PaloAlto VM installation in the Nodegrid

Why have a PaloAlto VM in the Nodegrid

Having a PaloAlto VM running in the Nodegrid provides a secured OOB network, stopping back-door access into the production network. Beyond securing the OOB network, the PaloAlto VM can also secure the production network at the branch location.

Preliminary

Before installing the PaloAlto (PA) VM on a Nodegrid, the available resources of the Nodegrid must meet the minimum requirements for the chosen VM-Series model.
VM-Series Model       CPUs   Minimum Memory   Minimum Hard Drive
VM-50                 4      16GB             128GB System or dedicated
VM-100 / VM-200       4      16GB             128GB System or dedicated
VM-300 / VM-1000-HV   4, 8   16GB             128GB System or dedicated
VM-500                8      32GB             128GB System or dedicated

Minimum network interfaces (all models):
  1-Management
  1-External Network
  1-LTE Modem for fail-over (optional)
  1-Internal Network
The following commands can be used to get the Nodegrid resources. Log into the console of the Nodegrid appliance as root shell:

root@nodegrid# cat /proc/meminfo
root@nodegrid# cat /proc/cpuinfo

Download the Palo Alto qcow2 file from https://www.paloaltonetworks.com/services/solution-assurance.html and validate the file integrity by computing its MD5 checksum and comparing it with the value on the Palo Alto support site. This is very important to avoid complications in KVM.
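A pre-flight check for the requirements above, as an added example that is not ZPE's or Palo Alto's code: it compares the host's /proc values against the table and verifies the qcow2 MD5 against the value taken from the support site. Function names and the constructed /proc snapshots are my assumptions.

```shell
#!/bin/sh
# Pre-flight check before deploying the VM-Series: compare this Nodegrid's
# /proc values against the minimums in the table above and verify the qcow2
# MD5. Added example; function names and sample data are mine, not ZPE's.

# Minimum vCPUs and memory (GB) per VM-Series model, from the table above
# (the "4, 8" entry for VM-300/VM-1000-HV is taken as 4 here).
min_cpus()   { case "$1" in VM-500) echo 8 ;; VM-50|VM-100|VM-200|VM-300|VM-1000-HV) echo 4 ;; *) echo 999 ;; esac; }
min_mem_gb() { case "$1" in VM-500) echo 32 ;; VM-50|VM-100|VM-200|VM-300|VM-1000-HV) echo 16 ;; *) echo 999 ;; esac; }

# Host values read from /proc; an optional file argument allows offline runs.
host_cpus() { grep -c '^processor' "${1:-/proc/cpuinfo}"; }
# MemTotal is always a little below the nominal DIMM size (kernel-reserved
# memory), so round to the nearest GB: truncating would make 16GB read as 15.
host_mem_gb() {
  awk '/^MemTotal:/ { printf "%d\n", ($2 + 524288) / 1048576 }' "${1:-/proc/meminfo}"
}

# check_model MODEL [CPUINFO] [MEMINFO] -> exit 0 if the host meets the minimums
check_model() {
  cpus=$(host_cpus "$2"); mem=$(host_mem_gb "$3")
  [ "$cpus" -ge "$(min_cpus "$1")" ] && [ "$mem" -ge "$(min_mem_gb "$1")" ]
}

# verify_image EXPECTED_MD5 FILE -> exit 0 only if the MD5 matches the value
# published on the Palo Alto support site
verify_image() {
  actual=$(md5sum "$2" | cut -d' ' -f1)
  [ "$actual" = "$1" ]
}

# Constructed /proc snapshots of a 4-core, 16GB host for offline testing.
write_sample_proc() {
  i=0; while [ "$i" -lt 4 ]; do echo "processor : $i"; i=$((i + 1)); done > "$1/cpuinfo"
  printf 'MemTotal:       16283492 kB\nMemFree:         1234567 kB\n' > "$1/meminfo"
}

# On the appliance (placeholder MD5, take the real one from the support site):
#   check_model VM-50 && verify_image <MD5-FROM-SUPPORT-SITE> PA-VM-KVM-9.0.0.qcow2
```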

Mount dedicated hard drive

After the dedicated hard disk has been installed into the Nodegrid unit and the unit has booted up, the storage needs to be added to the platform. The required steps depend on the storage device type and its current state, for example whether valid partitions already exist on the device or not.

Partition

To gain a quick overview of the current state of the newly added storage you can use the following command on the shell as root user:

fdisk -l /dev/sdb

Note: We assume here that the new hard drive was properly discovered; by default a new hard drive becomes the device sdb. Any additional devices would become sdc, sdd, and so on.

Example
root@nodegrid:~# fdisk -l /dev/sdb
Disk /dev/sdb: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: AC52C7CE-4FE6-4CBF-9797-998F42BF2006

Device     Start        End    Sectors   Size Type
/dev/sdb1   2048  976773134  976771087 465.8G Linux filesystem
In the above example, the new hard drive has a size of 465 GB and contains one partition spanning the full size. Depending on the state of the device, a new partition table might need to be created and the partitions formatted. Refer to the fdisk and mkfs.ext4 documentation for more information on how to use them.

Note: ext2, ext3 and ext4 are the only supported partition types

The newly created partition needs to be mounted to the Nodegrid platform. In case the storage will only be used for Virtual Machines it can be directly mounted into the appropriate storage location.

Note: Should the new mount point already contain data, that data will become unavailable once the partition is mounted over it. Therefore ensure that the mount point is empty.

Mount new partition

In order to mount the new partition, a new entry needs to be added to the mount table. Follow the steps below as an example, in which the partition /dev/sdb1 is mounted to /var/lib/libvirt/images so that it can be used directly for Virtual Machines.

1. Connect to the Nodegrid Platform shell as root user

2. Edit the /etc/fstab file

root@nodegrid:~# vi /etc/fstab

3. Add the following line

/dev/sdb1 /var/lib/libvirt/images ext4 defaults 0 0

4. Mount the new partition

root@nodegrid:~# mount /var/lib/libvirt/images

5. Confirm that the new partition was successfully mounted

root@nodegrid:~# mount
…
/dev/sdb1 on /var/lib/libvirt/images type ext4 (rw) ...

Enable Virtualization Service

[admin@nodegrid /]# set /settings/services/ enable_virtualization_services=yes
[+admin@nodegrid /]# commit

Download NFV

Purchase the VM-Series model and register the authorization code on the Palo Alto Networks Customer Support web site. See Create a Support Account and Register the VM-Series Firewall.

Obtain the qcow2 image and save it on the Nodegrid (the Linux host). As a best practice, copy the image to the folder /var/lib/libvirt/images.

If you plan to deploy more than one instance of the VM-Series firewall, make the required number of copies of the image. Because each instance of the VM-Series firewall maintains a link with the .qcow2 image that was used to deploy the firewall, to prevent any data corruption issues ensure that each image is independent and is used by a single instance of the firewall.

[admin@nodegrid /]# shell sudo su -
root@nodegrid# cd /var/lib/libvirt/images/

Setup of LTE Modem

The Nodegrid supports failover to LTE modems; if desired, the LTE modem connection can be passed through to the PaloAlto VM. The connection can then be used to access the Internet, to create and maintain VPN tunnels, or to provide dynamic failover between different ISPs.

The LTE connection is passed to the VM as a NATed connection. This means the Nodegrid manages and maintains the LTE modem connection and passes the VM's traffic through it; for this reason the required functionality of the LTE connection should be reviewed before starting the implementation. By default the connection allows NATed outbound traffic only and does not forward any Internet traffic directly to the PaloAlto. If incoming connections from the Internet are required, additional configuration on the Nodegrid platform is needed to forward that traffic.

LTE modem setup

As a first step, the LTE modem needs to be set up on the Nodegrid. For this, follow the normal process as outlined in the user manual. It is important to decide at what point the LTE modem should connect to the ISP: the modem can connect automatically when the Nodegrid starts, connect only in case of an Internet outage on the main router, or be started manually. Review the user manual for the different setup options.

After the LTE modem is set up and working on the Nodegrid platform, the resulting Internet connection can be exposed to the PaloAlto VM.

VM Interface setup

For the purpose of this guide, we assume that one LTE modem with one SIM card is present. By default the Nodegrid creates the following devices and connections:

  1. cdc-wdm0 - Modem control interface. This interface is only used to control the modem and cannot be used for a connection
  2. wwan0 - LTE network interface, only present while a connection is established

To expose the LTE connection, a new virtual network needs to be created to which both the LTE modem and the VM are connected. This is done by first defining the virtual network in an XML file. Below is a working example using example values.

Note: The IP addresses can be adjusted as needed, but these IPs are only used for the internal communication between the LTE interface and the PaloAlto VM. In this example 192.168.127.1 is the address on the LTE modem side of the virtual network (assigned to the wwan0br0 bridge in the XML below) and the PaloAlto VM gets an IP address from the defined DHCP pool.

<network>
  <name>wwan0nat</name>
  <bridge name="wwan0br0" stp="on" delay="2"/>
  <forward mode="nat" dev="wwan0"/>
  <ip address="192.168.127.1" netmask="255.255.255.252">
    <dhcp>
      <range start="192.168.127.2" end="192.168.127.2"/>
    </dhcp>
  </ip>
</network>

After the configuration has been saved as root user to a file, e.g. /tmp/lte-nat.xml, the network can be defined and activated with the following commands. Note that net-start and net-autostart take the network name from the XML (wwan0nat), not the file name.

virsh net-define /tmp/lte-nat.xml
virsh net-start wwan0nat
virsh net-autostart wwan0nat

After the network has been created, it can be used in the PaloAlto VM definition with the network name wwan0nat (--network network=wwan0nat in the virt-install examples below).

Routing Setup

To allow consistent access to the LTE modem from the VM, it is required to ensure that the created virtual network always uses the wwan0 interface for connectivity.

For this run the following commands on the Nodegrid shell.

  1. Create new routing tables for the wwan interfaces (the table name must match the one used in the dispatcher script below)
echo "150 wwan0br0" >> /etc/iproute2/rt_tables
echo "151 wwan1br0" >> /etc/iproute2/rt_tables
  2. Create the file 20wwan0br0 with the following script in /etc/NetworkManager/dispatcher.d
#!/bin/sh
# NetworkManager passes the interface name and the event (up/down) as arguments
IF=$1
STATUS=$2
# When the LTE data interface comes up, policy-route the VM's NAT subnet through it
if [ "x${IF}" = "xwwan0" ]; then
  case "${STATUS}" in
    up)
      /sbin/ip rule add from 192.168.127.0/30 table wwan0br0
      /sbin/ip route add 192.168.127.0/30 dev wwan0br0 table wwan0br0
      /sbin/ip route add default dev wwan0 table wwan0br0
      ;;
  esac
fi
# When the modem control interface goes down, remove the policy routing again
if [ "x${IF}" = "xcdc-wdm0" ]; then
  case "${STATUS}" in
    down)
      # 'ip route del default' returns 'RTNETLINK answers: No such process' once wwan0 is gone, so it is skipped
      #/sbin/ip route del default dev wwan0 table wwan0br0
      /sbin/ip route del 192.168.127.0/30 dev wwan0br0 table wwan0br0
      /sbin/ip rule del from 192.168.127.0/30 table wwan0br0
      ;;
  esac
fi
  3. Make the file executable with
chmod +x /etc/NetworkManager/dispatcher.d/20wwan0br0
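The network XML, the rt_tables entry and the dispatcher script must agree on one set of names (wwan0nat, wwan0br0). As an added example that is not part of the original guide, the following shell functions generate all three from a modem index and a /30 base, so a second modem (wwan1, matching the rt_tables line above) gets a consistent set; the naming scheme, subnet choice and function names are my assumptions.

```shell
#!/bin/sh
# Generate a consistent libvirt NAT network, rt_tables line and NetworkManager
# dispatcher script for modem N (wwanN). All names derive from one index so the
# network name, bridge, routing table and script cannot drift apart.
# Added example; the naming scheme (wwanNnat, wwanNbr0) is mine, not ZPE's.

net_name()    { echo "wwan$1nat"; }
bridge_name() { echo "wwan$1br0"; }                           # page: wwan0br0
rt_table()    { echo "$((150 + $1)) $(bridge_name "$1")"; }   # /etc/iproute2/rt_tables line

# lte_network_xml INDEX BASE  (BASE = first three octets, e.g. 192.168.127)
# Host side gets .1, the single DHCP lease for the VM is .2, netmask /30.
lte_network_xml() {
  idx=$1; base=$2
  cat <<EOF
<network>
  <name>$(net_name "$idx")</name>
  <bridge name="$(bridge_name "$idx")" stp="on" delay="2"/>
  <forward mode="nat" dev="wwan${idx}"/>
  <ip address="${base}.1" netmask="255.255.255.252">
    <dhcp>
      <range start="${base}.2" end="${base}.2"/>
    </dhcp>
  </ip>
</network>
EOF
}

# dispatcher_script INDEX BASE: policy-route the VM's /30 out of wwanN while it
# is up and tear the rule down when the modem control interface goes down.
dispatcher_script() {
  idx=$1; base=$2; tbl=$(bridge_name "$idx")
  cat <<EOF
#!/bin/sh
IF=\$1
STATUS=\$2
if [ "x\${IF}" = "xwwan${idx}" ]; then
  case "\${STATUS}" in
    up)
      /sbin/ip rule add from ${base}.0/30 table ${tbl}
      /sbin/ip route add ${base}.0/30 dev ${tbl} table ${tbl}
      /sbin/ip route add default dev wwan${idx} table ${tbl}
      ;;
  esac
fi
if [ "x\${IF}" = "xcdc-wdm${idx}" ]; then
  case "\${STATUS}" in
    down)
      /sbin/ip route del ${base}.0/30 dev ${tbl} table ${tbl}
      /sbin/ip rule del from ${base}.0/30 table ${tbl}
      ;;
  esac
fi
EOF
}
```

Typical use: `lte_network_xml 1 192.168.128 > /tmp/lte1-nat.xml`, `rt_table 1 >> /etc/iproute2/rt_tables` and `dispatcher_script 1 192.168.128 > /etc/NetworkManager/dispatcher.d/20wwan1br0`, then define the network and chmod the script as described above.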

Installation

Basic VM-50 Configuration Example

Resources:
  1. 4 Core CPU, of which 2 CPUs will be dedicated to the VM
  2. 5.5GB of RAM
  3. 3 Network interfaces
     - Eth0 is used as management interface
     - Eth1 is used for NFV external communication
     - Backplane0 is used for internal communication

Installation through qcow2 file:
  1. Navigate in a root session to /var/lib/libvirt/images
[admin@nodegrid /]# shell sudo su -
root@nodegrid# cd /var/lib/libvirt/images/
  2. Start the installation with virt-install. Example with 2 CPUs and 5.5GB RAM (5632 MB); adjust values as needed
virt-install \
    --virt-type kvm \
    --name pa02 \
    --cpu host-passthrough \
    --ram 5632 --vcpus 2 --cpuset=2-3 \
    --os-type=linux --os-variant=rhel6.0 \
    --disk PA-VM-KVM-9.0.0.qcow2,format=qcow2,bus=virtio,cache=writethrough \
    --import \
    --network type=direct,source=eth0,source_mode=bridge,model=virtio \
    --network type=direct,source=eth1,source_mode=bridge,model=virtio \
    --network type=direct,source=backplane0,source_mode=bridge,model=virtio \
    --video vga --graphics vnc,listen=0.0.0.0 --noautoconsole \
    --autostart

Note: listen=0.0.0.0 makes the VM's VNC console reachable on every Nodegrid address, and plain VNC carries no encryption of its own, so keep the VNC port reachable only from the management network.


Basic VM-100 Configuration Example with LTE

Resources:
  1. 4 Core CPU, of which 2 CPUs will be dedicated to the VM
  2. 6.5 GB of RAM
  3. 4 Network interfaces
     - Eth0 is used as management interface
     - Eth1 is used for NFV external communication
     - wwan0nat (the LTE NAT network) is used for the LTE fail-over communication
     - backplane0 is used for internal communication

Installation through qcow2 file:
  1. Navigate in a root session to /var/lib/libvirt/images/
[admin@nodegrid /]# shell sudo su -
root@nodegrid# cd /var/lib/libvirt/images
  2. Start the installation with virt-install
virt-install \
    --virt-type kvm \
    --name pa02 \
    --cpu host-passthrough \
    --ram 6656 --vcpus 2 --cpuset=2-3 \
    --os-type=linux --os-variant=rhel6.0 \
    --disk PA-VM-KVM-9.0.0.qcow2,format=qcow2,bus=virtio,cache=writethrough \
    --import \
    --network type=direct,source=eth0,source_mode=bridge,model=virtio \
    --network type=direct,source=eth1,source_mode=bridge,model=virtio \
    --network network=wwan0nat \
    --network type=direct,source=backplane0,source_mode=bridge,model=virtio \
    --video vga --graphics vnc,listen=0.0.0.0 --noautoconsole \
    --autostart

Basic VM-300 Configuration Example with LTE and 2 LAN connections

Resources:
  1. 8 Core CPU, of which 3 CPUs will be dedicated to the VM
  2. 10GB of RAM
  3. 5 Network interfaces
     - Eth0 is used as management interface
     - Eth1 is used for NFV external communication
     - wwan0nat (the LTE NAT network) is used for NFV fail-over communication
     - backplane0 is used for internal communication
     - backplane1 is used for internal communication

Installation through qcow2 file:
  1. Navigate in a root session to /var/lib/libvirt/images/
[admin@nodegrid /]# shell sudo su -
root@nodegrid# cd /var/lib/libvirt/images/
  2. Start the installation with virt-install
virt-install \
    --virt-type kvm \
    --name pa02 \
    --cpu host-passthrough \
    --ram 10240 --vcpus 4 --cpuset=4-7 \
    --os-type=linux --os-variant=rhel6.0 \
    --disk PA-VM-KVM-9.0.0.qcow2,format=qcow2,bus=virtio,cache=writethrough \
    --import \
    --network type=direct,source=eth0,source_mode=bridge,model=virtio \
    --network type=direct,source=eth1,source_mode=bridge,model=virtio \
    --network network=wwan0nat \
    --network type=direct,source=backplane0,source_mode=bridge,model=virtio \
    --network type=direct,source=backplane1,source_mode=bridge,model=virtio \
    --video vga --graphics vnc,listen=0.0.0.0 --noautoconsole \
    --autostart

Configuration of Nodegrid Target

The Virtual Machine can be managed directly from the Nodegrid. In the above example the first interface is connected to the internal default network. Create a new Managed Device of the type:

  1. virtual_console_kvm
Note: In version 4.0.x the ssh console string needs to be adjusted for both device types to [^@:>]+(@?)([^@:>]?)+(:?)([^@:>]?)+[#\>]
Define the following settings:
  1. Name: Name of the NFV. This has to match the name used during the NFV creation (pa02 in the examples above)
  2. Type: virtual_console_kvm
  3. IP: IP address of the Nodegrid which hosts the NFV. Default: 127.0.0.1
  4. User name: root
  5. Password: password of the root user
  6. Web URL: Adjust the URL so that it contains the IP address of the Management Interface

The Nodegrid connection supports connecting to the system via:

  1. MKS (Mouse, Keyboard and Screen)
  2. Console


Palo Alto Initial Configuration

  1. Open a console session to the Nodegrid
  2. Login with the admin/admin credential
  3. Disable DPDK
set system setting dpdk-pkt-io off
  4. Identify the Management IP address. If the management interface is connected to the Nodegrid default network, an IP was assigned by the DHCP server:
admin@PA-VM> show interface management
------------------------------------------------------------------------------
Name: Management Interface
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address 52:54:00:e3:c9:15
Ip address: 192.168.122.245 Netmask: 255.255.255.0
Default gateway: 192.168.122.1
Ipv6 address: unknown
Ipv6 link local address: fe80::5054:ff:fee3:c915/64
Ipv6 default gateway:
-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 1446469
bytes transmitted 25563
packets received 1052
packets transmitted 246
receive errors 0
transmit errors 0
receive packets dropped 32
transmit packets dropped 0
multicast packets received 0
-------------------------------------------------------------------------------
  5. Set a static IP
     a. Open a console session to the Palo Alto from the Nodegrid UI
     b. Enter the following commands to set the IP address for the Palo Alto VM
configure
set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
commit
exit
  6. The system is now accessible through the Management Web Interface

Admin Session

Users can now open web access to the Palo Alto page by choosing the Web option available on the Nodegrid.
Example of Welcome Screen




