Chebis26/palo-alto-cisco-nva-cloud
GitHub: Chebis26/palo-alto-cisco-nva-cloud
该项目是一个基于 Terraform 的跨云部署框架,用于在 AWS 和 Azure 上自动化部署、扩展和集成 Palo Alto 防火墙与 Cisco SD-WAN 节点。
Stars: 0 | Forks: 0
# Palo Alto VM-Series 与 Cisco CSR 8000v — NVA 云部署
[](https://www.paloaltonetworks.com/)
[](https://www.cisco.com/)
[](https://aws.amazon.com/)
[](https://azure.microsoft.com/)
在 AWS 和 Azure 上生产部署 Palo Alto VM-Series(通过 AWS GWLB)和 Cisco Catalyst 8000V(SD-WAN 中心),包含 bootstrapping、BGP 路由、auto-scaling 以及 Panorama 集成。
## 架构 — 双 NVA 模式
```
┌──────────────────────────────────────────────────────────────────────┐
│ AWS SECURITY STACK │
│ │
│ INTERNET │
│ │ │
│ [Internet GW] │
│ │ │
│ ┌───▼──────────────────────────────────────────────────────────┐ │
│ │ Gateway Load Balancer (GWLB) — GENEVE encapsulation │ │
│ │ Health check: port 80 → /php/login.php │ │
│ └───┬──────────────────────────────────────────────────────────┘ │
│ │ Distributes to all healthy PA instances │
│ ┌───▼──────────────────────────────────────────────────────────┐ │
│ │ Palo Alto VM-Series ASG (m5.xlarge × 2-10) │ │
│ │ PAN-OS 11.1 | Bootstrapped from S3 | Panorama-managed │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │
│ │ │ PA-VM-01 │ │ PA-VM-02 │ │ PA-VM-03 │ │ │
│ │ │ App-ID │ │ Threat Prev │ │ URL Filter │ │ │
│ │ │ IPS/IDS │ │ WildFire │ │ SSL Decrypt │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │
│ └───┬──────────────────────────────────────────────────────────┘ │
│ │ Inspected traffic returned to GWLB │
│ │ │
│ ┌───▼──────────────────────────────────────────────────────────┐ │
│ │ Cisco CSR 8000V (SD-WAN Hub) — m5.xlarge │ │
│ │ BGP AS 65001 | DMVPN Hub | SD-WAN vEdge │ │
│ │ ┌─────────────────────────────────────────────────────┐ │ │
│ │ │ Interfaces: │ │ │
│ │ │ GE1 (mgmt) | GE2 (WAN/public) | GE3 (LAN/private) │ │ │
│ │ └─────────────────────────────────────────────────────┘ │ │
│ └──────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
```
## 分步执行
### A 部分 — AWS GWLB 上的 Palo Alto VM-Series
#### 步骤 1:在 AWS Marketplace 中订阅 VM-Series
```
# VM-Series BYOL AMI (Palo Alto Networks 发布者)
# 订阅网址: https://aws.amazon.com/marketplace/pp/prodview-2ol6thptd6d6q
# 订阅后,获取您所在区域的 AMI ID
PA_AMI=$(aws ec2 describe-images \
--owners aws-marketplace \
--filters \
"Name=product-code,Values=6njl1pau431dv1qxipg63mvah" \
"Name=state,Values=available" \
"Name=architecture,Values=x86_64" \
--query 'sort_by(Images,&CreationDate)[-1].ImageId' \
--output text)
echo "Palo Alto AMI: $PA_AMI"
```
#### 步骤 2:创建 S3 bootstrap bucket
```
BOOTSTRAP_BUCKET="pa-vm-bootstrap-${ACCOUNT_ID}"
aws s3 mb s3://$BOOTSTRAP_BUCKET --region us-east-1
# 上传 bootstrap 配置
mkdir -p /tmp/pa-bootstrap/{config,license,software,content}
# 指向 Panorama 的最小化 bootstrap.xml
cat > /tmp/pa-bootstrap/config/bootstrap.xml << 'EOF'
pa-vm-gwlb
US/Eastern
panorama.company.internal
panorama-dr.company.internal
updates.paloaltonetworks.com
Untrust — GWLB data plane (GENEVE)
ethernet1/1
10.0.1.1
0.0.0.0/0
EOF
# Auth codes 文件
echo "$PA_LICENSE_AUTH_CODE" > /tmp/pa-bootstrap/license/authcodes
aws s3 sync /tmp/pa-bootstrap/ s3://$BOOTSTRAP_BUCKET/
echo "Bootstrap bucket ready: s3://$BOOTSTRAP_BUCKET"
```
#### 步骤 3:部署 GWLB + VM-Series Auto Scaling Group
```
cd terraform/aws/palo-alto/
# 为 GWLB + ASG 应用 Terraform
terraform apply -var="bootstrap_bucket=$BOOTSTRAP_BUCKET" \
-var="pa_ami=$PA_AMI" \
-var="instance_type=m5.xlarge"
GWLB_ARN=$(terraform output -raw gwlb_arn)
GWLB_EP_SERVICE=$(terraform output -raw gwlb_endpoint_service_name)
echo "GWLB ARN: $GWLB_ARN"
echo "Endpoint Service: $GWLB_EP_SERVICE"
echo "(Share endpoint service name with spoke VPC owners)"
```
#### 步骤 4:在 spoke VPC 中创建 GWLB endpoint
```
# 在每个需要进行流量检测的 spoke VPC 中:
GWLB_ENDPOINT=$(aws ec2 create-vpc-endpoint \
--vpc-id $SPOKE_VPC_ID \
--vpc-endpoint-type GatewayLoadBalancer \
--service-name $GWLB_EP_SERVICE \
--subnet-ids $SPOKE_PRIVATE_SUBNET \
--query 'VpcEndpoint.VpcEndpointId' \
--output text)
# 更新 spoke VPC 路由表以将流量发送到 GWLB endpoint
aws ec2 create-route \
--route-table-id $SPOKE_RT_ID \
--destination-cidr-block 0.0.0.0/0 \
--vpc-endpoint-id $GWLB_ENDPOINT
echo "All spoke VPC traffic now flows through Palo Alto for inspection"
```
### B 部分 — AWS 上的 Cisco Catalyst 8000V
#### 步骤 5:将 CSR 8000V 部署为 SD-WAN 中心
```
# 订阅: https://aws.amazon.com/marketplace/pp/prodview-c2dl4c1v5t8ik
CISCO_AMI=$(aws ec2 describe-images \
--owners aws-marketplace \
--filters "Name=product-code,Values=7h2s5opj2xftvlm1ufofpf2os" \
--query 'sort_by(Images,&CreationDate)[-1].ImageId' \
--output text)
echo "Cisco C8000V AMI: $CISCO_AMI"
cd terraform/aws/cisco-c8000v/
terraform apply -var="cisco_ami=$CISCO_AMI" \
-var="instance_type=m5.xlarge"
C8000V_PRIMARY_IP=$(terraform output -raw c8000v_primary_lan_ip)
C8000V_WAN_EIP=$(terraform output -raw c8000v_wan_eip)
echo "C8000V Primary LAN: $C8000V_PRIMARY_IP | WAN EIP: $C8000V_WAN_EIP"
```
#### 步骤 6:配置 C8000V BGP 以进行 SD-WAN 集成
```
# 通过 SSM 推送初始配置 (无需 SSH)
aws ssm send-command \
--document-name "AWS-RunShellScript" \
--targets "Key=tag:Name,Values=c8000v-primary" \
--parameters commands='[
"vtysh -c \"conf t\" -c \"router bgp 65001\" -c \"neighbor 169.254.10.2 remote-as 133937\" -c \"neighbor 169.254.10.2 description MCR-PRIMARY\" -c \"end\" -c \"write\""
]'
# 验证到 MCR 的 BGP 会话
aws ssm start-session \
--target $C8000V_INSTANCE_ID \
--document-name "AWS-StartInteractiveCommand" \
--parameters command="show bgp summary | include Neighbor|133937"
# 预期: 133937 ... Established
```
### C 部分 — Azure NVA 部署
#### 步骤 7:通过 GWLB 在 Azure 中部署 Palo Alto
```
cd terraform/azure/palo-alto/
# Azure GWLB (不同于 AWS GWLB — 基于 L4 隧道)
az network lb create \
--name gwlb-pa-fleet \
--resource-group rg-security \
--location eastus \
--sku Gateway \
--frontend-ip-configs "[{\"name\":\"frontend\",\"subnet\":{\"id\":\"$SECURITY_SUBNET_ID\"}}]"
# 用于 PA VM 的 Backend pool
az network lb address-pool create \
--lb-name gwlb-pa-fleet \
--resource-group rg-security \
--name pool-pa-vms \
--tunnel-interfaces "[{\"type\":\"Internal\",\"identifier\":900,\"protocol\":\"VXLAN\",\"port\":10800}]"
# 将 GWLB 链接到 spoke frontend (consumer LB)
az network lb frontend-ip update \
--lb-name lb-spoke-prod \
--resource-group rg-networking \
--name frontend-spoke \
--gateway-lb $GWLB_ID
echo "Azure GWLB chaining configured: spoke ALB → PA VMs → back to ALB"
```
#### 步骤 8:验证 NVA 流量检查
```
echo "=== NVA TRAFFIC INSPECTION VALIDATION ==="
# AWS: 检查 GWLB 是否路由到健康的 PA 实例
aws elbv2 describe-target-health \
--target-group-arn $GWLB_TG_ARN \
--query 'TargetHealthDescriptions[*].{Target:Target.Id,State:TargetHealth.State,Reason:TargetHealth.Reason}' \
--output table
# 生成测试流量并验证 PA 是否记录
aws ssm start-session \
--target $TEST_INSTANCE_ID \
--document-name "AWS-StartInteractiveCommand" \
--parameters command="curl -s https://api.company.com/health"
# 通过 Panorama API 检查 PA threat logs
curl -k "https://panorama.company.internal/api/?type=log&log-type=traffic&query=(addr.src+in+$TEST_IP)" \
-H "X-PAN-KEY: $PANORAMA_API_KEY" \
| python3 -m json.tool | grep -E "action|app|bytes"
echo "Traffic flowing through PA inspection: VALIDATED"
```
## Palo Alto 安全策略最佳实践
```
Security Zones:
untrust → internet-facing interface
trust → internal VPC subnet
dmz → semi-trusted workloads
management → Out-of-band management
Policy structure (ordered):
1. Allow intrazone-default (within same zone)
2. Application-specific rules:
allow ssl web-browsing from trust to untrust
allow ms-office365-base from trust to untrust
3. Block known malicious destinations (EDL)
4. Deny all (default)
Security Profiles to attach to each allow rule:
Antivirus: block + wildfire-submit
Anti-Spyware: block (critical/high), alert (medium), sinkhole DNS
Vulnerability: block (critical/high), alert (medium)
URL Filtering: block (malware/phishing/proxy-avoidance)
WildFire: submit all unknown files
```
## 许可证
MIT License
标签:AWS GWLB, Azure NVA, BGP路由, Palo Alto, 网络架构, 自动化运维, 自动扩容