Post on 22-May-2020
Transcript
@cloudops_ www.cloudops.com
Supporting Palo Alto Networks Firewalls in CloudStack
April 10, 2014
Introductions
• Syed Ahmed – Developer @ CloudOps
• CloudOps builds and operates clouds of all shapes and sizes
• Develops cloud infrastructure solutions and operational models
• 24x7x365 managed service for CloudStack based cloud infrastructures
• Customers are global
• Based in Montreal, Canada
To be covered…
• Palo Alto Networks firewall appliance integration
  – Feature overview
  – Challenges and decisions
Motivations for Palo Alto integration
CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS.
A great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.
More reasons why
• Customer driven – Palo Alto is an increasingly popular enterprise security product
• Many enterprises require greater visibility and advanced policies (e.g. content filtering, heuristics, intrusion detection)
• Use cases: enterprise private clouds, PCI compliance, service providers to enterprises
Resulting network services
• CloudStack Virtual Router
  – DHCP
  – DNS
• Palo Alto Service Provider
  – Source NAT
  – Firewall Rules (Ingress & Egress)
  – Static NAT
  – Port Forwarding
Overview of the implementation
Pre-configure the Palo Alto device
• Set up a Virtual Router on the Palo Alto to handle the routing of the Public traffic
• Set up a Static Route for the next hop
Pre-configure the Palo Alto device
• Set up the Public and Private interfaces on the PA
• Pre-configure the Public interface according to the Public IP range in CS
Add the PA as a service provider
• Add the PA device as a guest network service provider
• Enable the provider
Create a Network Offering
• Expose the PA through a network offering
• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services
• Enable the new offering
Use the Palo Alto
• Add a network using the new network offering
• Launch a VM on the new network
What actually happened
• A Source NAT IP is allocated on ‘ae1’
• A guest network has been set up on ‘ae2’
• A Source NAT rule now connects the guest network to the public IP
• A policy isolates the guest network
Egress firewall rules
Ingress firewall rules
Static NAT rules
Port Forwarding rules
Support for Palo Alto profiles
• Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’
• Globally configured at the device level (for now) and are associated with every ‘allow’ firewall rule
• Enables basic support for IDS/IPS/Network AV threat protection, WildFire (anti-malware), Data Protection and URL Filtering
PA VM Appliance Support
• Special considerations to support the Palo Alto virtual appliance
• Simplify the implementation to the lowest common denominator
• Using sub-interfaces instead of ‘vsys’ for configuration isolation
• Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta)
Known limitations
• Requires some initial configuration; it is not entirely plug and play (yet)
• Currently only supports a single Public IP range
• Public IP usage tracking is currently not handled
• Fine-grained control of ICMP is currently not handled
• Not validating SSL certificates when ACS communicates with the Palo Alto device
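The last limitation above, ACS talking to the PA device without validating its certificate, is the one to close first in a deployment. As an added example (not code from this presentation or from the CloudStack Palo Alto plugin), the Python snippet below shows an API-key request to the PAN-OS XML API made over a TLS session that verifies the device certificate and hostname against a pinned CA bundle; the hostname, CA file path and sample replies are assumptions constructed for the example.

```python
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed deployment values (placeholders, not from the deck): the PA management
# hostname and the CA bundle that issued its management certificate.
PA_HOST = "pa-mgmt.example.invalid"
PA_CA_FILE = "/etc/cloudstack/palo-alto-ca.pem"


def make_verifying_context(cafile):
    """TLS context that rejects untrusted certificates and hostname mismatches.
    Trusting only the CA that issued the device certificate, instead of turning
    verification off, is what closes the 'not validating SSL certificates' gap."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED by default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_keygen_response(body):
    """Return the API key from a PAN-OS keygen reply, or None if it failed.
    PAN-OS replies <response status="success"><result><key>..</key></result></response>;
    an error status or a missing key yields None."""
    root = ET.fromstring(body)
    if root.tag != "response" or root.get("status") != "success":
        return None
    return root.findtext("./result/key") or None


def fetch_api_key(user, password, host=PA_HOST, cafile=PA_CA_FILE, timeout=10):
    """Request an API key over a verified TLS session. Credentials go in the
    POST body, not the query string, so they stay out of access logs."""
    req = Request(
        f"https://{host}/api/?type=keygen",
        data=urlencode({"user": user, "password": password}).encode(),
        method="POST",
    )
    with urlopen(req, context=make_verifying_context(cafile), timeout=timeout) as resp:
        return parse_keygen_response(resp.read())


# Constructed sample replies (not captured from a real device) for local checks.
SAMPLE_SUCCESS = b'<response status="success"><result><key>CONSTRUCTED-KEY-0001</key></result></response>'
SAMPLE_FAILURE = b'<response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>'
```

With a self-signed device certificate, export it and point PA_CA_FILE at that file rather than disabling verification; a wrong CA or hostname then fails the connection instead of silently trusting whatever answers.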