Ian rae panel cloud stack & cloud storage where are we at, and where do we need to go

  1. Palo Alto Networks firewall orchestration using CloudStack
     June 25th, 2013
     Brian Torres-Gil, Ian Rae
     www.paloaltonetworks.com www.cloudops.com
  2. Overview
     • Intro to speakers
     • Project objectives
     • Approach
     • Solution overview
     • Demo (demo gods permitting)
     • FAQ
     • Next Steps
  3. Who?
     • Ian Rae, Founder and CEO, CloudOps
     • Brian Torres-Gil, Solutions Architect, Palo Alto Networks
  4. CloudOps Overview
     • CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)
     • Unique expertise with load balancing built over 14 years of experience
     • Unique expertise with EUEM and APM from Coradiant background
     • Develops best-in-class cloud architectures and operational models
     • Customers in Canada, US and Europe
     • Based in Montreal, Canada
  5. Palo Alto Networks at a glance
     Corporate highlights:
     • Founded in 2005; first customer shipment in 2007
     • Safely enabling applications
     • Able to address all network security needs
     • Exceptional ability to support global customers
     • Experienced technology and management team
     • 1,000+ employees globally
  6. Palo Alto - Safe application enablement
     Our fundamentally new approach:
     • Identify, control, and safely enable all applications by user
     • Inspect content for known and unknown threats in real time
     • High throughput and performance
     • Simplify infrastructure and reduce TCO
     • Enable diverse deployment scenarios
  7. Why?
     CloudStack virtual router:
     • For Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS.
     • Great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.
  8. More Why.
     • Some clouds have important security requirements not met by CS-VR.
     • There is often a need for greater visibility and advanced security services (i.e. content filtering).
     • Typical examples: enterprise private clouds, PCI compliance for online business, enterprise-targeted service providers, often telecom providers.
  9. What?
     Project Objectives
     • Support of CloudStack advanced network topology.
     • Support of multiple Palo Alto Networks firewalls.
     • Support of parallel deployment with hardware load-balancer (e.g. Netscaler).
     • Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.
     • Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
       – Firewall (Ingress & Egress)
       – Source NAT
       – Static NAT
       – Port forwarding
     • Communication layer with Palo Alto APIs.
     • Mapping of CloudStack APIs to corresponding Palo Alto APIs.
     • Proper display of Palo Alto connectivity status in CloudStack UI.
     • Functional/Integration testing on PA-3020 platform (version 5.0.0).
     • Full documentation of the solution (architecture, design, APIs).
  10. How?
  11. Example external device NSP
  12. How, in a picture.
      Solution overview
      Note: VRs are not actually “inline”
  13. Pre-configure the Palo Alto device
      • Set up the Public and Private interfaces on the PA.
      • Pre-configure the Public interface according to the Public IP range in CS.
  14. Add the PA as a service provider
      • Add the PA device as a guest network service provider.
      • Enable the provider.
  15. Create a Network Offering
      • Expose the PA through a network offering.
      • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.
      • Enable the new offering.
  16. Use the Palo Alto
      • Add a network using the service offering.
      • Launch a VM on the new network.
  17. Check what happened on the PA
      • A Source NAT IP is allocated on ‘ae1’.
      • A guest network has been set up on ‘ae2’.
      • A Source NAT rule now connects the guest network to the public IP.
      • A policy isolates the guest network.
  18. Egress firewall rules
  19. Static NAT rules
  20. Port Forwarding rules
  21. Ingress firewall rules
  22. FAQ
      Q: Is it open source?
      A: Yes - will be contributed to CloudStack.
      Q: What is it based on?
      A: Current dev is based on 4.2 Master branch circa a few weeks ago.
      Q: Which release of CS will it be included in?
      A: Depending on the next steps and funding, probably 4.3.
      Q: What’s planned next?
      A: Glad you asked
  23. More Information
      Documentation is here! https://cwiki.apache.org/CLOUDSTACK/palo-alto-firewall-integration.html
      Code is here: https://github.com/cloudops/cs_palo_alto/tree/palo_alto
      Contact: @ianrae and @CloudOps_
