Verified Design: SSL Orchestrator with Palo Alto NGFW Virtual Edition-Part 1

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability and the protection of critical assets using Virtual Palo Alto NGFW.  It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the DevCentral article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process.

Configuration files for the Palo Alto NGFW can be downloaded from GitLab here.

Please forgive me for using SSL and TLS interchangeably in this article.

This article is divided into the following high level sections:

Part 1 (available here) 

  • Palo Alto NGFW Virtual Machine configuration
  • Create a new Topology to perform testing
  • Monitor Palo Alto statistics – change the weight ratio – check Palo Alto stats again
  • Remove a single Palo Alto VM from the Service

Part 2 (available here)

  • Perform maintenance on the Palo Alto VM
  • Add the Palo Alto VM to the new Topology
  • Test functionality with a single client
  • Add the Palo Alto VM back to the original Topology
  • Test functionality again
  • Repeat to perform maintenance on the other Palo Alto VM

Palo Alto Virtual Machine configuration

If you haven’t already configured the Palo Alto Virtual Machines, there are a few things to be aware of.  For the ESX Network configuration you will need 4 interfaces at a minimum.  The configuration should look something like this:

The corresponding Palo Alto network settings should look something like the image below.

Click the name (ethernet1/X) of the interface you wish to configure. 

Set the Interface Type to Virtual Wire and the Security Zone to trust.  Click OK. 

Do the same for the next interface.

Click the name of one of the interfaces configured previously.  Click Virtual Wire > New Virtual Wire. 

Give it a name.  Select the 2 interfaces configured previously.  Click OK and OK. 

You will need to Commit the changes for them to take effect.

Note: setting the Security Zone to trust is needed for the F5 Health Monitors to work.

Repeat these steps if configuring SSL Orchestrator deployed with High Availability.

Create a new Topology to perform testing

A new Topology will be used to safely test the Service after maintenance is performed.  The Topology should be similar to the one used for production traffic.  This Topology can be re-used in the future.

From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration.  Click Add under Topologies.

Scroll to the bottom of the next screen and click Next.

Give it a name, Topology_Staging in this example.

Select L2 Inbound as the Topology type then click Save & Next.

For the SSL Configurations you can leave the default settings.  Click Save & Next at the bottom.

Click Save & Next at the bottom of the Services List.

Click the Add button under Services Chain List.  A new Service Chain is needed so we can remove PaloAlto1 from the Production Service and add it here.

Give the Service Chain a name, Staging_Chain in this example.  Click Save at the bottom.

Note: The Service will be added to this Service Chain later.

Click Save & Next.

Click the Add button on the right to add a new rule.

For Conditions select Client IP Subnet Match.

Enter the Client IP and mask, 10.1.11.52/32 in this example.  Click New to add the IP/Subnet.

Set the SSL Proxy Action to Intercept.

Set the Service Chain to the one created previously.

Click OK.

Note: This rule is written so that a single client computer (10.1.11.52) will match and can be used for testing.  In the All Traffic default rule set the SSL Proxy Action to Bypass.

Select Save & Next at the bottom.

For the Interception Rule set the Source Address to 10.1.11.52/32.  Set the Destination Address/Mask to 10.4.11.0/24.  Set the port to 443.

Select the VLAN for your Ingress Network and move it to Selected.

Set the L7 Profile to Common/http.

Click Save & Next.

For Log Settings, scroll to the bottom and select Save & Next.

Click Deploy.

Monitor Palo Alto statistics – change the weight ratio – check Palo Alto statistics again

Check the statistics on the Palo Alto NGFW we will be performing maintenance on.  It’s “Palo_Alto1” in this example.

From the Palo Alto GUI select ACC (Application Command Center).

Select Network Activity then Sessions.  A time filter can be set on the left, in this case it’s set to the Last Hour.

Palo_Alto1 appears to be completely healthy.

Change the Weight Ratio

Back to the SSL Orchestrator Configuration Utility.  Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_PALOALTO in this example.

Click the pencil icon to edit the Service.

Click the pencil icon to edit the Network Configuration for PaloAlto2.

Set the ratio to 65535 and click Done.

Note: Alternatively, you could disable the Pool Member from LTM > Pools.

Click Save & Next at the bottom.

Click OK if presented with the following warning.

Click Deploy.

Click OK when presented with the Success message.

Check Palo Alto Statistics Again

Check the ACC statistics on “Palo_Alto1”.  It should look like the image below, with the number of sessions tapering off until it reaches zero.
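The drain check above is done by eye in the Palo Alto ACC. As an added example (not from the article or from F5), the script below watches the same taper from the BIG-IP side by polling the pool member's current connection count over iControl REST until it has read zero for several consecutive polls. The host, pool name, member name and credentials are placeholders you replace with the ones behind your ssloS_PALOALTO service.

```python
import base64
import json
import ssl
import time
import urllib.request

def member_stats_url(host, pool, member, partition="Common"):
    """Build the iControl REST stats URL for one pool member.
    REST encodes the '/' in '/Common/name' as '~'."""
    return (f"https://{host}/mgmt/tm/ltm/pool/~{partition}~{pool}"
            f"/members/~{partition}~{member}/stats")

def rest_fetch(url, user, password, cafile=None):
    """GET a REST document with basic auth; cafile pins the BIG-IP's CA."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def parse_cur_conns(stats_doc):
    """Extract serverside.curConns from a pool-member stats document."""
    entry = next(iter(stats_doc["entries"].values()))
    return int(entry["nestedStats"]["entries"]["serverside.curConns"]["value"])

def wait_for_drain(fetch, url, zero_polls=3, interval=5.0, max_polls=120):
    """Poll until curConns has read 0 for zero_polls consecutive polls.
    Returns (drained, samples) so the caller can log the taper."""
    samples, streak = [], 0
    for _ in range(max_polls):
        conns = parse_cur_conns(fetch(url))
        samples.append(conns)
        streak = streak + 1 if conns == 0 else 0
        if streak >= zero_polls:
            return True, samples
        time.sleep(interval)
    return False, samples

if __name__ == "__main__":
    # Placeholders: replace with the pool and member of your SSLO service.
    url = member_stats_url("bigip.example.test", "POOL_NAME_PLACEHOLDER", "MEMBER_PLACEHOLDER")
    ok, seen = wait_for_drain(lambda u: rest_fetch(u, "admin", "PASSWORD_PLACEHOLDER"), url)
    print("drained" if ok else "still has sessions", seen)
```

Requiring several consecutive zero readings guards against declaring the member drained on a single quiet poll while long-lived sessions are still being set up.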

Remove a single Palo Alto VM from the Service

Back to the SSL Orchestrator Configuration Utility.  Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_PALOALTO in this example.

Click the pencil icon to edit the Service.

Under Network Configuration, delete PaloAlto1.

Click Save & Next at the bottom.

Click OK if presented with the following warning.

Click Deploy.

Click OK when presented with the Success message.

Proceed to Part 2

Updated Mar 14, 2023
Version 2.0