Ian rae panel cloud stack & cloud storage where are we at, and where do we need to go
www.paloaltonetworks.com www.cloudops.com
Palo Alto Networks firewall orchestration using CloudStack
June 25th, 2013
Brian Torres-Gil, Ian Rae
Overview
• Intro to speakers
• Project objectives
• Approach
• Solution overview
• Demo (demo gods permitting)
• FAQ
• Next Steps
Who?
Ian Rae, Founder and CEO, CloudOps
Brian Torres-Gil, Solutions Architect, Palo Alto Networks
CloudOps Overview
• CloudOps specializes in building, supporting and operating cloud computing platforms (private, public, and hybrid)
• Unique expertise with load balancing built over 14 years of experience
• Unique expertise with EUEM and APM from Coradiant background
• Develops best-in-class cloud architectures and operational models
• Customers in Canada, US and Europe
• Based in Montreal, Canada
Palo Alto Networks at a glance
Corporate highlights
Founded in 2005; first customer shipment in 2007
Safely enabling applications
Able to address all network security needs
Exceptional ability to support global customers
Experienced technology and management team
1,000+ employees globally
Palo Alto - Safe application enablement
Our fundamentally new approach:
• Identify, control, and safely enable all applications by user
• Inspect content for known and unknown threats in real time
• High throughput and performance
• Simplify infrastructure and reduce TCO
• Enable diverse deployment scenarios
Why?
CloudStack virtual router: for Advanced Networking it often handles NAT, LB, FW and VPN in addition to DHCP and DNS.
Great approach for horizontally scaled commodity networking services, BUT it can be a bottleneck and a bit of a black box security-wise.
More Why.
Some clouds have important security requirements not met by CS-VR
There is often a need for greater visibility and advanced security services (i.e. content filtering)
Typical examples: Enterprise private clouds, PCI compliance for online business, Enterprise-targeted service providers, often telecom providers.
What? Project Objectives
• Support of CloudStack advanced network topology.
• Support of multiple Palo Alto Networks firewalls.
• Support of parallel deployment with hardware load-balancer (e.g. Netscaler).
• Configuration of connectivity with Palo Alto Networks firewall through CloudStack UI and persistence of this information.
• Allow the selection of Palo Alto firewall when defining CloudStack network service offering for:
  – Firewall (Ingress & Egress)
  – Source NAT
  – Static NAT
  – Port forwarding
• Communication layer with Palo Alto APIs.
• Mapping of CloudStack APIs to corresponding Palo Alto APIs.
• Proper display of Palo Alto connectivity status in CloudStack UI.
• Functional/Integration testing on PA-3020 platform (version 5.0.0).
• Full documentation of the solution (architecture, design, APIs).
How?
Example external device NSP
How, in a picture.
Solution overview
Note: VRs are not actually “inline”
Pre-configure the Palo Alto device
• Set up the Public and Private interfaces on the PA.
• Pre-configure the Public interface according to the Public IP range in CS.
Add the PA as a service provider
• Add the PA device as a guest network service provider.
• Enable the provider.
Create a Network Offering
• Expose the PA through a network offering.
• PA provides: Source NAT, Static NAT, Port Forwarding and Firewall services.
• Enable the new offering.
Use the Palo Alto
• Add a network using the service offering.
• Launch a VM on the new network.
Check what happened on the PA
• A Source NAT IP is allocated on ‘ae1’.
• A guest network has been set up on ‘ae2’.
• A Source NAT rule now connects the guest network to the public IP.
• A policy isolates the guest network.
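
The four outcomes listed above can be turned into a post-provisioning audit. The following is an added example, not code from the presentation or from the CloudStack plugin: it checks a constructed, simplified snapshot of firewall state, and the snapshot layout and field names are hypothetical (only the interface names ae1 and ae2 come from the slide).

```python
import ipaddress

# Constructed sample data. The field names are hypothetical and are NOT
# PAN-OS configuration syntax; ae1/ae2 are the interfaces named on the slide.
SNAPSHOT = {
    "interfaces": {
        "ae1": ["203.0.113.10/24"],              # public side: Source NAT IPs
        "ae2": ["10.1.1.1/24", "10.1.2.1/24"],   # guest side: one gateway per guest network
    },
    "source_nat": [
        {"source": "10.1.1.0/24", "translated": "203.0.113.10"},
    ],
    "isolation_policies": ["10.1.1.0/24"],       # guest networks covered by an isolating policy
}

def audit_guest_networks(snap, public_if="ae1", guest_if="ae2"):
    """Return {guest_cidr: [problems]} for every guest network found on guest_if."""
    public_ips = {ipaddress.ip_interface(a).ip
                  for a in snap["interfaces"].get(public_if, [])}
    isolated = {ipaddress.ip_network(n) for n in snap["isolation_policies"]}
    findings = {}
    for addr in snap["interfaces"].get(guest_if, []):
        net = ipaddress.ip_interface(addr).network
        problems = []
        # A Source NAT rule must connect this guest network to a public IP.
        rules = [r for r in snap["source_nat"]
                 if ipaddress.ip_network(r["source"]) == net]
        if not rules:
            problems.append("no source NAT rule")
        for r in rules:
            # The translated address must actually be allocated on the public interface.
            if ipaddress.ip_address(r["translated"]) not in public_ips:
                problems.append(f"NAT address {r['translated']} not on {public_if}")
        # Without an isolating policy the guest network is not separated from its neighbours.
        if net not in isolated:
            problems.append("no isolation policy")
        findings[str(net)] = problems
    return findings

if __name__ == "__main__":
    for net, problems in audit_guest_networks(SNAPSHOT).items():
        print(net, "OK" if not problems else "; ".join(problems))
```

In the sample, the second guest network on ae2 has neither a NAT rule nor an isolating policy, which is the partially provisioned state such an audit is meant to catch.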
Egress firewall rules
Static NAT rules
Port Forwarding rules
Ingress firewall rules
FAQ
Q: Is it open source?
A: Yes - will be contributed to CloudStack.
Q: What is it based on?
A: Current dev is based on 4.2 Master branch circa a few weeks ago.
Q: Which release of CS will it be included in?
A: Depending on the next steps and funding, probably 4.3.
Q: What’s planned next?
A: Glad you asked.
More Information
Documentation is here! https://cwiki.apache.org/CLOUDSTACK/palo-alto-firewall-integration.html
Code is here: https://github.com/cloudops/cs_palo_alto/tree/palo_alto
Contact: @ianrae and @CloudOps_