Strata by Palo Alto Networks | Secure Application Workloads with VM-Series Firewalls on Oracle Cloud Infrastructure | White Paper 1
Overview
Securely move or extend application workloads from Oracle E-Business Suite or PeopleSoft® in the cloud using Palo Alto Networks VM-Series Virtual Next-Generation Firewalls (NGFWs). VM-Series NGFWs secure multi-cloud environments by providing full visibility and control over traffic to and from custom applications, consistent cross-cloud firewall management and policy enforcement, exfiltration and threat prevention powered by machine learning (ML), and automated deployment and provisioning capabilities to keep up with even the most dynamic environments.
Security in the cloud is based on a shared responsibility model. In this model, Oracle is responsible for the security of the underlying infrastructure, such as data center facilities as well as the hardware and software to manage cloud operations and services. Customers, meanwhile, are responsible for securing their workloads and configuring their services and applications securely to meet their compliance obligations.
VM-Series firewalls provide consistent threat prevention and inline network security across cloud environments, helping network
security teams regain visibility and control over traffic in their cloud networks. The key features of the VM-Series include Layer 7
firewall functionality, cloud-delivered security subscriptions, and consolidated security management.
Figure 1: VM-Series key features: Layer 7 stateful firewall; Threat Prevention (TP); URL Filtering (UF); WildFire malware prevention (WF); DNS Security (DNS); GlobalProtect (GP); Panorama consolidated security management (PN).
Architecture
This reference architecture illustrates how organizations can protect Oracle applications, like Oracle E-Business Suite and
PeopleSoft, deployed in Oracle Cloud Infrastructure (OCI) using VM-Series NGFWs.
To protect these traffic flows, Palo Alto Networks recommends segmenting the network using a hub-and-spoke topology, where
traffic is routed through a central hub and connected to multiple distinct networks (spokes). All traffic between spokes—whether
to and from the internet, to and from on-premises infrastructure, or to the Oracle Services Network—is routed through the hub,
where the VM-Series NGFW’s multilayered threat prevention technologies provide inspection.
Deploy each tier of your application in its own virtual cloud network (VCN), which acts as a spoke. The hub VCN contains a
VM-Series NGFW high availability cluster, Oracle internet gateway, dynamic routing gateway (DRG), Oracle Service Gateway, and
local peering gateways (LPGs).
The hub VCN connects to the spoke VCNs through LPGs or by attaching secondary virtual network interface cards (VNICs) to the VM-Series NGFW. Each spoke's route table sends all of its traffic through the spoke LPG to the hub, where the VM-Series NGFW high availability cluster inspects it before it continues to its destination.
You can configure and manage the VM-Series NGFW locally, or you can manage it centrally using Panorama™ network security management. Panorama helps reduce complexity and administrative overhead in managing configuration, policies, software, and dynamic content updates. Using device groups and templates on Panorama, you can keep firewall-specific configuration local to a firewall while enforcing shared policies across all firewalls or device groups. Figure 2 illustrates this reference architecture.
Figure 2: Reference architecture: a spoke VCN with a spoke subnet (10.0.0.0/24) hosting web/application virtual machines behind a load balancer; the spoke route table (destination CIDR / route target) sends traffic to the spoke LPG over the peered connection to the hub.
North-South Outbound Traffic
Figure 4 illustrates outbound connections from the web application and database tiers to the internet, for example for software updates and access to external web services. For this flow, configure source NAT on the VM-Series firewall for the relevant spoke networks, so that outbound sessions leave from the firewall's untrust address and their return traffic comes back through the firewall rather than being dropped.
Figure 4: North-south outbound flow: the WebApp tier spoke VCN (10.0.0.0/24) with its spoke route table (0.0.0.0/0 -> LPG WebApp Spoke) sends traffic over the peered connection to the hub VCN (192.168.0.0/16), where the VM-Series firewall (vNIC2) forwards it to the internet or, for 172.16.0.0/12, to the DRG. The same page also shows a flow arriving at the load balancer (DST = 10.0.1.10).
East-West Traffic: Database to Web
Figure 6 illustrates how traffic moves from the database tier spoke to the web application tier spoke, passing through the VM-Series NGFW in the hub on the way.
Figure 6: East-west flow, database to web: traffic reaches the hub VCN (192.168.0.0/16) over the peered connection and LPG Hub, is inspected by the VM-Series firewall (vNIC2), and the hub route table (10.0.0.0/24 -> LPG Hub) returns it to the WebApp tier spoke VCN (10.0.0.0/24), load balancer 10.0.0.10. The Oracle Services Network is also shown attached to the hub.
East-West Traffic: Oracle Services Network to Web Application
Figure 8 illustrates how traffic from the Oracle Services Network enters the hub through the service gateway, is inspected by the VM-Series NGFW, and is routed on to the web application.
Figure 8: East-west flow, Oracle Services Network to web application: traffic enters the hub VCN (192.168.0.0/16) trust subnet with DST = 10.0.0.10, is routed via LPG Hub over the peered connection to LPG WebApp Spoke, and reaches the WebApp tier subnet (10.0.0.0/24) load balancer at 10.0.0.10.
• Database tier spoke VCN: This VCN contains a private subnet for hosting Oracle databases.
• Load balancer: The OCI Load Balancing service distributes traffic from a single entry point to multiple backend servers.
• Security list: For each subnet, you can create security rules that specify the source, destination, and type of traffic allowed in and out of the subnet.
• Route table: Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways. In the hub VCN, you have the following route tables:
• Management route table attached to the management subnet, with a default route to the internet gateway.
• Untrust route table attached to the untrust subnet (or used as the VCN default route table) for routing traffic from the hub VCN to internet or on-premises targets.
• Trust route table attached to the trust subnet, pointing the CIDR blocks of the spoke VCNs to the associated LPGs.
• High availability route table attached to the high availability subnet, used for HA communication between the VM-Series NGFWs.
• A distinct route table defined and attached to the associated LPG for each spoke attached to the hub. These route tables forward all traffic (0.0.0.0/0) arriving from the spoke LPG to the VM-Series NGFW trust interface floating IP.
• Oracle Service Gateway route table attached to the service gateway for Oracle Services Network communication. This route table forwards all traffic (0.0.0.0/0) to the VM-Series NGFW trust floating IP.
• Static routes on each VM-Series NGFW for the spoke CIDR blocks, with the default gateway IP of the trust (internal) subnet in the hub VCN as next hop. These keep return traffic to the spokes on the same path as the forward traffic so that flows stay symmetric and the firewall sees both directions.
• Internet gateway: This allows traffic between the public subnets in a VCN and the public internet.
• NAT gateway: This enables private resources in a VCN to access hosts on the internet without exposing those resources to incoming internet connections.
• Local peering gateway (LPG): An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate via private IP addresses without the traffic traversing the internet or routing through your on-premises network.
• Dynamic routing gateway (DRG): The DRG is a virtual router that provides a path for private network traffic between a VCN and a network outside the region, such as a VCN in another OCI region, an on-premises network, or a network in another cloud provider.
• Service gateway: This provides access from a VCN to other services, such as OCI Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.
• OCI FastConnect: This provides an easy way to create a dedicated private connection between your data center and OCI. FastConnect provides higher bandwidth options and a more reliable networking experience when compared with internet-based connections.
• VNIC: The servers in OCI data centers have physical network interface cards (NICs). VM instances communicate using VNICs associated with the physical NICs. Each instance has a primary VNIC that is automatically created and attached during launch and available during the instance's lifetime. DHCP is offered to the primary VNIC only. You can add secondary VNICs after instance launch, and you set static IPs for each of those interfaces.
• Private IPs: Each VNIC has a primary private IPv4 address and related information for addressing an instance, and you can add and remove secondary private IPs. The primary private IP address on an instance is attached during instance launch and does not change during the instance's lifetime. Secondary IPs belong to the same CIDR as the VNIC's subnet. A secondary IP can serve as a floating IP because it can move between VNICs on different instances within the same subnet; this is how the HA pair keeps a stable trust and untrust address across failover. You can also use it as a separate endpoint to host a different service.
• Public IPs: The networking service assigns a public IPv4 address chosen by Oracle that is mapped to a private IP. Public IPs have the following types:
• Ephemeral: This address is temporary and exists for the lifetime of the instance.
• Reserved: This address persists beyond the lifetime of the instance. It can be unassigned and reassigned to another instance.
• Source and destination check: By default every VNIC only accepts traffic whose source or destination is one of its own addresses. Disable this check (the skip source/destination check setting) on the VM-Series data-plane VNICs so the firewall can receive and forward transit traffic that is not addressed to the firewall itself; with the check left on, spoke traffic sent to the trust floating IP is silently dropped.
• Compute shape: The shape of a compute instance specifies the number of CPUs and amount of memory allocated to the instance. It also determines the number of VNICs and maximum bandwidth available for the instance.
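To make the route-table list above and the flows in figures 4, 6 and 8 concrete, the following Python model walks a packet through the tables with longest-prefix match, the way OCI route tables evaluate rules, and reports whether the path crossed the VM-Series. It is an added example, not code from this white paper, from Palo Alto Networks or from the linked GitHub repository. The table names, the 10.0.0.0/24 and 10.0.1.0/24 spoke CIDRs, the 192.168.0.0/16 hub and the next-hop labels are assumptions assembled from the figures. The last function shows the failure mode the symmetry routes prevent: without the spoke route on the firewall, database-to-web traffic is sent out the untrust side toward the internet gateway instead of back to the web spoke.

```python
"""Walk a packet through the hub-and-spoke route tables described in this paper,
using longest-prefix match as OCI route tables do. Constructed model: the table
names, CIDRs and next-hop labels are illustrative, not exported from a tenancy."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    cidr: str    # destination CIDR of the route rule
    target: str  # route target: an LPG, the firewall trust floating IP, a gateway, ...


# Spoke VCNs 10.0.0.0/24 (web) and 10.0.1.0/24 (db); hub VCN 192.168.0.0/16 (assumed).
TOPOLOGY = {
    "subnets": {"10.0.0.0/24": "spoke-webapp", "10.0.1.0/24": "spoke-db"},
    "tables": {
        # spoke route tables: everything leaves through the spoke's LPG
        "spoke-webapp": [Rule("0.0.0.0/0", "lpg:webapp->hub")],
        "spoke-db": [Rule("0.0.0.0/0", "lpg:db->hub")],
        # hub route tables attached to each LPG and to the service gateway:
        # all traffic goes to the VM-Series trust floating IP
        "hub-lpg-webapp": [Rule("0.0.0.0/0", "fw-trust-floating-ip")],
        "hub-lpg-db": [Rule("0.0.0.0/0", "fw-trust-floating-ip")],
        "hub-sgw": [Rule("0.0.0.0/0", "fw-trust-floating-ip")],
        # hub trust route table: spoke CIDRs back out through the matching LPG
        "hub-trust": [Rule("10.0.0.0/24", "lpg:hub->webapp"), Rule("10.0.1.0/24", "lpg:hub->db")],
        # hub untrust route table: internet via IGW, on-prem (172.16.0.0/12 in figure 4) via DRG
        "hub-untrust": [Rule("0.0.0.0/0", "igw"), Rule("172.16.0.0/12", "drg")],
        # VM-Series virtual router: spoke space via the trust subnet gateway, default via untrust
        "vm-series": [Rule("10.0.0.0/16", "trust-subnet-gw"), Rule("0.0.0.0/0", "untrust-subnet-gw")],
    },
    # which table is consulted next for a given target; a target not listed here is terminal
    "next": {
        "lpg:webapp->hub": "hub-lpg-webapp",
        "lpg:db->hub": "hub-lpg-db",
        "fw-trust-floating-ip": "vm-series",
        "trust-subnet-gw": "hub-trust",
        "untrust-subnet-gw": "hub-untrust",
    },
}


def lookup(rules, dst):
    """Longest-prefix match of dst against one route table; None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in rules if ip in ipaddress.ip_network(r.cidr)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.cidr).prefixlen, default=None)


def table_for(src, topo=TOPOLOGY):
    """Route table attached to the subnet that contains the source address."""
    ip = ipaddress.ip_address(src)
    for cidr, table in topo["subnets"].items():
        if ip in ipaddress.ip_network(cidr):
            return table
    raise ValueError(f"{src} is not in a modelled subnet")


def trace(dst, start_table, topo=TOPOLOGY):
    """Return the hops ("table -> target") a packet to dst takes, starting at start_table."""
    hops, seen, table = [], set(), start_table
    while table is not None:
        if table in seen:  # consulting the same table twice means the routing loops
            hops.append("loop")
            break
        seen.add(table)
        rule = lookup(topo["tables"][table], dst)
        if rule is None:
            hops.append(f"{table} -> no route")
            break
        hops.append(f"{table} -> {rule.target}")
        table = topo["next"].get(rule.target)
    return hops


def inspected(hops):
    """True when the path crossed the VM-Series, which is the design goal for every flow."""
    return any(h.startswith("vm-series ->") for h in hops)


def without_symmetry_route(topo=TOPOLOGY):
    """Copy of the topology with the firewall's spoke route removed (a common misconfiguration)."""
    bad = {k: dict(v) for k, v in topo.items()}
    bad["tables"]["vm-series"] = [Rule("0.0.0.0/0", "untrust-subnet-gw")]
    return bad


if __name__ == "__main__":
    flows = [("web -> internet", "203.0.113.9", table_for("10.0.0.10")),
             ("web -> on-prem", "172.16.5.5", table_for("10.0.0.10")),
             ("db -> web", "10.0.0.10", table_for("10.0.1.10")),
             ("OSN -> web", "10.0.0.10", "hub-sgw")]
    for label, dst, start in flows:
        path = trace(dst, start)
        print(f"{label}: {' | '.join(path)}  inspected={inspected(path)}")
    print("db -> web without symmetry route:", " | ".join(trace("10.0.0.10", "spoke-db", without_symmetry_route())))
```

Run it and compare each printed path with the corresponding figure; when you extend the hub to more spokes, add the spoke to `subnets`, its LPG tables and the `hub-trust` rule, and the trace will show immediately if a new spoke's return path bypasses the firewall.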
Recommendations
We recommend the following as a starting point to secure Oracle E-Business Suite or PeopleSoft workloads on OCI using VM-Series NGFWs.
VCN
When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space. You should also select CIDR blocks that do not overlap with any other network (i.e., in OCI, your on-premises data center, or another cloud provider) to which you intend to set up private connections. After you create a VCN, you can change, add, and remove its CIDR blocks.
When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier
or role to the same subnet, which can serve as a security boundary. Use regional subnets.
Verify the maximum number of LPGs per VCN in your service limits in case you want to extend this architecture for multiple
environments and applications.
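As an added check for the CIDR and LPG guidance above (not code from this white paper or from Oracle), the following Python function validates an addressing plan the way you would before creating the VCNs: every block in RFC 1918 private space, no overlap between any two networks you intend to connect privately, no CIDR with host bits set, and spoke count within the LPG limit. A helper picks the next free spoke block from a pool. The network names, the CIDRs and the limit value are constructed for illustration; look up the real LPG limit in your tenancy's service limits.

```python
"""Validate a VCN addressing plan against the recommendations in this paper.
Constructed example: the names, CIDRs and LPG limit are illustrative values."""
import ipaddress
from itertools import combinations

# RFC 1918 private ranges (IPv4 only, as in the rest of this paper)
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(networks, spokes, lpg_limit):
    """networks: {name: cidr} for every VCN, on-premises range and other-cloud range
    that will be privately connected; spokes: names that peer with the hub over an LPG.
    Returns a list of findings; an empty list means the plan passes."""
    findings, nets = [], {}
    for name, cidr in networks.items():
        try:
            nets[name] = ipaddress.ip_network(cidr)  # strict: host bits set is a planning error
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    for name, net in nets.items():
        if not any(net.subnet_of(p) for p in PRIVATE):
            findings.append(f"{name} {net} is outside RFC 1918 private space")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):  # any overlap breaks routing over LPG, DRG or FastConnect
            findings.append(f"{a} {na} overlaps {b} {nb}")
    missing = [s for s in spokes if s not in networks]
    if missing:
        findings.append(f"spokes without a CIDR: {missing}")
    if len(spokes) > lpg_limit:
        findings.append(f"{len(spokes)} spokes exceed the LPG limit of {lpg_limit} per hub VCN")
    return findings


def next_free_block(networks, prefixlen, pool="10.0.0.0/16"):
    """First /prefixlen block inside pool that overlaps nothing already in the plan."""
    used = [ipaddress.ip_network(c) for c in networks.values()]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


if __name__ == "__main__":
    plan = {"hub": "192.168.0.0/16", "web-spoke": "10.0.0.0/24",
            "db-spoke": "10.0.1.0/24", "on-prem": "172.16.0.0/12"}
    print("clean plan:", check_plan(plan, ["web-spoke", "db-spoke"], lpg_limit=10))
    plan["other-cloud"] = "10.0.0.0/16"   # collides with both spokes
    plan["lab"] = "203.0.113.0/24"        # public space, not RFC 1918
    for finding in check_plan(plan, ["web-spoke", "db-spoke", "other-cloud"], lpg_limit=2):
        print("finding:", finding)
    print("next spoke block:", next_free_block({"web-spoke": "10.0.0.0/24", "db-spoke": "10.0.1.0/24"}, 24))
```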
VM-Series NGFWs
Deploy the VM-Series NGFWs as a high availability pair. Place the two members in distinct fault domains at a minimum and, where the region offers them, in different availability domains. Set the MTU to 9000 on all VNICs, and use VFIO network interfaces.
Considerations
When securing Oracle E-Business Suite or PeopleSoft workloads on OCI using VM-Series NGFWs, consider these factors:
Performance
The compute shape you select determines the maximum available throughput, CPU, RAM, and number of interfaces. Know what types of traffic traverse your environment, determine the appropriate risk levels, and apply security controls accordingly; each combination of enabled security subscriptions (Threat Prevention, WildFire, URL Filtering, DNS Security) has its own performance cost, so size the shape for the controls you will actually run.
Consider adding dedicated interfaces for FastConnect or VPN services. You should also consider using large compute shapes for
higher throughput and access to more network interfaces. Finally, run performance tests to validate the design can sustain the
performance and throughput you require.
Security
Managing the VM-Series NGFWs on OCI with Panorama allows centralized security policy configuration and monitoring alongside all your other physical and virtual Palo Alto Networks NGFWs. Define a distinct identity and access management (IAM) dynamic group and policy per cluster deployment, so each HA pair holds only the OCI permissions it needs (such as moving its own floating secondary IPs on failover) and no more.
Availability
Deploy your architecture to distinct geographic regions for the greatest redundancy. Configure site-to-site VPNs with relevant
organizational networks for redundant connectivity with on-premises networks.
Cost
VM-Series NGFWs are available in bring-your-own-license (BYOL) and pay-as-you-go (PAYG) license models for Bundle 1 and
Bundle 2 in the Oracle Cloud Marketplace.
• Bundle 1 includes the VM-Series capacity license, Threat Prevention license, and a Premium Support entitlement.
• Bundle 2 includes the VM-Series capacity license with the complete suite of subscription licenses, including Threat Prevention,
WildFire®, URL Filtering, DNS Security, GlobalProtect™, and a Premium Support entitlement.
Deployment Steps
To secure Oracle E-Business Suite or PeopleSoft workloads on OCI using VM-Series NGFWs, perform the following steps:
1. Set up the required networking infrastructure as shown in the architecture diagram (figure 2). See Set up a hub-and-spoke network topology in Oracle's technical documentation.
2. Deploy the application (Oracle E-Business Suite or PeopleSoft) in your environment.
3. Oracle Cloud Marketplace has multiple stacks for different configurations and licensing requirements. For example, the following
stacks feature bring-your-own-license (BYOL). For each stack you choose, click Get App and follow the on-screen prompts:
• VM-Series Firewall—BYOL
• VM-Series Firewall—Listings
4. You can also refer to the GitHub Repository to deploy the architecture included in this document and relevant configuration steps
on the VM-Series NGFW.
More Information
These resources offer more detail about the features of this architecture and related information:
• Oracle documentation:
• Best practices framework for Oracle Cloud Infrastructure
• Learn about deploying Oracle E-Business Suite on Oracle Cloud Infrastructure
• Oracle Cloud Infrastructure Security Guide
• GitHub:
• Deploying a VM-Series NGFW on OCI using Terraform
3000 Tannery Way, Santa Clara, CA 95054 | Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087 | www.paloaltonetworks.com
© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. strata_wp_secure-workloads-vm-series-oracle_041421