End-of-Life (EoL)

Install the VM-Series Firewall in a Basic Gateway Deployment

Complete the following steps to prepare the heat templates, bootstrap files, and software images needed to deploy the VM-Series firewall in OpenStack. After preparing the files, deploy the VM-Series firewall and Linux server.
  1. Download the Heat template and bootstrap files.
    Download the Heat template package from the GitHub repository.
  2. Download the VM-Series base image.
    1. Select
      Software Updates
      and choose
      PAN-OS for VM-Series KVM Base Images
      from the
      Filter By
      drop-down.
    2. Download
      PA-VM-KVM-8.0.0.qcow2
      .
  3. Download Ubuntu 14.04 and upload the image to the OpenStack controller.
    The Heat template needs an Ubuntu image for launching the Linux server.
    1. Download Ubuntu 14.04.
    2. Log in to the Horizon UI.
    3. Select
      Project
      Compute
      Images
      Create Image
      .
    4. Name
      the image Ubuntu 14.04 to match the parameter in the pan_basic_gw_env.yaml file.
    5. Set Image Source to
      Image File
      .
    6. Click
      Choose File
      and navigate to your Ubuntu image file.
    7. Set the Format to match the file format of your Ubuntu image.
    8. Click
      Create Image
      .
  4. Upload the VM-Series for KVM base image to the OpenStack controller.
    1. Log in to the Horizon UI.
    2. Select
      Project
      Compute
      Images
      Create Image
      .
    3. Name
      the image pa-vm-8.0.0.
    4. Set Image Source to
      Image File
      .
    5. Click
      Choose File
      and navigate to your VM-Series image file.
    6. Set the Format to
      QCOW2-QEMU Emulator
      .
    7. Click
      Create Image
      .
  5. Upload the bootstrap files.
    You can upload the init-cfg.txt, bootstrap.xml, and your VM-Series auth codes to your OpenStack controller or a web server that the OpenStack controller can access.
  6. Edit the pan_basic_gw.yaml template to point to the bootstrap files and auth codes. Under Personality, specify the file path or web server address to the location of your files. Uncomment whichever lines you are not using.
    pan_fw_instance: type: OS::Nova::Server properties: image: { get_param: pan_image } flavor: { get_param: pan_flavor } networks: - network: { get_param: mgmt_network } - port: { get_resource: pan_untrust_port } - port: { get_resource: pan_trust_port } user_data_format: RAW config_drive: true personality: /config/init-cfg.txt: {get_file: "/opt/pan_bs/init-cfg.txt"} # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" } /config/bootstrap.xml: {get_file: "/opt/pan_bs/bootstrap.xml"} # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" } /license/authcodes: {get_file: "/opt/pan_bs/authcodes"} # /license/authcodes: {get_file: "http://web_server_name_ip/pan_bs/authcodes"}
  7. Edit the pan_basic_gw_env.yaml template environment file to suit your environment. Make sure that the management and public network values match those that you created in your OpenStack environment. Set the pan_image to match the name you assigned to the VM-Series base image file. You can also change your server key here.
    root@node-2:~#
    cat basic_gateway/pan_basic_gw_env.yaml
    parameters: mgmt_network: mgmt_ext_net public_network: public_net pan_image: pa-vm-8.0.0 pan_flavor: m1.medium server_image: Ubuntu-14.04 server_flavor: m1.small server_key: server_key
  8. Deploy the Heat template.
    1. Execute the command
      source openrc
    2. Execute the command
      heat stack-create
      <stack-name>
      -f
      <template>
      -e ./
      <env-template>
    heat_stack_create_output.png
  9. Verify that your VM-Series firewall is deployed successfully.
    You can use the following commands to check the creation status of the stack.
    • Check the stack status with
      heat stack-list
    • View a detailed list of events that occurred during stack creation with
      heat event-list
    • View details about your stack with
      heat stack-show
  10. Verify that the VM-Series firewall is bidirectionally inspecting traffic accessing the Linux server.
    1. Log in to the firewall.
    2. Select
      Monitor
      Logs
      Traffic
      to view the SSH session.

Recommended For You