
Installation Runbook for

Palo Alto Networks virtual Firewall and Juniper Contrail plugin for Fuel

MOS Version 6.1

OpenStack Version Juno

Contrail Fuel plugin version 2.1.0

Contrail bits version 2.21

Application Type virtual Firewall

Application Version PANOS 7.x based image


Authors:
Katarzyna Orlowska

sdn-team@mirantis.com

Content

Document History
1 Introduction
1.1 Target Audience
2 Application overview
3 Joint Reference Architecture
    Logical topology Contrail control plane
4 Physical & Logical Network Topology
    Physical networks topology
    Logical networks topology
5 Installation & Configuration
5.1 Overview of Fuel installation steps
5.2 Overview of MOS installation steps
5.3 Overview of the OpenStack configuration
5.4 Service chaining configuration through Contrail
5.4.1 In-network deployment configuration
5.4.2 Transparent deployment configuration
5.4.3 Service Scale deployment configuration
5.5 Overview of PA-VM configuration
5.5.1 In-network deployment configuration
5.5.2 Transparent deployment configuration
5.5.3 Service Scale deployment configuration
5.6 Testing
5.6.1 Target use case(s)
5.6.2 Test Tools
5.6.3 Test Results
Appendix

Document History

Version | Revision Date | Description
0.1     | 11172015      | Initial Version

1 Introduction

This document serves as a detailed Deployment Guide for the Palo Alto Virtualized Firewall used with the
Juniper Contrail plugin for Fuel.
It describes the reference architecture, installation and configuration steps for Mirantis
OpenStack, the Juniper Contrail plugin for Fuel and the Palo Alto Virtual Firewall, in order to prepare an
environment with service chaining.

1.1 Target Audience

This guide is intended for OpenStack Administrators who are deploying Mirantis OpenStack using
Juniper Contrail as the SDN together with the Palo Alto Virtual Firewall.

2 Application overview
VM-Series firewall
The Palo Alto Networks VM-Series firewall protects applications and data stored in private, public or hybrid cloud
environments. To learn more about the Palo Alto firewall, please see the official documentation.

3 Joint Reference Architecture

The diagrams below show the topology of Mirantis OpenStack working with Contrail and the Palo Alto virtual
firewall.

● Management topology:

● Logical topology Contrail control plane:

● Logical topology Contrail data plane:

Service chaining in Contrail:

You can find more information about how Service Chaining works in Contrail here:
http://www.juniper.net/techpubs/en_US/contrail1.0/topics/task/configuration/service-chaining-vnc.html

4 Physical & Logical Network Topology

Physical networks topology

The diagram below shows the physical topology of the Mirantis OpenStack and Contrail environment.

Logical networks topology

The diagram below shows the traffic flow with the Palo Alto virtual firewall service.

5 Installation & Configuration

The Palo Alto Virtualized Firewall can be deployed in three modes:

● In-network
● Transparent
● Elastic Scale Out

The diagrams below explain the details of each deployment model:

● In-network, where the virtualized firewall sits between at least two networks and packets are routed:

● Transparent, where the virtualized firewall is transparent to the communication between
instances and packets are switched:

● Elastic Scale Out / Service Scaling, where a single service instance can use multiple virtual
machines and scale out based on customer demand.

5.1 Overview of Fuel installation steps

● Download the Fuel ISO from the Mirantis website.
● For a detailed description of how to install Fuel, see the Reference Architecture and the User Guide
in the official Mirantis OpenStack documentation.
● Prior to the deployment procedure, you will need to install and configure the Fuel plugin for
Juniper Contrail. To do that, download the plugin from the Fuel Plugin Catalog, copy it to the Fuel
Master node and install it (the installation procedure is explained in the Plugin Guide, found in the
Fuel Plugin Catalog as well).
● Note that, alongside the plugin installation, you will also need to have the Contrail packages in
place (you have to contact Juniper to obtain them).

5.2 Overview of MOS installation steps

The following nodes and roles will be used in this deployment:

● 3 MOS controllers
● 3 Contrail controllers
● 1 physical compute node

Use the Fuel UI Wizard to create an environment. In Networking Setup, select Neutron with VLAN
segmentation, as this is the only networking model supported by version 2.0.0 of the plugin.
Add nodes to the environment using the Add Nodes button:

According to the configuration above, assign the Controller, Compute and Operating System (for Contrail)
roles to the nodes:

NOTE: Contrail controllers should be named ‘contrailX’, where X is the number of the
controller. Numbering must start with “1”; otherwise, the
deployment will fail. For more details, please check the Plugin Guide for the Juniper
Contrail ver. 2.1.0 plugin (it can be found in the Fuel Plugin Catalog).

In the Networks tab of the Fuel Web UI, fill in the information on networks and VLANs:

Each of the nodes needs to have two network interfaces:
● one for PXE
● the second one for the other networks (mgmt, private, storage and public).

For information on the logical networks Fuel uses, please see the official documentation.

Use the gear button on the right to choose “edit interfaces” and assign networks to interfaces:

After you have set all the networks and nodes, open the Settings tab of the Fuel Web UI and scroll the page
down.
Select the Fuel contrail plugin checkbox to enable the plugin and choose the appropriate Contrail version
for your deployment; in this deployment, Juniper Contrail is used for service chaining:

Fill in the plugin-specific information like AS Number, Gateway for Private Network and GW IP (more
details on these parameters can be found in the Plugin Guide shipped with the plugin itself in the Fuel
Plugin Catalog).
Prior to deployment, you can run the network verification check to make sure the networks are
configured correctly.
Once done, click the Deploy changes button and start the deployment.

5.3 Overview of the OpenStack configuration

OpenStack can be managed either through the Horizon dashboard (available over HTTP) or through the CLI
commands.
An instance with the Palo Alto firewall needs to be spawned. At least three interfaces need to be created in the
following networks: management, trust and untrust. The networks can be created in the Network/Networks
tab:

You can achieve the same thing using the CLI:

# one network and one subnet per zone: trust, untrust and management
neutron net-create panos-trust
neutron subnet-create panos-trust 1.1.1.0/24
neutron net-create panos-untrust
neutron subnet-create panos-untrust 1.1.2.0/24
neutron net-create panos-mgmt
neutron subnet-create panos-mgmt 1.1.3.0/24

Download the PA-VM image from https://support.paloaltonetworks.com (support account needed), from the
Software Updates -> PAN-OS for VM-Series Base Image section, copy it to one of the MOS controllers and
import it into Glance:

You can achieve the same thing using the CLI:

# --name is the label the image will carry in the Contrail "Image name" list;
# --container-format is required by the glance client together with --file
glance image-create --name PA-VM-KVM-7.0.0 --disk-format qcow2 --container-format bare \
  --file PA-VM-KVM-7.0.0.nova.dhcp.patch.qcow2 --is-public True

In this scenario a PA-VM instance is needed; it will be created in the next steps using the Contrail UI.
Additionally, at least two test VMs need to be created:
● the first one with an interface in the Trust zone,
● the second one with an interface in the Untrust zone.

5.4 Service chaining configuration through Contrail

The sections below cover the configuration of Contrail for:

● In-network deployment
● Transparent deployment
● Service scaling deployment

Service chaining has to be configured through Contrail.

The Contrail WebUI is available through the VIP on the HAProxy installed on the MOS controllers, over
HTTPS on port 8143. For example, if you access Horizon via http://172.16.0.2 then the Contrail WebUI is
available at http://172.16.0.2:8143/.

Networks configured through OpenStack are available in the Networking/Networks tab of the Contrail
WebUI:

5.4.1 In-network deployment configuration

In Services/Service Templates there is a list of available templates. To add a new one, click the plus sign in
the upper-right corner as shown below:

In the window that opens, do the following:

● fill in the name of the template (in the example, it is panos-inn)
● set the service type to firewall
● in the service mode, select in-network

Each firewall requires at least three interfaces.

Use the plus sign to add three networks: management, left and right.

In the Image name dropdown list, there will be a list of the images available in Glance, including the PA-VM image.
In this deployment, we set the m1.large flavour, with 4 vCPUs and 8192 MB RAM.

To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign
in the upper-right corner.

Provide the name and choose the appropriate service template.

After that the interfaces should be mapped to the proper networks.

For the in-network deployment, map the interfaces to: management, trust (left) and untrust (right).

To create a service chain, a policy must be created. This policy has to be assigned to the proper
networks.

In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:

The new policy needs to have the following information:
● name (policy-panos)
● action (pass by default)
● source (panos-trust)
● destination (panos-untrust)
● direction (<>).

In the example below, the traffic will be allowed in both directions between trust and untrust, for all
protocols.

After selecting the Services checkbox, a new field will show up, where you can add the service that was
created earlier.

After the policy is completed and saved, it has to be assigned to the networks in the Networking/Networks
tab.
Use the edit sign on the right of the network in the Networking/Networks tab.

Use the network policy name to assign it to the trust network and save the changes. Repeat the
procedure for the untrust network.

5.4.2 Transparent deployment configuration

In Services/Service Templates there is a list of available templates.

To add a new one, click the plus sign in the upper-right corner as shown below:

Fill in the name of the template and set the service type to firewall. The service mode is “Transparent”. Each
firewall requires at least three interfaces. Use the plus sign to add three networks: management, left and
right.

In the Image name dropdown list, there will be a list of the images available in Glance, including the PA-VM image.

In this deployment, we use the m1.large flavour, with 4 vCPUs and 8192 MB RAM.

To create a service instance from the template, navigate to the Service Instances tab and choose the plus
sign in the upper-right corner.

Provide the name and choose the appropriate service template.

For the transparent deployment, leave the mapping of all interfaces as it is (auto-configured).

To create a service chain, a policy must be created. This policy has to be assigned to the proper
networks.
In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:

The new policy needs to have the following information:
● name
● action (pass by default)
● source
● destination
● direction.

In this example, the traffic will be allowed in both directions between trust and untrust, for all protocols.

After selecting the Services checkbox, a new field will show up, where you can add the service that was
created earlier.

After the policy is complete and saved, it has to be assigned to the networks in the Networking/Networks
tab.

Use the edit sign on the right of the network in the Networking/Networks tab:

Use the network policy name to assign it to the trust network and save the changes. Do the same for the
untrust network:

5.4.3 Service Scale deployment configuration

In Services/Service Templates, there is a list of available templates.

To add a new one, click the plus sign in the upper-right corner as shown below:

Fill in the name of the template and set the service type to firewall.
For this example, set the service mode to In-Network.

Each firewall requires at least three interfaces. Use the plus sign to add three networks: management, left
and right.

In the Image name dropdown list, there will be a list of the images available in Glance, including the PA-VM image.
In this deployment, we use the m1.large flavour, with 4 vCPUs and 8192 MB RAM.

The Service scaling checkbox should be checked. It automatically turns on the shared IP feature for the “left” and
“right” interface types.

To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign
in the upper-right corner:

Provide the name and choose the appropriate service template.
After that the interfaces should be mapped to the proper networks.
For the in-network deployment, map the interfaces to: management, trust (left) and untrust (right). Set
the number of firewall instances; in this example, 2.

The created instances have the same IP addresses assigned:

To create a service chain, a policy must be created. This
policy has to be assigned to the proper networks.

In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:

The new policy needs to have the following information:

● name
● action (pass by default)
● source
● destination
● direction.

In this example, the traffic will be allowed in both directions between trust and untrust, for all protocols.

After selecting the Services checkbox, a new field will show up, where one can add the service that was
created earlier.

Even though the service instance has interfaces in another auto-configured network, the policy still needs to be set
between the trust/untrust networks:

After the policy is complete and saved, it has to be assigned to the networks in the Networking/Networks
tab. Use the edit sign on the right of the network in the Networking/Networks tab:

Use the network policy name to assign it to the trust network and save the changes. Do the same for the untrust
network.

Even though the service instance has interfaces in another auto-configured network (svc-vn*), the policy still needs to
be assigned to the trust/untrust networks.

5.5 Overview of PA-VM configuration

This section covers only the simple firewall configuration needed for full connectivity between zones.

The sections below cover the configuration of the Palo Alto virtualized firewall for:

● In-network deployment
● vWire (virtual wire) deployment
● Service scaling deployment

The configuration can be managed either through the web dashboard (available over HTTPS, on the IP of the
PA-VM management interface) or through the CLI commands.

In the Device/Licenses tab one can manage the device licenses.

After every license is uploaded, the instance will reboot automatically.

In the command line, check whether automatic MAC detection is enabled:

admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# show deviceconfig setting
setting {
  config {
    rematch yes;
  }
  management {
    hostname-type-in-syslog FQDN;
  }
}

If auto-mac-detect is missing from the output, turn it on and commit the changes:

admin@PA-VM# set deviceconfig setting auto-mac-detect yes
[edit]
admin@PA-VM# commit
...55%75%..98%..........100%
Configuration committed successfully

5.5.1 In-network deployment configuration

In the Network/Interfaces tab, the available interfaces are listed. By
clicking on the interface name, it is possible to edit its settings:

The interface type depends on the deployment model. In this example we will cover the L3 configuration. For each
interface used, the Layer3 interface type must be set.

The virtual router can be set to default. If an extra router is needed (with a static route or routing
protocol), it is possible to add one from this level.

In this scenario, the first interface will be in the trust zone, the second one in the untrust zone.
Both security zones can be created with the New Zone link and applied at the interface configuration level:

In the second tab of the interface configuration window, you should set the IP address of the interface, which was
assigned by Contrail to the device.
Click the Static radio button and then the Add button to create the IP address object:

A new management profile can be created and set in the Advanced tab (optional). The permitted
services should be checked:

After the actions are repeated for both interfaces, each one should have Interface Type, Management
profile, IP Address, Virtual Router and Security Zone assigned, as below:

Changes should be committed by clicking the Commit link in the upper-right corner of the dashboard
and confirmed with the Commit button in the popup window:
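
The same in-network (Layer3) configuration entered from the PA-VM CLI instead of the web dashboard; this is an added example, not part of the original runbook. It assumes ethernet1/1 is the trust (left) interface and ethernet1/2 the untrust (right) interface; the two IP addresses and the profile name allow-ping are placeholders, and lines starting with # are explanatory comments, not CLI input.

```text
configure

# Layer3 interface type on both data interfaces. 1.1.1.10/24 and 1.1.2.10/24
# are placeholders: use the addresses Contrail assigned to the left and right
# ports of the service instance (the ones entered in the Static address step).
set network interface ethernet ethernet1/1 layer3 ip 1.1.1.10/24
set network interface ethernet ethernet1/2 layer3 ip 1.1.2.10/24

# Security zones, bound at interface level (trust = first, untrust = second)
set zone trust network layer3 ethernet1/1
set zone untrust network layer3 ethernet1/2

# Both interfaces belong to the default virtual router
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]

# Optional management profile (placeholder name allow-ping) with only the
# permitted service enabled, attached to both interfaces
set network profiles interface-management-profile allow-ping ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping
set network interface ethernet ethernet1/2 layer3 interface-management-profile allow-ping

# Review the candidate configuration, then commit (same as the Commit link)
show network interface ethernet
commit
```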

5.5.2 vWire deployment configuration

The available interfaces are listed in the Network/Interfaces tab. By
clicking on the interface name it is possible to edit its settings:

The interface type depends on the deployment model. In this example, we will cover the transparent L2
configuration. For each interface used, the Virtual Wire interface type must be set. Create a new virtual
wire:

Set up a virtual wire connecting the ethernet1/1 and ethernet1/2 interfaces. Set the allowed VLAN tag to the value
1:

Trust and untrust zones should be created for each interface and assigned at the interface configuration
level:

After the actions are repeated for both interfaces, each one should have Interface Type, Virtual Wire and
Security Zone assigned:

Changes should be committed by clicking the Commit link in the upper-right corner of the dashboard,
and confirmed with the Commit button in the popup window:
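
The vWire equivalent from the PA-VM CLI, added here as an example (not part of the original runbook); it assumes the virtual wire is named vw1, and lines starting with # are comments, not CLI input.

```text
configure

# Virtual wire between the two data interfaces, allowed VLAN tag 1
set network virtual-wire vw1 interface1 ethernet1/1 interface2 ethernet1/2 tag-allowed 1

# Switch both interfaces to the Virtual Wire interface type
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire

# Trust and untrust zones of type virtual-wire, one per interface
set zone trust network virtual-wire ethernet1/1
set zone untrust network virtual-wire ethernet1/2

# Review, then commit (same as the Commit link in the dashboard)
show network virtual-wire
commit
```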

5.5.3 Service Scale deployment configuration

The Service scale deployment configuration should be done the same way as the In-network deployment
configuration from 5.5.1, for each firewall created in Contrail in 5.4.3.

5.6 Testing
5.6.1 Target use case(s)

Test a simple firewalling configuration, such as blocking HTTP traffic only.

5.6.2 Test Tools

● Two test instances (one in the trust, one in the untrust zone)
● A simple HTTP server installed on the test instances
● PA Monitor
● curl
● ping

5.6.3 Test Results

An instance in the untrust zone should act as an HTTP server, with a simple page in
/var/www/index.html which contains the word ‘test’.

root@untrust-ubuntu:/var/www# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

In addition to the default rules, two rules will be set in the Policies/Security tab. The first will block HTTP traffic, the
second will allow any other traffic.

Use the Add button at the bottom to add a new rule.

Name the rule, set the Trust zone as the source and Untrust as the destination, choose
web-browsing as the Application, and set the Action to Deny in the Actions tab.

Create the second rule to allow any other traffic. Set applications to Any and action to Allow, as below:

The rules should look as below:

To test whether the traffic is allowed, the first rule will be temporarily disabled. This can be achieved with the
Disable button at the bottom:

The rules should look as below:

And the changes should be committed.
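
The two security rules and the disable/re-enable toggle used by the two tests, entered from the PA-VM CLI; this is an added example, not part of the original runbook. The rule names block-http and allow-any are assumed, and lines starting with # are comments, not CLI input.

```text
configure

# Rule 1: deny web-browsing (HTTP) from the trust zone to the untrust zone
set rulebase security rules block-http from trust to untrust source any destination any application web-browsing service application-default action deny

# Rule 2: allow any other application between the same zones
set rulebase security rules allow-any from trust to untrust source any destination any application any service any action allow

# Rules are matched top-down, so the deny rule must sit above the allow rule
move rulebase security rules block-http top

# First test: disable the deny rule and commit; curl and ping must both succeed
set rulebase security rules block-http disabled yes
commit

# Second test: re-enable it and commit; curl must fail while ping still works
set rulebase security rules block-http disabled no
commit

# Operational equivalent of the Session Browser view for the HTTP server
exit
show session all filter destination 1.1.2.7
```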

Using curl, verify that the HTTP traffic is allowed when communicating from the trusted host to the
untrusted one, because of the disabled rule. Use ping to ensure that other traffic (here ICMP) is
allowed:

ubuntu@trust-ubuntu:~$ curl http://1.1.2.7
test
ubuntu@trust-ubuntu:~$ ping 1.1.2.7
PING 1.1.2.7 (1.1.2.7) 56(84) bytes of data.
64 bytes from 1.1.2.7: icmp_seq=1 ttl=61 time=2.32 ms
64 bytes from 1.1.2.7: icmp_seq=2 ttl=61 time=1.68 ms

In the Palo Alto UI, in the Monitor tab, Session Browser section, the logs with information about
the traffic are available. The state of the sessions is active:

To perform the second test, enable the first rule, which will block the HTTP traffic, and commit the changes:

Access to the HTTP server is blocked:

ubuntu@trust-ubuntu:~$ curl http://1.1.2.7
curl: (56) Recv failure: Connection reset by peer

Ping still works:

ubuntu@trust-ubuntu:~$ ping 1.1.2.7
PING 1.1.2.7 (1.1.2.7) 56(84) bytes of data.
64 bytes from 1.1.2.7: icmp_seq=1 ttl=61 time=3.10 ms
64 bytes from 1.1.2.7: icmp_seq=2 ttl=61 time=1.53 ms

In the Monitor tab, Session Browser section, the session to the HTTP server is available, and its state is
Discard, as below:

Appendix

● Palo Alto Administration Guide
● VM-Series Virtualization Guide