Palo Alto Networks virtual Firewall and Juniper Contrail plugin for Fuel
sdn-team@mirantis.com
Content
Document History
1 Introduction
1.1 Target Audience
2 Application overview
3 Joint Reference Architecture
4 Physical & Logical Network Topology
5 Installation & Configuration
5.1 Overview of Fuel installation steps
5.2 Overview of MOS installation steps
5.3 Overview of the OpenStack configuration
5.4 Service chaining configuration through Contrail
5.4.1 In-network deployment configuration
5.4.2 Transparent deployment configuration
5.4.3 Service Scale deployment configuration
5.5 Overview of PA-VM configuration
5.5.1 In-network deployment configuration
5.5.2 Transparent deployment configuration
5.5.3 Service Scale deployment configuration
5.6 Testing
5.6.1 Target use case(s)
5.6.2 Test Tools
5.6.3 Test Results
Appendix
Document History
1 Introduction
This document serves as a detailed Deployment Guide for the Palo Alto Virtualized Firewall used with the Juniper Contrail plugin for Fuel.
It describes the reference architecture and the installation and configuration steps for Mirantis OpenStack, the Juniper Contrail plugin for Fuel and the Palo Alto Virtual Firewall that are needed to prepare an environment with service chaining.
1.1 Target Audience
This guide is intended for OpenStack administrators who are deploying Mirantis OpenStack using Juniper Contrail as the SDN together with the Palo Alto Virtual Firewall.
2 Application overview
VM-Series firewall
The Palo Alto Networks VM-Series firewall protects applications and data stored in private, public or hybrid cloud environments. To learn more about the Palo Alto firewall, please see the official documentation.
3 Joint Reference Architecture
The diagrams below show the topology of Mirantis OpenStack working with Contrail and the Palo Alto virtual firewall.
● Management topology:
● Logical topology, Contrail control plane:
● Logical topology, Contrail data plane:
You can find more information about how service chaining works in Contrail here:
http://www.juniper.net/techpubs/en_US/contrail1.0/topics/task/configuration/service-chaining-vnc.html
4 Physical & Logical Network Topology
The diagram below shows the physical topology of the Mirantis OpenStack and Contrail environment.
The next diagram shows the traffic flow with the Palo Alto virtual firewall service.
5 Installation & Configuration
Three deployment models are covered:
● In-network, where the virtualized firewall sits between at least two networks and packets are routed:
● Transparent, where the virtualized firewall is transparent to the communication between instances and packets are switched:
● Elastic Scale Out / Service Scaling, where a single service instance can use multiple virtual machines and scale out based on customer demand.
5.1 Overview of Fuel installation steps
● Download the Fuel ISO from the Mirantis website.
● For a detailed description of how to install Fuel, see the Reference Architecture and the User Guide in the official Mirantis OpenStack documentation.
● Prior to the deployment procedure, you will need to install and configure the Fuel plugin for Juniper Contrail. To do that, download the plugin from the Fuel Plugin Catalog, copy it to the Fuel Master node and install it (the installation procedure is explained in the Plugin Guide, also found in the Fuel Plugin Catalog).
● Note that alongside the plugin installation, you will also need to have the Contrail packages in place (you have to contact Juniper to obtain them).
5.2 Overview of MOS installation steps
The reference environment consists of:
● 3 MOS controllers
● 3 Contrail controllers
● 1 physical compute node
Use the Fuel UI wizard to create an environment. In Networking Setup, select Neutron with VLAN segmentation, as this is the only networking model supported by version 2.0.0 of the plugin.
Add nodes to the environment using the Add Nodes button:
According to the configuration above, assign the Controller, Compute and Operating System (for Contrail) roles to the nodes:
NOTE: Contrail controllers should be named 'contrailX', where X is the number of the controller. Start numbering the controllers with "1"; otherwise, the deployment will fail. For more details, please check the Plugin Guide for the Juniper Contrail ver. 2.1.0 plugin (found in the Fuel Plugin Catalog).
In the Networks tab of the Fuel Web UI, fill in the information on networks and VLANs:
Each of the nodes needs to have two network interfaces:
● one for PXE
● the second one for the other networks (management, private, storage and public).
For information on the logical networks Fuel uses, please see the official documentation.
Use the gear button on the right to choose "Edit interfaces" and assign networks to interfaces:
After you have set up all the networks and nodes, open the Settings tab of the Fuel Web UI and scroll down the page.
Select the Fuel Contrail plugin checkbox to enable the plugin and choose the appropriate Contrail version for your deployment; in this deployment, Juniper Contrail is used for service chaining:
Fill in the plugin-specific information such as AS Number, Gateway for Private Network and GW IP (more details on these parameters can be found in the Plugin Guide shipped with the plugin itself in the Fuel Plugin Catalog).
Prior to deployment, you can run the network verification check to make sure the networks are configured correctly.
Once done, click the Deploy changes button to start the deployment.
5.3 Overview of the OpenStack configuration
OpenStack can be managed either through the Horizon dashboard (available over HTTP) or the CLI commands.
You need to spawn an instance with the Palo Alto firewall. At least three interfaces need to be created, in the following networks: management, trust and untrust. The networks can be created in the Network/Networks tab:
You can achieve the same using the CLI; for example, the PA-VM image is uploaded to Glance with:
glance image-create --disk-format qcow2 --file PA-VM-KVM-7.0.0.nova.dhcp.patch.qcow2 --is-public True
In this scenario a PA-VM instance is needed; it will be created in the next steps using the Contrail UI.
Additionally, at least two test VMs need to be created:
● the first one with an interface in the Trust zone,
● the second one with an interface in the Untrust zone.
5.4 Service chaining configuration through Contrail
The Contrail WebUI is available through the VIP on the HAProxy installed on the MOS controllers, over HTTPS on port 8143. For example, if you access Horizon via http://172.16.0.2 then the Contrail WebUI is available at http://172.16.0.2:8143/.
Networks configured through OpenStack are available in the Networking/Networks tab of the Contrail WebUI:
5.4.1 In-network deployment configuration
In Services/Service Templates there is a list of available templates. To add a new one, click the plus sign in the upper-right corner as shown below:
In the Image name drop-down list there is a list of the images available in Glance, including the PA-VM image.
In this deployment, we set the m1.large flavour, with 4 vCPUs and 8192 MB RAM.
To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign in the upper-right corner.
Provide the name and choose the appropriate service template.
To create a service chain, a policy must be created. This policy has to be assigned to the proper network.
In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:
The new policy needs the following information:
● name (policy-panos)
● action (pass by default)
● source (panos-trust)
● destination (panos-untrust)
● direction (<>).
In the example below, traffic will be allowed in both directions between trust and untrust, for all protocols.
After selecting the Services checkbox, a new field appears where you can add the service that was created earlier.
After the policy is completed and saved, it has to be assigned to the networks in the Networking/Networks tab.
Use the sign on the right to edit a network in the Networking/Networks tab.
Use the network policy name to assign it to the trust network and save the changes. Repeat the procedure for the untrust network.
5.4.2 Transparent deployment configuration
Fill in the name of the template and set the service type to firewall. Service mode is "Transparent". Each firewall requires at least three interfaces. Use the plus sign to add three networks: management, left and right.
In the Image name drop-down list there is a list of the images available in Glance, including the PA-VM image.
In this deployment, we use the m1.large flavour, with 4 vCPUs and 8192 MB RAM.
To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign in the upper-right corner.
To create a service chain, a policy must be created. This policy has to be assigned to the proper network.
In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:
The new policy needs the following information:
● name
● action (pass by default)
● source
● destination
● direction.
In this example, traffic will be allowed in both directions between trust and untrust, for all protocols.
After selecting the Services checkbox, a new field appears where you can add the service that was created earlier.
Use the network policy name to assign it to the trust network and save the changes. Do the same for the untrust network:
5.4.3 Service Scale deployment configuration
Fill in the name of the template and set the service type to firewall.
For this example, set the service mode to In-Network.
Each firewall requires at least three interfaces. Use the plus sign to add three networks: management, left and right.
In the Image name drop-down list there is a list of the images available in Glance, including the PA-VM image.
In this deployment, we use the m1.large flavour, with 4 vCPUs and 8192 MB RAM.
The Service scaling checkbox should be checked. It automatically turns on the shared IP feature for the "left" and "right" interface types.
To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign in the upper-right corner:
Provide the name and choose the appropriate service template.
After that, the interfaces should be mapped to the proper networks.
For the in-network deployment, map the interfaces to: management, trust (left) and untrust (right). Set the number of firewall instances; in this example, 2.
To create a service chain, a policy must be created. This policy has to be assigned to the proper network.
In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:
The new policy needs the following information:
● name
● action (pass by default)
● source
● destination
● direction.
In this example, traffic will be allowed in both directions between trust and untrust, for all protocols.
After selecting the Services checkbox, a new field appears where you can add the service that was created earlier.
Although the service instance has its interfaces in another, auto-configured network, the policy still needs to be set between the trust and untrust networks:
Use the network policy name to assign it to the trust network and save the changes. Do the same for the untrust network.
Although the service instance has its interfaces in another, auto-configured network (svc-vn*), the policy still needs to be assigned to the trust and untrust networks.
5.5 Overview of PA-VM configuration
This section covers only the simple firewall configuration needed for full connectivity between zones, for the following deployments:
● In-network deployment
● vWire or virtual-wire deployment
● Service scaling deployment
Configuration can be managed either through the web dashboard (available over HTTPS, on the IP of the PA-VM management interface) or the CLI commands.
5.5.1 In-network deployment configuration
On the command line, check whether automatic MAC detection is enabled:
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# show deviceconfig setting
setting {
  config {
    rematch yes;
  }
  management {
    hostname-type-in-syslog FQDN;
  }
}
If auto-mac-detect is missing, you have to turn it on and commit the changes:
admin@PA-VM# set deviceconfig setting auto-mac-detect yes
[edit]
admin@PA-VM# commit
...55%75%..98%..........100%
Configuration committed successfully
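When several PA-VM instances are deployed (for example the two created in the service scaling case), the check above is easier to automate. The following script is an added example, not part of the guide or of PAN-OS: it parses the brace-delimited output of show deviceconfig setting and returns the set command only when auto-mac-detect is absent. The sample transcript is constructed from the one shown above; the parser only handles the simple block/leaf syntax seen there.

```python
def parse_panos_block(text):
    """Parse PAN-OS 'show' output (brace-delimited blocks, 'key value;' leaves) into
    nested dicts. Constructed for this example; not a complete PAN-OS config parser."""
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        # Skip prompt/echo lines that end up in a captured CLI transcript.
        if not line or line.startswith(("admin@", "Entering", "[edit]")):
            continue
        if line.endswith("{"):                 # open a nested block
            child = cur.setdefault(line[:-1].strip(), {})
            stack.append(cur)
            cur = child
        elif line == "}":                      # close the current block
            cur = stack.pop()
        elif line.endswith(";"):               # leaf: 'key value;' or bare 'key;'
            key, _, value = line[:-1].partition(" ")
            cur[key] = value.strip() or True
    return root


def auto_mac_detect_fix(show_output):
    """Return the PAN-OS set command needed, or None if auto-mac-detect is already yes."""
    setting = parse_panos_block(show_output).get("setting", {})
    if setting.get("auto-mac-detect") == "yes":
        return None
    return "set deviceconfig setting auto-mac-detect yes"


# Constructed sample transcript, modelled on the guide: auto-mac-detect is absent.
SAMPLE_MISSING = """\
admin@PA-VM# show deviceconfig setting
setting {
  config {
    rematch yes;
  }
  management {
    hostname-type-in-syslog FQDN;
  }
}
"""
# Same output after the fix has been committed (constructed).
SAMPLE_PRESENT = SAMPLE_MISSING.replace("setting {", "setting {\n  auto-mac-detect yes;", 1)

if __name__ == "__main__":
    print(auto_mac_detect_fix(SAMPLE_MISSING))   # the set command
    print(auto_mac_detect_fix(SAMPLE_PRESENT))   # None
```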
The interface type depends on the deployment model. In this example we will cover the L3 configuration. For each interface used, the Layer3 interface type must be set.
The virtual router can be set to default. If an extra virtual router is needed (with a static route or a routing protocol), it is possible to add one from this level.
In this scenario, the first interface will be in the trust zone and the second one in the untrust zone.
Both security zones can be created with the New Zone link and applied at the interface configuration level:
In the second tab of the interface configuration window, set the IP address of the interface that Contrail assigned to the device.
Click the Static radio button and then the Add button to create an IP address object:
A new management profile can be created and set in the Advanced tab (optional). Permitted services should be checked:
After the actions are repeated for both interfaces, each one should have Interface Type, Management Profile, IP Address, Virtual Router and Security Zone assigned, as below:
Changes should be committed by clicking the Commit link in the upper-right corner of the dashboard and confirmed with the Commit button in the pop-up window:
5.5.2 vWire deployment configuration
The interface type depends on the deployment model. In this example, we will cover the transparent L2 configuration. For each interface used, the Virtual Wire interface type must be set. Create a new virtual wire:
Set the virtual wire to connect the ethernet1/1 and ethernet1/2 interfaces. Set the allowed VLAN tag to 1:
Trust and untrust zones should be created for each interface and assigned at the interface configuration level:
After the actions are repeated for both interfaces, each one should have Interface Type, Virtual Wire and Security Zone assigned:
Changes should be committed by clicking the Commit link in the upper-right corner of the dashboard and confirmed with the Commit button in the pop-up window:
5.5.3 Service Scale deployment configuration
The service scale deployment configuration should be done the same way as the in-network deployment configuration from 5.5.1, for each firewall created in Contrail in 5.4.3.
5.6 Testing
5.6.1 Target use case(s)
● Two test instances (one in the trust zone, one in the untrust zone)
● A simple HTTP server installed on the test instances
5.6.2 Test Tools
● PA Monitor
● Curl
● Ping
5.6.3 Test Results
An instance in the untrust zone should act as an HTTP server, with a simple page in /var/www/index.html which contains the word 'test'.
Create the first security rule: name the rule, set the Trust zone as the source and Untrust as the destination, choose web-browsing as the Application, and set Action to Deny in the Actions tab.
Create the second rule to allow any other traffic. Set Applications to Any and Action to Allow, as below:
The rules should look as below:
To test that the traffic is allowed, the first rule will be temporarily disabled. This can be achieved with the Disable button at the bottom:
Using curl, verify that HTTP traffic is allowed from the trusted host to the untrusted one because the rule is disabled. Use ping to ensure that other traffic (here ICMP) is allowed:
In the Palo Alto UI, in the Monitor tab, Session Browser section, logs with information about the traffic are available. The state of the sessions is active:
To perform the second test, enable the first rule, which will block the HTTP traffic, and commit the changes:
Ping still works:
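To make the two tests above repeatable from the trust-zone instance, the following added script (not part of the guide) encodes the expected outcome for each state of the first rule and probes the untrust instance with an HTTP request and a ping, reporting any deviation. The rule-state names, the marker word 'test' from the page served by the untrust instance, and the Linux ping flags are assumptions.

```python
import subprocess
import urllib.error
import urllib.request

# Expected outcome per state of the first (deny web-browsing) rule, as the guide's two tests
# describe: rule disabled -> HTTP trust->untrust allowed; rule enabled -> HTTP blocked; ICMP
# allowed in both cases. The state names are assumed for this example.
EXPECTED = {
    "rule1_disabled": {"http": True, "icmp": True},
    "rule1_enabled": {"http": False, "icmp": True},
}


def evaluate(rule_state, http_ok, icmp_ok):
    """Pure check: compare observed reachability with the expected matrix.
    Returns a list of mismatch descriptions; an empty list means the test passed."""
    want = EXPECTED[rule_state]
    label = lambda ok: "allowed" if ok else "blocked"
    problems = []
    if http_ok != want["http"]:
        problems.append(f"HTTP: expected {label(want['http'])}, observed {label(http_ok)}")
    if icmp_ok != want["icmp"]:
        problems.append(f"ICMP: expected {label(want['icmp'])}, observed {label(icmp_ok)}")
    return problems


def http_reachable(host, timeout=5, marker="test"):
    """curl equivalent: True only if the page is served and contains the marker word."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return marker in resp.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):   # refused, dropped by the firewall, or timed out
        return False


def icmp_reachable(host, count=3):
    """ping equivalent (Linux iputils flags assumed): True if the host answers."""
    result = subprocess.run(["ping", "-c", str(count), "-W", "2", host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def run_test(rule_state, untrust_host):
    """Probe the untrust-zone instance from the trust-zone instance and evaluate the result."""
    return evaluate(rule_state, http_reachable(untrust_host), icmp_reachable(untrust_host))


if __name__ == "__main__":
    import sys
    # usage: python3 pa_policy_test.py rule1_disabled|rule1_enabled <untrust instance IP>
    issues = run_test(sys.argv[1], sys.argv[2])
    print("PASS" if not issues else "FAIL: " + "; ".join(issues))
```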
Appendix