Team Leader - Nutanix Technology Champion - Nutanix NTC Storyteller

Julien DUMUR
Infrastructure in a Nutshell
nutanix on ovhcloud

This is one of the operations I recommend performing on an OVHcloud cluster immediately after delivery: replacing the pre-deployed gateway that will allow your cluster to connect to the internet.

In this article, we’ll see how to deploy a Palo Alto PA-VM and how to perform its basic configuration so that it’s ready to be connected to the OVHcloud RTvRack (which will be the subject of another article).

Prerequisites

Here is the list of prerequisites for deployment:

  • A Nutanix OVHcloud cluster deployed
  • The required subnets created on the cluster
  • A jump VM (bastion) deployed on the cluster, used to reach the PA-VM’s web interface
  • A Palo Alto account with access to image downloads

Retrieving the PA-VM Image

The first step is to retrieve, from the Palo Alto site, the qcow2 image that will allow us to deploy the PA-VM: https://support.paloaltonetworks.com/Updates/SoftwareUpdates/64685971

NOTE: You must have a registered account with them with the correct access rights; there is no “Community” or “Free” version.

VM Deployment

After transferring the newly downloaded image to the cluster, we create a VM with the following characteristics:

For VM sizing, I invite you to consult the documentation to adapt it to your context: https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/license-the-vm-series-firewall/vm-series-models/vm-series-system-requirements

The disk to add is the one downloaded in qcow2 format from the Palo Alto website.

Also select the subnets that will be connected to your gateway. The first interface you add will always be the PA-VM’s management interface, so make sure you select the correct subnet, which ideally will be a subnet dedicated to management interfaces. Your jump VM must have an interface in this subnet to access the PA-VM’s web interface. Here, for example, is what I would recommend for configuring the interfaces:

  • Management (first interface, dedicated management subnet)
  • ethernet1/1 (subnet 0 created by default on the cluster, for the WAN output)
  • ethernet1/2 (internal subnet 1, often the one corresponding to your Nutanix infrastructure)
  • ethernet1/3 (internal subnet 2)

It’s important to select “Legacy BIOS Mode” when creating the VM, otherwise it won’t boot!

Select “Use this VM as an Agent VM” so that it boots first.

Validate the settings; the virtual machine is now ready to start.

Initializing the PA-VM

Start the VM and launch the console from the Nutanix interface. Wait while the operating system boots.

The first login is via the CLI with the following credentials:

  • Username: admin
  • Password: admin

The system will ask you to change the default password. We then enter configuration mode:

configure

Next, configure the management IP in static mode:

set deviceconfig system type static

Then set the management interface parameters (IP address, netmask, default gateway and primary DNS server):

set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>

At this point, the firewall can be accessed from the jump VM’s web browser at: https://<Firewall-IP>

CAUTION: This only works if the jump VM has an interface in the same subnet as the Management interface.

Don’t forget to commit, either from the web interface or from the command line:

commit

You can now continue the configuration on the web interface.
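The CAUTION above is the point where most first attempts fail: the management IP, its gateway and the jump VM’s interface must all sit in the same subnet. The following is an added example, not code from the article or from Palo Alto, that checks a planned management addressing with Python’s ipaddress module and, when the plan is consistent, renders the exact set deviceconfig system command used above. The addresses in the sample are constructed documentation-range values; the function and parameter names are this example’s own.

```python
import ipaddress


def render_mgmt_command(firewall_ip, netmask, gateway_ip, dns_ip):
    """Render the PAN-OS command from the article with the values filled in."""
    return (f"set deviceconfig system ip-address {firewall_ip} netmask {netmask} "
            f"default-gateway {gateway_ip} dns-setting servers primary {dns_ip}")


def check_mgmt_plan(firewall_ip, netmask, gateway_ip, dns_ip, jump_ip):
    """Validate the management addressing plan.

    Returns (problems, command): problems is an empty list when the plan is
    consistent, in which case command holds the rendered CLI line; otherwise
    command is None and problems explains what to fix.
    """
    problems = []
    try:
        # ipaddress accepts a dotted netmask for IPv4 ("10.0.0.5/255.255.255.0")
        iface = ipaddress.ip_interface(f"{firewall_ip}/{netmask}")
    except ValueError as exc:
        return [f"invalid firewall address or netmask: {exc}"], None
    net, fw = iface.network, iface.ip
    if fw in (net.network_address, net.broadcast_address):
        problems.append(f"{fw} is the network or broadcast address of {net}")
    # Both the default gateway and the jump VM must be inside the management subnet
    for label, value in (("gateway", gateway_ip), ("jump VM", jump_ip)):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            problems.append(f"{label} address {value!r} is not a valid IP")
            continue
        if addr not in net:
            problems.append(f"{label} {addr} is outside the management subnet {net}")
        elif addr == fw:
            problems.append(f"{label} {addr} collides with the firewall address")
    try:
        ipaddress.ip_address(dns_ip)  # DNS may live anywhere reachable via the gateway
    except ValueError:
        problems.append(f"DNS address {dns_ip!r} is not a valid IP")
    command = None if problems else render_mgmt_command(firewall_ip, netmask, gateway_ip, dns_ip)
    return problems, command


if __name__ == "__main__":
    # Constructed sample plan (RFC 5737 documentation addresses, not a real site)
    good = check_mgmt_plan("192.0.2.5", "255.255.255.0", "192.0.2.1", "203.0.113.53", "192.0.2.20")
    bad = check_mgmt_plan("192.0.2.5", "255.255.255.0", "192.0.2.1", "203.0.113.53", "198.51.100.20")
    print("consistent plan:", good)
    print("jump VM in the wrong subnet:", bad)
```

Run it before typing the command into the PA-VM console: a non-empty problems list means the web interface will not be reachable from the jump VM even though the command itself is syntactically fine.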

Basic PA-VM Configurations

Let’s start with the basic PA-VM configuration.

On the web interface, in “Device > Setup”, edit the “General Settings” widget to enter at least the Hostname and the Timezone:

Then go to the “Services” tab and edit the “Services” widget to add DNS servers and NTP servers:

All that’s left is to commit the changes; the basic configuration of the Palo Alto gateway is complete.

I want to point out that this is a basic configuration, and there are many other configuration points to complete to ensure a perfectly configured and secure gateway that allows your cluster to access the internet, including authentication, password complexity, VPN, firewall rules, and more.

In a future article, we’ll see how to connect your Palo Alto PA-VM gateway to the OVHcloud RTvRack to allow your cluster to access the internet.

Read More

It’s on Nutanix’s roadmap! Password authentication is in the vendor’s sights: Nutanix intends to put an end to it and warns its users via an informational alert:

The objective is to gradually switch clients to SSH key authentication in order to impose it in a future version of its hypervisor.

Creating SSH keys

Supported SSH encryption algorithms are:

  • AES128-CTR
  • AES192-CTR
  • AES256-CTR

If you already have such a key pair, you can proceed directly to cluster integration.

To create an SSH key pair, we will need a tool like PuTTYgen.

Click “Generate” and move the mouse cursor over the window. Then enter a passphrase and save both the public key and the private key.

WARNING: be sure to use a strong, non-predictable passphrase.

We must now integrate the public key into the cluster.

Integration of the public key on the cluster

To integrate your public key into your cluster, connect to the Prism interface and go to “Settings > Cluster Lockdown”.

Click on “New Public Key”, give it a name, paste the public key content and validate.

At this stage, classic password authentication and SSH key authentication are both active and functional; it is time to test.
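A frequent mistake at the “New Public Key” step is pasting the wrong file: PuTTYgen’s “Save public key” button writes the multi-line RFC 4716 format, whereas the one-line text shown in its “Public key for pasting into OpenSSH authorized_keys file” box is what this kind of input expects. The following is an added example, not code from the article or from Nutanix, that validates a public key line before it is pasted: it checks the format, decodes the base64 blob, confirms the type prefix matches the type embedded in the blob, and rejects RSA keys shorter than 2048 bits. The accepted key types and the minimum size are this example’s assumptions; the sample keys are constructed, well-formed blobs and not real keys.

```python
import base64
import struct

# Assumptions for this example: adjust to what your Prism version accepts.
ACCEPTED_TYPES = {"ssh-rsa", "ssh-ed25519"}
MIN_RSA_BITS = 2048


def _ssh_string(data):
    """Encode one RFC 4251 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one RFC 4251 'string' at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def check_public_key(line):
    """Return (True, description) for a usable one-line OpenSSH public key,
    otherwise (False, reason). Never raises on malformed input."""
    line = line.strip()
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        return False, "RFC 4716 format (PuTTYgen 'Save public key'); paste the one-line OpenSSH text instead"
    if line.startswith("-----BEGIN"):
        return False, "this is a PEM or private key file, not a public key"
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64 blob> [comment]'"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        embedded_type, pos = _read_string(blob, 0)
        if embedded_type != key_type.encode("ascii"):
            return False, "type prefix does not match the type inside the blob"
        if key_type not in ACCEPTED_TYPES:
            return False, f"unsupported key type {key_type}"
        if key_type == "ssh-rsa":
            _exponent, pos = _read_string(blob, pos)
            modulus, _ = _read_string(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return False, f"RSA key too short: {bits} bits (minimum {MIN_RSA_BITS})"
        else:  # ssh-ed25519: a single 32-byte public point follows the type
            point, _ = _read_string(blob, pos)
            if len(point) != 32:
                return False, "Ed25519 public key must be 32 bytes"
            bits = 256
    except ValueError as exc:  # binascii.Error and bad ASCII are ValueError subclasses
        return False, f"malformed key: {exc}"
    return True, f"{key_type}, {bits} bits"


def _make_line(key_type, fields, comment):
    """Build a constructed authorized_keys line from raw field bytes (sample data only)."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed samples: well-formed blobs with placeholder numbers, NOT real keys.
SAMPLE_ED25519 = _make_line("ssh-ed25519", [bytes(range(32))], "admin@jumpvm")
SAMPLE_RSA_2048 = _make_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")], "admin@jumpvm")
SAMPLE_RSA_1024 = _make_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big")], "old-key")
SAMPLE_RFC4716 = "---- BEGIN SSH2 PUBLIC KEY ----"

if __name__ == "__main__":
    for label, sample in (("ed25519", SAMPLE_ED25519), ("rsa-2048", SAMPLE_RSA_2048),
                          ("rsa-1024", SAMPLE_RSA_1024), ("rfc4716", SAMPLE_RFC4716)):
        print(label, check_public_key(sample))
```

Pass the exact text you are about to paste into Prism to check_public_key; a False result with the RFC 4716 reason means you saved the file instead of copying the one-line form.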

Testing and activation of the cluster lockdown feature

First, we will test authentication via SSH key. Don’t panic: whatever happens, even if the SSH connection via keys does not work after activating cluster lockdown, you can always revert via the Prism interface.

Configure your favorite SSH client, load your private key, then open a connection to your Nutanix cluster. First, enter the login you want to use; here I chose “nutanix”:

Then enter the passphrase that you configured when creating your SSH key. Validate; you are now connected to your cluster via your SSH key without having to use the password for the “nutanix” account.

Now let’s deactivate password authentication by returning to the “Settings > Cluster Lockdown” menu. Uncheck the “Enable Remote Login with Password” box:

Try logging in again using the “nutanix” account and the usual password and notice that you can no longer log in with this method:

Try with your private key and the associated passphrase:

Your cluster is now accessible over SSH only with SSH keys. If there are several administrators working on the server, don’t forget to repeat the operation for each of them.

Important point: remember to keep your private keys in a safe place and use a strong passphrase.

Official documentation

Nutanix official documentation: https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Security-Guide-v6_7:mul-security-cluster-lockdown-pc-t.html

Read More

SSH access is a privileged entry point for attackers. Today I am offering you a guide that will allow you to strengthen the security of your SSH access and reduce the attack surface, in order to make it much more difficult to attack.

Read More