Repository: cloudstack-docs-admin
Updated Branches:
  refs/heads/master 26cd1b738 -> 36e506009


CLOUDSTACK-5943: added doc for the Palo Alto Networks firewall integration: 
This closes #9

Signed-off-by: Sebastien Goasguen <run...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/repo
Commit: 
http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/commit/ba544d2a
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/tree/ba544d2a
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/diff/ba544d2a

Branch: refs/heads/master
Commit: ba544d2ad6f075325d28e80049a4dc6b80082341
Parents: 8bacccc
Author: Will Stevens <wstev...@cloudops.com>
Authored: Mon May 12 12:56:36 2014 -0400
Committer: Sebastien Goasguen <run...@gmail.com>
Committed: Thu May 15 16:56:41 2014 +0200

----------------------------------------------------------------------
 source/networking2.rst      |   2 +
 source/palo_alto_config.rst | 282 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 284 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/ba544d2a/source/networking2.rst
----------------------------------------------------------------------
diff --git a/source/networking2.rst b/source/networking2.rst
index b020a19..b3743fc 100644
--- a/source/networking2.rst
+++ b/source/networking2.rst
@@ -6952,6 +6952,8 @@ To create a persistent network, perform the following:
 
    Click OK.
 
+.. include:: palo_alto_config.rst
+
 .. |guest-traffic-setup.png| image:: _static/images/guest-traffic-setup.png
    :alt: Depicts a guest traffic setup
 .. |networksinglepod.png| image:: _static/images/network-singlepod.png
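Review bot: the `.. include:: palo_alto_config.rst` line lands right after the persistent-network procedure, and the included file's section underlines (`---`, `~~~`, `^^^`) are not interpreted on their own: docutils assigns heading levels by the order in which underline styles first appear in the combined document, so 'Setup a Palo Alto Networks Firewall' will sit wherever `-` already ranks in networking2.rst, which may be as a subsection of the persistent-network text rather than as a sibling of the other network-provider sections. Please build the docs and check the rendered table of contents, and adjust the underline characters in the new file if the level is wrong.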

http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/ba544d2a/source/palo_alto_config.rst
----------------------------------------------------------------------
diff --git a/source/palo_alto_config.rst b/source/palo_alto_config.rst
new file mode 100644
index 0000000..6c0aa46
--- /dev/null
+++ b/source/palo_alto_config.rst
@@ -0,0 +1,282 @@
+.. Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information#
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+
+
+
+Setup a Palo Alto Networks Firewall
+-----------------------------------
+
+
+Functionality Provided
+~~~~~~~~~~~~~~~~~~~~~~
+
+This implementation enable the orchestration of a Palo Alto Networks Firewall 
from within CloudStack UI and API.  
+
+**The following features are supported**:
+
+- List/Add/Delete Palo Alto Networks service provider
+- List/Add/Delete Palo Alto Networks network service offering
+- List/Add/Delete Palo Alto Networks network using the above service offering
+- Add an instance to a Palo Alto Networks network
+- Source NAT management on network create and delete
+- List/Add/Delete Ingress Firewall rule
+- List/Add/Delete Egress Firewall rule (both 'Allow' and 'Deny' default rules 
supported)
+- List/Add/Delete Port Forwarding rule
+- List/Add/Delete Static NAT rule
+- Apply a Threat Profile to all firewall rules (more details in the Additional 
Features section)
+- Apply a Log Forwarding profile to all firewall rules (more details in the 
Additional Features section)
+
+
+
+Initial Palo Alto Networks Firewall Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Anatomy of the Palo Alto Networks Firewall
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- In **'Network > Interfaces'** there is a list of physical interfaces as well 
as aggregated physical interfaces which are used for managing traffic in and 
out of the Palo Alto Networks Firewall device.
+- In **'Network > Zones'** there is a list of the different configuration 
zones.  This implementation will use two zones; a public (defaults to 
'untrust') and private (defaults to 'trust') zone.
+- In **'Network > Virtual Routers'** there is a list of VRs which handle 
traffic routing for the Palo Alto Firewall.  We only use a single Virtual 
Router on the firewall and it is used to handle all the routing to the next 
network hop.
+- In **'Objects > Security Profile Groups'** there is a list of profiles which 
can be applied to firewall rules.  These profiles are used to better understand 
the types of traffic that is flowing through your network.  Configured when you 
add the firewall provider to CloudStack.
+- In **'Objects > Log Forwarding'** there is a list of profiles which can be 
applied to firewall rules.  These profiles are used to better track the logs 
generated by the firewall.  Configured when you add the firewall provider to 
CloudStack.
+- In **'Policies > Security'** there is a list of firewall rules that are 
currently configured.  You will not need to modify this section because it will 
be completely automated by CloudStack, but you can review the firewall rules 
which have been created here.
+- In **'Policies > NAT'** there is a list of the different NAT rules.  You 
will not need to modify this section because it will be completely automated by 
CloudStack, but you can review the different NAT rules that have been created 
here.  Source NAT, Static NAT and Destination NAT (Port Forwarding) rules will 
show up in this list.
+
+
+
+Configure the Public / Private Zones on the firewall
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+No manual configuration is required to setup these zones because CloudStack 
will configure them automatically when you add the Palo Alto Networks firewall 
device to CloudStack as a service provider.  This implementation depends on two 
zones, one for the public side and one for the private side of the firewall.  
+
+- The public zone (defaults to 'untrust') will contain all of the public 
interfaces and public IPs.
+- The private zone (defaults to 'trust') will contain all of the private 
interfaces and guest network gateways.
+
+The NAT and firewall rules will be configured between these zones.
+
+
+
+Configure the Public / Private Interfaces on the firewall
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This implementation supports standard physical interfaces as well as grouped 
physical interfaces called aggregated interfaces.  Both standard interfaces and 
aggregated interfaces are treated the same, so they can be used 
interchangeably. For this document, we will assume that we are using 
'ethernet1/1' as the public interface and 'ethernet1/2' as the private 
interface.  If aggregated interfaces where used, you would use something like 
'ae1' and 'ae2' as the interfaces.
+
+This implementation requires that the 'Interface Type' be set to 'Layer3' for 
both the public and private interfaces.  If you want to be able to use the 
'Untagged' VLAN tag for public traffic in CloudStack, you will need to enable 
support for it in the public 'ethernet1/1' interface (details below).  
+
+**Steps to configure the Public Interface**:
+
+#. Log into Palo Alto Networks Firewall
+#. Navigate to 'Network > Interfaces'
+#. Click on 'ethernet1/1' (for aggregated ethernet, it will probably be called 
'ae1')
+#. Select 'Layer3' from the 'Interface Type' list
+#. Click 'Advanced'
+#. Check the 'Untagged Subinterface' check-box
+#. Click 'OK'
+
+**Steps to configure the Private Interface**:
+
+#. Click on 'ethernet1/2' (for aggregated ethernet, it will probably be called 
'ae2')
+#. Select 'Layer3' from the 'Interface Type' list
+#. Click 'OK'
+
+
+
+Configure a Virtual Router on the firewall
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Virtual Router on the Palo Alto Networks Firewall is not to be confused 
with the Virtual Routers that CloudStack provisions.  For this implementation, 
the Virtual Router on the Palo Alto Networks Firewall will ONLY handle the 
upstream routing from the Firewall to the next hop.
+
+**Steps to configure the Virtual Router**:
+
+#. Log into Palo Alto Networks Firewall
+#. Navigate to 'Network > Virtual Routers'
+#. Select the 'default' Virtual Router or Add a new Virtual Router if there 
are none in the list
+
+   - If you added a new Virtual Router, you will need to give it a 'Name'
+
+#. Navigate to 'Static Routes > IPv4'
+#. 'Add' a new static route
+
+   - **Name**: next_hop (you can name it anything you want)
+   - **Destination**: 0.0.0.0/0 (send all traffic to this route)
+   - **Interface**: ethernet1/1 (or whatever you set your public interface as)
+   - **Next Hop**: (specify the gateway IP for the next hop in your network)
+   - Click 'OK'
+
+#. Click 'OK'
+
+
+
+Configure the default Public Subinterface
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The current implementation of the Palo Alto Networks firewall integration uses 
CIDRs in the form of 'w.x.y.z/32' for the public IP addresses that CloudStack 
provisions.  Because no broadcast or gateway IPs are in this single IP range, 
there is no way for the firewall to route the traffic for these IPs.  To route 
the traffic for these IPs, we create a single subinterface on the public 
interface with an IP and a CIDR which encapsulates the CloudStack public IP 
range.  This IP will need to be inside the subnet defined by the CloudStack 
public range netmask, but outside the CloudStack public IP range.  The CIDR 
should reflect the same subnet defined by the CloudStack public range netmask.  
The name of the subinterface is determined by the VLAN configured for the 
public range in CloudStack.
+
+To clarify this concept, we will use the following example.
+
+**Example CloudStack Public Range Configuration**:
+
+- **Gateway**: 172.30.0.1
+- **Netmask**: 255.255.255.0
+- **IP Range**: 172.30.0.100 - 172.30.0.199
+- **VLAN**: Untagged
+
+**Configure the Public Subinterface**:
+
+#. Log into Palo Alto Networks Firewall
+#. Navigate to 'Network > Interfaces'
+#. Select the 'ethernet1/1' line (not clicking on the name)
+#. Click 'Add Subinterface' at the bottom of the window
+#. Enter 'Interface Name': 'ethernet1/1' . '9999' 
+
+   - 9999 is used if the CloudStack public range VLAN is 'Untagged'
+   - If the CloudStack public range VLAN is tagged (eg: 333), then the name 
will reflect that tag
+
+#. The 'Tag' is the VLAN tag that the traffic is sent to the next hop with, so 
set it accordingly.  If you are passing 'Untagged' traffic from CloudStack to 
your next hop, leave it blank.  If you want to pass tagged traffic from 
CloudStack, specify the tag.
+#. Select 'default' from the 'Config > Virtual Router' drop-down (assuming 
that is what your virtual router is called)
+#. Click the 'IPv4' tab
+#. Select 'Static' from the 'Type' radio options
+#. Click 'Add' in the 'IP' section
+#. Enter '172.30.0.254/24' in the new line
+
+   - The IP can be any IP outside the CloudStack public IP range, but inside 
the CloudStack public range netmask (it can NOT be the gateway IP)
+   - The subnet defined by the CIDR should match the CloudStack public range 
netmask
+   
+#. Click 'OK'
+
+
+Commit configuration on the Palo Alto Networks Firewall
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In order for all the changes we just made to take effect, we need to commit 
the changes.
+
+#. Click the 'Commit' link in the top right corner of the window
+#. Click 'OK' in the commit window overlay
+#. Click 'Close' to the resulting commit status window after the commit 
finishes
+
+
+
+Setup the Palo Alto Networks Firewall in CloudStack
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add the Palo Alto Networks Firewall as a Service Provider
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+#. Navigate to 'Infrastructure > Zones > ZONE_NAME > Physical Network > 
NETWORK_NAME (guest) > Configure; Network Service Providers'
+#. Click on 'Palo Alto' in the list
+#. Click 'View Devices'
+#. Click 'Add Palo Alto Device'
+#. Enter your configuration in the overlay.  This example will reflect the 
details previously used in this guide.
+
+   - **IP Address**: (the IP of the Palo Alto Networks Firewall)
+   - **Username**: (the admin username for the firewall)
+   - **Password**: (the admin password for the firewall)
+   - **Type**: Palo Alto Firewall
+   - **Public Interface**: ethernet1/1 (use what you setup earlier as the 
public interface if it is different from my examples)
+   - **Private Interface**: ethernet1/2 (use what you setup earlier as the 
private interface if it is different from my examples)
+   - **Number of Retries**: 2 (the default is fine)
+   - **Timeout**: 300 (the default is fine) 
+   - **Public Network**: untrust (this is the public zone on the firewall and 
did not need to be configured)
+   - **Private Network**: trust (this is the private zone on the firewall and 
did not need to be configured)
+   - **Virtual Router**: default (this is the name of the Virtual Router we 
setup on the firewall)
+   - **Palo Alto Threat Profile**: (not required.  name of the 'Security 
Profile Groups' to apply.  more details in the 'Additional Features' section)
+   - **Palo Alto Log Profile**: (not required.  name of the 'Log Forwarding' 
profile to apply.  more details in the 'Additional Features' section)
+   - **Capacity**: (not required) 
+   - **Dedicated**: (not required)
+
+#. Click 'OK'
+#. Click on 'Palo Alto' in the breadcrumbs to go back one screen.
+#. Click on 'Enable Provider' (its the middle icon that looks like two plugs 
together)
+
+
+Add a Network Service Offering to use the new Provider
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+There are 6 'Supported Services' that need to be configured in the network 
service offering for this functionality.  They are DHCP, DNS, Firewall, Source 
NAT, Static NAT and Port Forwarding.  For the other settings, there are 
probably additional configurations which will work, but I will just document a 
common case.
+
+#. Navigate to 'Service Offerings'
+#. In the drop-down at the top, select 'Network Offerings'
+#. Click 'Add Network Offering'
+
+   - **Name**: (name it whatever you want)
+   - **Description**: (again, can be whatever you want)
+   - **Guest Type**: Isolated
+   - **Supported Services**:
+
+      - **DHCP**: Provided by 'VirtualRouter'
+      - **DNS**: Provided by 'VirtualRouter'
+      - **Firewall**: Provided by 'PaloAlto'
+      - **Source NAT**: Provided by 'PaloAlto'
+      - **Static NAT**: Provided by 'PaloAlto'
+      - **Port Forwarding**: Provided by 'PaloAlto'
+
+   - **System Offering for Router**: System Offering For Software Router
+   - **Supported Source NAT Type**: Per account (this is the only supported 
option)
+   - **Default egress policy**: (both 'Allow' and 'Deny' are supported)
+
+#. Click 'OK'
+#. Click on the newly created service offering
+#. Click 'Enable network offering' (the middle icon that looks like two plugs 
together)
+
+When adding networks in CloudStack, select this network offering to use the 
Palo Alto Networks firewall.
+
+
+Additional Features
+~~~~~~~~~~~~~~~~~~~
+
+In addition to the standard functionality exposed by CloudStack, we have added 
a couple additional features to this implementation.  We did not add any new 
screens to CloudStack, but we have added a couple fields to the 'Add Palo Alto 
Service Provider' screen which will add functionality globally for the device.
+
+
+Palo Alto Networks Threat Profile
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This feature allows you to specify a 'Security Profile Group' to be applied to 
all of the firewall rules which are created on the Palo Alto Networks firewall 
device.
+
+To create a 'Security Profile Group' on the Palo Alto Networks firewall, do 
the following: 
+
+#. Log into the Palo Alto Networks firewall
+#. Navigate to 'Objects > Security Profile Groups'
+#. Click 'Add' at the bottom of the page to add a new group
+#. Give the group a Name and specify the profiles you would like to include in 
the group
+#. Click 'OK'
+#. Click the 'Commit' link in the top right of the screen and follow the on 
screen instructions
+
+Once you have created a profile, you can reference it by Name in the 'Palo 
Alto Threat Profile' field in the 'Add the Palo Alto Networks Firewall as a 
Service Provider' step.
+
+
+Palo Alto Networks Log Forwarding Profile
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+This feature allows you to specify a 'Log Forwarding' profile to better manage 
where the firewall logs are sent to.  This is helpful for keeping track of 
issues that can arise on the firewall.
+
+To create a 'Log Forwarding' profile on the Palo Alto Networks Firewall, do 
the following: 
+
+#. Log into the Palo Alto Networks firewall
+#. Navigate to 'Objects > Log Forwarding'
+#. Click 'Add' at the bottom of the page to add a new profile
+#. Give the profile a Name and specify the details you want for the traffic 
and threat settings
+#. Click 'OK'
+#. Click the 'Commit' link in the top right of the screen and follow the on 
screen instructions
+
+Once you have created a profile, you can reference it by Name in the 'Palo 
Alto Log Profile' field in the 'Add the Palo Alto Networks Firewall as a 
Service Provider' step.
+
+
+
+Limitations
+~~~~~~~~~~~
+
+- The implementation currently only supports a single public IP range in 
CloudStack
+- Usage tracking is not yet implemented
+
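Review bot: the 'Add Palo Alto Device' step (`- **Username**: (the admin username for the firewall)` / `- **Password**: (the admin password for the firewall)`) gives the operator no guidance on account scope; since CloudStack stores these credentials and uses them to push security and NAT policy on every network change, the doc should recommend a dedicated firewall administrator account with only the permissions the integration needs rather than the built-in superuser, and it should state how CloudStack reaches the device (the 'IP Address' field implies the management interface, but the protocol and port are never named) so that management-plane access can be restricted to the CloudStack management servers. Related gap: 'Policies > Security' and 'Policies > NAT' say "You will not need to modify this section because it will be completely automated by CloudStack" but do not say what happens to hand-edited rules, so a sentence warning that CloudStack-managed rules must not be edited on the firewall would help. Minor text fixes in the same hunk: stray `#` in the license header ("additional information#"), "This implementation enable" should be "enables", "If aggregated interfaces where used" should be "were used", and "its the middle icon" should be "it's". The worked subinterface example is consistent with its own rules (172.30.0.254/24 is inside the /24, outside 172.30.0.100-199, and not the gateway), which is good.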
