Squashed commit of the Palo Alto Networks firewall integration plugin.

This patch adds a network plugin to support Palo Alto Networks firewall (their appliance and their VM series firewall).

More information in the FS: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Palo+Alto+Firewall+Integration

Features supported are:
- List/Add/Delete Palo Alto service provider
- List/Add/Delete Palo Alto network service offering
- List/Add/Delete Palo Alto network with above service offering
- Add instance to the new network (creates the public IP and private gateway/cidr on the PA as well as the source nat rule)
- List/Add/Delete Ingress Firewall rule
- List/Add/Delete Egress Firewall rule
- List/Add/Delete Port Forwarding rule
- List/Add/Delete Static Nat rule
- Supports Palo Alto Networks 'Log Forwarding' profile globally per device (additional docs to come)
- Supports Palo Alto Networks 'Security Profile Groups' functionality globally per device (additional docs to come)

Knowns limitations:
- Only supports one public IP range in CloudStack.
- Currently not verifying SSL certificates when creating a connection between CloudStack and the Palo Alto Networks firewall.
- Currently not tracking usage on Public IPs.

Signed-off-by: Sheng Yang <sheng.yang@citrix.com>

api/src/com/cloud/network/Network.java

@@ -116,6 +116,7 @@ public interface Network extends ControlledEntity, StateObject<Network.State>, I
         public static final Provider VirtualRouter = new Provider("VirtualRouter", false);
         public static final Provider JuniperContrail = new Provider("JuniperContrail", false);
         public static final Provider JuniperSRX = new Provider("JuniperSRX", true);
+        public static final Provider PaloAlto = new Provider("PaloAlto", true);
         public static final Provider F5BigIp = new Provider("F5BigIp", true);
         public static final Provider Netscaler = new Provider("Netscaler", true);
         public static final Provider ExternalDhcpServer = new Provider("ExternalDhcpServer", true);

api/src/org/apache/cloudstack/api/command/admin/network/AddNetworkDeviceCmd.java

@@ -47,8 +47,9 @@ public class AddNetworkDeviceCmd extends BaseCmd {
     // ////////////// API parameters /////////////////////
     // ///////////////////////////////////////////////////
 
+
     @Inject ExternalNetworkDeviceManager nwDeviceMgr;
-    @Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall")
+    @Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall, PaloAltoFirewall")
     private String type;
 
     @Parameter(name = ApiConstants.NETWORK_DEVICE_PARAMETER_LIST, type = CommandType.MAP, description = "parameters for network device")

api/src/org/apache/cloudstack/api/command/admin/network/ListNetworkDeviceCmd.java

@@ -51,7 +51,7 @@ public class ListNetworkDeviceCmd extends BaseListCmd {
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
 
-    @Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall")
+    @Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, description = "Network device type, now supports ExternalDhcp, PxeServer, NetscalerMPXLoadBalancer, NetscalerVPXLoadBalancer, NetscalerSDXLoadBalancer, F5BigIpLoadBalancer, JuniperSRXFirewall, PaloAltoFirewall")
     private String type;
 
     @Parameter(name = ApiConstants.NETWORK_DEVICE_PARAMETER_LIST, type = CommandType.MAP, description = "parameters for network device")

api/src/org/apache/cloudstack/network/ExternalNetworkDeviceManager.java

@@ -42,6 +42,7 @@ public interface ExternalNetworkDeviceManager extends Manager {
         public static final NetworkDevice NetscalerSDXLoadBalancer = new NetworkDevice("NetscalerSDXLoadBalancer", Network.Provider.Netscaler.getName());
         public static final NetworkDevice F5BigIpLoadBalancer = new NetworkDevice("F5BigIpLoadBalancer", Network.Provider.F5BigIp.getName());
         public static final NetworkDevice JuniperSRXFirewall = new NetworkDevice("JuniperSRXFirewall", Network.Provider.JuniperSRX.getName());
+        public static final NetworkDevice PaloAltoFirewall = new NetworkDevice("PaloAltoFirewall", Network.Provider.PaloAlto.getName());
         public static final NetworkDevice NiciraNvp = new NetworkDevice("NiciraNvp", Network.Provider.NiciraNvp.getName());
         public static final NetworkDevice CiscoVnmc = new NetworkDevice("CiscoVnmc", Network.Provider.CiscoVnmc.getName());
 

client/WEB-INF/classes/resources/messages.properties

@@ -304,6 +304,7 @@ label.add.new.F5=Add new F5
 label.add.new.gateway=Add new gateway
 label.add.new.NetScaler=Add new NetScaler
 label.add.new.SRX=Add new SRX
+label.add.new.PA=Add new Palo Alto
 label.add.new.tier=Add new tier
 label.add.NiciraNvp.device=Add Nvp Controller
 label.add.physical.network=Add physical network
@@ -318,6 +319,7 @@ label.add.secondary.storage=Add Secondary Storage
 label.add.security.group=Add Security Group
 label.add.service.offering=Add Service Offering
 label.add.SRX.device=Add SRX device
+label.add.PA.device=Add Palo Alto device
 label.add.static.nat.rule=Add static NAT rule
 label.add.static.route=Add static route
 label.add.system.service.offering=Add System Service Offering
@@ -479,6 +481,7 @@ label.delete.NetScaler=Delete NetScaler
 label.delete.NiciraNvp=Remove Nvp Controller
 label.delete.project=Delete project
 label.delete.SRX=Delete SRX
+label.delete.PA=Delete Palo Alto
 label.delete.VPN.connection=delete VPN connection
 label.delete.VPN.customer.gateway=delete VPN Customer Gateway
 label.delete.VPN.gateway=delete VPN Gateway
@@ -876,6 +879,8 @@ label.os.type=OS Type
 label.owned.public.ips=Owned Public IP Addresses
 label.owner.account=Owner Account
 label.owner.domain=Owner Domain
+label.PA.log.profile=Palo Alto Log Profile
+label.PA.threat.profile=Palo Alto Threat Profile
 label.parent.domain=Parent Domain
 label.password.enabled=Password Enabled
 label.password=Password
@@ -1048,6 +1053,7 @@ label.specify.vlan=Specify VLAN
 label.specify.vxlan=Specify VXLAN
 label.SR.name = SR Name-Label
 label.srx=SRX
+label.PA=Palo Alto
 label.start.IP=Start IP
 label.start.port=Start Port
 label.start.reserved.system.IP=Start Reserved system IP
@@ -1366,6 +1372,7 @@ message.confirm.action.force.reconnect=Please confirm that you want to force rec
 message.confirm.delete.F5=Please confirm that you would like to delete F5
 message.confirm.delete.NetScaler=Please confirm that you would like to delete NetScaler
 message.confirm.delete.SRX=Please confirm that you would like to delete SRX
+message.confirm.delete.PA=Please confirm that you would like to delete Palo Alto
 message.confirm.destroy.router=Please confirm that you would like to destroy this router
 message.confirm.disable.provider=Please confirm that you would like to disable this provider
 message.confirm.enable.provider=Please confirm that you would like to enable this provider

client/pom.xml

@@ -90,6 +90,11 @@
       <artifactId>cloud-plugin-network-contrail</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.cloudstack</groupId>
+      <artifactId>cloud-plugin-network-palo-alto</artifactId>
+      <version>${project.version}</version>
+    </dependency>
     <dependency>
       <groupId>org.apache.cloudstack</groupId>
       <artifactId>cloud-plugin-network-ovs</artifactId>

client/tomcatconf/commands.properties.in

@@ -533,6 +533,17 @@ configureSrxFirewall=1
 listSrxFirewalls=1
 listSrxFirewallNetworks=1
 
+#### Palo Alto firewall commands
+addExternalFirewall=1
+deleteExternalFirewall=1
+listExternalFirewalls=1
+
+addPaloAltoFirewall=1
+deletePaloAltoFirewall=1
+configurePaloAltoFirewall=1
+listPaloAltoFirewalls=1
+listPaloAltoFirewallNetworks=1
+
 ####Netapp integration commands
 createVolumeOnFiler=15
 destroyVolumeOnFiler=15

plugins/network-elements/palo-alto/pom.xml

@@ -0,0 +1,29 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>cloud-plugin-network-palo-alto</artifactId>
+  <name>Apache CloudStack Plugin - Palo Alto</name>
+  <parent>
+    <groupId>org.apache.cloudstack</groupId>
+    <artifactId>cloudstack-plugins</artifactId>
+    <version>4.3.0-SNAPSHOT</version>
+    <relativePath>../../pom.xml</relativePath>
+  </parent>
+</project>

plugins/network-elements/palo-alto/resources/META-INF/cloudstack/paloalto/module.properties

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+name=paloalto
+parent=network

plugins/network-elements/palo-alto/resources/META-INF/cloudstack/paloalto/spring-paloalto-context.xml

@@ -0,0 +1,33 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:aop="http://www.springframework.org/schema/aop"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans
+                      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                      http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
+                      http://www.springframework.org/schema/context
+                      http://www.springframework.org/schema/context/spring-context-3.0.xsd"
+                      >
+
+    <bean id="PaloAlto" class="com.cloud.network.element.PaloAltoExternalFirewallElement">
+        <property name="name" value="PaloAlto" />
+    </bean>
+</beans>

plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddExternalFirewallCmd.java

@@ -0,0 +1,112 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.host.Host;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import org.apache.cloudstack.api.response.ExternalFirewallResponse;
+import com.cloud.user.Account;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "addExternalFirewall", description="Adds an external firewall appliance", responseObject = ExternalFirewallResponse.class)
+public class AddExternalFirewallCmd extends BaseCmd {
+    public static final Logger s_logger = Logger.getLogger(AddExternalFirewallCmd.class.getName());
+    private static final String s_name = "addexternalfirewallresponse";
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.ZONE_ID, type=CommandType.UUID, entityType = ZoneResponse.class,
+            required = true, description="Zone in which to add the external firewall appliance.")
+    private Long zoneId;
+
+    @Parameter(name=ApiConstants.URL, type=CommandType.STRING, required = true, description="URL of the external firewall appliance.")
+    private String url;
+
+    @Parameter(name=ApiConstants.USERNAME, type=CommandType.STRING, required = true, description="Username of the external firewall appliance.")
+    private String username;
+
+    @Parameter(name=ApiConstants.PASSWORD, type=CommandType.STRING, required = true, description="Password of the external firewall appliance.")
+    private String password;
+
+    ///////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getZoneId() {
+        return zoneId;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Inject PaloAltoFirewallElementService _paElementService;
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @SuppressWarnings("deprecation")
+    @Override
+    public void execute(){
+        try {
+            Host externalFirewall = _paElementService.addExternalFirewall(this);
+            ExternalFirewallResponse response = _paElementService.createExternalFirewallResponse(externalFirewall);
+            response.setObjectName("externalfirewall");
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        } catch (InvalidParameterValueException ipve) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, ipve.getMessage());
+        } catch (CloudRuntimeException cre) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, cre.getMessage());
+        }
+    }
+}
+

plugins/network-elements/palo-alto/src/com/cloud/api/commands/AddPaloAltoFirewallCmd.java

@@ -0,0 +1,135 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.dao.ExternalFirewallDeviceVO;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import org.apache.cloudstack.context.CallContext;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "addPaloAltoFirewall", responseObject=PaloAltoFirewallResponse.class, description="Adds a Palo Alto firewall device")
+public class AddPaloAltoFirewallCmd extends BaseAsyncCmd {
+    public static final Logger s_logger = Logger.getLogger(AddPaloAltoFirewallCmd.class.getName());
+    private static final String s_name = "addpaloaltofirewallresponse";
+    @Inject PaloAltoFirewallElementService _paFwService;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.PHYSICAL_NETWORK_ID, type=CommandType.UUID, entityType = PhysicalNetworkResponse.class,
+            required=true, description="the Physical Network ID")
+    private Long physicalNetworkId;
+
+    @Parameter(name=ApiConstants.URL, type=CommandType.STRING, required = true, description="URL of the Palo Alto appliance.")
+    private String url;
+
+    @Parameter(name=ApiConstants.USERNAME, type=CommandType.STRING, required = true, description="Credentials to reach Palo Alto firewall device")
+    private String username;
+
+    @Parameter(name=ApiConstants.PASSWORD, type=CommandType.STRING, required = true, description="Credentials to reach Palo Alto firewall device")
+    private String password;
+
+    @Parameter(name = ApiConstants.NETWORK_DEVICE_TYPE, type = CommandType.STRING, required = true, description = "supports only PaloAltoFirewall")
+    private String deviceType;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getPhysicalNetworkId() {
+        return physicalNetworkId;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+
+    public String getDeviceType() {
+        return deviceType;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
+        try {
+            ExternalFirewallDeviceVO fwDeviceVO = _paFwService.addPaloAltoFirewall(this);
+            if (fwDeviceVO != null) {
+                PaloAltoFirewallResponse response = _paFwService.createPaloAltoFirewallResponse(fwDeviceVO);
+                response.setObjectName("pafirewall");
+                response.setResponseName(getCommandName());
+                this.setResponseObject(response);
+            } else {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to add Palo Alto firewall due to internal error.");
+            }
+        }  catch (InvalidParameterValueException invalidParamExcp) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
+        } catch (CloudRuntimeException runtimeExcp) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
+        }
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Adding a Palo Alto firewall device";
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_EXTERNAL_FIREWALL_DEVICE_ADD;
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/commands/ConfigurePaloAltoFirewallCmd.java

@@ -0,0 +1,114 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.dao.ExternalFirewallDeviceVO;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import org.apache.cloudstack.context.CallContext;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "configurePaloAltoFirewall", responseObject=PaloAltoFirewallResponse.class, description="Configures a Palo Alto firewall device")
+public class ConfigurePaloAltoFirewallCmd extends BaseAsyncCmd {
+
+    public static final Logger s_logger = Logger.getLogger(ConfigurePaloAltoFirewallCmd.class.getName());
+    private static final String s_name = "configurepaloaltofirewallresponse";
+    @Inject PaloAltoFirewallElementService _paFwService;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.FIREWALL_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
+            required=true, description="Palo Alto firewall device ID")
+    private Long fwDeviceId;
+
+    @Parameter(name=ApiConstants.FIREWALL_DEVICE_CAPACITY, type=CommandType.LONG, required=false, description="capacity of the firewall device, Capacity will be interpreted as number of networks device can handle")
+    private Long capacity;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getFirewallDeviceId() {
+        return fwDeviceId;
+    }
+
+    public Long getFirewallCapacity() {
+        return capacity;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
+        try {
+            ExternalFirewallDeviceVO fwDeviceVO = _paFwService.configurePaloAltoFirewall(this);
+            if (fwDeviceVO != null) {
+                PaloAltoFirewallResponse response = _paFwService.createPaloAltoFirewallResponse(fwDeviceVO);
+                response.setObjectName("pafirewall");
+                response.setResponseName(getCommandName());
+                this.setResponseObject(response);
+            } else {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to configure Palo Alto firewall device due to internal error.");
+            }
+        }  catch (InvalidParameterValueException invalidParamExcp) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
+        } catch (CloudRuntimeException runtimeExcp) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
+        }
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Configuring a Palo Alto firewall device";
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_EXTERNAL_FIREWALL_DEVICE_CONFIGURE;
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeleteExternalFirewallCmd.java

@@ -0,0 +1,88 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.response.HostResponse;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import com.cloud.user.Account;
+
+@APICommand(name = "deleteExternalFirewall", description="Deletes an external firewall appliance.", responseObject = SuccessResponse.class)
+public class DeleteExternalFirewallCmd extends BaseCmd {
+    public static final Logger s_logger = Logger.getLogger(DeleteExternalFirewallCmd.class.getName());
+    private static final String s_name = "deleteexternalfirewallresponse";
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.ID, type=CommandType.UUID, entityType = HostResponse.class,
+            required = true, description="Id of the external firewall appliance.")
+    private Long id;
+
+    ///////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getId() {
+        return id;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Inject PaloAltoFirewallElementService _paElementService;
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return Account.ACCOUNT_ID_SYSTEM;
+    }
+
+    @SuppressWarnings("deprecation")
+    @Override
+    public void execute(){
+        try {
+            boolean result = _paElementService.deleteExternalFirewall(this);
+            if (result) {
+            SuccessResponse response = new SuccessResponse(getCommandName());
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+            } else {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete external firewall.");
+            }
+        } catch (InvalidParameterValueException e) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Failed to delete external firewall.");
+        }
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/commands/DeletePaloAltoFirewallCmd.java

@@ -0,0 +1,105 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import javax.inject.Inject;
+
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCmd;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.SuccessResponse;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.event.EventTypes;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import org.apache.cloudstack.context.CallContext;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "deletePaloAltoFirewall", responseObject=SuccessResponse.class, description=" delete a Palo Alto firewall device")
+public class DeletePaloAltoFirewallCmd extends BaseAsyncCmd {
+    public static final Logger s_logger = Logger.getLogger(DeletePaloAltoFirewallCmd.class.getName());
+    private static final String s_name = "deletepaloaltofirewallresponse";
+    @Inject PaloAltoFirewallElementService _paElementService;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.FIREWALL_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
+            required=true, description="Palo Alto firewall device ID")
+    private Long fwDeviceId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getFirewallDeviceId() {
+        return fwDeviceId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
+        try {
+            boolean result = _paElementService.deletePaloAltoFirewall(this);
+            if (result) {
+                SuccessResponse response = new SuccessResponse(getCommandName());
+                response.setResponseName(getCommandName());
+                this.setResponseObject(response);
+            } else {
+                throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to delete Palo Alto firewall device");
+            }
+        }  catch (InvalidParameterValueException invalidParamExcp) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
+        } catch (CloudRuntimeException runtimeExcp) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
+        }
+    }
+
+    @Override
+    public String getEventDescription() {
+        return "Deleting Palo Alto firewall device";
+    }
+
+    @Override
+    public String getEventType() {
+        return EventTypes.EVENT_EXTERNAL_FIREWALL_DEVICE_DELETE;
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListExternalFirewallsCmd.java

@@ -0,0 +1,88 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the 
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.command.user.offering.ListServiceOfferingsCmd;
+import org.apache.cloudstack.api.response.ZoneResponse;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseListCmd;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.response.ListResponse;
+import com.cloud.host.Host;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import org.apache.cloudstack.api.response.ExternalFirewallResponse;
+
+@APICommand(name = "listExternalFirewalls", description="List external firewall appliances.", responseObject = ExternalFirewallResponse.class)
+public class ListExternalFirewallsCmd extends BaseListCmd {
+	public static final Logger s_logger = Logger.getLogger(ListServiceOfferingsCmd.class.getName());
+    private static final String s_name = "listexternalfirewallsresponse";
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.ZONE_ID, type=CommandType.UUID, entityType = ZoneResponse.class,
+            required = true, description="zone Id")
+    private long zoneId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public long getZoneId() {
+        return zoneId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Inject PaloAltoFirewallElementService _paElementService;
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+
+    @SuppressWarnings("deprecation")
+    @Override
+    public void execute(){
+
+    	List<? extends Host> externalFirewalls = _paElementService.listExternalFirewalls(this);
+
+        ListResponse<ExternalFirewallResponse> listResponse = new ListResponse<ExternalFirewallResponse>();
+        List<ExternalFirewallResponse> responses = new ArrayList<ExternalFirewallResponse>();
+        for (Host externalFirewall : externalFirewalls) {
+        	ExternalFirewallResponse response = _paElementService.createExternalFirewallResponse(externalFirewall);
+        	response.setObjectName("externalfirewall");
+        	response.setResponseName(getCommandName());
+        	responses.add(response);
+        }
+
+        listResponse.setResponses(responses);
+        listResponse.setResponseName(getCommandName());
+        this.setResponseObject(listResponse);
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListPaloAltoFirewallNetworksCmd.java

@@ -0,0 +1,95 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.*;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.api.response.NetworkResponse;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.Network;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "listPaloAltoFirewallNetworks", responseObject=NetworkResponse.class, description="lists network that are using Palo Alto firewall device")
+public class ListPaloAltoFirewallNetworksCmd extends BaseListCmd {
+
+    public static final Logger s_logger = Logger.getLogger(ListPaloAltoFirewallNetworksCmd.class.getName());
+    private static final String s_name = "listpaloaltofirewallnetworksresponse";
+    @Inject PaloAltoFirewallElementService _paFwService;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.LOAD_BALANCER_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
+            required = true, description="palo alto balancer device ID")
+    private Long fwDeviceId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getFirewallDeviceId() {
+        return fwDeviceId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
+        try {
+            List<? extends Network> networks  = _paFwService.listNetworks(this);
+            ListResponse<NetworkResponse> response = new ListResponse<NetworkResponse>();
+            List<NetworkResponse> networkResponses = new ArrayList<NetworkResponse>();
+
+            if (networks != null && !networks.isEmpty()) {
+                for (Network network : networks) {
+                    NetworkResponse networkResponse = _responseGenerator.createNetworkResponse(network);
+                    networkResponses.add(networkResponse);
+                }
+            }
+
+            response.setResponses(networkResponses);
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        }  catch (InvalidParameterValueException invalidParamExcp) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
+        } catch (CloudRuntimeException runtimeExcp) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/commands/ListPaloAltoFirewallsCmd.java

@@ -0,0 +1,103 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.commands;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.*;
+import org.apache.cloudstack.api.response.PhysicalNetworkResponse;
+import org.apache.log4j.Logger;
+
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.response.ListResponse;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.network.dao.ExternalFirewallDeviceVO;
+import com.cloud.network.element.PaloAltoFirewallElementService;
+import com.cloud.utils.exception.CloudRuntimeException;
+
+@APICommand(name = "listPaloAltoFirewalls", responseObject=PaloAltoFirewallResponse.class, description="lists Palo Alto firewall devices in a physical network")
+public class ListPaloAltoFirewallsCmd extends BaseListCmd {
+
+    public static final Logger s_logger = Logger.getLogger(ListPaloAltoFirewallsCmd.class.getName());
+    private static final String s_name = "listpaloaltofirewallresponse";
+    @Inject PaloAltoFirewallElementService _paFwService;
+
+    /////////////////////////////////////////////////////
+    //////////////// API parameters /////////////////////
+    /////////////////////////////////////////////////////
+
+    @Parameter(name=ApiConstants.PHYSICAL_NETWORK_ID, type=CommandType.UUID, entityType = PhysicalNetworkResponse.class,
+            description="the Physical Network ID")
+    private Long physicalNetworkId;
+
+    @Parameter(name=ApiConstants.FIREWALL_DEVICE_ID, type=CommandType.UUID, entityType = PaloAltoFirewallResponse.class,
+            description="Palo Alto firewall device ID")
+    private Long fwDeviceId;
+
+    /////////////////////////////////////////////////////
+    /////////////////// Accessors ///////////////////////
+    /////////////////////////////////////////////////////
+
+    public Long getFirewallDeviceId() {
+        return fwDeviceId;
+    }
+
+    public Long getPhysicalNetworkId() {
+        return physicalNetworkId;
+    }
+
+    /////////////////////////////////////////////////////
+    /////////////// API Implementation///////////////////
+    /////////////////////////////////////////////////////
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException {
+        try {
+            List<ExternalFirewallDeviceVO> fwDevices = _paFwService.listPaloAltoFirewalls(this);
+            ListResponse<PaloAltoFirewallResponse> response = new ListResponse<PaloAltoFirewallResponse>();
+            List<PaloAltoFirewallResponse> fwDevicesResponse = new ArrayList<PaloAltoFirewallResponse>();
+
+            if (fwDevices != null && !fwDevices.isEmpty()) {
+                for (ExternalFirewallDeviceVO fwDeviceVO : fwDevices) {
+                    PaloAltoFirewallResponse deviceResponse = _paFwService.createPaloAltoFirewallResponse(fwDeviceVO);
+                    fwDevicesResponse.add(deviceResponse);
+                }
+            }
+
+            response.setResponses(fwDevicesResponse);
+            response.setResponseName(getCommandName());
+            this.setResponseObject(response);
+        }  catch (InvalidParameterValueException invalidParamExcp) {
+            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, invalidParamExcp.getMessage());
+        } catch (CloudRuntimeException runtimeExcp) {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, runtimeExcp.getMessage());
+        }
+    }
+
+    @Override
+    public String getCommandName() {
+        return s_name;
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/api/response/PaloAltoFirewallResponse.java

@@ -0,0 +1,142 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.api.response;
+
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.EntityReference;
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.BaseResponse;
+
+import com.cloud.network.dao.ExternalFirewallDeviceVO;
+
+@EntityReference(value=ExternalFirewallDeviceVO.class)
+@SuppressWarnings("unused")
+public class PaloAltoFirewallResponse extends BaseResponse {
+
+    @SerializedName(ApiConstants.FIREWALL_DEVICE_ID) @Param(description="device id of the Palo Alto firewall")
+    private String id;
+
+    @SerializedName(ApiConstants.PHYSICAL_NETWORK_ID) @Param(description="the physical network to which this Palo Alto firewall belongs to")
+    private String physicalNetworkId;
+
+    @SerializedName(ApiConstants.PROVIDER) @Param(description="name of the provider")
+    private String providerName;
+
+    @SerializedName(ApiConstants.FIREWALL_DEVICE_NAME) @Param(description="device name")
+    private String deviceName;
+
+    @SerializedName(ApiConstants.FIREWALL_DEVICE_STATE) @Param(description="device state")
+    private String deviceState;
+
+    @SerializedName(ApiConstants.FIREWALL_DEVICE_CAPACITY) @Param(description="device capacity")
+    private Long deviceCapacity;
+
+    @SerializedName(ApiConstants.ZONE_ID) @Param(description="the zone ID of the external firewall")
+    private String zoneId;
+
+    @SerializedName(ApiConstants.IP_ADDRESS) @Param(description="the management IP address of the external firewall")
+    private String ipAddress;
+
+    @SerializedName(ApiConstants.USERNAME) @Param(description="the username that's used to log in to the external firewall")
+    private String username;
+
+    @SerializedName(ApiConstants.PUBLIC_INTERFACE) @Param(description="the public interface of the external firewall")
+    private String publicInterface;
+
+    @SerializedName(ApiConstants.USAGE_INTERFACE) @Param(description="the usage interface of the external firewall")
+    private String usageInterface;
+
+    @SerializedName(ApiConstants.PRIVATE_INTERFACE) @Param(description="the private interface of the external firewall")
+    private String privateInterface;
+
+    @SerializedName(ApiConstants.PUBLIC_ZONE) @Param(description="the public security zone of the external firewall")
+    private String publicZone;
+
+    @SerializedName(ApiConstants.PRIVATE_ZONE) @Param(description="the private security zone of the external firewall")
+    private String privateZone;
+
+    @SerializedName(ApiConstants.NUM_RETRIES) @Param(description="the number of times to retry requests to the external firewall")
+    private String numRetries;
+
+    @SerializedName(ApiConstants.TIMEOUT) @Param(description="the timeout (in seconds) for requests to the external firewall")
+    private String timeout;
+
+    public void setId(String lbDeviceId) {
+        this.id = lbDeviceId;
+    }
+
+    public void setPhysicalNetworkId(String physicalNetworkId) {
+        this.physicalNetworkId = physicalNetworkId;
+    }
+
+    public void setProvider(String provider) {
+        this.providerName = provider;
+    }
+
+    public void setDeviceName(String deviceName) {
+        this.deviceName = deviceName;
+    }
+
+    public void setDeviceCapacity(long deviceCapacity) {
+        this.deviceCapacity = deviceCapacity;
+    }
+
+    public void setDeviceState(String deviceState) {
+        this.deviceState = deviceState;
+    }
+
+    public void setIpAddress(String ipAddress) {
+        this.ipAddress = ipAddress;
+    }
+
+    public void setPublicInterface(String publicInterface) {
+        this.publicInterface = publicInterface;
+    }
+
+    public void setUsageInterface(String usageInterface) {
+        this.usageInterface = usageInterface;
+    }
+
+    public void setPrivateInterface(String privateInterface) {
+        this.privateInterface = privateInterface;
+    }
+
+    public void setPublicZone(String publicZone) {
+        this.publicZone = publicZone;
+    }
+
+    public void setPrivateZone(String privateZone) {
+        this.privateZone = privateZone;
+    }
+
+    public String getNumRetries() {
+        return numRetries;
+    }
+
+    public void setNumRetries(String numRetries) {
+        this.numRetries = numRetries;
+    }
+
+    public String getTimeout() {
+        return timeout;
+    }
+
+    public void setTimeout(String timeout) {
+        this.timeout = timeout;
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoExternalFirewallElement.java

@@ -0,0 +1,538 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the 
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.element;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.ejb.Local;
+import javax.inject.Inject;
+
+import org.apache.cloudstack.api.response.ExternalFirewallResponse;
+import org.apache.cloudstack.network.ExternalNetworkDeviceManager.NetworkDevice;
+import org.apache.log4j.Logger;
+
+import com.cloud.api.ApiDBUtils;
+import com.cloud.api.commands.AddExternalFirewallCmd;
+import com.cloud.api.commands.AddPaloAltoFirewallCmd;
+import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
+import com.cloud.api.commands.DeleteExternalFirewallCmd;
+import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
+import com.cloud.api.commands.ListExternalFirewallsCmd;
+import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
+import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.configuration.Config;
+import com.cloud.configuration.ConfigurationManager;
+import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
+import com.cloud.dc.DataCenter;
+import com.cloud.dc.DataCenter.NetworkType;
+import com.cloud.dc.DataCenterVO;
+import com.cloud.dc.dao.DataCenterDao;
+import com.cloud.deploy.DeployDestination;
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.InsufficientNetworkCapacityException;
+import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.ResourceUnavailableException;
+import com.cloud.host.Host;
+import com.cloud.host.HostVO;
+import com.cloud.host.dao.HostDao;
+import com.cloud.host.dao.HostDetailsDao;
+import com.cloud.network.ExternalFirewallDeviceManagerImpl;
+import com.cloud.network.Network;
+import com.cloud.network.Network.Capability;
+import com.cloud.network.Network.Provider;
+import com.cloud.network.Network.Service;
+import com.cloud.network.NetworkModel;
+import com.cloud.network.PhysicalNetwork;
+import com.cloud.network.PhysicalNetworkServiceProvider;
+import com.cloud.network.PublicIpAddress;
+import com.cloud.network.dao.ExternalFirewallDeviceDao;
+import com.cloud.network.dao.ExternalFirewallDeviceVO;
+import com.cloud.network.dao.NetworkDao;
+import com.cloud.network.dao.NetworkExternalFirewallDao;
+import com.cloud.network.dao.NetworkExternalFirewallVO;
+import com.cloud.network.dao.NetworkServiceMapDao;
+import com.cloud.network.dao.NetworkVO;
+import com.cloud.network.dao.PhysicalNetworkDao;
+import com.cloud.network.dao.PhysicalNetworkVO;
+import com.cloud.network.dao.ExternalFirewallDeviceVO.FirewallDeviceState;
+import com.cloud.network.resource.PaloAltoResource;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.PortForwardingRule;
+import com.cloud.network.rules.StaticNat;
+import com.cloud.offering.NetworkOffering;
+import com.cloud.offerings.dao.NetworkOfferingDao;
+import com.cloud.utils.NumbersUtil;
+import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.vm.NicProfile;
+import com.cloud.vm.ReservationContext;
+import com.cloud.vm.VirtualMachine;
+import com.cloud.vm.VirtualMachineProfile;
+
+@Local(value = {NetworkElement.class, FirewallServiceProvider.class, 
+        PortForwardingServiceProvider.class, IpDeployer.class, 
+        SourceNatServiceProvider.class})
+public class PaloAltoExternalFirewallElement extends ExternalFirewallDeviceManagerImpl implements SourceNatServiceProvider, FirewallServiceProvider,
+PortForwardingServiceProvider, IpDeployer, PaloAltoFirewallElementService, StaticNatServiceProvider {
+
+    private static final Logger s_logger = Logger.getLogger(PaloAltoExternalFirewallElement.class);
+
+    private static final Map<Service, Map<Capability, String>> capabilities = setCapabilities();
+
+    @Inject
+    NetworkModel _networkManager;
+    @Inject
+    HostDao _hostDao;
+    @Inject
+    ConfigurationManager _configMgr;
+    @Inject
+    NetworkOfferingDao _networkOfferingDao;
+    @Inject
+    NetworkDao _networksDao;
+    @Inject
+    DataCenterDao _dcDao;
+    @Inject
+    PhysicalNetworkDao _physicalNetworkDao;
+    @Inject
+    ExternalFirewallDeviceDao _fwDevicesDao;
+    @Inject
+    NetworkExternalFirewallDao _networkFirewallDao;
+    @Inject
+    NetworkDao _networkDao;
+    @Inject
+    NetworkServiceMapDao _ntwkSrvcDao;
+    @Inject
+    HostDetailsDao _hostDetailDao;
+    @Inject
+    ConfigurationDao _configDao;
+    @Inject
+    EntityManager _entityMgr;
+
+    private boolean canHandle(Network network, Service service) {
+        DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
+        if (zone.getNetworkType() == NetworkType.Advanced && network.getGuestType() != Network.GuestType.Isolated) {
+            s_logger.trace("Element " + getProvider().getName() + "is not handling network type = " + network.getGuestType());
+            return false;
+        }
+
+        if (service == null) {
+            if (!_networkManager.isProviderForNetwork(getProvider(), network.getId())) {
+                s_logger.trace("Element " + getProvider().getName() + " is not a provider for the network " + network);
+                return false;
+            }
+        } else {
+            if (!_networkManager.isProviderSupportServiceInNetwork(network.getId(), service, getProvider())) {
+                s_logger.trace("Element " + getProvider().getName() + " doesn't support service " + service.getName() + " in the network " + network);
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    @Override
+    public boolean implement(Network network, NetworkOffering offering, DeployDestination dest, ReservationContext context) throws ResourceUnavailableException, ConcurrentOperationException,
+    InsufficientNetworkCapacityException {
+        DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
+
+        // don't have to implement network is Basic zone
+        if (zone.getNetworkType() == NetworkType.Basic) {
+            s_logger.debug("Not handling network implement in zone of type " + NetworkType.Basic);
+            return false;
+        }
+
+        if (!canHandle(network, null)) {
+            return false;
+        }
+
+        try {
+            return manageGuestNetworkWithExternalFirewall(true, network);
+        } catch (InsufficientCapacityException capacityException) {
+            // TODO: handle out of capacity exception in more gracefule manner when multiple providers are present for
+            // the network
+            s_logger.error("Fail to implement the Palo Alto for network " + network, capacityException);
+            return false;
+        }
+    }
+
+    @Override
+    public boolean prepare(Network config, NicProfile nic, VirtualMachineProfile vm, DeployDestination dest, ReservationContext context) throws ConcurrentOperationException,
+    InsufficientNetworkCapacityException, ResourceUnavailableException {
+        return true;
+    }
+
+    @Override
+    public boolean release(Network config, NicProfile nic, VirtualMachineProfile vm, ReservationContext context) {
+        return true;
+    }
+
+    @Override
+    public boolean shutdown(Network network, ReservationContext context, boolean cleanup) throws ResourceUnavailableException, ConcurrentOperationException {
+        DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
+
+        // don't have to implement network is Basic zone
+        if (zone.getNetworkType() == NetworkType.Basic) {
+            s_logger.debug("Not handling network shutdown in zone of type " + NetworkType.Basic);
+            return false;
+        }
+
+        if (!canHandle(network, null)) {
+            return false;
+        }
+        try {
+            return manageGuestNetworkWithExternalFirewall(false, network);
+        } catch (InsufficientCapacityException capacityException) {
+            // TODO: handle out of capacity exception
+            return false;
+        }
+    }
+
+    @Override
+    public boolean destroy(Network config, ReservationContext context) {
+        return true;
+    }
+
+    @Override
+    public boolean applyFWRules(Network config, List<? extends FirewallRule> rules) throws ResourceUnavailableException {
+        if (!canHandle(config, Service.Firewall)) {
+            return false;
+        }
+
+        return applyFirewallRules(config, rules);
+    }
+
+    @Override
+    public Provider getProvider() {
+        return Provider.PaloAlto;
+    }
+
+    @Override
+    public Map<Service, Map<Capability, String>> getCapabilities() {
+        return capabilities;
+    }
+
+    private static Map<Service, Map<Capability, String>> setCapabilities() {
+        Map<Service, Map<Capability, String>> capabilities = new HashMap<Service, Map<Capability, String>>();
+
+        // Set capabilities for Firewall service
+        Map<Capability, String> firewallCapabilities = new HashMap<Capability, String>();
+        firewallCapabilities.put(Capability.SupportedProtocols, "tcp,udp,icmp");
+        firewallCapabilities.put(Capability.SupportedEgressProtocols, "tcp,udp,icmp,all");
+        firewallCapabilities.put(Capability.MultipleIps, "true");
+        firewallCapabilities.put(Capability.TrafficStatistics, "per public ip");
+        firewallCapabilities.put(Capability.SupportedTrafficDirection, "ingress, egress");
+        capabilities.put(Service.Firewall, firewallCapabilities);
+
+        capabilities.put(Service.Gateway, null);
+
+        Map<Capability, String> sourceNatCapabilities = new HashMap<Capability, String>();
+        // Specifies that this element supports either one source NAT rule per account;
+        sourceNatCapabilities.put(Capability.SupportedSourceNatTypes, "peraccount");
+        capabilities.put(Service.SourceNat, sourceNatCapabilities);
+
+        // Specifies that port forwarding rules are supported by this element
+        capabilities.put(Service.PortForwarding, null);
+
+        // Specifies that static NAT rules are supported by this element
+        capabilities.put(Service.StaticNat, null);
+
+        return capabilities;
+    }
+
+    @Override
+    public boolean applyPFRules(Network network, List<PortForwardingRule> rules) throws ResourceUnavailableException {
+        if (!canHandle(network, Service.PortForwarding)) {
+            return false;
+        }
+
+        return applyPortForwardingRules(network, rules);
+    }
+
+    @Override
+    public boolean isReady(PhysicalNetworkServiceProvider provider) {
+
+        List<ExternalFirewallDeviceVO> fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(provider.getPhysicalNetworkId(), Provider.PaloAlto.getName());
+        // true if at-least one Palo Alto device is added in to physical network and is in configured (in enabled state) state
+        if (fwDevices != null && !fwDevices.isEmpty()) {
+            for (ExternalFirewallDeviceVO fwDevice : fwDevices) {
+                if (fwDevice.getDeviceState() == FirewallDeviceState.Enabled) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public boolean shutdownProviderInstances(PhysicalNetworkServiceProvider provider, ReservationContext context) throws ConcurrentOperationException,
+    ResourceUnavailableException {
+        // TODO Auto-generated method stub
+        return true;
+    }
+
+    @Override
+    public boolean canEnableIndividualServices() {
+        return true;
+    }
+
+    @Override
+    @Deprecated
+    // should use more generic addNetworkDevice command to add firewall
+    public Host addExternalFirewall(AddExternalFirewallCmd cmd) {
+        Long zoneId = cmd.getZoneId();
+        DataCenterVO zone = null;
+        PhysicalNetworkVO pNetwork = null;
+        HostVO fwHost = null;
+
+        zone = _dcDao.findById(zoneId);
+        if (zone == null) {
+            throw new InvalidParameterValueException("Could not find zone with ID: " + zoneId);
+        }
+
+        List<PhysicalNetworkVO> physicalNetworks = _physicalNetworkDao.listByZone(zoneId);
+        if ((physicalNetworks == null) || (physicalNetworks.size() > 1)) {
+            throw new InvalidParameterValueException("There are no physical networks or multiple physical networks configured in zone with ID: "
+                    + zoneId + " to add this device.");
+        }
+        pNetwork = physicalNetworks.get(0);
+
+        String deviceType = NetworkDevice.PaloAltoFirewall.getName();
+        ExternalFirewallDeviceVO fwDeviceVO = addExternalFirewall(pNetwork.getId(), cmd.getUrl(), cmd.getUsername(), cmd.getPassword(), deviceType, new PaloAltoResource());
+        if (fwDeviceVO != null) {
+            fwHost = _hostDao.findById(fwDeviceVO.getHostId());
+        }
+
+        return fwHost;
+    }
+
+    @Override
+    public boolean deleteExternalFirewall(DeleteExternalFirewallCmd cmd) {
+        return deleteExternalFirewall(cmd.getId());
+    }
+
+    @Override
+    @Deprecated
+    // should use more generic listNetworkDevice command
+    public List<Host> listExternalFirewalls(ListExternalFirewallsCmd cmd) {
+        List<Host> firewallHosts = new ArrayList<Host>();
+        Long zoneId = cmd.getZoneId();
+        DataCenterVO zone = null;
+        PhysicalNetworkVO pNetwork = null;
+
+        if (zoneId != null) {
+            zone = _dcDao.findById(zoneId);
+            if (zone == null) {
+                throw new InvalidParameterValueException("Could not find zone with ID: " + zoneId);
+            }
+
+            List<PhysicalNetworkVO> physicalNetworks = _physicalNetworkDao.listByZone(zoneId);
+            if ((physicalNetworks == null) || (physicalNetworks.size() > 1)) {
+                throw new InvalidParameterValueException("There are no physical networks or multiple physical networks configured in zone with ID: "
+                        + zoneId + " to add this device.");
+            }
+            pNetwork = physicalNetworks.get(0);
+        }
+
+        firewallHosts.addAll(listExternalFirewalls(pNetwork.getId(), NetworkDevice.PaloAltoFirewall.getName()));
+        return firewallHosts;
+    }
+
+    @Override
+    public ExternalFirewallResponse createExternalFirewallResponse(Host externalFirewall) {
+        return super.createExternalFirewallResponse(externalFirewall);
+    }
+
+    @Override
+    public List<Class<?>> getCommands() {
+        List<Class<?>> cmdList = new ArrayList<Class<?>>();
+        cmdList.add(AddExternalFirewallCmd.class);
+        cmdList.add(AddPaloAltoFirewallCmd.class);
+        cmdList.add(ConfigurePaloAltoFirewallCmd.class);
+        cmdList.add(DeleteExternalFirewallCmd.class);
+        cmdList.add(DeletePaloAltoFirewallCmd.class);
+        cmdList.add(ListExternalFirewallsCmd.class);
+        cmdList.add(ListPaloAltoFirewallNetworksCmd.class);
+        cmdList.add(ListPaloAltoFirewallsCmd.class);
+        return cmdList;
+    }
+
+    @Override
+    public ExternalFirewallDeviceVO addPaloAltoFirewall(AddPaloAltoFirewallCmd cmd) {
+        String deviceName = cmd.getDeviceType();
+        if (!deviceName.equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
+            throw new InvalidParameterValueException("Invalid Palo Alto firewall device type");
+        }
+        return addExternalFirewall(cmd.getPhysicalNetworkId(), cmd.getUrl(), cmd.getUsername(), cmd.getPassword(), deviceName,
+            new PaloAltoResource());
+    }
+
+    @Override
+    public boolean deletePaloAltoFirewall(DeletePaloAltoFirewallCmd cmd) {
+        Long fwDeviceId = cmd.getFirewallDeviceId();
+
+        ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
+        if (fwDeviceVO == null || !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
+            throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
+        }
+        return deleteExternalFirewall(fwDeviceVO.getHostId());
+    }
+
+    @Override
+    public ExternalFirewallDeviceVO configurePaloAltoFirewall(ConfigurePaloAltoFirewallCmd cmd) {
+        Long fwDeviceId = cmd.getFirewallDeviceId();
+        Long deviceCapacity = cmd.getFirewallCapacity();
+
+        ExternalFirewallDeviceVO fwDeviceVO = _fwDevicesDao.findById(fwDeviceId);
+        if (fwDeviceVO == null || !fwDeviceVO.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
+            throw new InvalidParameterValueException("No Palo Alto firewall device found with ID: " + fwDeviceId);
+        }
+
+        if (deviceCapacity != null) {
+            // check if any networks are using this Palo Alto device
+            List<NetworkExternalFirewallVO> networks = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
+            if ((networks != null) && !networks.isEmpty()) {
+                if (deviceCapacity < networks.size()) {
+                    throw new CloudRuntimeException("There are more number of networks already using this Palo Alto firewall device than configured capacity");
+                }
+            }
+            if (deviceCapacity != null) {
+                fwDeviceVO.setCapacity(deviceCapacity);
+            }
+        }
+
+        fwDeviceVO.setDeviceState(FirewallDeviceState.Enabled);
+        _fwDevicesDao.update(fwDeviceId, fwDeviceVO);
+        return fwDeviceVO;
+    }
+
+    @Override
+    public List<ExternalFirewallDeviceVO> listPaloAltoFirewalls(ListPaloAltoFirewallsCmd cmd) {
+        Long physcialNetworkId = cmd.getPhysicalNetworkId();
+        Long fwDeviceId = cmd.getFirewallDeviceId();
+        PhysicalNetworkVO pNetwork = null;
+        List<ExternalFirewallDeviceVO> fwDevices = new ArrayList<ExternalFirewallDeviceVO>();
+
+        if (physcialNetworkId == null && fwDeviceId == null) {
+            throw new InvalidParameterValueException("Either physical network Id or load balancer device Id must be specified");
+        }
+
+        if (fwDeviceId != null) {
+            ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
+            if (fwDeviceVo == null || !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
+                throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID: " + fwDeviceId);
+            }
+            fwDevices.add(fwDeviceVo);
+        }
+
+        if (physcialNetworkId != null) {
+            pNetwork = _physicalNetworkDao.findById(physcialNetworkId);
+            if (pNetwork == null) {
+                throw new InvalidParameterValueException("Could not find phyical network with ID: " + physcialNetworkId);
+            }
+            fwDevices = _fwDevicesDao.listByPhysicalNetworkAndProvider(physcialNetworkId, Provider.PaloAlto.getName());
+        }
+
+        return fwDevices;
+    }
+
+    @Override
+    public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd) {
+        Long fwDeviceId = cmd.getFirewallDeviceId();
+        List<NetworkVO> networks = new ArrayList<NetworkVO>();
+
+        ExternalFirewallDeviceVO fwDeviceVo = _fwDevicesDao.findById(fwDeviceId);
+        if (fwDeviceVo == null || !fwDeviceVo.getDeviceName().equalsIgnoreCase(NetworkDevice.PaloAltoFirewall.getName())) {
+            throw new InvalidParameterValueException("Could not find Palo Alto firewall device with ID " + fwDeviceId);
+        }
+
+        List<NetworkExternalFirewallVO> networkFirewallMaps = _networkFirewallDao.listByFirewallDeviceId(fwDeviceId);
+        if (networkFirewallMaps != null && !networkFirewallMaps.isEmpty()) {
+            for (NetworkExternalFirewallVO networkFirewallMap : networkFirewallMaps) {
+                NetworkVO network = _networkDao.findById(networkFirewallMap.getNetworkId());
+                networks.add(network);
+            }
+        }
+
+        return networks;
+    }
+
+    @Override
+    public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO fwDeviceVO) {
+        PaloAltoFirewallResponse response = new PaloAltoFirewallResponse();
+        Map<String, String> fwDetails = _hostDetailDao.findDetails(fwDeviceVO.getHostId());
+        Host fwHost = _hostDao.findById(fwDeviceVO.getHostId());
+
+        response.setId(fwDeviceVO.getUuid());
+        PhysicalNetwork pnw = ApiDBUtils.findPhysicalNetworkById(fwDeviceVO.getPhysicalNetworkId());
+        if (pnw != null) {
+            response.setPhysicalNetworkId(pnw.getUuid());
+        }
+        response.setDeviceName(fwDeviceVO.getDeviceName());
+        if (fwDeviceVO.getCapacity() == 0) {
+            long defaultFwCapacity = NumbersUtil.parseLong(_configDao.getValue(Config.DefaultExternalFirewallCapacity.key()), 50);
+            response.setDeviceCapacity(defaultFwCapacity);
+        } else {
+            response.setDeviceCapacity(fwDeviceVO.getCapacity());
+        }
+        response.setProvider(fwDeviceVO.getProviderName());
+        response.setDeviceState(fwDeviceVO.getDeviceState().name());
+        response.setIpAddress(fwHost.getPrivateIpAddress());
+        response.setPublicInterface(fwDetails.get("publicInterface"));
+        response.setUsageInterface(fwDetails.get("usageInterface"));
+        response.setPrivateInterface(fwDetails.get("privateInterface"));
+        response.setPublicZone(fwDetails.get("publicZone"));
+        response.setPrivateZone(fwDetails.get("privateZone"));
+        response.setNumRetries(fwDetails.get("numRetries"));
+        response.setTimeout(fwDetails.get("timeout"));
+        response.setObjectName("paloaltofirewall");
+        return response;
+    }
+
+    @Override
+    public boolean verifyServicesCombination(Set<Service> services) {
+        if (!services.contains(Service.Firewall)) {
+            s_logger.warn("Palo Alto must be used as Firewall Service Provider in the network");
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public IpDeployer getIpDeployer(Network network) {
+        return this;
+    }
+
+    @Override
+    public boolean applyIps(Network network, List<? extends PublicIpAddress> ipAddress, Set<Service> service) throws ResourceUnavailableException {
+        // return true, as IP will be associated as part of static NAT/port forwarding rule configuration
+        return true;
+    }
+
+    @Override
+    public boolean applyStaticNats(Network config, List<? extends StaticNat> rules) throws ResourceUnavailableException {
+        if (!canHandle(config, Service.StaticNat)) {
+            return false;
+        }
+        return applyStaticNatRules(config, rules);
+    }
+}

plugins/network-elements/palo-alto/src/com/cloud/network/element/PaloAltoFirewallElementService.java

@@ -0,0 +1,88 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the 
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.element;
+
+import java.util.List;
+
+import com.cloud.api.commands.AddExternalFirewallCmd;
+import com.cloud.api.commands.AddPaloAltoFirewallCmd;
+import com.cloud.api.commands.ConfigurePaloAltoFirewallCmd;
+import com.cloud.api.commands.DeleteExternalFirewallCmd;
+import com.cloud.api.commands.DeletePaloAltoFirewallCmd;
+import com.cloud.api.commands.ListExternalFirewallsCmd;
+import com.cloud.api.commands.ListPaloAltoFirewallNetworksCmd;
+import com.cloud.api.commands.ListPaloAltoFirewallsCmd;
+import com.cloud.api.response.PaloAltoFirewallResponse;
+import com.cloud.host.Host;
+import com.cloud.network.Network;
+import com.cloud.network.dao.ExternalFirewallDeviceVO;
+
+import org.apache.cloudstack.api.response.ExternalFirewallResponse;
+import com.cloud.utils.component.PluggableService;
+
+public interface PaloAltoFirewallElementService  extends PluggableService {
+
+    /**
+     * adds a Palo Alto firewall device in to a physical network
+     * @param AddPaloAltoFirewallCmd 
+     * @return ExternalFirewallDeviceVO object for the firewall added
+     */
+    public ExternalFirewallDeviceVO addPaloAltoFirewall(AddPaloAltoFirewallCmd cmd);
+
+    /**
+     * removes Palo Alto firewall device from a physical network
+     * @param DeletePaloAltoFirewallCmd 
+     * @return true if firewall device successfully deleted
+     */
+    public boolean deletePaloAltoFirewall(DeletePaloAltoFirewallCmd cmd);
+
+    /**
+     * configures a Palo Alto firewal device added in a physical network
+     * @param ConfigurePaloAltoFirewallCmd
+     * @return ExternalFirewallDeviceVO for the device configured
+     */
+    public ExternalFirewallDeviceVO configurePaloAltoFirewall(ConfigurePaloAltoFirewallCmd cmd);
+
+    /**
+     * lists all the Palo Alto firewall devices added in to a physical network
+     * @param ListPaloAltoFirewallsCmd
+     * @return list of ExternalFirewallDeviceVO for the devices in the physical network.
+     */
+    public List<ExternalFirewallDeviceVO> listPaloAltoFirewalls(ListPaloAltoFirewallsCmd cmd);
+
+    /**
+     * lists all the guest networks using a PaloAlto firewall device
+     * @param ListPaloAltoFirewallNetworksCmd
+     * @return list of the guest networks that are using this F5 load balancer
+     */
+    public List<? extends Network> listNetworks(ListPaloAltoFirewallNetworksCmd cmd);
+
+    public PaloAltoFirewallResponse createPaloAltoFirewallResponse(ExternalFirewallDeviceVO fwDeviceVO);
+
+
+    @Deprecated // API helper function supported for backward compatibility
+    public Host addExternalFirewall(AddExternalFirewallCmd cmd);
+
+    @Deprecated // API helper function supported for backward compatibility
+    public boolean deleteExternalFirewall(DeleteExternalFirewallCmd cmd);
+    
+    @Deprecated // API helper function supported for backward compatibility
+    public List<Host> listExternalFirewalls(ListExternalFirewallsCmd cmd);
+    
+    @Deprecated // API helper function supported for backward compatibility
+    public ExternalFirewallResponse createExternalFirewallResponse(Host externalFirewall);
+}

plugins/network-elements/palo-alto/src/com/cloud/network/utils/HttpClientWrapper.java

@@ -0,0 +1,69 @@
+package com.cloud.network.utils;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import org.apache.http.client.HttpClient;
+import org.apache.http.conn.ClientConnectionManager;
+import org.apache.http.conn.scheme.Scheme;
+import org.apache.http.conn.scheme.SchemeRegistry;
+import org.apache.http.conn.ssl.SSLSocketFactory;
+import org.apache.http.conn.ssl.X509HostnameVerifier;
+import org.apache.http.impl.client.DefaultHttpClient;
+
+import java.io.*;
+
+public class HttpClientWrapper {
+ 
+    public static HttpClient wrapClient(HttpClient base) {
+        try {
+            SSLContext ctx = SSLContext.getInstance("TLS");
+            X509TrustManager tm = new X509TrustManager() {
+ 
+                public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
+                }
+ 
+                public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
+                }
+ 
+                public X509Certificate[] getAcceptedIssuers() {
+                    return null;
+                }
+            };
+            X509HostnameVerifier verifier = new X509HostnameVerifier() {
+ 
+                @Override
+                public void verify(String string, SSLSocket ssls) throws IOException {
+                }
+ 
+                @Override
+                public void verify(String string, X509Certificate xc) throws SSLException {
+                }
+ 
+                @Override
+                public void verify(String string, String[] strings, String[] strings1) throws SSLException {
+                }
+ 
+                @Override
+                public boolean verify(String string, SSLSession ssls) {
+                    return true;
+                }
+            };
+            ctx.init(null, new TrustManager[]{tm}, null);
+            SSLSocketFactory ssf = new SSLSocketFactory(ctx);
+            ssf.setHostnameVerifier(verifier);
+            ClientConnectionManager ccm = base.getConnectionManager();
+            SchemeRegistry sr = ccm.getSchemeRegistry();
+            sr.register(new Scheme("https", ssf, 443));
+            return new DefaultHttpClient(ccm, base.getParams());
+        } catch (Exception ex) {
+            ex.printStackTrace();
+            return null;
+        }
+    }
+}

plugins/network-elements/palo-alto/test/com/cloud/network/resource/MockablePaloAltoResource.java

@@ -0,0 +1,460 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the 
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.resource;
+
+import java.io.BufferedReader;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.log4j.Logger;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+import javax.naming.ConfigurationException;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import com.cloud.agent.IAgentControl;
+import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.Command;
+import com.cloud.agent.api.ExternalNetworkResourceUsageAnswer;
+import com.cloud.agent.api.ExternalNetworkResourceUsageCommand;
+import com.cloud.agent.api.MaintainAnswer;
+import com.cloud.agent.api.MaintainCommand;
+import com.cloud.agent.api.PingCommand;
+import com.cloud.agent.api.ReadyAnswer;
+import com.cloud.agent.api.ReadyCommand;
+import com.cloud.agent.api.StartupCommand;
+import com.cloud.agent.api.StartupExternalFirewallCommand;
+import com.cloud.agent.api.routing.IpAssocAnswer;
+import com.cloud.agent.api.routing.IpAssocCommand;
+import com.cloud.agent.api.routing.NetworkElementCommand;
+import com.cloud.agent.api.routing.SetFirewallRulesCommand;
+import com.cloud.agent.api.routing.SetPortForwardingRulesCommand;
+import com.cloud.agent.api.routing.SetStaticNatRulesCommand;
+import com.cloud.agent.api.to.FirewallRuleTO;
+import com.cloud.agent.api.to.IpAddressTO;
+import com.cloud.agent.api.to.PortForwardingRuleTO;
+import com.cloud.agent.api.to.StaticNatRuleTO;
+import com.cloud.host.Host;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.FirewallRule.TrafficType;
+import com.cloud.network.rules.FirewallRule.Purpose;
+import com.cloud.resource.ServerResource;
+import com.cloud.utils.NumbersUtil;
+import com.cloud.utils.exception.ExecutionException;
+import com.cloud.utils.net.NetUtils;
+import com.cloud.utils.script.Script;
+
+// http client handling
+import org.apache.http.client.ResponseHandler;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.BasicResponseHandler;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.NameValuePair;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.protocol.HTTP;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.net.URLDecoder;
+import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import com.cloud.network.utils.HttpClientWrapper;
+
+// for prettyFormat()
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Source;
+import java.io.StringWriter;
+
+
+public class MockablePaloAltoResource extends PaloAltoResource {
+	private HashMap<String, String> context;
+	public void setMockContext(HashMap<String, String> context) {
+		this.context = context;
+	}
+
+	/* Fake the calls to the Palo Alto API */
+    protected String request(PaloAltoMethod method, Map<String, String> params) throws ExecutionException {
+        if (method != PaloAltoMethod.GET && method != PaloAltoMethod.POST) {
+            throw new ExecutionException("Invalid http method used to access the Palo Alto API.");
+        }
+
+        String response = "";
+
+        // 'keygen' request
+        if (params.containsKey("type") && params.get("type").equals("keygen")) {
+            response = "<response status = 'success'><result><key>LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09</key></result></response>";
+        }
+        
+        // 'config' requests
+        if (params.containsKey("type") && params.get("type").equals("config") && params.containsKey("action")) {
+        	// action = 'get'
+        	if (params.get("action").equals("get")) {
+                // get interface for type
+                // | public_using_ethernet
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']")) {
+                    if (context.containsKey("public_using_ethernet") && context.get("public_using_ethernet").equals("true")) {
+                        context.put("public_interface_type", "ethernet");
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"ethernet1/1\" admin=\"admin\" time=\"2013/06/18 13:33:56\"><layer3 admin=\"admin\" time=\"2013/06/18 13:33:56\"><ipv6><neighbor-discovery><router-advertisement><enable>no</enable><min-interval>200</min-interval><max-interval>600</max-interval><hop-limit>64</hop-limit><reachable-time>unspecified</reachable-time><retransmission-timer>unspecified</retransmission-timer><lifetime>1800</lifetime><managed-flag>no</managed-flag><other-flag>no</other-flag><enable-consistency-check>no</enable-consistency-check><link-mtu>unspecified</link-mtu></router-advertisement><enable-dad>no</enable-dad><reachable-time>30</reachable-time><ns-interval>1</ns-interval><dad-attempts>1</dad-attempts></neighbor-discovery><enabled>no</enabled><interface-id>EUI-64</interface-id></ipv6><untagged-sub-interface>no</untagged-sub-interface><units admin=\"admin\" time=\"2013/06/18 13:33:56\"><entry name=\"ethernet1/1.9999\" admin=\"admin\" time=\"2013/06/18 13:33:56\"><ipv6><neighbor-discovery><router-advertisement><enable>no</enable><min-interval>200</min-interval><max-interval>600</max-interval><hop-limit>64</hop-limit><reachable-time>unspecified</reachable-time><retransmission-timer>unspecified</retransmission-timer><lifetime>1800</lifetime><managed-flag>no</managed-flag><other-flag>no</other-flag><enable-consistency-check>no</enable-consistency-check><link-mtu>unspecified</link-mtu></router-advertisement><enable-dad>no</enable-dad><reachable-time>30</reachable-time><ns-interval>1</ns-interval><dad-attempts>1</dad-attempts></neighbor-discovery><enabled>no</enabled><interface-id>EUI-64</interface-id></ipv6><ip admin=\"admin\" time=\"2013/06/18 13:33:56\"><entry name=\"192.168.80.254/24\"/></ip><adjust-tcp-mss>no</adjust-tcp-mss><tag>3033</tag></entry></units></layer3><link-speed>auto</link-speed><link-duplex>auto</link-duplex><link-state>auto</link-state></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                } // | private_using_ethernet
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']")) {
+                    if (context.containsKey("private_using_ethernet") && context.get("private_using_ethernet").equals("true")) {
+                        context.put("private_interface_type", "ethernet");
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"ethernet1/2\" admin=\"admin\" time=\"2013/06/18 13:33:57\"><layer3 admin=\"admin\" time=\"2013/06/18 13:33:57\"><ipv6><neighbor-discovery><router-advertisement><enable>no</enable><min-interval>200</min-interval><max-interval>600</max-interval><hop-limit>64</hop-limit><reachable-time>unspecified</reachable-time><retransmission-timer>unspecified</retransmission-timer><lifetime>1800</lifetime><managed-flag>no</managed-flag><other-flag>no</other-flag><enable-consistency-check>no</enable-consistency-check><link-mtu>unspecified</link-mtu></router-advertisement><enable-dad>no</enable-dad><reachable-time>30</reachable-time><ns-interval>1</ns-interval><dad-attempts>1</dad-attempts></neighbor-discovery><enabled>no</enabled><interface-id>EUI-64</interface-id></ipv6><untagged-sub-interface>no</untagged-sub-interface><units admin=\"admin\" time=\"2013/06/18 13:33:57\"/></layer3><link-speed>auto</link-speed><link-duplex>auto</link-duplex><link-state>auto</link-state></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get management profile | has_management_profile
+                if (params.get("xpath").equals("/config/devices/entry/network/profiles/interface-management-profile/entry[@name='Ping']")) {
+                    if (context.containsKey("has_management_profile") && context.get("has_management_profile").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"Ping\"><ping>yes</ping></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+        		// get public interface IP | has_public_interface
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip/entry[@name='192.168.80.102/32']")) {
+                    if (context.containsKey("has_public_interface") && context.get("has_public_interface").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"192.168.80.102/32\" admin=\"admin\" time=\"2013/07/05 13:02:37\"/></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get private interface | has_private_interface
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']")) {
+                    if (context.containsKey("has_private_interface") && context.get("has_private_interface").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"ethernet1/2.3954\" admin=\"admin\" time=\"2013/07/05 13:02:36\"><tag admin=\"admin\" time=\"2013/07/05 13:02:36\">3954</tag><ip><entry name=\"10.5.80.1/20\"/></ip><interface-management-profile>Ping</interface-management-profile></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get private interface ip
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']/ip/entry")) {
+                    response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"10.3.96.1/20\"/></result></response>";
+                }
+
+        		// get source nat | has_src_nat_rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='src_nat.3954']")) {
+                    if (context.containsKey("has_src_nat_rule") && context.get("has_src_nat_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"src_nat.3954\" admin=\"admin\" time=\"2013/07/05 13:02:38\"><to admin=\"admin\" time=\"2013/07/05 13:02:38\"><member admin=\"admin\" time=\"2013/07/05 13:02:38\">untrust</member></to><from><member>trust</member></from><source><member>10.5.80.1/20</member></source><destination><member>any</member></destination><service>any</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><source-translation><dynamic-ip-and-port><interface-address><ip>192.168.80.102/32</ip><interface>ethernet1/1.9999</interface></interface-address></dynamic-ip-and-port></source-translation></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get isolation firewall rule | has_isolation_fw_rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='isolate_3954']")) {
+                    if (context.containsKey("has_isolation_fw_rule") && context.get("has_isolation_fw_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"isolate_3954\" admin=\"admin\" time=\"2013/07/05 13:02:38\"><from admin=\"admin\" time=\"2013/07/05 13:02:38\"><member admin=\"admin\" time=\"2013/07/05 13:02:38\">trust</member></from><to><member>trust</member></to><source><member>10.5.80.0/20</member></source><destination><member>10.5.80.1</member></destination><application><member>any</member></application><service><member>any</member></service><action>deny</action><negate-source>no</negate-source><negate-destination>yes</negate-destination></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get service | has_service
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/service/entry[@name='cs_tcp_80']")) {
+                    if (context.containsKey("has_service_tcp_80") && context.get("has_service_tcp_80").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"cs_tcp_80\"><protocol><tcp><port>80</port></tcp></protocol></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get egress firewall rule | has_egress_fw_rule | policy_0
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']")) {
+                    if (context.containsKey("has_egress_fw_rule") && context.get("has_egress_fw_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"policy_0\" admin=\"admin\" time=\"2013/07/03 12:43:30\"><from admin=\"admin\" time=\"2013/07/03 12:43:30\"><member admin=\"admin\" time=\"2013/07/03 12:43:30\">trust</member></from><to><member>untrust</member></to><source><member>10.3.96.1/20</member></source><destination><member>any</member></destination><application><member>any</member></application><service><member>cs_tcp_80</member></service><action>allow</action><negate-source>no</negate-source><negate-destination>no</negate-destination></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get ingress firewall rule | has_ingress_fw_rule | policy_8
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_8']")) {
+                    if (context.containsKey("has_ingress_fw_rule") && context.get("has_ingress_fw_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"policy_8\" admin=\"admin\" time=\"2013/07/03 13:26:27\"><from admin=\"admin\" time=\"2013/07/03 13:26:27\"><member admin=\"admin\" time=\"2013/07/03 13:26:27\">untrust</member></from><to><member>trust</member></to><source><member>any</member></source><destination><member>192.168.80.103</member></destination><application><member>any</member></application><service><member>cs_tcp_80</member></service><action>allow</action><negate-source>no</negate-source><negate-destination>no</negate-destination></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get destination nat rule (port forwarding) | has_dst_nat_rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']")) {
+                    if (context.containsKey("has_dst_nat_rule") && context.get("has_dst_nat_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"dst_nat.192-168-80-103_9\" admin=\"admin\" time=\"2013/07/03 13:40:50\"><to admin=\"admin\" time=\"2013/07/03 13:40:50\"><member admin=\"admin\" time=\"2013/07/03 13:40:50\">untrust</member></to><from><member>untrust</member></from><source><member>any</member></source><destination><member>192.168.80.103</member></destination><service>cs_tcp_80</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><destination-translation><translated-address>10.3.97.158</translated-address><translated-port>8080</translated-port></destination-translation></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get destination nat rules (returns all dst nat rules per ip)
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[destination/member[text()='192.168.80.103']]")) {
+                    if (context.containsKey("has_dst_nat_rule") && context.get("has_dst_nat_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"dst_nat.192-168-80-103_9\" admin=\"admin\" time=\"2013/07/03 13:40:50\"><to admin=\"admin\" time=\"2013/07/03 13:40:50\"><member admin=\"admin\" time=\"2013/07/03 13:40:50\">untrust</member></to><from><member>untrust</member></from><source><member>any</member></source><destination><member>192.168.80.103</member></destination><service>cs_tcp_80</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><destination-translation><translated-address>10.3.97.158</translated-address><translated-port>8080</translated-port></destination-translation></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+                // get static nat rule | has_stc_nat_rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='stc_nat.192-168-80-103_0']")) {
+                    if (context.containsKey("has_stc_nat_rule") && context.get("has_stc_nat_rule").equals("true")) {
+                        response = "<response status=\"success\" code=\"19\"><result total-count=\"1\" count=\"1\"><entry name=\"stc_nat.192-168-80-103_0\" admin=\"admin\" time=\"2013/07/03 14:02:23\"><to admin=\"admin\" time=\"2013/07/03 14:02:23\"><member admin=\"admin\" time=\"2013/07/03 14:02:23\">untrust</member></to><from><member>untrust</member></from><source><member>any</member></source><destination><member>192.168.80.103</member></destination><service>any</service><nat-type>ipv4</nat-type><to-interface>ethernet1/1.9999</to-interface><destination-translation><translated-address>10.3.97.158</translated-address></destination-translation></entry></result></response>";
+                    } else {
+                        response = "<response status=\"success\" code=\"19\"><result/></response>";
+                    }
+                }
+
+        	}
+
+        	// action = 'set'
+        	if (params.get("action").equals("set")) {
+                // set management profile
+                if (params.get("xpath").equals("/config/devices/entry/network/profiles/interface-management-profile/entry[@name='Ping']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_management_profile", "true");
+                }
+
+                // add private interface
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_private_interface", "true");
+                }
+
+                // add public ip to public interface
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_public_interface", "true");
+                }
+
+                // add private interface to zone
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry[@name='trust']/network/layer3")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // add public interface to zone
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry[@name='untrust']/network/layer3")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // set virtual router (public | private)
+                if (params.get("xpath").equals("/config/devices/entry/network/virtual-router/entry[@name='default']/interface")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // add interface to network (public | private)
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/import/network/interface")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // add src nat rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='src_nat.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_src_nat_rule", "true");
+                }
+
+                // add isolation firewall rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='isolate_3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_isolation_fw_rule", "true");
+                }
+
+                // add egress firewall rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_egress_fw_rule", "true");
+                }
+
+                // add ingress firewall rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_8']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_ingress_fw_rule", "true");
+                }
+
+                // add destination nat rule (port forwarding)
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_dst_nat_rule", "true");
+                }
+
+                // add static nat rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='stc_nat.192-168-80-103_0']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_stc_nat_rule", "true");
+                }
+
+                // add tcp 80 service
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/service/entry[@name='cs_tcp_80']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.put("has_service_tcp_80", "true");
+                }
+        	}
+
+        	// action = 'delete'
+        	if (params.get("action").equals("delete")) {
+                // remove egress firewall rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_0']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_egress_fw_rule");
+                }
+
+                // remove ingress firewall rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='policy_8']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_ingress_fw_rule");
+                }
+
+                // remove destination nat rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='dst_nat.192-168-80-103_9']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_dst_nat_rule");
+                }
+
+                // remove static nat rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='stc_nat.192-168-80-103_0']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_dst_nat_rule");
+                }
+
+                // remove public ip from interface (dst_nat | stc_nat)
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip/entry[@name='192.168.80.103/32']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // remove isolation firewall rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='isolate_3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_isolation_fw_rule");
+                }
+
+                // remove source nat rule
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/rulebase/nat/rules/entry[@name='src_nat.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_src_nat_rule");
+                }
+
+                // remove public source nat ip
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/units/entry[@name='ethernet1/1.9999']/ip/entry[@name='192.168.80.102/32']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_public_interface");
+                }
+
+                // remove private interface from the zone
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/zone/entry[@name='trust']/network/layer3/member[text()='ethernet1/2.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // remove private interface from the virtual router
+                if (params.get("xpath").equals("/config/devices/entry/network/virtual-router/entry[@name='default']/interface/member[text()='ethernet1/2.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // remove private interface from network
+                if (params.get("xpath").equals("/config/devices/entry/vsys/entry[@name='vsys1']/import/network/interface/member[text()='ethernet1/2.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                }
+
+                // remove private interface
+                if (params.get("xpath").equals("/config/devices/entry/network/interface/ethernet/entry[@name='ethernet1/2']/layer3/units/entry[@name='ethernet1/2.3954']")) {
+                    response = "<response status=\"success\" code=\"20\"><msg>command succeeded</msg></response>";
+                    context.remove("has_private_interface");
+                }
+
+        	}
+        } // end 'config'
+
+        // 'op' requests
+        if (params.containsKey("type") && params.get("type").equals("op")) {
+        	// check if there are pending changes
+        	if (params.get("cmd").equals("<check><pending-changes></pending-changes></check>")) {
+                if (context.containsKey("firewall_has_pending_changes") && context.get("firewall_has_pending_changes").equals("true")) {
+                    response = "<response status=\"success\"><result>yes</result></response>";
+                } else {
+                    response = "<response status=\"success\"><result>no</result></response>";
+                }
+        	}
+
+        	// add a config lock
+        	if (params.get("cmd").equals("<request><config-lock><add></add></config-lock></request>")) {
+                response = "<response status=\"success\"><result>Successfully acquired lock. Other administrators will not be able to modify configuration for scope shared until lock is released</result></response>";
+        	}
+
+            // check job status
+            if (params.get("cmd").equals("<show><jobs><id>1</id></jobs></show>")) {
+                if (context.containsKey("simulate_commit_failure") && context.get("simulate_commit_failure").equals("true")) {
+                    response = "<response status=\"success\"><result><job><tenq>2013/07/10 11:11:49</tenq><id>1</id><user>admin</user><type>Commit</type><status>FIN</status><stoppable>no</stoppable><result>FAIL</result><tfin>11:11:54</tfin><progress>11:11:54</progress><details><line>Bad config</line><line>Commit failed</line></details><warnings></warnings></job></result></response>";
+                } else { 
+                    response = "<response status=\"success\"><result><job><tenq>2013/07/02 14:49:49</tenq><id>1</id><user>admin</user><type>Commit</type><status>FIN</status><stoppable>no</stoppable><result>OK</result><tfin>14:50:02</tfin><progress>14:50:02</progress><details><line>Configuration committed successfully</line></details><warnings></warnings></job></result></response>";
+                }
+            }
+
+        	// load from running config
+        	if (params.get("cmd").equals("<load><config><from>running-config.xml</from></config></load>")) {
+                response = "<response status=\"success\"><result><msg><line>Config loaded from running-config.xml</line></msg></result></response>";
+        	}
+
+        	// remove config lock
+        	if (params.get("cmd").equals("<request><config-lock><remove></remove></config-lock></request>")) {
+                response = "<response status=\"success\"><result>Config lock released for scope shared</result></response>";
+        	}
+        } // end 'op'
+
+        // 'commit' requests
+        if (params.containsKey("type") && params.get("type").equals("commit")) {
+        	// cmd = '<commit></commit>'
+        	if (params.get("cmd").equals("<commit></commit>")) {
+                response = "<response status=\"success\" code=\"19\"><result><msg><line>Commit job enqueued with jobid 1</line></msg><job>1</job></result></response>";
+        	}
+        } // end 'commit'
+
+
+        // print out the details into the console
+        if (context.containsKey("enable_console_output") && context.get("enable_console_output") == "true") {
+            if (params.containsKey("xpath")) {
+                System.out.println("XPATH("+params.get("action")+"): "+params.get("xpath"));
+            }
+            if (params.containsKey("type") && params.get("type").equals("op")) {
+                System.out.println("OP CMD: "+params.get("cmd"));
+            }
+            System.out.println(response+"\n");
+        }
+
+        return response;
+    }
+}

plugins/network-elements/palo-alto/test/com/cloud/network/resource/PaloAltoResourceTest.java

@@ -0,0 +1,507 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the 
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.network.resource;
+
+// test imports
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
+import org.junit.Before;
+import org.junit.Test;
+
+import java.util.Collections;
+
+// basic imports
+import java.io.BufferedReader;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.log4j.Logger;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+import javax.naming.ConfigurationException;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import com.cloud.agent.IAgentControl;
+import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.Command;
+import com.cloud.agent.api.ExternalNetworkResourceUsageAnswer;
+import com.cloud.agent.api.ExternalNetworkResourceUsageCommand;
+import com.cloud.agent.api.MaintainAnswer;
+import com.cloud.agent.api.MaintainCommand;
+import com.cloud.agent.api.PingCommand;
+import com.cloud.agent.api.ReadyAnswer;
+import com.cloud.agent.api.ReadyCommand;
+import com.cloud.agent.api.StartupCommand;
+import com.cloud.agent.api.StartupExternalFirewallCommand;
+import com.cloud.agent.api.routing.IpAssocAnswer;
+import com.cloud.agent.api.routing.IpAssocCommand;
+import com.cloud.agent.api.routing.NetworkElementCommand;
+import com.cloud.agent.api.routing.SetFirewallRulesCommand;
+import com.cloud.agent.api.routing.SetPortForwardingRulesCommand;
+import com.cloud.agent.api.routing.SetStaticNatRulesCommand;
+import com.cloud.agent.api.to.FirewallRuleTO;
+import com.cloud.agent.api.to.IpAddressTO;
+import com.cloud.agent.api.to.PortForwardingRuleTO;
+import com.cloud.agent.api.to.StaticNatRuleTO;
+import com.cloud.host.Host;
+import com.cloud.network.rules.FirewallRuleVO;
+import com.cloud.network.rules.FirewallRule;
+import com.cloud.network.rules.FirewallRule.TrafficType;
+import com.cloud.network.rules.FirewallRule.Purpose;
+import com.cloud.network.rules.FirewallRule.State;
+import com.cloud.resource.ServerResource;
+import com.cloud.utils.NumbersUtil;
+import com.cloud.utils.exception.ExecutionException;
+import com.cloud.utils.net.NetUtils;
+import com.cloud.utils.script.Script;
+
+// http client handling
+import org.apache.http.client.ResponseHandler;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.impl.client.BasicResponseHandler;
+import org.apache.http.impl.client.DefaultHttpClient;
+import org.apache.http.NameValuePair;
+import org.apache.http.message.BasicNameValuePair;
+import org.apache.http.client.entity.UrlEncodedFormEntity;
+import org.apache.http.protocol.HTTP;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.net.URLDecoder;
+import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import com.cloud.network.utils.HttpClientWrapper;
+
+// for prettyFormat()
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Source;
+import java.io.StringWriter;
+
+public class PaloAltoResourceTest {
+	// configuration data
+	private String _test_name = "PaloAltoTestDevice";
+    private String _test_zoneId = "TestZone";
+    private String _test_ip = "192.168.80.2";
+    private String _test_username = "admin";
+    private String _test_password = "admin";
+    private String _test_publicInterface = "ethernet1/1";
+    private String _test_privateInterface = "ethernet1/2";
+    private String _test_publicZone = "untrust";
+    private String _test_privateZone = "trust";
+    private String _test_virtualRouter = "default";
+
+	MockablePaloAltoResource _resource;
+	Map<String, Object> _resource_params;
+	HashMap<String, String> _context;
+	
+	@Before
+	public void setUp() {
+		_resource = new MockablePaloAltoResource();
+		_resource_params = new HashMap<String, Object>(); // params to be passed to configure()
+		_resource_params.put("name", _test_name);
+		_resource_params.put("zoneId", _test_zoneId);
+		_resource_params.put("ip", _test_ip);
+		_resource_params.put("username", _test_username);
+		_resource_params.put("password", _test_password);
+		_resource_params.put("publicinterface", _test_publicInterface);
+		_resource_params.put("privateinterface", _test_privateInterface);
+		_resource_params.put("publicnetwork", _test_publicZone);
+		_resource_params.put("privatenetwork", _test_privateZone);
+		_resource_params.put("pavr", _test_virtualRouter);
+		_resource_params.put("guid", "aaaaa-bbbbb-ccccc");
+
+		_context = new HashMap<String, String>(); // global context
+		_context.put("name", _test_name);
+		_context.put("zone_id", _test_zoneId);
+		_context.put("ip", _test_ip);
+		_context.put("username", _test_username);
+		_context.put("password", _test_password);
+		_context.put("public_interface", _test_publicInterface);
+		_context.put("private_interface", _test_privateInterface);
+		_context.put("public_zone", _test_publicZone);
+		_context.put("private_zone", _test_privateZone);
+		_context.put("pa_vr", _test_virtualRouter);
+		// --
+		_context.put("public_using_ethernet", "true");
+		_context.put("private_using_ethernet", "true");
+		_context.put("has_management_profile", "true");
+		_context.put("enable_console_output", "false"); // CHANGE TO "true" TO ENABLE CONSOLE LOGGING OF TESTS
+		_resource.setMockContext(_context);
+	}
+
+	@Test (expected=ConfigurationException.class)
+	public void resourceConfigureFailure() throws ConfigurationException {
+		_resource.configure("PaloAltoResource", new HashMap<String, Object>());
+	}
+	
+	@Test 
+	public void resourceConfigureWithoutManagementProfile() throws ConfigurationException {
+		if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+			System.out.println("\nTEST: resourceConfigureWithoutManagementProfile");
+	        System.out.println("---------------------------------------------------");
+	    }
+        _context.remove("has_management_profile");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+	}
+
+	@Test 
+	public void resourceConfigureWithManagementProfile() throws ConfigurationException {
+		if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+			System.out.println("\nTEST: resourceConfigureWithManagementProfile");
+			System.out.println("---------------------------------------------------");
+		}
+		_resource.configure("PaloAltoResource", _resource_params);
+	}
+
+	@Test (expected=ConfigurationException.class)
+	public void simulateFirewallNotConfigurable() throws ConfigurationException {
+		if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+			System.out.println("\nTEST: simulateFirewallNotConfigurable");
+	        System.out.println("---------------------------------------------------");
+	    }
+	    _context.put("firewall_has_pending_changes", "true");
+        _context.remove("has_management_profile");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+	}
+
+	@Test (expected=ConfigurationException.class)
+	public void simulateFirewallCommitFailure() throws ConfigurationException {
+		if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+			System.out.println("\nTEST: simulateFirewallCommitFailure");
+	        System.out.println("---------------------------------------------------");
+	    }
+	    _context.put("simulate_commit_failure", "true");
+        _context.remove("has_management_profile");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+	}
+
+	@Test
+    public void testInitialize() throws ConfigurationException {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	        System.out.println("\nTEST: testInitialization");
+			System.out.println("---------------------------------------------------");
+		}
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        StartupCommand[] sc = _resource.initialize();
+        assertTrue(sc.length == 1);
+        assertTrue("aaaaa-bbbbb-ccccc".equals(sc[0].getGuid()));
+        assertTrue("PaloAltoTestDevice".equals(sc[0].getName()));
+        assertTrue("TestZone".equals(sc[0].getDataCenter()));
+    }
+
+	@Test // implement public & private interfaces, source nat, guest network
+	public void implementGuestNetwork() throws ConfigurationException, ExecutionException {
+		if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+			System.out.println("\nTEST: implementGuestNetwork");
+			System.out.println("---------------------------------------------------");
+		}
+		_resource.configure("PaloAltoResource", _resource_params);
+
+		IpAddressTO ip = new IpAddressTO(Long.valueOf("1"), "192.168.80.102", true, false, true, "untagged", null, null, null, 100, false);
+		IpAddressTO[] ips = new IpAddressTO[1];
+        ips[0] = ip;
+        IpAssocCommand cmd = new IpAssocCommand(ips);
+        cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_GATEWAY, "10.3.96.1");
+        cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+        cmd.setAccessDetail(NetworkElementCommand.GUEST_VLAN_TAG, "3954");
+
+        IpAssocAnswer answer = (IpAssocAnswer) _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+	}
+
+	@Test // remove public & private interface details, source nat, guest network
+	public void shutdownGuestNetwork() throws ConfigurationException, ExecutionException {
+		if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+			System.out.println("\nTEST: shutdownGuestNetwork");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+		IpAddressTO ip = new IpAddressTO(Long.valueOf("1"), "192.168.80.102", false, false, true, "untagged", null, null, null, 100, false);
+		IpAddressTO[] ips = new IpAddressTO[1];
+        ips[0] = ip;
+        IpAssocCommand cmd = new IpAssocCommand(ips);
+        cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_GATEWAY, "10.3.96.1");
+        cmd.setAccessDetail(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+        cmd.setAccessDetail(NetworkElementCommand.GUEST_VLAN_TAG, "3954");
+
+        IpAssocAnswer answer = (IpAssocAnswer) _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+	}
+
+	@Test
+    public void addIngressFirewallRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: addIngressFirewallRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
+        List<String> cidrList = new ArrayList<String>();
+        cidrList.add("0.0.0.0/0");
+        FirewallRuleTO active = new FirewallRuleTO(8,
+            null, "192.168.80.103", "tcp", 80, 80, false, false,
+            FirewallRule.Purpose.Firewall, cidrList, null, null);
+        rules.add(active);
+
+        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+	@Test
+    public void removeIngressFirewallRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: removeIngressFirewallRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_context.put("has_ingress_fw_rule", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
+        FirewallRuleTO revoked = new FirewallRuleTO(8,
+            null, "192.168.80.103", "tcp", 80, 80, true, false,
+            FirewallRule.Purpose.Firewall, null, null, null);
+        rules.add(revoked);
+
+        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+    @Test
+    public void addEgressFirewallRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: addEgressFirewallRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
+        List<String> cidrList = new ArrayList<String>();
+        cidrList.add("0.0.0.0/0");
+        FirewallRuleVO activeVO = new FirewallRuleVO(null, null, 80, 80, "tcp", 
+            1, 1, 1, Purpose.Firewall, cidrList, null,
+            null, null, FirewallRule.TrafficType.Egress);
+        FirewallRuleTO active = new FirewallRuleTO(activeVO, Long.toString(vlanId), null, Purpose.Firewall, FirewallRule.TrafficType.Egress);
+        rules.add(active);
+
+        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+	@Test
+    public void removeEgressFirewallRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: removeEgressFirewallRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_context.put("has_egress_fw_rule", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<FirewallRuleTO> rules = new ArrayList<FirewallRuleTO>();
+        FirewallRuleVO revokedVO = new FirewallRuleVO(null, null, 80, 80, "tcp", 
+            1, 1, 1, Purpose.Firewall, null, null, null, null, FirewallRule.TrafficType.Egress);
+        revokedVO.setState(State.Revoke);
+        FirewallRuleTO revoked = new FirewallRuleTO(revokedVO, Long.toString(vlanId), null, Purpose.Firewall, FirewallRule.TrafficType.Egress);
+        rules.add(revoked);
+
+        SetFirewallRulesCommand cmd = new SetFirewallRulesCommand(rules);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+    @Test
+    public void addStaticNatRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: addStaticNatRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<StaticNatRuleTO> rules = new ArrayList<StaticNatRuleTO>();
+        StaticNatRuleTO active = new StaticNatRuleTO(0, "192.168.80.103", null,
+                null, "10.3.97.158", null, null, null, false, false);
+        rules.add(active);
+
+        SetStaticNatRulesCommand cmd = new SetStaticNatRulesCommand(rules, null);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+    @Test
+    public void removeStaticNatRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: removeStaticNatRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_context.put("has_stc_nat_rule", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<StaticNatRuleTO> rules = new ArrayList<StaticNatRuleTO>();
+        StaticNatRuleTO revoked = new StaticNatRuleTO(0, "192.168.80.103", null,
+                null, "10.3.97.158", null, null, null, true, false);
+        rules.add(revoked);
+
+        SetStaticNatRulesCommand cmd = new SetStaticNatRulesCommand(rules, null);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+    @Test
+    public void addPortForwardingRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: addPortForwardingRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<PortForwardingRuleTO> rules = new ArrayList<PortForwardingRuleTO>();
+        PortForwardingRuleTO active = new PortForwardingRuleTO(9, "192.168.80.103", 80,
+            80, "10.3.97.158", 8080, 8080, "tcp", false, false);
+        rules.add(active);
+
+        SetPortForwardingRulesCommand cmd = new SetPortForwardingRulesCommand(rules);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+
+    @Test
+    public void removePortForwardingRule() throws ConfigurationException, Exception {
+    	if (_context.containsKey("enable_console_output") && _context.get("enable_console_output").equals("true")) {
+	    	System.out.println("\nTEST: removePortForwardingRule");
+			System.out.println("---------------------------------------------------");
+		}
+		_context.put("has_public_interface", "true");
+		_context.put("has_private_interface", "true");
+		_context.put("has_src_nat_rule", "true");
+		_context.put("has_isolation_fw_rule", "true");
+		_context.put("has_service_tcp_80", "true");
+		_context.put("has_dst_nat_rule", "true");
+		_resource.setMockContext(_context);
+		_resource.configure("PaloAltoResource", _resource_params);
+
+        long vlanId = 3954;
+        List<PortForwardingRuleTO> rules = new ArrayList<PortForwardingRuleTO>();
+        PortForwardingRuleTO revoked = new PortForwardingRuleTO(9, "192.168.80.103", 80,
+            80, "10.3.97.158", 8080, 8080, "tcp", true, false);
+        rules.add(revoked);
+
+        SetPortForwardingRulesCommand cmd = new SetPortForwardingRulesCommand(rules);
+        cmd.setContextParam(NetworkElementCommand.GUEST_VLAN_TAG, Long.toString(vlanId));
+        cmd.setContextParam(NetworkElementCommand.GUEST_NETWORK_CIDR, "10.3.96.1/20");
+
+        Answer answer = _resource.executeRequest(cmd);
+        assertTrue(answer.getResult());
+    }
+}
+

plugins/pom.xml

@@ -44,6 +44,7 @@
     <module>network-elements/elastic-loadbalancer</module>
     <module>network-elements/ovs</module>
     <module>network-elements/juniper-contrail</module>
+    <module>network-elements/palo-alto</module>
     <module>network-elements/nicira-nvp</module>
     <module>network-elements/bigswitch-vns</module>
     <module>network-elements/midonet</module>

server/src/com/cloud/api/ApiResponseHelper.java

@@ -2631,7 +2631,7 @@ public class ApiResponseHelper implements ResponseGenerator {
         List<ProviderResponse> serviceProvidersResponses = new ArrayList<ProviderResponse>();
         for (Network.Provider serviceProvider : serviceProviders) {
             // return only Virtual Router/JuniperSRX/CiscoVnmc as a provider for the firewall
-            if (service == Service.Firewall && !(serviceProvider == Provider.VirtualRouter || serviceProvider == Provider.JuniperSRX || serviceProvider == Provider.CiscoVnmc)) {
+            if (service == Service.Firewall && !(serviceProvider == Provider.VirtualRouter || serviceProvider == Provider.JuniperSRX || serviceProvider == Provider.CiscoVnmc || serviceProvider == Provider.PaloAlto)) {
                 continue;
             }
 

server/src/com/cloud/configuration/ConfigurationManagerImpl.java

@@ -3792,6 +3792,10 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
                             firewallProvider = provider;
                         }
 
+                        if (provider == Provider.PaloAlto) {
+                            firewallProvider = Provider.PaloAlto;
+                        }
+                        
                         if ((service == Service.PortForwarding || service == Service.StaticNat)
                                 && provider == Provider.VirtualRouter) {
                             firewallProvider = Provider.VirtualRouter;

ui/dictionary.jsp

@@ -322,6 +322,7 @@ dictionary = {
 'label.add.new.gateway': '<fmt:message key="label.add.new.gateway" />',
 'label.add.new.NetScaler': '<fmt:message key="label.add.new.NetScaler" />',
 'label.add.new.SRX': '<fmt:message key="label.add.new.SRX" />',
+'label.add.new.PA': '<fmt:message key="label.add.new.PA" />',
 'label.add.new.tier': '<fmt:message key="label.add.new.tier" />',
 'label.add.NiciraNvp.device': '<fmt:message key="label.add.NiciraNvp.device" />',
 'label.add.pod': '<fmt:message key="label.add.pod" />',
@@ -334,6 +335,7 @@ dictionary = {
 'label.add.security.group': '<fmt:message key="label.add.security.group" />',
 'label.add.service.offering': '<fmt:message key="label.add.service.offering" />',
 'label.add.SRX.device': '<fmt:message key="label.add.SRX.device" />',
+'label.add.PA.device': '<fmt:message key="label.add.PA.device" />',
 'label.add.static.nat.rule': '<fmt:message key="label.add.static.nat.rule" />',
 'label.add.static.route': '<fmt:message key="label.add.static.route" />',
 'label.add.system.service.offering': '<fmt:message key="label.add.system.service.offering" />',
@@ -480,6 +482,7 @@ dictionary = {
 'label.delete.NiciraNvp': '<fmt:message key="label.delete.NiciraNvp" />',
 'label.delete.project': '<fmt:message key="label.delete.project" />',
 'label.delete.SRX': '<fmt:message key="label.delete.SRX" />',
+'label.delete.PA': '<fmt:message key="label.delete.PA" />',
 'label.delete.VPN.connection': '<fmt:message key="label.delete.VPN.connection" />',
 'label.delete.VPN.customer.gateway': '<fmt:message key="label.delete.VPN.customer.gateway" />',
 'label.delete.VPN.gateway': '<fmt:message key="label.delete.VPN.gateway" />',
@@ -859,6 +862,8 @@ dictionary = {
 'label.owned.public.ips': '<fmt:message key="label.owned.public.ips" />',
 'label.owner.account': '<fmt:message key="label.owner.account" />',
 'label.owner.domain': '<fmt:message key="label.owner.domain" />',
+'label.PA.log.profile': '<fmt:message key="label.PA.log.profile" />',
+'label.PA.threat.profile': '<fmt:message key="label.PA.threat.profile" />',
 'label.parent.domain': '<fmt:message key="label.parent.domain" />',
 'label.password.enabled': '<fmt:message key="label.password.enabled" />',
 'label.password': '<fmt:message key="label.password" />',
@@ -1031,6 +1036,7 @@ dictionary = {
 'label.specify.vxlan': '<fmt:message key="label.specify.vxlan" />',
 'label.SR.name ': '<fmt:message key="label.SR.name " />',
 'label.srx': '<fmt:message key="label.srx" />',
+'label.PA': '<fmt:message key="label.PA" />',
 'label.start.IP': '<fmt:message key="label.start.IP" />',
 'label.start.port': '<fmt:message key="label.start.port" />',
 'label.start.reserved.system.IP': '<fmt:message key="label.start.reserved.system.IP" />',
@@ -1332,6 +1338,7 @@ dictionary = {
 'message.confirm.delete.F5': '<fmt:message key="message.confirm.delete.F5" />',
 'message.confirm.delete.NetScaler': '<fmt:message key="message.confirm.delete.NetScaler" />',
 'message.confirm.delete.SRX': '<fmt:message key="message.confirm.delete.SRX" />',
+'message.confirm.delete.PA': '<fmt:message key="message.confirm.delete.PA" />',
 'message.confirm.destroy.router': '<fmt:message key="message.confirm.destroy.router" />',
 'message.confirm.disable.provider': '<fmt:message key="message.confirm.disable.provider" />',
 'message.confirm.enable.provider': '<fmt:message key="message.confirm.enable.provider" />',

ui/scripts/docs.js

@@ -770,6 +770,75 @@ cloudStack.docs = {
         desc: 'Number of guest networks/accounts that will share this device',
         externalLink: ''
     },
+    // Add Palo Alto
+    helpPaloAltoIPAddress: {
+        desc: 'The IP address of the device',
+        externalLink: ''
+    },
+    helpPaloAltoUsername: {
+        desc: 'A user ID with valid authentication credentials that provide to access the device',
+        externalLink: ''
+    },
+    helpPaloAltoPassword: {
+        desc: 'The password for the user ID provided in Username',
+        externalLink: ''
+    },
+    helpPaloAltoType: {
+        desc: 'The type of device that is being added',
+        externalLink: ''
+    },
+    helpPaloAltoPublicInterface: {
+        desc: 'Interface of device that is configured to be part of the public network. For example, ge-0/0/2',
+        externalLink: ''
+    },
+    helpPaloAltoPrivateInterface: {
+        desc: 'Interface of device that is configured to be part of the private network. For example, ge-0/0/1',
+        externalLink: ''
+    },
+    helpPaloAltoUsageInterface: {
+        desc: 'Interface used to meter traffic. If you don\'t want to use the public interface, specify a different interface name here.',
+        externalLink: ''
+    },
+    helpPaloAltoRetries: {
+        desc: 'Number of times to attempt a command on the device before considering the operation failed. Default is 2.',
+        externalLink: ''
+    },
+    helpPaloAltoTimeout: {
+        desc: 'The time to wait for a command on the Palo Alto before considering it failed. Default is 300 seconds.',
+        externalLink: ''
+    },
+    helpPaloAltoMode: {
+        desc: 'Side by side mode is supported for the Palo Alto.',
+        externalLink: ''
+    },
+    helpPaloAltoPublicNetwork: {
+        desc: 'The name of the public network on the Palo Alto. For example, trust.',
+        externalLink: ''
+    },
+    helpPaloAltoPrivateNetwork: {
+        desc: 'The name of the private network on the Palo Alto. For example, untrust.',
+        externalLink: ''
+    },
+    helpPaloAltoVirtualRouter: {
+        desc: 'The name of the virtual router on the Palo Alto.',
+        externalLink: ''
+    },
+    helpPaloAltoThreatProfile: {
+        desc: 'The threat profile name/group to associate with allow firewall policies.',
+        externalLink: ''
+    },
+    helpPaloAltoLogProfile: {
+        desc: 'The log profile name/group to associate with allow firewall policies.',
+        externalLink: ''
+    },
+    helpPaloAltoDedicated: {
+        desc: 'Check this box to dedicate the device to a single account. The value in the Capacity field will be ignored.',
+        externalLink: ''
+    },
+    helpPaloAltoCapacity: {
+        desc: 'Number of guest networks/accounts that will share this device',
+        externalLink: ''
+    },
     // Add system service offering
     helpSystemOfferingName: {
         desc: 'Any desired name for the offering',

ui/scripts/system.js

@@ -4944,6 +4944,288 @@
                         }
                     },
 
+                    // Palo Alto provider detailView
+                    pa: {
+                        type: 'detailView',
+                        id: 'paProvider',
+                        label: 'label.PA',
+                        viewAll: {
+                            label: 'label.devices',
+                            path: '_zone.paDevices'
+                        },
+                        tabs: {
+                            details: {
+                                title: 'label.details',
+                                fields: [{
+                                    name: {
+                                        label: 'label.name'
+                                    }
+                                }, {
+                                    state: {
+                                        label: 'label.state'
+                                    }
+                                }],
+                                dataProvider: function (args) {
+                                    refreshNspData("PaloAlto");
+                                    var providerObj;
+                                    $(nspHardcodingArray).each(function () {
+                                        if (this.id == "pa") {
+                                            providerObj = this;
+                                            return false; //break each loop
+                                        }
+                                    });
+                                    args.response.success({
+                                        data: providerObj,
+                                        actionFilter: networkProviderActionFilter('pa')
+                                    });
+                                }
+                            }
+                        },
+                        actions: {
+                            add: {
+                                label: 'label.add.PA.device',
+                                createForm: {
+                                    title: 'label.add.PA.device',
+                                    fields: {
+                                        ip: {
+                                            label: 'label.ip.address',
+                                            docID: 'helpPaloAltoIPAddress'
+                                        },
+                                        username: {
+                                            label: 'label.username',
+                                            docID: 'helpPaloAltoUsername'
+                                        },
+                                        password: {
+                                            label: 'label.password',
+                                            isPassword: true,
+                                            docID: 'helpPaloAltoPassword'
+                                        },
+                                        networkdevicetype: {
+                                            label: 'label.type',
+                                            docID: 'helpPaloAltoType',
+                                            select: function (args) {
+                                                var items = [];
+                                                items.push({
+                                                    id: "PaloAltoFirewall",
+                                                    description: "Palo Alto Firewall"
+                                                });
+                                                args.response.success({
+                                                    data: items
+                                                });
+                                            }
+                                        },
+                                        publicinterface: {
+                                            label: 'label.public.interface',
+                                            docID: 'helpPaloAltoPublicInterface'
+                                        },
+                                        privateinterface: {
+                                            label: 'label.private.interface',
+                                            docID: 'helpPaloAltoPrivateInterface'
+                                        },
+                                        //usageinterface: {
+                                        //  label: 'Usage interface',
+                                        //  docID: 'helpPaloAltoUsageInterface'
+                                        //},
+                                        numretries: {
+                                            label: 'label.numretries',
+                                            defaultValue: '2',
+                                            docID: 'helpPaloAltoRetries'
+                                        },
+                                        timeout: {
+                                            label: 'label.timeout',
+                                            defaultValue: '300',
+                                            docID: 'helpPaloAltoTimeout'
+                                        },
+                                        // inline: {
+                                        //   label: 'Mode',
+                                        //   docID: 'helpPaloAltoMode',
+                                        //   select: function(args) {
+                                        //     var items = [];
+                                        //     items.push({id: "false", description: "side by side"});
+                                        //     items.push({id: "true", description: "inline"});
+                                        //     args.response.success({data: items});
+                                        //   }
+                                        // },
+                                        publicnetwork: {
+                                            label: 'label.public.network',
+                                            defaultValue: 'untrust',
+                                            docID: 'helpPaloAltoPublicNetwork'
+                                        },
+                                        privatenetwork: {
+                                            label: 'label.private.network',
+                                            defaultValue: 'trust',
+                                            docID: 'helpPaloAltoPrivateNetwork'
+                                        },
+                                        pavr: {
+                                            label: 'label.virtual.router',
+                                            docID: 'helpPaloAltoVirtualRouter'
+                                        },
+                                        patp: {
+                                            label: 'label.PA.threat.profile',
+                                            docID: 'helpPaloAltoThreatProfile'
+                                        },
+                                        palp: {
+                                            label: 'label.PA.log.profile',
+                                            docID: 'helpPaloAltoLogProfile'
+                                        },
+                                        capacity: {
+                                            label: 'label.capacity',
+                                            validation: {
+                                                required: false,
+                                                number: true
+                                            },
+                                            docID: 'helpPaloAltoCapacity'
+                                        },
+                                        dedicated: {
+                                            label: 'label.dedicated',
+                                            isBoolean: true,
+                                            isChecked: false,
+                                            docID: 'helpPaloAltoDedicated'
+                                        }
+                                    }
+                                },
+                                action: function (args) {
+                                    if (nspMap["pa"] == null) {
+                                        $.ajax({
+                                            url: createURL("addNetworkServiceProvider&name=PaloAlto&physicalnetworkid=" + selectedPhysicalNetworkObj.id),
+                                            dataType: "json",
+                                            async: true,
+                                            success: function (json) {
+                                                var jobId = json.addnetworkserviceproviderresponse.jobid;
+                                                var addPaloAltoProviderIntervalID = setInterval(function () {
+                                                    $.ajax({
+                                                        url: createURL("queryAsyncJobResult&jobId=" + jobId),
+                                                        dataType: "json",
+                                                        success: function (json) {
+                                                            var result = json.queryasyncjobresultresponse;
+                                                            if (result.jobstatus == 0) {
+                                                                return; //Job has not completed
+                                                            } else {
+                                                                clearInterval(addPaloAltoProviderIntervalID);
+                                                                if (result.jobstatus == 1) {
+                                                                    nspMap["pa"] = json.queryasyncjobresultresponse.jobresult.networkserviceprovider;
+                                                                    addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
+                                                                } else if (result.jobstatus == 2) {
+                                                                    alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + _s(result.jobresult.errortext));
+                                                                }
+                                                            }
+                                                        },
+                                                        error: function (XMLHttpResponse) {
+                                                            var errorMsg = parseXMLHttpResponse(XMLHttpResponse);
+                                                            alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + errorMsg);
+                                                        }
+                                                    });
+                                                }, 3000);
+                                            }
+                                        });
+                                    } else {
+                                        addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
+                                    }
+                                },
+                                messages: {
+                                    notification: function (args) {
+                                        return 'label.add.PA.device';
+                                    }
+                                },
+                                notification: {
+                                    poll: pollAsyncJobResult
+                                }
+                            },
+                            enable: {
+                                label: 'label.enable.provider',
+                                action: function (args) {
+                                    $.ajax({
+                                        url: createURL("updateNetworkServiceProvider&id=" + nspMap["pa"].id + "&state=Enabled"),
+                                        dataType: "json",
+                                        success: function (json) {
+                                            var jid = json.updatenetworkserviceproviderresponse.jobid;
+                                            args.response.success({
+                                                _custom: {
+                                                    jobId: jid,
+                                                    getUpdatedItem: function (json) {
+                                                        $(window).trigger('cloudStack.fullRefresh');
+                                                    }
+                                                }
+                                            });
+                                        }
+                                    });
+                                },
+                                messages: {
+                                    confirm: function (args) {
+                                        return 'message.confirm.enable.provider';
+                                    },
+                                    notification: function () {
+                                        return 'label.enable.provider';
+                                    }
+                                },
+                                notification: {
+                                    poll: pollAsyncJobResult
+                                }
+                            },
+                            disable: {
+                                label: 'label.disable.provider',
+                                action: function (args) {
+                                    $.ajax({
+                                        url: createURL("updateNetworkServiceProvider&id=" + nspMap["pa"].id + "&state=Disabled"),
+                                        dataType: "json",
+                                        success: function (json) {
+                                            var jid = json.updatenetworkserviceproviderresponse.jobid;
+                                            args.response.success({
+                                                _custom: {
+                                                    jobId: jid,
+                                                    getUpdatedItem: function (json) {
+                                                        $(window).trigger('cloudStack.fullRefresh');
+                                                    }
+                                                }
+                                            });
+                                        }
+                                    });
+                                },
+                                messages: {
+                                    confirm: function (args) {
+                                        return 'message.confirm.disable.provider';
+                                    },
+                                    notification: function () {
+                                        return 'label.disable.provider';
+                                    }
+                                },
+                                notification: {
+                                    poll: pollAsyncJobResult
+                                }
+                            },
+                            destroy: {
+                                label: 'label.shutdown.provider',
+                                action: function (args) {
+                                    $.ajax({
+                                        url: createURL("deleteNetworkServiceProvider&id=" + nspMap["pa"].id),
+                                        dataType: "json",
+                                        success: function (json) {
+                                            var jid = json.deletenetworkserviceproviderresponse.jobid;
+                                            args.response.success({
+                                                _custom: {
+                                                    jobId: jid
+                                                }
+                                            });
+
+                                            $(window).trigger('cloudStack.fullRefresh');
+                                        }
+                                    });
+                                },
+                                messages: {
+                                    confirm: function (args) {
+                                        return 'message.confirm.shutdown.provider';
+                                    },
+                                    notification: function (args) {
+                                        return 'label.shutdown.provider';
+                                    }
+                                },
+                                notification: {
+                                    poll: pollAsyncJobResult
+                                }
+                            }
+                        }
+                    },
+
                     // Security groups detail view
                     securityGroups: {
                         id: 'securityGroup-providers',
@@ -9156,6 +9438,250 @@
                     }
                 }
             },
+
+            //Palo Alto devices listView
+            paDevices: {
+                id: 'paDevices',
+                title: 'label.devices',
+                listView: {
+                    id: 'paDevices',
+                    fields: {
+                        ipaddress: {
+                            label: 'label.ip.address'
+                        },
+                        fwdevicestate: {
+                            label: 'label.status'
+                        },
+                        fwdevicename: {
+                            label: 'label.type'
+                        }
+                    },
+                    actions: {
+                        add: {
+                            label: 'label.add.PA.device',
+                            createForm: {
+                                title: 'label.add.PA.device',
+                                fields: {
+                                    ip: {
+                                        label: 'label.ip.address'
+                                    },
+                                    username: {
+                                        label: 'label.username'
+                                    },
+                                    password: {
+                                        label: 'label.password',
+                                        isPassword: true
+                                    },
+                                    networkdevicetype: {
+                                        label: 'label.type',
+                                        select: function (args) {
+                                            var items = [];
+                                            items.push({
+                                                id: "PaloAltoFirewall",
+                                                description: "Palo Alto Firewall"
+                                            });
+                                            args.response.success({
+                                                data: items
+                                            });
+                                        }
+                                    },
+                                    publicinterface: {
+                                        label: 'label.public.interface'
+                                    },
+                                    privateinterface: {
+                                        label: 'label.private.interface'
+                                    },
+                                    //usageinterface: {
+                                    //  label: 'label.usage.interface'
+                                    //},
+                                    numretries: {
+                                        label: 'label.numretries',
+                                        defaultValue: '2'
+                                    },
+                                    timeout: {
+                                        label: 'label.timeout',
+                                        defaultValue: '300'
+                                    },
+                                    // inline: {
+                                    //   label: 'Mode',
+                                    //   select: function(args) {
+                                    //     var items = [];
+                                    //     items.push({id: "false", description: "side by side"});
+                                    //     items.push({id: "true", description: "inline"});
+                                    //     args.response.success({data: items});
+                                    //   }
+                                    // },
+                                    publicnetwork: {
+                                        label: 'label.public.network',
+                                        defaultValue: 'untrust'
+                                    },
+                                    privatenetwork: {
+                                        label: 'label.private.network',
+                                        defaultValue: 'trust'
+                                    },
+                                    pavr: {
+                                        label: 'label.virtual.router'
+                                    },
+                                    patp: {
+                                        label: 'label.PA.threat.profile'
+                                    },
+                                    palp: {
+                                        label: 'label.PA.log.profile'
+                                    },
+                                    capacity: {
+                                        label: 'label.capacity',
+                                        validation: {
+                                            required: false,
+                                            number: true
+                                        }
+                                    },
+                                    dedicated: {
+                                        label: 'label.dedicated',
+                                        isBoolean: true,
+                                        isChecked: false
+                                    }
+                                }
+                            },
+                            action: function (args) {
+                                if (nspMap["pa"] == null) {
+                                    $.ajax({
+                                        url: createURL("addNetworkServiceProvider&name=PaloAlto&physicalnetworkid=" + selectedPhysicalNetworkObj.id),
+                                        dataType: "json",
+                                        async: true,
+                                        success: function (json) {
+                                            var jobId = json.addnetworkserviceproviderresponse.jobid;
+                                            var addPaloAltoProviderIntervalID = setInterval(function () {
+                                                $.ajax({
+                                                    url: createURL("queryAsyncJobResult&jobId=" + jobId),
+                                                    dataType: "json",
+                                                    success: function (json) {
+                                                        var result = json.queryasyncjobresultresponse;
+                                                        if (result.jobstatus == 0) {
+                                                            return; //Job has not completed
+                                                        } else {
+                                                            clearInterval(addPaloAltoProviderIntervalID);
+                                                            if (result.jobstatus == 1) {
+                                                                nspMap["pa"] = json.queryasyncjobresultresponse.jobresult.networkserviceprovider;
+                                                                addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
+                                                            } else if (result.jobstatus == 2) {
+                                                                alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + _s(result.jobresult.errortext));
+                                                            }
+                                                        }
+                                                    },
+                                                    error: function (XMLHttpResponse) {
+                                                        var errorMsg = parseXMLHttpResponse(XMLHttpResponse);
+                                                        alert("addNetworkServiceProvider&name=Palo Alto failed. Error: " + errorMsg);
+                                                    }
+                                                });
+                                            }, 3000);
+                                        }
+                                    });
+                                } else {
+                                    addExternalFirewall(args, selectedPhysicalNetworkObj, "addPaloAltoFirewall", "addpaloaltofirewallresponse", "pafirewall");
+                                }
+                            },
+                            messages: {
+                                notification: function (args) {
+                                    return 'label.add.PA.device';
+                                }
+                            },
+                            notification: {
+                                poll: pollAsyncJobResult
+                            }
+                        }
+                    },
+                    dataProvider: function (args) {
+                        $.ajax({
+                            url: createURL("listPaloAltoFirewalls&physicalnetworkid=" + selectedPhysicalNetworkObj.id),
+                            data: {
+                                page: args.page,
+                                pageSize: pageSize
+                            },
+                            dataType: "json",
+                            async: false,
+                            success: function (json) {
+                                var items = json.listpaloaltofirewallresponse.paloaltofirewall;
+                                args.response.success({
+                                    data: items
+                                });
+                            }
+                        });
+                    },
+                    detailView: {
+                        name: 'Palo Alto details',
+                        actions: {
+                            'remove': {
+                                label: 'label.delete.PA',
+                                messages: {
+                                    confirm: function (args) {
+                                        return 'message.confirm.delete.PA';
+                                    },
+                                    notification: function (args) {
+                                        return 'label.delete.PA';
+                                    }
+                                },
+                                action: function (args) {
+                                    $.ajax({
+                                        url: createURL("deletePaloAltoFirewall&fwdeviceid=" + args.context.paDevices[0].fwdeviceid),
+                                        dataType: "json",
+                                        async: true,
+                                        success: function (json) {
+                                            var jid = json.deletepaloaltofirewallresponse.jobid;
+                                            args.response.success({
+                                                _custom: {
+                                                    jobId: jid
+                                                }
+                                            });
+                                        }
+                                    });
+                                },
+                                notification: {
+                                    poll: pollAsyncJobResult
+                                }
+                            }
+                        },
+                        tabs: {
+                            details: {
+                                title: 'label.details',
+                                fields: [{
+                                    fwdeviceid: {
+                                        label: 'label.id'
+                                    },
+                                    ipaddress: {
+                                        label: 'label.ip.address'
+                                    },
+                                    fwdevicestate: {
+                                        label: 'label.status'
+                                    },
+                                    fwdevicename: {
+                                        label: 'label.type'
+                                    },
+                                    fwdevicecapacity: {
+                                        label: 'label.capacity'
+                                    },
+                                    timeout: {
+                                        label: 'label.timeout'
+                                    }
+                                }],
+                                dataProvider: function (args) {
+                                    $.ajax({
+                                        url: createURL("listPaloAltoFirewalls&fwdeviceid=" + args.context.paDevices[0].fwdeviceid),
+                                        dataType: "json",
+                                        async: true,
+                                        success: function (json) {
+                                            var item = json.listpaloaltofirewallresponse.paloaltofirewall[0];
+                                            args.response.success({
+                                                data: item
+                                            });
+                                        }
+                                    });
+                                }
+                            }
+                        }
+                    }
+                }
+            },
+
             // FIXME convert to nicira detailview
             // NiciraNvp devices listView
             niciraNvpDevices: {
@@ -15763,6 +16289,44 @@
         }
         url.push("fwdevicededicated=" + dedicated.toString());
 
+        // START - Palo Alto Specific Fields
+        var externalVirtualRouter = args.data.pavr;
+        if(externalVirtualRouter != null && externalVirtualRouter.length > 0) {
+            if(isQuestionMarkAdded == false) {
+                url.push("?");
+                isQuestionMarkAdded = true;
+            }
+            else {
+                url.push("&");
+            }
+            url.push("pavr=" + encodeURIComponent(externalVirtualRouter));
+        }
+
+        var externalThreatProfile = args.data.patp;
+        if(externalThreatProfile != null && externalThreatProfile.length > 0) {
+            if(isQuestionMarkAdded == false) {
+                url.push("?");
+                isQuestionMarkAdded = true;
+            }
+            else {
+                url.push("&");
+            }
+            url.push("patp=" + encodeURIComponent(externalThreatProfile));
+        }
+
+        var externalLogProfile = args.data.palp;
+        if(externalLogProfile != null && externalLogProfile.length > 0) {
+            if(isQuestionMarkAdded == false) {
+                url.push("?");
+                isQuestionMarkAdded = true;
+            }
+            else {
+                url.push("&");
+            }
+            url.push("palp=" + encodeURIComponent(externalLogProfile));
+        }
+        // END - Palo Alto Specific Fields
+
         array1.push("&url=" + todb(url.join("")));
         //construct URL ends here
 
@@ -16495,6 +17059,9 @@
                             case "JuniperSRX":
                                 nspMap["srx"] = items[i];
                                 break;
+                            case "PaloAlto":
+                                nspMap["pa"] = items[i];
+                                break;
                             case "SecurityGroupProvider":
                                 nspMap["securityGroups"] = items[i];
                                 break;
@@ -16576,6 +17143,11 @@
                 name: 'SRX',
                 state: nspMap.srx ? nspMap.srx.state : 'Disabled'
             });
+            nspHardcodingArray.push({
+                id: 'pa',
+                name: 'Palo Alto',
+                state: nspMap.pa ? nspMap.pa.state : 'Disabled'
+            });
         }
     };