Page 1

www.paloaltonetworks.com www.cloudops.com

Palo Alto Networks firewall orchestration using CloudStack

June 25th, 2013

Brian Torres-Gil, Ian Rae

Page 2

Overview

• Intro to speakers

• Project objectives

• Approach

• Solution overview

• Demo (demo gods permitting)

• FAQ

• Next Steps

Page 3

Who?

Ian Rae, Founder and CEO, CloudOps

Brian Torres-Gil, Solutions Architect, Palo Alto Networks

Page 4

CloudOps Overview

• CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)

• Unique expertise with load balancing built over 14 years of experience

• Unique expertise with EUEM and APM from Coradiant background

• Develops best-in-class cloud architectures and operational models

• Customers in Canada, US and Europe

• Based in Montreal, Canada

Page 5

Palo Alto Networks at a glance

Corporate highlights

Founded in 2005; first customer shipment in 2007

Safely enabling applications

Able to address all network security needs

Exceptional ability to support global customers

Experienced technology and management team

1,000+ employees globally

Page 6

Palo Alto - Safe application enablement

Our fundamentally new approach:

• Identify, control, and safely enable all applications by user

• Inspect content for known and unknown threats in real time

• High throughput and performance

• Simplify infrastructure and reduce TCO

• Enable diverse deployment scenarios

Page 7

Why?

CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS.

Great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.

Page 8

More Why.

Some clouds have important security requirements not met by CS-VR

There is often a need for greater visibility and advanced security services (e.g. content filtering).

Typical examples: Enterprise private clouds, PCI compliance for online business, Enterprise-targeted service providers, often telecom providers.

Page 9

What? Project Objectives

• Support of CloudStack advanced network topology.

• Support of multiple Palo Alto Networks firewalls.

• Support of parallel deployment with hardware load-balancer (e.g. Netscaler).

• Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.

• Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
  – Firewall (Ingress & Egress)
  – Source NAT
  – Static NAT
  – Port forwarding

• Communication layer with Palo Alto APIs.

• Mapping of CloudStack APIs to corresponding Palo Alto APIs.

• Proper display of Palo Alto connectivity status in CloudStack UI.

• Functional/Integration testing on PA-3020 platform (version 5.0.0).

• Full documentation of the solution (architecture, design, APIs).

Page 10

How?

Page 11

Example external device NSP (network service provider)

Page 12

How, in a picture.

Solution overview

Note: VRs are not actually “inline”

Page 13

Pre-configure the Palo Alto device

• Set up the Public and Private interfaces on the PA.

• Pre-configure the Public interface according to the Public IP range in CS.

Page 14

Add the PA as a service provider

• Add the PA device as a guest network service provider.

• Enable the provider.

Page 15

Create a Network Offering

• Expose the PA through a network offering.

• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.

• Enable the new offering.

Page 16

Use the Palo Alto

• Add a network using the service offering.

• Launch a VM on the new network.

Page 17

Check what happened on the PA

• A Source NAT IP is allocated on ‘ae1’.

• A guest network has been set up on ‘ae2’.

• A Source NAT rule now connects the guest network to the public IP.

• A policy isolates the guest network.
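The steps on the last few slides (pre-configure interfaces, add the PA as a provider, create the offering, launch a VM) end with four things happening on the firewall. The following is an added example, not code from the slide deck or from the cloudops/cs_palo_alto plugin (which is written in Java): it models how a network service provider would turn "guest network implemented" into PAN-OS XML API configuration requests (sub-interface on ‘ae2’, Source NAT rule towards ‘ae1’, an egress allow rule, a deny rule that isolates the guest network, then a commit) and how it would read the firewall's reply so the connectivity status can be shown in the CloudStack UI. Everything runs offline: requests are built and inspected, not sent. The hostname, vsys1, zone names, sub-interface numbering and sample addresses are assumptions, and the xpath/element shapes follow the PAN-OS XML API configuration tree as far as I know it; check them against the firewall version you run.

```python
"""Added example (not part of the slides or of the cs_palo_alto plugin):
map CloudStack guest-network events onto PAN-OS XML API requests and
parse the firewall's reply. Offline only; nothing is sent."""
from urllib.parse import urlencode, parse_qs, urlparse
import xml.etree.ElementTree as ET

PA_HOST = "pa-3020.example.invalid"          # assumed management address
VSYS = ("/config/devices/entry[@name='localhost.localdomain']"
        "/vsys/entry[@name='vsys1']")          # assumed single-vsys device
PUBLIC_IF, PRIVATE_IF = "ae1", "ae2"          # interface names from the slide
PUBLIC_ZONE, GUEST_ZONE = "untrust", "trust"  # assumed zone names


def api_url(**params):
    """Build a PAN-OS XML API URL: /api/?type=...&xpath=...&element=...&key=..."""
    return f"https://{PA_HOST}/api/?" + urlencode(params)


def set_request(xpath, element, key):
    """type=config&action=set adds or merges a configuration node under xpath."""
    return api_url(type="config", action="set", xpath=xpath, element=element, key=key)


def guest_subinterface(vlan, gateway_cidr):
    """Layer-3 sub-interface on the private aggregate for one guest VLAN."""
    xpath = (f"/config/devices/entry[@name='localhost.localdomain']/network"
             f"/interface/aggregate-ethernet/entry[@name='{PRIVATE_IF}']"
             f"/layer3/units/entry[@name='{PRIVATE_IF}.{vlan}']")
    element = f"<tag>{vlan}</tag><ip><entry name='{gateway_cidr}'/></ip>"
    return xpath, element


def source_nat_rule(name, guest_cidr, public_ip):
    """Dynamic IP-and-port source NAT from the guest CIDR to the public IP on ae1."""
    xpath = f"{VSYS}/rulebase/nat/rules/entry[@name='{name}']"
    element = (f"<from><member>{GUEST_ZONE}</member></from>"
               f"<to><member>{PUBLIC_ZONE}</member></to>"
               f"<source><member>{guest_cidr}</member></source>"
               "<destination><member>any</member></destination>"
               "<service>any</service>"
               "<source-translation><dynamic-ip-and-port><interface-address>"
               f"<interface>{PUBLIC_IF}</interface><ip>{public_ip}</ip>"
               "</interface-address></dynamic-ip-and-port></source-translation>")
    return xpath, element


def security_rule(name, from_zone, to_zone, src, dst, action):
    """Security policy entry; a guest->guest 'deny' is what isolates tenants."""
    xpath = f"{VSYS}/rulebase/security/rules/entry[@name='{name}']"
    element = (f"<from><member>{from_zone}</member></from>"
               f"<to><member>{to_zone}</member></to>"
               f"<source><member>{src}</member></source>"
               f"<destination><member>{dst}</member></destination>"
               "<application><member>any</member></application>"
               "<service><member>any</member></service>"
               f"<action>{action}</action>")
    return xpath, element


def implement_network(network_id, vlan, gateway_cidr, guest_cidr, public_ip, key):
    """Ordered requests a provider would push when a guest network is implemented
    on the PA-backed offering. The commit must come last, after all set calls."""
    return [
        set_request(*guest_subinterface(vlan, gateway_cidr), key),
        set_request(*source_nat_rule(f"{network_id}-snat", guest_cidr, public_ip), key),
        set_request(*security_rule(f"{network_id}-egress", GUEST_ZONE, PUBLIC_ZONE,
                                   guest_cidr, "any", "allow"), key),
        set_request(*security_rule(f"{network_id}-isolate", GUEST_ZONE, GUEST_ZONE,
                                   guest_cidr, "any", "deny"), key),
        api_url(type="commit", cmd="<commit></commit>", key=key),
    ]


def request_params(url):
    """Decode a built URL back into its query parameters (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def parse_response(xml_text):
    """Return (ok, message) from a PAN-OS XML API reply. Anything other than
    status='success' is a failure; the message is what the CS UI should show."""
    root = ET.fromstring(xml_text)
    ok = root.get("status") == "success"
    msg = root.findtext(".//msg") or root.findtext(".//line") or ""
    return ok, (msg if ok else msg or "unknown error")


# Constructed sample replies, in the shape PAN-OS returns them.
SUCCESS_REPLY = "<response status='success'><result>ok</result></response>"
ERROR_REPLY = ("<response status='error' code='403'><result>"
               "<msg>Invalid credentials.</msg></result></response>")

if __name__ == "__main__":
    for url in implement_network("net-42", 100, "10.1.42.1/24", "10.1.42.0/24",
                                 "203.0.113.10", "API-KEY-PLACEHOLDER"):
        p = request_params(url)
        print(p["type"], p.get("xpath", "(commit)"))
    print(parse_response(SUCCESS_REPLY), parse_response(ERROR_REPLY))
```

The API key is passed as a query parameter because that is how the PAN-OS XML API takes it; in a real provider it belongs in the encrypted CloudStack provider record rather than in logs, which is why `request_params` is only used for inspection here. Treating every non-`success` status (including a missing one) as a failure is what lets the "connectivity status" objective be met honestly: a commit that returns an error must surface in the UI rather than be silently ignored.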

Page 18

Egress firewall rules

Page 19

Static NAT rules

Page 20

Port Forwarding rules

Page 21

Ingress firewall rules

Page 22

FAQ

Q: Is it open source?
A: Yes - will be contributed to CloudStack.

Q: What is it based on?
A: Current dev is based on 4.2 Master branch circa a few weeks ago.

Q: Which release of CS will it be included in?
A: Depending on the next steps and funding, probably 4.3.

Q: What’s planned next?
A: Glad you asked.

Page 23

More Information

Documentation is here: https://cwiki.apache.org/CLOUDSTACK/palo-alto-firewall-integration.html

Code is here: https://github.com/cloudops/cs_palo_alto/tree/palo_alto

Contact: @ianrae and @CloudOps_