Posted on 23-Mar-2018

Installation Runbook for Palo Alto Networks virtual Firewall and Juniper Contrail plugin for Fuel

MOS Version 6.1

OpenStack Version Juno

Contrail Fuel plugin version 2.1.0

Contrail bits version 2.21

Application Type virtual Firewall

Application Version PAN-OS 7.x based image

Authors: Katarzyna Orlowska

sdn-team@mirantis.com

Content

Document History
1 Introduction
1.1 Target Audience
2 Application overview
3 Joint Reference Architecture
Logical topology - Contrail control plane
4 Physical & Logical Network Topology
Physical networks topology
Logical networks topology
5 Installation & Configuration
5.1 Overview of Fuel installation steps
5.2 Overview of MOS installation steps
5.3 Overview of the Openstack configuration
5.4 Service chaining configuration through Contrail
5.4.1 In-network deployment configuration
5.4.2 Transparent deployment configuration
5.4.3 Service Scale deployment configuration
5.5 Overview of PA-VM configuration
5.5.1 In-network deployment configuration
5.5.2 Transparent deployment configuration
5.5.3 Service Scale deployment configuration
5.6 Testing
5.6.1 Target use case(s)
5.6.2 Test Tools
5.6.3 Test Results
Appendix

Document History

Version | Revision Date | Description
0.1 | 11-17-2015 | Initial Version

1 Introduction

This document serves as a detailed Deployment Guide for the Palo Alto Virtualized Firewall used with the Juniper Contrail plugin for Fuel. It describes the reference architecture and the installation and configuration steps for Mirantis OpenStack, the Juniper Contrail plugin for Fuel and the Palo Alto Virtual Firewall needed to prepare an environment with service chaining.

1.1 Target Audience

This guide is intended for OpenStack administrators who are deploying Mirantis OpenStack using Juniper Contrail as the SDN with the Palo Alto Virtual Firewall.

2 Application overview

VM-Series firewall: the Palo Alto Networks VM-Series firewall protects applications and data stored in private, public or hybrid cloud environments. To learn more about the Palo Alto firewall, please see the official documentation.

3 Joint Reference Architecture

The diagrams below show the topology of Mirantis OpenStack working with Contrail and the Palo Alto virtual firewall.

Management topology:

Logical topology - Contrail control plane:

Logical topology - Contrail data plane:

Service chaining in Contrail:

You can find more information about how service chaining works in Contrail here: http://www.juniper.net/techpubs/en_US/contrail1.0/topics/task/configuration/service-chaining-vnc.html

4 Physical & Logical Network Topology

Physical networks topology

The diagram below shows the physical topology of the Mirantis OpenStack and Contrail environment.

Logical networks topology

The diagram below shows the traffic flow with the Palo Alto virtual firewall service.

5 Installation & Configuration

The Palo Alto Virtualized Firewall can be deployed in three modes:

- In-network
- Transparent
- Elastic Scale Out

The diagrams below explain the details of each deployment model:

In-network, where the virtualized firewall sits between at least two networks and packets are routed:

Transparent, where the virtualized firewall is transparent to the communication between instances and packets are switched:

Elastic Scale Out / Service Scaling, where a single service instance can use multiple virtual machines and scale out based on customer demand.

5.1 Overview of Fuel installation steps

Download the Fuel ISO from the Mirantis website. For a detailed description of how to install Fuel, see the Reference Architecture and the User Guide in the official Mirantis OpenStack documentation. Prior to the deployment procedure, you will need to install and configure the Fuel plugin for Juniper Contrail. To do that, download the plugin from the Fuel Plugin Catalog, copy it to the Fuel Master node and install it (the installation procedure is explained in the Plugin Guide, also found in the Fuel Plugin Catalog).

Note that alongside the plugin installation, you will also need to have the Contrail packages in place (you have to contact Juniper to obtain those).

5.2 Overview of MOS installation steps

The following nodes and roles will be used in this deployment:

- 3 MOS controllers
- 3 Contrail controllers
- 1 physical compute node

Use the Fuel UI Wizard to create an environment. In Networking Setup, select Neutron with VLAN segmentation, as this is the only networking model supported by version 2.0.0 of the plugin. Add nodes to the environment using the Add Nodes button:

According to the configuration above, assign the Controller, Compute and Operating System (for Contrail) roles to the nodes:

NOTE: Contrail controllers should be named 'contrail-X', where X is the number of the controller. Start numbering the controllers with "1"; otherwise, the deployment will fail. For more details, please check the Plugin Guide for the Juniper Contrail 2.1.0 plugin (found in the Fuel Plugin Catalog).

In the Networks tab of the Fuel Web UI, fill in the information on networks and VLANs:

Each of the nodes needs to have two network interfaces:

- one for PXE,
- the second one for the other networks (mgmt, private, storage and public).

For information on the logical networks Fuel uses, please see the official documentation. Use the gear button on the right to choose "edit interfaces" and assign networks to interfaces:

After you have set all the networks and nodes, open the Settings tab of the Fuel Web UI and scroll the page down. Select the Fuel contrail plugin checkbox to enable the plugin and choose the appropriate Contrail version for your deployment; in this deployment, Juniper Contrail is used for service chaining:

Fill in the plugin-specific information such as AS Number, Gateway for Private Network and GW IP (more details on these parameters can be found in the Plugin Guide shipped with the plugin itself in the Fuel Plugin Catalog). Prior to deployment, you can run the network verification check to make sure the networks are configured correctly. Once done, click the Deploy changes button and start the deployment.

5.3 Overview of the OpenStack configuration

OpenStack can be managed either through the Horizon dashboard (available over HTTP) or through CLI commands. One needs to spawn an instance with the Palo Alto firewall. At least three interfaces need to be created, in the following networks: management, trust and untrust. The networks can be created in the Network/Networks tab:

You can achieve the same thing using the CLI (each network gets its own net-create, followed by the subnet-create for that network):

neutron net-create panos-trust
neutron subnet-create panos-trust 1.1.1.0/24
neutron net-create panos-untrust
neutron subnet-create panos-untrust 1.1.2.0/24
neutron net-create panos-mgmt
neutron subnet-create panos-mgmt 1.1.3.0/24

Download the PA-VM image from https://support.paloaltonetworks.com (support account needed), from the section Software Updates -> PAN-OS for VM-Series Base Image, copy it to one of the MOS controllers and import it into Glance:

You can achieve the same thing using the CLI:

glance image-create --disk-format qcow2 --container-format bare --is-public True --name panos-snapshot --file PA-VM-KVM-7.0.0.nova.dhcp.patch.qcow2

In this scenario a PA-VM instance is needed; it will be created in the next steps using the Contrail UI. Additionally, at least two test VMs need to be created:

- the first one with an interface in the Trust zone,
- the second one with an interface in the Untrust zone.
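The CLI steps of this section can be scripted. The following Python script is an added example and not part of the original runbook: it builds the neutron and glance commands for the three networks and the PA-VM image, and validates the plan before anything is created (unique network names, well-formed and non-overlapping CIDRs), which catches the kind of copy-paste slip where the same network name is passed to net-create twice. It assumes the legacy `neutron` and `glance` CLIs are on PATH and that OpenStack credentials are sourced in the shell; the helper names (`plan_networks`, `plan_is_valid`, `plan_image`, `run_plan`) are this example's own.

```python
"""Plan and optionally run the neutron/glance commands for the PA-VM networks.

Added example for this runbook, not the project's own tooling. Assumes the
legacy `neutron` and `glance` CLIs are on PATH and credentials are sourced.
"""
import ipaddress
import subprocess
from typing import List, Sequence, Tuple

# Constructed plan matching the runbook: (network name, subnet CIDR)
PANOS_NETWORKS: List[Tuple[str, str]] = [
    ("panos-trust", "1.1.1.0/24"),
    ("panos-untrust", "1.1.2.0/24"),
    ("panos-mgmt", "1.1.3.0/24"),
]


def plan_networks(networks: Sequence[Tuple[str, str]]) -> List[List[str]]:
    """Return the neutron argv lists that create each network and its subnet.

    Validates the whole plan before returning anything, so a bad plan creates
    no resources: raises ValueError on a duplicate name, a malformed CIDR, or
    two subnets that overlap (the firewall zones must be distinct L3 networks).
    """
    seen = set()
    placed = []          # (name, ip_network) already accepted
    commands: List[List[str]] = []
    for name, cidr in networks:
        if name in seen:
            raise ValueError(f"duplicate network name: {name}")
        seen.add(name)
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits are set
        for other_name, other in placed:
            if net.overlaps(other):
                raise ValueError(f"{name} {net} overlaps {other_name} {other}")
        placed.append((name, net))
        commands.append(["neutron", "net-create", name])
        commands.append(["neutron", "subnet-create", name, str(net)])
    return commands


def plan_is_valid(networks: Sequence[Tuple[str, str]]) -> bool:
    """True when plan_networks() accepts the plan, False when it rejects it."""
    try:
        plan_networks(networks)
    except ValueError:
        return False
    return True


def plan_image(image_path: str, image_name: str = "panos-snapshot") -> List[str]:
    """glance command that imports the PA-VM qcow2 as a public image."""
    return [
        "glance", "image-create",
        "--disk-format", "qcow2",
        "--container-format", "bare",
        "--is-public", "True",
        "--name", image_name,
        "--file", image_path,
    ]


def run_plan(commands: Sequence[Sequence[str]], dry_run: bool = True) -> int:
    """Print each command; execute it only when dry_run is False.

    Returns the number of commands actually executed (0 in dry-run mode).
    """
    executed = 0
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(list(argv), check=True)  # stop at the first failure
            executed += 1
    return executed


if __name__ == "__main__":
    plan = plan_networks(PANOS_NETWORKS)
    plan.append(plan_image("PA-VM-KVM-7.0.0.nova.dhcp.patch.qcow2"))
    run_plan(plan, dry_run=True)  # set dry_run=False to create the resources
```

Run it once in dry-run mode on a MOS controller to review the exact commands, then with `dry_run=False`; because validation happens before the first `neutron` call, a rejected plan leaves nothing half-created.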

5.4 Service chaining configuration through Contrail

The sections below cover the configuration of Contrail for:

- In-network deployment
- Transparent deployment
- Service scaling deployment

Service chaining has to be configured through Contrail. The Contrail WebUI is available through the VIP on the HAProxy installed on the MOS controllers, over HTTPS on port 8143. For example, if you access Horizon via http://172.16.0.2 then the Contrail WebUI is available at http://172.16.0.2:8143/. Networks configured through OpenStack are available in the Networking/Networks tab of the Contrail WebUI:

5.4.1 In-network deployment configuration

In Services/Service Templates there is a list of available templates. To add a new one, click the plus sign in the upper-right corner as shown below:

In the window that opens, please do the following:

- fill in the name of the template (in the example, it is panos-inn),
- set the service type to firewall,
- in the service mode, select in-network.

Each firewall requires at least three interfaces. Use the plus sign to add three networks: management, left and right.

In the Image name drop-down list, there will be a list of the available images in Glance, including the PA-VM image. In this deployment, we set the m1.large flavour, with 4 vCPU and 8192 MB RAM.

To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign in the upper-right corner.

Provide the name and choose the appropriate service template. After that the interfaces should be mapped to the proper networks. For in-network deployment, map the interfaces to: management, trust (left) and untrust (right).

To create a service chain, a policy must be created. This policy has to be assigned to the proper networks. In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:

The new policy needs to have the following information:

- name (policy-panos)
- action (pass by default)
- source (panos-trust)
- destination (panos-untrust)
- direction (<>).

In the example below, the traffic will be allowed in both directions between trust and untrust, for all protocols. After selecting the services checkbox, a new field will show up, where you can add the service that was created earlier.

After the policy is completed and saved, it has to be assigned to networks in the Networking/Networks tab. Use the edit sign on the right to edit the network in the Networking/Networks tab.

Use the network policy name to assign it to the trust network and save the changes. Repeat the procedure for the untrust network.

5.4.2 Transparent deployment configuration

In Services/Service Templates there is a list of available templates. To add a new one, click the plus sign in the upper-right corner as shown below:

Fill in the name of the template and set the service type to firewall. The service mode is "Transparent". Each firewall requires at least three interfaces. Use the plus sign to add three networks: management, left and right.

In the Image name drop-down list, there will be a list of the available images in Glance, including the PA-VM image. In this deployment, we use the m1.large flavour, with 4 vCPU and 8192 MB RAM.

To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign in the upper-right corner.

Provide the name and choose the appropriate service template. For transparent deployment, leave the mapping of all interfaces as it is (auto-configured).

To create a service chain, a policy must be created. This policy has to be assigned to the proper networks. In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:

The new policy needs to have the following information:

- name
- action (pass by default)
- source
- destination
- direction.

In this example, the traffic will be allowed in both directions between trust and untrust, for all protocols. After selecting the services checkbox, a new field will show up, where you can add the service that was created earlier.

After the policy is complete and saved, it has to be assigned to networks in the Networking/Networks tab. Use the edit sign on the right to edit the network in the Networking/Networks tab:

Use the network policy name to assign it to the trust network and save the changes. Do the same for the untrust network:

5.4.3 Service Scale deployment configuration

In Services/Service Templates, there is a list of available templates. To add a new one, click the plus sign in the upper-right corner as shown below:

Fill in the name of the template and set the service type to firewall. For this example, set the service mode to In-Network. Each firewall requires at least three interfaces. Use the plus sign to add three networks: management, left and right.

In the Image name drop-down list, there will be a list of the available images in Glance, including the PA-VM image. In this deployment, we use the m1.large flavour, with 4 vCPU and 8192 MB RAM. The Service scaling checkbox should be checked. It automatically turns on the shared IP feature for the "left" and "right" interface types.

To create a service instance from the template, navigate to the Service Instances tab and choose the plus sign in the upper-right corner:

Provide the name and choose the appropriate service template. After that the interfaces should be mapped to the proper networks. For in-network deployment, map the interfaces to: management, trust (left) and untrust (right). Set the number of firewall instances; in this example, 2.

The created instances have the same IP addresses assigned:

To create a service chain, a policy must be created. This policy has to be assigned to the proper networks. In the Networking/Policies tab, use the plus sign in the upper-right corner to create a new policy:

The new policy needs to have the following information:

- name
- action (pass by default)
- source
- destination
- direction.

In this example, the traffic will be allowed in both directions between trust and untrust, for all protocols. After selecting the services checkbox, a new field will show up, where one can add the service that was created earlier. Although the service instance has its interfaces in another, auto-configured network, the policy still needs to be set between the trust and untrust networks:

After the policy is complete and saved, it has to be assigned to networks in the Networking/Networks tab. Use the edit sign on the right to edit the network in the Networking/Networks tab:

Use the network policy name to assign it to the trust network and save the changes. Do the same for the untrust network. Although the service instance has its interfaces in another, auto-configured network (svc-vn*), the policy still needs to be assigned to the trust/untrust networks.

5.5 Overview of PA-VM configuration

This section covers only the simple firewall configuration needed for full connectivity between zones. The sections below cover the configuration of the Palo Alto virtualized firewall for:

- In-network deployment
- vWire or virtual-wire deployment
- Service scaling deployment

Configuration can be managed either through the web dashboard (available over HTTPS, on the IP of the PA-VM management interface) or through CLI commands. In the Device/Licenses tab one can manage device licenses. After every license is uploaded, the instance will reboot automatically.

On the command line, check whether auto-mac-detect is enabled:

admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# show deviceconfig setting
setting config rematch yes;
management hostname-type-in-syslog FQDN;

If auto-mac-detect is missing from the output, one has to turn it on and commit the changes:

admin@PA-VM# set deviceconfig setting auto-mac-detect yes
[edit]
admin@PA-VM# commit
...55%75%..98%..........100%
Configuration committed successfully

5.5.1 In-network deployment configuration

In the Network/Interfaces tab, the available interfaces are listed. By clicking on an interface name, it is possible to edit its settings:

The interface type depends on the deployment model. In this example we will cover the L3 configuration. For each interface used, the Layer3 interface type must be set.

The virtual router can be set to default. If an additional virtual router is needed (with a static route or routing protocol), it is possible to add one from this level. In this scenario, the first interface will be in the trust zone, the second one in the untrust zone. Both security zones can be created with the New Zone link and applied at the interface configuration level:

In the second tab of the interface configuration window, you should set the IP address of the interface, which was assigned by Contrail to the device. Click the Static radio button and then the Add button to create the IP address object:

A new management profile can be created and set in the Advanced tab (optional). The permitted services should be checked:

After the actions are repeated for both interfaces, each one should have the Interface Type, Management profile, IP Address, Virtual Router and Security Zone assigned, as below:

Changes should be committed by clicking the Commit link in the upper-right corner of the dashboard and confirmed with the Commit button in the pop-up window:

5.5.2 vWire deployment configuration

The available interfaces are listed in the Network/Interfaces tab. By clicking on an interface name it is possible to edit its settings:

The interface type depends on the deployment model. In this example, we will cover the transparent L2 configuration. For each interface used, the Virtual Wire interface type must be set. Create a new virtual wire:

Set up the virtual wire connecting the ethernet1/1 and ethernet1/2 interfaces. Set the allowed VLAN tag to the value 1:

Trust and untrust zones should be created for each interface and assigned at the interface configuration level:

After the actions are repeated for both interfaces, each one should have the Interface Type, Virtual Wire and Security Zone assigned:

Changes should be committed by clicking the Commit link in the upper-right corner of the dashboard, and confirmed with the Commit button in the pop-up window:

5.5.3 Service Scale deployment configuration

The Service scale deployment configuration should be done the same way as the In-network deployment configuration from 5.5.1, for each firewall created in Contrail in 5.4.3.

5.6 Testing

5.6.1 Target use case(s)

Test a simple firewall configuration that blocks HTTP traffic only.

5.6.2 Test Tools

- Two test instances (one in the trust zone, one in the untrust zone)
- A simple HTTP server installed on the test instances
- PA Monitor
- Curl
- Ping

5.6.3 Test Results

An instance in the untrust zone should act as an HTTP server, with a simple page in /var/www/index.html which contains the word 'test'.

root@untrust-ubuntu:/var/www# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

In addition to the default rules, two rules will be set in the Policies/Security tab. The first will block HTTP traffic, the second will allow any other traffic. Use the Add button at the bottom to add a new rule. Name the rule, set the Trust zone as the source and Untrust as the destination, choose web-browsing as the Application, and set Action to Deny in the Actions tab.

Create the second rule to allow any other traffic. Set applications to Any and action to Allow, as below:

The rules should look as below:

To test that the traffic is allowed, the first rule will be temporarily disabled. This can be achieved with the Disable button at the bottom:

The rules should look as below:

Then the changes should be committed. Using curl, verify that HTTP traffic is allowed when communicating from the trusted host to the untrusted one, because the deny rule is disabled. Use ping to ensure that other traffic (here ICMP) is allowed:

ubuntu@trust-ubuntu:~$ curl http://1.1.2.7
test

ubuntu@trust-ubuntu:~$ ping 1.1.2.7
PING 1.1.2.7 (1.1.2.7) 56(84) bytes of data.
64 bytes from 1.1.2.7: icmp_seq=1 ttl=61 time=2.32 ms
64 bytes from 1.1.2.7: icmp_seq=2 ttl=61 time=1.68 ms

In the Palo Alto UI, in the Monitor tab, Session Browser section, logs with information about the traffic are available. The state of the sessions is active:

To perform the second test, enable the first rule, which blocks HTTP traffic, and commit the changes:

Access to the HTTP server is now blocked:

ubuntu@trust-ubuntu:~$ curl http://1.1.2.7
curl: (56) Recv failure: Connection reset by peer

Ping still works:

ubuntu@trust-ubuntu:~$ ping 1.1.2.7
PING 1.1.2.7 (1.1.2.7) 56(84) bytes of data.
64 bytes from 1.1.2.7: icmp_seq=1 ttl=61 time=3.10 ms
64 bytes from 1.1.2.7: icmp_seq=2 ttl=61 time=1.53 ms

In the Monitor tab, Session Browser section, the session to the HTTP server is listed with state Discard, as below:
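The two manual checks above (curl for HTTP, ping for ICMP, first with the deny rule disabled and then with it enabled) can be turned into a repeatable script run from the trust-zone host after each commit. The following Python script is an added example and not part of the original runbook: `classify_http` maps the curl exit code and page body onto allowed/blocked (exit code 56, the connection reset shown above, counts as blocked), `classify_icmp` parses the Linux ping summary line, and `verdict` compares what was observed with what the rule set should produce. The server address 1.1.2.7 and the page marker 'test' come from this runbook; the function names and the set of curl exit codes treated as "blocked" are this example's assumptions.

```python
"""Re-verify the trust -> untrust security policy from the trust-zone test host.

Added example for this runbook, not the project's own tooling. Run it after
each commit: with the deny rule disabled HTTP must succeed; with the rule
enabled HTTP must be blocked while ICMP keeps working.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

HTTP_SERVER = "1.1.2.7"   # untrust-zone HTTP server from the runbook
PAGE_MARKER = "test"      # content of /var/www/index.html on that server

# curl exit codes treated as "blocked by the firewall" (assumption for this
# example): 7 couldn't connect, 28 timeout, 52 empty reply, 56 recv failure
# (the "Connection reset by peer" produced when the deny rule matches).
CURL_BLOCKED_CODES = {7, 28, 52, 56}

# Linux ping summary line, e.g. "2 packets transmitted, 2 received, 0% packet loss"
PING_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received")


@dataclass
class CheckResult:
    http_allowed: bool
    icmp_allowed: bool


def classify_http(returncode: int, body: str, marker: str = PAGE_MARKER) -> bool:
    """True when the request reached the server and the page carried the marker."""
    if returncode == 0 and marker in body:
        return True
    if returncode in CURL_BLOCKED_CODES:
        return False
    # Anything else (DNS failure, wrong page) is a test-setup problem, not a verdict.
    raise RuntimeError(f"unexpected curl result: rc={returncode} body={body!r}")


def classify_icmp(ping_output: str) -> bool:
    """True when at least one echo reply came back."""
    match = PING_SUMMARY.search(ping_output)
    if match is None:
        raise RuntimeError("ping summary line not found in output")
    sent, received = int(match.group(1)), int(match.group(2))
    return sent > 0 and received > 0


def verdict(result: CheckResult, deny_rule_enabled: bool) -> bool:
    """Does the observed connectivity match the intended policy?"""
    expected_http = not deny_rule_enabled   # the deny rule blocks web-browsing only
    return result.http_allowed == expected_http and result.icmp_allowed


def run_checks(host: str = HTTP_SERVER) -> CheckResult:
    """Run curl and ping against the untrust host and classify both results."""
    curl = subprocess.run(["curl", "-s", "--max-time", "5", f"http://{host}/"],
                          capture_output=True, text=True)
    ping = subprocess.run(["ping", "-c", "3", "-W", "2", host],
                          capture_output=True, text=True)
    return CheckResult(classify_http(curl.returncode, curl.stdout),
                       classify_icmp(ping.stdout))


if __name__ == "__main__":
    enabled = "--deny-rule-enabled" in sys.argv
    result = run_checks()
    print(f"http_allowed={result.http_allowed} icmp_allowed={result.icmp_allowed} "
          f"expected_http_allowed={not enabled}")
    sys.exit(0 if verdict(result, enabled) else 1)
```

Run `python3 verify_policy.py` on the trust host while the deny rule is disabled, then `python3 verify_policy.py --deny-rule-enabled` after enabling it and committing; a non-zero exit in either run means the committed rule set does not match the intended policy, which is the same pair of observations the Session Browser shows as active versus Discard.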

Appendix

- Palo Alto Administration Guide
- VM-Series Virtualization Guide