Code/Demo Share: Palo Alto Firewall Network Infrastructure Automation with Consul-Terraform-Sync

Sebastian Maniak
5 min read · Aug 17, 2022


IP is broken as a unit of Control! IDENTITY as a unit of control is the key to succeed in discovering, securing and automating your current workflows across any runtime and cloud.

Let’s discuss how we can automate Palo Alto Network firewall dynamic address groups using Consul with Terraform.

The goal is to reduce Opex, removing this burden of manually config

What is Consul?

Consul is a service mesh solution providing a full featured control plane with service discovery, configuration, and segmentation functionality. Each of these features can be used individually as needed, or they can be used together to build a full service mesh. Consul requires a data plane and supports both a proxy and native integration model. Consul ships with a simple built-in proxy so that everything works out of the box, but also supports 3rd party proxy integrations such as Envoy.


What is Consul Terraform Sync?

Network Infrastructure Automation (NIA) enables dynamic updates to network infrastructure devices triggered by service changes. Consul-Terraform-Sync (CTS) utilizes Consul as a data source that contains networking information about services and monitors those services. Terraform is used as the underlying automation tool and leverages the Terraform provider ecosystem to drive relevant changes to the network infrastructure.

CTS executes one or more automation tasks with the most recent service variable values from the Consul service catalog. Each task consists of a runbook automation written as a CTS compatible Terraform module using resources and data sources for the underlying network infrastructure. The consul-terraform-sync daemon runs on the same node as a Consul agent.
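As an added illustration (not a file from this post's repo), here is what a minimal CTS configuration for the firewall task described above could look like. The registry module name, the PAN-OS provider attributes and the env-templated password are assumptions; the service names web, api and db match the address groups used later in this post.

```hcl
# Assumed CTS configuration (cts-config.hcl) for the PAN-OS dynamic address
# group task. Module name and provider attributes are assumptions, not
# taken from this post's repo.
log_level = "INFO"

# CTS watches the local Consul agent's catalog for service changes.
consul {
  address = "127.0.0.1:8500"
}

# Terraform driver: CTS generates and applies one Terraform workspace per task.
driver "terraform" {
  log = true
  required_providers {
    panos = {
      source = "PaloAltoNetworks/panos"
    }
  }
}

# Firewall credentials. The password is read from the environment at runtime
# (assumed to have been fetched from Vault beforehand) rather than stored here.
terraform_provider "panos" {
  hostname = "x.x.x.x"                      # placeholder: PAN-OS management IP
  username = "admin"
  password = "{{ env \"PANOS_PASSWORD\" }}" # assumption: CTS env templating
}

# One task: whenever the web, api or db service instances change in Consul,
# run the dynamic address group module so the PAN tags follow the instances.
task {
  name        = "pan-dynamic-address-groups"
  description = "Keep PAN-OS dynamic address groups in sync with Consul services"
  module      = "PaloAltoNetworks/dag-nia/panos" # assumption: registry module name
  providers   = ["panos"]

  condition "services" {
    names = ["web", "api", "db"]
  }
}
```

Because the task only reacts to catalog changes, an instance that is deregistered from Consul is also removed from the address group, so the firewall policy shrinks as well as grows with the service.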

CTS is available as an open source and enterprise distribution. Follow the Network Infrastructure Automation introduction tutorial to get started with CTS OSS or read more about CTS Enterprise.


Palo Alto Dynamic Address Groups

Dynamic address groups are used in policy. They allow you to create policy that automatically adapts to changes: adds, moves, or deletions of servers. They also enable the flexibility to apply different rules to the same server based on tags that define its role on the network, the operating system, or the different kinds of traffic it processes.


Let's Build

The following code is in my repo.

We will deploy the following into an Azure Resource Group:

  • HashiCorp Vault Server — Manage Secrets
  • Consul Server — Service Registry and Identity
  • Consul-Terraform-Sync — used to create event-driven-architecture
  • Palo Alto PAN-OS Firewall — used to secure traffic in and out of the datacenter
  • API/WEB/DB Servers
  • Logging server — Because we need logs :D

Prerequisites

  • Azure cloud subscription
  • Terraform installed on your machine to initiate the code
  • Azure CLI

How to start

  1. Log into your Azure environment and get a subscription: az account list
  2. Accept the Azure Palo Alto marketplace terms, replacing MYSUB with your subscription ID:
az vm image terms accept --publisher paloaltonetworks --offer vmseries-flex --plan bundle1 --subscription MYSUB
  3. Install Terraform (brew install terraform)

Download the repo

Pull the code from the repo

git clone https://github.com/maniak-academy/medium-consul-palo-alto-nia.git

Deploy the Infrastructure

  1. First, change into the 01-deploy-infra directory:

cd 01-deploy-infra

Run Terraform

terraform init
terraform plan
terraform apply
  2. The output will give you all the information to access all the devices.
  3. Note: PAN-OS takes about 6–7 minutes to deploy, so go get a coffee.

Configure the Infrastructure

  1. First, change into the 02-configure-infra directory:

cd 02-configure-infra

Run Terraform

terraform init
terraform plan
terraform apply

Configure the Infrastructure

  1. Log into Vault to get the password to the Palo Alto Firewall
  2. Log into the Palo Alto firewall and COMMIT the changes

Deploy Apps

  1. First, change into the 03-deploy-apps directory:

cd 03-deploy-apps

Run Terraform

terraform init
terraform plan
terraform apply

Note: Apps do take some time to deploy; it will take about 1–2 minutes for them to come online.

Deploy Network Infrastructure Automation

Change into the directory:

cd 04-network-automation

This is where the magic happens: once you deploy CTS, things happen quickly!

Let's deploy the Consul-Terraform-Sync service.

Once CTS is deployed and registered with Consul, it will automatically update the Dynamic Address Groups in the PAN.

terraform init
terraform plan
terraform apply -auto-approve

When it's complete, you can SSH into the Consul-Terraform-Sync server. The Terraform output will give you the command to log into the server.

Example (the IP will be different for you):

ssh -i cts.pem azureuser@x.x.x.x

Inside the consul-terraform-sync server you can run the following command to see the consul-terraform-sync logs:

sudo journalctl -u consul-tf-sync.service -f

Log into your Consul server GUI/HTTP to validate that Consul-Terraform-Sync was registered with Consul.

Next, let's see if the magic worked.

Log into the Palo Alto Firewall and take a look in the “Objects” tab and click on “Address Group”. Select any address group and click on the “more..” button.

What do you see?

You will notice that Consul-Terraform-Sync has automatically added the IPs of the nodes that are registered in Consul.

Now let's scale these apps and see what happens.

Using Terraform, we set the app_count and web_count variables to 3. Let's see this live in action.

cd 03-deploy-apps

SSH into your consul-terraform-sync server using the output from above. Once you are logged in, run the following command; this will show us the magic.

sudo journalctl -u consul-tf-sync.service -f

Scale it more:

terraform apply -var app_count=3 -var web_count=2 -var db_count=2 -auto-approve

You can also monitor the status of the applications inside Consul GUI/HTTP.

Validate that CTS added those servers to their specific Address Groups by logging into your Palo Alto firewall:

  • Log into the PAN FW using the GUI/HTTPS and select OBJECTS > Address Groups.
  • Look at the _web or _api address group by clicking “more..” and you will see the new IPs deployed.

Explore:

Change the count to deploy more or fewer db servers, and watch Consul-Terraform-Sync in action.

terraform apply -var app_count=2 -var web_count=4 -var db_count=3 -auto-approve

Re-run Terraform, and monitor the various integration points once again. We’ll do so in the background so that you can move on whenever you’re ready.
