Ian rae panel cloud stack & cloud storage where are we at, and where do we need to go
Published in Technology
  • 1. Palo Alto Networks firewall orchestration using CloudStack. June 25th, 2013. Brian Torres-Gil, Ian Rae
  • 2. Overview
      • Intro to speakers
      • Project objectives
      • Approach
      • Solution overview
      • Demo (demo gods permitting)
      • FAQ
      • Next Steps
  • 3. Who?
      • Ian Rae, Founder and CEO, CloudOps
      • Brian Torres-Gil, Solutions Architect, Palo Alto Networks
  • 4. CloudOps Overview
      • CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)
      • Unique expertise with load balancing built over 14 years of experience
      • Unique expertise with EUEM and APM from Coradiant background
      • Develops best-in-class cloud architectures and operational models
      • Customers in Canada, US and Europe
      • Based in Montreal, Canada
  • 5. Palo Alto Networks at a glance: Corporate highlights
      • Founded in 2005; first customer shipment in 2007
      • Safely enabling applications
      • Able to address all network security needs
      • Exceptional ability to support global customers
      • Experienced technology and management team
      • 1,000+ employees globally
  • 6. Palo Alto - Safe application enablement. Our fundamentally new approach:
      • Identify, control, and safely enable all applications by user
      • Inspect content for known and unknown threats in real time
      • High throughput and performance
      • Simplify infrastructure and reduce TCO
      • Enable diverse deployment scenarios
  • 7. Why? CloudStack virtual router:
      • For Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS.
      • Great approach for horizontally scaled commodity networking services
      • BUT can be a bottleneck and a bit of a black box security-wise
  • 8. More Why.
      • Some clouds have important security requirements not met by CS-VR
      • There is often a need for greater visibility and advanced security services (i.e. content filtering)
      • Typical examples: Enterprise private clouds, PCI compliance for online business, Enterprise-targeted service providers, often telecom providers.
  • 9. What? Project Objectives
      • Support of CloudStack advanced network topology.
      • Support of multiple Palo Alto Networks firewalls.
      • Support of parallel deployment with hardware load-balancer (e.g., NetScaler).
      • Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.
      • Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
          – Firewall (Ingress & Egress)
          – Source NAT
          – Static NAT
          – Port forwarding
      • Communication layer with Palo Alto APIs.
      • Mapping of CloudStack APIs to corresponding Palo Alto APIs.
      • Proper display of Palo Alto connectivity status in CloudStack UI.
      • Functional/Integration testing on PA-3020 platform (version 5.0.0).
      • Full documentation of the solution (architecture, design, APIs).
  • 10. How?
  • 11. Example external device NSP
  • 12. How, in a picture. Solution overview Note: VRs are not actually “inline”
  • 13. Pre-configure the Palo Alto device
      • Set up the Public and Private interfaces on the PA.
      • Pre-configure the Public interface according to the Public IP range in CS.
  • 14. Add the PA as a service provider
      • Add the PA device as a guest network service provider.
      • Enable the provider.
  • 15. Create a Network Offering
      • Expose the PA through a network offering.
      • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.
      • Enable the new offering.
  • 16. Use the Palo Alto
      • Add a network using the service offering.
      • Launch a VM on the new network.
  • 17. Check what happened on the PA
      • A Source NAT IP is allocated on ‘ae1’.
      • A guest network has been set up on ‘ae2’.
      • A Source NAT rule now connects the guest network to the public IP.
      • A policy isolates the guest network.
  • 18. Egress firewall rules
  • 19. Static NAT rules
  • 20. Port Forwarding rules
  • 21. Ingress firewall rules
  • 22. FAQ
      • Q: Is it open source? A: Yes - will be contributed to CloudStack.
      • Q: What is it based on? A: Current dev is based on 4.2 Master branch circa a few weeks ago.
      • Q: Which release of CS will it be included in? A: Depending on the next steps and funding, probably 4.3.
      • Q: What’s planned next? A: Glad you asked.
  • 23. More Information Documentation is here! o-alto-firewall-integration.html Code is here: /tree/palo_alto Contact: @ianrae and @CloudOps_
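
An added example (not from the deck or from the CloudStack or Palo Alto code): a check that a network offering really hands the four security services named on slides 9 and 15 to the Palo Alto provider instead of leaving any of them on the virtual router. The response shape, the service names and the provider name `PaloAlto` are assumptions modelled on CloudStack's listNetworkOfferings JSON output, and the sample response is constructed.

```python
import json

# Services the deck assigns to the Palo Alto firewall (slides 9 and 15).
# Service and provider names are assumptions; adjust to your deployment.
PA_SERVICES = ("Firewall", "PortForwarding", "SourceNat", "StaticNat")
PA_PROVIDER = "PaloAlto"

def _svc(name, provider):
    return {"name": name, "provider": [{"name": provider}]}

# Constructed sample in the assumed shape of a listNetworkOfferings response.
SAMPLE = json.dumps({"listnetworkofferingsresponse": {"networkoffering": [
    {"name": "pa-isolated", "state": "Enabled", "service": [
        _svc("Dhcp", "VirtualRouter"), _svc("Dns", "VirtualRouter"),
        _svc("Firewall", "PaloAlto"), _svc("SourceNat", "PaloAlto"),
        _svc("StaticNat", "PaloAlto"), _svc("PortForwarding", "PaloAlto")]},
    {"name": "mixed", "state": "Disabled", "service": [
        _svc("Firewall", "PaloAlto"), _svc("SourceNat", "VirtualRouter"),
        _svc("StaticNat", "PaloAlto")]},
]}})

def audit_offering(offering, provider=PA_PROVIDER):
    """Return findings for one offering; an empty list means it passes."""
    findings = []
    if offering.get("state") != "Enabled":
        findings.append("offering is not enabled")
    handled_by = {s["name"]: sorted(p["name"] for p in s.get("provider", []))
                  for s in offering.get("service", [])}
    for svc in PA_SERVICES:
        names = handled_by.get(svc)
        if names is None:
            findings.append(f"{svc}: service not offered")
        elif names != [provider]:
            findings.append(f"{svc}: handled by {', '.join(names) or 'nobody'}, "
                            f"expected {provider}")
    return findings

def audit_response(text):
    """Map each offering name in the JSON response to its findings."""
    body = json.loads(text).get("listnetworkofferingsresponse", {})
    return {o.get("name", "?"): audit_offering(o)
            for o in body.get("networkoffering", [])}

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

DHCP and DNS staying on the virtual router is not flagged, which matches the deck's note that the VRs remain in the design but are not inline.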