Supporting Palo Alto Networks Firewalls in CloudStack
@cloudops_ www.cloudops.com
April 10, 2014


Introductions

• Syed Ahmed – Developer @ CloudOps
• CloudOps builds and operates clouds of all shapes and sizes
• Develops cloud infrastructure solutions and operational models
• 24x7x365 managed service for CloudStack based cloud infrastructures
• Customers are global
• Based in Montreal, Canada


To be covered…

• Palo Alto Networks firewall appliance integration

– Feature overview
– Challenges and decisions


Motivations for Palo Alto integration

CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS.

A great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.


More reasons why

• Customer driven - Palo Alto is an increasingly popular enterprise security product

• Many enterprises require greater visibility and advanced policies (e.g. content filtering, heuristics, intrusion detection)

• Use cases: Enterprise private clouds, PCI compliance, service providers to enterprise


Resulting network services

• CloudStack Virtual Router
– DHCP
– DNS

• Palo Alto Service Provider
– Source NAT
– Firewall Rules (Ingress & Egress)
– Static NAT
– Port Forwarding


Overview of the implementation


Pre-configure the Palo Alto device

• Set up a Virtual Router on the Palo Alto to handle the routing of the Public traffic

• Set up a Static Route for the next hop


Pre-configure the Palo Alto device

• Set up the Public and Private interfaces on the PA

• Pre-configure the Public interface according to the Public IP range in CS


Add the PA as a service provider

• Add the PA device as a guest network service provider

• Enable the provider


Create a Network Offering

• Expose the PA through a network offering

• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services

• Enable the new offering


Use the Palo Alto

• Add a network using the service offering
• Launch a VM on the new network


What actually happened

• A Source NAT IP is allocated on ‘ae1’
• A guest network has been set up on ‘ae2’

• A Source NAT rule now connects the guest network to the public IP

• A policy isolates the guest network


Egress firewall rules


Ingress firewall rules


Static NAT rules


Port Forwarding rules


Support for Palo Alto profiles

• Added support for Palo Alto Networks ‘Security Profile Groups’ and ‘Log Forwarding Profiles’

• Globally configured at the device level (for now) and are associated with every ‘allow’ firewall rule

• Enables basic support for IDS/IPS/Network AV threats, WildFire (Anti-Malware), Data Protection, URL Filtering


PA VM Appliance Support

• Special considerations to support the Palo Alto virtual appliance

• Simplify the implementation to the lowest common denominator

• Using sub-interfaces instead of ‘vsys’ for configuration isolation

• Ensuring support for the Palo Alto VM appliance enables support for Palo Alto running on the NetScaler SDX (currently in beta)


Known limitations

• Requires some initial configuration; it is not entirely plug-and-play (yet)

• Currently only supports a single Public IP range

• Public IP usage tracking is currently not handled

• Fine grain control of ICMP is currently not handled

• Not validating SSL certificates when ACS communicates with the Palo Alto device
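As an added illustration of the "What actually happened" slide (guest sub-interface on ae2, Source NAT towards the public IP on ae1, isolation policy) and of the last known limitation above, here is example code that builds PAN-OS XML API `set` requests for those three objects and sends them with certificate validation turned on. This is not the CloudStack plugin's code: the zone names `private`/`public`, the VLAN, the addresses and the `vsys1`/`localhost.localdomain` xpath roots are assumptions.

```python
"""Build PAN-OS XML API 'set' requests for the three objects the deck describes.
Added example, not the CloudStack Palo Alto plugin; zones, VLAN, IPs and xpath roots are assumed."""
import ssl
import urllib.parse
import urllib.request

BASE = "/config/devices/entry[@name='localhost.localdomain']"  # assumed PAN-OS device root
VSYS = BASE + "/vsys/entry[@name='vsys1']"  # single vsys; isolation is done with sub-interfaces

def _members(*names):
    return "".join(f"<member>{n}</member>" for n in names)

def guest_subinterface(vlan, gateway_cidr):
    """Layer-3 sub-interface ae2.<vlan>; the tag is the guest network's VLAN."""
    xpath = (f"{BASE}/network/interface/aggregate-ethernet/entry[@name='ae2']"
             f"/layer3/units/entry[@name='ae2.{vlan}']")
    return xpath, f"<tag>{vlan}</tag><ip><entry name='{gateway_cidr}'/></ip>"

def source_nat_rule(vlan, guest_cidr, public_ip):
    """Dynamic IP-and-port SNAT from the guest subnet to the public IP allocated on ae1."""
    xpath = f"{VSYS}/rulebase/nat/rules/entry[@name='snat-{vlan}']"
    element = (f"<from>{_members('private')}</from><to>{_members('public')}</to>"
               f"<source>{_members(guest_cidr)}</source><destination>{_members('any')}</destination>"
               "<service>any</service><to-interface>ae1</to-interface>"
               "<source-translation><dynamic-ip-and-port><translated-address>"
               f"{_members(public_ip)}</translated-address></dynamic-ip-and-port></source-translation>")
    return xpath, element

def isolation_policy(vlan, guest_cidr):
    """Deny-all rule for the guest subnet; CloudStack's 'allow' rules are placed above it."""
    xpath = f"{VSYS}/rulebase/security/rules/entry[@name='isolate-{vlan}']"
    element = (f"<from>{_members('private')}</from><to>{_members('any')}</to>"
               f"<source>{_members(guest_cidr)}</source><destination>{_members('any')}</destination>"
               f"<application>{_members('any')}</application><service>{_members('any')}</service>"
               "<action>deny</action>")
    return xpath, element

def build_set_url(host, api_key, xpath, element):
    query = urllib.parse.urlencode({"type": "config", "action": "set", "key": api_key,
                                    "xpath": xpath, "element": element})
    return f"https://{host}/api/?{query}"

def send(url, ca_bundle):
    """Unlike the deck's known limitation, verify the firewall certificate against a pinned CA bundle."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # chain and hostname checks stay enabled
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode()
```

A commit (`type=commit`) is still needed after the `set` calls before the firewall applies the objects.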