DG_PAFWLB_120718.1
TABLE OF CONTENTS
1 Overview ................................................................................................................................................ 4
Configuration Overview.......................................................................................................................... 7
Configuration Samples......................................................................................................................... 28
OVERVIEW
A10 Networks and Palo Alto Networks offer a comprehensive and detailed solution for high performance
Firewall Load Balancing (FWLB). This deployment guide shows how to configure and deploy the
A10 Networks AX Series Application Delivery Controller (ADC) with Palo Alto Networks' PA Series
Firewall.
The tested solution is based on a "sandwich-style" architecture that calls for two or more AX Series
appliances to load balance the external and internal zones of a network. The FWLB deployment
described in this guide was tested to work with AX Series 2.6.1. Persistence for certain protocols,
e.g. SIP and FTP, is supported as of the 2.7.0 release. For more information on A10 Networks,
please visit www.a10networks.com, and for more information on Palo Alto Networks please visit
www.paloaltonetworks.com.
DEPLOYMENT PREREQUISITES
The FWLB solution tested for this guide consisted of the following:
Note: The deployment configuration tested for and presented in this guide is based on one (1) AX Series
per zone (internal and external). A10 Networks strongly recommends deploying the AX Series in High
Availability (HA) pairs for redundancy.
ARCHITECTURE OVERVIEW
This section illustrates a joint FWLB solution using A10 Networks' AX Series appliances with Palo Alto
Networks' PA Series Firewalls.
The following diagram shows a typical packet flow in an AX Series and PA Series FWLB deployment.
When an internal client sends a request, the internal AX Series selects a PA firewall for the request, and
sends the request to the selected firewall. The firewall inspects the request and, if the request is allowed,
forwards the request to the external AX Series. The external AX Series then sends the request to the
application/Internet.
ACCESS CREDENTIALS
This section lists the default access credentials for the AX Series and the PA Series.
A10 Networks AX Series access defaults:
Note: Both AX Series and PA Series appliances support a Graphical User Interface (GUI) and a
Command Line Interface (CLI). To access the CLI on the AX Series and PA Series, an SSH client such
as putty.exe is required.
CONFIGURATION OVERVIEW
This section shows the GUI procedures for configuring the AX Series for the FWLB solution. The
procedures are organized as follows:
The procedures focus on the FWLB-specific portions of the configuration. Configuration of the data
interfaces is not shown. However, the sample configurations at the end of this guide include the
commands for configuring the AX Series interfaces.
Note: This section assumes the PA Series firewalls are connected to the AX Series at Layer 2.
Note: The AX Series has a feature called Role-Based Administration (RBA) that allows administrators to
configure and view network and load balancing resources based on administrative domains (partitions).
While the procedures below do not include creation of a partition, the first command line of each sample
configuration at the end of this guide creates a partition. RBA may sometimes be referred to as
Application Delivery Partitions (ADPs); RBA is an element of an ADP.
5.1
The procedures in this section describe how to configure FWLB on the external AX Series and PA Series.
5.2
These procedures apply to the section of the topology highlighted in blue in the following diagram.
5.2.1
5. In the Port section, enter port number 0 (zero) and select "TCP" from the Type drop-down list.
Then click Add.
6. Create a UDP port with port number 0. This is the same as the previous step, except "UDP"
instead of "TCP" should be selected.
Note: In IP protocol load balancing, port 0 (zero) is used as a wildcard port and matches on any port
number.
7. Click OK, then click the Save button at the top of the GUI window to save the configuration.
5.2.2
The steps in this section place the client gateways into a service group.
1. Navigate to Config Mode > Service > SLB > Service Group. There are two (2) service groups
required in the configuration. In this example, they are named: "sg_tcp" and "sg_udp".
3. Create a UDP service group. The steps are similar to those above for a TCP service group,
except the name is different, and the type is "UDP" instead of "TCP".
4. Add the firewalls to the UDP service group. For reference, see step 2 above.
5.2.3
This section describes how to configure the Virtual IP (VIP). FWLB uses a wildcard VIP. A wildcard VIP
has IPv4 address 0.0.0.0 or IPv6 address :: (double colon).
Wildcard VIPs also have the following configuration requirements:
Access Control List (ACL) to specify the traffic allowed to access the VIP (described in the following subsection)
Promiscuous mode on the interface connected to clients (shown in the sample configurations at the end of the guide)
Note: For simplicity, this guide uses an ACL that permits all traffic. You can more tightly control traffic by
using more specific source and destination information in the ACL.
5.2.4
This section shows how to configure the ACL for the wildcard VIP.
1. Navigate to Config Mode > Network > ACL > Extended.
2. Click Add.
Select Entry
Action: Permit
Protocol: IP
5.2.5
This section describes how to configure the wildcard VIP on the external AX Series.
1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.
Name: "outside_in_to_out".
Wildcard: Select this checkbox to display the Access List drop-down list.
4. In the Virtual Server Port section, click Add and enter the virtual port information for the TCP
virtual port:
Type: TCP.
Port: 0.
Use default server selection when preferred method fails: Select this option to enable it.
Use received hop for response: Select this option to enable it.
5. Click OK.
6. Click Add to add the UDP wildcard port. Select "UDP" as the Type and select Service Group "sg_udp".
Note: The "Use received hop for response" option is required in FWLB. This option sends replies to
clients back through the last hop on which the request for the virtual port's service was received.
7. Click OK, and then save the configuration.
8. To validate the configuration, navigate to Config Mode > SLB > Virtual Service.
5.3
This section shows how to configure the PA Series firewalls. Configuration consists of the following items:
Zone
Interface Configuration
Policies
The configuration settings for each item must be the same on each firewall. The only settings that should
differ are network settings such as IP addresses.
Note: Although not shown in this guide, you can also deploy the firewalls in HA mode for quick configuration
synchronization to all in-service firewalls.
5.3.1 INTERFACE CONFIGURATION
On the PA Series:
1.
2.
3.
4.
5.3.2 ZONE CONFIGURATION
On the PA Series:
10. Navigate to Network > Zone.
11. Click Add.
12. Create the following configurations for Names, Locations and Type:
Table 1: Trusted and untrusted zone requirements for Palo Alto Network Appliance
Note: The "Trusted" network segment is located in the internal section of the network topology. The
"Untrusted" network segment is the external section of the network topology; see Diagram 15 above.
The steps have to be repeated for both interfaces: each interface has to be assigned to the trust or
untrust zone.
On the PA Series, the "vsys" is equivalent to an RBA partition on the AX Series. On the PA Series,
partitions such as "vsys1" from the example above can be created dynamically.
5.3.3
5.3.4
This section shows how to configure the security policy rules of the firewall.
1. Navigate to "Policies" and click Add.
2. Enter the following configuration values for the traffic you wish to allow or deny. The following
policy information is required:
General
Source
User
Destination
Application
Service/URL Category
Actions
Note: Every network will have its own policy, so the configuration shown for the Palo Alto Networks appliance
should be used only as a reference configuration.
3. Click Save to commit the configuration.
This section shows how to configure the internal AX Series for FWLB. These procedures apply to the
section of the topology highlighted in blue in the following diagram.
6.1
8. Create a UDP port with port number 0. This is the same as the previous step, except "UDP"
instead of "TCP" should be selected.
6.2
Name: "LB_Paths_TCP"
Type: TCP
Note: The AX Series also comes with other algorithm options such as Least Connection, Least Request,
and so on.
3. In the Server section, add each of the firewall paths (server configurations).
6.3
This section describes how to configure the wildcard VIP on the internal AX Series.
1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.
3. Enter or select the following values:
Name: "wildcard_v4_101_server"
Wildcard: Select this checkbox to display the Access List drop-down list.
Note: The example name shown above indicates that this wildcard VIP is for IPv4 and uses ACL 101.
Configuration of the ACL is not shown here. However, the steps are the same as those in Access Control
List Configuration.
4. In the Virtual Server Port section, click Add and enter the virtual port information for the TCP
virtual port:
Type: TCP.
Port: 0.
Use default server selection when preferred method fails: Select this option to enable it.
Use received hop for response: Select this option to enable it.
Note: The use received hop for response option is required in FWLB. This option sends replies to clients
back through the last hop on which the request for the virtual port's service was received.
5. Click Add to add the UDP wildcard port. Select "UDP" as the Type and select Service Group
"LB_Paths_UDP".
The AX Series also supports a Layer 3 connection to the firewalls. In this case, configure Layer 3 interfaces
for untagged routed traffic, and define Layer 3 subinterfaces for traffic with specific VLAN tags. These
configuration changes can be made by navigating to Network > Interfaces > Interfaces.
For a Layer 3 firewall deployment, the Palo Alto appliance likewise has to be configured with Layer 3 interfaces
for untagged routed traffic and subinterfaces for traffic with specific VLAN tags. For detailed
information on Layer 3 deployment, contact your Palo Alto Networks SE or refer to the Palo Alto Networks
Administration Guide.
The sections above show how to deploy the AX device with the Palo Alto Networks device for optimized
Firewall Load Balancing. By using the AX device to load balance a pool of Palo Alto Networks appliances,
the following key advantages are achieved:
High availability for firewalls to prevent downtime and access failure, with no adverse impact on user access to applications
Seamless distribution of client traffic across multiple firewall appliances for site scalability
For more information about AX Series products, please refer to the following URLs:
http://www.a10networks.com/products/axseries.php
http://www.a10networks.com/resources/solutionsheets.php
http://www.a10networks.com/resources/casestudies.php
CONFIGURATION SAMPLES
This section shows sample configuration files for the internal and external AX devices.
9.1
interface ethernet 16
  disable
interface ethernet 18
  ip allow-promiscuous-vip
  disable
interface ethernet 19
  ip allow-promiscuous-vip
interface ethernet 20
  disable
interface ve 16
  ip address 16.1.1.78 255.255.0.0
  ip allow-promiscuous-vip
tftp blksize 32768
slb server server-gateway 16.1.1.253
  port 0 udp
    no health-check
  port 0 tcp
    no health-check
slb service-group sg-tcp tcp
  member server-gateway:0
slb service-group sg-udp udp
  member server-gateway:0
slb virtual-server outside_in_to_out 0.0.0.0 acl 100
  port 0 tcp
    name _wildcard_v4_TCP_65535
    service-group sg-tcp
    use-rcv-hop-for-resp
    use-default-if-no-server
    no-dest-nat
  port 0 udp
    name _wildcard_v4_UDP_65535
    service-group sg-udp
    use-rcv-hop-for-resp
    no-dest-nat
enable-management service ssh ve 16
no terminal auto-size
terminal width 80
terminal length 25
end
9.2
interface ethernet 17
interface ethernet 18
interface ethernet 19
interface ethernet 20
interface ve 2
  ip address 5.1.1.1 255.255.255.240
interface ve 3
  ip address 5.1.1.17 255.255.255.240
interface ve 4
  ip address 15.1.1.1 255.255.255.0
interface ve 274
  ip address 24.24.112.1 255.255.255.192
ip route 0.0.0.0 /0 5.1.1.2
tftp blksize 32768
slb server FW1_route 5.1.1.18
  port 0 tcp
    no health-check
  port 0 udp
    no health-check
slb server FW2_route 5.1.1.2
  port 0 tcp
    no health-check
  port 0 udp
    no health-check
slb service-group LB_Paths_UDP udp
  member FW1_route:0
  member FW2_route:0
slb service-group LB_Paths_TCP tcp
slb virtual-server wildcard_v4_101_vserver 0.0.0.0 acl 100
  port 0 tcp
    name Inside_in_to_out
    use-rcv-hop-for-resp
    use-default-if-no-server
    no-dest-nat
  port 0 udp
    name Inside_in_to_out_UDP
    service-group LB_Paths_UDP
    use-rcv-hop-for-resp
    use-default-if-no-server
    no-dest-nat
no terminal auto-size
terminal width 80
terminal length 25
end
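As an added example that is not part of this A10 Networks / Palo Alto Networks guide, the following Python script audits an AX Series running configuration (in the indented form the CLI prints) against the wildcard-VIP requirements the guide states: an ACL on every 0.0.0.0 virtual server, TCP and UDP port-0 virtual ports, "use-rcv-hop-for-resp" and "no-dest-nat" on each, and a bound service group that actually has members. The embedded configuration is constructed to mirror the internal AX sample above, including that sample's TCP wildcard port, which is never bound to a service group; the names `audit_fwlb` and `SAMPLE` are this example's own.

```python
import re

def audit_fwlb(text):
    """Audit an indented ACOS running config for the guide's wildcard-VIP requirements."""
    members, vips, top, port = {}, {}, "", None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():               # unindented: a new top-level command
            top, port = line, None
            if line.startswith("slb service-group "):
                members[line.split()[2]] = []  # group name -> its member lines
            elif line.startswith("slb virtual-server "):
                vips[line] = {}                # header -> {(port, proto): sub-lines}
        elif top.startswith("slb service-group ") and line.startswith("member "):
            members[top.split()[2]].append(line)
        elif top.startswith("slb virtual-server "):
            pm = re.match(r"port (\d+) (tcp|udp)$", line)
            if pm:
                port = pm.groups()
                vips[top][port] = []
            elif port:
                vips[top][port].append(line)
    findings = []
    for head, ports in vips.items():
        name, vip, acl = re.match(r"slb virtual-server (\S+) (\S+)(?: acl (\d+))?$", head).groups()
        if vip == "0.0.0.0" and acl is None:   # a wildcard VIP must carry an ACL
            findings.append(f"{name}: wildcard VIP has no ACL")
        findings += [f"{name}: no {p} wildcard port 0" for p in ("tcp", "udp") if ("0", p) not in ports]
        for (num, proto), lines in ports.items():
            tag = f"{name} port {num} {proto}"
            findings += [f"{tag}: missing {r}" for r in ("use-rcv-hop-for-resp", "no-dest-nat") if r not in lines]
            sg = next((s.split()[1] for s in lines if s.startswith("service-group ")), None)
            if sg is None:
                findings.append(f"{tag}: no service-group bound")
            elif not members.get(sg):
                findings.append(f"{tag}: service-group {sg} has no members")
    return findings

# Constructed sample modelled on the guide's internal-AX config; its TCP port is left unbound
SAMPLE = """\
slb service-group LB_Paths_UDP udp
  member FW1_route:0
slb virtual-server wildcard_v4_101_vserver 0.0.0.0 acl 100
  port 0 tcp
    use-rcv-hop-for-resp
    no-dest-nat
  port 0 udp
    service-group LB_Paths_UDP
    use-rcv-hop-for-resp
    no-dest-nat"""
```

Running `audit_fwlb(SAMPLE)` reports the unbound TCP wildcard port; binding it to a service group that has no members is reported separately, so both gaps in the internal sample are caught before the configuration is committed.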