Data Center Automation with the VM-Series



Tech Note, PAN-OS 5.0, Revision A
2012, Palo Alto Networks, Inc. www.paloaltonetworks.com

Contents

- Overview ... 3
- Process ... 3
- Creating the Gold Standard ... 3
  - Initial Deployment ... 3
  - Licensing and Upgrading ... 4
  - Initial Configuration ... 4
  - Create the Pool ... 4
- Automated Deployment ... 8
  - Step 1: Convert to Virtual Machine ... 9
  - Step 2: Assign Unique IP Address ... 9
  - Step 3: Move the VM-Series to the New ESXi Host ... 10
  - Step 4: Push Panorama Template ... 11
- Summary ... 11

Overview

In a dynamic virtual data center, moves, adds, and changes happen rapidly. If the firewall could only be deployed manually, it would add an unacceptable bottleneck to data center processes. This Tech Note explains how to automate the deployment of a new VM-Series virtual firewall, including a method of creating an initial gold standard firewall.

Process

At a high level, automating VM-Series deployments requires 1) the creation of a gold standard firewall template and 2) an inventory of cloned gold standard firewalls. Once the gold standard has been created manually and the inventory populated, firewalls can be deployed automatically from the inventory. The entire process is outlined below.

[Figure: two parallel flow charts, "Gold Template Creation" and "Automated VM-Series Deployment", each running from Start to Complete. The steps, in order, are:]

Gold Template Creation:
1. vSphere Client: deploy a new VM-Series firewall from the OVF.
2. vSphere Client: power on the VM-Series firewall.
3. vSphere Client console: configure the initial settings (IP, netmask, gateway, update server).
4. Web UI: bulk license the firewall, upgrade to the gold standard version, graceful shutdown.
5. vSphere Client: convert to template, clone the template (1 to n).

Automated VM-Series Deployment:
1. vCenter API: convert the template to a guest.
2. PAN-OS REST API: assign a unique network configuration, graceful shutdown.
3. vCenter API: move the VM-Series firewall to the destination host, power on the firewall.
4. Panorama: push the template to the firewall.

Inputs named alongside the steps in the figure: OVF template, temporary host, vSphere credentials, template, staging host, staging switch, guest name, staging IP, new IP/mask/gateway, update server, Panorama config, firewall credentials, authorization code, firewall guest name, destination host, destination port group, new firewall IP, firewall management IP, and Panorama credentials.

Creating the Gold Standard

Initial Deployment

The first step is to deploy an initial instance of a VM-Series firewall from the downloaded OVF. This process is covered in the admin guide and the VM-Series Deployment Tech Note and won't be repeated here.

Licensing and Upgrading

After the first VM-Series instance has been deployed and the initial configuration has been committed, the VM-Series firewall will need to be licensed. The steps to license are:

1. Get the capacity auth-code.
2. Ensure that Device > Setup > Services > Update Server is set to updates.paloaltonetworks.com.
3. Go to Device > Licenses > Activate feature using auth code and enter the auth-code.
4. Once the device reboots and has a serial number, apply the Support auth-code using step 3.
5. Once this is done, Device > Software > Check Now will show the list of latest software updates.

The next step is to upgrade the VM-Series to the PAN-OS version you will be standardizing on for your data center. All future automated VM-Series deployments will use this initial firewall as a template and will therefore run this version of software. When a new software version is adopted in the future for your data center, you will need to upgrade the templates to ensure all future automated deployments are compliant with the new standard.

Initial Configuration

At this point, the VM-Series instance should be given all configuration details that will be common to all future automated data center deployments. Examples of items to consider include:

- Administrator accounts
- Panorama/log server(s)
- DNS, NTP, update servers
- Common security policy, including
  - any data center standardized zones
  - any data center wide whitelisted or blacklisted applications
- Common addresses and address groups

In some cases, it might be beneficial to include a configuration element even if it will need to be modified later. It might take less scripting and less time to modify a configuration you create manually now than to create it completely from scratch later. As with the software version chosen above, the template configurations will need to be updated and maintained as data center standards and policies evolve over time.
Create the Pool

The initial VM-Series instance is now the gold standard for the data center. Its configuration should be backed up and changes should be frozen. The next step is to convert the gold standard to a vCenter Server template. This type of template can be stored on a vSphere datastore. Ideally, you should choose a datastore that is shared by the hosts that will eventually run the new VM-Series deployments. If the gold standard is stored on a datastore that is not shared by the target hosts, each automated deployment will require a copy of the virtual machine from one datastore to another, greatly increasing the time to deploy (from seconds to several minutes, depending on bandwidth, storage contention, etc.).

To convert the gold standard to a template you will need to first shut down the firewall. This can be done in the CLI or Web UI as shown.

    warby@phx> request shutdown system
    Warning: executing this command will leave the system in a shutdown state. Power must be removed and reapplied for the system to restart.
    Do you want to continue? (y or n)
    Broadcast message from root (pts/0) (Tue Jun 12 10:03:42 2012):
    The system is going down for system halt NOW!

Depending on your data center and VM-Series deployment design, it might be helpful to maximize the VMNICs in vSphere at this point. Each time a new VMNIC is added to a VM-Series virtual machine, the firewall must be rebooted before the VMNIC can be used. By adding the maximum number of VMNICs (currently VMware limits this to ten total), you can eliminate the need for one or more future reboots. It may help to tie the as yet unused interfaces to a virtual port group that is always available for this purpose. The downside to this strategy is the pre-allocation of virtual switch ports that may never be needed, but this is a small penalty for most vSphere deployments. Make sure to choose VMXNET3 each time.

Next, use the vSphere Client to connect to vCenter Server and convert the firewall to a template.

Next, you will need to clone the template to populate the gold standard pool. Select the host on the next screen (it is used to verify that the required networks are available). Then select the datastore where the template will be stored. Again, ideally this will be a datastore shared by the future target hosts.

Review the settings and select Finish. Repeat the cloning process until your template pool is full. The size of the pool will depend on several factors, including where your shared datastores are located, how frequently firewalls will be deployed, the size of your data center, your license type for the VM-Series, etc. For example, if you have one large shared datastore you might need a pool of five or ten gold standard templates. On the other hand, if you have several ESXi clusters with separate datastores, you might be better off with multiple gold standard template pools of only two or three templates each.

Each time a gold standard template is used, it is converted from a template to a virtual machine. This can happen in less than ten seconds (the boot time will take longer than the actual deployment). After each deployment, your script will need to kick off a background cloning process to replenish the inventory. This process will take longer (several minutes) but is not in the critical path of the automated deployment process.

Automated Deployment

Now that the gold standard template pool is fully populated, the automated processes can take over. These processes should be part of an overall data center orchestration strategy that coordinates the deployment, maintenance and removal of servers, firewalls and network infrastructure (physical and virtual).

In the One-VM-Series-per-Host data center model, each ESXi host has one VM-Series deployment with enough layer 2 interfaces for each VLAN (or subnet, or server). In this model, the VM-Series is only deployed during the initial setup of a new ESXi host. The automated steps to deploy a new VM-Series are as follows.

Step 1: Convert to Virtual Machine

The first step is to convert a gold standard template into a running machine. This can be done with the vSphere API. In the following example, the Perl vSphere Software Development Kit (SDK) is used. The required command line options for the Perl script are:

- Hostname or IP
- Name of the template
- Uniform resource locator (URL) of the vSphere API
- Credentials
- Target pool

The following example converts the template PHX 2 to a new virtual machine using the vmtemplate.pl script provided with the vSphere Perl SDK:

    /usr/lib/vmware-vcli/apps/vm/vmtemplate.pl --host <<hostname>> --vmname 'PHX 2' \
        --url https://<<vcenter-ip>>:443/sdk/vimservice --username administrator \
        --password <<password>> --operation VM --pool <<pool-name>>

After the new VM-Series firewall has been deployed, it will need to be powered on again using the vSphere Perl SDK:

    /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --url https://<<vcenter-ip>>:443/sdk/vimservice \
        --host <<hostname>> --username administrator --password <<password>> \
        --vmname 'PHX 2' --operation poweron

Once PAN-OS has finished loading, the new VM-Series firewall will be reachable only on its temporary IP address.

Step 2: Assign Unique IP Address

Because the firewall will always have the same initial IP address (192.168.1.1), it will need to be on a separate virtual switch with access only to the server running the vSphere SDK scripts. If the management interface is tied to a shared virtual switch, it could create an address conflict (or simply be unreachable). Initially, the new VM-Series instance will have a non-unique IP address on a dead-end virtual switch. Next, the VM-Series firewall will be given a unique management interface IP address (and default gateway) using the PAN-OS XML API. Finally, the new VM-Series firewall can be safely moved to the shared management virtual switch using the vSphere SDK. These three steps are illustrated below.

[Figure: three panels showing the same ESXi host. In each panel the vSphere SDK server has 15.0.0.100/24 on the Management Virtual Switch and 192.168.1.2/24 on the Deployment Virtual Switch. 1: New VM-Series, Non-Unique IP: the new firewall is on the Deployment Virtual Switch as 192.168.1.1/24. 2: New VM-Series, Unique IP: the new firewall is still on the Deployment Virtual Switch, now as 15.0.0.101/24. 3: New VM-Series, Management Virtual Switch: the new firewall has been moved to the Management Virtual Switch as 15.0.0.101/24.]

To assign the unique IP address, the PAN-OS XML API is used. In the example below I used the PAN-Perl package:

    /phoenix/pan-perl-20120107/bin/panxapi -h 192.168.1.1 -K "<<API-key>>" \
        -S "<ip-address>15.0.0.101</ip-address>" \
        "/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system"
    /phoenix/pan-perl-20120107/bin/panxapi -h 192.168.1.1 -K "<<API-key>>" -C "<commit></commit>"

Finally, the management interface of the new VM-Series firewall needs to be moved to the management virtual switch, so we are back to the vSphere Perl SDK:

    /usr/lib/vmware-vcli/apps/vm/updatevmportgroup.pl --url https://<<vcenter-ip>>:443/sdk/vimservice \
        --username administrator --password <<password>> --server <<vcenter-ip>> \
        --vmname "PHX 2" --vnic 1 --portgroup "Management Virtual Switch"

Step 3: Move the VM-Series to the New ESXi Host

In this step, the new VM-Series firewall is ready to be placed on the new ESXi host. Because I used a datastore that is common to both the staging host and the destination host, no storage copying is required. I simply need to power down the firewall, migrate it to the new host, and then power it up. Because the VM-Series firewall cannot run VMware Tools, hot migration (i.e. vMotion) is not an option here. But this is a new firewall that is not yet in production, so vMotion is not a requirement.

First, I shut down the firewall using the PAN-OS XML API:

    /phoenix/pan-perl-20120107/bin/panxapi -h 15.0.0.101 -K "<<API-key>>" \
        -C "<request><shutdown><system></system></shutdown></request>"

Next, I migrated it to the destination host using the vSphere Perl SDK:

    /usr/lib/vmware-vcli/apps/vm/vmmigrate.pl --url https://<<vcenter-ip>>:443/sdk/vimservice \
        --username administrator --password <<password>> \
        --sourcehost <<source>> --targethost <<destination>> --vmname 'PHX 2'

Finally, I boot the VM-Series firewall one last time:

    /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --url https://<<vcenter-ip>>:443/sdk/vimservice \
        --host <<newhost>> --username administrator --password <<password>> \
        --vmname 'PHX 2' --operation poweron

Step 4: Push Panorama Template

At this point, the VM-Series firewall is up and running with a unique management IP address. How to proceed from here will vary widely depending on your requirements, but a common approach is to now use Panorama to push a template with common configuration elements. The gold standard VM-Series template should include the configuration elements for Panorama. If that can't be included (perhaps because there is more than one possible Panorama to choose from), then the PAN-OS XML API can be used to configure the VM-Series firewall to use the correct Panorama server. In addition, Panorama will need to have the serial number of the new VM-Series firewall. The serial number can be extracted through the VM-Series XML API and added to Panorama using the Panorama XML API.

An alternative to Panorama would be to use the VM-Series XML API to push configuration elements as needed. This again will be heavily dependent on run time specifics, and examples are not shown here.

Summary

Using a combination of the vSphere API and the PAN-OS API, most and possibly all VM-Series firewall operations can be fully integrated with data center orchestration. Operations like creating a new firewall, applying an initial configuration, applying common security policy and maintaining that policy can all be automated. In a large, dynamic data center with a high rate of change, this automation not only improves response times for firewall changes but also reduces the chance of outages caused by firewall administrator errors. Any data center orchestration strategy should include the VM-Series as part of the automated infrastructure, and the VM-Series firewalls should be treated like any other part of the data center infrastructure.
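As an added example for Steps 2 through 4 above (not code from the Tech Note or from Palo Alto Networks): the PAN-OS XML API calls that the panxapi commands issue (set the management address, commit, read the serial number Panorama needs, halt), written in Python with the HTTP transport injected so the sequence can be run offline against constructed responses. The function names, the netmask and gateway values, and the constructed serial number are assumptions; the request parameters and the XPath are those of the PAN-OS XML API.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# XPath of the system settings node the Tech Note targets with panxapi -S.
SYSTEM_XPATH = "/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system"

def api_url(host, api_key, params):
    """GET URL for one PAN-OS XML API call: https://<host>/api/?type=...&key=..."""
    return "https://%s/api/?%s" % (host, urlencode(dict(params, key=api_key)))

def set_mgmt_address(ip, netmask, gateway):
    """Config 'set' request for the unique management IP, netmask and default gateway."""
    element = ("<ip-address>%s</ip-address><netmask>%s</netmask>"
               "<default-gateway>%s</default-gateway>" % (ip, netmask, gateway))
    return {"type": "config", "action": "set", "xpath": SYSTEM_XPATH, "element": element}

def commit():
    return {"type": "commit", "cmd": "<commit></commit>"}

def show_system_info():
    return {"type": "op", "cmd": "<show><system><info></info></system></show>"}

def shutdown_system():
    return {"type": "op", "cmd": "<request><shutdown><system></system></shutdown></request>"}

def check(response_xml):
    """Parse a response and refuse to continue unless it reports status="success"."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        detail = root.findtext(".//line") or root.findtext(".//msg") or "no detail"
        raise RuntimeError("PAN-OS API call failed: " + detail)
    return root

def stage_firewall(send, staging_ip, new_ip, netmask, gateway):
    """Step 2, plus the serial lookup Step 4 needs: reach the firewall on its
    temporary address, assign the unique address, commit, read the serial number
    for Panorama, then halt the guest so vSphere can move it (Step 3). A failed
    commit raises before the halt, so a half-configured guest is never moved to
    the shared management switch. 'send(host, params)' is the injected transport."""
    check(send(staging_ip, set_mgmt_address(new_ip, netmask, gateway)))
    check(send(staging_ip, commit()))
    serial = check(send(staging_ip, show_system_info())).findtext("./result/system/serial")
    if not serial:
        raise RuntimeError("no serial number reported; the firewall is not licensed yet")
    check(send(staging_ip, shutdown_system()))
    return serial

def constructed_firewall(serial="CONSTRUCTED-SERIAL-0001", commit_ok=True):
    """Constructed stand-in for a firewall (hypothetical): canned XML API responses
    in the real response shape, plus a log of the calls made against it."""
    calls = []

    def send(host, params):
        calls.append((host, params["type"]))
        if params["type"] == "commit" and not commit_ok:
            return '<response status="error"><msg><line>validation error</line></msg></response>'
        if params["type"] == "op" and "<info>" in params["cmd"]:
            return ('<response status="success"><result><system><serial>%s</serial>'
                    '</system></result></response>' % serial)
        return '<response status="success"><result/></response>'
    return send, calls
```

Against a real firewall the transport would fetch `api_url(host, key, params)` over HTTPS; the staging address 192.168.1.1 and the new address 15.0.0.101 are the ones used in the Tech Note.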