KevinGallaugher
F5 Employee

Introduction

It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working. If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to simplify Change Management processes and procedures and to shorten the duration of the entire process.

Configuration files for the Palo Alto NGFW can be downloaded here from GitLab.

Please forgive me for using SSL and TLS interchangeably in this article.

This article is divided into the following high level sections:

  • Create a new Topology to perform testing
  • Monitor Palo Alto statistics – change the weight ratio – check Palo Alto stats again
  • Remove a single Palo Alto device from the Service
  • Perform maintenance on the Palo Alto device
  • Add the Palo Alto device to the new Topology
  • Test functionality with a single client
  • Add the Palo Alto device back to the original Topology
  • Test functionality again
  • Repeat to perform maintenance on the other Palo Alto device

Create a new Topology to perform testing

A new Topology will be used to safely test the Service after maintenance is performed. The Topology should be similar to the one used for production traffic. This Topology can be re-used in the future.

From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration. Click Add under Topologies.

Scroll to the bottom of the next screen and click Next.

Give it a name, Topology_Staging in this example.

Select L2 Inbound as the Topology type then click Save & Next.

For the SSL Configurations you can leave the default settings. Click Save & Next at the bottom.

Click Save & Next at the bottom of the Services List.

Click the Add button under Services Chain List. A new Service Chain is needed so we can remove Palo_Alto1 from the Production Service and add it here.

Give the Service Chain a name, Staging_Chain in this example. Click Save at the bottom.

Note: The Service will be added to this Service Chain later.

Click Save & Next.

Click the Add button on the right to add a new rule.

For Conditions select Client IP Subnet Match.

Enter the Client IP and mask, 10.1.11.52/32 in this example. Click New to add the IP/Subnet.

Set the SSL Proxy Action to Intercept.

Set the Service Chain to the one created previously.

Click OK.

Note: This rule is written so that a single client computer (10.1.11.52) will match and can be used for testing.

Select Save & Next at the bottom.

For the Interception Rule set the Source Address to 10.1.11.52/32. Set the Destination Address/Mask to 10.4.11.0/24. Set the port to 443.

Select the VLAN for your Ingress Network and move it to Selected.

Set the L7 Profile to Common/http.

Click Save & Next.

For Log Settings, scroll to the bottom and select Save & Next.

Click Deploy.
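
The staging Topology just deployed touches traffic through two independent scoping controls: the Interception Rule (source 10.1.11.52/32, destination 10.4.11.0/24, port 443) decides which flows the L2 Inbound listener picks up at all, and the Security Policy rule (Client IP Subnet Match 10.1.11.52/32, SSL Proxy Action Intercept, Service Chain Staging_Chain) decides what happens to them. The Python below, added here as an example and not part of the original article or of SSL Orchestrator itself, models both controls so you can sanity-check before deploying that only the test client can ever be steered through the device under maintenance. It goes slightly beyond the article by also evaluating a widened listener, to show that the policy's client-subnet condition still limits who reaches Staging_Chain. The flows and the "policy default" label are constructed; the article does not set the default rule's action.

```python
"""Model of the scoping controls in the staging Topology (example, not F5 code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip(addr: str):
    return ipaddress.ip_address(addr)


def net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class StagingTopology:
    """The parts of an L2 Inbound Topology that decide which flows it touches."""
    listener_src: str    # Interception Rule: Source Address
    listener_dst: str    # Interception Rule: Destination Address/Mask
    listener_port: int   # Interception Rule: port
    policy_client: str   # Security Policy rule: Client IP Subnet Match
    chain: str           # Service Chain selected by that rule (Intercept action)

    def listener_matches(self, flow: Flow) -> bool:
        """Does the Topology's listener pick this flow up at all?"""
        return (ip(flow.src) in net(self.listener_src)
                and ip(flow.dst) in net(self.listener_dst)
                and flow.dport == self.listener_port)

    def chain_for(self, flow: Flow) -> Optional[str]:
        """None: flow never reaches this Topology (production path untouched).
        Otherwise the Service Chain the policy sends it through, or
        'policy default' for flows the single rule does not match."""
        if not self.listener_matches(flow):
            return None
        if ip(flow.src) in net(self.policy_client):
            return self.chain
        return "policy default"  # catch-all rule; its action is not set in the article


# The article's staging Topology.
STAGING = StagingTopology("10.1.11.52/32", "10.4.11.0/24", 443,
                          "10.1.11.52/32", "Staging_Chain")

# Hypothetical variant: listener widened to the whole client subnet by mistake.
WIDENED = StagingTopology("10.1.11.0/24", "10.4.11.0/24", 443,
                          "10.1.11.52/32", "Staging_Chain")

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.1.11.52", "10.4.11.10", 443),  # test client -> web server, HTTPS
    Flow("10.1.11.52", "10.4.11.10", 80),   # test client, port not in the rule
    Flow("10.1.11.53", "10.4.11.10", 443),  # neighbouring production client
    Flow("10.1.11.52", "10.4.12.10", 443),  # test client, server outside the /24
]

if __name__ == "__main__":
    for topo_name, topo in (("staging", STAGING), ("widened", WIDENED)):
        for f in SAMPLE_FLOWS:
            print(f"[{topo_name}] {f.src} -> {f.dst}:{f.dport}: {topo.chain_for(f)}")
```

With the article's values only the first flow returns Staging_Chain; every other flow returns None, meaning the production Topology handles it exactly as before. The widened variant shows the second guard: a neighbouring client now reaches the staging Topology but lands on the policy default, not on the chain containing the device under maintenance.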

Monitor Palo Alto statistics – change the weight ratio – check Palo Alto statistics again

Check the statistics on the Palo Alto NGFW we will be performing maintenance on. It’s “Palo_Alto1” in this example.

From the Palo Alto GUI select ACC (Application Command Center).

Select Network Activity then Sessions. A time filter can be set on the left, in this case it’s set to the Last Hour.

Palo_Alto1 appears to be completely healthy.

Change the Weight Ratio

Return to the SSL Orchestrator Configuration Utility. Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_PALOALTO in this example.

Click the pencil icon to edit the Service.

Click the pencil icon to edit the Network Configuration for Palo_Alto2.

Set the ratio to 65535 and click Done. This steers almost all new connections to Palo_Alto2, so Palo_Alto1 drains as its existing sessions finish.

Note: Alternatively, you could disable the Pool Member from LTM > Pools.

Click Save & Next at the bottom.

Click OK if a warning is presented.

Click Deploy.

Click OK when presented with the Success message.

Check Palo Alto Statistics Again

Check the ACC statistics on “Palo_Alto1”. The number of sessions should taper off until it reaches zero.
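
The Python below is added here as an example; it is not part of the original article nor of any F5 or Palo Alto tool. It puts numbers on the two steps above: it computes the share of new connections that ratio load balancing still sends to Palo_Alto1 (assuming Palo_Alto1 keeps a ratio of 1, which the article does not state), and it parses pool member statistics to confirm that the member fronting Palo_Alto1 has drained before you delete it from the Service. The pool name, member addresses, member-to-device mapping and the statistics text are constructed placeholders that only approximate the general shape of `tmsh show ltm pool <pool> members` output; feed it real output from your BIG-IP.

```python
"""Drain check for an inline-service pool member (example, not F5 code)."""
import re
from typing import Dict

# Constructed sample, NOT captured from a device; it only approximates the shape
# of `tmsh show ltm pool <pool> members` output. Pool name and addresses are placeholders.
SAMPLE_POOL_STATS = """\
------------------------------------------------------------------
Ltm::Pool: ssloS_PALOALTO_example_pool
------------------------------------------------------------------
  --------------------------------------------
  | Ltm::Pool Member: 198.19.64.30:0
  --------------------------------------------
  | Status
  |   Availability : available
  |   State        : enabled
  | Traffic                    ServerSide
  |   Current Connections      0
  --------------------------------------------
  | Ltm::Pool Member: 198.19.64.130:0
  --------------------------------------------
  | Status
  |   Availability : available
  |   State        : enabled
  | Traffic                    ServerSide
  |   Current Connections      1472
"""

# Placeholder mapping from pool member to the firewall it fronts (assumption).
MEMBER_TO_DEVICE = {"198.19.64.30:0": "Palo_Alto1", "198.19.64.130:0": "Palo_Alto2"}

MEMBER_RE = re.compile(r"Ltm::Pool Member:\s*(\S+)")
CONN_RE = re.compile(r"Current Connections\s+(\d+)")


def parse_current_connections(text: str) -> Dict[str, int]:
    """Return {member: current_connections} from tmsh-style pool member output."""
    conns: Dict[str, int] = {}
    member = None
    for line in text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            member = m.group(1)  # statistics that follow belong to this member
            continue
        c = CONN_RE.search(line)
        if c and member is not None:
            conns[member] = int(c.group(1))
    return conns


def expected_new_connection_share(ratios: Dict[str, int]) -> Dict[str, float]:
    """Share of NEW connections each member gets under Ratio (member) load balancing."""
    total = sum(ratios.values())
    return {name: r / total for name, r in ratios.items()}


def drained(text: str, device: str) -> bool:
    """True when the pool member fronting `device` reports zero current connections."""
    conns = parse_current_connections(text)
    for member, dev in MEMBER_TO_DEVICE.items():
        if dev == device:
            return conns.get(member, -1) == 0
    raise KeyError(f"no pool member mapped to {device}")


if __name__ == "__main__":
    # Palo_Alto1 assumed at the default ratio of 1; Palo_Alto2 at 65535 as in the article.
    share = expected_new_connection_share({"Palo_Alto1": 1, "Palo_Alto2": 65535})
    print(f"new-connection share still reaching Palo_Alto1: {share['Palo_Alto1']:.6%}")
    for member, n in parse_current_connections(SAMPLE_POOL_STATS).items():
        print(f"{MEMBER_TO_DEVICE.get(member, member)}: {n} current connections")
    print("Palo_Alto1 drained:", drained(SAMPLE_POOL_STATS, "Palo_Alto1"))
```

Ratio only decides where new connections land, which is why the ACC session count tapers rather than drops: sessions already on Palo_Alto1 run to completion. A ratio of 65535 against 1 still leaves roughly one new connection in 65536 on Palo_Alto1, so if you need a strict zero the article's alternative, disabling the pool member, is the cleaner choice because it stops new connections entirely. Either way, remove the device from the Service only once the current-connection count reads zero.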

Remove a single Palo Alto device from the Service

Return to the SSL Orchestrator Configuration Utility. Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_PALOALTO in this example.

Click the pencil icon to edit the Service.

Under Network Configuration, delete Palo_Alto1.

Click Save & Next at the bottom.

Click OK if a warning is presented.

Click Deploy.

Click OK when presented with the Success message.

Perform maintenance on the Palo Alto device

At this point Palo_Alto1 has been removed from the Production Topology and is no longer handling production traffic. Palo_Alto2 is now handling all the production traffic.

We can now perform a variety of maintenance tasks on Palo_Alto1 without disrupting production traffic. When done with the task(s) we can then safely test/verify the health of Palo_Alto1 prior to moving it back into production.

Some examples of maintenance tasks:

  • Perform a software upgrade to a newer version.
  • Make policy changes and verify they work as expected.
  • Physically move the device.
  • Replace a hard drive, fan, and/or power supply.

Add the Palo Alto device to the new Topology

This will allow us to test its functionality with a single client computer, prior to moving it back to production.

From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging.

Click the pencil icon on the right to edit the Service.

Click Add Service.

Select the Palo Alto Networks NGFW Inline Layer 2 Service and click Add.

Give it a name or leave the default. Click Add under Network Configuration.

Set the FROM and TO VLANs for Palo_Alto1 and click Done.

Click Save at the bottom.

Click the Service Chain icon.

Click the Staging_Chain.

Move the PALO-test Service from Available to Selected and click Save.

Click OK.

Click Deploy.

Click OK.

Test functionality with a single client

The staging policy created earlier steers traffic from source IP 10.1.11.52 through the new Palo Alto Service, the device we just performed maintenance on.

Go to that client computer and verify that everything is still working as expected.

On the test client with IP 10.1.11.52, the page for one of the web servers still loads.

You can view the Certificate and see that it is not the same as the Production Certificate, which confirms that the connection was intercepted by the staging Topology rather than the production one.

To ensure that everything is working as expected you can view the ACC statistics on Palo_Alto1, which was the Palo Alto device removed from the Production network.

From ACC select Network Activity then Sessions. A time filter can be set on the left.

You should see the Sessions and Bytes sent/received counters gradually increasing as the test client's traffic flows through Palo_Alto1.

Add the Palo Alto device back to the original Topology

From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains.

Select the Staging_Chain.

Select ssloS_PALO-test on the right and click the left arrow to remove it from Selected.

Click Deploy when done.

Click OK.

Click OK to the Success message.

From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services.

Select the PALO-test Service and click Delete.

Click OK to the Warning.

When that is done click the ssloS_PALOALTO Service.

Click the Pencil icon to edit the Service.

Under Network Configuration click Add.

Set the Ratio to the same value as Palo_Alto2, 65535 in this example, so both devices again receive an equal share of new connections. Set the From and To VLANs for Palo_Alto1 and click Done.

Click Save & Next at the bottom.

Click OK.

Click Deploy.

Click OK.

Test functionality again

To ensure that everything is working as expected you can view the statistics on Palo_Alto1.

From the Palo Alto GUI select ACC (Application Command Center).

Select Network Activity then Sessions. A time filter can be set on the left.

Palo_Alto1 appears to be completely healthy.

Repeat these steps to perform maintenance on the other Palo Alto device (not covered in this guide):

  • Remove a single Palo Alto device from the Service
  • Perform maintenance on the Palo Alto device
  • Add the Palo Alto device to the new Topology
  • Test functionality with a single client
  • Add the Palo Alto device back to the original Topology
  • Test functionality again

Last update: 23-Aug-2021 08:09