Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing DG_PAFWLB_120718.1

Upload: trinhdung

Post on 15-Mar-2018

Deployment Guide

AX Series for Palo Alto Networks

Firewall Load Balancing

DG_PAFWLB_120718.1

Deployment Guide for Palo Alto Networks FWLB

TABLE OF CONTENTS

1 Overview
2 Deployment Prerequisites
3 Architecture Overview
4 Access Credentials
5 Configuration Overview
  5.1 External AX Series and PA Series Configuration
  5.2 External AX Series Configuration
    5.2.1 Server Gateway Configuration
    5.2.2 Server Group Configuration
    5.2.3 Virtual Server Configuration
    5.2.4 Access Control List Configuration
    5.2.5 External Wildcard VIP Configuration
  5.3 PA Series Interface Configuration
    5.3.1 Interface Configuration
    5.3.2 Zone Configuration
    5.3.3 Virtual Wire Configuration
    5.3.4 Palo Alto Network Policy Configuration
6 Internal AX Series Configuration
  6.1 Firewall Path Configuration
  6.2 Service Group Configuration
  6.3 Internal Wildcard VIP Configuration
7 Layer 3 Configuration for Firewall Load Balancing
8 Summary and Conclusion
9 Configuration Samples
  9.1 External L2 CLI Configuration
  9.2 Internal AX CLI Configuration

1 OVERVIEW

A10 Networks and Palo Alto Networks offer a comprehensive and detailed solution for high performance Firewall Load Balancing (FWLB). This deployment guide shows how to configure and deploy the A10 Networks AX Series Application Delivery Controller (ADC) with Palo Alto Networks' PA Series Firewall.

The tested solution is based on a "sandwich-style" architecture that calls for two or more AX Series appliances to load balance the external and internal zones of a network. The FWLB deployment described in this guide was tested to work with AX Series 2.6.1. Persistence with certain protocols, e.g. SIP and FTP, is supported in the 2.7.0 release. For more information on A10 Networks, please visit www.a10networks.com, and for more information on Palo Alto Networks please visit www.paloaltonetworks.com.

2 DEPLOYMENT PREREQUISITES

The FWLB solution tested for this guide consisted of the following:

- AX Series with Release 2.6.1 and 2.7.0 (as mentioned above)
- Palo Alto Networks PA Series Firewall with Release 4.1.6
- Virtual Wire deployment of the Palo Alto Networks appliance

Note: The deployment configuration tested for and presented in this guide is based on one (1) AX Series per zone (internal and external). A10 Networks strongly recommends deploying the AX Series in High Availability (HA) pairs for redundancy.

3 ARCHITECTURE OVERVIEW

This section illustrates a joint FWLB solution using A10 Networks' AX Series appliances with Palo Alto Networks' PA Series Firewalls.

Diagram 1: FWLB load balancing design overview

The following diagram shows a typical packet flow in an AX Series and PA Series FWLB deployment.

Diagram 2: Firewall load balancing traffic call flow

When an internal client sends a request, the internal AX Series selects a PA firewall for the request, and sends the request to the selected firewall. The firewall inspects the request and, if the request is allowed, forwards the request to the external AX Series. The external AX Series then sends the request to the application/Internet.

4 ACCESS CREDENTIALS

This section lists the default access credentials for the AX Series and the PA Series.

A10 Networks AX Series access defaults:

- Default username is “admin”.
- Default password is “a10”.
- Default management IP address of the device is “172.31.31.31”.

Palo Alto Networks PA Series access defaults:

- Default username is “admin”.
- Default password is “admin”.
- Default management IP address of the device is “192.168.1.1”.

Note: Both AX Series and PA Series appliances can support a Graphical User Interface (GUI) and Command Line Interface (CLI). To access the CLI on the AX Series and PA Series, an SSH client such as putty.exe is required.

5 CONFIGURATION OVERVIEW

This section shows the GUI procedures for configuring the AX Series for the FWLB solution. The procedures are organized as follows:

- External AX Series Configuration
- PA Series Interface Configuration
- Internal AX Series Configuration

The procedures focus on the FWLB-specific portions of the configuration. Configuration of the data interfaces is not shown. However, the sample configurations at the end of this guide include the commands for configuring the AX Series interfaces.

Note: This section assumes the PA Series firewalls are connected to the AX Series at Layer 2.

Note: The AX Series has a feature called Role-Based Administration (RBA) that allows administrators to configure and view network and load balancing resources based on administrative domains (partitions). While the procedures below do not include creation of a partition, the first command line of each sample configuration at the end of this guide creates a partition. RBA may sometimes be referred to as Application Delivery Partitions (ADPs); RBA is an element of an ADP.

5.1 EXTERNAL AX SERIES AND PA SERIES CONFIGURATION

The procedures in this section describe how to configure FWLB on the external AX Series and PA Series.

5.2 EXTERNAL AX SERIES CONFIGURATION

These procedures apply to the section of the topology highlighted in blue in the following diagram.

Diagram 3: External AX configuration

5.2.1 SERVER GATEWAY CONFIGURATION

To create a server configuration for the server gateway:

1. Navigate to Config Mode > Service > SLB > Server.

2. Enter the Name of the Server: "server-gateway".

3. Enter the IP Address/Host: 16.1.1.253.

Note: Health monitoring does not apply to wildcard ports. If you leave health monitoring enabled on a wildcard port, the health check will result in the port being marked down. Client traffic will not reach its destination.

4. Repeat as applicable for any additional server gateways. Make sure to use a unique name and IP address for each configuration.

Diagram 4: AX server configuration

5. In the Port section, enter port number 0 (zero) and select "TCP" from the Type drop-down list. Then click Add.

6. Create a UDP port with port number 0. This is the same as the previous step, except "UDP" instead of "TCP" should be selected.

Note: In IP protocol load balancing, port 0 (zero) is used as a wildcard port and matches on any port number.

Diagram 5: Server port configuration

7. Click OK, then click the Save button at the top of the GUI window to save the configuration.

5.2.2 SERVER GROUP CONFIGURATION

The steps in this section place the client gateways into a service group.

1. Navigate to Config Mode > Service > SLB > Service Group. There are two (2) service groups required in the configuration. In this example, they are named "sg-tcp" and "sg-udp".

Diagram 6: TCP server group configuration

2. In the Server section:

a. From the Server drop-down list, select the servers configured in the previous section.

b. Enter "0" in the Port field.

c. Click Add, and then click OK.

Diagram 7: Server-group configuration

3. Create a UDP service group. The steps are similar to those above for a TCP service group, except the name is different, and the type is "UDP" instead of "TCP".

Diagram 8: UDP server group configuration

4. Add the firewalls to the UDP service group. For reference, see step 2 above.

Diagram 9: Server group configuration

5. Click OK, and then save the configuration.

5.2.3 VIRTUAL SERVER CONFIGURATION

This section describes how to configure the Virtual IP (VIP). FWLB uses a wildcard VIP. A wildcard VIP has IPv4 address 0.0.0.0 or IPv6 address :: (double colon).

Wildcard VIPs also have the following configuration requirements:

- Access Control List (ACL) to specify the traffic allowed to access the VIP (described in the following subsection)
- Promiscuous mode on the interface connected to clients (shown in the sample configurations at the end of the guide)

Note: For simplicity, this guide uses an ACL that permits all traffic. You can more tightly control traffic by using more specific source and destination information in the ACL.

5.2.4 ACCESS CONTROL LIST CONFIGURATION

This section shows how to configure the ACL for the wildcard VIP.

1. Navigate to Config Mode > Network > ACL > Extended.

2. Click Add.

3. Enter or select the following values:

ACL ID: "100"

Select Entry

Action: Permit

Protocol: IP

Source Address: Any

Destination Address: Any

VLAN ID: VLAN ID, if applicable

Diagram 10: ACL configuration

4. Click OK, and then save the configuration.

5.2.5 EXTERNAL WILDCARD VIP CONFIGURATION

This section describes how to configure the wildcard VIP on the external AX Series.

1. Navigate to Config Mode > Service > SLB > Virtual Server.

2. Click Add.

3. Enter or select the following values:

Name: "outside_in_to_out".

Wildcard: Select this checkbox to display the Access List drop-down list.

Access List: Select the ACL configured in the previous section.

IPv4/IPv6: Select the applicable IP version.

Diagram 11: Wildcard VIP configuration

4. In the Virtual Server Port section, click Add and enter the virtual port information for the TCP virtual port:

Type: TCP.

Port: 0.

Service Group: "sg-tcp".

Use default server selection when preferred method fails: Select this option to enable it.

Use received hop for response: Select this option to enable it.

Diagram 12: Virtual server TCP port configuration

5. Click OK.

6. Click Add to add the UDP wildcard port. Select "UDP" as the Type and select Service Group "sg-udp".

Diagram 13: Virtual server UDP port configuration

Note: The use received hop for response option is required in FWLB. This option sends replies to clients back through the last hop on which the request for the virtual port's service was received.

7. Click OK, and then save the configuration.

8. To validate the configuration, navigate to Config Mode > SLB > Virtual Service.

Diagram 14: Validate configuration

Note: The virtual service name is assigned automatically.
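
The following model is an added example, not part of the original guide. It replays the packet flow from the Architecture Overview to show what the use received hop for response option does for return traffic. It assumes, beyond what the guide states, that each firewall only passes replies for sessions whose request it inspected and that, without the option, replies follow a single fixed next hop; the firewall names and flow tuples are constructed.

```python
from itertools import cycle


class StatefulFirewall:
    """Assumption: a reply is forwarded only if this firewall inspected the
    request of the same flow; anything else is dropped."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def inspect_request(self, flow):
        self.sessions.add(flow)

    def pass_reply(self, flow):
        return flow in self.sessions


class InternalAX:
    """Selects a firewall path per new flow (Round Robin service group)."""

    def __init__(self, firewalls):
        self._next = cycle(firewalls)

    def select_path(self, flow):
        return next(self._next)


class ExternalAX:
    """Forwards requests outward and decides which firewall carries the reply."""

    def __init__(self, firewalls, use_rcv_hop_for_resp):
        self.firewalls = firewalls
        self.use_rcv_hop_for_resp = use_rcv_hop_for_resp
        self.rcv_hop = {}  # flow -> firewall the request arrived through

    def receive_request(self, flow, via):
        self.rcv_hop[flow] = via

    def reply_path(self, flow):
        if self.use_rcv_hop_for_resp:
            return self.rcv_hop[flow]
        # Assumption: without the option the reply follows ordinary routing,
        # modelled as one fixed next hop regardless of the request path.
        return self.firewalls[0]


def simulate(flows, use_rcv_hop_for_resp):
    """Return (flow, request_fw, reply_fw, delivered) for each flow."""
    firewalls = [StatefulFirewall("PA-1"), StatefulFirewall("PA-2")]
    internal = InternalAX(firewalls)
    external = ExternalAX(firewalls, use_rcv_hop_for_resp)
    results = []
    for flow in flows:
        fw = internal.select_path(flow)       # internal AX picks a firewall
        fw.inspect_request(flow)              # firewall creates session state
        external.receive_request(flow, fw)    # external AX notes the hop
        back = external.reply_path(flow)      # hop chosen for the reply
        results.append((flow, fw.name, back.name, back.pass_reply(flow)))
    return results


# Constructed client flows: (src ip, src port, dst ip, dst port, protocol).
FLOWS = [("10.0.0.%d" % i, 40000 + i, "198.51.100.7", 443, "tcp")
         for i in range(1, 7)]

if __name__ == "__main__":
    for enabled in (True, False):
        rows = simulate(FLOWS, enabled)
        delivered = sum(1 for r in rows if r[3])
        print("use-rcv-hop-for-resp=%s: %d of %d replies delivered"
              % (enabled, delivered, len(rows)))
```
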

5.3 PA SERIES INTERFACE CONFIGURATION

This section shows how to configure the PA Series firewalls. Configuration consists of the following items:

- Zone
- Interface Configuration
- Policies

The configuration settings for each item must be the same on each firewall. The only settings that should differ are network settings such as IP addresses.

Note: Although not shown in this guide, you can also deploy the firewalls in HA mode for quick configuration synchronization to all in-service firewalls.

Diagram 15: Palo Alto Networks diagram

5.3.1 INTERFACE CONFIGURATION

On the PA Series:

1. Navigate to Network > Interfaces.

2. Select the interface you wish to use for Virtual Wire.

3. From the Interface Type drop-down menu, select Virtual Wire.

Diagram 16: Palo Alto Ethernet interface configuration

4. Click OK and save the configuration.

Diagram 17: Palo Alto Zone configuration

9. Click OK and save the configuration.

5.3.2 ZONE CONFIGURATION

On the PA Series:

10. Navigate to Network > Zone.

11. Click Add.

12. Create the following configurations for Names, Locations and Type:

Table 1: Trusted and untrusted zone requirements for Palo Alto Network Appliance

Note: The "Trusted" network segment is located in the internal section of the network topology. The "Untrusted" network segment is the external section of the network topology; see Diagram 15 above. The steps have to be repeated for both interfaces. Interfaces have to be assigned to trust and untrust interfaces.

On the PA Series, the "vsys" is equivalent to an RBA partition on the AX Series. On the PA Series, partitions such as "vsys1" from the example above can be created dynamically.

5.3.3 VIRTUAL WIRE CONFIGURATION

To configure the Virtual Wire:

1. Navigate to Network > Virtual Wires.

2. Click Add.

3. Enter the Name of the Virtual Wire: FWLB

4. From the Interface 1 menu, select the interface you have created for outbound.

5. From the Interface 2 menu, select the interface you have created for inbound.

6. Click OK and save the configuration.

5.3.4 PALO ALTO NETWORK POLICY CONFIGURATION

This section shows how to configure the security policy rules of the firewall.

1. Navigate to "Policies" and click Add.

2. Enter the following configuration values for the traffic you wish to allow or deny. The following policy information is required:

General

Source

User

Destination

Application

Service/URL Category

Actions

Diagram 18: Palo Alto Networks policy configuration

Note: Every network will have its own policy, so the configuration within the Palo Alto Networks appliance will be used as a reference configuration.

3. Click Save to commit the configuration.

6 INTERNAL AX SERIES CONFIGURATION

This section shows how to configure the internal AX Series for FWLB. These procedures apply to the section of the topology highlighted in blue in the following diagram.

Diagram 19: FWLB internal AX overview

6.1 FIREWALL PATH CONFIGURATION

To create server configurations for the paths through the firewalls:

1. Navigate to Config Mode > SLB > Server.

2. Click Add.

3. Enter Name: "FW1_PATH"

4. Enter the IP Address/Host: 5.1.3.2

Diagram 20: Internal server configuration

5. Click OK and save the configuration.

6. In the Port section, enter port number 0 (zero) and select "TCP" from the Type drop-down list. Then click Add.

7. Click OK and save the configuration.

Diagram 21: Internal AX TCP port configuration

8. Create a UDP port with port number 0. This is the same as the previous step, except "UDP" instead of "TCP" should be selected.

Diagram 22: Internal AX UDP port configuration

6.2 SERVICE GROUP CONFIGURATION

To configure the service group for the firewall paths:

1. Navigate to Config Mode > SLB > Service Group.

2. Enter the following values:

Name: "LB_Paths_TCP"

Type: TCP

Algorithm: Round Robin

Note: The AX Series also comes with other algorithm options such as Least Connection, Least Request, and so on.

3. In the Server section, add each of the firewall paths (server configurations).

Diagram 23: AX service group TCP configuration

4. Click OK and save the configuration.

5. Create a UDP service group. The steps are similar to those above for a TCP service group, except the name is different, and the type is "UDP" instead of "TCP".

6. Click OK and save the configuration.

Diagram 24: AX service group UDP configuration

6.3 INTERNAL WILDCARD VIP CONFIGURATION

This section describes how to configure the wildcard VIP on the internal AX Series.

1. Navigate to Config Mode > Service > SLB > Virtual Server.

2. Click Add.

3. Enter or select the following values:

Name: "wildcard_v4_101_server"

Wildcard: Select this checkbox to display the Access List drop-down list.

Access List: Select the ACL configured in the previous section.

IPv4/IPv6: Select the applicable IP version.

Note: The example name shown above indicates that this wildcard VIP is for IPv4 and uses ACL 101. Configuration of the ACL is not shown here. However, the steps are the same as those in Access Control List Configuration.

4. In the Virtual Server Port section, click Add and enter the virtual port information for the TCP virtual port:

Type: TCP.

Port: 0.

Service Group: "LB_Paths_TCP".

Use default server selection when preferred method fails: Select this option to enable it.

Use received hop for response: Select this option to enable it.

Note: The use received hop for response option is required in FWLB. This option sends replies to clients back through the last hop on which the request for the virtual port's service was received.

Diagram 25: AX virtual server TCP port configuration

5. Click Add to add the UDP wildcard port. Select "UDP" as the Type and select Service Group "LB_Paths_UDP".

Diagram 26: AX virtual server UDP port configuration

6. Click OK and save the configuration.

This is how the wildcard VIP configuration should appear after the steps above:

Diagram 27: Internal VIP wildcard configuration

7 LAYER 3 CONFIGURATION FOR FIREWALL LOAD BALANCING

The AX Series also supports Layer 3 connection to the firewalls. In this case, configure Layer 3 interfaces for untagged routed traffic, and define Layer 3 sub-interfaces for traffic with specific VLAN tags. To make these configuration changes, navigate to Network > Interfaces > Interfaces.

In a Layer 3 firewall configuration, the Palo Alto appliance has to be configured such that Layer 3 interfaces are added for untagged routed traffic and sub-interfaces for traffic with specific VLAN tags. For detailed information on Layer 3 deployment, contact your Palo Alto Networks SE or refer to the Palo Alto Networks Administration Guide.

8 SUMMARY AND CONCLUSION

The sections above show how to deploy the AX device with the Palo Alto Networks device for optimized Firewall Load Balancing. By using the AX device to load balance a pool of Palo Alto Networks appliances, the following key advantages are achieved:

- High availability for firewalls to prevent downtime and access failure, with no adverse impact on user access to applications
- Seamless distribution of client traffic across multiple firewall appliances for site scalability
- Higher connection counts and overall scalability
- Improved site performance and availability to end users

For more information about AX Series products, please refer to the following URLs:

http://www.a10networks.com/products/axseries.php

http://www.a10networks.com/resources/solutionsheets.php

http://www.a10networks.com/resources/casestudies.php

9 CONFIGURATION SAMPLES

This section shows sample configuration files for the internal and external AX devices.

9.1 EXTERNAL L2 CLI CONFIGURATION

hostname 3000-11.78
clock timezone America/Los_Angeles
# Customers should set up their own VLAN number scheme. This setup will require
# at least 4 VLANs. The VLAN IDs and IP addresses that you see in this
# configuration are all made up.
vlan 16
   untagged ethernet 18 to 19
   router-interface ve 16
access-list 100 permit ip any any vlan 2
access-list 100 permit ip any any vlan 3
interface management
   ip address 192.168.223.78 255.255.255.192
   ip default-gateway 192.168.223.65
interface ethernet 4
   disable
interface ethernet 5
   disable
interface ethernet 6
   disable
interface ethernet 7
   disable
interface ethernet 8
   disable
interface ethernet 9
   disable
interface ethernet 10
   disable
interface ethernet 11
   disable
interface ethernet 12
   disable
interface ethernet 13
   disable
interface ethernet 14
   disable
interface ethernet 15
   disable
interface ethernet 16
   disable
interface ethernet 18
   ip allow-promiscuous-vip
   disable
interface ethernet 19
   ip allow-promiscuous-vip
interface ethernet 20
   disable
interface ve 16
   ip address 16.1.1.78 255.255.0.0
   ip allow-promiscuous-vip
tftp blksize 32768
slb server server-gateway 16.1.1.253
   port 0 udp
      no health-check
   port 0 tcp
      no health-check
slb service-group sg-tcp tcp
   member server-gateway:0
slb service-group sg-udp udp
   member server-gateway:0
slb virtual-server outside_in_to_out 0.0.0.0 acl 100
   port 0 tcp
      name _wildcard_v4_TCP_65535
      service-group sg-tcp
      use-rcv-hop-for-resp
      use-default-if-no-server
      no-dest-nat
   port 0 udp
      name _wildcard_v4_UDP_65535
      service-group sg-udp
      use-rcv-hop-for-resp
      no-dest-nat
enable-management service ssh ve 16
no terminal auto-size
terminal width 80
terminal length 25
end

9.2 INTERNAL AX CLI CONFIGURATION

partition p3 network-partition
hostname 3000-11.79
clock timezone America/Los_Angeles
# Customers should set up their own VLAN number scheme. This setup will require
# at least 4 VLANs. The VLAN IDs and IP addresses that you see in this
# configuration are all made up.
access-list 100 permit ip any any vlan 274
interface management
   ip address 192.168.223.79 255.255.255.192
   ip default-gateway 192.168.223.65
interface ethernet 3
   disable
interface ethernet 4
   disable
interface ethernet 5
   disable
interface ethernet 6
   disable
interface ethernet 7
   disable
interface ethernet 8
   disable
interface ethernet 9
   disable
interface ethernet 10
   disable
interface ethernet 11
   disable
interface ethernet 12
   disable
interface ethernet 13
   disable
interface ethernet 14
   disable
interface ethernet 15
   disable
interface ethernet 16
   disable
interface ethernet 17
interface ethernet 18
interface ethernet 19
interface ethernet 20
interface ve 2
   ip address 5.1.1.1 255.255.255.240
interface ve 3
   ip address 5.1.1.17 255.255.255.240
interface ve 4
   ip address 15.1.1.1 255.255.255.0
interface ve 274
   ip address 24.24.112.1 255.255.255.192
ip route 0.0.0.0 /0 5.1.1.2
tftp blksize 32768
slb server FW1_route 5.1.1.18
   port 0 tcp
      no health-check
   port 0 udp
      no health-check
slb server FW2_route 5.1.1.2
   port 0 tcp
      no health-check
   port 0 udp
      no health-check
slb service-group LB_Paths_UDP udp
   member FW1_route:0
   member FW2_route:0
slb service-group LB_Paths_TCP tcp
   # Firewall paths added as members, as described in section 6.2, step 3.
   member FW1_route:0
   member FW2_route:0
slb virtual-server wildcard_v4_101_vserver 0.0.0.0 acl 100
   port 0 tcp
      name Inside_in_to_out
      # Service group bound to the TCP wildcard port, as described in section 6.3, step 4.
      service-group LB_Paths_TCP
      use-rcv-hop-for-resp
      use-default-if-no-server
      no-dest-nat
   port 0 udp
      name Inside_in_to_out_UDP
      service-group LB_Paths_UDP
      use-rcv-hop-for-resp
      use-default-if-no-server
      no-dest-nat
no terminal auto-size
terminal width 80
terminal length 25
end
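
The audit below is an added example, not A10 or Palo Alto Networks code. It checks a configuration in the CLI syntax shown above against the notes in this guide: no health check on wildcard ports, use-rcv-hop-for-resp on every wildcard virtual port, a populated service group per virtual port, and a flag where the wildcard VIP still uses the permit-all ACL. The finding names and the sample input are constructed for illustration.

```python
# Constructed sample in the CLI syntax of this guide's configuration samples,
# with deliberate mistakes for the audit to find.
SAMPLE = """\
access-list 100 permit ip any any vlan 274
slb server FW1_route 5.1.1.18
   port 0 tcp
      no health-check
   port 0 udp
slb server FW2_route 5.1.1.2
   port 0 tcp
      no health-check
   port 0 udp
      no health-check
slb service-group LB_Paths_UDP udp
   member FW1_route:0
   member FW2_route:0
slb service-group LB_Paths_TCP tcp
slb virtual-server wildcard_v4_101_vserver 0.0.0.0 acl 100
   port 0 tcp
      service-group LB_Paths_TCP
      use-default-if-no-server
      no-dest-nat
   port 0 udp
      service-group LB_Paths_UDP
      use-rcv-hop-for-resp
      no-dest-nat
end
"""

# Commands that close any open slb block (subset seen in this guide).
TOP_LEVEL = {"interface", "vlan", "hostname", "partition", "ip", "end"}


def parse(text):
    """Parse the subset of AX CLI used in this guide. Context is tracked by
    keyword rather than indentation, so flattened text parses the same way."""
    cfg = {"acls": {}, "servers": {}, "groups": {}, "vips": {}}
    block = port = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0].startswith("#"):
            continue
        if w[0] == "access-list" and len(w) > 2:
            cfg["acls"].setdefault(w[1], []).append(w[2:])
            block = port = None
        elif w[:2] == ["slb", "server"] and len(w) > 2:
            block, port = cfg["servers"].setdefault(w[2], {"ports": {}}), None
        elif w[:2] == ["slb", "service-group"] and len(w) > 2:
            block, port = cfg["groups"].setdefault(w[2], {"members": []}), None
        elif w[:2] == ["slb", "virtual-server"] and len(w) > 3:
            rest = w[4:]
            acl = rest[rest.index("acl") + 1] if "acl" in rest[:-1] else None
            vip = {"ip": w[3], "acl": acl, "ports": {}}
            block, port = cfg["vips"].setdefault(w[2], vip), None
        elif w[0] in TOP_LEVEL:
            block = port = None
        elif w[0] == "port" and len(w) > 2 and block and "ports" in block:
            port = block["ports"].setdefault((w[1], w[2]), [])
        elif w[0] == "member" and len(w) > 1 and block and "members" in block:
            block["members"].append(w[1])
        elif port is not None:
            port.append(" ".join(w))  # option line under the current port
    return cfg


def audit(cfg):
    """Return a list of (finding, location) tuples."""
    out = []
    for name, srv in cfg["servers"].items():
        for (num, proto), opts in srv["ports"].items():
            if num == "0" and "no health-check" not in opts:
                out.append(("health-check-on-wildcard-port",
                            f"{name} port 0 {proto}"))
    for name, vip in cfg["vips"].items():
        if vip["ip"] not in ("0.0.0.0", "::"):
            continue  # only wildcard VIPs are used for FWLB
        rules = cfg["acls"].get(vip["acl"], [])
        if not rules:
            out.append(("wildcard-vip-without-acl", name))
        elif any(r[:4] == ["permit", "ip", "any", "any"] for r in rules):
            out.append(("wildcard-vip-permit-any", f"{name} acl {vip['acl']}"))
        for (num, proto), opts in vip["ports"].items():
            where = f"{name} port {num} {proto}"
            if "use-rcv-hop-for-resp" not in opts:
                out.append(("missing-use-rcv-hop-for-resp", where))
            groups = [o.split()[1] for o in opts
                      if o.startswith("service-group ") and len(o.split()) > 1]
            if not groups:
                out.append(("no-service-group", where))
            for g in groups:
                if not cfg["groups"].get(g, {}).get("members"):
                    out.append(("empty-service-group", f"{where} -> {g}"))
    return out


if __name__ == "__main__":
    for finding, where in audit(parse(SAMPLE)):
        print(f"{finding}: {where}")
```
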