
Network Load Balancer Sandwich Topology - Reference Architecture

We are using a hub-and-spoke architecture (often called a star topology) with a flexible network load balancer and Palo Alto Networks VM Series firewalls. This architecture has a central component (the hub) connected to multiple networks around it, like the spokes of a wheel. We are using the Palo Alto Networks VM Series firewall BYOL listing from the OCI Marketplace.

For details of the architecture, see Set up a hub-and-spoke network topology.

Architecture Diagram

Validated Version Details

We have validated v10.0.3 PAN VM Series Firewall for this architecture.

Prerequisites

Complete the following prerequisites before proceeding to the next section:

  • You have an active Oracle Cloud Infrastructure account.
    • Tenancy OCID, user OCID, compartment OCID, and private and public keys are set up properly.
  • Permission to manage the following types of resources in your Oracle Cloud Infrastructure tenancy: vcns, internet-gateways, route-tables, security-lists, local-peering-gateways, subnets, network-load-balancers and instances.
  • Quota to create the following resources: 3 VCNs, 6 subnets, and 6 compute instances.

If you don't have the required permissions and quota, contact your tenancy administrator. See Policy Reference, Service Limits, Compartment Quotas.

Deployment Options

You can deploy this architecture using either of the two approaches explained in the following sections:

  1. Using Oracle Resource Manager
  2. Using Terraform CLI

Deploy Using Oracle Resource Manager

In this section you will follow the steps below to create this architecture:

  1. Click Deploy to Oracle Cloud

    If you aren't already signed in, when prompted, enter the tenancy and user credentials.

  2. Review and accept the terms and conditions.

  3. Select the region where you want to deploy the stack.

  4. Follow the on-screen prompts and instructions to create the stack.

  5. After creating the stack, click Terraform Actions and select Plan on the stack page in the OCI console.

  6. Wait for the job to be completed, and review the plan.

    To make any changes, return to the Stack Details page, click Edit Stack, and make the required changes. Then, run the Plan action again.

  7. If no further changes are necessary, return to the Stack Details page, click Terraform Actions, and select Apply.

  8. At this stage your architecture should have been deployed successfully. You can proceed to the next section to configure your Palo Alto Networks VM Series firewalls.

  9. If you no longer require your infrastructure, return to the Stack Details page and Terraform Actions, and select Destroy.

Deploy Using the Terraform CLI

In this section you will use Terraform locally to create this architecture:

  1. Create a local copy of this repo using the following commands in your terminal:

    git clone https://github.com/oracle-quickstart/oci-paloaltonetworks.git
    cd oci-paloaltonetworks/nlb-use-case/
    ls
    
  2. Complete the prerequisites for installing Terraform locally, described at https://github.com/oracle-quickstart/oci-prerequisites#install-terraform. Make sure you have the Terraform v0.13+ CLI installed and accessible from your terminal:

    terraform -v
    
    Terraform v0.13.0
    + provider.oci v4.14.0
  3. Create a terraform.tfvars file in your paloaltonetworks-ha directory, and specify the following variables:

    # Authentication
    tenancy_ocid         = "<tenancy_ocid>"
    user_ocid            = "<user_ocid>"
    fingerprint          = "<finger_print>"
    private_key_path     = "<pem_private_key_pem_file_path>"
    
    # SSH Keys
    ssh_public_key  = "<public_ssh_key_string_value>"
    
    # Region
    region = "<oci_region>"
    
    # Compartment
    compute_compartment_ocid = "<compartment_ocid>"
    network_compartment_ocid = "<network_compartment_ocid>"
    availability_domain_number = "<availability_domain_number>"
    
    
  4. Create the Resources using the following commands:

    terraform init
    terraform plan
    terraform apply
  5. At this stage your architecture should have been deployed successfully. You can proceed to the next section to configure your Palo Alto Networks VM Series firewalls.

  6. If you no longer require your infrastructure, you can run this command to destroy the resources:

    terraform destroy
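Before running terraform init it is worth checking that every variable from step 3 was actually filled in, since a placeholder such as "<tenancy_ocid>" left behind only fails later, at plan time. The POSIX shell script below is an added example, not part of the oracle-quickstart repo; it assumes only the variable names listed in step 3, and the values in its demo file are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the oracle-quickstart/oci-paloaltonetworks repo:
# pre-flight check of terraform.tfvars before "terraform init/plan/apply".
# It assumes the variable names listed in step 3 of this README.

REQUIRED_VARS="tenancy_ocid user_ocid fingerprint private_key_path ssh_public_key \
region compute_compartment_ocid network_compartment_ocid availability_domain_number"

# Print the value assigned to variable $2 in tfvars file $1, with surrounding
# quotes stripped (a missing closing quote is tolerated); prints nothing if absent.
tfvar_value() {
  sed -n -e "/^[[:space:]]*$2[[:space:]]*=/!d" \
         -e 's/^[^=]*=[[:space:]]*//' \
         -e 's/[[:space:]]*$//' \
         -e 's/^"\(.*\)"$/\1/' \
         -e 's/^"//' \
         -e p "$1" | head -n 1
}

# Report missing variables, "<placeholder>" values left unreplaced, and a
# private_key_path that does not point at a file. Returns 0 only if all is well.
check_tfvars() {
  file=$1
  rc=0
  [ -r "$file" ] || { echo "cannot read $file"; return 1; }
  for v in $REQUIRED_VARS; do
    val=$(tfvar_value "$file" "$v")
    if [ -z "$val" ]; then
      echo "missing: $v"; rc=1
    else
      case $val in
        "<"*">") echo "placeholder not replaced: $v = $val"; rc=1 ;;
      esac
    fi
  done
  key=$(tfvar_value "$file" private_key_path)
  case $key in
    ""|"<"*">") ;;   # already reported above
    *) [ -f "$key" ] || { echo "private key file not found: $key"; rc=1; } ;;
  esac
  return $rc
}

# Demo on a constructed tfvars file (all values are samples) in which one
# placeholder was left behind and the key path does not exist.
demo=$(mktemp)
cat > "$demo" <<'EOF'
tenancy_ocid     = "ocid1.tenancy.oc1..exampleuniqueID"
user_ocid        = "ocid1.user.oc1..exampleuniqueID"
fingerprint      = "20:3b:97:13:55:1c:5b:0d:d3:37:d8:50:4e:c5:3a:34"
private_key_path = "/path/that/does/not/exist/oci_api_key.pem"
ssh_public_key   = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ constructed-sample"
region           = "us-ashburn-1"
compute_compartment_ocid = "ocid1.compartment.oc1..exampleuniqueID"
network_compartment_ocid = "<network_compartment_ocid>"
availability_domain_number = "1
EOF
check_tfvars "$demo" || echo "fix the problems above before running terraform init"
rm -f "$demo"
```

Run it as `check_tfvars terraform.tfvars && terraform init` from the directory that holds the tfvars file; the demo at the bottom shows the two kinds of findings it produces.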

Palo Alto Networks Firewall Configuration

This section covers the configuration you need to apply on the firewalls to support the active/active use case.

Once you have deployed the infrastructure using either Oracle Resource Manager or the Terraform CLI, you have to upload the configuration to the Palo Alto Networks VM Series firewalls.

This section will be automated once Palo Alto Networks personnel add a bootstrap configuration using either user-data or a bucket. For the time being, follow the Config directory for the routes, policies and interface configuration. Make sure that you update the values listed below in the XML file before you load the configuration on the firewall.

Before you proceed to the next section, set an admin password through the CLI (these instructions are printed after a successful run of this code) using the following commands:

1.  Open an SSH client.
2.  Use the following information to connect to the instance:
    - username: admin
    - IP_Address: ${oci_core_instance.ha-vms.0.public_ip}
    - SSH key
    For example:
    $ ssh -i id_rsa admin@${oci_core_instance.ha-vms.0.public_ip}
3.  Set the user password for the administrator.
    - Enter the command to go to config mode: configure
    - Change the password using the command: set mgt-config users admin password
4.  Save the configuration. Enter the command: commit

After saving the password, run the first-time wizard in the VM Series UI:

1.  In a web browser:
    - Connect to the VM Series UI of Firewall-1: https://${oci_core_instance.ha-vms.0.public_ip}
    - Connect to the VM Series UI of Firewall-2: https://${oci_core_instance.ha-vms.1.public_ip}

The table below lists the values in the XML configuration file that you must update to match your instances; each value may appear once or several times in the file:

| Comment | Current Value in XML File | Expected Value |
| --- | --- | --- |
| Firewall Name | FWA | Make sure you update as per Firewall1 or Firewall2 |
| Firewall Mgmt Interface Private IP | 192.168.0.181 | Make sure you update as per Firewall1 or Firewall2 |
| Firewall Trust Interface Private IP | 192.168.2.233 | Make sure you update as per Firewall1 or Firewall2 |
| Firewall Untrust Interface Private IP | 192.168.1.10 | Make sure you update as per Firewall1 or Firewall2 |
| Web Spoke VM 1 | 10.0.0.11 | Make sure you update as per your Web Spoke VM IPs |
| DB Spoke VM 1 | 10.0.1.48 | Make sure you update as per your DB Spoke VM IPs |
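Because each value can occur several times in the XML, editing by hand is error-prone: a missed occurrence leaves a firewall with the wrong trust IP or a spoke VM that no policy matches. The POSIX shell script below is an added example, not part of the oracle-quickstart repo or of Palo Alto Networks' tooling. It takes the sample values from the table above as the "current" values, replaces them in a copy of the reference XML only where they occur as a whole token (so 192.168.1.10 does not rewrite a 192.168.1.100 elsewhere in the file), reports how many lines each replacement touched, and then checks that no sample value is left. The XML fragment in its demo is constructed and stands in for the repo's FirewallA.xml.

```shell
#!/bin/sh
# Added example, not part of the oracle-quickstart repo or of Palo Alto Networks'
# tooling: rewrite the sample values from the table in a copy of the reference
# XML and verify that none of them is left behind.

# Escape a literal string for use in a sed/grep basic regular expression.
re_escape() {
  printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g'
}

# Replace every whole-token occurrence of $2 by $3 in file $1 (a token ends at
# a non-alphanumeric character or at end of line) and print how many lines held it.
replace_value() {
  file=$1; old=$2; new=$3
  old_re=$(re_escape "$old")
  new_re=$(printf '%s' "$new" | sed 's|[\/&]|\\&|g')
  before=$(grep -c -e "$old_re[^0-9A-Za-z]" -e "$old_re\$" -- "$file" || true)
  sed -i.bak -e "s/$old_re\([^0-9A-Za-z]\)/$new_re\1/g" \
             -e "s/$old_re\$/$new_re/" "$file" && rm -f "$file.bak"
  echo "$old -> $new: $before line(s)"
}

# Produce $2 from the reference XML $1 for one firewall. Arguments 3..8:
# firewall name, mgmt IP, trust IP, untrust IP, web spoke VM IP, DB spoke VM IP.
customize_firewall_xml() {
  src=$1; out=$2
  cp "$src" "$out"
  replace_value "$out" FWA           "$3"
  replace_value "$out" 192.168.0.181 "$4"
  replace_value "$out" 192.168.2.233 "$5"
  replace_value "$out" 192.168.1.10  "$6"
  replace_value "$out" 10.0.0.11     "$7"
  replace_value "$out" 10.0.1.48     "$8"
}

# List sample values from the table that are still present in $1 as whole
# tokens; returns 1 if any remain. Run it before importing the file (a sample
# value you kept on purpose will be listed too, which is intended).
sample_values_left() {
  rc=0
  for old in FWA 192.168.0.181 192.168.2.233 192.168.1.10 10.0.0.11 10.0.1.48; do
    old_re=$(re_escape "$old")
    if grep -q -e "$old_re[^0-9A-Za-z]" -e "$old_re\$" -- "$1"; then
      echo "sample value still present: $old"; rc=1
    fi
  done
  return $rc
}

# Demo on a constructed fragment that stands in for the repo's FirewallA.xml.
# The 192.168.1.100 entry must survive untouched; the new IPs are made up.
sample=$(mktemp -d)
cat > "$sample/FirewallA.xml" <<'EOF'
<config>
  <hostname>FWA</hostname>
  <mgmt>192.168.0.181/24</mgmt>
  <entry name="ethernet1/1"><ip-netmask>192.168.2.233/24</ip-netmask></entry>
  <entry name="ethernet1/2"><ip-netmask>192.168.1.10/24</ip-netmask></entry>
  <entry name="other-host"><ip-netmask>192.168.1.100/24</ip-netmask></entry>
  <entry name="web-vm-1"><ip-netmask>10.0.0.11/32</ip-netmask></entry>
  <entry name="db-vm-1"><ip-netmask>10.0.1.48/32</ip-netmask></entry>
</config>
EOF
customize_firewall_xml "$sample/FirewallA.xml" "$sample/firewall2.xml" \
  FWB 192.168.0.182 192.168.2.234 192.168.1.11 10.0.0.12 10.0.1.49
sample_values_left "$sample/firewall2.xml" && echo "ready to import: $sample/firewall2.xml"
```

Run it once per firewall with that firewall's name and the private IPs shown on its VNICs in the OCI console; the count printed for each replacement tells you whether the value occurred where you expected, and a zero means the XML you started from differs from the table.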

Firewall-1 Configuration

We have added the required configuration for Palo Alto Networks Firewall 1 (the first instance of the HA cluster) in Firewall A Configuration. You can use this as a reference and upload it to your firewall. The configuration should be the same, but you can compare it with your own firewall instances.

  1. Connect to the firewall UI.
  2. Go to the Device > Operation tab.
  3. Select Import Configuration and choose the FirewallA.xml file described here.
  4. Now select Load Configuration and choose the file you just imported from the dropdown.
  5. Verify the configuration: interfaces, security policies, NAT policies, default routes, address objects.
  6. Commit your changes.

Once you commit the change, the admin password you set earlier no longer works; log in to the UI with admin/Pal0Alt0@123, which is the password stored in the reference XML. Since that value is published with the XML, change it to your own password right after the import.

At some point you will need to enable jumbo frames; you can do this using the following steps:

  1. Connect to Firewall UI
  2. Select Device > Session > Setting > Setting button
  3. Check the jumbo frame option.

We use an HTTPS health probe on each interface so that the NLBs can verify that the firewalls behind them are healthy. This is included in the XML configuration.

Firewall-2 Configuration

We have added the required configuration for Palo Alto Networks Firewall 2 (the second instance of the HA cluster) in Firewall B Configuration. You can use this as a reference and upload it to your firewall. The configuration should be the same, but you can compare it with your own firewall instances.

  1. Connect to the firewall UI.
  2. Go to the Device > Operation tab.
  3. Select Import Configuration and choose the FirewallA.xml file described here.
  4. Now select Load Configuration and choose the file you just imported from the dropdown.
  5. Verify the configuration: interfaces, security policies, NAT policies, default routes, address objects.
  6. Commit your changes.

Once you commit the change, the admin password you set earlier no longer works; log in to the UI with admin/Pal0Alt0@123, which is the password stored in the reference XML. Since that value is published with the XML, change it to your own password right after the import.

At some point you will need to enable jumbo frames; you can do this using the following steps:

  1. Connect to Firewall UI
  2. Select Device > Session > Setting > Setting button
  3. Check the jumbo frame option.

We use an HTTPS health probe on each interface so that the NLBs can verify that the firewalls behind them are healthy. This is included in the XML configuration.

Some Useful Configuration Pics on Palo Alto Networks Firewall

I am attaching some sample configuration screenshots from Firewall-B for your reference below:

  1. Interfaces Configuration
    • Ethernet1/1: trust interface
    • Ethernet1/2: untrust interface

  2. Security Policies
    • Untrust to trust and vice versa
    • Intra-zone policies

  3. Default Routes Configuration
    • Default route via the untrust interface gateway (eth1/2)
    • Static routes for the spoke VCNs and Oracle storage networks via the trust interface gateway (eth1/1)

  4. NAT Policies
    • We have two NAT policies:
      • First: traffic between spoke VCNs is translated to the trust interface of the firewall
      • Second: traffic from the spoke VCNs towards the internet is translated to the untrust interface of the firewall

  5. Jumbo Frame Configuration
    • End users need to enable this manually and restart each firewall VM afterwards.
    • The image below shows where you need to go to enable jumbo frames.

Feedback

Feedback on this repo is welcome; please open a PR if you have any.