Deploy Palo Alto firewalls to your environment

After preparing the Palo Alto image, making it available as a PVC, and creating the necessary networks, you are ready to start your deployment of the Palo Alto VM-Series firewall. This lesson will cover a manual deployment as well as a more advanced version.
Prerequisites:
- Palo Alto firewall image downloaded and configured.
- Created and configured the networks for the firewall to be deployed on.
In this lesson, you will:
- Deploy the Palo Alto firewall.
Verify storage and network
First, we will cover a more manual version of the deployment process. This will include configuring the firewall interfaces and licenses, which will take about 20 minutes. If you’re interested in a more automated configuration that takes a little longer to set up (approximately 30 minutes), proceed to the advanced deployments section of this lesson.
Before proceeding with either of these, however, we must first verify the storage and network. Let’s verify that the previous steps have been completed correctly:
To verify if the PVC (the VM-Series firewall image) is ready for us to use, run the following command:
$ oc get pvc -n $namespace
NAME                   STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   VOLUMEATTRIBUTESCLASS   AGE
pa-vm-kvm-11-1-4-h13   Bound    pvc-a9595744-c83d-4219-927a-a788cf11bd71   65Gi       RWO            lvms-vg1       <unset>                 17h
Make sure that networking is configured correctly. Using the examples from earlier, you will look for a single NodeNetworkConfigurationPolicy and four NetworkAttachmentDefinition objects for VLANs 3, 30, 31, and 90:
$ oc get nncp
NAME          STATUS      REASON
eno8303-br0   Available   SuccessfullyConfigured
$ oc get net-attach-def -n demo-pan
NAME     AGE
vlan3    17h
vlan30   6h10m
vlan31   6h9m
vlan90   6h10m
Deploy the VM-Series firewall (manual)
Now we can deploy a sample firewall using the previously created QCOW2 and network objects like this. Notice that there are variables for the firewall name, namespace, and StorageClass being used in the example below. These could all be different within your own environment:
$ export storageclass=lvms-vg1
$ export hostname=pa-fw-01
$ export namespace=demo-pan
# Edit the following YAML according to your environment:
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: $hostname
  namespace: $namespace
spec:
  runStrategy: Always
  dataVolumeTemplates:
    # Clone the golden-image PVC into a dedicated root disk for this VM
    - metadata:
        name: $hostname-rootdisk
      spec:
        source:
          pvc:
            namespace: $namespace
            name: pa-vm-kvm-11-1-4-h13
        pvc:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 70Gi
          storageClassName: $storageclass
  template:
    spec:
      domain:
        devices:
          disks:
            - name: rootdisk
              disk:
                bus: virtio
          # One bridged interface per VLAN; MAC addresses must be unique per VM
          interfaces:
            - bridge: {}
              macAddress: '02:a7:fe:00:15:05'
              model: virtio
              name: management
            - bridge: {}
              macAddress: '02:a7:fe:00:15:06'
              model: virtio
              name: trust
            - bridge: {}
              macAddress: '02:a7:fe:00:15:07'
              model: virtio
              name: untrust
            - bridge: {}
              macAddress: '02:a7:fe:00:15:08'
              model: virtio
              name: dmz
        resources:
          requests:
            memory: 8Gi
            cpu: "4"
      volumes:
        - name: rootdisk
          dataVolume:
            name: $hostname-rootdisk
      # Each interface name above maps to a NetworkAttachmentDefinition here
      networks:
        - name: management
          multus:
            networkName: vlan3
        - name: trust
          multus:
            networkName: vlan30
        - name: untrust
          multus:
            networkName: vlan90
        - name: dmz
          multus:
            networkName: vlan31
If you deployed everything correctly, you will see a couple of Pod objects spin up in the same Namespace, which can be very useful in troubleshooting (should you miss something):
- *-source-pod: This Pod performs a clone of the PVC you created earlier and mounts this as the primary boot disk for the VM-Series firewall. This PVC is treated similarly to a golden image, and as long as you follow this same deployment model, you can continue to keep referencing the pa-vm-kvm-11-1-4-h13 PVC as your source image.
- virt-launcher-*: This Pod performs the network and storage plumbing for the virtual machine. You can think of this in the same way that KVM would normally provide network and storage for a VM, but instead, that process is containerized, which means that you can read the logs for this process by going into the pod and clicking the Logs tab.
You’ve now successfully performed a basic install of a Palo Alto VM-Series firewall on OpenShift! But with all things, there is room for improvement. The next section will go a little deeper into auto-provisioning the Palo Alto VM-Series with the following:
- Preconfigured IP address.
- Pre-licensed firewall.
- Automatic communication with a Panorama Management server.
In order to improve on our basic deployment, we will be using something called the Palo Alto Bootstrap Package to auto-configure some initial settings for the VM-Series firewall. Most organizations will want this level of automation in the field, so it’s a critical step towards automating their firewall deployments and improving their overall VM deployment workflow on OpenShift.
Advanced deployments for the VM-Series firewall
There are a couple of command-line tools that we need for this section. They’re very easy to obtain for both macOS and Linux. Follow these steps:
If you use Homebrew on macOS, you can install and run the following small packages locally:
$ brew install qemu cdrtools
If you’re using Red Hat Enterprise Linux (RHEL) or Fedora, you can install the following item:
$ sudo dnf install qemu-img genisoimage
Now you have to create a couple of folders and files. You can perform this on either macOS or Linux; both work the same. See the following:
$ mkdir -p {palo-iso/config,palo-iso/content,palo-iso/license,palo-iso/software}
$ touch {palo-iso/config/init-cfg.txt,palo-iso/license/authcodes}
This will result in a directory/file structure that looks like the following:
$ tree palo-iso
palo-iso
├── config
│   └── init-cfg.txt
├── content
├── license
│   └── authcodes
└── software
5 directories, 2 files
Now, for the palo-iso/config/init-cfg.txt file, add the following contents. This continues to use the examples above, but expands them to include IP addresses for the Management network, which is VLAN 3 and has a network subnet of 192.168.3.0/24:
type=static
ip-address=192.168.3.41
default-gateway=192.168.3.1
netmask=255.255.255.0
ipv6-address=2001:473:eba1:3::41
ipv6-default-gateway=2001:473:eba1:3::1
hostname=pa-fw-01
panorama-server=192.168.3.95
panorama-server-2=192.168.3.96
tplname=
dgname=
dns-primary=192.168.3.5
dns-secondary=192.168.3.6
op-command-modes=
dhcp-send-hostname=
dhcp-send-client-id=
dhcp-accept-server-hostname=
dhcp-accept-server-domain=
vm-auth-key=
This also sets networking for the VM-Series firewall to static and configures this IP address as part of the bootstrap process.
- Next, use vim or nano to edit the palo-iso/license/authcodes file. Only place the authcode in this file: nothing more, nothing less (and no new lines or white space). Your customer authcode can be found on https://support.paloaltonetworks.com/.
- Once you’re logged into the Palo Alto Networks support portal, navigate to Products > Software/Cloud NGFW Credits and click your Software NGFW Credits details link. Once there, look to the far right side to view your AUTH CODE. It should be an 8-character alphanumeric code that you can place into the palo-iso/license/authcodes file directly. Here’s a non-working example:
E8461742
Save your file, as this is the only entry that needs to be in that file.
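Because an editor or a stray echo will happily add a newline to the authcodes file, it is worth checking the bootstrap tree before burning it. The script below is an added pre-flight check, not part of the original lesson: it assumes the palo-iso layout and file names used above, and the sample values it writes are constructed from this lesson’s examples rather than a real authcode.

```shell
#!/usr/bin/env sh
# Pre-flight check for the palo-iso/ bootstrap tree before it is burned to an ISO.
# check_bootstrap_dir DIR -> exit status 0 when the layout and both files look sane.
check_bootstrap_dir() {
  dir="$1"; rc=0
  cfg="$dir/config/init-cfg.txt"; auth="$dir/license/authcodes"
  # The bootstrap package needs all four top-level folders, even the empty ones.
  for sub in config content license software; do
    [ -d "$dir/$sub" ] || { echo "missing folder: $dir/$sub"; rc=1; }
  done
  [ -f "$cfg" ]  || { echo "missing file: $cfg"; return 1; }
  [ -f "$auth" ] || { echo "missing file: $auth"; return 1; }
  # CRLF line endings (a Windows editor) break key=value parsing on the firewall.
  if grep -q "$(printf '\r')" "$cfg"; then echo "init-cfg.txt: CRLF line endings"; rc=1; fi
  # A static management address is only usable if these keys carry a value.
  if grep -qx 'type=static' "$cfg"; then
    for key in ip-address default-gateway netmask hostname; do
      grep -Eq "^${key}=[^[:space:]]+$" "$cfg" || { echo "init-cfg.txt: $key is empty or missing"; rc=1; }
    done
  else
    echo "init-cfg.txt: expected a 'type=static' line"; rc=1
  fi
  # authcodes must hold the bare code: any space or newline (what echo adds) breaks licensing.
  bytes=$(( $(wc -c < "$auth") ))
  nonblank=$(( $(tr -d '[:space:]' < "$auth" | wc -c) ))
  if [ "$bytes" -eq 0 ]; then
    echo "authcodes: file is empty"; rc=1
  elif [ "$bytes" -ne "$nonblank" ]; then
    echo "authcodes: contains whitespace or a trailing newline"; rc=1
  fi
  return "$rc"
}

# Writes a constructed sample tree under DIR using the values from this lesson,
# so the check can be exercised without a real authcode.
make_sample_bootstrap_dir() {
  dir="$1"
  mkdir -p "$dir/config" "$dir/content" "$dir/license" "$dir/software"
  printf '%s\n' 'type=static' 'ip-address=192.168.3.41' 'default-gateway=192.168.3.1' \
    'netmask=255.255.255.0' 'hostname=pa-fw-01' 'panorama-server=192.168.3.95' \
    > "$dir/config/init-cfg.txt"
  printf '%s' 'E8461742' > "$dir/license/authcodes"   # deliberately no trailing newline
}
```

Run check_bootstrap_dir palo-iso immediately before the mkisofs command; a non-zero exit means the ISO would bootstrap a firewall with no management address or no license.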
Once you have edited these two files, run the following command to create an ISO image of your work:
$ export hostname=pa-fw-01
$ mkisofs -o panos-bootstrap-$hostname.iso -V bootstrap -l -allow-lowercase -allow-multidot -iso-level 3 -D -r -J palo-iso
This will produce an ISO named panos-bootstrap-pa-fw-01.iso that we can use in our next step.
Hint: If you want to validate the contents of this ISO file, you can use the following command to explore its contents (this example is for macOS, but it’s just as simple in RHEL):
$ hdiutil attach panos-bootstrap-$hostname.iso
/dev/disk4                                      /Volumes/bootstrap
$ tree /Volumes/bootstrap
/Volumes/bootstrap
├── config
│   └── init-cfg.txt
├── content
├── license
│   └── authcodes
└── software
5 directories, 2 files
Now you can upload this ISO as a PVC using the following command. Notice the variables for hostname and namespace. The --insecure flag skips TLS verification of the CDI upload proxy certificate; drop it once the proxy presents a certificate your workstation trusts:
$ export hostname=pa-fw-01
$ export namespace=demo-pan
$ virtctl image-upload pvc panos-bootstrap-$hostname-config-iso \
    --size 1Gi \
    --image-path=panos-bootstrap-$hostname.iso \
    --namespace=$namespace \
    --force-bind \
    --volume-mode=block \
    --insecure
With the PVC now created, you can run a slightly modified/improved version of the VM manifest we used earlier. In this improved manifest below, we’ve attached the ISO image as a cloud-init image that is presented to the Palo Alto VM-Series firewall. This will be used to autoconfigure the IP address, license the firewall, and initialize communication with the Panorama Management server:
$ export storageclass=lvms-vg1
$ export hostname=pa-fw-01
$ export namespace=demo-pan
# Edit the following YAML according to your environment:
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: $hostname
  namespace: $namespace
spec:
  runStrategy: Always
  dataVolumeTemplates:
    - metadata:
        name: $hostname-rootdisk
      spec:
        source:
          pvc:
            namespace: $namespace
            name: pa-vm-kvm-11-1-4-h13
        pvc:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 70Gi
          storageClassName: $storageclass
  template:
    spec:
      domain:
        devices:
          disks:
            - name: rootdisk
              disk:
                bus: virtio
            # Bootstrap ISO presented to PAN-OS as a CD-ROM device
            - name: $hostname-config-iso
              cdrom:
                bus: sata
          interfaces:
            - bridge: {}
              macAddress: '02:a7:fe:00:15:05'
              model: virtio
              name: management
            - bridge: {}
              macAddress: '02:a7:fe:00:15:06'
              model: virtio
              name: trust
            - bridge: {}
              macAddress: '02:a7:fe:00:15:07'
              model: virtio
              name: untrust
            - bridge: {}
              macAddress: '02:a7:fe:00:15:08'
              model: virtio
              name: dmz
        resources:
          requests:
            memory: 8Gi
            cpu: "4"
      volumes:
        - name: rootdisk
          dataVolume:
            name: $hostname-rootdisk
        # The PVC uploaded with virtctl image-upload backs the cdrom disk above
        - name: $hostname-config-iso
          persistentVolumeClaim:
            claimName: panos-bootstrap-$hostname-config-iso
      networks:
        - name: management
          multus:
            networkName: vlan3
        - name: trust
          multus:
            networkName: vlan30
        - name: untrust
          multus:
            networkName: vlan90
        - name: dmz
          multus:
            networkName: vlan31
Notice that the manifest above adds two small additional sections:
- Under disks, there’s a new cdrom disk which maps the ISO to the virtual machine.
- Under volumes, there’s a PVC that maps to a disk for the ISO we just uploaded.
Now, when your VM is powered on, you will notice that it will automatically be assigned a static IP address, and it can talk to Panorama.
The only thing that a Palo Alto administrator needs to do after the VM is powered on is accept the VM-Series firewall into management and start pushing firewall policies for the firewall. It can be a Universal CPE device or it can be a data center device; it doesn’t really matter.
With OpenShift Virtualization and Palo Alto VM-Series Firewalls, administrators can leverage new deployment strategies such as GitOps using ArgoCD for their firewall instances. When using Red Hat Advanced Cluster Manager with OpenShift, they can manage an entire fleet of virtual machines through one unified, single pane of glass.
Summary
As shown in earlier sections of this learning path, there are multiple deployment options where the VM-Series can be used to secure OpenShift Virtualization and OpenShift Virtualization Engine (OVE). We walked through one of these options with examples. The real value to customers is that they can easily transition to an alternative hypervisor platform, either by migrating their existing VM-Series firewalls with the Migration Toolkit for Virtualization (MTV) or by adopting a whole new automation workflow to speed up their current security deployment model. The core competencies and use cases that organizations expect from the VM-Series can be applied to their Red Hat OpenShift Virtualization infrastructures:
- Simplified operations: Leverage scalable central management for uniform security enforcement across all applications and environments.
- Protected workloads: Increase security, visibility, and control with application awareness and application-layer threat blocking.
- Safe network segmentation: Prevent lateral spread across security boundaries from trusted but compromised workloads.
- Agility and automation: Orchestrate application deployment and security deployment with IaC, CI/CD pipelines, and GitOps models.
- Enhanced observability: Improve visibility with OpenShift Network Observability and Palo Alto Networks traffic inspection.
You can get started with OpenShift Virtualization here and with Palo Alto Networks VM-Series here.
Red Hat and Palo Alto Networks have had a long history of bringing technical integrations to the market. The joint solutions that our joint teams have worked together on consist of:
- Prisma Cloud securing OpenShift Container Platform for cloud native container security and vulnerability detection.
- CN-Series for pod/cluster level firewall protection.
- VM-Series securing OpenStack deployments.
- Prisma AIRS firewall protection for Container and VM-based applications and workloads with AI security features.
- PAN-OS Certified Ansible Automation Platform Collection to deploy, maintain, and configure firewalls and integrate with Panorama.
You can find out more about these joint solutions in Red Hat’s Ecosystem Catalog.