Heat Templates for Service Chaining and Service Scaling

Learn how to set up a heat template for service chaining and service scaling.
Where Can I Use This?
  • OpenStack
What Do I Need?
  • VM-Series Firewall License (BYOL)
  • Heat template
  • Panorama
  • VM-Series plugin
Deploying the VM-Series firewall through service chaining or service scaling is not supported on OpenStack Queens.
The heat template environment file defines the parameters specific to the VM-Series firewall instance deployed through service chaining or service scaling. The parameters defined in the environment file are divided into the sections described below. There are two versions of the heat templates for service chaining—vwire and L3—and one for service scaling.
Service chaining requires the heat template files and two bootstrap files to launch the VM-Series firewall service instance and two Linux servers in the left and right networks.
  • Template files—This template defines the resources created to support the VM-Series firewall and two Linux servers, such as interfaces and IP addresses.
    • service_chaining_template_vm.yaml for vwire deployments.
    • service_chaining_template_L3.yaml for L3 deployments.
    • service_scaling_template.yaml for service scaling deployments.
  • Environment file—This environment file defines the environment that the VM-Series firewall and Linux servers exist in. Many parameters in the template reference the parameters defined in this file, such as flavor for the VM-Series and the names of the Linux servers.
    • service_chaining_env_vm.yaml for vwire deployments.
    • service_chaining_env_L3.yaml for L3 deployments.
    • service_scaling_env.yaml for service scaling deployments.
  • service_instance.yaml—(Service Scaling only) This is a nested heat template that is referenced by service_scaling_template.yaml to deploy the service instance. It provides the information needed to deploy service instances during scaling events.
  • init-cfg.txt—Provides the minimum information required to bootstrap a VM-Series firewall. The init-cfg.txt provided only includes the operational command to enable DHCP on the firewall management interface.
  • <file_name>_bootstrap.xml—Provides the basic configuration for the VM-Series firewall. The bootstrap.xml file configures the data interfaces. These values must match the corresponding values in the heat template files.
For more information about the init-cfg.txt and bootstrap.xml files, see Bootstrap Configuration Files.

Virtual Network

The virtual network configuration parameters in the heat template environment file define the virtual network that connects the VM-Series firewall and the two Linux servers deployed by the heat template.
Virtual Network (VN Config)
  • management_network: The VM-Series firewall management interface attaches to the network specified in this parameter.
  • left_vn or left_network: Name of the left virtual network.
  • right_vn or right_network: Name of the right virtual network.
  • left_vn_fqdn: Fully qualified domain name of the left virtual network.
  • right_vn_fqdn: Fully qualified domain name of the right virtual network.
  • route_target: Edit this value so the route target configuration matches that of your external gateway.

Virtual Machine

The virtual machine parameters define the left and right Linux servers. The name of the port tuple is defined here and referenced by the heat template. In Contrail, a port tuple is an ordered set of virtual network interfaces connected to the same virtual machine. With a port tuple, you can create ports and pass that information when creating a service instance. The heat template creates the left, right, and management ports and adds them to the port tuple. The port tuple is then linked to the service instance. When you launch the service instance using the heat templates, the port tuple maps the service virtual machine to the virtual machine deployed in OpenStack.
Virtual Machine (VM Config)
  • flavor: The flavor of the left and right virtual machines. The default value is m1.small.
  • left_vm_image or right_vm_image or image: The name of the software image for the left and right virtual machines. Change this value to match the file name of the image you uploaded. The default is TestVM, which is a default image provided by OpenStack.
  • svm_name: The name applied to the VM-Series firewall.
  • left_vm_name and right_vm_name: The name of the left and right virtual machines.
  • port_tuple_name: The name of the port tuple used by the two Linux servers and the VM-Series firewall.
  • server_key: The server key is used for accessing virtual machines through SSH. The default value is server_key. You can change this value by entering a new server key in the environment file.

Service Template

The service template defines the parameters of the service instance, such as the software image, virtual machine flavor, service type, and interfaces. Service templates are configured within the scope of a domain and can be used on all projects within the specified domain.
Service Template (ST Config)
  • S_Tmp_name: The name of the service template.
  • S_Tmp_version: The service template version. The default value is 2. Do not change this parameter, because service template version 2 is required to support port tuples.
  • S_Tmp_service_mode: The service mode is the network mode used by the VM-Series firewall service instance. For the L3 network template, the default value is in-network. For the virtual wire template, the default value is transparent.
  • S_Tmp_service_type: The type of service deployed by the template. The default value is firewall and should not be changed when deploying the VM-Series firewall.
  • S_Tmp_image_name: The VM-Series base image used by the heat template when deploying the VM-Series firewall. Edit this parameter to match the name of the VM-Series firewall image uploaded to your OpenStack environment.
  • S_Tmp_flavor: The hardware resources allocated to the VM-Series firewall. The default value is m1.large.
  • S_Tmp_interface_type_mgmt, S_Tmp_interface_type_left, and S_Tmp_interface_type_right: The interface types of the management, left, and right interfaces.
  • domain: The domain this service template is tied to. The default value is default-domain.

Service Instance

The service instance portion of the heat template environment file provides the name of the individual instance deployed by the heat template and service template.
Service Instance (SI Config)
  • S_Ins_name: The service instance name. This is the name of the VM-Series firewall instance in Contrail.
  • S_Ins_fq_name: The fully qualified name of the service instance.

IPAM

IP address management (IPAM) provides the IP address information for the interfaces of the service instance. Change these parameters to suit your environment.
IPAM (IPAM Config)
  • NetIPam_ip_prefix_mgmt: The IP prefix of the management interface on the VM-Series firewall. The default value is 172.2.0.0.
  • NetIPam_ip_prefix_len_mgmt: The IP prefix length of the management interface on the VM-Series firewall. The default value is /24.
  • NetIPam_ip_prefix_left: The IP prefix of the left interface on the VM-Series firewall. The default value is 10.10.1.0.
  • NetIPam_ip_prefix_len_left: The IP prefix length of the left interface on the VM-Series firewall. The default value is /24.
  • NetIPam_ip_prefix_right: The IP prefix of the right interface on the VM-Series firewall. The default value is 10.10.2.0.
  • NetIPam_ip_prefix_len_right: The IP prefix length of the right interface on the VM-Series firewall. The default value is /24.
  • NetIPam_addr_from_start_true: Determines how IP addresses are assigned to VMs on the subnets described above. If true, each new VM takes the next available IP address. If false, each new VM is assigned an IP address at random. The default value is true.
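Because the management, left and right prefixes are edited by hand in the environment file, a quick consistency check before deploying the stack catches the two usual mistakes: a prefix with host bits set for its length, and subnets that overlap so that ports on two virtual networks draw from the same address range. The following is an added example, not code from the page or from Palo Alto Networks; the parameter names and default values are those in the IPAM table above, while the dict layout and the check functions are assumptions made for this illustration.

```python
"""Sanity-check the IPAM Config parameters of a heat environment file.

Added example (not from the page or Palo Alto Networks). Parameter names and
defaults come from the IPAM table; the dict layout and the helper functions
below are assumptions for this illustration.
"""
import ipaddress

# Constructed parameter set using the defaults listed in the IPAM table.
DEFAULT_IPAM = {
    "NetIPam_ip_prefix_mgmt": "172.2.0.0",
    "NetIPam_ip_prefix_len_mgmt": "/24",
    "NetIPam_ip_prefix_left": "10.10.1.0",
    "NetIPam_ip_prefix_len_left": "/24",
    "NetIPam_ip_prefix_right": "10.10.2.0",
    "NetIPam_ip_prefix_len_right": "/24",
}

ROLES = ("mgmt", "left", "right")


def build_subnets(params):
    """Return {role: IPv4Network} for the mgmt, left and right interfaces.

    The prefix length is accepted with or without the leading slash ("/24" or
    "24"). strict=True makes ipaddress raise ValueError when a prefix has host
    bits set for its length (for example 10.10.1.5/24), which almost always
    means a typo in the environment file.
    """
    subnets = {}
    for role in ROLES:
        prefix = params[f"NetIPam_ip_prefix_{role}"]
        length = str(params[f"NetIPam_ip_prefix_len_{role}"]).lstrip("/")
        subnets[role] = ipaddress.ip_network(f"{prefix}/{length}", strict=True)
    return subnets


def check_ipam(params):
    """Return a list of problems; an empty list means the set is consistent."""
    try:
        subnets = build_subnets(params)
    except (KeyError, ValueError) as exc:
        return [f"invalid IPAM parameter: {exc}"]
    problems = []
    # The management subnet and the two data subnets must not overlap;
    # otherwise ports on different virtual networks can be handed
    # addresses from the same range.
    for i, a in enumerate(ROLES):
        for b in ROLES[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(
                    f"{a} subnet {subnets[a]} overlaps {b} subnet {subnets[b]}"
                )
    return problems


if __name__ == "__main__":
    print("defaults:", check_ipam(DEFAULT_IPAM) or "ok")
    # Constructed bad set: the right subnet is carved out of the left one.
    bad = dict(DEFAULT_IPAM, NetIPam_ip_prefix_right="10.10.1.128",
               NetIPam_ip_prefix_len_right="/25")
    print("overlap:", check_ipam(bad))
```

Run it against the dict you intend to write into service_chaining_env_*.yaml or service_scaling_env.yaml; an empty list from check_ipam means the three prefixes are well-formed and disjoint.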

Service Policy

The service policy defines the traffic redirection rules and policy that point traffic passing between the left and right virtual machines to the VM-Series firewall service instance.
Service Policy (Policy Config)
  • policy_name: The name of the service policy in Contrail that redirects traffic through the VM-Series firewall. For the L3 template, the default value is PAN_SVM_policy-L3. For the virtual wire template, the default value is PAN_SVM_policy-vw.
  • policy_fq_name: The fully qualified name of the service policy.
  • simple_action: The default action Contrail applies to traffic going to the VM-Series firewall service instance. The default value is pass, because the VM-Series firewall applies its own security policy to the traffic.
  • protocol: The protocols Contrail allows to pass to the VM-Series firewall. The default value is any.
  • src_port_end and src_port_start: Use these parameters to specify the source ports associated with the policy rule. You can enter a single port, a comma-separated list of ports, or a range of ports in the form <port>-<port>. The default value in the provided heat templates is -1, meaning any source port.
  • direction: The direction of traffic Contrail allows to pass to the VM-Series firewall. The default value is <>, meaning bidirectional traffic.
  • dst_port_end and dst_port_start: Use these parameters to specify the destination ports associated with the policy rule. You can enter a single port, a comma-separated list of ports, or a range of ports in the form <port>-<port>. The default value in the provided heat templates is -1, meaning any destination port.
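The port fields accept three spellings plus the -1 wildcard, and a malformed value is easier to catch before the stack is created than after Contrail has installed the policy. The following parser is an added example, not code from the page or from Palo Alto Networks; it implements exactly the syntax listed in the Service Policy table (single port, comma-separated list, <port>-<port> range, -1 for any). The function names and the (start, end) tuple representation are assumptions made for this illustration.

```python
"""Parse and validate src_port/dst_port values of a Contrail service policy.

Added example, not from the page or Palo Alto Networks. The accepted syntax is
the one documented in the Service Policy table; function names and the
(start, end) representation are assumptions for this illustration.
"""

ANY_PORT = (0, 65535)


def _port(text):
    """Convert one port token to int, rejecting anything outside 0..65535."""
    try:
        value = int(text.strip())
    except ValueError:
        raise ValueError(f"not a port number: {text!r}") from None
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def merge_ranges(ranges):
    """Sort (start, end) tuples and merge overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_port_spec(spec):
    """Parse a policy port specification into sorted, merged (start, end) tuples.

    "-1" is the template default and means any port. Anything that is not one
    of the documented forms raises ValueError, so a typo in the environment
    file is caught before the stack is deployed.
    """
    text = str(spec).strip()
    if text == "-1":
        return [ANY_PORT]
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in port specification {spec!r}")
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = _port(lo_text), _port(hi_text)
            if lo > hi:
                raise ValueError(f"inverted range {item!r}")
        else:
            lo = hi = _port(item)
        ranges.append((lo, hi))
    return merge_ranges(ranges)


def port_matches(ranges, port):
    """True if `port` falls inside any of the parsed ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed samples: the template default and three narrowed policies.
    for sample in ("-1", "80,443", "1024-65535", "443,80,81"):
        print(f"{sample!r:>14} -> {parse_port_spec(sample)}")
```

Because the policy direction defaults to bidirectional (<>), the same parser applies to both the src_port and dst_port values; port_matches lets you confirm that a given flow would be steered to the firewall by the rule you are about to deploy.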

Alarm

The alarm parameters are used in service scaling and are not included in the service chaining environment files. These parameters define the thresholds used by Contrail to determine when scaling should take place. This set of parameters is only used in the service scaling heat template.
The default time configured under the cooldown parameters is intended to allow the firewall enough time to boot up. If you change the cooldown values, leave sufficient time for each new firewall instance to boot up.
Alarm
  • meter_name: The metric monitored by Ceilometer and used by Contrail to determine when an additional VM-Series firewall should be deployed or brought down. The heat template uses CPU utilization or bytes per second as metrics for service scaling.
  • cooldown_initial: The amount of time Contrail waits before launching an additional service instance after the initial service instance is launched. The default is 1,200 seconds.
  • cooldown_scaleup: The amount of time Contrail waits between launching additional service instances after the first scale-up service instance launch. The default is 1,200 seconds.
  • cooldown_scaledown: The amount of time Contrail waits between shutting down additional service instances after the first scale-up service instance shutdown. The default is 1,200 seconds.
  • period_high: The interval during which the average CPU load is calculated as high before triggering an alarm. The default value is 300 seconds.
  • period_low: The interval during which the average CPU load is calculated as low before triggering an alarm. The default value is 300 seconds.
  • threshold_high: The value of CPU utilization in percentage or bytes per second that Contrail references before launching a scale-up event. The default is 40% CPU utilization or 2,800 bytes per second.
  • threshold_low: The value of CPU utilization in percentage or bytes per second that Contrail references before launching a scale-down event. The default is 20% CPU utilization or 12,000 bytes per second.