Oracle® SD-WAN Chaining with Palo Alto Networks NGFW


Installation Guide

Original Publication Date: Nov 1, 2019

Palo Alto Networks NGFW

Copyright © 2019, 2007 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury.
If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. Windows® 7 and Windows® XP are trademarks or registered trademarks of Microsoft Corporation. This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.


Table of Contents

About This Document ........ 4
    Audience ........ 4
    References ........ 4
Introduction ........ 5
    Interaction Between the Talari Appliance and Palo Alto Networks NGFW ........ 5
        Customer Solution #1 ........ 6
        Customer Solution #2 ........ 7
Functional Business Requirements ........ 10
    Description of the Test Environment ........ 11
Test Plan and Results ........ 11
    Success Criteria ........ 11
Steps for Integration ........ 11
    Customer Solution #1 Installation ........ 13
    Customer Solution #2 Installation ........ 17


About This Document

The purpose of this document is to provide the reader with an understanding of how to install a Talari Appliance with Virtual Palo Alto Networks NGFW. The Palo Alto Networks NGFW will be installed using the Service Chaining capability of the Talari E100 or Talari E1000 platform.

My Oracle Support

My Oracle Support () is your initial point of contact for all product support and training needs. A representative at Customer Access Support (CAS) can assist you with My Oracle Support registration. Call the CAS main number at 1-800-223-1711 (toll-free in the US), or call the Oracle Support hotline for your local country from the list at . When calling, make the selections in the sequence shown below on the Support telephone menu:

1. Select 2 for New Service Request.

2. Select 3 for Hardware, Networking, and Solaris Operating System Support.

3. Select one of the following options:

For technical issues such as creating a new Service Request (SR), select 1.

For non-technical issues such as registration or assistance with My Oracle Support, select 2.

You are connected to a live agent who can assist you with My Oracle Support registration and opening a support ticket.

My Oracle Support is available 24 hours a day, 7 days a week, 365 days a year.

Emergency Response

In the event of a critical service situation, emergency response is offered by the Customer Access Support (CAS) main number at 1-800-223-1711 (toll-free in the US), or call the Oracle Support hotline for your local country from the list at . The emergency response provides immediate coverage, automatic escalation, and other features to ensure that the critical situation is resolved as rapidly as possible. A critical situation is defined as a problem with the installed equipment that severely affects service, traffic, or maintenance capabilities, and requires immediate corrective action. Critical situations affect service and/or system operation resulting in one or several of these situations:

A total system failure that results in loss of all transaction processing capability
Significant reduction in system capacity or traffic handling capability
Loss of the system's ability to perform automatic system reconfiguration
Inability to restart a processor or the system
Corruption of system databases that requires service affecting corrective actions
Loss of access for maintenance or recovery operations
Loss of the system ability to provide any required critical or major trouble notification

Any other problem severely affecting service, capacity/traffic, billing, and maintenance capabilities may be defined as critical by prior discussion and agreement with Oracle.

Locate Product Documentation on the Oracle Help Center Site

Oracle Communications customer documentation is available on the web at the Oracle Help Center (OHC) site, . You do not have to register to access these documents. Viewing these files requires Adobe Acrobat Reader, which can be downloaded at .

1. Access the Oracle Help Center site at .

2. Click Industries.

3. Click the Oracle Communications link. Under the SD-WAN header, select a product.

4. Select the Release Number. A list of the entire documentation set for the selected product and release appears.

5. To download a file to your location, right-click the PDF link, select Save target as (or similar command based on your browser), and save to a local folder.

References

The following documents are available:

Talari Service Chaining UI Installation GUI

Talari 6.1 New Feature Guide


Introduction

In this installation guide, we will explore how to integrate a native Talari and the Palo Alto Networks NGFW (Next Generation Firewall) as a Guest VM on a Talari Appliance. The hypervisor being used for this Service Chaining is the KVM hypervisor. The Talari solution is a next-generation SD-WAN architecture which supports the Service Chaining capability. This capability allows the Talari Application to run natively while also supporting a Guest VM. The combined next-generation security with SD-WAN and branch office network simplification solution will provide a virtual service chained architecture which delivers the highest performance required by networks today, while also increasing reliability, performance, and security.

Talari has expanded support for service chaining from the E100 appliance to a higher performance appliance, the Talari E1000. For larger sites, Talari recommends that customers use the E1000 appliance. Contact your Talari representative for conduit performance levels for these platforms. Configuration of the E100 appliance and the E1000 appliance is the same from a user perspective. The two Talari models have the following properties from a resource and OS perspective:

Model    VCPUs    Memory Maximum    QEMU Version    Libvirt Version
E100     2        10GB              2.1.2           1.2.9
E1000    2        16GB              2.1.2           1.2.9

Note: Talari OS 5.0 and OS 5.1 support the above QEMU and libvirt versions. These are compatible with the Palo Alto Next Generation Firewall requirements.

Interaction Between the Talari Appliance and Palo Alto Networks NGFW

The Talari SD-WAN is a two-ended solution. The Talari Appliances use a proprietary encrypted encapsulation (Talari Reliable Protocol - TRP) for data traversal between appliances, which enables a unique per-packet routing feature across multiple WAN Links simultaneously.

The Palo Alto Networks Solution brings next-generation security through its one-of-a-kind, multi-layered defense model, preventing threats at each stage of the attack life cycle.

The data shared between the Talari Appliance and Palo Alto Networks NGFW will be dependent on the customer requirement.

Here we will go over two example solutions. In Customer Solution #1, branch office Internet-bound traffic uses the Internet WAN Link local to the site. The Internet traffic needs to be secure. The user traffic will be received first by the Talari Appliance and then by the Palo Alto Networks NGFW. In Customer Solution #2, the user needs to inspect and secure all data from the branch prior to sending data via the Private or Public WAN. The user traffic is received by the Palo Alto Networks NGFW then forwarded (based on security parameters) to the Talari Appliance.

Customer Solution #1

[Figure 1: Customer Solution #1 topology. Diagram labels: INTERNET, MPLS, Branch Office, E100/E1000 with ports PT1, PT2, PT3, Palo Alto Networks NGFW (virtual), MPLS Router, Talari Networks Appliance (native), LAN.]

The Talari Appliance will send Internet-bound data packets (Salesforce, Dropbox, etc.) to the Palo Alto Networks NGFW for NAT and other security features to create secure, direct Internet access. The Palo Alto Networks NGFW will also be providing NAT for the encrypted encapsulated Talari Reliable Protocol packets traversing the Internet link to other Talari sites.

In the configuration defined above, the Talari Appliance will operate in Fail-to-Block mode. This will provide additional security in the event there is a Talari Appliance failure and not allow Internet traffic to reach the LAN segment. The Talari Appliance will have an IP address and port assigned to the Internet WAN Link, and the Palo Alto Networks NGFW will have an interface, IP address, and zone assigned for the LAN. The Palo Alto Networks NGFW LAN port and Talari WAN port will reside on the same Layer 3 subnet and the ports will connect via Linux bridge commands.

From the Talari Appliance perspective, the Palo Alto Networks NGFW LAN interface is configured as the gateway for the Internet link. All traffic that must be routed to the Internet WAN Link will be sent to the Palo Alto Networks NGFW as the next-hop gateway. Within the Talari Appliance configuration, we have also turned on Auto-Detect Public IP for the branch site, so the Public IP is disseminated to other connected Talari Appliances for TRP exchange.

From the Palo Alto Networks NGFW perspective, the Talari Appliance is the LAN gateway next-hop. All traffic to be routed to the LAN must be sent to the Talari Appliance's IP address representing the Internet link. The Talari Appliance acts as a next-hop router.
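The libvirt domain definition below is an added example, not configuration from the Oracle/Talari guide or from Palo Alto Networks. It shows how the virtual NGFW guest described above could be wired on the KVM host: one vNIC on a bridge toward the physical Internet port and one on a bridge shared with the Talari Appliance's Internet WAN-link port, so the NGFW LAN interface and the Talari WAN port sit on the same Layer 3 subnet, with the guest sized within the E100 limits from the table. The domain name, bridge names, disk path and memory figure are assumptions.

```xml
<!-- Added example: libvirt domain for the virtual Palo Alto Networks NGFW guest.
     The name, bridges, disk path and memory size are assumptions, not values from the guide. -->
<domain type='kvm'>
  <name>pan-ngfw</name>
  <!-- Within the E100 limits from the table: 2 vCPUs, memory under the 10GB maximum -->
  <memory unit='GiB'>8</memory>
  <vcpu placement='static'>2</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
    <boot dev='hd'/>
  </os>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <!-- Assumed path to the NGFW image -->
      <source file='/var/lib/libvirt/images/pan-ngfw.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <!-- Internet side: bridge containing the physical Internet port (assumed name br-inet).
         Keeping this on its own bridge means Internet frames never share a segment with the LAN. -->
    <interface type='bridge'>
      <source bridge='br-inet'/>
      <model type='virtio'/>
    </interface>
    <!-- LAN side: bridge shared with the Talari Appliance's Internet WAN-link port (assumed
         name br-talari). The NGFW IP on this segment is the Talari Appliance's next-hop
         gateway for the Internet link, and the Talari IP here is the NGFW's route to the LAN. -->
    <interface type='bridge'>
      <source bridge='br-talari'/>
      <model type='virtio'/>
    </interface>
    <!-- Any management vNIC the NGFW image requires is not shown here -->
    <serial type='pty'><target port='0'/></serial>
    <console type='pty'><target type='serial' port='0'/></console>
  </devices>
</domain>
```

Because the guest only ever sees the two bridges, a failure of the Talari Appliance leaves no host path from br-inet to the LAN, which is the Fail-to-Block behaviour the text describes.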

As packets flow from the LAN to the WAN, the Talari Appliance makes per-packet routing decisions based upon application and link quality (loss, latency, jitter, and bandwidth) for LAN traffic destined for Talari-enabled sites. Between Talari sites, the customer is now able to duplicate voice packets and send them on separate WAN Links to increase reliability, mitigate loss by tracking individual packet transmits and arrivals while resending lost packets, use latency-aware Load Balancing so a large packet flow such as a data backup can use multiple links simultaneously, and perform sub-second failover to avoid black-outs and brown-outs. The Palo Alto Networks NGFW brings peace of mind knowing the Internet-bound traffic has next-generation security in place keeping a watchful eye on packets, ensuring secure transmission.

Customer Solution #2

The data path flow will be different when the user needs to inspect and secure all data from the branch prior to sending data via the MPLS or Internet WAN Links. In this scenario, the user must secure all LAN traffic, regardless of destination.
