How to Install & Configure Arista’s DirectFlow Assist for Palo Alto Firewalls

Contents
Summary
Prerequisite
Concepts
Configuring QoS Markings
Configuring the DFA Modes
DFA Installation
Palo Alto Configuration
Troubleshooting

SUMMARY

For the high level solution brief, view the Palo Alto Solution Brief.

One of the many features of an Arista switch is the ability to install extensions on the box. An Arista switch can be managed much like a Linux server (it actually is one, but that is outside the scope of this article), so RPM packages can be installed on it. One such package is Arista's DirectFlow Assist (DFA). DFA listens for syslog messages from the Palo Alto firewall and, based on the firewall's verdict for a session, uses eAPI to program new DirectFlow flow-table entries on the switch dynamically: flows the firewall has denied are dropped at the switch, and flows it has allowed can be forwarded around it. This takes load off the Palo Alto firewall and/or out-of-band security platforms.

DirectFlow itself can also be configured manually and has been available since EOS 4.13.0. For more information, view the 4.13F TOI "DirectFlow on T+ and T2".

This increases scale and performance under DoS attacks and for elephant flows and traffic redirection, and lets network administrators size the firewall for normal traffic patterns instead of over-engineering the solution. It also lowers latency for allowed flows, since they no longer need to traverse the firewall. In this post we go over DFA's operation and installation, and the configuration needed on the Palo Alto firewall.

Figure EOSC.01.01: A high-level physical topology of Palo Alto firewalls and Arista switches

The DFA extension supports Arista switches in an MLAG pair as well as Palo Alto firewalls in an HA pair. Both switches in the MLAG pair listen to each firewall for syslog messages, which the PAN firewall can send over TCP, UDP, or SSL/TLS.

Figure EOSC.01.02: Block traffic at the switch based on Palo Alto firewall rules

Figure EOSC.01.03: Allow certain traffic flows to bypass firewall inspection

PREREQUISITE

  • Download the DFA extension (.rpm) from the Arista.com site under Software Downloads
  • Place the file on a server the switch can reach over SFTP or SCP; with physical access to the switch you can instead copy it from a USB drive
  • Ensure the Arista switch and the Palo Alto firewall can reach each other (the switch is the firewall's syslog destination)
  • Supported EOS versions: 4.14.7M, 4.14.8M
  • Supported platforms: 7050 and 7050X series
  • Minimum PAN-OS version: 6.1.0

 

CONCEPTS

Extensions allow us to extend (pun intended) what an Arista switch can do. Installing the DirectFlow Assist (DFA) package creates the files and directories listed below.

NOTE: Changes to config.py take effect only after the DFA process is restarted.

DFA Python package directory
/usr/lib/python2.7/site-packages/directflow_assist

DFA config file, README, and LICENSE directory
/persist/sys/extensions/directflow_assist

DFA command-line script
/usr/bin/assist

DFA log rotation configuration
/etc/logrotate.d/dfa_logrotate

DFA log file
/var/log/directflow_assist.log

DFA process ID file
/var/run/directflow_assist.pid

DFA can run in three main modes (plus a combined MIRROR_AND_SHUNT_MODE) to suit your environment. By default it runs in SHUNT_MODE with DEFAULT_THRU_FIREWALL_MODE set to True, meaning traffic goes through the firewall unless a flow entry says otherwise. The modes, which are selected in the config file, are described below.

Figure EOSC.01.04 / Figure EOSC.01.05

In SHUNT mode, traffic goes through the firewall by default until a firewall policy explicitly requests assistance for specific flows, which are then either dropped at the switch or forwarded around the firewall. Notice in the diagram below that there are two links toward the firewall (one for the trust zone, the other for untrust). DirectFlow drops the bad traffic at the switch, while suspect traffic continues to the firewall as normal.

Figure EOSC.01.06

In MIRROR mode, the firewall hangs off the switch as a tap: traffic is switched directly between Zone A and Zone B, and a copy is mirrored to the firewall, so the firewall never sits in the forwarding path. The only action DFA can take here is to drop flows at the switch, since there is nothing to bypass. There is only one link to the firewall.

Figure EOSC.01.07

 

In INLINE mode, upstream traffic enters the switch, goes to the firewall, and then continues to the downstream (inside) network. DFA drops, at the switch, the attacks the firewall has blocked that originate upstream.

Figure EOSC.01.08
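The mechanism the modes share, as an added example written for this article rather than code from the DirectFlow Assist package: a PAN-OS traffic syslog arrives, the sender is checked against the accept list, and a session-start log is turned into the EOS DirectFlow CLI that drops the flow at the switch (firewall verdict: deny) or forwards it straight to the other zone's port around the firewall (verdict: allow), as SHUNT mode does. Assumed here: the PAN-OS 6.x traffic-log CSV column order, the DirectFlow CLI keywords (verify them on your EOS release), the constructed sample log lines, and the zone-to-port mapping, which mirrors the config.py values used later in this article (Zone A = untrust on Ethernet1, Zone B = trust on Ethernet2).

```python
"""Added example for this article; not code from the DirectFlow Assist package.
Reduces DFA's SHUNT-mode behaviour to a few functions. Assumed: PAN-OS 6.x
traffic-log CSV column order, DirectFlow CLI keywords, zone-to-port mapping."""
import csv
import re
from dataclasses import dataclass
from io import StringIO

ACCEPT_SYSLOG_MSGS_FROM_IP = ["192.168.1.254"]          # the firewall (assumed lab value)
# PAN zone name -> switch port facing that zone's network (not the firewall link).
ZONE_NET_PORT = {"untrust": "Ethernet1", "trust": "Ethernet2"}   # Zone A, Zone B

# Column positions in the PAN-OS traffic log CSV body (assumed; check your release).
F_TYPE, F_SUBTYPE, F_SRC, F_DST, F_FROM, F_TO = 3, 4, 7, 8, 16, 17
F_SESSION, F_SPORT, F_DPORT, F_PROTO, F_ACTION = 22, 24, 25, 29, 30

# RFC 3164 header as PAN-OS sends it: "<PRI>Mon dd hh:mm:ss hostname <csv body>"
SYSLOG_HDR = re.compile(r"^<\d+>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+(.*)$")

@dataclass(frozen=True)
class Session:
    session_id: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    from_zone: str
    to_zone: str
    action: str

def parse_pan_traffic_log(sender_ip, line):
    """Return a Session for an accepted session-start TRAFFIC log, else None."""
    # The ACCEPT_SYSLOG_MSGS_FROM_IP check. Over UDP the sender address is the
    # only thing tying a message to the firewall, and it is trivially spoofed,
    # so a forged 'allow' log could install a flow that bypasses the firewall.
    if sender_ip not in ACCEPT_SYSLOG_MSGS_FROM_IP:
        return None
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    f = next(csv.reader(StringIO(m.group(1))))
    # Only session-start logs are acted on, which is why the PAN policy
    # needs "Log at Session Start".
    if len(f) <= F_ACTION or f[F_TYPE] != "TRAFFIC" or f[F_SUBTYPE] != "start":
        return None
    return Session(f[F_SESSION], f[F_SRC], f[F_DST], int(f[F_SPORT]), int(f[F_DPORT]),
                   f[F_PROTO], f[F_FROM], f[F_TO], f[F_ACTION])

def directflow_commands(s):
    """EOS CLI a SHUNT-mode assist would push over eAPI for this session, or []
    when the firewall's verdict needs no help from the switch."""
    in_port, out_port = ZONE_NET_PORT.get(s.from_zone), ZONE_NET_PORT.get(s.to_zone)
    if in_port is None or out_port is None:
        return []                                   # zone not attached to this switch
    if s.action in ("deny", "drop"):
        kind, action = "DROP", "action drop"
    elif s.action == "allow":
        kind, action = "BYPASS", "action output interface " + out_port
    else:
        return []
    return ["directflow", "flow DFA_%s_%s" % (kind, s.session_id),
            "match ethertype ip", "match input interface " + in_port,
            "match source ip " + s.src, "match destination ip " + s.dst,
            "match ip protocol " + s.proto,
            "match source port %d" % s.sport, "match destination port %d" % s.dport,
            action]

class FlowManager:
    """Deduplicates on session ID (the job of DFA's DedupCache) and hands the
    CLI to a sender: eAPI in the real extension, any callable here."""
    def __init__(self, send):
        self.send, self.seen = send, set()

    def handle(self, sender_ip, line):
        s = parse_pan_traffic_log(sender_ip, line)
        if s is None or s.session_id in self.seen:
            return None
        cmds = directflow_commands(s)
        if cmds:
            self.seen.add(s.session_id)
            self.send(cmds)
        return cmds

# Constructed sample logs: a denied SSH session and an allowed HTTPS session.
DENY_LOG = ("<14>Jun  1 12:00:00 PA-500 1,2015/06/01 12:00:00,001606000001,TRAFFIC,start,1,"
            "2015/06/01 12:00:00,10.0.0.5,172.16.0.10,0.0.0.0,0.0.0.0,Block-SSH,,,ssh,vsys1,"
            "untrust,trust,ethernet3,ethernet4,Arista-DFA,2015/06/01 12:00:00,12345,1,"
            "51000,22,0,0,0x0,tcp,deny")
ALLOW_LOG = (DENY_LOG.replace(",12345,", ",12346,").replace(",22,", ",443,")
             .replace("Block-SSH", "Allow-Web").replace(",deny", ",allow"))

if __name__ == "__main__":
    pushed = []
    mgr = FlowManager(pushed.append)
    for log in (DENY_LOG, ALLOW_LOG, ALLOW_LOG):    # the third is a duplicate
        mgr.handle("192.168.1.254", log)
    for cmds in pushed:
        print("\n".join(cmds) + "\n")
```

The accept-list test is the whole of the message authentication when the transport is UDP; that is the reason to prefer TCP or SSL on the PAN syslog profile and to let only the firewall reach the switch's listening port.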

 

 

CONFIGURING QoS MARKINGS

DFA can also mark the Ethernet Class of Service (CoS) and/or IP Type of Service (ToS) fields of flows going through the switch; this is available only in SHUNT mode. To configure it, set the COS_TOS_MARKINGS field in config.py.

Figure EOSC.01.09

 

CONFIGURING THE DFA MODES

To change the DFA mode, set the OPERATING_MODE field in config.py and fill in the interface sections that mode needs. In the example below the mode is set to SHUNT. For a more detailed explanation, see the DFA Installation section, step 5.

 OPERATING_MODE = SHUNT_MODE             # SHUNT_MODE, INLINE_MODE, MIRROR_MODE, MIRROR_AND_SHUNT_MODE

SHUNT_MODE – fill in both the Zone A and Zone B sections of the config file (which of them is trust and which is untrust follows your firewall's zone configuration).
INLINE_MODE – fill in only the Zone A section.
MIRROR_MODE – fill in only the SWITCH_INTERFACE_TO_FW_TAP and SWITCH_INTERFACES_TO_BE_MIRRORED interfaces.
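A pre-flight check for config.py that enforces the per-mode rules above before the DFA process is restarted, added here as an example written for this article (it is not part of the DirectFlow Assist package). Field names follow the article's config.py. Assumptions: the mode and transport constants are plain strings (on the switch, config_common.py supplies them), MIRROR_AND_SHUNT_MODE needs the union of the SHUNT and MIRROR fields, the mirrored-interfaces field is named SWITCH_INTERFACES_TO_BE_MIRRORED, and the sample configs are constructed for the demonstration.

```python
"""Added example for this article; not code from the DirectFlow Assist package.
Checks a config.py against the per-mode field requirements before restarting
DFA. Assumed: mode/transport constants are strings, MIRROR_AND_SHUNT_MODE
needs SHUNT + MIRROR fields, mirrored-interfaces field name as below."""
import ipaddress

MODES = ("SHUNT_MODE", "INLINE_MODE", "MIRROR_MODE", "MIRROR_AND_SHUNT_MODE")
TRANSPORTS = ("UDP", "TCP", "SSL")

ZONE_A = ("SWITCH_INTERFACE_A", "SWITCH_INTERFACE_AF", "FIREWALL_INTERFACE_AF")
ZONE_B = ("SWITCH_INTERFACE_B", "SWITCH_INTERFACE_BF", "FIREWALL_INTERFACE_BF")
MIRROR = ("SWITCH_INTERFACE_TO_FW_TAP", "SWITCH_INTERFACES_TO_BE_MIRRORED")
REQUIRED = {
    "SHUNT_MODE": ZONE_A + ZONE_B,
    "INLINE_MODE": ZONE_A,
    "MIRROR_MODE": MIRROR,
    "MIRROR_AND_SHUNT_MODE": ZONE_A + ZONE_B + MIRROR,   # assumed
}

def load_config(text):
    """Execute config.py text with the constants it refers to pre-defined (the
    way config_common.py supplies them on the switch) and return the namespace."""
    ns = {name: name for name in MODES + TRANSPORTS}
    exec(compile(text, "config.py", "exec"), ns)
    return ns

def check_config(cfg):
    """Return (errors, warnings). Any error means DFA should not be started."""
    errors, warnings = [], []
    mode = cfg.get("OPERATING_MODE")
    if mode not in REQUIRED:
        return ["OPERATING_MODE must be one of: " + ", ".join(MODES)], warnings
    for field in REQUIRED[mode]:
        if not cfg.get(field):
            errors.append("%s requires %s to be set" % (mode, field))
    # An HA link to a second firewall reuses the firewall interface name.
    for ha, fw in (("SWITCH_INTERFACE_HA_AF", "FIREWALL_INTERFACE_AF"),
                   ("SWITCH_INTERFACE_HA_BF", "FIREWALL_INTERFACE_BF")):
        if cfg.get(ha) and not cfg.get(fw):
            errors.append("%s is set but %s is empty" % (ha, fw))
    senders = cfg.get("ACCEPT_SYSLOG_MSGS_FROM_IP")
    if not isinstance(senders, list) or not senders:
        errors.append("ACCEPT_SYSLOG_MSGS_FROM_IP must be a non-empty list of IP strings")
    else:
        for ip in senders:
            try:
                if not isinstance(ip, str):
                    raise ValueError
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append("ACCEPT_SYSLOG_MSGS_FROM_IP: %r is not an IP string" % (ip,))
    transport = cfg.get("SYSLOG_TRANSPORT")
    if transport not in TRANSPORTS:
        errors.append("SYSLOG_TRANSPORT must be one of: " + ", ".join(TRANSPORTS))
    elif transport == "UDP":
        warnings.append("UDP syslog: the sender IP is the only check and is spoofable; "
                        "prefer TCP or SSL")
    if cfg.get("COS_TOS_MARKINGS") and mode != "SHUNT_MODE":
        warnings.append("COS_TOS_MARKINGS only applies in SHUNT_MODE")
    return errors, warnings

def check_config_text(text):
    """Parse and check config.py text; a file that does not parse is an error."""
    try:
        cfg = load_config(text)
    except SyntaxError as e:
        return ["config.py does not parse (line %s): %s" % (e.lineno, e.msg)], []
    return check_config(cfg)

# Constructed sample configs.
SHUNT_OK = """
SWITCH_INTERFACE_A = 'Ethernet1'
SWITCH_INTERFACE_AF = 'Ethernet3'
SWITCH_INTERFACE_HA_AF = ''
FIREWALL_INTERFACE_AF = 'ethernet3'
SWITCH_INTERFACE_B = 'Ethernet2'
SWITCH_INTERFACE_BF = 'Ethernet4'
SWITCH_INTERFACE_HA_BF = ''
FIREWALL_INTERFACE_BF = 'ethernet4'
ACCEPT_SYSLOG_MSGS_FROM_IP = ['192.168.1.254']
SYSLOG_TRANSPORT = TCP
OPERATING_MODE = SHUNT_MODE
"""
INLINE_MISSING_FW = (SHUNT_OK.replace("OPERATING_MODE = SHUNT_MODE", "OPERATING_MODE = INLINE_MODE")
                     .replace("FIREWALL_INTERFACE_AF = 'ethernet3'", "FIREWALL_INTERFACE_AF = ''"))
UNQUOTED_IP = SHUNT_OK.replace("['192.168.1.254']", "[192.168.1.254]")   # not valid Python

if __name__ == "__main__":
    for label, text in (("shunt", SHUNT_OK), ("inline", INLINE_MISSING_FW), ("unquoted", UNQUOTED_IP)):
        errors, warnings = check_config_text(text)
        print(label, "errors:", errors, "warnings:", warnings)
```

Run it on the real file with check_config_text(open('/persist/sys/extensions/directflow_assist/config.py').read()) before restarting the process; the unquoted-IP case reproduces the most common mistake, since the accept list must hold strings.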

 

DFA INSTALLATION

  1. Copy over the .rpm file to the extension: file system. In this example I am using SFTP.

LAB-LF05(vrf:MGMT)#copy sftp://admin:pass0rd@10.30.121.244/work/directflow_assist_pan-1.0.0.noarch.rpm flash:
work@10.29.19.22's password:
sftp> progress
Progress meter enabled
sftp> get '/work/directflow_assist_pan-1.0.0.noarch.rpm' '/mnt/flash/directflow_assist_pan-1.0.0.noarch.rpm.7lmv3c'
Fetching /work/directflow_assist_pan-1.0.0.noarch.rpm to /mnt/flash/directflow_assist_pan-1.0.0.noarch.rpm.7lmv3c
/work/directflow_assist_pan-1.0.0.noarch.rpm  100%   86KB  86.0KB/s   00:00
Copy completed successfully.

In the example above, I copied the file to flash: instead of extension: by mistake. Not a problem; another copy command fixes it. (Putting the password in the URL, as above, leaves it in the command history and in any session capture; omit it and let the switch prompt for it instead.)

LAB-LF05(vrf:MGMT)#copy flash:/directflow_assist_pan-1.0.0.noarch.rpm extension:

Copy completed successfully. 

  2. To ensure this extension loads every time the switch boots, we copy it to boot-extensions. First, verify the extension is recognized by the switch.

LAB-LF05(vrf:MGMT)#show extensions det
       Name: directflow_assist_pan-1.0.0.noarch.rpm

    Version: 1.0.0
    Release: 1
   Presence: available
     Status: not installed
     Vendor: Arista Networks, Inc. <support@arista.com>
    Summary: DirectFlow Assist for PAN Firewalls
       RPMS: directflow_assist_pan-1.0.0.noarch.rpm 1.0.0/1
 Total size: 323844 bytes
Description:
Arista Networks, Inc.
DirectFlow Assist for Palo Alto Networks Firewalls
EOS Extension written in python
Runs on Arista switches that support DirectFlow.
See the README at /persist/sys/extensions/directflow_assist/README.txt
for minimum EOS version and additional info.

Notice the Status shows as “not installed”.  Let’s change that.

LAB-LF05#extension directflow_assist_pan-1.0.0.noarch.rpm
LAB-LF05#show ext
Name                                       Version/Release           Status extension
------------------------------------------ ------------------------- ------ ----
directflow_assist_pan-1.0.0.noarch.rpm     1.0.0/1                   A, I      1

A: available | NA: not available | I: installed | NI: not installed | F: forced

Let's also copy the installed extensions to boot-extensions so DFA is installed again when the switch reboots.

LAB-LF05(vrf:MGMT)#copy installed-extensions boot-extensions
Copy completed successfully.

 

  3. Next we need to make sure eAPI is enabled on the unix domain socket, which is how DFA talks to the switch locally. Note in the output below that the unix socket server has no authentication: anything that can open /var/run/command-api.sock (any user with a bash shell on the switch) can run eAPI commands, so keep bash access to the switch restricted. This step does not require the HTTP or HTTPS servers to be reachable from the network.

 

LAB-LF05#config t
LAB-LF05(config)#management api http-commands
LAB-LF05(config-mgmt-api-http-cmds)#protocol unix-socket
LAB-LF05(config-mgmt-api-http-cmds)#no shut
LAB-LF05#show management api http-commands
Enabled:            Yes

HTTPS server:       running, set to use port 443
HTTP server:        shutdown, set to use port 80
Local HTTP server:  shutdown, no authentication, set to use port 8080
Unix Socket server: running, no authentication
VRF:                default
Hits:               76
Last hit:           10189710 seconds ago
Bytes in:           8323
Bytes out:          15850
Requests:           4
Commands:           4
Duration:           0.838 seconds
User        Requests       Bytes in       Bytes out    Last hit
----------- -------------- -------------- --------------- --------------------
   admin       4              8323           15850        10189710 seconds ago
URLs
--------------------------------------------
Unix Socket : unix:/var/run/command-api.sock

 

  4. To verify that the extension installed correctly, drop into bash and cd to /usr/lib/python2.7/site-packages/directflow_assist. If you see these files, the extension is properly installed on your switch.

[admin@LAB-LF05 ~]$ cd /usr/lib/python2.7/site-packages/directflow_assist
[admin@LAB-LF05 directflow_assist]$ ls

DedupCache.py             FlowEntryManager.py   SyslogMsg.py          app.py
DedupCache.pyc            FlowEntryManager.pyc  SyslogMsg.pyc         app.pyc
DedupCache.pyo            FlowEntryManager.pyo  SyslogMsg.pyo         app.pyo
DirectFlowSwitch.py       PANSyslogMsg.py       VarmourSyslogMsg.py   common
DirectFlowSwitch.pyc      PANSyslogMsg.pyc      VarmourSyslogMsg.pyc  util.py
DirectFlowSwitch.pyo      PANSyslogMsg.pyo      VarmourSyslogMsg.pyo  util.pyc
FlowAssistController.py   SyslogListener.py     __init__.py           util.pyo
FlowAssistController.pyc  SyslogListener.pyc    __init__.pyc
FlowAssistController.pyo  SyslogListener.pyo    __init__.pyo

  5. Before starting the process, configure the DFA config file. This tells the switch which PAN firewalls to accept syslog messages from, along with other parameters. Change to the /persist/sys/extensions/directflow_assist directory to find config.py and edit it (the .crt and .key files alongside it are presumably the certificate material for the SSL syslog transport).

 

[admin@LAB-LF05 directflow_assist]$ cd /persist/sys/extensions/directflow_assist/
[admin@LAB-LF05 directflow_assist]$ ls
LICENSE     config.py         dfa_tor1.crt  dfa_tor2.crt  rootCA2.crt
README.txt  config_common.py  dfa_tor1.key  dfa_tor2.key
[admin@LAB-LF05 directflow_assist]$ vi config.py

Change the following...

Zone_A interfaces – in this section, add the Zone A interfaces, from the Arista switch to the PAN firewall.

SWITCH_INTERFACE_A – the switch interface facing the Zone A network (the side away from the firewall)
SWITCH_INTERFACE_AF – the switch interface connected to the firewall's Zone A interface
SWITCH_INTERFACE_HA_AF – optional, the switch interface to the second firewall of an HA pair
FIREWALL_INTERFACE_AF – the firewall's Zone A interface as named on the PAN (in this example, the UnTrust interface)

# Zone_A interfaces
SWITCH_INTERFACE_A = 'Ethernet1'
SWITCH_INTERFACE_AF = 'Ethernet3'
SWITCH_INTERFACE_HA_AF = ''              # optional: High-Availability to second firewall
FIREWALL_INTERFACE_AF = 'ethernet3'      # use same firewall intf name on AF and HA_AF, don't include sub-intf

NOTE: Which zone is Zone A depends on how your PAN firewall is configured; Zone A could be designated as either Trust or Untrust. In this example Zone A is UnTrust, based on the config.py example and the PAN interface zone configuration. The switch's Ethernet3 goes toward the PAN firewall, and Ethernet1 goes toward another (in this lab, internal) device.

Figure EOSC.01.10

 

Zone_B interfaces – in this section, add the Zone B interfaces (in our example, the Trust side).

# Zone_B interfaces
SWITCH_INTERFACE_B = 'Ethernet2'
SWITCH_INTERFACE_BF = 'Ethernet4'
SWITCH_INTERFACE_HA_BF = ''              # optional: High-Availability to second firewall
FIREWALL_INTERFACE_BF = 'ethernet4'      # use same firewall intf name on AF and HA_AF, don't include sub-intf

SWITCH_INTERFACE_B – the interface on the Arista switch going to your internal (Zone B) network.
SWITCH_INTERFACE_BF – the switch interface going to the Trust interface on the PAN firewall.
SWITCH_INTERFACE_HA_BF – optional, the switch interface to the second firewall of an HA pair.
FIREWALL_INTERFACE_BF – the interface on the PAN firewall facing the Arista switch on the Zone B side.

 

Empty config.py seen below

# Zone_A interfaces
SWITCH_INTERFACE_A = ''
SWITCH_INTERFACE_AF = ''
SWITCH_INTERFACE_HA_AF = ''              # optional: High-Availability to second firewall
FIREWALL_INTERFACE_AF = ''               # use same firewall intf name on AF and HA_AF, don't include sub-intf

# Zone_B interfaces
SWITCH_INTERFACE_B = ''
SWITCH_INTERFACE_BF = ''
SWITCH_INTERFACE_HA_BF = ''              # optional: High-Availability to second firewall
FIREWALL_INTERFACE_BF = ''               # use same firewall intf name on AF and HA_AF, don't include sub-intf

 

Accept Syslog Msgs From IP – list here the IP addresses to accept syslog messages from; messages from any other source are ignored. The entries are strings. In this example we use 192.168.1.254, the firewall's address. Keep in mind that with UDP transport the source address is the only thing tying a message to the firewall, and UDP source addresses can be spoofed; since a forged "allow" message could make DFA install a flow that bypasses the firewall, prefer TCP or SSL where the PAN supports it, and keep the switch's syslog listener reachable only from the firewall.

ACCEPT_SYSLOG_MSGS_FROM_IP = ['192.168.1.254']         # IP addr is a string, e.g. '1.2.3.4'; ignore msgs from other IPs

Syslog Transport – the transport on which to receive syslog messages from the PAN firewall. This must match what is configured in the PAN's syslog server profile. In this example we specify UDP.

SYSLOG_TRANSPORT = UDP             # options: UDP, TCP, SSL

Operating Mode – specifies which mode DFA runs in. By default it is SHUNT_MODE.

OPERATING_MODE = SHUNT_MODE  # SHUNT_MODE, INLINE_MODE, MIRROR_MODE, MIRROR_AND_SHUNT_MODE

Mirror configuration – fill in these fields if you wish to use Mirror mode.

SWITCH_INTERFACE_TO_FW_TAP = ''         # ethernet intf only; mirrors traffic between Zone A & B to FW
DEFAULT_THRU_FIREWALL_MODE = True       # False = traffic mirrored to firewall tap

 

  6. Once configured, run the initial setup by typing assist setup from the /persist/sys/extensions/directflow_assist directory. Typing assist on its own lists the available commands.

NOTE: This creates static DirectFlow entries toward the PAN firewall, which you will see in #show run. Make sure you also do a #wr mem so these entries survive a reload!

 

[demo@df-assist-demo ~]$ assist
 DirectFlow Assist – Command Line Processor:

 usage: python assist.py <command> [options]
  Commands    Options                    Description
 —————————————————————————–
 run_demo    none                  Start in demo mode (listens for pause,
                                   resume & delete commands from DemoRemote)
 stop        none                  Stop DirectFlow Assist process on switch
 status      none                  Show assist process and open ports (local)
 setup       none                  Initial setup of static flows to/from the
                                   attached firewall, create log file, etc.
 setup_run   none                  Combined setup & run for cold starts such
                                   as from EOS event-handler after reloads
 close_ports none                  Close syslog listening port(s) in local
                                   iptables (in case of abnormal termination)
 monitor     [sw_IP user passwd]   Monitor flows on switch (local or remote)
 delete      [sw_IP user passwd]   Delete DROP and BYPASS flow entries on
                                    switch (local or remote)

  7. Finally, start the process. The help output above lists setup_run, which performs the setup and starts the listener in one step; assist status then shows whether the process is running and which syslog port it has open.
  8. We can also start DFA from an AEM (Advanced Event Management) event handler, so it comes back after a reload:

conf
event-handler directflow_assist
   trigger on-boot
   delay 360
   asynchronous
   action bash assist setup_run

 

PALO ALTO CONFIGURATION

Minimal configuration is needed on the PAN firewall. Create your firewall policies as normal. For any policy whose allow or deny verdict should make DFA act on the Arista switch, open the policy's ACTIONS tab and attach a Log Forwarding profile that sends to the switch. Make sure Log at Session Start is enabled on that policy: the PAN then sends the syslog as soon as the session is created, so DFA can install the flow while the session is still in progress rather than after it has ended.

Figure EOSC.01.11

 

To define the Arista switch as a syslog server, click the DEVICE tab, then under Server Profiles click Syslog and add the switch. Most deployments can use TCP as the transport, but UDP and SSL/TLS are also available; whichever you choose must match SYSLOG_TRANSPORT in config.py. Once created, reference this server profile from the Log Forwarding profile attached to the policies above.

Figure EOSC.01.12

 

TROUBLESHOOTING
DFA writes its log to /var/log/directflow_assist.log; start there. assist status (from the help above) shows whether the process is running and which syslog ports it has open, and show directflow flows on the switch CLI lists the flow entries DFA has installed.