
Ability to model virtual contexts

Open u1735067 opened this issue 3 months ago • 0 comments

Proposed Functionality

Support firewall virtual contexts (for policies, zones, ...)

Use Case

Some firewalls support virtual contexts (i.e. virtual firewalls that behave like a standalone firewall); some examples are:

  • vsys for Palo Alto
    • https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/virtual-systems/virtual-systems-overview/virtual-system-components-and-segmentation
  • VDOM for Fortigate
    • https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/597696/vdom-overview
    • https://docs.fortinet.com/document/fortigate/latest/administration-guide/597696/vdom-overview
  • virtual systems (VS ?) for Checkpoint
    • https://www.checkpoint.com/quantum/virtual-systems/
    • https://www.checkpoint.com/downloads/products/virtual-systems-datasheet.pdf

One way (maybe wrong?) to model them is to create the physical devices as Devices, put them in a Virtualization cluster, and create a Virtual Machine for each virtual context (vsys, vdom, ...), which would be the best representation as they're not actual Devices (not in a physical DC). However, in that case this plugin is not usable, as only Devices and Device Interfaces are selectable (verified in v2.0.3 on https://next.demo.nautobot.com/).

What would be the best approach to support/model this and be able to use this plugin?

I did a POC (patch attached: nautobot-app-firewall-models_ltm-1.6_vminterfaces.diff.txt) modifying this plugin to allow selection of VM Interfaces, based on the ltm-1.6 branch. It works for simple needs (not all features are implemented, however), but it might not be the direction you would take? If it is, however, would you accept a patch for the v2 branch?

On a side note for Nautobot in general, some load-balancers may suffer the same limitations. For example, Radware Alteon can be standalone, virtual (VA), or in VX (~hypervisor)/vADC (virtual context) mode, and clusters can be formed at the physical and/or virtual level (between vADCs, themselves on (a cluster of) VX), the latter being hard to model as this notion of cluster/redundancy between VMs is not supported natively. Cluster/redundancy can also be formed at the VIP level, but that's another story ...

Edit, some captures of the POC result:

  • Policies (form): [screenshot]
  • Policies (list): [screenshot]
  • Zones (form): [screenshot]
  • Zones (list): [screenshot]

u1735067, Mar 20 '24 16:03