Install the VM-Series Firewall in a Basic Gateway Deployment
Complete the following steps to prepare the Heat templates, bootstrap files, and software images needed to deploy the VM-Series firewall in OpenStack. After preparing the files, deploy the VM-Series firewall and Linux server.
- Download the Heat template and bootstrap files.
  Download the Heat template package from the GitHub repository.
- Download the VM-Series base image.
  - Log in to the Palo Alto Networks Customer Support Portal.
  - Select Software Updates and choose PAN-OS for VM-Series KVM Base Images from the Filter By drop-down.
  - Download the VM-Series for KVM qcow2 file.
- Download Ubuntu 14.04 and upload the image to the OpenStack controller.
  The Heat template needs an Ubuntu image for launching the Linux server.
  - Download Ubuntu 14.04.
  - Log in to the Horizon UI.
  - Select Project > Compute > Images > Create Image.
  - Name the image Ubuntu 14.04 to match the parameter in the pan_basic_gw_env.yaml file.
  - Set Image Source to Image File.
  - Click Choose File and navigate to your Ubuntu image file.
  - Set the Format to match the file format of your Ubuntu image.
  - Click Create Image.
- Upload the VM-Series for KVM base image to the OpenStack controller.
  - Log in to the Horizon UI.
  - Select Project > Compute > Images > Create Image.
  - Name the image to match the image name in your Heat template.
  - Set Image Source to Image File.
  - Click Choose File and navigate to your VM-Series image file.
  - Set the Format to QCOW2-QEMU Emulator.
  - Click Create Image.
- Upload the bootstrap files. You have two options for passing bootstrap files to OpenStack: file injection (personality files) or user data. To pass the bootstrap files using user data, you must place the files in a tar ball (.tgz file) and encode that tar ball with base64.
  File injection is no longer supported beginning with OpenStack Queens; you must use user data instead.
  - For file injection, upload the init-cfg.txt, bootstrap.xml, and your VM-Series auth codes to your OpenStack controller or a web server that the OpenStack controller can access.
  - If using the --user-data method to pass the bootstrap package to the config-drive, you can use the following commands to create the tar ball and encode the tar ball (.tgz file) with base64:

    ```
    tar -cvzf <file-name>.tgz config/ license software content
    base64 -i <in-file> -o <outfile>
    ```
- Edit the pan_basic_gw.yaml template to point to the bootstrap files and auth codes.
  - If you are using personality files, specify the file path or web server address to the location of your files under personality. Uncomment whichever lines you are not using.

    ```yaml
    pan_fw_instance:
      type: OS::Nova::Server
      properties:
        image: { get_param: pan_image }
        flavor: { get_param: pan_flavor }
        networks:
          - network: { get_param: mgmt_network }
          - port: { get_resource: pan_untrust_port }
          - port: { get_resource: pan_trust_port }
        user_data_format: RAW
        config_drive: true
        personality:
          /config/init-cfg.txt: {get_file: "/opt/pan_bs/init-cfg.txt"}
          # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" }
          /config/bootstrap.xml: {get_file: "/opt/pan_bs/bootstrap.xml"}
          # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" }
          /license/authcodes: {get_file: "/opt/pan_bs/authcodes"}
          # /license/authcodes: {get_file: "http://web_server_name_ip/pan_bs/authcodes"}
    ```
  - If you are using user-data, specify the file path or web server address to the location of your files under user_data. If you have more than one

    ```yaml
    pan_fw_instance:
      type: OS::Nova::Server
      properties:
        image: { get_param: pan_image }
        flavor: { get_param: pan_flavor }
        networks:
          - port: { get_resource: mgmt_port }
          - port: { get_resource: pan_untrust_port }
          - port: { get_resource: pan_trust_port }
        user_data_format: RAW
        config_drive: true
        user_data:
          # get_file: http://10.0.2.100/pub/repository/panos/images/openstack/userdata/boot.tgz
          get_file: /home/stack/newhot/bootfiles.tgz
    ```
- Edit the pan_basic_gw_env.yaml template environment file to suit your environment. Make sure that the management and public network values match those that you created in your OpenStack environment. Set the pan_image to match the name you assigned to the VM-Series base image file. You can also change your server key here.

  ```
  root@node-2:~# cat basic_gateway/pan_basic_gw_env.yaml
  parameters:
    mgmt_network: mgmt_ext_net
    public_network: public_net
    pan_image: pa-vm-image
    pan_flavor: m1.medium
    server_image: Ubuntu-14.04
    server_flavor: m1.small
    server_key: server_key
  ```
- Deploy the Heat template.
  - Execute the command `source openrc`
  - Execute the command `heat stack-create <stack-name> -f <template> -e ./<env-template>`
- Verify that your VM-Series firewall is deployed successfully.
  You can use the following commands to check the creation status of the stack.
  - Check the stack status with `heat stack-list`
  - View a detailed list of events that occurred during stack creation with `heat event-list`
  - View details about your stack with `heat stack-show`
- Verify that the VM-Series firewall is bidirectionally inspecting traffic accessing the Linux server.
  - Log in to the firewall.
  - Select Monitor > Logs > Traffic to view the SSH session.
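
The tar and base64 step for the user-data method, written as a script that checks the package layout before archiving and confirms the encoded file decodes back to the same archive. This is an added example, not part of the original procedure; the function names, the `bootfiles` output name, and the sample file contents are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names and bootfiles.* are assumptions.
set -eu

# Build <out>.tgz from the four bootstrap directories named in the tar command above,
# then write the base64-encoded copy to <out>.tgz.b64 for use as user_data.
build_bootstrap_package() (
    src=$1; out=$2
    umask 077   # the package carries auth codes and firewall config; keep it owner-only
    for d in config license software content; do
        [ -d "$src/$d" ] || { echo "missing directory: $src/$d" >&2; exit 1; }
    done
    [ -s "$src/config/init-cfg.txt" ] || { echo "missing config/init-cfg.txt" >&2; exit 1; }
    tar -czf "$out.tgz" -C "$src" config license software content
    # Redirection form works with both GNU and BSD base64 (no -i/-o needed).
    base64 < "$out.tgz" > "$out.tgz.b64"
)

# Decode the encoded file and compare it byte-for-byte with the archive.
verify_bootstrap_package() {
    base64 --decode < "$1.tgz.b64" | cmp -s - "$1.tgz"
}

# Constructed sample tree with placeholder contents (no real config or auth codes).
work=$(mktemp -d)
mkdir -p "$work/pkg/config" "$work/pkg/license" "$work/pkg/software" "$work/pkg/content"
printf '# constructed placeholder\n' > "$work/pkg/config/init-cfg.txt"
printf 'PLACEHOLDER-AUTHCODE\n' > "$work/pkg/license/authcodes"
build_bootstrap_package "$work/pkg" "$work/bootfiles"
verify_bootstrap_package "$work/bootfiles" && echo "verified: $work/bootfiles.tgz.b64"
rm -rf "$work"
```

Base64 is an encoding, not encryption, so the encoded package exposes the auth codes and configuration to anyone who can read it and should be stored with the same access restrictions as the original files.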