Bootstrapping Palo Alto Network VMSeries on GCP
Palo Alto VMSeries devices on GCP can definitely look complicated, but deploying them doesn’t have to be. This example is one approach using Terraform to automate the bootstrapping of a PAN BYOL (Bring Your Own License) 904 device on GCP.
The design we will work with is setting up a PAN VMSeries firewall to support a 2 tier web app.
What gets built
| Name | What is it | Description |
| --- | --- | --- |
| bootstrap_bucket | GCS Bucket | Contains the directories, configuration files, policies, software and licensing required to bootstrap the device |
| management | VPC | VPC network for managing the PAN device |
| trust-web | VPC | Trust network for web traffic |
| trust-db | VPC | Trust network for db traffic |
| pan-vm-series | GCE Instance | The deployed PAN device GCE instance |
What’s not getting built
The configuration being applied to this device is pretty static, as coming up with the specific config is outside the scope of this example. There are many ways to generate a config for a PAN device - export from an existing device, apply from Panorama, dynamically build with automation tools such as Terraform/Ansible, etc. Additionally, we assume that a GCP project and a service account with enough access to create GCE instances and VPCs already exist, and that the credentials are on hand.
The following steps are a high-level view of what is being automated:
- Create the GCS bootstrap_bucket
- Create the bootstrap directories in the bucket
- Copy content to the corresponding bucket directory
- Create the VPCs
- Create the VPC subnets
- Create a GCE instance with a bootdisk set to the PAN image and a metadata value for the bootstrap_bucket
Ok great, but what’s really happening? First, Terraform sets the stage for us by creating a GCS bucket and populating it with the required folders and content. More details on which folders and content the PAN bootstrap process needs (also known as the Bootstrap Package) can be found here. Terraform also creates a separate VPC for each interface being configured on the PAN device - in this example a VPC for management, untrust, trust-db and trust-web is created, along with a subnet in each. Once all the staging is out of the way, Terraform creates a GCE instance with the boot disk set to the PAN image and a metadata value pointing at the bootstrap bucket. The PAN device then comes online and applies the configuration found in the bootstrap bucket.
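The staging and instance creation described above, condensed into a minimal Terraform configuration as an added example; this is not the code from the ArctiqTeam repo. It assumes four input variables (project, pan_image, mgmt_subnet, firewall_sa), a ./bootstrap_files directory holding init-cfg.txt and bootstrap.xml, and shows only the management interface; the bucket stays private, with read access granted only to the firewall's own service account and a read-only storage scope on the instance.

```terraform
# Added example (not the ArctiqTeam repo's code); the four inputs are assumed.
variable "project"     {}
variable "pan_image"   {}
variable "mgmt_subnet" {}
variable "firewall_sa" {}
# The bucket holds config and licensing: keep it private and readable only by
# the firewall's service account.
resource "google_storage_bucket" "bootstrap_bucket" {
  name                        = "${var.project}-pan-bootstrap"
  location                    = "US"
  uniform_bucket_level_access = true
}
resource "google_storage_bucket_iam_member" "firewall_read" {
  bucket = google_storage_bucket.bootstrap_bucket.name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${var.firewall_sa}"
}
# GCS has no folders; an empty object per prefix creates the four directories
# the bootstrap package expects, then init-cfg.txt and bootstrap.xml go in.
resource "google_storage_bucket_object" "dirs" {
  for_each = toset(["config/", "content/", "license/", "software/"])
  bucket   = google_storage_bucket.bootstrap_bucket.name
  name     = each.value
  content  = " "
}
resource "google_storage_bucket_object" "config_files" {
  for_each = toset(["init-cfg.txt", "bootstrap.xml"])
  bucket   = google_storage_bucket.bootstrap_bucket.name
  name     = "config/${each.value}"
  source   = "${path.module}/bootstrap_files/${each.value}"
}
# PAN image as boot disk; the bucket name is passed in the metadata key the
# device reads at first boot; the storage scope is read-only.
resource "google_compute_instance" "pan_vm_series" {
  name         = "pan-vm-series"
  machine_type = "n1-standard-4"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params { image = var.pan_image }
  }
  network_interface {
    subnetwork = var.mgmt_subnet
    access_config {}
  }
  metadata = { "vmseries-bootstrap-gce-storagebucket" = google_storage_bucket.bootstrap_bucket.name }
  service_account {
    email  = var.firewall_sa
    scopes = ["storage-ro"]
  }
}
```

The remaining VPCs and subnets follow the same pattern as the management network; if the device later reports a bootstrap failure, the first things to check are the bucket IAM binding and that all four directories exist.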
The code for this has been published to an ArctiqTeam GitHub repo accessible here.
The only file you need to edit is terraform.tfvars unless you want to change some of the default variables. Also included are the simple init-cfg.txt setting the management interface to be DHCP and a static bootstrap.xml with specific demo configurations. Both of these files can be swapped for your own.
Final note: there is no authcode file included. This demo will bring the device online, but it will not pass traffic until a valid license has been applied.
This Terraform and approach will get you an automated deployment of a single PAN device in GCP. Could this be extended and implemented as a Managed Instance Group with a GCP Load Balancer front end? Absolutely. Also, some of this functionality should be wrapped up into modules instead of leaving it all in the root module, but that might be a future blog….