Heat Template for a Basic Gateway Deployment

The Heat template package includes the following four files to help you launch the VM-Series firewall on KVM in OpenStack. All four files are required to deploy the VM-Series firewall and the Linux server.
  • pan_basic_gw.yaml—Defines the resources created to support the VM-Series firewall and Linux server on the compute node, such as interfaces and IP addresses.
  • pan_basic_gw_env.yaml—Defines the environment in which the VM-Series firewall and Linux server exist. Many parameters in the pan_basic_gw.yaml file reference the parameters defined in this file, such as the flavor for the VM-Series firewall and the Linux server.
  • init-cfg.txt—Includes the operational command to enable DHCP on the firewall management interface.
  • bootstrap.xml—Provides the basic configuration for the VM-Series firewall. The bootstrap.xml file configures the data interfaces and IP addresses. These values must match the corresponding values in the pan_basic_gw.yaml file.
    Additionally, the bootstrap.xml file includes a NAT rule called untrust2trust. This rule translates the untrust port of the VM-Series firewall to the trust port of the server.
You have two options for passing bootstrapping files to OpenStack—file injection (personality files) or user data.
File injection is no longer supported beginning with OpenStack Queens; you must use user data instead.
The following list describes the resources that the pan_basic_gw.yaml template file creates, with the default value where one applies.
  • pan_fw_instance: VM-Series firewall with a management interface and two data interfaces.
  • server_instance: A Linux server with a single interface.
  • pan_trust_net: The internal network to which the trust interface of the firewall and the trust interface of the server are attached.
  • pan_trust_subnet: Subnet attached to the trust interface of the firewall (pan_trust_net), with a CIDR value of 192.168.100.0/24.
  • pan_untrust_net: Untrust network to which the untrust port of the firewall is attached.
  • pan_untrust_subnet: Subnet attached to the untrust interface of the firewall (pan_untrust_net), with a CIDR value of 192.168.200.0/24.
  • allow_ssh_https_icmp_secgroup: Security group that allows TCP on ports 22 and 443 and ICMP traffic.
  • pan_untrust_port: The untrust port of the VM-Series firewall, deployed in Layer 3 mode. The Heat template assigns this port a default IP address of 192.168.200.10. If you change this IP address in the heat template, you must also change the IP address in the bootstrap.xml file.
  • pan_untrust_floating_ip: A floating IP address assigned from the public_network.
  • pan_untrust_floating_ip_assoc: Associates the pan_untrust_floating_ip with the pan_untrust_port.
  • pan_trust_port: The trust port of the VM-Series firewall, deployed in Layer 3 mode.
  • server_trust_port: The trust port of the Linux server, deployed in Layer 3 mode. The Heat template assigns this port a default IP address of 192.168.100.10. If you change this IP address in the heat template, you must also change the IP address in the bootstrap.xml file.
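The two ports above that carry a fixed IP must stay in step with bootstrap.xml, and a mismatch only shows up after the stack is launched. The following is an added example, not part of the Palo Alto Networks template package: it cross-checks the fixed IPs in a pan_basic_gw.yaml excerpt against the untrust interface address and the untrust2trust translated address in a bootstrap.xml excerpt. Both excerpts are constructed, the PAN-OS element layout used for bootstrap.xml is an assumption, and the YAML is scanned line by line so that no PyYAML is required.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpt in the shape of pan_basic_gw.yaml (not the real template).
HEAT_TEMPLATE = """\
resources:
  pan_untrust_port:
    properties:
      fixed_ips:
        - ip_address: 192.168.200.10
  server_trust_port:
    properties:
      fixed_ips:
        - ip_address: 192.168.100.10
"""

# Constructed excerpt; the PAN-OS element layout is an assumption about bootstrap.xml.
BOOTSTRAP_XML = """\
<config><devices><entry name="localhost.localdomain">
<network><interface><ethernet><entry name="ethernet1/1"><layer3><ip>
  <entry name="192.168.200.10/24"/></ip></layer3></entry></ethernet></interface></network>
<vsys><entry name="vsys1"><rulebase><nat><rules><entry name="untrust2trust">
  <destination-translation><translated-address>192.168.100.10</translated-address>
  </destination-translation></entry></rules></nat></rulebase></entry></vsys>
</entry></devices></config>
"""

def heat_fixed_ips(text):
    """Map each resource name to the ip_address under its fixed_ips (line scan, no PyYAML)."""
    ips, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^  (\w+):\s*$", line)  # two-space indent: a resource name
        if m:
            current = m.group(1)
        m = re.search(r"ip_address:\s*([\d.]+)", line)
        if m and current:
            ips[current] = m.group(1)
    return ips

def bootstrap_ips(xml_text):
    """Untrust interface IP and untrust2trust translated address from bootstrap.xml."""
    root = ET.fromstring(xml_text)
    iface = root.find(".//ethernet/entry[@name='ethernet1/1']/layer3/ip/entry").get("name")
    nat = root.find(".//rules/entry[@name='untrust2trust']/destination-translation/translated-address")
    return {"pan_untrust_port": iface.split("/")[0], "server_trust_port": nat.text.strip()}

def check_consistency(heat_text, xml_text):
    """Return {resource: (heat_ip, bootstrap_ip)} for every resource whose two IPs disagree."""
    heat, boot = heat_fixed_ips(heat_text), bootstrap_ips(xml_text)
    return {name: (heat.get(name), ip) for name, ip in boot.items() if heat.get(name) != ip}
```

An empty result means the template and bootstrap file agree; run it against the real files before `openstack stack create`, adjusting the XML paths if your bootstrap.xml differs from the assumed layout.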
The pan_basic_gw.yaml file references pan_basic_gw_env.yaml for many of the values needed to create the resources that deploy the VM-Series firewall and Linux server. The heat template environment file contains the following parameters.
  • mgmt_network: The VM-Series firewall management interface attaches to the network specified in this parameter. The template does not create the management network; you must create it before deploying the heat templates. The default value is mgmt_ext_net.
  • public_network: Addresses that the OpenStack cluster and the virtual machines in the cluster use to communicate with the external or public network. The public network provides virtual IP addresses for public endpoints, which are used to connect to the OpenStack service APIs. The template does not create the public network; you must create it before deploying the heat templates. The default value is public_net.
  • pan_image: Specifies the VM-Series base image that the Heat template uses when deploying the VM-Series firewall. The default value is pa-vm-7.1.4.
  • pan_flavor: Defines the hardware resources allocated to the VM-Series firewall. The default value is m1.medium. This value meets the VM-Series on KVM System Requirements described in the Set Up the VM-Series Firewall on KVM chapter.
  • server_image: Tells the Heat template which image to use for the Linux server. The default value is Ubuntu-14.04.
  • server_flavor: Defines the hardware resources allocated to the Linux server. The default value is m1.small.
  • server_key: The key pair used to access the Linux server through SSH. The default value is server_key. You can change this value by entering a new server key in the environment file.