Configuring Palo Alto Networks firewalls
The following topics provide information about Pod and Container Management (PCM) changes and requirements to manage the Palo Alto firewalls by using BMC Network Automation as part of a BMC Cloud Lifecycle Management implementation:
Dedicated mode
The Palo Alto PA-4050 firewall is a physical appliance with multiple interfaces. It is a zone-based firewall: traffic is filtered according to policies defined between zones. (See "Zone-based firewalls" in the BMC Network Automation documentation.) Security service providers and enterprises can deploy a single high-availability pair of firewalls and enable a series of virtual firewall instances (virtual systems) on it. Each virtual system has a separate management instance and behaves like a separate device. Depending on the hardware model, the administrator can create multiple virtual systems; the PA-4050 supports 25 virtual systems with the base license and a maximum of 125 virtual systems with additional licenses. In BMC Cloud Lifecycle Management, you must create a dedicated virtual system for each virtual firewall (VFW) in a container.
Creating the pod blueprint and the pod in the dedicated mode
- In the pod blueprint, define an address pool blueprint for the Management network and, optionally, address range blueprints for the Customer network, Outside network, and so on.
- (Optional) Define VLAN pool blueprints for the Customer network and a VLAN blueprint for the Management VLAN, depending on your requirements.
- Define one Integer pool blueprint for creating virtual systems.
  Note
  The values in this pool must be between 2 and 255, because 1 is reserved for the default virtual system (vsys1). The integer is used as the virtual system ID.
  The following code block shows a snippet of the <integerPoolBlueprints> tag:
- In the node blueprints, define a node for the Palo Alto firewall host device.
- Define one or more Param blueprints to receive input for the trunk interface name or ID of the Customer network interface or Outside network interface. You can configure a physical interface with sub-interfaces.
  Note
  In the sample Palo Alto content, SamplePodBlueprintPaloAlto.xml, specify only the ID as the input value for the trunk interface, for example, 1/3, rather than the full interface name such as ethernet1/3.
  The following code block shows a snippet of the <nodeBlueprint> tag:
Creating the container blueprint and container in the dedicated mode
- In the container blueprint, define an address pool blueprint for the Customer networks. The address pool blueprint can take its pool value from the pod range or address space blueprint.
- (Optional) Include an external network blueprint to define an Outside or Multiprotocol Label Switching (MPLS) network.
- In the node blueprints, define a node for the Palo Alto firewall host device.
- Define the configureActionInfoBlueprint and unconfigureActionInfoBlueprint actions in this node to create and destroy the virtual system, respectively.
- Define virtualGuestBlueprint under containerFirewallHostBlueprint to encapsulate the VFW.
  The virtualGuestBlueprint has configureActionInfoBlueprints of type mergeActionInfoBlueprint that initialize the VFW. Initialization creates sub-interfaces for the Customer networks, assigns the sub-interfaces to the virtual system, creates a virtual router, attaches the sub-interfaces to the router, and creates zones. The zones are then associated with the sub-interfaces of the respective networks.
  Note
  Do not assign a separate Management IP address to a dedicated virtual system. BMC Network Automation logs on to the host firewall and then switches its configuration mode to the virtual system.
- Set the <useHostAddressForGuest> tag to true.
- Specify the guest device name of the virtual system as vsys${container.integers[vsysId]}.
  The integer resolved for vsysId must be between 2 and 255. Palo Alto always references a virtual system by its vsys ID; the virtual system name is used only for display, and the vsys ID is always used for configuration.
- Map the Managed Interface blueprint directly to the firewall zone.
  The sub-interfaces of the various networks are attached to their respective zones. The zone for each Managed Interface blueprint is created in the Initialize template with the following name format:
  <Managed Interface Blueprint Name>-zone
  In Managed Interfaces, always set Enable Path Updates to NO for the Outbound ACL, because the device supports a single access control list (ACL) only.
  Note
  The maximum length of a zone name is 15 characters. Therefore, the name of the Managed Interface blueprint must not exceed 10 characters.
The following code snippet shows the sample node for the Palo Alto firewall host:
Note
File transfer mode in Palo Alto VFW guest and host device
A Palo Alto firewall device that is added with a user-defined security context supports the Tunneled file transfer mode only. The value of this user-defined security context is the vsys ID. When a user-defined security context is set, the BMC Network Automation device adapter first logs on to the host device and then switches to vsys mode with the defined vsys ID. Snapshot and Deploy to Active span actions with FTP/TFTP are not possible for a specific vsys ID. You can add the pod host device with the security context set to "None" and any file transfer mode, but a VFW guest device that you add in BMC Network Automation with a user-defined security context must always have the file transfer mode set to Tunneled. In the device adapter for Palo Alto, <requiresTunnelingForUserContexts> is set to true to specify the Tunneled transfer mode for the VFW guest device.
Sample templates
This section lists the sample templates shipped with the product:
Create Virtual System
set vsys vsys${container.integers[vsysId]} display-name ${container.node.guestDevice.name}
# Creates a virtual system

Destroy Virtual System
delete vsys vsys${container.integers[vsysId]}
# Deletes a virtual system

Initialize VFW
exit
# Exits from the vsys mode to configure the sub-interfaces in the host firewall first
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3
# Sets the trunk physical interface to layer 3
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} tag ${container.vlans[OUTSIDE]} ip ${container.nodes[VFW].addresses[OUTSIDE]}/${container.nodes[VFW].addresses[OUTSIDE].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} tag ${container.vlans[Service 1]} ip ${container.nodes[VFW].addresses[Firewall-Customer-1-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-1-IP].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]} tag ${container.vlans[Service 2]} ip ${container.nodes[VFW].addresses[Firewall-Customer-2-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-2-IP].subnetMask.CIDR}
# Creates a tagged sub-interface for each network
edit vsys vsys${container.integers[vsysId]}
# Enters the vsys mode
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
# Imports the created sub-interfaces into the virtual system
set network virtual-router VR${container.id} interface [ ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]} ]
# Creates the virtual router and attaches all sub-interfaces to it
set zone ${container.nodes[VFW].managedInterfaces[Service-1].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set zone ${container.nodes[VFW].managedInterfaces[Service-2].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
set zone ${container.nodes[VFW].managedInterfaces[Outside].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
# Creates a zone for each network and attaches the respective sub-interface to it

Uninitialize VFW
delete zone ${container.nodes[VFW].managedInterfaces[Service-1].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
delete zone ${container.nodes[VFW].managedInterfaces[Service-2].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
delete zone ${container.nodes[VFW].managedInterfaces[Outside].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
# Deletes the zones from the vsys
delete import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
delete import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
delete import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
# Removes the sub-interfaces from the vsys
delete network virtual-router VR${container.id}
# Deletes the virtual router
delete network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
delete network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
delete network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
# Deletes the sub-interfaces from the host firewall

Configure StaticNat
set rulebase nat rules natrule${runtime.privateAddress} service any from ${runtime.insideInterfaceName}-zone to ${runtime.outsideInterfaceName}-zone source ${runtime.privateAddress}/32 destination any source-translation static-ip bi-directional yes translated-address ${runtime.publicAddress}/32
# Adds a static source NAT rule with bi-directional set to yes

Unconfigure Static Nat
delete rulebase nat rules natrule${runtime.privateAddress}
# Removes the NAT rule
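The templates above are only as good as the values substituted into them, and two of the limits stated on this page (zone names of at most 15 characters, vsys IDs between 2 and 255) are only visible once the ${...} tokens have been resolved. The following script is an added example, not BMC code and not the product's own template engine: it resolves the page's substitution syntax against a constructed pod/container context, renders a copy of the Initialize VFW template trimmed to the Outside and Service 1 networks, and checks the rendered PAN-OS commands against those limits before anything is pushed to a device. The Address class, sample_context values and the render/preflight helpers are assumptions made for the example.

```python
"""Render a BMC Network Automation style template and preflight the result.

Added example for this page; it is not BMC code and not the product's own
renderer. The substitution syntax ${scope.path[Key].attr} is copied from the
Initialize VFW template above (trimmed here to the Outside and Service 1
networks); the pod and container values are constructed sample data.
"""
import re

TOKEN = re.compile(r"\$\{([^}]*)\}")
# One path segment: a name, optionally followed by a [bracketed key].
SEGMENT = re.compile(r"([^.\[\]]+)(?:\[([^\]]+)\])?")

# Trimmed copy of the page's Initialize VFW template, one command per line.
INITIALIZE_VFW = """\
exit
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} tag ${container.vlans[OUTSIDE]} ip ${container.nodes[VFW].addresses[OUTSIDE]}/${container.nodes[VFW].addresses[OUTSIDE].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} tag ${container.vlans[Service 1]} ip ${container.nodes[VFW].addresses[Firewall-Customer-1-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-1-IP].subnetMask.CIDR}
edit vsys vsys${container.integers[vsysId]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set network virtual-router VR${container.id} interface [ ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} ]
set zone ${container.nodes[VFW].managedInterfaces[Service-1].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set zone ${container.nodes[VFW].managedInterfaces[Outside].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
"""


class Address:
    """Constructed stand-in for an address object: str() yields the IP and
    .subnetMask.CIDR yields the prefix length, which is how the template uses it."""

    def __init__(self, ip, prefix):
        self.ip = ip
        self.subnetMask = {"CIDR": prefix}

    def __str__(self):
        return self.ip


def sample_context(vsys_id=12, service1_name="Service-1"):
    """Constructed pod/container values; the parameters let a caller feed bad input."""
    return {
        "pod": {"nodes": {"PaloAlto Firewall Host": {"params": {"TrunkPort": "1/3"}}}},
        "container": {
            "id": 7,
            "integers": {"vsysId": vsys_id},
            "vlans": {"OUTSIDE": 100, "Service 1": 101},
            "nodes": {"VFW": {
                "addresses": {
                    "OUTSIDE": Address("203.0.113.1", 29),
                    "Firewall-Customer-1-IP": Address("10.10.1.1", 24),
                },
                "managedInterfaces": {
                    "Outside": {"sanitizedName": "Outside"},
                    "Service-1": {"sanitizedName": service1_name},
                },
            }},
        },
    }


def _step(value, name):
    # Dicts are indexed by name; objects (Address) are read by attribute.
    return value[name] if isinstance(value, dict) else getattr(value, name)


def resolve(path, context):
    """Walk a path such as 'container.nodes[VFW].addresses[OUTSIDE].subnetMask.CIDR'."""
    value = context
    for name, key in SEGMENT.findall(path):
        value = _step(value, name)
        if key:
            value = value[key]
    return str(value)


def render(template, context):
    """Substitute every ${...} token; an unknown path raises KeyError/AttributeError."""
    return TOKEN.sub(lambda m: resolve(m.group(1), context), template)


ZONE_CMD = re.compile(r"^set zone (\S+) ", re.M)
VSYS_CMD = re.compile(r"^edit vsys vsys(\d+)$", re.M)


def preflight(rendered):
    """Check rendered commands against the limits stated on this page:
    zone names at most 15 characters, vsys IDs in 2..255 (vsys1 is the default)."""
    problems = []
    for zone in ZONE_CMD.findall(rendered):
        if len(zone) > 15:
            problems.append(f"zone name {zone!r} is {len(zone)} chars, limit is 15")
    for vsys in VSYS_CMD.findall(rendered):
        if not 2 <= int(vsys) <= 255:
            problems.append(f"vsys ID {vsys} is outside 2..255")
    return problems


def render_and_check(context):
    """Return (rendered commands, list of problems) for one container context."""
    rendered = render(INITIALIZE_VFW, context)
    return rendered, preflight(rendered)


if __name__ == "__main__":
    text, issues = render_and_check(sample_context())
    print(text)
    print("preflight:", issues or "OK")
```

With the sample values, the Service-1 managed interface renders to the zone Service-1-zone (14 characters) and passes; a managed interface named CustomerNetwork1 would render to a 21-character zone name and be reported, as would a vsysId of 1, which collides with the default vsys.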
Shared mode
If licensing constraints prevent you from creating dedicated virtual systems, you can share the underlying firewall so that multiple containers exist on the same physical device.
Creating the pod blueprint and the pod in the shared mode
- In the PaloAlto Firewall Host node, add a pod-level host device.
  The host device is not used, but the design requires it. Add a pod-level guest device, which is configured during container creation and policy creation.
  Note
  The guest device name must not contain a space or a period; otherwise, container creation fails.
- When adding the devices to BMC Network Automation, set Security Context to Not a Security Context for both the host device and the guest device.
Creating the container blueprint and container in the shared mode
- In the container blueprint, set <guestDeviceName> to point to the pod firewall guest device:
  <guestDeviceName>${container.nodes[PaloAlto Firewall Host].podGuestDevice.name}</guestDeviceName>
- Set <useExistingGuestDeviceFlag> to true to use an existing guest. This setting ensures that the container uses the guest node from the pod and does not configure a new one.
  Note
  In containerFirewallHostBlueprint, do not define configureActionInfoBlueprints and unconfigureActionInfoBlueprints. You do, however, need these blueprints for virtualGuestBlueprint.
- For virtualGuestBlueprint, define configureActionInfoBlueprints and unconfigureActionInfoBlueprints to initialize and uninitialize the firewall.
- Under managedInterfaceBlueprint, set the following tags:
  <name>: Defines the logical name for the managedInterfaceBlueprint; for example, <name>Outside</name>.
  <nameWithinFirewall>: Defines the substitution parameter passed to the underlying firewall device to configure the interface or create a unique zone; for example, <nameWithinFirewall>Outside${container.integers[InterfaceId]}</nameWithinFirewall>.
  Warning
  The Palo Alto firewall does not allow a zone name longer than 15 characters. Ensure that the resolved value of <nameWithinFirewall> does not exceed 10 characters, because BMC Network Automation internally appends "-zone" to it.
- Under addressTranslatorBlueprint, set <insideInterfaceName> and <outsideInterfaceName> to the value of the <name> tag in the managedInterfaceBlueprint.
- Under integerBlueprint, acquire a unique integer by using <integerName>InterfaceId</integerName>, which in turn acquires an integer from the pod integerPoolBlueprint. The unique integer is required to create unique zones in the firewall for each container.
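The shared-mode constraints above (a guest device name without spaces or periods, <useExistingGuestDeviceFlag> set to true, and a <nameWithinFirewall> that stays within 10 characters once the InterfaceId integer is substituted) can all be checked before a container is ever created. The following script is an added example, not BMC code: it parses a constructed container blueprint fragment that uses the element names from this page, resolves the InterfaceId token with the largest value the integer pool can hand out, and reports every zone name that would exceed the 15-character limit. The enclosing XML structure, the pool range and the device names are assumptions made for the example, not the product schema.

```python
"""Preflight the shared-mode container blueprint settings described above.

Added example for this page; it is not BMC code. The element names are those
the page uses, but the enclosing XML structure, the pool range and the
device names are constructed assumptions, not the product schema.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: one managed interface that fits the limit, one that does not.
SHARED_BLUEPRINT = """\
<virtualGuestBlueprint>
  <guestDeviceName>${container.nodes[PaloAlto Firewall Host].podGuestDevice.name}</guestDeviceName>
  <useExistingGuestDeviceFlag>true</useExistingGuestDeviceFlag>
  <managedInterfaceBlueprints>
    <managedInterfaceBlueprint>
      <name>Outside</name>
      <nameWithinFirewall>Outside${container.integers[InterfaceId]}</nameWithinFirewall>
    </managedInterfaceBlueprint>
    <managedInterfaceBlueprint>
      <name>Customer</name>
      <nameWithinFirewall>Customer${container.integers[InterfaceId]}</nameWithinFirewall>
    </managedInterfaceBlueprint>
  </managedInterfaceBlueprints>
</virtualGuestBlueprint>
"""

INTERFACE_ID_TOKEN = "${container.integers[InterfaceId]}"
ZONE_SUFFIX = "-zone"      # appended internally by BMC Network Automation (per the page)
ZONE_NAME_LIMIT = 15       # Palo Alto zone name limit stated on the page
POOL_RANGE = (2, 255)      # constructed: range of the pod integerPoolBlueprint feeding InterfaceId


def guest_device_name_ok(name):
    """The page: a space or a period in the guest device name breaks container creation."""
    return bool(name) and " " not in name and "." not in name


def worst_case_zone_name(name_within_firewall, pool_max):
    """Resolve the InterfaceId token with the largest value the pool can assign and
    append the suffix, giving the longest zone name this blueprint can ever produce."""
    return name_within_firewall.replace(INTERFACE_ID_TOKEN, str(pool_max)) + ZONE_SUFFIX


def preflight_shared(blueprint_xml, pod_guest_device_name, pool_range=POOL_RANGE):
    """Return a list of problems; an empty list means the blueprint passes."""
    root = ET.fromstring(blueprint_xml)
    problems = []
    if not guest_device_name_ok(pod_guest_device_name):
        problems.append(
            f"guest device name {pod_guest_device_name!r} contains a space or a period")
    if root.findtext("useExistingGuestDeviceFlag") != "true":
        problems.append("useExistingGuestDeviceFlag must be true in shared mode")
    if "podGuestDevice.name" not in (root.findtext("guestDeviceName") or ""):
        problems.append("guestDeviceName does not point at the pod guest device")
    for mib in root.iter("managedInterfaceBlueprint"):
        zone = worst_case_zone_name(mib.findtext("nameWithinFirewall"), pool_range[1])
        if len(zone) > ZONE_NAME_LIMIT:
            problems.append(
                f"{mib.findtext('name')}: worst-case zone name {zone!r} is "
                f"{len(zone)} chars, limit is {ZONE_NAME_LIMIT}")
    return problems


if __name__ == "__main__":
    for problem in preflight_shared(SHARED_BLUEPRINT, "pa-pod-guest") or ["OK"]:
        print(problem)
```

With a three-digit pool, Outside${container.integers[InterfaceId]} resolves to at most Outside255 (10 characters) and its zone name lands exactly on the 15-character limit, while Customer${container.integers[InterfaceId]} resolves to 11 characters and is reported; checking the worst case of the pool rather than the integer one container happened to receive is what keeps the failure from appearing only on the container that draws a three-digit ID.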
Sample pod and container blueprints
You can find sample pod and container blueprints and related templates in the BCAN_HOME\public\bmc\bca-networks\csm\samples\sampleWithPaloAlto directory on the BMC Network Automation application server. For additional information about the sample pod and container blueprints for use with a Palo Alto firewall, see Pod model and Container model.