Components of the VM-Series for OpenStack Solution

The VM-Series firewall in an OpenStack environment has been tested with the following components.
  • Hypervisor: KVM/Ubuntu 14.04
  • Networking: Contrail 3.0.2
  • OpenStack Distro: Mirantis 8.0 (Liberty)
  • Telemetry: Ceilometer (service scaling only)
  • Orchestration: OpenStack Heat Templates (Version 2015-10-15 or higher)
  • VM-Series for KVM PAN-OS 8.0 or later
VM-Series Hardware Resources
See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
In OpenStack, flavors define the CPU, memory, and storage capacity of a compute instance. When setting up your Heat template, choose the compute flavor that meets or exceeds the hardware requirements for the VM-Series model.
Fuel Master
Fuel is a web UI-driven deployment and management tool for OpenStack.
OpenStack Controller
This node runs most of the shared OpenStack services, such as API and scheduling. Additionally, the Horizon UI runs on this node.
OpenStack Compute
The compute node contains the virtual machines, including the VM-Series firewall, in the OpenStack deployment. The compute node that houses the VM-Series must meet the following criteria:
  • Instance type OS::Nova::Server
  • Allow configuration of at least three interfaces
  • Accept the VM-Series qcow2 image
  • Accept the compute flavor parameter
Install the OpenStack compute node on a bare-metal server because the VM-Series firewall does not support nested virtualization.
Contrail Controller
The Contrail controller node is a software-defined networking controller used for management, control, and analytics for the virtualized network. It provides routing information to the compute and gateway nodes.
Additionally, the Contrail controller provides the necessary support for service chaining and service scaling.
Contrail Gateway
The Contrail gateway node provides IP connectivity to external networks from virtual networks. MPLS over GRE tunnels from the virtual machines terminate at the gateway node, where packets are decapsulated and sent to their destinations on IP networks.
Ceilometer (OpenStack Telemetry)
In the case of the VM-Series firewall for OpenStack, Ceilometer monitors CPU utilization for service scaling. When CPU utilization meets the defined thresholds, a new service instance of the VM-Series firewall is deployed or shut down.
Heat Orchestration Template Files
Palo Alto Networks provides a sample Heat template for deploying the VM-Series firewall. This template is made up of a main template and an environment template. These files instantiate one VM-Series instance with one management interface and two data interfaces.
In a basic gateway deployment, the template instantiates a Linux server with one interface. The interface of the server attaches to the private network created by the template.
In a service chaining or service scaling deployment, the templates instantiate two Linux servers with one server attached to each data interface of the firewall.
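A minimal Heat template that meets the compute-node criteria listed earlier and has the shape described here (one VM-Series instance, one management interface, two data interfaces). This is an added illustration, not the Palo Alto Networks sample template; all parameter and resource names are hypothetical, and the three networks are assumed to exist already.

```yaml
heat_template_version: 2015-10-15
description: "Constructed example - one VM-Series instance, one management and two data interfaces"

parameters:
  vm_series_image:            # hypothetical parameter names throughout
    type: string
    description: Glance image uploaded from the VM-Series qcow2 file
    constraints:
      - custom_constraint: glance.image
  vm_series_flavor:
    type: string
    description: Flavor that meets or exceeds the requirements of the VM-Series model
    constraints:
      - custom_constraint: nova.flavor
  mgmt_network:
    type: string
    description: Existing network for the management interface
  data1_network:
    type: string
    description: Existing network for the first data interface
  data2_network:
    type: string
    description: Existing network for the second data interface

resources:
  mgmt_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: mgmt_network }
  data1_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: data1_network }
  data2_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: data2_network }

  vm_series:
    type: OS::Nova::Server
    properties:
      image: { get_param: vm_series_image }
      flavor: { get_param: vm_series_flavor }
      networks:               # three interfaces; management listed first (assumed ordering)
        - port: { get_resource: mgmt_port }
        - port: { get_resource: data1_port }
        - port: { get_resource: data2_port }
```

The `glance.image` and `nova.flavor` constraints make Heat reject the stack at validation time if the named image or flavor does not exist, so a mistyped parameter fails before any instance is launched.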
VM-Series Firewall Bootstrap Files
The VM-Series firewall bootstrap files consist of an init-cfg.txt file, a bootstrap.xml file, and VM-Series auth codes. Along with the Heat template files, Palo Alto Networks provides sample init-cfg.txt and bootstrap.xml files. You must provide your own auth codes to license your VM-Series firewall and activate any subscriptions. See Bootstrap the VM-Series Firewall for more information about VM-Series bootstrap files.
