KevinGallaugher
F5 Employee

Summary

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability and the protection of critical assets using Virtual Palo Alto NGFW.  It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the DevCentral article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here.

This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process.

Configuration files for the Palo Alto NGFW can be downloaded from GitLab here.

Please forgive me for using SSL and TLS interchangeably in this article.

This article is divided into the following high level sections:

Part 1 (available here)

  • Palo Alto NGFW Virtual Machine configuration
  • Create a new Topology to perform testing
  • Monitor Palo Alto statistics – change the weight ratio – check Palo Alto stats again
  • Remove a single Palo Alto VM from the Service

Part 2 (available here)

  • Perform maintenance on the Palo Alto VM
  • Add the Palo Alto VM to the new Topology
  • Test functionality with a single client
  • Add the Palo Alto VM back to the original Topology
  • Test functionality again
  • Repeat to perform maintenance on the other Palo Alto VM

Perform maintenance on the Palo Alto VM

At this point PaloAlto1 has been removed from the Production_Topology and is no longer handling production traffic.  PaloAlto2 is now handling all the production traffic.

We can now perform a variety of maintenance tasks on PaloAlto1 without disrupting production traffic.  When the task(s) are done, we can safely test and verify the health of PaloAlto1 before moving it back into production.

Some examples of maintenance tasks:

  • Perform a software upgrade to a newer version.
  • Make policy changes and verify they work as expected.
  • Physically move the device.
  • Replace a hard drive, fan, and/or power supply.

Add the PaloAlto VM to the new Topology

This will allow us to test its functionality with a single client computer, prior to moving it back to production.

From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging.

Click the pencil icon on the right to edit the Service.

Click Add Service.

Select the Palo Alto Service and click Add.

Give it a name or leave the default.  Click Add under Network Configuration.

Set the FROM and TO VLANs and click Done.

Click Save at the bottom.

Click the Service Chain icon.

Click the Staging_Chain.

Move the PALO-test Service from Available to Selected and click Save.

Click OK.

Click Deploy.

Click OK.

Test functionality with a single client

We created a policy that sends traffic with source IP 10.1.11.52 to the PaloAlto Service we just performed maintenance on.

Go to that client computer and verify that everything is still working as expected.

This is the test client with IP 10.1.11.52; the page for one of the web servers still loads.

Viewing the certificate shows that it is not the same as the production certificate, which confirms this client's traffic is being handled by the staging topology rather than production.

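The certificate check above can be scripted on the test client so that the "which topology am I in" question is answered the same way before and after the device is moved back. This is an added example, not code from the article or from F5: it assumes the staging and production topologies re-sign with different CAs, and the CA file names and issuer commonNames below are placeholders for your own values.

```python
"""Report which SSL Orchestrator topology re-signed a server certificate.

Added example (not part of the original article). Assumes the staging and
production topologies re-sign traffic with different CA certificates and that
the test client has both CA files; file names and issuer names are placeholders.
"""
import socket
import ssl

# Placeholder CA files: replace with the CAs your two topologies re-sign with.
TOPOLOGY_CAS = {
    "production": "prod-sslo-ca.pem",
    "staging": "staging-sslo-ca.pem",
}
# Issuer commonName -> topology (constructed values, not from the article).
ISSUER_TO_TOPOLOGY = {
    "SSLO Production CA": "production",
    "SSLO Staging CA": "staging",
}


def rdn_value(name, oid):
    """Return the value of `oid` from a getpeercert() name tuple, or None.

    getpeercert() encodes a name as a tuple of RDNs, each itself a tuple of
    (attribute, value) pairs, e.g. ((('countryName', 'US'),), (('commonName', 'x'),)).
    """
    for rdn in name:
        for key, value in rdn:
            if key == oid:
                return value
    return None


def classify(cert):
    """Map a getpeercert() dict to the topology whose CA issued the cert.

    Returns 'production', 'staging', or 'unknown' (not re-signed by either
    SSLO CA, e.g. the client is bypassing interception or hit an empty dict).
    """
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return ISSUER_TO_TOPOLOGY.get(issuer_cn, "unknown")


def fetch_cert(host, port=443):
    """Connect through SSL Orchestrator and return the re-signed cert as a dict.

    Both SSLO CAs are trusted so the handshake verifies; with CERT_NONE,
    getpeercert() would return an empty dict and the issuer could not be read.
    """
    ctx = ssl.create_default_context()
    for path in TOPOLOGY_CAS.values():
        ctx.load_verify_locations(path)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `classify(fetch_cert("webserver.example"))` from the 10.1.11.52 client: it should report `staging` while the PaloAlto1 service is in the Staging_Chain and `production` once it has been moved back.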
To ensure that everything is working as expected you can view the ACC statistics on PaloAlto1, the device that was removed from the production topology.

From ACC select Network Activity then Sessions.  A time filter can be set on the left.

You should see something like the image below, where Sessions and Bytes sent/received are gradually increasing.

Add the Palo Alto VM back to the original Topology

From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains.

Select the Staging_Chain.

Select ssloS_PALO-test on the right and click the left arrow to remove it from Selected.

Click Deploy when done.

Click OK.

Click OK to the Success message.

From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services.

Select the PALO-test Service and click Delete.

Click OK to the Warning.

When that is done click the ssloS_PALOALTO Service.

Click the Pencil icon to edit the Service.

Under Network Configuration click Add.

Set the Ratio to the same value as PaloAlto2 (65535 in this example).  Set the From and To VLANs and click Done.

Click Save & Next at the bottom.

Click OK.

Click Deploy.

Click OK.

Test functionality again

To ensure that everything is working as expected you can view the statistics on PaloAlto1.

From the Palo Alto GUI select ACC (Application Command Center).

Select Network Activity then Sessions.  A time filter can be set on the left.

PaloAlto1 appears to be completely healthy.

Repeat these steps to perform maintenance on the other Palo Alto VM (not covered in this guide):

  • Remove a single Palo Alto VM from the Service
  • Perform maintenance on the Palo Alto VM
  • Add the Palo Alto VM to the new Topology
  • Test functionality with a single client
  • Add the Palo Alto VM back to the original Topology
  • Test functionality again

Last update: 28-Feb-2023 14:14