
Commit 8f8ad3f

cloudops-wstevensSheng Yang
authored andcommitted
Squashed commit of the Palo Alto Networks firewall integration plugin.
This patch adds a network plugin to support Palo Alto Networks firewall (their appliance and their VM series firewall). More information in the FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Palo+Alto+Firewall+Integration Features supported are: - List/Add/Delete Palo Alto service provider - List/Add/Delete Palo Alto network service offering - List/Add/Delete Palo Alto network with above service offering - Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule) - List/Add/Delete Ingress Firewall rule - List/Add/Delete Egress Firewall rule - List/Add/Delete Port Forwarding rule - List/Add/Delete Static Nat rule - Supports Palo Alto Networks 'Log Forwarding' profile globally per device (additional docs to come) - Supports Palo Alto Networks 'Security Profile Groups' functionality globally per device (additional docs to come) Known limitations: - Only supports one public IP range in CloudStack. - Currently not verifying SSL certificates when creating a connection between CloudStack and the Palo Alto Networks firewall. - Currently not tracking usage on Public IPs. Signed-off-by: Sheng Yang <sheng.yang@citrix.com>
1 parent 40a7839 commit 8f8ad3f

31 files changed

Lines changed: 5436 additions & 3 deletions

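--- a/api/src/com/cloud/network/Network.java
+++ b/api/src/com/cloud/network/Network.java
@@ -116,6 +116,7 @@ public static class Provider {
 public static final Provider VirtualRouter = new Provider("VirtualRouter", false);
 public static final Provider JuniperContrail = new Provider("JuniperContrail", false);
 public static final Provider JuniperSRX = new Provider("JuniperSRX", true);
+public static final Provider PaloAlto = new Provider("PaloAlto", true);
 public static final Provider F5BigIp = new Provider("F5BigIp", true);
 public static final Provider Netscaler = new Provider("Netscaler", true);
 public static final Provider ExternalDhcpServer = new Provider("ExternalDhcpServer", true);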

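--- a/api/src/org/apache/cloudstack/api/command/admin/network/AddNetworkDeviceCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/network/AddNetworkDeviceCmd.java
@@ -47,8 +47,9 @@ public class AddNetworkDeviceCmd extends BaseCmd {
 // ////////////// API parameters /////////////////////
 // ///////////////////////////////////////////////////
 
+
 @Inject ExternalNetworkDeviceManager nwDeviceMgr;
-@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall")
+@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall, PaloAltoFirewall")
 private String type;
 
 @Parameter(name = ApiConstants.NETWORK_DEVICE_PARAMETER_LIST, type = CommandType.MAP, description = "parameters for network device")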
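Review bot: The supported-type list in the `description` at new line 52 is a hand-maintained string that this commit has to edit identically in ListNetworkDeviceCmd.java, so the two copies can drift from each other and from the `NetworkDevice` constants in ExternalNetworkDeviceManager (which already include `NiciraNvp` and `CiscoVnmc`, neither of which is listed here). Consider one shared compile-time string referenced from both annotations, for example `description = SUPPORTED_DEVICE_TYPES_DESCRIPTION`, where that name stands for a new constant to be chosen. The class body continues outside the hunk, so whether `type` is validated against the `NetworkDevice` constants is not visible here.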

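--- a/api/src/org/apache/cloudstack/api/command/admin/network/ListNetworkDeviceCmd.java
+++ b/api/src/org/apache/cloudstack/api/command/admin/network/ListNetworkDeviceCmd.java
@@ -51,7 +51,7 @@ public class ListNetworkDeviceCmd extends BaseListCmd {
 //////////////// API parameters /////////////////////
 /////////////////////////////////////////////////////
 
-@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall")
+@Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall, PaloAltoFirewall")
 private String type;
 
 @Parameter(name = ApiConstants.NETWORK_DEVICE_PARAMETER_LIST, type = CommandType.MAP, description = "parameters for network device")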

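--- a/api/src/org/apache/cloudstack/network/ExternalNetworkDeviceManager.java
+++ b/api/src/org/apache/cloudstack/network/ExternalNetworkDeviceManager.java
@@ -42,6 +42,7 @@ public static class NetworkDevice {
 public static final NetworkDevice NetscalerSDXLoadBalancer = new NetworkDevice("NetscalerSDXLoadBalancer", Network.Provider.Netscaler.getName());
 public static final NetworkDevice F5BigIpLoadBalancer = new NetworkDevice("F5BigIpLoadBalancer", Network.Provider.F5BigIp.getName());
 public static final NetworkDevice JuniperSRXFirewall = new NetworkDevice("JuniperSRXFirewall", Network.Provider.JuniperSRX.getName());
+public static final NetworkDevice PaloAltoFirewall = new NetworkDevice("PaloAltoFirewall", Network.Provider.PaloAlto.getName());
 public static final NetworkDevice NiciraNvp = new NetworkDevice("NiciraNvp", Network.Provider.NiciraNvp.getName());
 public static final NetworkDevice CiscoVnmc = new NetworkDevice("CiscoVnmc", Network.Provider.CiscoVnmc.getName());
 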
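--- a/client/WEB-INF/classes/resources/messages.properties
+++ b/client/WEB-INF/classes/resources/messages.properties
@@ -304,6 +304,7 @@ label.add.new.F5=Add new F5
 label.add.new.gateway=Add new gateway
 label.add.new.NetScaler=Add new NetScaler
 label.add.new.SRX=Add new SRX
+label.add.new.PA=Add new Palo Alto
 label.add.new.tier=Add new tier
 label.add.NiciraNvp.device=Add Nvp Controller
 label.add.physical.network=Add physical network
@@ -318,6 +319,7 @@ label.add.secondary.storage=Add Secondary Storage
 label.add.security.group=Add Security Group
 label.add.service.offering=Add Service Offering
 label.add.SRX.device=Add SRX device
+label.add.PA.device=Add Palo Alto device
 label.add.static.nat.rule=Add static NAT rule
 label.add.static.route=Add static route
 label.add.system.service.offering=Add System Service Offering
@@ -479,6 +481,7 @@ label.delete.NetScaler=Delete NetScaler
 label.delete.NiciraNvp=Remove Nvp Controller
 label.delete.project=Delete project
 label.delete.SRX=Delete SRX
+label.delete.PA=Delete Palo Alto
 label.delete.VPN.connection=delete VPN connection
 label.delete.VPN.customer.gateway=delete VPN Customer Gateway
 label.delete.VPN.gateway=delete VPN Gateway
@@ -876,6 +879,8 @@ label.os.type=OS Type
 label.owned.public.ips=Owned Public IP Addresses
 label.owner.account=Owner Account
 label.owner.domain=Owner Domain
+label.PA.log.profile=Palo Alto Log Profile
+label.PA.threat.profile=Palo Alto Threat Profile
 label.parent.domain=Parent Domain
 label.password.enabled=Password Enabled
 label.password=Password
@@ -1048,6 +1053,7 @@ label.specify.vlan=Specify VLAN
 label.specify.vxlan=Specify VXLAN
 label.SR.name = SR Name-Label
 label.srx=SRX
+label.PA=Palo Alto
 label.start.IP=Start IP
 label.start.port=Start Port
 label.start.reserved.system.IP=Start Reserved system IP
@@ -1366,6 +1372,7 @@ message.confirm.action.force.reconnect=Please confirm that you want to force rec
 message.confirm.delete.F5=Please confirm that you would like to delete F5
 message.confirm.delete.NetScaler=Please confirm that you would like to delete NetScaler
 message.confirm.delete.SRX=Please confirm that you would like to delete SRX
+message.confirm.delete.PA=Please confirm that you would like to delete Palo Alto
 message.confirm.destroy.router=Please confirm that you would like to destroy this router
 message.confirm.disable.provider=Please confirm that you would like to disable this provider
 message.confirm.enable.provider=Please confirm that you would like to enable this provider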

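--- a/client/pom.xml
+++ b/client/pom.xml
@@ -90,6 +90,11 @@
 <artifactId>cloud-plugin-network-contrail</artifactId>
 <version>${project.version}</version>
 </dependency>
+<dependency>
+<groupId>org.apache.cloudstack</groupId>
+<artifactId>cloud-plugin-network-palo-alto</artifactId>
+<version>${project.version}</version>
+</dependency>
 <dependency>
 <groupId>org.apache.cloudstack</groupId>
 <artifactId>cloud-plugin-network-ovs</artifactId>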

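--- a/client/tomcatconf/commands.properties.in
+++ b/client/tomcatconf/commands.properties.in
@@ -533,6 +533,17 @@ configureSrxFirewall=1
 listSrxFirewalls=1
 listSrxFirewallNetworks=1
 
+#### Palo Alto firewall commands
+addExternalFirewall=1
+deleteExternalFirewall=1
+listExternalFirewalls=1
+
+addPaloAltoFirewall=1
+deletePaloAltoFirewall=1
+configurePaloAltoFirewall=1
+listPaloAltoFirewalls=1
+listPaloAltoFirewallNetworks=1
+
 ####Netapp integration commands
 createVolumeOnFiler=15
 destroyVolumeOnFiler=15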
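Review bot: The first three added keys (new lines 537-539), `addExternalFirewall`, `deleteExternalFirewall` and `listExternalFirewalls`, are generic names placed under the Palo Alto heading. If they are already defined earlier in this file (not visible in the hunk), this block creates duplicate keys in what appears to be the file that assigns a permission value to each API command. Assuming the file is read as Java properties, the last occurrence of a key wins, so a later change to one copy could be silently overridden by the other. I would keep only the five `*PaloAlto*` entries here, or confirm the generic keys have no earlier definition and move them under their own heading such as `#### external firewall commands`.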
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
<!--
2+
Licensed to the Apache Software Foundation (ASF) under one
3+
or more contributor license agreements. See the NOTICE file
4+
distributed with this work for additional information
5+
regarding copyright ownership. The ASF licenses this file
6+
to you under the Apache License, Version 2.0 (the
7+
"License"); you may not use this file except in compliance
8+
with the License. You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing,
13+
software distributed under the License is distributed on an
14+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15+
KIND, either express or implied. See the License for the
16+
specific language governing permissions and limitations
17+
under the License.
18+
-->
19+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
20+
<modelVersion>4.0.0</modelVersion>
21+
<artifactId>cloud-plugin-network-palo-alto</artifactId>
22+
<name>Apache CloudStack Plugin - Palo Alto</name>
23+
<parent>
24+
<groupId>org.apache.cloudstack</groupId>
25+
<artifactId>cloudstack-plugins</artifactId>
26+
<version>4.3.0-SNAPSHOT</version>
27+
<relativePath>../../pom.xml</relativePath>
28+
</parent>
29+
</project>
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
# Licensed to the Apache Software Foundation (ASF) under one
2+
# or more contributor license agreements. See the NOTICE file
3+
# distributed with this work for additional information
4+
# regarding copyright ownership. The ASF licenses this file
5+
# to you under the Apache License, Version 2.0 (the
6+
# "License"); you may not use this file except in compliance
7+
# with the License. You may obtain a copy of the License at
8+
#
9+
# http://www.apache.org/licenses/LICENSE-2.0
10+
#
11+
# Unless required by applicable law or agreed to in writing,
12+
# software distributed under the License is distributed on an
13+
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14+
# KIND, either express or implied. See the License for the
15+
# specific language governing permissions and limitations
16+
# under the License.
17+
name=paloalto
18+
parent=network
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
<!--
2+
Licensed to the Apache Software Foundation (ASF) under one
3+
or more contributor license agreements. See the NOTICE file
4+
distributed with this work for additional information
5+
regarding copyright ownership. The ASF licenses this file
6+
to you under the Apache License, Version 2.0 (the
7+
"License"); you may not use this file except in compliance
8+
with the License. You may obtain a copy of the License at
9+
10+
http://www.apache.org/licenses/LICENSE-2.0
11+
12+
Unless required by applicable law or agreed to in writing,
13+
software distributed under the License is distributed on an
14+
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15+
KIND, either express or implied. See the License for the
16+
specific language governing permissions and limitations
17+
under the License.
18+
-->
19+
<beans xmlns="http://www.springframework.org/schema/beans"
20+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
21+
xmlns:context="http://www.springframework.org/schema/context"
22+
xmlns:aop="http://www.springframework.org/schema/aop"
23+
xsi:schemaLocation="http://www.springframework.org/schema/beans
24+
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
25+
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
26+
http://www.springframework.org/schema/context
27+
http://www.springframework.org/schema/context/spring-context-3.0.xsd"
28+
>
29+
30+
<bean id="PaloAlto" class="com.cloud.network.element.PaloAltoExternalFirewallElement">
31+
<property name="name" value="PaloAlto" />
32+
</bean>
33+
</beans>
