This tutorial shows how to deploy and configure Palo Alto Networks VM-Series to secure IPv4 and IPv6 traffic on Google Cloud.
This guide is intended for network administrators, solution architects, and security professionals who are very familiar with Compute Engine and Virtual Private Cloud (VPC) networking.
Warning
IPv6 support for VM-Series on Google Cloud is currently not supported. This open-source tutorial represents a best-effort to demonstrate how VM-Series secures IPv6 traffic on Google Cloud.
The following are required for this tutorial:
- A Google Cloud project.
- Access to Google Cloud Shell to deploy the resources.
- If using BYOL, an VM-Series authkey to license the firewall.
The diagram shows the resources created with Terraform.
The VM-Series has 3 network interfaces, each belonging to a dual-stack subnet in separate VPC networks. The VM-Series is deployed to an unmanaged instance group which is a backend service of an external pass-through load balancer. The load balancer is configured with IPv4 and IPv6 frontend addresses to distribute internet inbound traffic to the VM-Series for inspection.
Test workloads are deployed to test north/south traffic. The external-vm
will be used to test internet inbound traffic through the VM-Series to the internal-vm
in the trust network.
Caution
At the time of this writing, IPv6 traffic cannot be routed to an internal load balancer as the next hop.
On your local machine or in Google Cloud Shell, perform the following.
-
Enable the required APIs, generate an SSH key, and clone the repository.
gcloud services enable compute.googleapis.com git clone https://github.com/PaloAltoNetworks/google-cloud-vmseries-ipv6-tutorial cd google-cloud-vmseries-ipv6-tutorial
-
Create an SSH key to assign to the GCE instances created.
ssh-keygen -f ~/.ssh/vmseries-tutorial -t rsa
-
Create a
terraform.tfvars
.cp terraform.tfvars.example terraform.tfvars
-
Edit the
terraform.tfvars
file and set values for the following variables:Key Value Default project_id
The Project ID within Google Cloud. null
public_key_path
The local path of the public key you previously created ~/.ssh/vmseries-tutorial.pub
mgmt_allow_ips
A list of IPv4 addresses that can have access to the VM-Series management interface. ["0.0.0.0/0"]
create_test_vms
Set to false
if you do not want to create the test VMs.true
vmseries_image_name
Set to the VM-Series image you want to deploy. vmseries-flex-bundle1-1102
-
Save your
terraform.tfvars
file.
When no further changes are necessary, deploy the resources:
-
Initialize and apply the Terraform plan.
terraform init terraform apply
-
Enter
yes
to start the deployment. -
After the resources are created, Terraform displays the following message:
Apply complete! Outputs: EXTLB_IPv4 = "1.2.3.4/32" EXTLB_IPv6 = "2600:1900:4000:eba6:8000::/32" SSH_INTERNAL_VM = "gcloud compute ssh paloalto@internal-vm --zone=us-central1-a" SSH_EXTERNAL_VM = "gcloud compute ssh paloalto@external-vm --zone=us-central1-a" VMSERIES_CLI = "ssh admin@1.1.1.1 -i ~/.ssh/vmseries-tutorial" VMSERIES_GUI = "https://1.1.1.1"
To access the VM-Series user interface, a password must be set for the admin
user.
Note
It may take an additional 10 minutes for the VM-Series to be accessible.
-
Use the
VMSERIES_CLI
output to access the VM-Series CLI.ssh admin@1.1.1.1 -i ~/.ssh/vmseries-tutorial
-
On the VM-Series, set a password for the
admin
username.configure set mgt-config users admin password
-
Commit the changes.
commit
-
Enter
exit
twice to terminate the session. -
In a browser, use the
VMSERIES_GUI
output to access the VM-Series.
In this step, retrieve the required network parameters and apply them to the VM-Series configuration.
Tip
DHCPv6 is available in PAN-OS 11.0 and eliminates the need to configure static IPv6 addresses.
Enable DHCPv4 and DHCPv6 on the VM-Series network interfaces to handle IPv4/IPv6 traffic.
-
On the VM-Series, go to Network → Zones. Click Add.
-
Create two zones:
untrust
&trust
. -
Go to Network → Interfaces → Ethernet.
-
Configure
ethernet1/1
(untrust
) as follows:In IPv4 tab, check
Automatically create default route
.
In IPv6 tab, checkAccept Router Advertised Route
and uncheckEnable Prefix Delegation
. -
Configure
ethernet1/2
(trust
) as follows:In IPv4 tab, uncheck
Automatically create default route
.
In IPv6 tab, uncheckAccept Router Advertised Route
and uncheckEnable Prefix Delegation
. -
Commit the changes.
Retrieve the default gateways for the untrust & trust subnets and the ULA for the trust VPC.
-
On
ethernet1/1
, click Dynamic-DHCPv6 Client. -
Record the Server and IPv6 Address (Non-Temporary) addresses.
Server address is the IPv6 default gateway for the untrust network.
IPv6 Address is the external IPv6 address assigned to the untrust interface. -
On
ethernet1/2
, click Dynamic-DHCPv6 Client. -
Record the Server address.
Server address is the IPv6 default gateway of the trust network.
-
In to Google Cloud, go to VPC Networks →
trust-vpc
. -
Record the VPC network ULA internal IPv6 range.
The ULA covers all of the possible IPv6 prefixes within the trust VPC.
On the VM-Series, create an IPv4 & IPv6 routes to correctly return traffic to the trust VPC.
-
Go to Network → Virtual Routers. Select the
default
virtual router. -
Click Static Routes → IPv4. Click + Add.
-
Configure the IPv4 return route as follows:
-
Click Static Routes → IPv6. Click + Add.
-
Configure the IPv6 return route as follows:
IPv4 Route IPv6 Route Name ipv4-trust
ipv6-trust
Destination IPv4 CIDR of trust network
ULA range of trust VPC
Next Hop IP Address
IPv6 Address
Next Hop Value eth1/2 IPv4 gateway IP
eth1/2 IPv6 Server Address
-
Click OK.
Create a NAT rule to translate trust VPC traffic to the external IPv4/v6 addresses attached to the untrust interface.
-
Go to Policies → NAT. Click Add.
-
Create a NAT policy to translate outbound IPv4 traffic.
-
Create a NPTv6 NAT policy to translate outbound IPv6 traffic.
Set the IPv6 Address (Non-Temporary) IP on
eth1/1
as the translated address (use a/96
prefix).
For the purposes of this tutorial, create a security policy to allow ping
, ping6
, & web-browsing
.
Caution
This tutorial does not provide guidance on security policy implementation.
-
Go to Policies → Security. Click Add.
-
Configure the security policy to allow
ping
,ping6
, &web-browsing
. -
Commit the changes.
-
In Cloud Shell, create default routes in the
trust-vpc
to steer IPv4/IPv6 traffic to the VM-Series trust interface for inspection.gcloud compute routes create ipv4-default \ --network=trust-vpc \ --destination-range=0.0.0.0/0 \ --next-hop-instance=vmseries \ --next-hop-instance-zone=us-central1-a gcloud beta compute routes create ipv6-default \ --network=trust-vpc \ --destination-range=::0/0 \ --next-hop-instance=vmseries \ --next-hop-instance-zone=us-central1-a
Access the internal-vm
in the trust network and generate outbound IPv4/IPv6 internet traffic.
-
In Cloud Shell, SSH to the
internal-vm
.gcloud compute ssh paloalto@internal-vm --zone=us-central1-a
-
Ping an external IPv4 address to test outbound IPv4 traffic.
ping 8.8.8.8
-
Ping an external IPv6 address to test outbound IPv6 traffic.
ping6 2600::
-
On the VM-Series, go to Monitor → Traffic. Enter the filter below to search for the outbound traffic.
( app eq 'ping6' ) or ( app eq 'ping' )
You should see that IPv4 & IPv6 traffic from the
internal-vm
is translated correctly by the VM-Series.
In this section, you will configure the VM-Series to translate inbound internet traffic, which is distributed by an external pass-through load balancer, to reach the a web application running on the internal-vm
in the trust VPC.
Note
The Terraform plan creates an external load balancer and health check for you.
Setup a loopback interface to receive the load balancer's IPv4/IPv6 health checks. Then, create a NAT policy to translate IPv4 health checks to the IPv4 loopback address and create a security policy to allow the health checks.
-
In Google Cloud, go to Network Services → Load Balancers.
-
Click the
vmseries-extlb
load balancer. Record the IPv6 address assigned to the forwarding rule. -
On the VM-Series, go to Network → Zones. Click Add.
-
Create a zone called
lb-checks
. -
Go to Network → Network Profiles → Interface Mgmt. click Add.
-
Enable
HTTP
and add the Health Check Ranges (35.191.0.0/16
,209.85.152.0/22
,209.85.204.0/22
,2600:1901:8001::/48
) as permitted addresses. -
Go to Network → Interfaces → Loopback. Click Add.
-
In the Config Tab, set tunnel to
1
, Virtual Router todefault
, & Zone tolb-checks
. -
In the IPv4 Tab, set
100.64.0.1/32
as the address. -
In the IPv6 Tab, set load balancer's IPv6 forwarding rule address.
-
In the Advanced Tab, set the Management Profile to
lb-checks
-
Go to Policies → NAT. Click Add.
-
Configure the policy to translate the IPv4 health check ranges to the IPv4 loopback address.
-
Go to Policies → Security. Click Add.
-
Configure the policy to allow IPv4 & IPv6 health check ranges to the
lb-checks
zone.
Important
Move the policy to the top of the rule set before committing the changes.
Create a NAT policy to translate traffic destined to the IPv4 forwarding rule to a web app on the internal-vm
in the trust VPC.
-
In Google Cloud, record IPv4 & IPv6 addresses of the
internal-vm
. -
On the VM-Series, go to Policies → NAT. Click Add.
-
Configure the policy to translate the IPv4 forwarding rule to the
internal-vm
IPv4 address.NAT Policy Original Packet Source Zone untrust
Destination Zone untrust
Destination Interface ethernet1/1
Destination Address 34.29.169.107
(IPv4 fowarding rule address)Source Translation Translation Type Dynamic IP and Port
Address Type Interface Address
Interface ethernet1/2
DST Translation Translation Type Dynamic IP
Translated Address 10.0.3.10
(IPv4 ofinternal-vm
)
Important
When load balancing internet inbound traffic through multiple firewalls, source translation is necessary to ensure a synchronous response from the backend application.
Create an NPTv6 policy to translate traffic destined to the IPv6 forwarding rule to the web app on internal-vm
.
Note
NPTv6 performs stateless translation, moving traffic from one IPv6 prefix to another by eliminating the IPv6 header checksum. Therefore, a checksum-neutral address must be calculated and used as the original packet's destination in the NPTv6 policy.
-
In Cloud Shell, SSH to the VM-Series using its management IP.
ssh admin@1.1.1.1
-
Use the
test nptv6
command to generate the checksum for traffic between the IPv6 address of theinternal-vm
and the IPv6 forwarding rule address on the load balancer.test nptv6 cks-neutral source-ip fd20:eb0:af94:0:0:0:0:0 dest-network 2600:1900:4000:5db5:8000:1:0:0/96
Replace
fd20:eb0:af94:0:0:0:0:0
with the IPv6 address of your internal-vm and replace2600:1900:4000:5db5:8000:1:0:0/96
with the IPv6 address assigned to your load balancer's forwarding rule. -
Record the generated checksum neutral address.
(Output)
The checksum neutral address of fd20:eb0:af94:: is 2600:1900:4000:5db5:8000:1:5eae:0 in 2600:1900:4000:5db5:8000:1:0:0/96 subnet
-
On the VM-Series, go to Policies → NAT. Click Add.
-
Set NAT Type to
nptv6
. -
Configure the policy to translate the checksum IP to the
internal-vm
IPv6 address.NPTv6 Policy Original Packet Source Zone untrust
Destination Zone untrust
Destination Interface ethernet1/1
Destination Address 2600:1900:4000:5db5:8000:1:5eae:0
(checksum neutral address)DST Translation Translation Type Dynamic IP
Translated Address fd20:eb0:af94:0:0:0:0:0/96
(IPv6 ofinternal-vm
)
Access the external-vm
to test internet inbound traffic through the IPv4/IPv6 external load balancer to the web application on internal-vm
.
-
In Cloud Shell, SSH to the external VM.
gcloud compute ssh paloalto@external-vm --zone=us-central1-a
-
Attempt to reach the web application using the load balancer's IPv4 address.
curl http://34.29.169.107:80/?[1-3]
-
Attempt to reach the web application using the checksum neutral IPv6 address.
curl -6 'http://[2600:1900:4000:5db5:8000:1:5eae:0]:80/?[1-3]'
-
On the VM-Series, go to Monitor → Traffic. Enter the filter below to search for the inbound traffic.
( zone.src eq 'untrust' ) and ( zone.dst eq 'trust' ) and ( app eq 'web-browsing' )
You should see that both IPv4 and IPv6 traffic is inspected and translated correctly by the VM-Series firewall.
-
To delete the created resources, run the commands below.
gcloud compute routes delete ipv4-default -q gcloud compute routes delete ipv6-default -q terraform destroy
-
At the prompt to perform the actions, enter
yes
.After all the resources are deleted, Terraform displays the following message:
Destroy complete!
- Learn about the VM-Series on Google Cloud.
- Getting started with Palo Alto Networks PAN-OS.
- Read about securing Google Cloud Networks with the VM-Series.
- Learn about VM-Series licensing on all platforms.
- Use the VM-Series Terraform modules for Google Cloud.