Install the VM-Series Firewall with Service Chaining or Scaling

Complete the following steps to prepare the heat templates, bootstrap files, and software images needed to deploy the VM-Series firewall. After preparing the files, deploy the VM-Series firewall service and two Linux servers.
  1. Download the Heat template and bootstrap files.
    Download the Heat template package from the GitHub repository.
  2. Download the VM-Series base image.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Software Updates and choose PAN-OS for VM-Series KVM Base Images from the Filter By drop-down.
    3. Download the VM-Series for KVM qcow2 file.
  3. Download Ubuntu 14.04 and upload the image to the OpenStack controller.
    For service chaining, you can use the default image provided by OpenStack called TestVM. Skip this step when using TestVM. An Ubuntu image is required for service scaling.
    1. Download Ubuntu 14.04.
    2. Log in to the Horizon UI.
    3. Select Project > Compute > Images > Create Image.
    4. Name the image Ubuntu 14.04 to match the parameter in the pan_basic_gw_env.yaml file.
    5. Set Image Source to Image File.
    6. Click Choose File and navigate to your Ubuntu image file.
    7. Set the Format to match the file format of your Ubuntu image.
    8. Click Create Image.
    A server key is required when using an Ubuntu image. Ensure that the server key is added to the environment file.
  4. Upload the VM-Series for KVM base image to the OpenStack controller.
    1. Log in to the Horizon UI.
    2. Select Project > Compute > Images > Create Image.
    3. Name the image to match the image name in your Heat template.
    4. Set Image Source to Image File.
    5. Click Choose File and navigate to your VM-Series image file.
    6. Set the Format to QCOW2 - QEMU Emulator.
    7. Click Create Image.
  5. Upload the bootstrap files. The files must be uploaded to the folder structure described here, because the Heat template uses this folder structure to locate the bootstrap files.
    1. Log in to your OpenStack controller.
    2. Create the following folder structure:
      /root/bootstrap/config/
      /root/bootstrap/license/
    3. Using SCP or FTP, add the init-cfg.txt and bootstrap.xml files to the config folder and add your VM-Series auth codes to the license folder.
  6. Edit the template environment file to suit your environment. Verify that the image names in the environment file match the names you gave the files when you uploaded them.
    parameters:
    # VN config
      management_network: 'mgmt_net'
      left_vn: 'left_net'
      right_vn: 'right_net'
      left_vn_fqdn: 'default-domain:admin:left_net'
      right_vn_fqdn: 'default-domain:admin:right_net'
      route_target: "target:64512:20000"
    # VM config  
      flavor: 'm1.small'
      left_vm_image: 'TestVM'
      right_vm_image: 'TestVM' 
      svm_name: 'PAN_SVM_L3'
      left_vm_name: 'Left_VM_L3'
      right_vm_name: 'Right_VM_L3'
      port_tuple_name: 'port_tuple_L3'
    #ST Config 
      S_Tmp_name: PAN_SVM_template_L3
      S_Tmp_version: 2
      S_Tmp_service_mode: 'in-network'
      S_Tmp_service_type: 'firewall'
      S_Tmp_image_name: 'PA-VM-8.0.0'
      S_Tmp_flavor: 'm1.large'
      S_Tmp_interface_type_mgmt: 'management'
      S_Tmp_interface_type_left: 'left'
      S_Tmp_interface_type_right: 'right'
      domain: 'default-domain'
    # SI Config    
      S_Ins_name: PAN_SVM_Instance_L3
      S_Ins_fq_name: 'default-domain:admin:PAN_SVM_Instance_L3'
    #IPAM Config
      NetIPam_ip_prefix_mgmt: '172.2.0.0'
      NetIPam_ip_prefix_len_mgmt: 24
      NetIPam_ip_prefix_left: '10.10.1.0'
      NetIPam_ip_prefix_len_left: 24
      NetIPam_ip_prefix_right: '10.10.2.0'
      NetIPam_ip_prefix_len_right: 24
      NetIPam_addr_from_start_true: true
    #Policy Config  
      policy_name: 'PAN_SVM_policy-L3'
      policy_fq_name: 'default-domain:admin:PAN_SVM_policy-L3'
      simple_action: 'pass'
      protocol: 'any'
      src_port_end: -1
      src_port_start: -1
      direction: '< >'
      dst_port_end: -1
      dst_port_start: -1
  7. Edit the template files to point to the bootstrap files and auth codes. Under Personality, specify the file path to the location of your files. Uncomment only the lines for the location you are using (local path or HTTP URL) and leave the others commented out.
    Pan_Svm_instance:
        type: OS::Nova::Server
        depends_on: [ mgmt_InstanceIp, left_InstanceIp, right_InstanceIp ]
        properties:
          name: {get_param: svm_name }
          image: { get_param:  S_Tmp_image_name }
          flavor: { get_param: S_Tmp_flavor }
          networks:
            - port: { get_resource: mgmt_VirtualMachineInterface }
            - port: { get_resource: left_VirtualMachineInterface }
            - port: { get_resource: right_VirtualMachineInterface }
          user_data_format: RAW
          config_drive: true
          personality:
            /config/init-cfg.txt: {get_file: "/root/bootstrap/config/init-cfg.txt"}
    #        /config/init-cfg.txt: { get_file: "http://10.4.1.21/op_test/config/init-cfg.txt" }
            /config/bootstrap.xml: {get_file: "/root/bootstrap/config/Service_Chaining_bootstrap_L3.xml"}
    #        /config/bootstrap.xml: { get_file: "http://10.4.1.21/op_test/config/Service_Chaining_bootstrap_L3.xml" }
    #        /license/authcodes: {get_file: "/root/bootstrap/license/authcodes"}
    #        /license/authcodes: {get_file: "http://10.4.1.21/op_test/license/authcodes"}
  8. Upload the Heat template files.
    1. Log in to your OpenStack Controller.
    2. Use SCP or FTP to add the heat template file and environment file.
  9. Deploy the Heat template.
    1. Execute the command source openrc
    2. Execute the command heat stack-create <stack-name> -f <template> -e ./<env-template>
  10. Verify that your VM-Series firewall is deployed successfully.
    You can use the following commands to check the creation status of the stack.
    • Check the stack status with heat stack-list
    • View a detailed list of events that occurred during stack creation with heat event-list
    • View details about your stack with heat stack-show
  11. Verify that the VM-Series firewall is bidirectionally inspecting traffic between the Linux servers.
    1. Log in to the firewall.
    2. Select Monitor > Logs > Traffic to view the SSH session.
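Most failed stack creations in this procedure trace back to steps 5 through 7: a bootstrap file missing from /root/bootstrap, an image name in the environment file that does not match the name given in Glance, or a get_file path that does not exist on the controller. The following pre-flight script, an added example and not part of the Palo Alto Networks documentation, checks those three things before you run heat stack-create in step 9. It assumes (hypothetically) that you pass the environment file, the template file, the bootstrap root and a text file listing the Glance image names one per line (for example the Name column of glance image-list).

```shell
#!/bin/sh
# Pre-flight checks before `heat stack-create`. Added example, not from the Palo Alto
# Networks documentation. Assumed (hypothetical) inputs: env file, template file,
# bootstrap root, and a file with one Glance image name per line.

# Step 5: the folder layout the template expects, with non-empty files in place.
check_bootstrap_files() {
  root="$1"; rc=0
  for f in config/init-cfg.txt config/bootstrap.xml license/authcodes; do
    [ -s "$root/$f" ] || { echo "missing or empty: $root/$f" >&2; rc=1; }
  done
  return $rc
}

# Step 6: image parameters from the env file (single-quoted values, as in the
# sample environment file; bare values without trailing whitespace also work).
env_images() {
  sed -n -E "s/^[[:space:]]*(left_vm_image|right_vm_image|S_Tmp_image_name):[[:space:]]*'?([^']*)'?[[:space:]]*$/\2/p" "$1"
}

# Step 6: every image the env file names must exist in Glance under exactly that name.
check_images() {
  missing=$(env_images "$1" | grep -vxF -f "$2" || true)
  [ -z "$missing" ] || { printf 'image not found in Glance: %s\n' "$missing" >&2; return 1; }
}

# Step 7: every uncommented get_file path in the template must exist on the
# controller; HTTP(S) URLs are left for Heat to fetch at stack creation.
check_get_files() {
  rc=0
  for p in $(grep -v '^[[:space:]]*#' "$1" | sed -n -E 's/.*get_file:[[:space:]]*"([^"]*)".*/\1/p'); do
    case "$p" in http://*|https://*) continue ;; esac
    [ -s "$p" ] || { echo "get_file target missing: $p" >&2; rc=1; }
  done
  return $rc
}

# Usage: preflight <env-file> <template> <bootstrap-root> <glance-image-names-file>
preflight() {
  check_bootstrap_files "$3" && check_images "$1" "$4" && check_get_files "$2"
}
```

A non-zero exit from preflight names the offending file or image on stderr; fix it before sourcing openrc and creating the stack.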