![Page 1: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/1.jpg)
@cloudops_ www.cloudops.com
Palo Alto Networks firewall orchestration using CloudStack
June 25th, 2013
![Page 2: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/2.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Pre-configure the Palo Alto device• Setup the Public and Private
interfaces on the PA.
• Pre-configure the Public interface according to the Public IP range in CS.
![Page 3: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/3.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Add the PA as a service provider• Add the PA device as
a guest network service provider.
• Enable the provider.
![Page 4: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/4.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Create a Network Offering
• Expose the PA througha network offering.
• PA provides: Source NAT,Static NAT, Port Forwardingand Firewall services.
• Enable the new offering.
![Page 5: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/5.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Use the Palo Alto
• Add a network using the service offering.
• Launch a VM on the new network.
![Page 6: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/6.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Check what happened on the PA• A Source NAT IP is allocated on ‘ae1’.• A guest network has been setup on
‘ae2’.
• A Source NAT rule now connects the guest network to the public IP.
• A policy isolates the guest network.
![Page 7: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/7.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Egress firewall rules
![Page 8: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/8.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Ingress firewall rules
![Page 9: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/9.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Static NAT rules
![Page 10: @cloudops_ Palo Alto Networks firewall orchestration using CloudStack June 25 th, 2013](https://reader036.vdocuments.net/reader036/viewer/2022062718/56649e7c5503460f94b7e7ee/html5/thumbnails/10.jpg)
@cloudops_ www.cloudops.com@cloudops_ www.cloudops.com
Port Forwarding rules