Install the VM-Series Firewall in a Basic Gateway Deployment

Complete the following steps to prepare the heat templates, bootstrap files, and software images needed to deploy the VM-Series firewall in OpenStack. After preparing the files, deploy the VM-Series firewall and Linux server.
  1. Download the Heat template and bootstrap files.
    Download the Heat template package from the GitHub repository.
  2. Download the VM-Series base image.
    1. Log in to the Palo Alto Networks Customer Support Portal.
    2. Select Software Updates and choose PAN-OS for VM-Series KVM Base Images from the Filter By drop-down.
    3. Download the VM-Series for KVM qcow2 file.
  3. Download Ubuntu 14.04 and upload the image to the OpenStack controller.
    The Heat template needs an Ubuntu image for launching the Linux server.
    1. Download Ubuntu 14.04.
    2. Log in to the Horizon UI.
    3. Select Project > Compute > Images > Create Image.
    4. Name the image Ubuntu 14.04 to match the parameter in the pan_basic_gw_env.yaml file.
    5. Set Image Source to Image File.
    6. Click Choose File and navigate to your Ubuntu image file.
    7. Set the Format to match the file format of your Ubuntu image.
    8. Click Create Image.
  4. Upload the VM-Series for KVM base image to the OpenStack controller.
    1. Log in to the Horizon UI.
    2. Select Project > Compute > Images > Create Image.
    3. Name the image to match the image name in your Heat template.
    4. Set Image Source to Image File.
    5. Click Choose File and navigate to your VM-Series image file.
    6. Set the Format to QCOW2-QEMU Emulator.
    7. Click Create Image.
  5. Upload the bootstrap files. You have two options for passing bootstrapping files to OpenStack—file injection (personality files) or user data. To pass the bootstrap files using user-data, you must place the files in a tar ball (.tgz file) and encode that tar ball with base64.
    File injection is no longer supported beginning with OpenStack Queens; you must use user data instead.
    • For file injection, upload the init-cfg.txt, bootstrap.xml, and your VM-Series auth codes to your OpenStack controller or a web server that the OpenStack controller can access.
    • If using the --user-data method to pass the bootstrap package to the config-drive, you can use the following commands to create the tar ball and encode the tar ball (.tgz file) with base64:
      tar -cvzf <file-name>.tgz config/ license software content
      base64 -i <in-file> -o <outfile>
  6. Edit the pan_basic_gw.yaml template to point to the bootstrap files and auth codes.
    • If you are using personality files, specify the file path or web server address to the location of your files under personality. Leave uncommented only the lines for the location you are using (the example below keeps the local paths active and the web server alternatives commented out).
        pan_fw_instance:
          type: OS::Nova::Server
          properties:
            image: { get_param: pan_image }
            flavor: { get_param: pan_flavor }
            networks:
              - network: { get_param: mgmt_network }
              - port: { get_resource: pan_untrust_port }
              - port: { get_resource: pan_trust_port }
            user_data_format: RAW
            config_drive: true
            personality:
              /config/init-cfg.txt: { get_file: "/opt/pan_bs/init-cfg.txt" }
              # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" }
              /config/bootstrap.xml: { get_file: "/opt/pan_bs/bootstrap.xml" }
              # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" }
              /license/authcodes: { get_file: "/opt/pan_bs/authcodes" }
              # /license/authcodes: { get_file: "http://web_server_name_ip/pan_bs/authcodes" }
    • If you are using user-data, specify the file path or web server address to the location of your files under user_data. If you have more than one
        pan_fw_instance:
          type: OS::Nova::Server
          properties:
            image: { get_param: pan_image }
            flavor: { get_param: pan_flavor }
            networks:
              - port: { get_resource: mgmt_port }
              - port: { get_resource: pan_untrust_port }
              - port: { get_resource: pan_trust_port }
            user_data_format: RAW
            config_drive: true
            user_data:
              # get_file: http://10.0.2.100/pub/repository/panos/images/openstack/userdata/boot.tgz
              get_file: /home/stack/newhot/bootfiles.tgz
  7. Edit the pan_basic_gw_env.yaml template environment file to suit your environment. Make sure that the management and public network values match those that you created in your OpenStack environment. Set the pan_image to match the name you assigned to the VM-Series base image file. You can also change your server key here.
    root@node-2:~# cat basic_gateway/pan_basic_gw_env.yaml
    parameters:
      mgmt_network: mgmt_ext_net
      public_network: public_net
      pan_image: pa-vm-image
      pan_flavor: m1.medium
      server_image: Ubuntu-14.04
      server_flavor: m1.small
      server_key: server_key
  8. Deploy the Heat template.
    1. Execute the command source openrc
    2. Execute the command heat stack-create <stack-name> -f <template> -e ./<env-template>
  9. Verify that your VM-Series firewall is deployed successfully.
    You can use the following commands to check the creation status of the stack.
    • Check the stack status with heat stack-list
    • View a detailed list of events that occurred during stack creation with heat event-list
    • View details about your stack with heat stack-show
  10. Verify that the VM-Series firewall is bidirectionally inspecting traffic accessing the Linux server.
    1. Log in to the firewall.
    2. Select Monitor > Logs > Traffic to view the SSH session.
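The bootstrap package build from step 5, as an added shell example that is not part of the Palo Alto Networks documentation. It assumes the standard bootstrap layout (config/, license/, software/, content/) with init-cfg.txt under config/, and an assumed Nova user_data size limit of 65535 bytes; it feeds base64 from stdin because the -i/-o flags shown in step 5 are the BSD/macOS form and GNU coreutils base64 does not accept -o.

```shell
#!/bin/sh
# Added example, not part of the Palo Alto Networks documentation: build the
# bootstrap package for the --user-data method (step 5) and base64-encode it.
# Assumes the standard bootstrap layout config/ license/ software/ content/
# with init-cfg.txt under config/. Reads base64 from stdin so it works with
# both GNU coreutils and BSD/macOS base64.
set -eu

# Assumed Nova user_data size limit (bytes); verify against your release.
MAX_USERDATA_BYTES=65535

# build_bootstrap <bootstrap-root-dir> <out-base-name>
# Writes <out-base-name>.tgz and <out-base-name>.b64, prints the .b64 path.
build_bootstrap() {
    root="$1"
    out="$2"

    # The firewall reads its initial settings from config/init-cfg.txt;
    # refuse to build a package that would boot the firewall unconfigured.
    [ -f "$root/config/init-cfg.txt" ] || {
        echo "missing $root/config/init-cfg.txt" >&2
        return 1
    }
    # The package expects all four top-level directories, even when empty.
    for d in config license software content; do
        mkdir -p "$root/$d"
    done

    # Archive from inside the root so the four directories are the top level,
    # matching the documented tar command.
    tar -czf "$out.tgz" -C "$root" config license software content

    # Strip the line wrapping GNU base64 adds so the output is a single line.
    base64 < "$out.tgz" | tr -d '\n' > "$out.b64"

    size=$(wc -c < "$out.b64" | tr -d ' ')
    if [ "$size" -gt "$MAX_USERDATA_BYTES" ]; then
        echo "encoded package is $size bytes, over $MAX_USERDATA_BYTES" >&2
        return 1
    fi
    echo "$out.b64"
}
```

Point the get_file line under user_data in pan_basic_gw.yaml at the .b64 file the function prints.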