Overview
The purpose of this document is to help with configuring Palo Alto Networks VM-Series for a Hub & Spoke architecture on Oracle Cloud Infrastructure (OCI). Basic OCI and Palo Alto experience is recommended. This document does not cover how to install Palo Alto from the OCI Marketplace. This document is the second part of the Palo Alto - Hub & Spoke architecture document.
This configuration was validated using Palo Alto version 9.1.1-c25.
For more details on how to use Palo Alto products, please visit Palo Alto official website - https://docs.paloaltonetworks.com.
Palo Alto VM in Hub & Spoke architecture - Configuration
Step by step
Step 4. Configuring the routing tables on OCI.
Step 5. Configuring Palo Alto.
Step 6. Test
Step 4. Configuring the routing tables on OCI.
The on-premises subnet will be 172.16.33.0/24.
The routing rules to add to each routing table are listed below:
The screenshots below show what each routing table from the list above must contain in OCI once it is configured:
4.1 HUB-Management routing table
4.2 HUB-Internet routing table
4.3 HUB-OSN-and-ON-PREM Routing Table
We also need to add the routing tables for Spoke 1 & 2, the DRG and the Service Gateway. This is done after starting the Palo Alto Networks VM-Series instance, because those route rules use the private IP addresses allocated to the VM-Series VNICs as their next hop, and those addresses are only known once the instance exists.
Step 5. Configuring Palo Alto.
This step does not cover how to start a Palo Alto Networks VM-Series instance from the Marketplace or how to configure it fully; it covers the interface allocation from OCI and the configuration that is needed on the VM-Series.
5.1 OCI interfaces allocated for Palo Alto Networks VM-Series
5.2 Interface configuration on Palo Alto Networks VM-Series
5.3 Security policies on Palo Alto Networks VM-Series
5.4 Routing rules on Palo Alto Networks VM-Series
The on-premises subnet is 172.16.33.0/24 and Oracle Object Storage uses the subnet shown below. The full list of OSN (Oracle Services Network) ranges can be found at https://docs.cloud.oracle.com/en-us/iaas/Content/General/Concepts/addressranges.htm#osn-ranges or, in machine-readable form, at https://docs.cloud.oracle.com/en-us/iaas/tools/public_ip_ranges.json. Only the OSN-tagged ranges belong in the route that points at the Service Gateway.
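The static routes for the OSN ranges on the VM-Series are the one part of this step that changes over time, because Oracle adds ranges to public_ip_ranges.json. The following script is an added example (not code from the page or from Palo Alto Networks): it reads the JSON, keeps only the OSN-tagged CIDRs of one region, collapses adjacent prefixes, and renders PAN-OS configure-mode `set` commands for them. The embedded JSON is a constructed sample in the shape of the real file, and the interface name `ethernet1/3`, next hop `10.0.3.1` and virtual router `default` are assumptions to be replaced with the values from your deployment.

```python
"""Added example: derive the OSN CIDRs for one OCI region from Oracle's
public_ip_ranges.json and emit PAN-OS static routes for the VM-Series.
The sample JSON, interface name and next hop are constructed for
illustration and are not taken from the page."""
import ipaddress
import json

# Constructed sample in the shape of
# https://docs.cloud.oracle.com/en-us/iaas/tools/public_ip_ranges.json
# The CIDRs are illustrative only; fetch the live file for a real deployment.
SAMPLE_RANGES_JSON = """
{
  "last_updated_timestamp": "2020-02-20T00:00:00Z",
  "regions": [
    {"region": "us-phoenix-1",
     "cidrs": [
       {"cidr": "129.146.0.0/21", "tags": ["OCI"]},
       {"cidr": "134.70.16.0/23", "tags": ["OCI", "OSN"]},
       {"cidr": "134.70.18.0/23", "tags": ["OCI", "OSN"]},
       {"cidr": "134.70.8.0/21",  "tags": ["OCI", "OSN"]}
     ]},
    {"region": "us-ashburn-1",
     "cidrs": [
       {"cidr": "134.70.24.0/21", "tags": ["OCI", "OSN"]}
     ]}
  ]
}
"""


def osn_cidrs(ranges_json, region):
    """Return the OSN-tagged CIDRs of one region, collapsed and sorted.

    Only entries tagged "OSN" are reachable through the Service Gateway;
    ranges tagged only "OCI" are public endpoints that must stay on the
    Internet path, so they are deliberately left out.
    """
    data = json.loads(ranges_json)
    for entry in data["regions"]:
        if entry["region"] == region:
            nets = [
                ipaddress.ip_network(c["cidr"], strict=True)
                for c in entry["cidrs"]
                if "OSN" in c["tags"]
            ]
            # collapse_addresses merges adjacent or contained prefixes so the
            # firewall carries the minimum number of static routes
            return sorted(ipaddress.collapse_addresses(nets))
    raise ValueError(f"region {region!r} not present in ranges file")


def panos_static_routes(cidrs, interface, nexthop, vrouter="default", name_prefix="OSN"):
    """Render PAN-OS configure-mode 'set' commands, one static route per CIDR.

    `interface` is the VM-Series interface facing the Service Gateway subnet
    and `nexthop` is that subnet's OCI default gateway; both are
    deployment-specific assumptions here, not values from the page.
    """
    ipaddress.ip_address(nexthop)  # fail early on a malformed next hop
    commands = []
    for i, net in enumerate(cidrs, start=1):
        name = f"{name_prefix}-{i}"
        if len(name) > 31:  # PAN-OS static route names are limited to 31 characters
            raise ValueError(f"route name too long: {name}")
        commands.append(
            f"set network virtual-router {vrouter} routing-table ip "
            f"static-route {name} destination {net} "
            f"interface {interface} nexthop ip-address {nexthop}"
        )
    return commands


if __name__ == "__main__":
    nets = osn_cidrs(SAMPLE_RANGES_JSON, "us-phoenix-1")
    for cmd in panos_static_routes(nets, "ethernet1/3", "10.0.3.1"):
        print(cmd)
```

Paste the printed `set` lines into `configure` mode on the VM-Series and `commit`. Re-running the script against the live file whenever Oracle updates it, and diffing the output against the running configuration, catches new OSN ranges that would otherwise silently take the Internet path.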
5.5 Spoke 1 Routing Table
5.6 Spoke 2 Routing Table
5.7 DRG Routing Table
5.8 Service Gateway Routing Table
Step 6. Test
The test consists of two scenarios:
Traffic to on-premises over VPN or FastConnect (through the DRG) follows the same path through the VM-Series as traffic to the Service Gateway, so it is not tested separately here.
1. Generating traffic from Spoke 1 to Spoke 2
Spoke 1 test VM has 192.168.66.3 IP address and Spoke 2 test VM has 192.168.77.3 IP address.
To generate traffic, we use the ping tool to send ICMP echo requests.
[opc@pan-spoke1 ~]$ ping 192.168.77.3 -c 3
PING 192.168.77.3 (192.168.77.3) 56(84) bytes of data.
64 bytes from 192.168.77.3: icmp_seq=1 ttl=63 time=0.836 ms
64 bytes from 192.168.77.3: icmp_seq=2 ttl=63 time=0.611 ms
64 bytes from 192.168.77.3: icmp_seq=3 ttl=63 time=0.657 ms
--- 192.168.77.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2049ms
rtt min/avg/max/mdev = 0.611/0.701/0.836/0.099 ms
In the above output, we can see that the Spoke 2 test VM responds to ICMP. The replies arrive with ttl=63: the responder (Linux) starts at 64 and one Layer 3 hop, the VM-Series, decremented it on the return path. To confirm that the traffic goes through Palo Alto Networks VM-Series, we use the Packet Capture feature to generate pcaps.
Here is the result of the pcap:
2. Access the Object Storage from Spoke 1
The Spoke 1 test VM has the IP address 192.168.66.3, and the Object Storage endpoint resolves to 3 public IP addresses (134.70.16.3, 134.70.8.3, 134.70.12.3). Keep in mind that no NAT is needed on Palo Alto Networks VM-Series, because the Service Gateway performs it.
To connect to the Object Storage, we will use wget tool on Spoke 1 test VM to download a test file.
[opc@pan-spoke1 ~]$ wget https://objectstorage.us-phoenix-1.oraclecloud.com/p/MNF9Cy2NJGEeW3AbRNjb7ri4ehFbgHruAkgcaxO-LaU/n/git-test/b/test_bucket/o/test.pcap
--2020-02-20 15:55:14-- https://objectstorage.us-phoenix-1.oraclecloud.com/p/MNF9Cy2NJGEeW3AbRNjb7ri4ehFbgHruAkgcaxO-LaU/n/git-test/b/test_bucket/o/test.pcap
Resolving objectstorage.us-phoenix-1.oraclecloud.com (objectstorage.us-phoenix-1.oraclecloud.com)... 134.70.16.3, 134.70.8.3, 134.70.12.3
Connecting to objectstorage.us-phoenix-1.oraclecloud.com (objectstorage.us-phoenix-1.oraclecloud.com)|134.70.16.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 708 [application/octet-stream]
Saving to: 'test.pcap'
100%[====================================================================================================================================================================================================>] 708 --.-K/s in 0s
2020-02-20 15:55:14 (49.7 MB/s) - 'test.pcap' saved [708/708]
[opc@pan-spoke1 ~]$
We can see above that the test file was downloaded. To confirm that the traffic goes through Palo Alto Networks VM-Series, we use the Packet Capture feature to generate pcaps.
Here is the result of the pcap:
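Both tests leave evidence that can be checked mechanically before reaching for a packet capture: the reply TTL tells how many Layer 3 hops the return path crossed, and the addresses wget resolved tell whether the Service Gateway route can match them at all. The script below is an added example (not code from the page or from Palo Alto Networks) that applies both checks. The ping and wget excerpts are copied from the test output above; the OSN CIDR list is a constructed sample and, in a real check, must be taken from the OSN-tagged entries for the region in public_ip_ranges.json. The expected hop count of 1 assumes the VM-Series is the only TTL-decrementing hop between the spokes, as the ttl=63 in the page's output indicates.

```python
"""Added example: sanity checks on the evidence produced by the two tests.
The ping and wget excerpts are copied from the page's test output; the OSN
CIDR list is a constructed sample, not the real OSN range list."""
import ipaddress
import re

PING_OUTPUT = """\
PING 192.168.77.3 (192.168.77.3) 56(84) bytes of data.
64 bytes from 192.168.77.3: icmp_seq=1 ttl=63 time=0.836 ms
64 bytes from 192.168.77.3: icmp_seq=2 ttl=63 time=0.611 ms
64 bytes from 192.168.77.3: icmp_seq=3 ttl=63 time=0.657 ms
"""

WGET_OUTPUT = """\
Resolving objectstorage.us-phoenix-1.oraclecloud.com (objectstorage.us-phoenix-1.oraclecloud.com)... 134.70.16.3, 134.70.8.3, 134.70.12.3
Connecting to objectstorage.us-phoenix-1.oraclecloud.com (objectstorage.us-phoenix-1.oraclecloud.com)|134.70.16.3|:443... connected.
HTTP request sent, awaiting response... 200 OK
"""

# Constructed sample; use the "OSN"-tagged entries of the region from
# public_ip_ranges.json in a real check.
OSN_CIDRS = [ipaddress.ip_network(c) for c in ("134.70.8.0/21", "134.70.16.0/22")]

LINUX_INITIAL_TTL = 64  # default IP TTL of a Linux responder


def reply_ttls(ping_output):
    """TTL of every echo reply in ping's output."""
    return [int(t) for t in re.findall(r"\bttl=(\d+)", ping_output)]


def return_path_hops(ttl, initial_ttl=LINUX_INITIAL_TTL):
    """Layer 3 hops the reply crossed: every router decrements TTL by one."""
    return initial_ttl - ttl


def check_spoke_to_spoke(ping_output, expected_hops=1):
    """True when every reply crossed exactly `expected_hops` routers.

    Assumption: the VM-Series is the only TTL-decrementing hop between the
    spokes, so ttl=63 from a Linux peer means the reply passed through it,
    and ttl=64 would mean the firewall was bypassed. Unlike a packet capture
    this cannot show which device the hop was, so treat it as a pre-check.
    """
    ttls = reply_ttls(ping_output)
    return bool(ttls) and all(return_path_hops(t) == expected_hops for t in ttls)


def resolved_addresses(wget_output):
    """Addresses wget resolved for the endpoint, taken from its 'Resolving' line."""
    m = re.search(r"^Resolving .*?\.\.\. (.+)$", wget_output, re.MULTILINE)
    if not m:
        return []
    return [ipaddress.ip_address(a.strip()) for a in m.group(1).split(",")]


def connected_address(wget_output):
    """(address, port) wget actually connected to, or None."""
    m = re.search(r"\|([0-9a-fA-F.:]+)\|:(\d+)\.\.\. connected", wget_output)
    return (ipaddress.ip_address(m.group(1)), int(m.group(2))) if m else None


def covering_osn_cidr(addr, osn_cidrs=OSN_CIDRS):
    """The OSN prefix containing `addr`, or None if it lies outside OSN."""
    return next((n for n in osn_cidrs if addr in n), None)


def check_object_storage(wget_output, osn_cidrs=OSN_CIDRS):
    """Every resolved address must fall inside an OSN prefix and the fetch
    must have returned 200. An address outside the OSN prefixes would not
    match the routes that point at the Service Gateway, so the download
    would not be proof that the Service Gateway path works."""
    addrs = resolved_addresses(wget_output)
    in_osn = bool(addrs) and all(covering_osn_cidr(a, osn_cidrs) for a in addrs)
    return in_osn and "200 OK" in wget_output


if __name__ == "__main__":
    print("spoke-to-spoke via one hop:", check_spoke_to_spoke(PING_OUTPUT))
    print("object storage via OSN:", check_object_storage(WGET_OUTPUT))
    print("connected to:", connected_address(WGET_OUTPUT))
```

Run it on the captured output of the two tests; a TTL check that fails while ping still succeeds is the classic sign that a spoke route table points at the LPG or DRG directly instead of at the VM-Series private IP, and a resolved address outside the OSN list means the static routes on the firewall need updating from the current public_ip_ranges.json.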