Ian rae panel cloud stack & cloud storage where are we at, and where do we need to go


  1. Palo Alto Networks firewall orchestration using CloudStack. June 25th, 2013. Brian Torres-Gil, Ian Rae. www.paloaltonetworks.com www.cloudops.com
  2. Overview: Intro to speakers; Project objectives; Approach; Solution overview; Demo (demo gods permitting); FAQ; Next Steps
  3. Who? Ian Rae, Founder and CEO, CloudOps. Brian Torres-Gil, Solutions Architect, Palo Alto Networks.
  4. CloudOps Overview
     • CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)
     • Unique expertise with load balancing built over 14 years of experience
     • Unique expertise with EUEM and APM from Coradiant background
     • Develops best-in-class cloud architectures and operational models
     • Customers in Canada, US and Europe
     • Based in Montreal, Canada
  5. Palo Alto Networks at a glance. Corporate highlights:
     • Founded in 2005; first customer shipment in 2007
     • Safely enabling applications
     • Able to address all network security needs
     • Exceptional ability to support global customers
     • Experienced technology and management team
     • 1,000+ employees globally
  6. Palo Alto - Safe application enablement. Our fundamentally new approach:
     • Identify, control, and safely enable all applications by user
     • Inspect content for known and unknown threats in real time
     • High throughput and performance
     • Simplify infrastructure and reduce TCO
     • Enable diverse deployment scenarios
  7. Why? CloudStack virtual router: For Advanced Networking it often handles NAT, LB, FW, VPN in addition to DHCP, DNS. Great approach for horizontally scaled commodity networking services BUT can be a bottleneck and a bit of a black box security wise.
  8. More Why. Some clouds have important security requirements not met by CS-VR. There is often a need for greater visibility and advanced security services (i.e. content filtering). Typical examples: Enterprise private clouds, PCI compliance for online business, Enterprise-targeted service providers, often telecom providers.
  9. What? Project Objectives
     • Support of CloudStack advanced network topology.
     • Support of multiple Palo Alto Networks firewalls.
     • Support of parallel deployment with hardware load-balancer (e.g.: Netscaler).
     • Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.
     • Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
       – Firewall (Ingress & Egress)
       – Source NAT
       – Static NAT
       – Port forwarding
     • Communication layer with Palo Alto APIs.
     • Mapping of CloudStack APIs to corresponding Palo Alto APIs.
     • Proper display of Palo Alto connectivity status in CloudStack UI.
     • Functional/Integration testing on PA-3020 platform (version 5.0.0)
     • Full documentation of the solution (architecture, design, APIs)
  10. How?
  11. Example external device NSP
  12. How, in a picture. Solution overview. Note: VRs are not actually “inline”
  13. Pre-configure the Palo Alto device
     • Setup the Public and Private interfaces on the PA.
     • Pre-configure the Public interface according to the Public IP range in CS.
  14. Add the PA as a service provider
     • Add the PA device as a guest network service provider.
     • Enable the provider.
  15. Create a Network Offering
     • Expose the PA through a network offering.
     • PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.
     • Enable the new offering.
  16. Use the Palo Alto
     • Add a network using the service offering.
     • Launch a VM on the new network.
  17. Check what happened on the PA
     • A Source NAT IP is allocated on ‘ae1’.
     • A guest network has been setup on ‘ae2’.
     • A Source NAT rule now connects the guest network to the public IP.
     • A policy isolates the guest network.
  18. Egress firewall rules
  19. Static NAT rules
  20. Port Forwarding rules
  21. Ingress firewall rules
  22. FAQ
     Q: Is it open source? A: Yes - will be contributed to CloudStack.
     Q: What is it based on? A: Current dev is based on 4.2 Master branch circa a few weeks ago
     Q: Which release of CS will it be included in? A: Depending on the next steps and funding, probably 4.3
     Q: What’s planned next? A: Glad you asked
  23. More Information
     Documentation is here! https://cwiki.apache.org/CLOUDSTACK/palo-alto-firewall-integration.html
     Code is here: https://github.com/cloudops/cs_palo_alto/tree/palo_alto
     Contact: @ianrae and @CloudOps_
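
The network offering from slides 9 and 15, checked in code: the four services the deck assigns to the Palo Alto device should not be left on the virtual router, and the offering must be enabled. This is an added example, not code from the presentation or the cs_palo_alto project; the dictionary shape (modelled on a CloudStack listNetworkOfferings-style response), the provider names `PaloAlto` and `VirtualRouter`, and both sample offerings are assumptions constructed for illustration.

```python
# Added example: audit a CloudStack network offering against slides 9 and 15.
# Assumptions: response shape, provider names and sample data are constructed.

# Services the deck says the Palo Alto firewall provides (CloudStack service names).
PA_SERVICES = ("Firewall", "SourceNat", "StaticNat", "PortForwarding")


def audit_offering(offering, expected_provider="PaloAlto"):
    """Return a list of findings; an empty list means the offering matches the deck."""
    findings = []
    if offering.get("state") != "Enabled":
        findings.append(f"offering state is {offering.get('state')!r}, not 'Enabled'")
    # Map each offered service to the sorted list of providers backing it.
    providers = {
        svc["name"]: sorted(p["name"] for p in svc.get("provider", []))
        for svc in offering.get("service", [])
    }
    for name in PA_SERVICES:
        got = providers.get(name)
        if got is None:
            findings.append(f"{name}: service not offered")
        elif got != [expected_provider]:
            backing = ", ".join(got) or "nobody"
            findings.append(f"{name}: provided by {backing}, expected {expected_provider}")
    return findings


def _svc(name, provider):
    """Build one service entry in the assumed response shape."""
    return {"name": name, "provider": [{"name": provider}]}


# Constructed sample: DHCP/DNS stay on the VR, security services go to the PA.
GOOD = {"name": "pa-isolated", "state": "Enabled", "service": [
    _svc("Dhcp", "VirtualRouter"), _svc("Dns", "VirtualRouter"),
    _svc("Firewall", "PaloAlto"), _svc("SourceNat", "PaloAlto"),
    _svc("StaticNat", "PaloAlto"), _svc("PortForwarding", "PaloAlto"),
]}

# Constructed sample: never enabled, Static NAT missing, port forwarding on the VR.
MIXED = {"name": "pa-partial", "state": "Disabled", "service": [
    _svc("Dhcp", "VirtualRouter"), _svc("Firewall", "PaloAlto"),
    _svc("SourceNat", "PaloAlto"), _svc("PortForwarding", "VirtualRouter"),
]}

if __name__ == "__main__":
    for offering in (GOOD, MIXED):
        print(offering["name"], audit_offering(offering) or "OK")
```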
