Palo Alto internal VM with Network segmentation

Introduction:

This article describes setting up a Palo Alto (PA) VM inside the Nodegrid to segment the traffic of different virtual networks. The public IP is passed through to the internal PA, which allows access to all internal networks configured behind the PA.


Figure 1

Design:

In this design the backplane connection is used as a trunk that carries all the VLANs between the PA VM and the netS# Ethernet ports or the internal Nodegrid-defined interfaces.

Configuration:

Configure backplane 0 or 1 (bp0 or bp1) as the trunk; in this example backplane1 (bp1) is used. In the Nodegrid Web UI select Network::Switch::VLAN, then click Add to add a VLAN.
Enter the VLAN number, then add backplane1 as Tagged together with any netS port that belongs to the same VLAN. Repeat this for all other VLANs and Save after each configuration.


Figure 2



Create a bridge on the trunk connection (bp1); this bridge will be passed to the PA as an interface. In the Nodegrid Web UI select Network::Connections, then click Add.





Required fields to be set in this configuration:
      Name = INTERNAL (example)
      Type = Bridge
      Connect Automatically = (checked)
      IPv4 Mode = No IPv4 Address
      Bridge Interfaces = backplane1 (since backplane1 is used for the trunk)
      Enable Spanning Tree Protocol = (unchecked)
      The interface name br1 shown in the figure above is assigned by the Nodegrid and does not appear in the configuration.

The Palo Alto VM configuration below shows an example of the interfaces that are passed through to the PA from the Nodegrid (NG). From the console, as the admin user, run "shell sudo su -" to enter the root shell, then run:
virsh edit <Palo Alto VM name>
The VM name can be seen with the command "virsh list" at the Nodegrid root prompt.


Figure 4

Above are the VM interfaces passed into the PA. The bridge is passed in as the second data interface of the PA.
In the PA, under Network::Interfaces, create a Layer 2 subinterface and attach a VLAN interface to that subinterface.

Figure 5

Assign an IP address to this VLAN interface, as shown in the example in Figure 6.

Figure 6


Testing connectivity between the PA and the Nodegrid VLAN interface:

Figure 7

An IP address has now been assigned to the PA subinterface; next, the matching VLAN interface needs to be created on the Nodegrid.
In the Nodegrid Web UI select Network::Connections and click Add to add the interface.


Figure 8
Required parameters for creating the VLAN interface on the br1 bridge:

      Name = VLAN2-intf1 (or another helpful name)
      Type = VLAN
      Interface = br1 (the bridge interface created between the Nodegrid and the PA)
      Connect Automatically = (checked)
      IPv4 Mode = Static, 10.10.1.1/24, with a gateway IP address in the same network as the address assigned to the PA
      VLAN ID = 2 (the same VLAN as assigned to the PA VLAN interface)
Save the configuration.

Open a console to the Nodegrid and enter the root shell with "shell sudo su -". From here, ping can be tested to the PA VLAN interface.

Ping from the Nodegrid to the PA VLAN interface

From the Nodegrid Web UI Access tab, open a console to the PA VM and ping from the PA VLAN interface to the Nodegrid VLAN interface.
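Before relying on the ping test, it helps to verify the three things the procedure above depends on. The helpers below are an added example, not part of the original article or of Nodegrid itself: they run in the Nodegrid root shell and check that backplane1 is a member of the bridge handed to the PA, that the Nodegrid VLAN interface carries VLAN ID 2, and that the PA VM's libvirt definition attaches that bridge. They assume the standard iproute2 and virsh tools are available in the root shell and that the Linux interface name of the VLAN connection is VLAN2-intf1; the sample output they are run against here is constructed.

```sh
#!/bin/sh
# Added verification helpers (not from the original article). Run in the Nodegrid
# root shell ("shell sudo su -") after the configuration above. br1, backplane1,
# VLAN2-intf1 and VLAN id 2 are the article's example values; the Linux name of
# the VLAN connection is an assumption, adjust it for your unit. Each check reads
# command output from a file so it can be tried on constructed samples first, e.g.:
#   bridge link show > /tmp/bl.txt; has_bridge_member /tmp/bl.txt br1 backplane1
#   ip -d link show > /tmp/ip.txt;  vlan_id_of /tmp/ip.txt VLAN2-intf1
#   virsh dumpxml <PA VM name> > /tmp/vm.xml; vm_uses_bridge /tmp/vm.xml br1

# has_bridge_member FILE BRIDGE PORT: succeeds if PORT lists "master BRIDGE"
has_bridge_member() {
    grep -Eq "^[0-9]+: $3(@[^ :]+)?: .* master $2( |$)" "$1"
}

# vlan_id_of FILE IFACE: prints the 802.1Q id of IFACE (empty if not a VLAN interface)
vlan_id_of() {
    awk -v ifc="$2" '
        /^[0-9]+: / { inside = (index($0, ": " ifc "@") > 0) }
        inside && /vlan protocol 802\.1Q id [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "id") { print $(i + 1); exit }
        }' "$1"
}

# vm_uses_bridge FILE BRIDGE: succeeds if the domain XML contains <source bridge='BRIDGE'/>
vm_uses_bridge() {
    grep -Eq "<source bridge=['\"]$2['\"] */>" "$1"
}

# Constructed sample output (not captured from a real unit) for offline checking
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bridge_link.txt" <<'EOF'
3: backplane1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br1 state forwarding priority 32 cost 100
EOF
cat > "$SAMPLE_DIR/ip_link.txt" <<'EOF'
2: backplane1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br1 state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1
7: VLAN2-intf1@br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 2 <REORDER_HDR>
EOF
cat > "$SAMPLE_DIR/domain.xml" <<'EOF'
<interface type='bridge'>
  <source bridge='br1'/>
  <model type='virtio'/>
</interface>
EOF
```

A failed bridge-membership or VLAN-id check explains a silent ping failure better than the ping itself does, since the PA subinterface and the Nodegrid VLAN interface must agree on both the trunk bridge and the 802.1Q tag.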





