Managing VM-Series by Panorama
If Panorama is used to manage your Palo Alto VM-Series firewalls, any dynamic route updates initiated by Aviatrix CoPilot are sent to Panorama. CoPilot does not check the health of Panorama; it only checks the health of the VM-Series instances.
CoPilot communicates with Palo Alto Panorama to its private IP address, if Panorama is reachable via private IP.
If you are using two cross-sites, the primary IP address of Panorama can be determined via the Vendor Integration function.
Before you integrate Panorama with CoPilot, you need to first launch and configure Panorama.
Launching Panorama
- Launch Panorama from the AWS portal and SSH in to set the UI password, using the same procedure as for the PAN firewall.
- Change the Panorama management interface security group to allow port 3978. This is the port Panorama and the firewall use to exchange information.
- Install a license in Panorama. Without the correct license, Panorama will not work.
Upgrading Panorama
Panorama must be on the same or a higher software version than its managed firewalls.
If your version of Panorama is lower than 9.0.6 or 9.1.2, you must upgrade.
- Go to Panorama > Dynamic Updates, click Check Now, and select the latest version of Panorama in Applications and Threats.
- Download and install.
- Navigate to Panorama > Software, select the desired version, and download and install it. After installation, Panorama reboots, which takes a few minutes.
Creating Templates and Template Stack
In Panorama, templates and template stacks are used to configure network properties such as interfaces, zones, and route tables. These are the objects that CoPilot monitors and updates through the API.
- Create Template: Create a template for each firewall group: one for the FireNet primary gateway and one for the FireNet backup gateway.
- Configure Template: Add interfaces (ethernet1/1, ethernet1/2), zones (LAN, WAN), and virtual routers (route tables). Do not name the route table "default", since this may conflict with the firewall's default route table. Refer to steps 7 and 10 of the Example Config for Palo Alto Network with VM-Series.
- Create Template Stack: A template stack is a bundle that binds templates to managed devices. When creating one, select the template(s) and devices. Create one template stack for the primary FireNet gateway and another for the backup FireNet gateway. Make note of the template stack name. Commit and push.
Creating Device Group
A Device Group is used to manage all the firewall policies.
- Navigate to Panorama > Device Groups.
- Click Add to create a new device group for both FireNet gateways.
- Add the managed VMs to the device group. Make note of the device group name (for example, "west2-firenet-primary"). You may create two device groups if you want to edit each FireNet gateway separately.
- (Optional, if internet traffic is needed) Add an "Outbound" policy to the newly created device group.
- (Optional) If you plan to deploy Egress inspection, add source NAT and outbound security rule policies.
- Commit and push the changes.
After the above steps, once VM-Series instances are added to Panorama, all configuration should be done through the Panorama console.
Creating Admin Role and Admin User Role
This is the same as for individually managed VM-Series. Create an admin role with XML API permission and create an admin user with the admin role.
- After you have set up and configured your Panorama, go to Security > FireNet > FireNet Gateways.
- Next to the FireNet where you want to add the Panorama firewall manager, click the icon and select Vendor Integration.
- Follow these steps.
Migrating from Individual VM to Panorama
Assuming you have existing individually managed VM-Series in CoPilot and have prepared your Panorama, follow the instructions below to migrate individual VMs to Panorama.
Removing the Firewall Integration as PAN
If any firewall for a FireNet is already integrated with PAN as the Vendor type, you need to remove that configuration.
- Navigate to Security > Firewall and select a PAN VM-Series firewall.
- Click the link icon and remove it from the FireNet.
Removing Firewall Configuration
If this is a new VM, skip this step.
From your firewall console, remove the interfaces, zones, virtual router, policies, API admin role, and API administrator.
VM-Series API Calls
The functions integrated by the Controller are the following:
- The Controller monitors the health of the Palo Alto Networks software by using the VM-Series API and performs a switchover based on the API return status.
- The Controller dynamically programs the Palo Alto Networks route tables for any newly propagated routes discovered from new Spoke VPCs/VNets and new on-premises routes.
Examples of Palo Alto Networks API calls used:
- Get key: https://54.149.55.193/api/?password=password&type=keygen&user=apiadmin
- Get route tables: https://54.149.55.193/api/?type=config&xpath=/config/devices/entry[@name='localhost.localdomain']/network/virtual-router/entry[@name='default']&key=LUFRPT1YQk1SUlpYT2xIT3dqMUFmMlBEaVgxbUxwTmc9RFRlWncrbURXZVpXZUUyMFE3V3ZWVXlaSlFvdkluT2F4dzMzWUZpMGtZaz0=&action=get
- Show interfaces: https://54.149.55.193/api/?key=LUFRPT1BbkNIbXJZNlVBOVdRMXNMSUNVRis1VWRHaTA9RFRlWncrbURXZVpXZUUyMFE3V3ZWU2ZEZzdCNW8yUEpwU3Q1NXEzeDBnST0=&type=op&cmd=<show><interface>ethernet1/2</interface></show>
- Add route: https://13.58.10.51/api/?type=config&xpath=/config/devices/entry[@name='localhost.localdomain']/network/virtual-router/entry[@name='default']/routing-table/ip/static-route/entry[@name='test2']&key=LUFRPT1BbkNIbXJZNlVBOVdRMXNMSUNVRis1VWRHaTA9RFRlWncrbURXZVpXZUUyMFE3V3ZWU2ZEZzdCNW8yUEpwU3Q1NXEzeDBnST0=&action=set&element=<nexthop><ip-address>10.201.1.1</ip-address></nexthop><bfd><profile>None</profile></bfd><path-monitor><enable>no</enable><failure-condition>any</failure-condition><hold-time>2</hold-time></path-monitor><metric>10</metric><destination>10.40.0.0/24</destination><route-table><unicast/></route-table>
- Delete route: https://13.58.10.51/api/?type=config&xpath=/config/devices/entry[@name='localhost.localdomain']/network/virtual-router/entry[@name='default']/routing-table/ip/static-route/entry[@name='test2']&key=LUFRPT1BbkNIbXJZNlVBOVdRMXNMSUNVRis1VWRHaTA9RFRlWncrbURXZVpXZUUyMFE3V3ZWU2ZEZzdCNW8yUEpwU3Q1NXEzeDBnST0=&action=delete
- Commit: https://13.58.10.51/api/?type=commit&key=LUFRPT1BbkNIbXJZNlVBOVdRMXNMSUNVRis1VWRHaTA9RFRlWncrbURXZVpXZUUyMFE3V3ZWU2ZEZzdCNW8yUEpwU3Q1NXEzeDBnST0=&cmd=<commit></commit>
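A small helper for the XML API calls listed above, added here as an example and not Aviatrix's or Palo Alto Networks' own code: it builds the keygen, static-route set and commit parameters, and parses the XML response so that anything other than status="success" is raised rather than silently treated as a programmed route. The host, key, user, password and route values are constructed placeholders.

```python
# Added example (not Aviatrix or Palo Alto Networks code). Builds the PAN-OS
# XML API requests shown above and validates the responses. All host, key,
# user, password and route values below are constructed placeholders.
import urllib.parse
import xml.etree.ElementTree as ET

VR_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
            "/network/virtual-router/entry[@name='{vr}']")


def keygen_params(user, password):
    """Parameters for type=keygen. Send them as a POST form body rather than
    in the URL query string so the password does not end up in proxy logs."""
    return {"type": "keygen", "user": user, "password": password}


def static_route_xpath(vr, route_name):
    """XPath of one static-route entry in the given virtual router."""
    return (VR_XPATH.format(vr=vr)
            + f"/routing-table/ip/static-route/entry[@name='{route_name}']")


def static_route_element(destination, nexthop, metric=10):
    """Element body for action=set, matching the 'Add route' call above."""
    return (f"<nexthop><ip-address>{nexthop}</ip-address></nexthop>"
            f"<metric>{metric}</metric><destination>{destination}</destination>"
            "<route-table><unicast/></route-table>")


def set_route_url(host, key, vr, route_name, destination, nexthop):
    """Full GET URL for adding a static route (key and element URL-encoded)."""
    query = urllib.parse.urlencode({
        "type": "config", "action": "set", "key": key,
        "xpath": static_route_xpath(vr, route_name),
        "element": static_route_element(destination, nexthop)})
    return f"https://{host}/api/?{query}"


def commit_params(key):
    """Parameters for the commit call that makes a set/delete take effect."""
    return {"type": "commit", "key": key, "cmd": "<commit></commit>"}


def parse_response(xml_text):
    """Return the <result> element, raising if status is not 'success' so a
    rejected add/delete is never mistaken for a committed change."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown"
        raise RuntimeError(f"PAN-OS API error: {msg}")
    return root.find("result")


def extract_key(xml_text):
    """Pull the API key out of a successful keygen response."""
    return parse_response(xml_text).findtext("key")
```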