Palo Alto Networks (PAN) has a fast growing ecosystem of resellers, technology partners and customers. This ecosystem needs complete, fully featured PAN environments for - demos, PoCs and testing. Public clouds like AWS or Google are ideal for these transient workloads. However, due to the inherent Layer 2 networking limitations of the cloud like multicast/broadcast, VMACs and VLANs, it is difficult to create representative PAN environments in AWS or Google. Ravello's nested virtualization and overlay networking solves this problem.
You are welcome to check out our webinar on Palo Alto Networks Smart Lab on AWS and Google Cloud.
The webinar will took place on Tuesday, April 28th at 10AM PST.
We covered :
Palo Alto Networks next-gen firewall has featured as an industry leader in Gartner’s Magic Quadrant due to its rich feature-set and ease of use. With 17.6% share of the unified threat management market (IDC Reports), it has shown impressive growth in recent years. With each new VM series release, PAN has added new functionality that has made it even more appealing to enterprises. Before they buy, almost all enterprises like to see a demo of the impressive technology built into VM Series - necessitating a fully featured demo & PoC environment. In addition, Palo Alto Networks has an impressive list of resellers, technology partners and customers - all of which need their own complete, fully featured PAN environment for demos, PoCs, upgrade and application testing.
Organizations have explored ‘beefing-up’ their data-center to run transient workloads for demo, PoC, training, upgrade and development test environments - but it is expensive to provision additional capacity. In most cases, it takes from weeks to months to procure, provision the hardware, and get the environment running, and there are opportunity costs associated when the environment is not being used.
Public clouds, such as AWS and Google provide the flexibility to move to a usage-based pricing model and avoid these opportunity costs, but this approach entails a long migration process. And once migrated, the application environment on the cloud looks very different from the one in data center - due to different IP addresses, gateways, subnets etc. To complicate matters further, the Amazon Machine Image (AMI) of the PAN VM Series appliance itself supports a only a subset of the functionality compared to PAN VM Series VMware or KVM appliance - which makes it impossible to replicate the data-center environment on AWS or Google for many deployment scenarios.
|Feature||PAN VM Series VMware / KVM Appliance||PAN VM Series Amazon Machine Image|
|Virtual wire deployment mode (non-intrusive FW deployment)||Supported||Unsupported|
|Layer 2 deployment mode (network segment & switching deployment)||Supported||Unsupported|
|Layer 2 networking||Supported||Unsupported|
|Number of interfaces supported||25||8|
Nested virtualization platform with software defined networking overlay - such as Ravello - brings together financial benefits of moving to cloud while avoiding technological limitations (such lack of L2 networking, VLAN tags, VMACs, multicast, broadcast, and inability to support certain deployment scenarios). This allows organizations to recreate an exact replica of their complex data center environment on Google cloud and AWS - running the same version and configuration of the PAN VMware or KVM virtual appliance as they do in their data center.
The advantages of Ravello’s nested virtualization platform doesn’t stop there. The platform gives the ability to snapshot or ‘blue-print’ a multi-VM application including PAN VM series complete with complex networking, and spin up as many copies as needed at the click of a button or through a REST API call. Want to make a change to the infrastructure or configuration - just take a ‘blue-print’, and one has ‘version control’ on the entire infrastructure and configuration. Stuck with an unworkable environment after some configuration missteps - going back to an earlier working state is as easy spinning up a new environment based on an earlier blueprint. Need help to debug an issue - just take a blueprint and share - reproducing an issue has never been easier. The possibilities are endless! I decided to put all these use-cases to test, but the first step was moving my PAN data center environment to run on Google cloud/AWS using Ravello.
My data center PAN VM series contains three interfaces - one each connected to external and internal networks, and the third configured as management. Three hosts sit behind the firewall on the internal network - two ubuntu linux machines and a windows 2012 machine (see below). The external interface is connected to the internet.
Re-creating this environment in Ravello was simple 3 step process -
I used the Ravello VM uploader to upload my multi-VM environment.
|1. Ravello VM uploader gave me multiple options - ranging from directly uploading my multi-VM environment from VMware vSphere™/ VMware vCenter™ to uploading OVFs or VMDKs or QCOW or ISOs individually. Siding with their recommendation, I chose to directly upload from vSphere.|
|2. After entering my vSphere credentials on the next screen, the upload process began. was able to track the VM upload progress from Ravello’s user interface.|
|1. Verification started by asking for a VM name for the PAN VM Series 100|
|2. Clicking ‘Next’, I entered the amount of resources (VCPUs and Memory) that I wanted my PAN VM Series to run on.|
|3. Clicking ‘Next’, I was taken to the Disk tab. It was already pre-populated with the right disk-size and controller.|
|4. Clicking ‘Next’ I landed at Network tab. Here I unselected AutoMac for each of the interfaces, and entered the specific MAC addresses grabbed from my data center PAN installation by typing “show interface management” and “show interface all”.|
|5. Next I entered the static IPs & netmasks for each of the PAN interfaces (management, internal and external) completing the network configuration.|
|6. Clicking ‘Next’, I created a https service on the management interface so that Ravello opened the port 443 for me so that I could access it over a web-browser|
|7. I went through the steps 1-6 for my other VMs - linux & windows hosts ending up with a total of 4 VMs on my application canvas|
|1. With my application canvas complete, I clicked ‘Publish’ to run it on Google Cloud. My environment took roughly 5 minutes to come alive.|
|2. Clicking on the networking tab, one can see this closely mirrors my data center setup.|
|3. Once the PAN was up, I pointed my web-browser at the Public IP/ URL listed in the ‘Summary’ tab and was presented with PAN’s management UI.|
To verify that the PAN is working as expected, I created a security rule that allowed access to google.com, but logged an alert every time it was accessed by one of the hosts behind the firewall.
As you can see from the screenshot below, when my windows host (192.168.0.4) accesses google.com, it is logged on the monitor tab in PAN.
Just for the kicks, I created a rule on PAN which prevented any internal hosts from http access to the internet.
As expected, the URL showed up as blocked on the web-browser
I could also see it logged as blocked under the monitoring tab, proving that PAN was operating as expected.
Ravello’s nested virtualization and overlay networking provides a straightforward easy way run PAN VM Series appliance demos, PoCs and testing using Google cloud & AWS with the same VMware/KVM virtual appliances as deployed in Data Center. Just sign up for a free Ravello trial, and drop us a line – we can share the PAN config referenced, and also help you get your PAN VM series appliance running ‘as-is’ in Ravello in no time.