You can deploy a Palo Alto firewall as a VM using the as-is feature in VMware.
In KVM it might be trickier; it depends on how Palo Alto supports KVM. Last 
time I used Palo Alto it supported only ESX.

You can deploy it in two (or three) L2 shared networks: one for WAN, one for 
LAN, and if needed one for DMZ, plus an isolated network for the management 
interface with port forwarding to the management UI or API.

On the LAN shared network you then set the gateway to the IP of the firewall; 
the VMs will receive that default gateway from the VR's DHCP server.
On the WAN interface you can use just an L2 network in the same VLAN as the router 
upstream from the PaloAlto firewall.

Also, as you suggested, you can place the PaloAlto north of the router serving 
the public IP range for the Zone.
Or, the PaloAlto could be the gateway of the public IP range of the Zone. This 
way you can have multiple public IP ranges, 1 or more going through the 
PaloAlto and others taking a different path. Or you can scale horizontally and 
have several PaloAltos, 1 as the gateway of each Public IP range.

There are many many ways to make this work...

 


-----Original Message-----
From: Bryan Tiang <bryantian...@hotmail.com> 
Sent: Thursday, November 16, 2023 6:35 AM
To: users@cloudstack.apache.org; users@cloudstack.apache.org
Subject: RE: Palo Alto VM Firewall with Cloudstack

Hey Alex,

Thanks for the response.

I’ll try to get a trial VM Firewall from Palo Alto and see if it still works 
with Cloudstack 4.18. Will update our findings.

But in the event that this doesn’t work, we were thinking of still using it, 
but outside of CloudStack. Meaning we will put the Palo Alto Firewall after the 
router (filtering all traffic into the cloud tenants). Cloudstack will not know 
of its existence, and we will need to manage this firewall manually.

Will this work?

Regards,
Bryan
On 16 Nov 2023 at 1:11 PM +0800, Alex Mattioli <alex.matti...@shapeblue.com>, 
wrote:
> I've deployed PaloAlto firewalls as VNFs in CloudStack, but didn't use the 
> integration, it seems to have been abandoned as it didn't work with the 
> version of PAN-OS I was using. That was back with ACS 4.11, didn't try with 
> later versions.
>
> -----Original Message-----
> From: Bryan Tiang <bryantian...@hotmail.com>
> Sent: Thursday, November 16, 2023 6:08 AM
> To: users@cloudstack.apache.org; users@cloudstack.apache.org
> Subject: Re: Palo Alto VM Firewall with Cloudstack
>
> Hi Tesfay,
>
> Thanks for the links. We are using KVM Ubuntu for our hypervisors.
>
> I’ll take it as Palo Alto integration with Cloudstack UI and API is still 
> supported.
>
> Anyone using this setup in production? Is it stable? Any experiences to share?
>
> Regards,
> Bryan
> On 16 Nov 2023 at 1:00 PM +0800, Tesfay Tesfamariam 
> <tes...@ymail.com.INVALID>, wrote:
> > Check PaloAlto supported hypervisor page.
> >
> > https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/vms-series-hypervisor-support
> >
> > CloudStack documentation
> >
> > http://docs.cloudstack.apache.org/en/4.18.1.0/adminguide/networking/palo_alto_config.html
> >
> > Maybe post your question on the community page if none works for you.
> >
> > https://live.paloaltonetworks.com/
> > ________________________________
> > From: Bryan Tiang <bryantian...@hotmail.com>
> > Sent: Wednesday, November 15, 2023 11:02:23 PM
> > To: Vivek Kumar via users <users@cloudstack.apache.org>
> > Subject: Palo Alto VM Firewall with Cloudstack
> >
> > Hi Guys,
> >
> > Has anyone used Cloudstack together with Palo Alto VM Firewall?
> >
> > I can see Palo Alto is supported in the Documentation but I know some 
> > documents aren’t updated.
> >
> > We want to be able to manage the Palo Alto VM Firewall via Cloudstack for a 
> > fully automated solution.
> >
> > Regards,
> > Bryan
