CLI Configuration: Setting up a VM-Series Gateway on a CentOS 6.x Bare-Metal Server using KVM

CLI Configuration: Setting up a VM-Series Gateway on a CentOS 6.x Bare-Metal Server using KVM

32220
Created On 09/26/18 19:10 PM - Last Modified 06/07/23 02:42 AM


Resolution


 

Summary:

This solution illustrates the CLI steps for setting up a Palo Alto Networks VM Series instance on a bare CentOS 6.x server using KVM virtualization.

 

Topology:

Please note that public IP addresses have been replaced with RFC 1918 addresses for the Internet-facing interfaces in the topology below.

 

Screen Shot 2015-08-26 at 5.26.28 PM.png

 

Details:

  1. Start with a CentOS 6.x “bare install” server outfitted with two NICs. As of PAN-OS 7.0.1, Palo Alto Networks recommends CentOS 6.5 or higher on the CentOS 6.x train.
  2. Download the PAN-OS for VM Series KVM base image from support.paloaltonetworks.com, e.g. PA-VM-KVM-7.0.1.qcow2

    You can either use wget on the CentOS server or download the image using a desktop browser and then copy it to the server into the /opt folder.

  3. Prepare and install KVM (Kernel-based Virtual Machine) on the server.

     

    Verify that the server if up-to-date and supports hardware virtualization:

     

    Check CentOS version:

    $ cat /etc/issue

    CentOS release 6.7 (Final)

    Kernel \r on an \m

     

    Update the server:

    $ yum -y update

     

    Verify hardware virtualization support:

    $ grep -E 'svm|vmx' /proc/cpuinfo

    flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm arat epb xsaveopt pln pts dts tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms

     

    If the output from the above command is blank, it is a good idea to stop here and procure a server with hardware virtualization support.

     

    Install KVM binaries and libraries:

    $ yum install kvm python-virtinst libvirt libvirt-python virt-manager virt-viewer libguestfs-tool

    $ yum install policycoreutils-python bridge-utils

     

    Configure libvirtd to start automatically on boot:

    $ chkconfig libvirtd on

    $ shutdown -r now

     

    Following reboot, you should see a new virbr0 interface that gets installed by the libvirt installation:

    $ ifconfig virbr0

  4. Create the two additional bridge interfaces using network init scripts:

     

    Disable Network Manager and rely on network init scripts:

    $ cd /etc/sysconfig/network-scripts/

    $ chkconfig NetworkManager off

    Note that if NetworManager is not installed on your CentOS instance, this command will generate an error, which is okay and you can proceed ahead.

    $ chkconfig network on

     

    Create backup files for potential rollback:

    $ cp ifcfg-eth0 bak.ifcfg-eth0

    $ cp ifcfg-eth1 bak.ifcfg-eth1

     

    Also, if eth1 has secondary addresses, these should be copied as follows:

    $ cp ifcfg-eth1-range0 ifcfg-br1-range0

    $ mv ifcfg-eth1-range0 bak.ifcfg-eth1-range0

     

    Likewise, if you have a route file for the private interface, such as route-eth0 as an example for this topology, it should be copied as follows:

    $ cp route-eth0 route-br0

    $ mv route-eth0 bak.route-eth0

     

    Create a copy of the ifcfg-eth0 script as ifcfg-br0 and edit it to look similar to this, noting that Type=Bridge is a case-sensitive statement:

    $ cp ifcfg-eth0 ifcfg-br0

    $ vi ifcfg-br0

    DEVICE=br0

    BOOTPROTO=static

    Type=Bridge

    ONBOOT=yes

    DELAY=0

    NM_CONTROLLED=no

    IPADDR=10.18.143.144

    NETMASK=255.255.255.192

     

    Modify the original ifcfg-eth0 script to remove any IP addresses and add the BRIDGE=br0 statement so that the script finally looks similar to this:

    $ vi ifcfg-eth0

    DEVICE=eth0

    BOOTPROTO=none

    ONBOOT=yes

    HWADDR=00:25:90:xx:yy:zz (replace with your MAC address)

    NM_CONTROLLED=no

    BRIDGE=br0

     

    Create a copy of the ifcfg-eth1 script as ifcfg-br1 and edit it to look similar to this, noting that Type=Bridge is a case-sensitive statement:

    $ cp ifcfg-eth1 ifcfg-br1

    $ vi ifcfg-br1

    DEVICE=br1

    BOOTPROTO=static

    Type=Bridge

    ONBOOT=yes

    DELAY=0

    NM_CONTROLLED=no

    IPADDR=192.168.234.238

    NETMASK=255.255.255.248

    GATEWAY=192.168.234.233

     

    Modify the original ifcfg-eth1 script to remove any IP addresses and add the BRIDGE=br1 statement so that the script finally looks similar to this:

    $ vi ifcfg-eth1

    DEVICE=eth1

    BOOTPROTO=none

    ONBOOT=yes

    HWADDR=00:25:90:xx:yy:zz (replace with your MAC address)

    NM_CONTROLLED=no

    BRIDGE=br1

     

    Disable netfilter on the bridge interfaces by editing /etc/sysctl.conf and adding the 3 lines below:

    $ cp /etc/sysctl.conf /etc/sysctl.conf.bak

    $ vi /etc/sysctl.conf

    net.bridge.bridge-nf-call-ip6tables = 0

    net.bridge.bridge-nf-call-iptables = 0

    net.bridge.bridge-nf-call-arptables = 0

    $ sysctl -p /etc/sysctl.conf

     

    While the two new br0 and br1 interfaces should come up on restart automatically, as an additional precautionary measure, add the following statements to /etc/rc.local:

    $ vi /etc/rc.local

    ifup br0

    ifup br1

     

    Restart networking for the changes to take effect and then reboot to ensure that the new interfaces come up following bootup. Sometimes a reboot is required for the addresses to change.

    WARNING: Before rebooting, review the ifconfig-br1 file to ensure that all the settings look correct and make sure that you have out-of-band management access to this server / console in the event that the Internet-facing interface does not come up.

    $ service network restart

    $ ifconfig

    $ shutdown –r now

  5. Copy the image to /var/lib/libvirt/images and install the VM:

    $ cp /opt/PA-VM-KVM-7.0.1.qcow2 /var/lib/libvirt/images

    $ virt-install --connect qemu:///system --name=pa-vm --disk path=/var/lib/libvirt/images/PA-VM-KVM-7.0.1.qcow2,format=qcow2,bus=virtio,cache=writethrough --vcpus=4 --ram=4096 --network bridge=virbr0 --network bridge=br0 --network bridge=br1 --os-type=linux --os-variant=rhel6 --import

  6. Log into the console and set up the management interface:

    $ virsh console pa-vm

    > configure

    # set deviceconfig system ip-address 192.168.122.3 netmask 255.255.255.0 default-gateway 192.168.122.1 dns-setting servers primary 8.8.8.8

    # commit

  7. Verify connectivity from the CentOS server:

    $ ssh admin@192.168.122.3

  8.  After logging in to the vm-series via ssh:

    > debug show vm-series interfaces all

    Phoenix_interface   Base-OS_port     Base-OS_MAC             PCI-ID         Driver

    mgt                     eth0         52:54:00:yy:yy:27       0000:00:03.0   virtio_net

    Ethernet1/1             eth1         52:54:00:yy:yy:a5       0000:00:04.0   virtio_net

    Ethernet1/2             eth2        52:54:00:yy:yy:6d       0000:00:05.0   virtio_net

    admin@PA-VM>

  9.  Configure the firewall via CLI and commit the changes.

     

    Configure the e1/1 interface as a member of the Layer 3 trust zone. Please note that this is reversed from the typical Palo Alto Networks topology of e1/1 in the Untrust zone to match the bare-metal server interface nomenclature.

    # set network interface ethernet ethernet1/1 layer3 ip 10.18.143.145/26

    # set zone trust network layer3 ethernet1/1

    # set network virtual-router default interface ethernet1/1

     

    Configure the Untrust e1/2 interface and zone:

    # set network interface ethernet ethernet1/2 layer3 ip 172.16.77.170/30

    # set zone untrust network layer3 ethernet1/2

    # set network virtual-router default interface ethernet1/2

     

    Define default route in the default VR:

    # set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 172.16.77.169

     

    Enable ssh and ping on the private interface:

    # set network profiles interface-management-profile allow_ping_ssh ping yes ssh yes

    # set network interface ethernet ethernet1/1 layer3 interface-management-profile allow_ping_ssh

     

    Enable ssh and ping on the private interface:

    # set network profiles interface-management-profile allow_ping ping yes

    # set network interface ethernet ethernet1/2 layer3 interface-management-profile allow_ping

     

    Commit the config:

    # commit

     

     



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2lCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language