Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing




Deployment Guide AX Series for Palo Alto Networks Firewall Load Balancing DG_PAFWLB_120718.1

TABLE OF CONTENTS

1 Overview
2 Deployment Prerequisites
3 Architecture Overview
4 Access Credentials
5 Configuration Overview
  5.1 External AX Series and PA Series Configuration
  5.2 External AX Series Configuration
    5.2.1 Server Gateway Configuration
    5.2.2 Server Group Configuration
    5.2.3 Virtual Server Configuration
    5.2.4 Access Control List Configuration
    5.2.5 External Wildcard VIP Configuration
  5.3 PA Series Interface Configuration
    5.3.1 Interface Configuration
    5.3.2 Zone Configuration
    5.3.3 Virtual Wire Configuration
    5.3.4 Palo Alto Network Policy Configuration
6 Internal AX Series Configuration
  6.1 Firewall Path Configuration
  6.2 Service Group Configuration
  6.3 Internal Wildcard VIP Configuration
7 Layer 3 Configuration for Firewall Load Balancing
8 Summary and Conclusion
9 Configuration Samples
  9.1 External L2 CLI Configuration
  9.2 Internal AX CLI Configuration

1 OVERVIEW

A10 Networks and Palo Alto Networks offer a comprehensive and detailed solution for high performance Firewall Load Balancing (FWLB). This deployment guide shows how to configure and deploy the A10 Networks AX Series Application Delivery Controller (ADC) with Palo Alto Networks' PA Series Firewall. The tested solution is based on a "sandwich-style" architecture that calls for two or more AX Series appliances to load balance the external and internal zones of a network.

The FWLB deployment described in this guide was tested to work with AX Series 2.6.1. Persistence with certain protocols, e.g. SIP and FTP, is supported in the 2.7.0 release.

For more information on A10 Networks, please visit www.a10networks.com, and for more information on Palo Alto Networks please visit www.paloaltonetworks.com.

2 DEPLOYMENT PREREQUISITES

The FWLB solution tested for this guide consisted of the following:

- AX Series with Release 2.6.1 and 2.7.0 (as mentioned above)
- Palo Alto Networks PA Series Firewall with Release 4.1.6
- Virtual Wire deployment of the Palo Alto Networks appliance

Note: The deployment configuration tested for and presented in this guide is based on one (1) AX Series per zone (internal and external). A10 Networks strongly recommends deploying the AX Series in High Availability (HA) pairs for redundancy.

3 ARCHITECTURE OVERVIEW

This section illustrates a joint FWLB solution using A10 Networks' AX Series appliances with Palo Alto Networks' PA Series Firewalls.

Diagram 1: FWLB load balancing design overview

The following diagram shows a typical packet flow in an AX Series and PA Series FWLB deployment.

Diagram 2: Firewall load balancing traffic call flow

When an internal client sends a request, the internal AX Series selects a PA firewall for the request, and sends the request to the selected firewall. The firewall inspects the request and, if the request is allowed, forwards the request to the external AX Series. The external AX Series then sends the request to the application/internet.

4 ACCESS CREDENTIALS

This section lists the default access credentials for the AX Series and the PA Series.

A10 Networks AX Series access defaults:

- Default username is admin.
- Default password is a10.
- Default management IP address of the device is 172.31.31.31.

Palo Alto Networks PA Series access defaults:

- Default username is admin.
- Default password is admin.
- Default management IP address of the device is 192.168.1.1.

Note: Both AX Series and PA Series appliances can support a Graphical User Interface (GUI) and Command Line Interface (CLI). To access the CLI on the AX Series and PA Series, an SSH client such as putty.exe is required.

5 CONFIGURATION OVERVIEW

This section shows the GUI procedures for configuring the AX Series for the FWLB solution. The procedures are organized as follows:

- External AX Series Configuration
- PA Series Interface Configuration
- Internal AX Series Configuration

The procedures focus on the FWLB-specific portions of the configuration. Configuration of the data interfaces is not shown. However, the sample configurations at the end of this guide include the commands for configuring the AX Series interfaces.

Note: This section assumes the PA Series firewalls are connected to the AX Series at Layer 2.

Note: The AX Series has a feature called Role-Based Administration (RBA) that allows administrators to configure and view network and load balancing resources based on administrative domains (partitions). While the procedures below do not include creation of a partition, the first command line of each sample configuration at the end of this guide creates a partition. RBA may sometimes be referred to as Application Delivery Partitions (ADPs); RBA is an element of an ADP.

5.1 EXTERNAL AX SERIES AND PA SERIES CONFIGURATION

The procedures in this section describe how to configure FWLB on the external AX Series and PA Series.

5.2 EXTERNAL AX SERIES CONFIGURATION

These procedures apply to the section of the topology highlighted in blue in the following diagram.

Diagram 3: External AX configuration

5.2.1 SERVER GATEWAY CONFIGURATION

To create a server configuration for the server gateway:

1. Navigate to Config Mode > Service > SLB > Server.
2. Enter the Name of the Server: "server-gateway".
3. Enter the IP Address/Host: 203.0.113.253.

Note: Health monitoring does not apply to wildcard ports. If you leave health monitoring enabled on a wildcard port, the health check will result in the port being marked down. Client traffic will not reach its destination.

4. Repeat as applicable for any additional server gateways. Make sure to use a unique name and IP address for each configuration.

Diagram 4: AX server configuration

5. In the Port section, enter port number 0 (zero) and select "TCP" from the Type drop-down list. Then click Add.
6. Create a UDP port with port number 0. This is the same as the previous step, except "UDP" instead of "TCP" should be selected.

Note: In IP protocol load balancing, port 0 (zero) is used as a wildcard port and matches on any port number.

Diagram 5: Server port configuration

7. Click OK, then click the Save button at the top of the GUI window to save the configuration.

5.2.2 SERVER GROUP CONFIGURATION

The steps in this section place the client gateways into a service group.

1. Navigate to Config Mode > Service > SLB > Service Group. There are two (2) service groups required in the configuration. In this example, they are named: "sg_tcp" and "sg_udp".

Diagram 6: TCP server group configuration

2. In the Server section:
   a. From the Server drop-down list, select the servers configured in the previous section.
   b. Enter "0" in the Port field.
   c. Click Add, and then click OK.

Diagram 7: Server-group configuration

3. Create a UDP service group. The steps are similar to those above for a TCP service group, except the name is different, and the type is "UDP" instead of "TCP".

Diagram 8: UDP server group configuration

4. Add the firewalls to the UDP service group. For reference, see step 2 above.

Diagram 9: Server group configuration

5. Click OK, and then save the configuration.

5.2.3 VIRTUAL SERVER CONFIGURATION

This section describes how to configure the Virtual IP (VIP). FWLB uses a wildcard VIP. A wildcard VIP has IPv4 address 0.0.0.0 or IPv6 address :: (double colon). Wildcard VIPs also have the following configuration requirements:

- Access Control List (ACL) to specify the traffic allowed to access the VIP (described in the following subsection)
- Promiscuous mode on the interface connected to clients (shown in the sample configurations at the end of the guide)

Note: For simplicity, this guide uses an ACL that permits all traffic. You can more tightly control traffic by using more specific source and destination information in the ACL.

5.2.4 ACCESS CONTROL LIST CONFIGURATION

This section shows how to configure the ACL for the wildcard VIP.

1. Navigate to Config Mode > Network > ACL > Extended.
2. Click Add.

3. Enter or select the following values:
   - ACL ID: "100"
   - Select Entry Action: Permit
   - Protocol: IP
   - Source Address: Any
   - Destination Address: Any
   - VLAN ID: VLAN ID, if applicable

Diagram 10: ACL configuration

4. Click OK, and then save the configuration.

5.2.5 EXTERNAL WILDCARD VIP CONFIGURATION

This section describes how to configure the wildcard VIP on the external AX Series.

1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.

3. Enter or select the following values:
   - Name: "outside_in_to_out".
   - Wildcard: Select this checkbox to display the Access List drop-down list.
   - Access List: Select the ACL configured in the previous section.
   - IPv4/IPv6: Select the applicable IP version.

Diagram 11: Wildcard VIP configuration

4. In the Virtual Server Port section, click Add and enter the virtual port information for the TCP virtual port:
   - Type: TCP.
   - Port: 0.
   - Service Group: "sg-tcp".
   - Use default server selection when preferred method fails: Select this option to enable it.
   - Use received hop for response: Select this option to enable it.

Diagram 12: Virtual server TCP port configuration

5. Click OK.
6. Click Add to add the UDP wildcard port. Select "UDP" as the Type and select Service Group "sg-udp".

Diagram 13: Virtual server UDP port configuration

Note: The use received hop for response option is required in FWLB. This option sends replies to clients back through the last hop on which the request for the virtual port's service was received.

7. Click OK, and then save the configuration.
8. To validate the configuration, navigate to Config Mode > SLB > Virtual Service.

Diagram 14: Validate configuration

Note: The virtual service name is assigned automatically.

5.3 PA SERIES INTERFACE CONFIGURATION

This section shows how to configure the PA Series firewalls. Configuration consists of the following items:

- Zone
- Interface Configuration
- Policies

The configuration settings for each item must be the same on each firewall. The only settings that should differ are network settings such as IP addresses.

Note: Although not shown in this guide, you can also deploy the firewalls in HA mode for quick configuration synchronization to all in-service firewalls.

Diagram 15: Palo Alto Networks diagram

5.3.1 INTERFACE CONFIGURATION

On the PA Series:

1. Navigate to Network > Interfaces.
2. Select the interface you wish to use for Virtual Wire.
3. On the Interface Type drop-down menu, select Virtual Wire.

Diagram 16: Palo Alto Ethernet interface configuration

4. Click OK and save the configuration.

Diagram 17: Palo Alto Zone configuration

9. Click OK and save the configuration.

5.3.2 ZONE CONFIGURATION

On the PA Series:

10. Navigate to Network > Zone.
11. Click Add.
12. Create the following configurations for Names, Locations and Type:

Table 1: Trusted and untrusted zone requirements for Palo Alto Network Appliance

Note: The "Trusted" network segment is located in the internal section of the network topology. The "Untrusted" network segment is the external section of the network topology; see Diagram 15 above. The steps have to be repeated for both interfaces. Interfaces have to be assigned to trust and untrust interfaces.

On the PA Series, the "vsys" is equivalent to an RBA partition on the AX Series. On the PA Series, partitions such as "vsys1" from the example above can be created dynamically.

5.3.3 VIRTUAL WIRE CONFIGURATION

To configure the Virtual Wire:

1. Navigate to Network > Virtual Wires.
2. Click Add.
3. Enter the Name of the Virtual Wire: FWLB
4. From the Interface 1 menu, select the interface you have created for outbound.
5. From the Interface 2 menu, select the interface you have created for inbound.
6. Click OK and save the configuration.

5.3.4 PALO ALTO NETWORK POLICY CONFIGURATION

This section shows how to configure the security policy rules of the firewall.

1. Navigate to "Policies" and click Add.
2. Enter the following configuration values for the traffic you wish to allow or deny. The following policy information is required:
   - General
   - Source
   - User
   - Destination
   - Application
   - Service/URL Category
   - Actions

Diagram 18: Palo Alto Networks policy configuration

Note: Every network will have its own policy, so the configuration within the Palo Alto Networks appliance will be used as a reference configuration.

3. Click Save to commit the configuration.

6 INTERNAL AX SERIES CONFIGURATION

This section shows how to configure the internal AX Series for FWLB. These procedures apply to the section of the topology highlighted in blue in the following diagram.

Diagram 19: FWLB internal AX overview

6.1 FIREWALL PATH CONFIGURATION

To create server configurations for the paths through the firewalls:

1. Navigate to Config Mode > SLB > Server.
2. Click Add.
3. Enter Name: "FW1_PATH"
4. Enter the IP Address/Host: 5.1.3.2

Diagram 20: Internal server configuration

5. Click OK and save the configuration.
6. In the Port section, enter port number 0 (zero) and select "TCP" from the Type drop-down list. Then click Add.
7. Click OK and save the configuration.

Diagram 21: Internal AX TCP port configuration

8. Create a UDP port with port number 0. This is the same as the previous step, except "UDP" instead of "TCP" should be selected.

Diagram 22: Internal AX UDP port configuration

6.2 SERVICE GROUP CONFIGURATION

To configure the service group for the firewall paths:

1. Navigate to Config Mode > SLB > Service Group.
2. Enter the following values:
   - Name: "LB_Paths_TCP"
   - Type: TCP
   - Algorithm: Round Robin

Note: The AX Series also comes with other algorithm options such as Least Connection, Least Request, and so on.

3. In the Server section, add each of the firewall paths (server configurations).

Diagram 23: AX service group TCP configuration

4. Click OK and save the configuration.
5. Create a UDP service group. The steps are similar to those above for a TCP service group, except the name is different, and the type is "UDP" instead of "TCP".

6. Click OK and save the configuration.

Diagram 24: AX service group UDP configuration

6.3 INTERNAL WILDCARD VIP CONFIGURATION

This section describes how to configure the wildcard VIP on the internal AX Series.

1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.
3. Enter or select the following values:
   - Name: "wildcard_v4_101_server"
   - Wildcard: Select this checkbox to display the Access List drop-down list.
   - Access List: Select the ACL configured in the previous section.
   - IPv4/IPv6: Select the applicable IP version.

Note: The example name shown above indicates that this wildcard VIP is for IPv4 and uses ACL 101. Configuration of the ACL is not shown here. However, the steps are the same as those in Access Control List Configuration.

4. In the Virtual Server Port section, click Add and enter the virtual port information for the TCP virtual port:
   - Type: TCP.
   - Port: 0.
   - Service Group: "LB_Paths_TCP".
   - Use default server selection when preferred method fails: Select this option to enable it.
   - Use received hop for response: Select this option to enable it.

Note: The use received hop for response option is required in FWLB. This option sends replies to clients back through the last hop on which the request for the virtual port's service was received.

Diagram 25: AX virtual server TCP port configuration

5. Click Add to add the UDP wildcard port. Select "UDP" as the Type and select Service Group "LB_Paths_UDP".

Diagram 26: AX virtual server UDP port configuration

6. Click OK and save the configuration.

This is how the wildcard VIP configuration should appear after the steps above:

Diagram 27: Internal VIP wildcard configuration

7 LAYER 3 CONFIGURATION FOR FIREWALL LOAD BALANCING

The AX Series also supports Layer 3 connection to the firewalls. In this case, configure Layer 3 interfaces for untagged routed traffic, and define Layer 3 sub-interfaces for traffic with specific VLAN tags. These configuration changes can be made by navigating to Network > Interfaces > Interfaces.

In a Layer 3 firewall configuration, the Palo Alto appliance has to be configured such that Layer 3 interfaces are added for untagged routed traffic and sub-interfaces for traffic with specific VLAN tags.

For detailed information on Layer 3 deployment, contact your Palo Alto Networks SE or refer to the Palo Alto Networks Administration Guide.

8 SUMMARY AND CONCLUSION

The sections above show how to deploy the AX device with the Palo Alto Networks device for optimized Firewall Load Balancing. By using the AX device to load balance a pool of Palo Alto Networks appliances, the following key advantages are achieved:

- High-availability for firewalls to prevent downtime and access failure, with no adverse impact on user access to applications
- Seamless distribution of client traffic across multiple firewall appliances for site scalability
- Higher connection counts and overall scalability
- Improved site performance and availability to end users

For more information about AX Series products, please refer to the following URLs:

http://www.a10networks.com/products/axseries.php
http://www.a10networks.com/resources/solutionsheets.php
http://www.a10networks.com/resources/casestudies.php

9 CONFIGURATION SAMPLES

This section shows sample configuration files for the internal and external AX devices.

9.1 EXTERNAL L2 CLI CONFIGURATION

hostname 3000-11.78
clock timezone America/Los_Angeles
# customer should setup their own vlan number scheme. This setup will require at least 4 vlans.
# The vlan IDs and IP addresses that you see in this configuration are all made up.
vlan 16
 untagged ethernet 18 to 19
 router-interface ve 16
access-list 100 permit ip any any vlan 2
access-list 100 permit ip any any vlan 3
interface management
 ip address 192.168.223.78 255.255.255.192
 ip default-gateway 192.168.223.65
interface ethernet 4
interface ethernet 5
interface ethernet 6
interface ethernet 7
interface ethernet 8
interface ethernet 9
interface ethernet 10
interface ethernet 11
interface ethernet 12
interface ethernet 13
interface ethernet 14
interface ethernet 15
interface ethernet 16
interface ethernet 18
 ip allow-promiscuous-vip
interface ethernet 19
 ip allow-promiscuous-vip
interface ethernet 20
interface ve 16
 ip address 203.0.113.78 255.255.0.0
 ip allow-promiscuous-vip
tftp blksize 32768
slb server server-gateway 203.0.113.253
 port 0 udp
  no health-check
 port 0 tcp
  no health-check
slb service-group sg-tcp tcp
 member server-gateway:0
slb service-group sg-udp udp
 member server-gateway:0
slb virtual-server outside_in_to_out 0.0.0.0 acl 100
 port 0 tcp
  name _wildcard_v4_tcp_65535
  service-group sg-tcp
  use-rcv-hop-for-resp
  use-default-if-no-server
  no-dest-nat
 port 0 udp
  name _wildcard_v4_udp_65535
  service-group sg-udp
  use-rcv-hop-for-resp
  no-dest-nat
enable-management service ssh ve 16
no terminal auto-size
terminal width 80
terminal length 25
end

9.2 INTERNAL AX CLI CONFIGURATION

hostname 3000-11.79
clock timezone America/Los_Angeles
# customer should setup their own vlan number scheme. This setup will require at least 4 vlans.
# The vlan IDs and IP addresses that you see in this configuration are all made up.
access-list 100 permit ip any any vlan 274
interface management
 ip address 192.168.223.79 255.255.255.192
 ip default-gateway 192.168.223.65
interface ethernet 3
interface ethernet 4
interface ethernet 5
interface ethernet 6
interface ethernet 7
interface ethernet 8
interface ethernet 9
interface ethernet 10
interface ethernet 11
interface ethernet 12
interface ethernet 13
interface ethernet 14
interface ethernet 15
interface ethernet 16
interface ethernet 17
interface ethernet 18
interface ethernet 19
interface ethernet 20
interface ve 2
 ip address 192.0.2.1 255.255.255.240
interface ve 3
 ip address 192.0.2.17 255.255.255.240
interface ve 4
 ip address 192.0.2.1 255.255.255.0
ip route 0.0.0.0 /0 192.0.2.2
tftp blksize 32768
slb server FW1_route 192.0.2.18
 port 0 tcp
  no health-check
 port 0 udp
  no health-check
slb server FW2_route 192.0.2.2
 port 0 tcp
  no health-check
 port 0 udp
  no health-check
slb service-group LB_Paths_UDP udp
 member FW1_route:0
 member FW2_route:0
# TCP firewall paths (section 6.2, step 3): same members as the UDP group
slb service-group LB_Paths_TCP tcp
 member FW1_route:0
 member FW2_route:0
slb virtual-server wildcard_v4_101_vserver 0.0.0.0 acl 100
 port 0 tcp
  name Inside_in_to_out
  # section 6.3, step 4: the TCP virtual port uses service group LB_Paths_TCP
  service-group LB_Paths_TCP
  use-rcv-hop-for-resp
  use-default-if-no-server
  no-dest-nat
 port 0 udp
  name Inside_in_to_out_UDP
  service-group LB_Paths_UDP
  use-rcv-hop-for-resp
  use-default-if-no-server
  no-dest-nat
no terminal auto-size
terminal width 80
terminal length 25
end
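
The conditions this guide calls out for wildcard ports and wildcard VIPs (sections 5.2.1, 5.2.3, 5.2.5 and 6.3) can be checked mechanically against a saved configuration. The Python script below is an added example, not A10 Networks or Palo Alto Networks code; it assumes sub-commands are indented under their parent command, and the sample configuration and the finding names are constructed for illustration.

```python
import re

# Constructed sample in the style of the section 9 listings (not a real device's config).
SAMPLE_CONFIG = """\
access-list 100 permit ip any any vlan 2
slb server server-gateway 203.0.113.253
 port 0 udp
  no health-check
 port 0 tcp
slb virtual-server outside_in_to_out 0.0.0.0 acl 100
 port 0 tcp
  service-group sg-tcp
  use-rcv-hop-for-resp
  no-dest-nat
 port 0 udp
  service-group sg-udp
  no-dest-nat
"""


def parse_blocks(text):
    """Return [(top-level command, [indented sub-command, ...]), ...]."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue  # blank lines, separators and annotations
        if raw[0] not in " \t":
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(" ".join(line.split()))
    return blocks


def ports(children):
    """Group sub-commands under the 'port N proto' line that precedes them."""
    grouped, current = {}, None
    for line in children:
        if line.startswith("port "):
            current = line
            grouped[current] = []
        elif current is not None:
            grouped[current].append(line)
    return grouped


def audit(text):
    """Return (finding, object) pairs for the conditions the guide describes."""
    blocks = parse_blocks(text)
    open_acls = set()  # ACL numbers that contain a "permit ip any any" entry
    for header, _ in blocks:
        m = re.match(r"access-list (\d+) permit ip any any\b", header)
        if m:
            open_acls.add(m.group(1))
    findings = []
    for header, children in blocks:
        words = header.split()
        if words[:2] == ["slb", "server"] and len(words) > 2:
            # 5.2.1: a health check left on a wildcard port marks the port down.
            for port, subs in ports(children).items():
                if port.split()[1] == "0" and "no health-check" not in subs:
                    findings.append(("health-check-on-wildcard-port", f"{words[2]} {port}"))
        elif (words[:2] == ["slb", "virtual-server"] and len(words) > 3
              and words[3] in ("0.0.0.0", "::")):
            name = words[2]
            # 5.2.3: the ACL decides which traffic may reach the wildcard VIP.
            if "acl" in words[4:-1] and words[words.index("acl", 4) + 1] in open_acls:
                findings.append(("wildcard-vip-acl-permits-any", name))
            for port, subs in ports(children).items():
                # 5.2.5 / 6.3: this option is required in FWLB.
                if "use-rcv-hop-for-resp" not in subs:
                    findings.append(("missing-use-rcv-hop-for-resp", f"{name} {port}"))
                # 5.2.5 / 6.3: each virtual port is assigned a service group.
                if not any(s.startswith("service-group ") for s in subs):
                    findings.append(("missing-service-group", f"{name} {port}"))
    return findings


if __name__ == "__main__":
    for finding, obj in audit(SAMPLE_CONFIG):
        print(f"{finding}: {obj}")
```

The wildcard-vip-acl-permits-any finding corresponds to the guide's own simplification in section 5.2.3; treat it as a prompt to narrow the ACL's source and destination before production use.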