
Neutron/mcafee-ngfw-firewall

Overview

McAfee NGFW FWaaS integration implements L3 router and FWaaS functionality with the McAfee Next Generation Firewall (NGFW) virtual appliance (VM) and the Security Management Center (SMC) server.

Features

Basic routing

NGFW routes traffic between networks it is connected to.

External gateway

You can attach a gateway to the router that works as a default gateway.

Floating IP

You can associate a public IP to an internal instance with destination NAT.

FWaaS

You can create a firewall policy and associate it with all of the tenant's routers.

NGFW features

You can use the SMC to configure deep packet inspection and application detection rules around the basic firewall policy defined through Neutron.

Architecture

McAfee NGFW FWaaS integration is implemented in two parts: McAfee L3 router plugin and McAfee FWaaS driver.

(Figure: McAfee FWaaS integration architecture)

McAfee L3 router plugin

The L3 plugin runs inside Neutron and replaces the upstream network namespace implementation with a router VM. The plugin communicates with Nova to instantiate the VM and attach router ports as they are configured. The NGFW interface and routing configuration is communicated to the pre-configured common SMC server using the SMC REST API. SMC then configures the NGFW VMs.

When created, the router VM is attached to a pre-configured management network that is used for communication between the SMC and NGFW VMs.

The plugin uses two new tables in the Neutron database to keep track of router VM related information. You can create the tables with the mfe-neutron-db-manage command, which is a wrapper for neutron-db-manage. The McAfee L3 plugin uses its own alembic migration table and thus functions independently of Neutron. Make sure to run the

mfe-neutron-db-manage upgrade

command each time you update the mfe_fwaas python package.

McAfee FWaaS driver

The FWaaS driver runs inside the L3 agent and conforms to the FwaasDriverBase API. The driver is responsible for translating Neutron firewall objects into NGFW policies and applying those policies to the NGFW VMs. Like the L3 plugin, the FWaaS driver consumes the SMC REST API.

(Figure: NGFW driver)

Configuration

The current implementation is developed and tested on top of the Kilo release. You do need to backport the fix for bug #1475244, though.

McAfee L3 router plugin

Install the mfe_fwaas python package

pip install mfe_fwaas

Update the Neutron database

mfe-neutron-db-manage upgrade head

As admin, create a tenant for hosting the router VMs

keystone tenant-create --name ngfw_tenant

As admin, create a user for administering the router VMs

keystone user-create --name ngfw_admin --tenant ngfw_tenant --pass password

As admin, make the user admin

keystone user-role-add --user ngfw_admin --tenant ngfw_tenant --role admin

Use the ngfw_admin and ngfw_tenant as the user and project from now on.

Create a flavor for the NGFW VM. These resources are the recommended minimums.

nova flavor-create --is-public false ngfw_flavor auto 2048 0 2

Import the NGFW disk image. NOTE: The FWaaS integration requires currently unreleased NGFW features to work properly. Contact McAfee sales for an image.

glance image-create --name ngfw_image --disk-format qcow2 --container-format bare --is-public false --file mcafee_ngfw.img

Create a Neutron network for communication between the SMC and the NGFW firewall VMs. For example, the following creates a provider network that maps to the bridge 'smc' to which the SMC server is connected.

neutron net-create --provider:network_type flat --provider:physical_network smc ngfw_mgmt_network

Create a subnet on the management network for the SMC

neutron subnet-create ngfw_mgmt_network 192.168.206.128/26

Install the SMC on a machine that can communicate with both Neutron and the L3 agent as well as with the management network. Use the SMC management client to enable the SMC API.

Make sure the McAfee router plugin and the FWaaS plugin are added to service_plugins in neutron.conf.

service_plugins = mfe_fwaas.router_plugin.ngfw_neutron_plugin.NgfwRouterPlugin,neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin

Add the following configuration section to your neutron.conf.

[NGFW]

# Router VM parameters
ngfw_image_id = 068185a4-20af-43e4-bb89-2e944d4cfe99
ngfw_flavor_id = 044f3971-6cfc-4432-a162-d43a2f58ce62
ngfw_mgmt_network_id = 3f9a2e58-0766-4eca-b5ff-3eb4b2db9cfb

vm_spawn_timeout = 0
vm_status_polling_interval = 3
fw_status_polling_interval = 3
fw_status_polling_timeout = 0

# Tenant that owns the router VMs
tenant_id = 87e36f304f8a4afdaa989b300100b2e4
tenant_name = ngfw_tenant

# Router VM admin user
tenant_admin_password = password
tenant_admin_name = ngfw_admin

# All router VM MACs will start with this. Hotplugging only works with ‘58:7a:4d’.
mac_address_prefix = 58:7a:4d

# SMC credential
smc_api_version = 5.8
smc_url = http://192.168.206.171:8082
smc_api_auth_key = BRTcfZspkFgsoTHcjD680001

McAfee FWaaS driver

After configuring the McAfee L3 plugin, the FWaaS driver is enabled by setting the following variables in fwaas_driver.ini.

driver = mfe_fwaas.fwaas_driver.ngfw_fwaas.NgfwFwaasDriver
[ngfw]
smc_api_auth_key = BRTcfZspkFgsoTHcjD680001
smc_api_version = 5.8
smc_url = http://192.168.206.171:8082
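The same SMC endpoint, API version and authentication key have to be entered twice, once in the [NGFW] section of neutron.conf (read by the L3 plugin) and once in the [ngfw] section of fwaas_driver.ini (read by the driver in the L3 agent), and the IDs in [NGFW] must be the ones produced by the setup steps above. The following script is an added example, not code from the mfe_fwaas package: it parses both files and reports any mismatch before Neutron and the L3 agent are restarted. It assumes that the driver line lives in a [fwaas] section (the page does not show the section header), that the four ID settings are UUIDs, that the timeout and polling settings are non-negative integers, and that the sample configuration text embedded below, which reuses the page's example values, is a stand-in for the real files.

```python
"""Consistency check for the McAfee NGFW settings split across
neutron.conf ([NGFW] plus service_plugins) and fwaas_driver.ini
([ngfw] plus the driver line).

Added example, not part of mfe_fwaas. The [fwaas] section name, the
UUID format check and the integer check are this example's assumptions.
"""
import configparser
import uuid
from urllib.parse import urlparse

ROUTER_PLUGIN = "mfe_fwaas.router_plugin.ngfw_neutron_plugin.NgfwRouterPlugin"
FWAAS_PLUGIN = "neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin"
FWAAS_DRIVER = "mfe_fwaas.fwaas_driver.ngfw_fwaas.NgfwFwaasDriver"
HOTPLUG_MAC_PREFIX = "58:7a:4d"  # the only prefix hotplugging works with
UUID_KEYS = ("ngfw_image_id", "ngfw_flavor_id", "ngfw_mgmt_network_id", "tenant_id")
INT_KEYS = ("vm_spawn_timeout", "vm_status_polling_interval",
            "fw_status_polling_interval", "fw_status_polling_timeout")
SMC_KEYS = ("smc_api_version", "smc_url", "smc_api_auth_key")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_ngfw_config(neutron_conf, fwaas_driver_ini):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    nc = _parse(neutron_conf)
    fd = _parse(fwaas_driver_ini)

    # Both plugins must be loaded by neutron-server.
    plugins = [p.strip() for p in nc.get("DEFAULT", "service_plugins", fallback="").split(",")]
    for needed in (ROUTER_PLUGIN, FWAAS_PLUGIN):
        if needed not in plugins:
            problems.append("service_plugins is missing %s" % needed)

    ngfw = dict(nc.items("NGFW")) if nc.has_section("NGFW") else {}
    if not ngfw:
        problems.append("neutron.conf has no [NGFW] section")

    # IDs produced by glance/nova/neutron/keystone above must be well formed
    # (uuid.UUID also accepts the 32-hex form keystone prints for tenant_id).
    for key in UUID_KEYS:
        value = ngfw.get(key)
        if value is None:
            problems.append("[NGFW] %s is not set" % key)
            continue
        try:
            uuid.UUID(value)
        except ValueError:
            problems.append("[NGFW] %s is not a UUID: %r" % (key, value))

    for key in INT_KEYS:
        value = ngfw.get(key)
        if value is None or not value.isdigit():
            problems.append("[NGFW] %s must be a non-negative integer" % key)

    if ngfw.get("mac_address_prefix") != HOTPLUG_MAC_PREFIX:
        problems.append("[NGFW] mac_address_prefix must be %s for hotplugging to work"
                        % HOTPLUG_MAC_PREFIX)

    for key in ("tenant_name", "tenant_admin_name", "tenant_admin_password"):
        if not ngfw.get(key):
            problems.append("[NGFW] %s is not set" % key)

    # The L3 agent side: driver class and a matching copy of the SMC settings.
    if fd.get("fwaas", "driver", fallback=None) != FWAAS_DRIVER:
        problems.append("fwaas_driver.ini driver is not %s" % FWAAS_DRIVER)
    smc = dict(fd.items("ngfw")) if fd.has_section("ngfw") else {}
    if not smc:
        problems.append("fwaas_driver.ini has no [ngfw] section")
    for key in SMC_KEYS:
        a, b = ngfw.get(key), smc.get(key)
        if not a or not b:
            problems.append("%s must be set in both [NGFW] and [ngfw]" % key)
        elif a != b:
            problems.append("%s differs between neutron.conf and fwaas_driver.ini" % key)

    url = urlparse(ngfw.get("smc_url", ""))
    if url.scheme not in ("http", "https") or not url.hostname or not url.port:
        problems.append("[NGFW] smc_url must look like http(s)://host:port")
    return problems


# Constructed sample files, reusing the example values from this page.
NEUTRON_CONF = """
[DEFAULT]
service_plugins = mfe_fwaas.router_plugin.ngfw_neutron_plugin.NgfwRouterPlugin,neutron_fwaas.services.firewall.fwaas_plugin.FirewallPlugin

[NGFW]
ngfw_image_id = 068185a4-20af-43e4-bb89-2e944d4cfe99
ngfw_flavor_id = 044f3971-6cfc-4432-a162-d43a2f58ce62
ngfw_mgmt_network_id = 3f9a2e58-0766-4eca-b5ff-3eb4b2db9cfb
vm_spawn_timeout = 0
vm_status_polling_interval = 3
fw_status_polling_interval = 3
fw_status_polling_timeout = 0
tenant_id = 87e36f304f8a4afdaa989b300100b2e4
tenant_name = ngfw_tenant
tenant_admin_password = password
tenant_admin_name = ngfw_admin
mac_address_prefix = 58:7a:4d
smc_api_version = 5.8
smc_url = http://192.168.206.171:8082
smc_api_auth_key = BRTcfZspkFgsoTHcjD680001
"""

FWAAS_DRIVER_INI = """
[fwaas]
driver = mfe_fwaas.fwaas_driver.ngfw_fwaas.NgfwFwaasDriver
[ngfw]
smc_api_auth_key = BRTcfZspkFgsoTHcjD680001
smc_api_version = 5.8
smc_url = http://192.168.206.171:8082
"""

if __name__ == "__main__":
    for problem in check_ngfw_config(NEUTRON_CONF, FWAAS_DRIVER_INI) or ["OK"]:
        print(problem)
```

To use it on a real deployment, read the two files with open() and pass their contents to check_ngfw_config; a non-empty result is worth fixing before the L3 agent tries to reach the SMC with a key that differs from the one the plugin uses.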