End-of-Life (EoL)
The heat template environment file defines the parameters specific to the VM-Series firewall instance deployed through service chaining or service scaling. The parameters defined in the environment file are divided into sections described below. There are two versions of the heat templates for service chaining—vwire and L3— and one for service scaling.
Service chaining requires the heat template files and two bootstrap files to launch the VM-Series firewall service instance and two Linux servers in the left and right networks.
Template file— Defines the resources created to support the VM-Series firewall and the two Linux servers, such as interfaces and IP addresses:
service_chaining_template_vm.yaml for vwire deployments.
service_chaining_template_L3.yaml for L3 deployments.
service_scaling_template.yaml for service scaling deployments.
Environment file— Defines the environment in which the VM-Series firewall and Linux servers exist. Many parameters in the template reference the parameters defined in this file, such as the flavor for the VM-Series firewall and the names of the Linux servers:
service_chaining_env_vm.yaml for vwire deployments.
service_chaining_env_L3.yaml for L3 deployments.
service_scaling_env.yaml for service scaling deployments.
service_instance.yaml— (Service scaling only) A nested heat template referenced by service_scaling_template.yaml to deploy the service instance. It provides the information needed to deploy additional service instances during scaling events.
init-cfg.txt— Provides the minimum information required to bootstrap a VM-Series firewall. The init-cfg.txt provided includes only the operational command that enables DHCP on the firewall management interface.
<file_name>_bootstrap.xml— Provides the basic configuration for the VM-Series firewall, including the data interfaces. The interface values in this file must match the corresponding values in the heat template files.
For more information about the init-cfg.txt and bootstrap.xml files, see Bootstrap Configuration Files.
The following tables describe the parameters of the environment file.
Virtual Network
The virtual network configuration parameters in the heat template environment file define the virtual network that connects the VM-Series firewall and the two Linux servers deployed by the heat template.
Virtual Network (VN Config)
management_network The VM-Series firewall management interface attaches to the network specified in this parameter.
left_vn or left_network Name of the left virtual network.
right_vn or right_network Name of the right virtual network.
left_vn_fqdn Fully qualified domain name of the left virtual network.
right_vn_fqdn Fully qualified domain name of the right virtual network.
route_target Edit this value so that the route target matches the route target configured on your external gateway.
Virtual Machine
The virtual machine parameters define the left and right Linux servers. The name of the port tuple is defined here and referenced by the heat template. In Contrail, a port tuple is an ordered set of virtual network interfaces connected to the same virtual machine. With a port tuple, you can create ports and pass that information when creating a service instance. The heat template creates the left, right, and management ports and adds them to the port tuple. The port tuple is then linked to the service instance. When you launch the service instance using the heat templates, the port tuple maps the service virtual machine to the virtual machine deployed in OpenStack.
Virtual Machine (VM Config)
flavor The flavor of the left and right virtual machines. The default value is m1.small.
left_vm_image or right_vm_image or image The name of the software image for the left and right virtual machines. Change this value to match the name of the image you uploaded to OpenStack. The default is TestVM, the default image provided by OpenStack.
svm_name The name applied to the VM-Series firewall.
left_vm_name and right_vm_name The name of the left and right virtual machines.
port_tuple_name The name of the port tuple used by the two Linux servers and the VM-Series firewall.
server_key The name of the SSH key pair used to access the left and right virtual machines. The default value is server_key. You can change this value by entering a different key pair name in the environment file; the key pair must exist in your OpenStack project before you launch the stack.
Service Template
The service template defines the parameters of the service instance, such as the software image, virtual machine flavor, service type, and interfaces. Service templates are configured within the scope of a domain and can be used on all projects within the specified domain.
Service Template (ST Config)
S_Tmp_name The name of the service template.
S_Tmp_version The service template version. The default value is 2. Do not change this parameter; service template version 2 is required to support port tuples.
S_Tmp_service_mode Service mode is the network mode used by the VM-Series firewall service instance. For the L3 network, the default value is in-network. For the virtual wire template, the default value is transparent.
S_Tmp_service_type The type of service being deployed by the template. The default value is firewall and should not be changed when deploying the VM-Series firewall.
S_Tmp_image_name This parameter specifies the VM-Series base image used by the Heat template when deploying the VM-Series firewall. Edit this parameter to match the name of the VM-Series firewall image uploaded to your OpenStack environment.
S_Tmp_flavor This parameter defines the hardware resources allocated to the VM-Series firewall. The default value is m1.large.
S_Tmp_interface_type_mgmt, S_Tmp_interface_type_left, S_Tmp_interface_type_right These parameters define the interface type for the management, left, and right interfaces, respectively.
domain The domain to which this service template belongs. The default value is default-domain.
Service Instance
The service instance portion of the heat template environment file provides the name of the individual instance deployed by the heat template and service template.
Service Instance (SI Config)
S_Ins_name The service instance name. This is the name of the VM-Series firewall instance in Contrail.
S_Ins_fq_name The fully qualified name of the service instance.
IPAM
IP address management (IPAM) provides the IP address information for the interfaces of the service instance. Change these parameters to suit your environment.
IPAM (IPAM Config)
NetIPam_ip_prefix_mgmt The IP prefix of the management interface on the VM-Series firewall. The default value is 172.2.0.0.
NetIPam_ip_prefix_len_mgmt The IP prefix length of the management interface on the VM-Series firewall. The default value is /24.
NetIPam_ip_prefix_left The IP prefix of the left interface on the VM-Series firewall. The default value is 10.10.1.0.
NetIPam_ip_prefix_len_left The IP prefix length of the left interface on the VM-Series firewall. The default value is /24.
NetIPam_ip_prefix_right The IP prefix of the right interface on the VM-Series firewall. The default value is 10.10.2.0.
NetIPam_ip_prefix_len_right The IP prefix length of the right interface on the VM-Series firewall. The default value is /24.
NetIPam_addr_from_start_true This parameter determines how IP addresses are assigned to VMs on the subnets described above. If true, any new VM takes the next available IP address. If false, any new VM is assigned an IP address at random. The default value is true.
Service Policy
The service policy defines the traffic redirection rules and policy that point traffic passing between the left and right virtual machines to the VM-Series firewall service instance.
Service Policy (Policy Config)
policy_name The name of the service policy in Contrail that redirects traffic through the VM-Series firewall. For the L3 template, the default value is PAN_SVM_policy-L3. For the virtual wire template, the default value is PAN_SVM_policy-vw.
policy_fq_name The fully qualified name of the service policy.
simple_action The action Contrail applies to traffic matched by the policy rule and sent to the VM-Series firewall service instance. The default value is pass, because the VM-Series firewall applies its own security policy to the traffic; Contrail only redirects it.
protocol The protocols that Contrail redirects to the VM-Series firewall. The default value is any.
src_port_start and src_port_end The start and end of the source port range associated with the policy rule. Set both parameters to the same value to match a single port. The default value for both is -1 in the provided heat templates, meaning any source port.
direction The direction of traffic that Contrail redirects to the VM-Series firewall. The default value is <>, meaning bidirectional traffic.
dst_port_start and dst_port_end The start and end of the destination port range associated with the policy rule. Set both parameters to the same value to match a single port. The default value for both is -1 in the provided heat templates, meaning any destination port.
Alarm
The alarm parameters are used only by the service scaling heat template and are not included in the service chaining environment files. These parameters define the thresholds that Contrail uses to determine when scaling should take place.
The default time configured under the cooldown parameters is intended to allow the firewall enough time to boot up. If you change the cooldown values, leave sufficient time for each new firewall instance to boot up.
Alarm
meter_name The Ceilometer meter that Contrail monitors to decide when an additional VM-Series firewall should be deployed or an existing one brought down. The heat template uses CPU utilization or bytes per second as the metric for service scaling.
cooldown_initial The amount of time Contrail waits after launching the initial service instance before it launches an additional one. The default is 1200 seconds.
cooldown_scaleup The amount of time Contrail waits between launching additional service instances after the first scale up launch. The default is 1200 seconds.
cooldown_scaledown The amount of time Contrail waits between shutting down service instances after the first scale down. The default is 1200 seconds.
period_high The interval over which the average CPU load must remain above threshold_high before an alarm is triggered. The default value is 300 seconds.
period_low The interval over which the average CPU load must remain below threshold_low before an alarm is triggered. The default value is 300 seconds.
threshold_high The CPU utilization (in percent) or throughput (in bytes per second) above which Contrail triggers a scale up event. The default is 40% CPU utilization or 2800 bytes per second.
threshold_low The CPU utilization (in percent) or throughput (in bytes per second) below which Contrail triggers a scale down event. The default is 20% CPU utilization or 12000 bytes per second. Whatever values you choose, threshold_low must be below threshold_high, otherwise scale up and scale down events will oscillate.
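The constraints spread across the Service Template, Service Policy, and Alarm tables above (service template version 2, service type firewall, a valid service mode, port ranges of -1/-1 or a proper start-to-end range, threshold_low below threshold_high, and cooldowns long enough for a firewall to boot) are easy to break when editing the environment file by hand. The following script is an added example written for this page, not one of the Palo Alto Networks template files. It assumes the environment file uses the flat `parameters:` / `key: value` layout these files have (a minimal parser is used instead of PyYAML so the script has no dependencies), embeds a constructed sample environment, and treats 600 seconds as the assumed minimum cooldown; adjust that floor to the boot time you measure.

```python
"""Sanity checks for a VM-Series Contrail heat environment file.

Added example; not part of the Palo Alto Networks heat templates. Parses the
flat `parameters:` mapping of a heat environment file and applies the
constraints described in the environment-file tables on this page.
"""
import re

# Constructed sample environment file. Parameter names follow the tables on
# this page; the file itself is not one of the shipped env files.
SAMPLE_ENV = """\
parameters:
  S_Tmp_version: 2
  S_Tmp_service_type: firewall
  S_Tmp_service_mode: in-network
  src_port_start: -1
  src_port_end: -1
  dst_port_start: -1
  dst_port_end: -1
  simple_action: pass
  threshold_high: 40
  threshold_low: 20
  cooldown_initial: 1200
  cooldown_scaleup: 1200
  cooldown_scaledown: 1200
"""

# Matches one indented "key: value" line inside the parameters block.
_LINE = re.compile(r"^\s+([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_env(text):
    """Return the parameters mapping as {name: str}; quotes are stripped.

    Assumption: only the two-level `parameters:` / `key: value` layout is
    understood. Nested values would need a real YAML parser.
    """
    params = {}
    in_params = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):   # a top-level key
            in_params = line.strip() == "parameters:"
            continue
        match = _LINE.match(line)
        if in_params and match:
            params[match.group(1)] = match.group(2).strip("'\"")
    return params


def _int(params, key):
    """Integer value of a parameter, or None when absent or not an integer."""
    try:
        return int(params[key])
    except (KeyError, ValueError):
        return None


def _check_port_range(params, prefix, problems):
    start = _int(params, f"{prefix}_port_start")
    end = _int(params, f"{prefix}_port_end")
    if start is None and end is None:
        return  # policy parameters absent from this env file
    if start is None or end is None:
        problems.append(f"{prefix}_port_start and {prefix}_port_end must both be integers")
        return
    if start == -1 and end == -1:
        return  # -1/-1 means any port
    if not (0 <= start <= end <= 65535):
        problems.append(f"{prefix} port range {start}-{end} is not a valid range")


def check_env(params, min_cooldown=600):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    if params.get("S_Tmp_version") != "2":
        problems.append("S_Tmp_version must be 2 (port tuples require it)")
    if params.get("S_Tmp_service_type") != "firewall":
        problems.append("S_Tmp_service_type must be firewall")
    if params.get("S_Tmp_service_mode") not in ("in-network", "transparent"):
        problems.append("S_Tmp_service_mode must be in-network (L3) or transparent (vwire)")
    if "simple_action" in params and params["simple_action"] != "pass":
        problems.append("simple_action should be pass; the firewall enforces its own policy")
    _check_port_range(params, "src", problems)
    _check_port_range(params, "dst", problems)
    high, low = _int(params, "threshold_high"), _int(params, "threshold_low")
    if high is not None and low is not None and not low < high:
        problems.append(f"threshold_low ({low}) must be below threshold_high ({high})")
    for key in ("cooldown_initial", "cooldown_scaleup", "cooldown_scaledown"):
        value = _int(params, key)
        if value is not None and value < min_cooldown:   # assumed boot-time floor
            problems.append(f"{key}={value}s is shorter than the assumed boot time ({min_cooldown}s)")
    return problems


if __name__ == "__main__":
    for line in check_env(parse_env(SAMPLE_ENV)) or ["environment file OK"]:
        print(line)
```

Run it against your edited service_scaling_env.yaml (read the file into `parse_env`) before `openstack stack create`; a non-empty list means Heat would either reject the stack or, worse, deploy a scaling policy that never converges.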