CLI Configuration: Setting up a VM-Series Gateway on a CentOS 6.x Bare-Metal Server using KVM
Resolution
Summary:
This solution illustrates the CLI steps for setting up a Palo Alto Networks VM Series instance on a bare CentOS 6.x server using KVM virtualization.
Topology:
Please note that public IP addresses have been replaced with RFC 1918 addresses for the Internet-facing interfaces in the topology below.
Details:
- Start with a CentOS 6.x “bare install” server outfitted with two NICs. As of PAN-OS 7.0.1, Palo Alto Networks recommends CentOS 6.5 or higher on the CentOS 6.x train.
-
Download the PAN-OS for VM Series KVM base image from support.paloaltonetworks.com, e.g. PA-VM-KVM-7.0.1.qcow2
You can either use wget on the CentOS server or download the image using a desktop browser and then copy it to the server into the /opt folder.
-
Prepare and install KVM (Kernel-based Virtual Machine) on the server.
Verify that the server is up to date and supports hardware virtualization:
Check CentOS version:
$ cat /etc/issue
CentOS release 6.7 (Final)
Kernel \r on an \m
Update the server:
$ yum -y update
Verify hardware virtualization support:
$ grep -E 'svm|vmx' /proc/cpuinfo
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm arat epb xsaveopt pln pts dts tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms
If the output from the above command is blank, the CPU has no VT-x/AMD-V support and it is a good idea to stop here and procure a server with hardware virtualization support. Note that the flag can be present while virtualization is disabled in the BIOS; in that case the kvm module refuses to load and dmesg reports that it was disabled by the BIOS, so check the firmware settings as well.
Install KVM binaries and libraries:
$ yum install kvm python-virtinst libvirt libvirt-python virt-manager virt-viewer libguestfs-tools
$ yum install policycoreutils-python bridge-utils
Configure libvirtd to start automatically on boot:
$ chkconfig libvirtd on
$ shutdown -r now
Following reboot, you should see a new virbr0 interface created by the libvirt installation. This is libvirt's default NAT-ed network (192.168.122.0/24, with the host at 192.168.122.1); the VM-Series management interface is attached to it and addressed from that range later in this procedure:
$ ifconfig virbr0
-
Create the two additional bridge interfaces using network init scripts:
Disable Network Manager and rely on network init scripts:
$ cd /etc/sysconfig/network-scripts/
$ chkconfig NetworkManager off
Note that if NetworkManager is not installed on your CentOS instance, this command will generate an error, which is okay and you can proceed ahead.
$ chkconfig network on
Create backup files for potential rollback:
$ cp ifcfg-eth0 bak.ifcfg-eth0
$ cp ifcfg-eth1 bak.ifcfg-eth1
Also, if eth1 has secondary addresses, these should be copied as follows:
$ cp ifcfg-eth1-range0 ifcfg-br1-range0
$ mv ifcfg-eth1-range0 bak.ifcfg-eth1-range0
Likewise, if you have a route file for the private interface, such as route-eth0 as an example for this topology, it should be copied as follows:
$ cp route-eth0 route-br0
$ mv route-eth0 bak.route-eth0
Create a copy of the ifcfg-eth0 script as ifcfg-br0 and edit it to look similar to this, noting that the TYPE=Bridge statement is case-sensitive (the init scripts compare the value against the literal string Bridge):
$ cp ifcfg-eth0 ifcfg-br0
$ vi ifcfg-br0
DEVICE=br0
BOOTPROTO=static
TYPE=Bridge
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no
IPADDR=10.18.143.144
NETMASK=255.255.255.192
Modify the original ifcfg-eth0 script to remove any IP addresses and add the BRIDGE=br0 statement so that the script finally looks similar to this:
$ vi ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:25:90:xx:yy:zz (replace with your MAC address)
NM_CONTROLLED=no
BRIDGE=br0
Create a copy of the ifcfg-eth1 script as ifcfg-br1 and edit it to look similar to this, again noting that TYPE=Bridge is case-sensitive:
$ cp ifcfg-eth1 ifcfg-br1
$ vi ifcfg-br1
DEVICE=br1
BOOTPROTO=static
TYPE=Bridge
ONBOOT=yes
DELAY=0
NM_CONTROLLED=no
IPADDR=192.168.234.238
NETMASK=255.255.255.248
GATEWAY=192.168.234.233
Modify the original ifcfg-eth1 script to remove any IP addresses and add the BRIDGE=br1 statement so that the script finally looks similar to this:
$ vi ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
HWADDR=00:25:90:xx:yy:zz (replace with your MAC address)
NM_CONTROLLED=no
BRIDGE=br1
Disable netfilter on the bridge interfaces by editing /etc/sysctl.conf and adding the 3 lines below. Without this, the host's own iptables rules are applied to traffic that merely transits br0 and br1, which costs throughput and can silently drop packets the firewall VM is supposed to inspect. These keys only exist while the bridge kernel module is loaded, so if sysctl -p reports them as unknown keys, load the module first (modprobe bridge) or rerun sysctl -p once the bridges are up:
$ cp /etc/sysctl.conf /etc/sysctl.conf.bak
$ vi /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
$ sysctl -p /etc/sysctl.conf
While the two new br0 and br1 interfaces should come up on restart automatically, as an additional precautionary measure, add the following statements to /etc/rc.local:
$ vi /etc/rc.local
ifup br0
ifup br1
Restart networking for the changes to take effect and then reboot to ensure that the new interfaces come up following bootup. Sometimes a reboot is required for the addresses to move from the NICs to the bridges.
WARNING: Before rebooting, review the ifcfg-br1 file (and ifcfg-br0) to ensure that all the settings look correct, and make sure that you have out-of-band management access to this server / console in the event that the Internet-facing interface does not come up. A typo in these files takes the host off the network.
$ service network restart
$ ifconfig
$ shutdown -r now
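As an added example (not part of the original KB article and not a Palo Alto Networks or Red Hat tool), the following POSIX shell script automates the eth-to-bridge conversion above and, more importantly, checks the result before the reboot the WARNING refers to. The helper names (ifcfg_get, make_bridge_pair, check_bridge_pair, check_bridge_sysctl) and the scratch directory it demonstrates on are this example's own; it assumes CentOS 6 style ifcfg files and the TYPE=Bridge spelling.

```shell
#!/bin/sh
# Added example, not part of the original KB article: convert an existing
# ifcfg-ethN init script into the ifcfg-brN / ifcfg-ethN pair described above,
# then check the pair (and the bridge-nf sysctl lines) before rebooting.
# It is exercised on constructed copies in a scratch directory; point DIR at
# /etc/sysconfig/network-scripts only after reviewing what it writes.

# ifcfg_get FILE KEY: first value of KEY in an ifcfg file, quotes stripped.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# make_bridge_pair DIR ethN brN
# Moves the L3 settings of DIR/ifcfg-ethN onto a new DIR/ifcfg-brN and
# rewrites DIR/ifcfg-ethN as an address-less slave of the bridge. The
# original is kept as DIR/bak.ifcfg-ethN, as in the procedure above.
make_bridge_pair() {
    dir=$1; eth=$2; br=$3
    src="$dir/ifcfg-$eth"
    [ -r "$src" ] || { echo "make_bridge_pair: cannot read $src" >&2; return 1; }
    cp "$src" "$dir/bak.ifcfg-$eth"
    hw=$(ifcfg_get "$src" HWADDR)      # read before $src is truncated below
    {
        echo "DEVICE=$br"
        echo "BOOTPROTO=static"
        echo "TYPE=Bridge"
        echo "ONBOOT=yes"
        echo "DELAY=0"
        echo "NM_CONTROLLED=no"
        # Only the address/route settings move; driver-level keys stay on the NIC.
        grep -E '^(IPADDR|NETMASK|PREFIX|GATEWAY|DNS[0-9])=' "$src" \
            || echo "make_bridge_pair: no IPADDR/NETMASK found on $eth" >&2
    } > "$dir/ifcfg-$br"
    {
        echo "DEVICE=$eth"
        echo "BOOTPROTO=none"
        echo "ONBOOT=yes"
        [ -n "$hw" ] && echo "HWADDR=$hw"
        echo "NM_CONTROLLED=no"
        echo "BRIDGE=$br"
    } > "$src"
}

# check_bridge_pair DIR brN ethN
# 0 when the pair is safe to bring up, 1 otherwise; every finding goes to
# stderr so that one run lists everything to fix before the reboot.
check_bridge_pair() {
    dir=$1; br=$2; eth=$3; rc=0
    brf="$dir/ifcfg-$br"; ethf="$dir/ifcfg-$eth"
    for f in "$brf" "$ethf"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    [ "$(ifcfg_get "$brf" DEVICE)" = "$br" ] \
        || { echo "$brf: DEVICE must be $br" >&2; rc=1; }
    # ifup-eth tests ${TYPE} against the literal string Bridge; a lower-case
    # key or value is silently ignored and no bridge is created.
    grep -q '^TYPE=Bridge$' "$brf" \
        || { echo "$brf: needs TYPE=Bridge (exact case)" >&2; rc=1; }
    ifcfg_get "$brf" IPADDR | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "$brf: missing or malformed IPADDR" >&2; rc=1; }
    [ -n "$(ifcfg_get "$brf" NETMASK)" ] \
        || { echo "$brf: missing NETMASK" >&2; rc=1; }
    [ "$(ifcfg_get "$ethf" BRIDGE)" = "$br" ] \
        || { echo "$ethf: BRIDGE must be $br" >&2; rc=1; }
    # An address left on the enslaved NIC competes with the bridge for the subnet.
    if grep -Eq '^(IPADDR|GATEWAY)=' "$ethf"; then
        echo "$ethf: still carries an address; move it to $brf" >&2; rc=1
    fi
    for f in "$brf" "$ethf"; do
        [ "$(ifcfg_get "$f" ONBOOT)" = yes ] \
            || { echo "$f: ONBOOT must be yes or the link stays down after reboot" >&2; rc=1; }
    done
    return $rc
}

# check_bridge_sysctl FILE: all three bridge-nf hooks must be switched off in
# FILE (normally /etc/sysctl.conf); returns 1 on the first one missing.
check_bridge_sysctl() {
    for k in ip6tables iptables arptables; do
        grep -Eq "^net\.bridge\.bridge-nf-call-$k[[:space:]]*=[[:space:]]*0$" "$1" || return 1
    done
}

# Demo on constructed files mirroring the eth1/br1 example from this article.
demo_dir=$(mktemp -d)
printf '%s\n' 'DEVICE=eth1' 'HWADDR=00:25:90:aa:bb:cc' 'BOOTPROTO=static' \
    'ONBOOT=yes' 'IPADDR=192.168.234.238' 'NETMASK=255.255.255.248' \
    'GATEWAY=192.168.234.233' > "$demo_dir/ifcfg-eth1"
make_bridge_pair "$demo_dir" eth1 br1
check_bridge_pair "$demo_dir" br1 eth1 && echo "br1/eth1 pair looks safe to bring up"
cat "$demo_dir/ifcfg-br1" "$demo_dir/ifcfg-eth1"
rm -rf "$demo_dir"
```

Run the checks against a copy of /etc/sysconfig/network-scripts first; only when check_bridge_pair is quiet for both br0/eth0 and br1/eth1 and check_bridge_sysctl passes on /etc/sysctl.conf is it worth issuing the service network restart and reboot above.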
-
Copy the image to /var/lib/libvirt/images and install the VM. The order of the --network options matters: the first NIC (virbr0) becomes the management interface, the second (br0) ethernet1/1 and the third (br1) ethernet1/2, which the debug output further down confirms:
$ cp /opt/PA-VM-KVM-7.0.1.qcow2 /var/lib/libvirt/images
$ virt-install --connect qemu:///system --name=pa-vm --disk path=/var/lib/libvirt/images/PA-VM-KVM-7.0.1.qcow2,format=qcow2,bus=virtio,cache=writethrough --vcpus=4 --ram=4096 --network bridge=virbr0 --network bridge=br0 --network bridge=br1 --os-type=linux --os-variant=rhel6 --import
-
Log into the console (the virsh console escape sequence is Ctrl+]) and set up the management interface on the virbr0 network:
$ virsh console pa-vm
> configure
# set deviceconfig system ip-address 192.168.122.3 netmask 255.255.255.0 default-gateway 192.168.122.1 dns-setting servers primary 8.8.8.8
# commit
-
Verify connectivity from the CentOS server. The factory default login is admin / admin; change it before the firewall is placed in service:
$ ssh admin@192.168.122.3
-
After logging in to the vm-series via ssh:
> debug show vm-series interfaces all
Phoenix_interface  Base-OS_port  Base-OS_MAC        PCI-ID        Driver
mgt                eth0          52:54:00:yy:yy:27  0000:00:03.0  virtio_net
Ethernet1/1        eth1          52:54:00:yy:yy:a5  0000:00:04.0  virtio_net
Ethernet1/2        eth2          52:54:00:yy:yy:6d  0000:00:05.0  virtio_net
admin@PA-VM>
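The zone layout that follows depends on ethernet1/1 really sitting on br0 and ethernet1/2 on br1. As an added example (not part of the original KB article and not a Palo Alto Networks tool), the script below proves that instead of assuming it, by joining the MAC column of virsh domiflist on the host with the Base-OS_MAC column of the debug output above. The two inputs are constructed samples built from the MACs shown on this page; the helper names (bridge_for_mac, map_ifaces, check_mapping) are this example's own, and the domiflist column layout assumed is the one CentOS 6 virsh prints (Interface, Type, Source, Model, MAC).

```shell
#!/bin/sh
# Added example, not part of the original KB article: cross-check which host
# bridge each PAN-OS interface really sits on. The KB relies on the order of
# the --network options at virt-install time (virbr0, br0, br1) turning into
# mgt, ethernet1/1 and ethernet1/2 inside the guest; joining the MAC columns
# of "virsh domiflist pa-vm" (host) and "debug show vm-series interfaces all"
# (guest) verifies it. Both inputs below are constructed samples using the
# MACs shown in the article; on a live host capture the real output instead.

DOMIFLIST='Interface  Type       Source     Model       MAC
-------------------------------------------------------
vnet0      bridge     virbr0     virtio      52:54:00:yy:yy:27
vnet1      bridge     br0        virtio      52:54:00:yy:yy:a5
vnet2      bridge     br1        virtio      52:54:00:yy:yy:6d'

VMSERIES='Phoenix_interface Base-OS_port Base-OS_MAC PCI-ID Driver
mgt eth0 52:54:00:yy:yy:27 0000:00:03.0 virtio_net
Ethernet1/1 eth1 52:54:00:yy:yy:a5 0000:00:04.0 virtio_net
Ethernet1/2 eth2 52:54:00:yy:yy:6d 0000:00:05.0 virtio_net'

# bridge_for_mac MAC: the "Source" bridge carrying MAC on the host, or nothing.
bridge_for_mac() {
    printf '%s\n' "$DOMIFLIST" \
        | awk -v m="$1" 'NR > 2 && tolower($5) == tolower(m) { print $3 }'
}

# map_ifaces: one "pan-os-interface host-bridge" line per guest port, in the
# PCI order PAN-OS reports (interface names lower-cased for stable matching).
map_ifaces() {
    printf '%s\n' "$VMSERIES" | tail -n +2 \
        | while read -r pan port mac pci drv; do
            [ -n "$mac" ] || continue
            printf '%s %s\n' "$(printf '%s' "$pan" | tr 'A-Z' 'a-z')" "$(bridge_for_mac "$mac")"
        done
}

# check_mapping: 0 only if every pair the zone layout assumes is present.
# A wrong pairing means the "untrust" zone would be wired to the trust bridge.
check_mapping() {
    rc=0
    map=$(map_ifaces)
    for want in "mgt virbr0" "ethernet1/1 br0" "ethernet1/2 br1"; do
        printf '%s\n' "$map" | grep -qx "$want" || {
            echo "check_mapping: expected '$want', found '$(printf '%s\n' "$map" | grep "^${want%% *} ")'" >&2
            rc=1
        }
    done
    return $rc
}

map_ifaces
check_mapping && echo "interface-to-bridge mapping matches the zone layout"
```

If check_mapping fails, fix the VM definition (virsh edit pa-vm, or re-run virt-install with the --network options in the right order) before committing the zone configuration below; swapping the bridges afterwards would place the Untrust zone on the trust-side subnet.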
-
Configure the firewall via CLI and commit the changes.
Configure the e1/1 interface as a member of the Layer 3 trust zone. Please note that this is reversed from the typical Palo Alto Networks topology of e1/1 in the Untrust zone to match the bare-metal server interface nomenclature.
# set network interface ethernet ethernet1/1 layer3 ip 10.18.143.145/26
# set zone trust network layer3 ethernet1/1
# set network virtual-router default interface ethernet1/1
Configure the Untrust e1/2 interface and zone:
# set network interface ethernet ethernet1/2 layer3 ip 172.16.77.170/30
# set zone untrust network layer3 ethernet1/2
# set network virtual-router default interface ethernet1/2
Define default route in the default VR:
# set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 172.16.77.169
Enable ssh and ping on the private interface:
# set network profiles interface-management-profile allow_ping_ssh ping yes ssh yes
# set network interface ethernet ethernet1/1 layer3 interface-management-profile allow_ping_ssh
Enable ping only on the Untrust interface. SSH is deliberately left off this profile: management access should not be exposed on the Internet-facing interface; use the trust-side profile above or the management interface on virbr0 instead:
# set network profiles interface-management-profile allow_ping ping yes
# set network interface ethernet ethernet1/2 layer3 interface-management-profile allow_ping
Commit the config:
# commit