Configuring Palo Alto Networks firewalls

The following topics provide information about Pod and Container Management (PCM) changes and requirements to manage the Palo Alto firewalls by using BMC Network Automation as part of a BMC Cloud Lifecycle Management implementation:

Dedicated mode

The Palo Alto PA-4050 firewall is a physical box with interfaces. It is a zone-based firewall with traffic filtering based on zone-based policies. (See "Zone-based firewalls" in the BMC Network Automation documentation.) Security service providers and enterprises can deploy a single pair of firewalls (high availability) and enable a series of virtual firewall instances (virtual systems). Each virtual system has a separate management instance and behaves like a separate device. Depending on the hardware model, the administrator can create multiple virtual systems. PA-4050 supports 25 virtual systems with the base license and a maximum of 125 virtual systems with additional licenses. In BMC Cloud Lifecycle Management, you must create a dedicated virtual system for each virtual firewall (VFW) in a container.

Creating the pod blueprint and the pod in the dedicated mode

  1. In the pod blueprint, define an address pool blueprint for the Management network and, optionally, address range blueprints for the Customer network, Outside network, and so on.
  2. (Optional) Define VLAN pool blueprints for the Customer network and a VLAN blueprint for the Management VLAN, as required.
  3. Define one Integer pool blueprint for creating virtual systems.

    Note

    The value of this pool must be between 2 and 255 because 1 is reserved for the default virtual system (vsys1). This integer value is used as the virtual system ID.


    The following code block shows a snippet of the <integerPoolBlueprints> tag:

    <integerPoolBlueprints>
      <integerPoolBlueprint>
        <defaultEndNum>255</defaultEndNum>
        <name>Virtual System ID</name>
        <defaultStartNum>1</defaultStartNum>
      </integerPoolBlueprint>
    </integerPoolBlueprints>
  4. In the node blueprints, define a node for the Palo Alto firewall host device.
  5. Define one or more Param blueprints to receive input for the trunk interface name or ID for the Customer network interface or Outside network interface.

    You can configure a physical interface with sub-interfaces.

    Note

     In the sample Palo Alto content, SamplePodBlueprintPaloAlto.xml, specify only the interface ID as the input value for the trunk interface, for example, 1/3, not the full name with the ethernet prefix; the sample templates prepend ethernet to the ID themselves.


    The following code block shows a snippet of the <nodeBlueprint> tag:

    <nodeBlueprint xsi:type="podFirewallHostBlueprint" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <balancedParamBlueprints/>
      <category>4</category>
      <defaultShareableFlag>true</defaultShareableFlag>
      <name>PaloAlto Firewall Host</name>
      <optionalFlag>true</optionalFlag>
      <paramBlueprints>
        <paramBlueprint>
          <description>Trunk Interface</description>
          <name>TrunkPort</name>
          <type>String</type>
        </paramBlueprint>
      </paramBlueprints>
      <role>PaloAlto Firewall Host</role>
    </nodeBlueprint>


Creating the container blueprint and container in the dedicated mode

  1. In the container blueprint, define an address pool blueprint for the Customer networks. The address pool blueprint can take its pool value from the pod range or from the address space blueprint.
  2. (Optional) Include an external network blueprint to define an Outside or Multiprotocol Label Switching (MPLS) network.
  3. In the node blueprints, define a node for the Palo Alto firewall host device.
    1. Define the configureActionInfoBlueprint and unconfigureActionInfoBlueprint actions in this node to create and destroy the virtual system respectively.
    2. Define virtualGuestBlueprint under containerFirewallHostBlueprint to encapsulate the VFW.

      The virtualGuestBlueprint has configureActionInfoBlueprints of type mergeActionInfoBlueprint defined to initialize the VFW. The initialization includes creating sub-interfaces for the Customer networks, assigning the sub-interfaces to the virtual system, creating a virtual router, attaching the created sub-interfaces to the router, and creating zones. The zones are then associated with the sub-interfaces of the respective networks.

      Note

      Do not assign a separate Management IP address to a dedicated virtual system. BMC Network Automation logs on to the host firewall and then changes its configuration mode to the virtual system.
    3. Set the <useHostAddressForGuest> tag to true.
    4. Specify the guest device name of the virtual system as vsys${container.integers[vsysId]}.

      The vsys value must be an integer between 2 and 255. In Palo Alto, the virtual system is always referenced by its vsys ID; the virtual system name is used only for display, and the vsys ID is always used for configuration.
    5. Map the Managed Interface blueprint directly to the firewall zone.

      The sub-interfaces of the various networks are attached to their respective zones. The zone for each Managed Interface blueprint is created in the Initialize template with the following format:
      <Managed Interface Blueprint Name>-zone
    6. In Managed Interfaces, always set Enable Path Updates to NO for the Outbound ACL because the device supports only a single access control list (ACL).


      Note

      The maximum character limit for the zone name is 15. Because -zone is appended to the Managed Interface blueprint name, the name of the Managed Interface blueprint must not exceed 10 characters.


      The following code snippet shows the sample node for the Palo Alto firewall host:

      <nodeBlueprint xsi:type="containerFirewallHostBlueprint" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <addressBlueprints/>
                  <category>4</category>
                  <configureActionInfoBlueprints>
                      <configureActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                      <condition>-EXISTS- container.nodes['VFW']</condition>
                      <requiresTunneling>true</requiresTunneling>
                      <name>Create Palo Alto Virtual System</name>
                          <templateGroups>
                              <item>Create Palo Alto Virtual System</item>
                          </templateGroups>
                      </configureActionInfoBlueprint>
                  </configureActionInfoBlueprints>
                  <dummyHostFlag>false</dummyHostFlag>
                  <name>PaloAlto Firewall Host</name>
                  <numVrfs>0</numVrfs>
                  <role>PaloAlto Firewall Host</role>
                  <unconfigureActionInfoBlueprints>
                      <unconfigureActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                      <requiresTunneling>true</requiresTunneling>
                      <name>Create Palo Alto Virtual System</name>
                          <templateGroups>
                              <item>Destroy Virtual System</item>
                          </templateGroups>
                      </unconfigureActionInfoBlueprint>
                  </unconfigureActionInfoBlueprints>
                  <virtualGuestBlueprint xsi:type="containerVfwBlueprint">
                      <configureActionInfoBlueprints>
                          <configureActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                          <requiresTunneling>true</requiresTunneling>
                          <name>Sample Palo Alto Initialize VFW</name>
                              <templateGroups>
                                  <item>Sample Palo Alto Initialize VFW</item>
                              </templateGroups>
                          </configureActionInfoBlueprint>
                      </configureActionInfoBlueprints>
                      <guestAddressBlueprints>
                          <guestAddressBlueprint xsi:type="addressBlueprint" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                              <addressName>OUTSIDE</addressName>
                              <gatewayFlag>true</gatewayFlag>
                              <addressPoolName>OUTSIDE</addressPoolName>
                          </guestAddressBlueprint>
                          <guestAddressBlueprint xsi:type="addressBlueprint" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                              <addressName>Firewall-Customer-1-IP</addressName>
                              <gatewayFlag>true</gatewayFlag>
                              <addressPoolName>Service 1</addressPoolName>
                          </guestAddressBlueprint>
                          <guestAddressBlueprint xsi:type="addressBlueprint" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                              <addressName>Firewall-Customer-2-IP</addressName>
                              <gatewayFlag>true</gatewayFlag>
                              <addressPoolName>Service 2</addressPoolName>
                          </guestAddressBlueprint>
                      </guestAddressBlueprints>
                      <useHostAddressForGuest>true</useHostAddressForGuest>
                      <guestDeviceName>vsys${container.integers[vsysId]}</guestDeviceName>
                      <useExistingGuestDeviceFlag>false</useExistingGuestDeviceFlag>
                      <guestNodeName>VFW</guestNodeName>
                      <defaultEnabledFlag>true</defaultEnabledFlag>
                      <independentFlag>true</independentFlag>
                      <natTypeBlueprint>
                          <addressTranslatorBlueprints>
                              <addressTranslatorBlueprint>
                                  <addressPoolNames>
                                      <addressPoolName>Service 1</addressPoolName>
                                  </addressPoolNames>
                                  <insideInterfaceName>Service-1</insideInterfaceName>
                                  <outsideInterfaceName>Outside</outsideInterfaceName>
                              </addressTranslatorBlueprint>
                              <addressTranslatorBlueprint>
                                  <addressPoolNames>
                                      <addressPoolName>Service 2</addressPoolName>
                                  </addressPoolNames>
                                  <insideInterfaceName>Service-2</insideInterfaceName>
                                  <outsideInterfaceName>Outside</outsideInterfaceName>
                              </addressTranslatorBlueprint>
                          </addressTranslatorBlueprints>
                          <createNatActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                              <requiresTunneling>true</requiresTunneling>
                              <name>Sample Palo Alto Configure Static Nat</name>
                              <templateGroups>
                                  <item>Sample Palo Alto Configure Static Nat</item>
                              </templateGroups>
                          </createNatActionInfoBlueprint>
                          <removeNatActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                              <requiresTunneling>true</requiresTunneling>
                              <name>Sample Palo Alto Unconfigure Static Nat</name>
                              <templateGroups>
                                  <item>Sample Palo Alto Unconfigure Static Nat</item>
                              </templateGroups>
                          </removeNatActionInfoBlueprint>
                      </natTypeBlueprint>
                      <sharesVirtualDevice>false</sharesVirtualDevice>
                      <unconfigureActionInfoBlueprints>
                          <unconfigureActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                          <requiresTunneling>true</requiresTunneling>
                          <name>Sample Palo Alto Initialize VFW</name>
                              <templateGroups>
                                  <item>Sample Palo Alto Uninitialize VFW</item>
                              </templateGroups>
                          </unconfigureActionInfoBlueprint>
                      </unconfigureActionInfoBlueprints>
                      <managedInterfaceBlueprints>
                          <managedInterfaceBlueprint>
                              <bridgeInterfaceNames/>
                              <inboundAclBlueprint>
                                  <enablePathUpdates>true</enablePathUpdates>
                                  <name>Service-1-IN</name>
                              </inboundAclBlueprint>
                              <name>Service-1</name>
                              <outboundAclBlueprint>
                                  <enablePathUpdates>false</enablePathUpdates>
                                  <name>Service-1-OUT</name>
                              </outboundAclBlueprint>
                              <servicedSegmentNames>
                                  <servicedSegmentName>Service 1</servicedSegmentName>
                              </servicedSegmentNames>
                          </managedInterfaceBlueprint>
                          <managedInterfaceBlueprint>
                              <bridgeInterfaceNames/>
                              <inboundAclBlueprint>
                                  <enablePathUpdates>true</enablePathUpdates>
                                  <name>Service-2-IN</name>
                              </inboundAclBlueprint>
                              <name>Service-2</name>
                              <outboundAclBlueprint>
                                  <enablePathUpdates>false</enablePathUpdates>
                                  <name>Service-2-OUT</name>
                              </outboundAclBlueprint>
                              <servicedSegmentNames>
                                  <servicedSegmentName>Service 2</servicedSegmentName>
                              </servicedSegmentNames>
                          </managedInterfaceBlueprint>
                          <managedInterfaceBlueprint>
                              <bridgeInterfaceNames/>
                              <inboundAclBlueprint>
                                  <enablePathUpdates>true</enablePathUpdates>
                                  <name>OUTSIDE-IN</name>
                              </inboundAclBlueprint>
                              <name>Outside</name>
                              <outboundAclBlueprint>
                                  <enablePathUpdates>false</enablePathUpdates>
                                  <name>OUTSIDE-OUT</name>
                              </outboundAclBlueprint>
                              <servicedSegmentNames>
                                  <servicedSegmentName>OUTSIDE</servicedSegmentName>
                              </servicedSegmentNames>
                          </managedInterfaceBlueprint>
                      </managedInterfaceBlueprints>
                  </virtualGuestBlueprint>
              </nodeBlueprint>
          </nodeBlueprints>

Note

When adding a rule with TCP/UDP as the transport protocol, you must specify the destination port/range.


File transfer mode in Palo Alto VFW guest and host device

A Palo Alto firewall device that is added with a user-defined security context supports the Tunneled file transfer mode only. The value of this user-defined security context is the vsys ID. When a user-defined security context is set, the BMC Network Automation device adapter first logs on to the host device and then switches to vsys mode with the defined vsys ID. Snapshot and Deploy to Active span actions that use FTP/TFTP are not possible for a specific vsys ID. You can add the pod host device with the security context set to "None" and any file transfer mode, but the VFW guest device that you add in BMC Network Automation with a user-defined security context must always use the Tunneled file transfer mode. In the Palo Alto device adapter, <requiresTunnelingForUserContexts> is set to true to force the Tunneled transfer mode for the VFW guest device.


Sample templates

This section lists the sample templates shipped with the product:

Create Virtual System

set vsys vsys${container.integers[vsysId]} display-name ${container.node.guestDevice.name}
# Creates a virtual system

Destroy Virtual System

delete vsys vsys${container.integers[vsysId]}
# Deletes a virtual system

Initialize VFW

exit
# Exits from the vsys mode to configure the sub-interfaces in the host firewall first

set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3
# Sets the trunk physical interface to layer 3

set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} tag ${container.vlans[OUTSIDE]} ip ${container.nodes[VFW].addresses[OUTSIDE]}/${container.nodes[VFW].addresses[OUTSIDE].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} tag ${container.vlans[Service 1]} ip ${container.nodes[VFW].addresses[Firewall-Customer-1-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-1-IP].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]} tag ${container.vlans[Service 2]} ip ${container.nodes[VFW].addresses[Firewall-Customer-2-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-2-IP].subnetMask.CIDR}
# Creates one tagged sub-interface per network on the trunk interface

edit vsys vsys${container.integers[vsysId]}
# Enters the vsys mode

set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
# Imports the created sub-interfaces into the virtual system

set network virtual-router VR${container.id} interface [ ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]} ]
# Creates the virtual router and associates all sub-interfaces to it

set zone ${container.nodes[VFW].managedInterfaces[Service-1].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set zone ${container.nodes[VFW].managedInterfaces[Service-2].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
set zone ${container.nodes[VFW].managedInterfaces[Outside].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
# Creates a zone for each Managed Interface and attaches the respective sub-interface to it

Uninitialize VFW

delete zone ${container.nodes[VFW].managedInterfaces[Service-1].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
delete zone ${container.nodes[VFW].managedInterfaces[Service-2].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
delete zone ${container.nodes[VFW].managedInterfaces[Outside].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
# Deletes the zones from the vsys

delete import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
delete import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
delete import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
# Removes the imported sub-interfaces from the vsys

delete network virtual-router VR${container.id}
# Deletes the virtual router from the host firewall

delete network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
delete network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
delete network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
# Deletes the sub-interfaces from the host firewall

Configure Static Nat

set rulebase nat rules natrule${runtime.privateAddress} service any from ${runtime.insideInterfaceName}-zone to ${runtime.outsideInterfaceName}-zone source ${runtime.privateAddress}/32 destination any source-translation static-ip bi-directional yes translated-address ${runtime.publicAddress}/32
# Adds a NAT rule with the source NAT bidirectional set to true

Unconfigure Static Nat

delete rulebase nat rules natrule${runtime.privateAddress}
# Removes a NAT rule
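To see how the ${...} references in these templates resolve for one container, the following Python script expands the Initialize VFW template against a constructed pod/container context, reports any reference the context cannot satisfy, and checks that no generated zone name exceeds the 15-character limit. It is an added example, not BMC Network Automation's own substitution engine: the lookup rules (dotted names, bracketed keys that may contain spaces, a bare address resolving to its IP and .subnetMask.CIDR to its prefix length) are inferred from the templates on this page, and every value in CONTEXT is constructed for the example.

```python
"""Render the page's Initialize VFW template for one container and check the result.
Added example, not BMC Network Automation code: the ${...} resolver is a re-implementation
of the substitution syntax as it appears in the page's templates, and CONTEXT holds
constructed values for one pod/container (assumption: trunk 1/3, vsys 7, VLANs 100/201/202)."""
import re

REF = re.compile(r"\$\{([^}]*)\}")                 # ${path} placeholder
STEP = re.compile(r"([^.\[\]]+)|\[([^\]]*)\]")    # dotted names and [bracketed keys]

# Constructed context: what the pod and container would hand the template at run time
CONTEXT = {
    "pod": {"nodes": {"PaloAlto Firewall Host": {"params": {"TrunkPort": "1/3"}}}},
    "container": {
        "id": "17", "integers": {"vsysId": "7"},
        "vlans": {"OUTSIDE": "100", "Service 1": "201", "Service 2": "202"},
        "nodes": {"VFW": {
            "addresses": {
                "OUTSIDE": {"value": "198.51.100.10", "subnetMask": {"CIDR": "24"}},
                "Firewall-Customer-1-IP": {"value": "10.1.0.1", "subnetMask": {"CIDR": "24"}},
                "Firewall-Customer-2-IP": {"value": "10.2.0.1", "subnetMask": {"CIDR": "24"}}},
            "managedInterfaces": {
                "Service-1": {"sanitizedName": "Service-1"},
                "Service-2": {"sanitizedName": "Service-2"},
                "Outside": {"sanitizedName": "Outside"}}}}}}

# The page's Initialize VFW template, one command per line, comments omitted
INITIALIZE_VFW = """exit
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} tag ${container.vlans[OUTSIDE]} ip ${container.nodes[VFW].addresses[OUTSIDE]}/${container.nodes[VFW].addresses[OUTSIDE].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} tag ${container.vlans[Service 1]} ip ${container.nodes[VFW].addresses[Firewall-Customer-1-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-1-IP].subnetMask.CIDR}
set network interface ethernet ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]} layer3 units ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]} tag ${container.vlans[Service 2]} ip ${container.nodes[VFW].addresses[Firewall-Customer-2-IP]}/${container.nodes[VFW].addresses[Firewall-Customer-2-IP].subnetMask.CIDR}
edit vsys vsys${container.integers[vsysId]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set import network interface ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
set network virtual-router VR${container.id} interface [ ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]} ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]} ]
set zone ${container.nodes[VFW].managedInterfaces[Service-1].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 1]}
set zone ${container.nodes[VFW].managedInterfaces[Service-2].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[Service 2]}
set zone ${container.nodes[VFW].managedInterfaces[Outside].sanitizedName}-zone network layer3 ethernet${pod.nodes[PaloAlto Firewall Host].params[TrunkPort]}.${container.vlans[OUTSIDE]}
"""


def lookup(path, ctx):
    """Walk a.b[key].c through nested dicts; an address used bare yields its IP (assumption)."""
    node = ctx
    for ident, key in STEP.findall(path):
        step = ident or key
        if not isinstance(node, dict) or step not in node:
            raise KeyError(f"unresolved ${{{path}}} at {step!r}")
        node = node[step]
    if isinstance(node, dict) and "value" in node:
        node = node["value"]
    if not isinstance(node, str):
        raise KeyError(f"${{{path}}} does not resolve to a scalar")
    return node


def render_commands(template, ctx):
    """Expand every placeholder and return the PAN-OS commands, dropping comments and blank lines."""
    rendered = REF.sub(lambda m: lookup(m.group(1), ctx), template)
    return [ln.strip() for ln in rendered.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


def unresolved_references(template, ctx):
    """Placeholders the context cannot satisfy, e.g. a network the container does not define."""
    missing = []
    for path in REF.findall(template):
        try:
            lookup(path, ctx)
        except KeyError:
            missing.append(path)
    return missing


def oversized_zones(commands, limit=15):
    """Zone names created by 'set zone <name> ...' that exceed the PAN-OS zone name limit."""
    names = [c.split()[2] for c in commands if c.startswith("set zone ")]
    return [n for n in names if len(n) > limit]


if __name__ == "__main__":
    print("unresolved:", unresolved_references(INITIALIZE_VFW, CONTEXT))
    for command in render_commands(INITIALIZE_VFW, CONTEXT):
        print(command)
    print("oversized zones:", oversized_zones(render_commands(INITIALIZE_VFW, CONTEXT)))
```

Running the script prints the thirteen PAN-OS commands the container would push; a container that lacks a VLAN or address the template expects shows up in unresolved_references before anything reaches the device, and oversized_zones catches a Managed Interface name that would make the zone exceed 15 characters.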


Shared mode

Due to licensing constraints, if you cannot create dedicated virtual systems, you can share the underlying firewall so that multiple containers exist on the same physical device.

Note

When you use the Palo Alto device in the Shared mode, ensure that the Multi Virtual System Capability property is set to Off on the Palo Alto device so that the out-of-the-box (OOB) content can be used.

Creating the pod blueprint and the pod in the shared mode

  1. In the PaloAlto Firewall Host node, add a pod-level host device.

    The host device is not used but is required because of the design.
  2. Add a pod-level guest device, which is configured during container creation and policy creation.

    Note

    The guest device must not have a space or a period in the name; otherwise, container creation fails. 

  3. When adding the device to BMC Network Automation, for both the host device and the guest device, set Security Context to Not a Security Context.


Creating the container blueprint and container in the shared mode

  1. In the container blueprint, set <guestDeviceName> to point to the pod firewall guest device.

    <guestDeviceName>${container.nodes[PaloAlto Firewall Host].podGuestDevice.name}</guestDeviceName>
  2. Set <useExistingGuestDeviceFlag> to true to use an existing guest.
    This setting ensures that the container uses the guest node from the pod and does not configure a new one.

    Note

    In containerFirewallHostBlueprint, do not define configureActionInfoBlueprints and unconfigureActionInfoBlueprints. However, you will need these blueprints for virtualGuestBlueprint.
  3. For virtualGuestBlueprint, define configureActionInfoBlueprints and unconfigureActionInfoBlueprints to initialize and uninitialize the firewall.
  4. Under managedInterfaceBlueprint, set the following tags:
    1. <name>: Defines the logical name for managedInterfaceBlueprint; for example, <name>Outside</name>.
    2. <nameWithinFirewall>: Defines the substitution parameter to pass to the underlying firewall device to configure the interface or create a unique zone; for example, <nameWithinFirewall>Outside${container.integers[InterfaceId]}</nameWithinFirewall>.

      Warning

      The Palo Alto firewall does not allow the zone name to be more than 15 characters. Ensure that the value resolved for <nameWithinFirewall> does not exceed 10 characters because BMC Network Automation internally appends “-zone” to the value of <nameWithinFirewall>.

  5. Under addressTranslatorBlueprint, set <insideInterfaceName> and <outsideInterfaceName> to the value of the <name> tag in the managedInterfaceBlueprint.

  6. Under integerBlueprint, acquire a unique integer by using <integerName>InterfaceId</integerName>, which in turn acquires an integer from the pod integerPoolBlueprint.

    The unique integer is required to create unique zones in the firewall for each container.
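    The constraints stated in the two container-blueprint procedures on this page (dedicated mode: host create/destroy actions present, a vsys${container.integers[...]} guest device name and the host address reused for the guest; shared mode: empty host actions and an existing guest reused; both modes: a 15-character zone name limit once -zone is appended, and Enable Path Updates set to NO on the outbound ACL) can be checked mechanically before a blueprint is imported. The following Python linter is an added example, not BMC Network Automation code. It assumes the element names shown in the sample blueprints on this page and resolves ${container.integers[...]} to the largest value the pod integer pool can issue (255 by default, an assumption) so that the zone-length check is conservative; the two blueprints embedded in it are constructed for the example, one shared-mode node with two defects and one dedicated-mode node that passes.

```python
"""Lint a BMC Network Automation containerFirewallHostBlueprint against the Palo Alto
constraints on this page (added example, not BMC code).  Assumptions: the XML shape shown
on the page, and that ${container.integers[X]} resolves at worst to the largest value in the
pod integer pool (POOL_MAX), so the zone-length check covers the longest possible name."""
import re
import xml.etree.ElementTree as ET

ZONE_NAME_LIMIT = 15            # PAN-OS zone name limit stated on the page
ZONE_SUFFIX = "-zone"           # appended by BMC Network Automation
POOL_MAX = 255                  # largest integer the pod pool can hand out (assumption)
INTEGER_REF = re.compile(r"\$\{container\.integers\[([^\]]+)\]\}")
VSYS_NAME = re.compile(r"vsys\$\{container\.integers\[[^\]]+\]\}")


def worst_case_resolve(value, pool_max=POOL_MAX):
    """Substitute the largest possible integer for every ${container.integers[...]}."""
    return INTEGER_REF.sub(str(pool_max), value)


def _has_actions(parent, tag):
    node = parent.find(tag)
    return node is not None and len(node) > 0


def lint_firewall_host(xml_text, pool_max=POOL_MAX):
    """Return a list of findings; an empty list means the blueprint passes every check."""
    root = ET.fromstring(xml_text)
    findings = []
    guest = root.find("virtualGuestBlueprint")
    if guest is None:
        return ["host: missing virtualGuestBlueprint"]
    action_tags = ("configureActionInfoBlueprints", "unconfigureActionInfoBlueprints")
    shared = guest.findtext("useExistingGuestDeviceFlag") == "true"
    if shared:
        # Shared mode reuses the pod guest device, so the host must not create or destroy a vsys
        findings += [f"host: {t} must be empty in shared mode" for t in action_tags if _has_actions(root, t)]
    else:
        # Dedicated mode: the host creates/destroys the vsys and the guest is reached via the host address
        findings += [f"host: {t} required in dedicated mode" for t in action_tags if not _has_actions(root, t)]
        name = guest.findtext("guestDeviceName", "")
        if not VSYS_NAME.fullmatch(name):
            findings.append("guest: guestDeviceName must be vsys${container.integers[<pool>]}, got " + repr(name))
        if guest.findtext("useHostAddressForGuest") != "true":
            findings.append("guest: useHostAddressForGuest must be true (no separate vsys management IP)")
    # In both modes the VFW is initialised and uninitialised through the guest's own actions
    findings += [f"guest: {t} required" for t in action_tags if not _has_actions(guest, t)]
    for mi in guest.iter("managedInterfaceBlueprint"):
        logical = mi.findtext("name", "")
        base = mi.findtext("nameWithinFirewall") or logical   # shared mode names the zone via nameWithinFirewall
        zone = worst_case_resolve(base, pool_max) + ZONE_SUFFIX
        if len(zone) > ZONE_NAME_LIMIT:
            findings.append(f"{logical}: zone name {zone!r} is {len(zone)} chars, limit is {ZONE_NAME_LIMIT}")
        if mi.findtext("outboundAclBlueprint/enablePathUpdates") != "false":
            findings.append(f"{logical}: outbound ACL enablePathUpdates must be false (single ACL only)")
    return findings


# Constructed samples (not the page's own XML): a shared-mode node with two defects and a
# dedicated-mode node that passes.
SHARED_SAMPLE = """<nodeBlueprint xsi:type="containerFirewallHostBlueprint"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <configureActionInfoBlueprints/>
  <unconfigureActionInfoBlueprints/>
  <virtualGuestBlueprint xsi:type="containerVfwBlueprint">
    <configureActionInfoBlueprints><configureActionInfoBlueprint/></configureActionInfoBlueprints>
    <unconfigureActionInfoBlueprints><unconfigureActionInfoBlueprint/></unconfigureActionInfoBlueprints>
    <guestDeviceName>${container.nodes[PaloAlto Firewall Host].podGuestDevice.name}</guestDeviceName>
    <useExistingGuestDeviceFlag>true</useExistingGuestDeviceFlag>
    <managedInterfaceBlueprints>
      <managedInterfaceBlueprint>
        <name>Outside</name>
        <nameWithinFirewall>Outside${container.integers[InterfaceId]}</nameWithinFirewall>
        <outboundAclBlueprint><enablePathUpdates>false</enablePathUpdates></outboundAclBlueprint>
      </managedInterfaceBlueprint>
      <managedInterfaceBlueprint>
        <name>Customer1</name>
        <nameWithinFirewall>Customer1${container.integers[InterfaceId]}</nameWithinFirewall>
        <outboundAclBlueprint><enablePathUpdates>true</enablePathUpdates></outboundAclBlueprint>
      </managedInterfaceBlueprint>
    </managedInterfaceBlueprints>
  </virtualGuestBlueprint>
</nodeBlueprint>"""

DEDICATED_SAMPLE = """<nodeBlueprint xsi:type="containerFirewallHostBlueprint"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <configureActionInfoBlueprints><configureActionInfoBlueprint/></configureActionInfoBlueprints>
  <unconfigureActionInfoBlueprints><unconfigureActionInfoBlueprint/></unconfigureActionInfoBlueprints>
  <virtualGuestBlueprint xsi:type="containerVfwBlueprint">
    <configureActionInfoBlueprints><configureActionInfoBlueprint/></configureActionInfoBlueprints>
    <unconfigureActionInfoBlueprints><unconfigureActionInfoBlueprint/></unconfigureActionInfoBlueprints>
    <useHostAddressForGuest>true</useHostAddressForGuest>
    <guestDeviceName>vsys${container.integers[vsysId]}</guestDeviceName>
    <useExistingGuestDeviceFlag>false</useExistingGuestDeviceFlag>
    <managedInterfaceBlueprints>
      <managedInterfaceBlueprint>
        <name>Service-1</name>
        <outboundAclBlueprint><enablePathUpdates>false</enablePathUpdates></outboundAclBlueprint>
      </managedInterfaceBlueprint>
    </managedInterfaceBlueprints>
  </virtualGuestBlueprint>
</nodeBlueprint>"""

if __name__ == "__main__":
    for label, sample in (("shared", SHARED_SAMPLE), ("dedicated", DEDICATED_SAMPLE)):
        print(label + ":", lint_firewall_host(sample) or "OK")
```

    The shared sample fails on Customer1 twice: Outside255-zone is exactly 15 characters and passes, but Customer1255-zone is 17 and the interface's outbound ACL still has path updates enabled. Checking against the pool maximum rather than the integer a particular container happens to draw is what keeps a blueprint from working for container 1 and failing at container 100.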

    The following example shows a containerFirewallHostBlueprint for a shared firewall scenario:
    <nodeBlueprint xsi:type="containerFirewallHostBlueprint">
                <addressBlueprints/>
                <category>4</category>
                <configureActionInfoBlueprints/>
                <dummyHostFlag>true</dummyHostFlag>
                <name>PaloAlto Firewall Host</name>
                <numVrfs>0</numVrfs>
                <role>PaloAlto Firewall Host</role>
                <unconfigureActionInfoBlueprints/>
                <virtualGuestBlueprint xsi:type="containerVfwBlueprint">
                    <configureActionInfoBlueprints>
                        <configureActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                        <requiresTunneling>true</requiresTunneling>
                        <name>Sample Palo Alto Initialize VFW</name>
                            <templateGroups>
                                <item>Sample Palo Alto Initialize Shared VFW</item>
                            </templateGroups>
                        </configureActionInfoBlueprint>
                    </configureActionInfoBlueprints>
                    <guestAddressBlueprints>
                        <guestAddressBlueprint xsi:type="addressBlueprint">
                            <addressName>OUTSIDE</addressName>
                            <gatewayFlag>true</gatewayFlag>
                            <addressPoolName>OUTSIDE</addressPoolName>
                        </guestAddressBlueprint>
                        <guestAddressBlueprint xsi:type="addressBlueprint">
                            <addressName>Firewall-Customer-1-IP</addressName>
                            <gatewayFlag>true</gatewayFlag>
                            <addressPoolName>Service 1</addressPoolName>
                        </guestAddressBlueprint>
                        <guestAddressBlueprint xsi:type="addressBlueprint">
                            <addressName>Firewall-Customer-2-IP</addressName>
                            <gatewayFlag>true</gatewayFlag>
                            <addressPoolName>Service 2</addressPoolName>
                        </guestAddressBlueprint>
                    </guestAddressBlueprints>
                    <useHostAddressForGuest>true</useHostAddressForGuest>
                    <guestDeviceName>${container.nodes[PaloAlto Firewall Host].podGuestDevice.name}</guestDeviceName>
                    <useExistingGuestDeviceFlag>true</useExistingGuestDeviceFlag>
                    <guestNodeName>VFW</guestNodeName>
                    <defaultEnabledFlag>true</defaultEnabledFlag>
                    <independentFlag>true</independentFlag>
                    <natTypeBlueprint>
                        <addressTranslatorBlueprints>
                            <addressTranslatorBlueprint>
                                <addressPoolNames>
                                    <addressPoolName>Service 1</addressPoolName>
                                </addressPoolNames>
                                <insideInterfaceName>Srv1</insideInterfaceName>
                                <outsideInterfaceName>Outside</outsideInterfaceName>
                            </addressTranslatorBlueprint>
                            <addressTranslatorBlueprint>
                                <addressPoolNames>
                                    <addressPoolName>Service 2</addressPoolName>
                                </addressPoolNames>
                                <insideInterfaceName>Srv2</insideInterfaceName>
                                <outsideInterfaceName>Outside</outsideInterfaceName>
                            </addressTranslatorBlueprint>
                        </addressTranslatorBlueprints>
                        <createNatActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                            <requiresTunneling>true</requiresTunneling>
                            <name>Sample Palo Alto Configure Static Nat</name>
                            <templateGroups>
                                <item>Sample Palo Alto Configure Static Nat</item>
                            </templateGroups>
                        </createNatActionInfoBlueprint>
                        <removeNatActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                            <requiresTunneling>true</requiresTunneling>
                            <name>Sample Palo Alto Unconfigure Static Nat</name>
                            <templateGroups>
                                <item>Sample Palo Alto Unconfigure Static Nat</item>
                            </templateGroups>
                        </removeNatActionInfoBlueprint>
                    </natTypeBlueprint>
                    <sharesVirtualDevice>false</sharesVirtualDevice>
                    <unconfigureActionInfoBlueprints>
                        <unconfigureActionInfoBlueprint xsi:type="mergeActionInfoBlueprint">
                        <requiresTunneling>true</requiresTunneling>
                        <name>Sample Palo Alto Initialize VFW</name>
                            <templateGroups>
                                <item>Sample Palo Alto Uninitialize Shared VFW</item>
                            </templateGroups>
                        </unconfigureActionInfoBlueprint>
                    </unconfigureActionInfoBlueprints>
                    <managedInterfaceBlueprints>
                        <managedInterfaceBlueprint>
                            <bridgeInterfaceNames/>
                            <inboundAclBlueprint>
                                <enablePathUpdates>true</enablePathUpdates>
                                <name>Service-1-IN</name>
                            </inboundAclBlueprint>
                            <name>Srv1</name>
                            <nameWithinFirewall>Srv1${container.integers[InterfaceId]}</nameWithinFirewall>
                            <outboundAclBlueprint>
                                <enablePathUpdates>false</enablePathUpdates>
                                <name>Service-1-OUT</name>
                            </outboundAclBlueprint>
                            <servicedSegmentNames>
                                <servicedSegmentName>Service 1</servicedSegmentName>
                            </servicedSegmentNames>
                        </managedInterfaceBlueprint>
                        <managedInterfaceBlueprint>
                            <bridgeInterfaceNames/>
                            <inboundAclBlueprint>
                                <enablePathUpdates>true</enablePathUpdates>
                                <name>Service-2-IN</name>
                            </inboundAclBlueprint>
                            <name>Srv2</name>
                            <nameWithinFirewall>Srv2${container.integers[InterfaceId]}</nameWithinFirewall>
                            <outboundAclBlueprint>
                                <enablePathUpdates>false</enablePathUpdates>
                                <name>Service-2-OUT</name>
                            </outboundAclBlueprint>
                            <servicedSegmentNames>
                                <servicedSegmentName>Service 2</servicedSegmentName>
                            </servicedSegmentNames>
                        </managedInterfaceBlueprint>
                        <managedInterfaceBlueprint>
                            <bridgeInterfaceNames/>
                            <inboundAclBlueprint>
                                <enablePathUpdates>true</enablePathUpdates>
                                <name>OUTSIDE-IN</name>
                            </inboundAclBlueprint>
                            <name>Outside</name>
                            <nameWithinFirewall>Outside${container.integers[InterfaceId]}</nameWithinFirewall>
                            <outboundAclBlueprint>
                                <enablePathUpdates>false</enablePathUpdates>
                                <name>OUTSIDE-OUT</name>
                            </outboundAclBlueprint>
                            <servicedSegmentNames>
                                <servicedSegmentName>OUTSIDE</servicedSegmentName>
                            </servicedSegmentNames>
                        </managedInterfaceBlueprint>
                    </managedInterfaceBlueprints>
                </virtualGuestBlueprint>
            </nodeBlueprint>
        </nodeBlueprints>
        <pairBlueprints/>
        <vipSegmentBlueprints/>
        <vlanBlueprints>
            <vlanBlueprint>
                <vlanName>Service 1</vlanName>
                <vlanPoolName>Customer Vlans</vlanPoolName>
            </vlanBlueprint>
            <vlanBlueprint>
                <vlanName>Service 2</vlanName>
                <vlanPoolName>Customer Vlans</vlanPoolName>
            </vlanBlueprint>
            <vlanBlueprint>
                <vlanName>OUTSIDE</vlanName>
                <vlanPoolName>OUTSIDE</vlanPoolName>
            </vlanBlueprint>
        </vlanBlueprints>
        <integerBlueprints>
            <integerBlueprint>
                <integerName>InterfaceId</integerName>
                <integerPoolName>Virtual System ID</integerPoolName>
            </integerBlueprint>
        </integerBlueprints>
        <vrfIdBlueprints/>
        <zoneBlueprints>
            <zoneBlueprint>
                <description>zone 1</description>
                <name>Service</name>
                <nicSegmentBlueprints>
                    <nicSegmentBlueprint>
                        <name>Service 1</name>
                        <networkName>Service 1</networkName>
                        <addressPoolName>Service 1</addressPoolName>
                        <vlanName>Service 1</vlanName>
                        <customerFlag>true</customerFlag>
                        <managementFlag>false</managementFlag>
                        <defaultEnabledFlag>true</defaultEnabledFlag>
                        <lockedFlag>false</lockedFlag>
                    </nicSegmentBlueprint>
                    <nicSegmentBlueprint>
                        <name>Service 2</name>
                        <networkName>Service 2</networkName>
                        <addressPoolName>Service 2</addressPoolName>
                        <vlanName>Service 2</vlanName>
                        <customerFlag>true</customerFlag>
                        <managementFlag>false</managementFlag>
                        <defaultEnabledFlag>true</defaultEnabledFlag>
                        <lockedFlag>false</lockedFlag>
                    </nicSegmentBlueprint>
                </nicSegmentBlueprints>
                <vipSegmentBlueprints/>
            </zoneBlueprint>
        </zoneBlueprints>
    </containerBlueprint>
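Because every name in the blueprint above is resolved by reference (a servicedSegmentName against a vlanBlueprint, a `${container.integers[...]}` substitution against an integerBlueprint), a dangling name only surfaces when the container is provisioned. The following linter is an added example, not BMC's code; it assumes that each servicedSegmentName and nicSegment vlanName must name a vlanBlueprint and that each substituted integer must name an integerBlueprint, and runs on a constructed, trimmed copy of the sample in which one interface deliberately references an undefined integer and VLAN.

```python
# Added example (not BMC code): lint a container blueprint for dangling references.
# Assumption: servicedSegmentName and nicSegment vlanName must name a vlanBlueprint,
# and ${container.integers[X]} must name an integerBlueprint X.
import re
import xml.etree.ElementTree as ET

SUBST = re.compile(r"\$\{container\.integers\[(\w+)\]\}")

# Constructed, trimmed blueprint modelled on the page's sample; the second
# interface deliberately references an undefined integer and VLAN.
SAMPLE = """<containerBlueprint>
 <nodeBlueprints><nodeBlueprint><virtualGuestBlueprint><managedInterfaceBlueprints>
  <managedInterfaceBlueprint><name>Srv1</name>
   <nameWithinFirewall>Srv1${container.integers[InterfaceId]}</nameWithinFirewall>
   <servicedSegmentNames><servicedSegmentName>Service 1</servicedSegmentName></servicedSegmentNames>
  </managedInterfaceBlueprint>
  <managedInterfaceBlueprint><name>Outside</name>
   <nameWithinFirewall>Outside${container.integers[VsysId]}</nameWithinFirewall>
   <servicedSegmentNames><servicedSegmentName>DMZ</servicedSegmentName></servicedSegmentNames>
  </managedInterfaceBlueprint>
 </managedInterfaceBlueprints></virtualGuestBlueprint></nodeBlueprint></nodeBlueprints>
 <vlanBlueprints><vlanBlueprint><vlanName>Service 1</vlanName>
  <vlanPoolName>Customer Vlans</vlanPoolName></vlanBlueprint></vlanBlueprints>
 <integerBlueprints><integerBlueprint><integerName>InterfaceId</integerName>
  <integerPoolName>Virtual System ID</integerPoolName></integerBlueprint></integerBlueprints>
 <zoneBlueprints><zoneBlueprint><name>Service</name><nicSegmentBlueprints>
  <nicSegmentBlueprint><name>Service 1</name><vlanName>Service 1</vlanName></nicSegmentBlueprint>
 </nicSegmentBlueprints></zoneBlueprint></zoneBlueprints>
</containerBlueprint>"""

def lint_blueprint(xml_text):
    """Return dangling-reference messages; an empty list means the blueprint is consistent."""
    root = ET.fromstring(xml_text)
    vlans = {e.text for e in root.findall("vlanBlueprints/vlanBlueprint/vlanName")}
    ints = {e.text for e in root.findall("integerBlueprints/integerBlueprint/integerName")}
    problems = []
    for mi in root.iter("managedInterfaceBlueprint"):
        name = mi.findtext("name")
        # every ${container.integers[X]} substitution needs an integerBlueprint named X
        for ref in SUBST.findall(mi.findtext("nameWithinFirewall", "")):
            if ref not in ints:
                problems.append(f"{name}: integer '{ref}' has no integerBlueprint")
        # every serviced segment must be a VLAN the container actually allocates
        for seg in mi.iter("servicedSegmentName"):
            if seg.text not in vlans:
                problems.append(f"{name}: segment '{seg.text}' has no vlanBlueprint")
    for nic in root.iter("nicSegmentBlueprint"):
        vlan = nic.findtext("vlanName")
        if vlan not in vlans:
            problems.append(f"nicSegment {nic.findtext('name')}: vlan '{vlan}' has no vlanBlueprint")
    return problems
```

Running `lint_blueprint(SAMPLE)` reports the two dangling references on the Outside interface and nothing for Srv1 or the Service 1 segment.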


Sample pod and container blueprints

You can find sample pod and container blueprints and related templates in the BCAN_HOME\public\bmc\bca-networks\csm\samples\sampleWithPaloAlto directory on the BMC Network Automation application server. For additional information about the sample pod and container blueprints for use with a Palo Alto firewall, see Pod model and Container model.
