE1.9999 with something like: 172.30.0.254/24
2 IP Ranges in CS:
Gateway:172.30.0.1, Netmask:255.255.255.0, IP Range:172.30.0.100-172.30.0.199, VLAN:3030
Gateway:172.30.1.1, Netmask:255.255.255.0, IP Range:172.30.1.100-172.30.1.199, VLAN:3031
=> You would configure an IP on AE1.3030 with something like: 172.30.0.2/24
=> You would configure an IP on AE1.3031 with something like: 172.30.1.2/24
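As an added example (not part of the plugin or of the original page), the following script derives the AE1 subinterface name for each CS public IP range and checks a candidate PA IP against the pre-configuration requirements above: inside the public CIDR, not the network or broadcast address, not the upstream gateway, and not inside the range CS hands out to VMs. It also applies the cross-range caveat that tagged and untagged subinterfaces cannot share one parent interface. The range definitions at the bottom are constructed sample input mirroring the two examples in the text.

```python
"""Added example, not part of the plugin: derives the AE1 subinterface name and
validates a pre-configured PA IP for each CloudStack public IP range, following
the pre-configuration requirements above.  The CS ranges at the bottom are
constructed sample input mirroring the two examples in the text."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional

UNTAGGED_TAG = 9999   # the document's convention: an untagged public range is AE1.9999


@dataclass(frozen=True)
class CsPublicRange:
    """One CloudStack public IP range as entered in the zone/physical network UI."""
    gateway: str
    netmask: str
    start_ip: str
    end_ip: str
    vlan: Optional[int] = None          # None means 'untagged'

    def cidr(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.gateway}/{self.netmask}", strict=False)

    def subinterface(self, parent: str = "ae1") -> str:
        return f"{parent}.{UNTAGGED_TAG if self.vlan is None else self.vlan}"

    def in_cs_range(self, ip: ipaddress.IPv4Address) -> bool:
        return ipaddress.ip_address(self.start_ip) <= ip <= ipaddress.ip_address(self.end_ip)


def check_pa_ip(rng: CsPublicRange, candidate: str) -> List[str]:
    """Reasons the candidate must NOT be put on the AE1 subinterface; empty means OK."""
    ip, net = ipaddress.ip_address(candidate), rng.cidr()
    problems = []
    if ip not in net:
        problems.append(f"{ip} is outside the public CIDR {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if ip == ipaddress.ip_address(rng.gateway):
        problems.append(f"{ip} is the upstream gateway (next hop of the 0.0.0.0/0 route)")
    if rng.in_cs_range(ip):
        problems.append(f"{ip} is inside the CS range {rng.start_ip}-{rng.end_ip}; CS would hand it to a VM")
    return problems


def pick_pa_ip(rng: CsPublicRange) -> ipaddress.IPv4Address:
    """Highest host address in the CIDR that passes check_pa_ip (e.g. .254 for a /24)."""
    for host in reversed(list(rng.cidr().hosts())):
        if not check_pa_ip(rng, str(host)):
            return host
    raise ValueError(f"no usable address left in {rng.cidr()}")


def check_ranges(ranges: List[CsPublicRange]) -> List[str]:
    """Cross-range checks on one AE1 parent: no mixing of tagged and untagged
    subinterfaces (the PA does not support it), and no overlapping CIDRs on
    different subinterfaces (the PA virtual router could not route them apart)."""
    problems = []
    tagged = [r for r in ranges if r.vlan is not None]
    if tagged and len(tagged) != len(ranges):
        problems.append("untagged and tagged public ranges cannot share one PA parent interface")
    for a, b in combinations(ranges, 2):
        if a.vlan != b.vlan and a.cidr().overlaps(b.cidr()):
            problems.append(f"{a.subinterface()} and {b.subinterface()} carry overlapping CIDRs")
    return problems


# Constructed sample input: the two configurations shown in the examples above.
SINGLE_UNTAGGED = CsPublicRange("172.30.0.1", "255.255.255.0", "172.30.0.100", "172.30.0.199")
TAGGED_PAIR = [
    CsPublicRange("172.30.0.1", "255.255.255.0", "172.30.0.100", "172.30.0.199", 3030),
    CsPublicRange("172.30.1.1", "255.255.255.0", "172.30.1.100", "172.30.1.199", 3031),
]

if __name__ == "__main__":
    for rng in [SINGLE_UNTAGGED, *TAGGED_PAIR]:
        print(f"{rng.subinterface()}: configure {pick_pa_ip(rng)}/{rng.cidr().prefixlen}")
    print(check_pa_ip(SINGLE_UNTAGGED, "172.30.0.150"))
    print(check_ranges([SINGLE_UNTAGGED, *TAGGED_PAIR]))
```

For the single untagged range the script picks 172.30.0.254/24, the same address the example above suggests; for the tagged pair it picks .254 in each /24 where the text chose .2, and either is valid because both are inside the public CIDR and outside the CS range. Running check_ranges over the untagged range together with the tagged pair reports the two things a PA will reject or misroute: an untagged subinterface mixed with tagged ones on AE1, and two subinterfaces carrying the same 172.30.0.0/24.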
UI flow
Pre-configure the Palo Alto firewall
Initial setup of the Palo Alto interfaces (in this case Aggregate Ethernet)
Initial Public and Private interface config on Palo Alto (does not have to be Aggregate Ethernet)
Initial configuration of CloudStack
Configure service providers
Add Palo Alto as a service provider
Enable the Palo Alto service provider
Add a new Palo Alto network service offering
Enable Palo Alto network service offering
Setup and use a Palo Alto network
Add a new network using the Palo Alto network service offering
Launch a VM on the newly created network
The network details for the newly created VM
Results on the Palo Alto: Sub-interfaces have been created for the Public IP and the Private Gateway
A Source NAT rule has been created to link the sub-interfaces
Egress Firewall Rules
CloudStack config
Resulting Security Policy on the Palo Alto
Ingress Firewall Rules
CloudStack config (for a specific IP)
Resulting Security Policy on the Palo Alto
Port Forwarding Rules (Destination NAT)
View IP addresses for your network
Acquire an IP
Configure a Port Forwarding rule for this new IP
Resulting Port Forwarding rule on the Palo Alto
Static NAT Rules
View IP addresses for your network
Acquire an IP
Enable Static NAT
Associate the Static NAT rule with a VM
Resulting Static NAT rule on the Palo Alto
Web Services APIs
CloudStack API commands
#### Palo Alto firewall commands
addExternalFirewall=1
deleteExternalFirewall=1
listExternalFirewalls=1
addPaloAltoFirewall=1
deletePaloAltoFirewall=1
configurePaloAltoFirewall=1
listPaloAltoFirewalls=1
listPaloAltoFirewallNetworks=1
IP Clearance
I do not intend to use any code outside of CloudStack. I will be using the Palo Alto APIs which are documented in:
XML-API-5-1.0-RevA.pdf
XML_API_Training.pdf
Unit Tests
Here is the result of the tests without additional detail: palo_alto_tests_without_logging.txt
Here is the result of the tests with additional detail: palo_alto_tests_with_logging.txt
There is a flag in the unit tests that can be used to turn the detail on and off.
Because this plugin requires communication with a third-party API, the detailed view of the tests will show a play-by-play of the API commands being run and their results.
Presentations
Here is a presentation which was given at the CloudStack Collaboration Conference: CS_PA_Integration.pptx