From 404d9183aad0470ce1afe4769aa6b74b5c5d9cc1 Mon Sep 17 00:00:00 2001
From: Damian Szeluga <dszeluga@mirantis.com>
Date: Sun, 7 Aug 2016 11:10:31 +0200
Subject: [PATCH] PaloAlto Firewall application for Murano

Change-Id: I3320f433d767f713845ea871628f0c2438223014
---
 PaloAlto/package/Classes/PaloAltoApp.yaml     | 141 +++++++
 PaloAlto/package/Classes/PaloAltoNode.yaml    | 100 +++++
 PaloAlto/package/LICENSE                      | 175 ++++++++
 PaloAlto/package/README.rst                   |   7 +
 .../Resources/PaloAltoConfigure.template      |  32 ++
 .../package/Resources/PaloAltoDeploy.template |  32 ++
 .../package/Resources/pa-configuration.xml    | 390 ++++++++++++++++++
 .../Resources/scripts/runPaloAltoConfigure.sh |  61 +++
 .../Resources/scripts/runPaloAltoDeploy.sh    |  27 ++
 PaloAlto/package/UI/ui.yaml                   | 108 +++++
 PaloAlto/package/logo.png                     | Bin 0 -> 19061 bytes
 PaloAlto/package/manifest.yaml                |  25 ++
 12 files changed, 1098 insertions(+)
 create mode 100644 PaloAlto/package/Classes/PaloAltoApp.yaml
 create mode 100644 PaloAlto/package/Classes/PaloAltoNode.yaml
 create mode 100644 PaloAlto/package/LICENSE
 create mode 100644 PaloAlto/package/README.rst
 create mode 100644 PaloAlto/package/Resources/PaloAltoConfigure.template
 create mode 100644 PaloAlto/package/Resources/PaloAltoDeploy.template
 create mode 100644 PaloAlto/package/Resources/pa-configuration.xml
 create mode 100644 PaloAlto/package/Resources/scripts/runPaloAltoConfigure.sh
 create mode 100644 PaloAlto/package/Resources/scripts/runPaloAltoDeploy.sh
 create mode 100644 PaloAlto/package/UI/ui.yaml
 create mode 100644 PaloAlto/package/logo.png
 create mode 100644 PaloAlto/package/manifest.yaml

diff --git a/PaloAlto/package/Classes/PaloAltoApp.yaml b/PaloAlto/package/Classes/PaloAltoApp.yaml
new file mode 100644
index 00000000..05520259
--- /dev/null
+++ b/PaloAlto/package/Classes/PaloAltoApp.yaml
@@ -0,0 +1,141 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+Namespaces:
+  =: com.mirantis
+  std: io.murano
+  res: io.murano.resources
+  netsfc: org.openstack.networkingSfc
+  sys: io.murano.system
+  conf: io.murano.configuration
+
+Name: PaloAltoApp
+
+Extends: std:Application
+
+Properties:
+  paloalto:
+    Contract: $.class(PaloAltoNode)
+  loadbalancer:
+    Contract: $.class(PaloAltoNode)
+  backendNodes:
+    Contract: [$.class(PaloAltoNode)]
+  network:
+    Contract: $.class(res:Network).notNull()
+  keyname:
+    Contract: $.string()
+  flavor:
+    Contract: $.string().notNull()
+  paImage:
+    Contract: $.string().notNull()
+  image:
+    Contract: $.string().notNull()
+  portPairGroup:
+    Contract: $.class(netsfc:PortPairGroup)
+    Usage: InOut
+  flowClassifier:
+    Contract: $.class(netsfc:FlowClassifier)
+    Usage: InOut
+  portChain:
+    Contract: $.class(netsfc:PortChain)
+    Usage: InOut
+
+Methods:
+  .init:
+    Body:
+      - $._environment: $.find(std:Environment).require()
+
+  deploy:
+    Body:
+      - If: not $.getAttr(deployed, false)
+        Then:
+          - $._log: $._environment.reporter
+          - $._log.report($this, 'Deploying SFC network...')
+          - $.network.deploy()
+
+          # preparing Firewall
+          - $.paloalto.spawnInstance(name => 'paloalto-fw-instance',
+              network => $.network, flavor => $.flavor,
+              image => $.paImage, portNum => 2)
+
+          # port pair & port pair group
+          - $._log.report($this, 'Deploying port pair...')
+          - $portPair: new(
+              netsfc:PortPair, $this, ingress => $.paloalto.ports[1],
+              egress => $.paloalto.ports[1], name => 'paloalto')
+          - $portPair.deploy()
+          - $.portPairGroup: new(
+              netsfc:PortPairGroup, $this, portPairs => [$portPair], name => 'paloalto')
+          - $.portPairGroup.deploy()
+
+          # preparing loadbalancer
+          - $.loadbalancer.spawnInstance(name => 'paloalto-loadbalancer',
+              network => $.network, flavor => $.flavor,
+              image => $.image)
+
+          # backends
+          - $net: $.network
+          - $.backendNodes.pselect($.spawnInstance(flavor => $.flavor,
+              image => $.image, network => $net, name => $.name))
+
+          # deploying and configuring software
+          - $._log.report($this, 'Deploying software on backend server...')
+          - $.loadbalancer.deploySoftware('loadbalancer')
+          - $.backendNodes.pselect($.deploySoftware('backend'))
+
+          - $bips: $.backendNodes.select($.getInternalIp())
+          - $backendIps: format('{0}', ':'.join($bips))
+          - $._log.report($this, format( "backend ips => {0}", $backendIps))
+          - $.loadbalancer.configureSoftware('loadbalancer', $backendIps)
+          - $.backendNodes.pselect($.configureSoftware('backend', $backendIps))
+
+          - $._log.report($this, 'Deploying flow classifier...')
+          - $.flowClassifier: new(
+              netsfc:FlowClassifier, $this, protocol => 'TCP', name => 'paloalto',
+              destinationIpPrefix => format("{0}/32",$.loadbalancer.getInternalIp()),
+              destinationPortMin => 80, destinationPortMax => 80)
+          - $.flowClassifier.deploy()
+          - $._log.report($this, 'Deploying port chain...')
+          - $.portChain: new(
+              netsfc:PortChain, $this,
+              name => 'paloalto',
+              portPairGroups => [$.portPairGroup],
+              flowClassifiers => [$.flowClassifier])
+          - $.portChain.deploy()
+
+          # Workaround: due to current PA config drive support implementation
+          # it is required that user will distribute config manually
+          - $replacements:
+              "%ZONEIP%": $.paloalto.getSecondIp()
+          - $config: sys:Resources.string('pa-configuration.xml').replace($replacements)
+          - conf:Linux.putFile($.loadbalancer.agent, $config, '/home/ubuntu/pa-config.xml')
+
+          # Workaround: unusual number of sleeps is due to LP #1611019 - then this gets
+          # resolved, need to remove it.
+          - $lbip: $.loadbalancer.getInternalIp()
+          - $._log.report($this, 'Due to current PA config import implementation you need to do the following manually')
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, format('1. Assign floating IP to PA machine to {0} IP', $lbip))
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, '2. Login via SSH to this host using ssh admin@floating_ip')
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, format('scp import configuration from ubuntu\@{0}:pa-config.xml \#password is ubuntu', $lbip))
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, 'configure')
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, 'load config from pa-config.xml')
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, 'commit')
+          - conf:Linux.runCommand($.loadbalancer.agent, 'sleep 1')
+          - $._log.report($this, 'Deployment finished. Please see the deployment logs')
+
+          - $.setAttr(deployed, true)
diff --git a/PaloAlto/package/Classes/PaloAltoNode.yaml b/PaloAlto/package/Classes/PaloAltoNode.yaml
new file mode 100644
index 00000000..de57523e
--- /dev/null
+++ b/PaloAlto/package/Classes/PaloAltoNode.yaml
@@ -0,0 +1,100 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+Namespaces:
+  =: com.mirantis
+  std: io.murano
+  res: io.murano.resources
+  sys: io.murano.system
+  netsfc: org.openstack.networkingSfc
+
+Name: PaloAltoNode
+
+Extends: netsfc:Instance
+
+Properties:
+  name:
+    Usage: InOut
+    Contract: $.string().notNull()
+  flavor:
+    Usage: InOut
+    Contract: $.string()
+  image:
+    Usage: InOut
+    Contract: $.string()
+  keyname:
+    Usage: InOut
+    Contract: $.string()
+  network:
+    Usage: InOut
+    Contract: $.class(res:Network)
+
+Methods:
+  .init:
+    Body:
+      - $._environment: $.find(std:Environment).require()
+
+  getInternalIp:
+    Body:
+      - Return: $.ipAddresses.first()
+
+  getSecondIp:
+    Body:
+      - Return: $.ipAddresses[1]
+
+  spawnInstance:
+    Arguments:
+      - name:
+          Contract: $.string().notNull()
+      - flavor:
+          Contract: $.string()
+      - image:
+          Contract: $.string()
+      - keyname:
+          Contract: $.string()
+      - network:
+          Contract: $.class(res:Network)
+      - portNum:
+          Contract: $.int()
+          Default: 1
+
+    Body:
+      - $._environment.reporter.report($this, format( 'Creating {0} VM with {1} port(s)...',
+          $.name, $portNum))
+      - Repeat: $portNum
+        Do:
+          - $port: new(netsfc:NeutronPort, $this, network => $network)
+          - $.ports: $.ports.append($port)
+      - $.deploy()
+      - $._environment.reporter.report($this, format( 'VM {0} deployed', $.name))
+
+  deploySoftware:
+    Arguments:
+      - role:
+          Contract: $.string().notNull()
+    Body:
+      - $resources: new(sys:Resources)
+      - $template: $resources.yaml('PaloAltoDeploy.template').bind(dict(role => $role))
+      - $.agent.call($template, $resources)
+
+  configureSoftware:
+    Arguments:
+      - role:
+          Contract: $.string().notNull()
+      - backends:
+          Contract: $.string().notNull()
+
+    Body:
+      - $resources: new(sys:Resources)
+      - $template: $resources.yaml('PaloAltoConfigure.template').bind(dict(role => $role,
+          backends => $backends))
+      - $.agent.call($template, $resources)
diff --git a/PaloAlto/package/LICENSE b/PaloAlto/package/LICENSE
new file mode 100644
index 00000000..67db8588
--- /dev/null
+++ b/PaloAlto/package/LICENSE
@@ -0,0 +1,175 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
diff --git a/PaloAlto/package/README.rst b/PaloAlto/package/README.rst
new file mode 100644
index 00000000..68e3b838
--- /dev/null
+++ b/PaloAlto/package/README.rst
@@ -0,0 +1,7 @@
+=================
+PaloAlto Firewall
+=================
+
+This application will deploy PaloAlto Firewall, http Loadbalancer and number of
+http backends and will setup SFC which will push traffic to Loadbalancer
+thru PaloAlto Firewall on port 80.
diff --git a/PaloAlto/package/Resources/PaloAltoConfigure.template b/PaloAlto/package/Resources/PaloAltoConfigure.template
new file mode 100644
index 00000000..256e60f7
--- /dev/null
+++ b/PaloAlto/package/Resources/PaloAltoConfigure.template
@@ -0,0 +1,32 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+FormatVersion: 2.0.0
+Version: 1.0.0
+Name: Deploy PaloAlto software
+
+Parameters:
+  role: $role
+  backends: $backends
+
+Body: |
+  return PaloAltoConfigure('{0} {1}'.format(args.role, args.backends)).stdout
+
+Scripts:
+  PaloAltoConfigure:
+    Type: Application
+    Version: 1.0.0
+    EntryPoint: runPaloAltoConfigure.sh
+    Files: []
+    Options:
+      captureStdout: true
+      captureStderr: true
diff --git a/PaloAlto/package/Resources/PaloAltoDeploy.template b/PaloAlto/package/Resources/PaloAltoDeploy.template
new file mode 100644
index 00000000..3ab10290
--- /dev/null
+++ b/PaloAlto/package/Resources/PaloAltoDeploy.template
@@ -0,0 +1,32 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+FormatVersion: 2.0.0
+Version: 1.0.0
+Name: Deploy PaloAlto software
+
+Parameters:
+  role: $role
+
+
+Body: |
+  return PaloAltoDeploy('{0}'.format(args.role)).stdout
+
+Scripts:
+  PaloAltoDeploy:
+    Type: Application
+    Version: 1.0.0
+    EntryPoint: runPaloAltoDeploy.sh
+    Files: []
+    Options:
+      captureStdout: true
+      captureStderr: true
diff --git a/PaloAlto/package/Resources/pa-configuration.xml b/PaloAlto/package/Resources/pa-configuration.xml
new file mode 100644
index 00000000..7d80f248
--- /dev/null
+++ b/PaloAlto/package/Resources/pa-configuration.xml
@@ -0,0 +1,390 @@
+<?xml version="1.0"?>
+<config version="7.0.0" urldb="paloaltonetworks">
+  <mgt-config>
+    <users>
+      <entry name="admin">
+        <phash>fnRL/G5lXVMug</phash>
+        <permissions>
+          <role-based>
+            <superuser>yes</superuser>
+          </role-based>
+        </permissions>
+      </entry>
+    </users>
+  </mgt-config>
+  <shared>
+    <application/>
+    <application-group/>
+    <service/>
+    <service-group/>
+    <botnet>
+      <configuration>
+        <http>
+          <dynamic-dns>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </dynamic-dns>
+          <malware-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </malware-sites>
+          <recent-domains>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </recent-domains>
+          <ip-domains>
+            <enabled>yes</enabled>
+            <threshold>10</threshold>
+          </ip-domains>
+          <executables-from-unknown-sites>
+            <enabled>yes</enabled>
+            <threshold>5</threshold>
+          </executables-from-unknown-sites>
+        </http>
+        <other-applications>
+          <irc>yes</irc>
+        </other-applications>
+        <unknown-applications>
+          <unknown-tcp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-tcp>
+          <unknown-udp>
+            <destinations-per-hour>10</destinations-per-hour>
+            <sessions-per-hour>10</sessions-per-hour>
+            <session-length>
+              <maximum-bytes>100</maximum-bytes>
+              <minimum-bytes>50</minimum-bytes>
+            </session-length>
+          </unknown-udp>
+        </unknown-applications>
+      </configuration>
+      <report>
+        <topn>100</topn>
+        <scheduled>yes</scheduled>
+      </report>
+    </botnet>
+  </shared>
+  <devices>
+    <entry name="localhost.localdomain">
+      <network>
+        <interface>
+          <ethernet>
+            <entry name="ethernet1/1">
+              <layer3>
+                <ipv6>
+                  <neighbor-discovery>
+                    <router-advertisement>
+                      <enable>no</enable>
+                    </router-advertisement>
+                  </neighbor-discovery>
+                </ipv6>
+                <ndp-proxy>
+                  <enabled>no</enabled>
+                </ndp-proxy>
+                <lldp>
+                  <enable>no</enable>
+                </lldp>
+                <ip>
+                  <entry name="%ZONEIP%"/>
+                </ip>
+                <interface-management-profile>mgmt-all</interface-management-profile>
+              </layer3>
+            </entry>
+          </ethernet>
+        </interface>
+        <profiles>
+          <monitor-profile>
+            <entry name="default">
+              <interval>3</interval>
+              <threshold>5</threshold>
+              <action>wait-recover</action>
+            </entry>
+          </monitor-profile>
+          <interface-management-profile>
+            <entry name="mgmt-all">
+              <permitted-ip>
+                <entry name="0.0.0.0/0"/>
+              </permitted-ip>
+              <http>yes</http>
+              <https>yes</https>
+              <http-ocsp>yes</http-ocsp>
+              <ssh>yes</ssh>
+              <snmp>yes</snmp>
+              <ping>yes</ping>
+              <response-pages>yes</response-pages>
+              <telnet>yes</telnet>
+            </entry>
+          </interface-management-profile>
+        </profiles>
+        <ike>
+          <crypto-profiles>
+            <ike-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                  <member>3des</member>
+                </encryption>
+                <hash>
+                  <member>sha1</member>
+                </hash>
+                <dh-group>
+                  <member>group2</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha256</member>
+                </hash>
+                <dh-group>
+                  <member>group19</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <encryption>
+                  <member>aes-256-cbc</member>
+                </encryption>
+                <hash>
+                  <member>sha384</member>
+                </hash>
+                <dh-group>
+                  <member>group20</member>
+                </dh-group>
+                <lifetime>
+                  <hours>8</hours>
+                </lifetime>
+              </entry>
+            </ike-crypto-profiles>
+            <ipsec-crypto-profiles>
+              <entry name="default">
+                <esp>
+                  <encryption>
+                    <member>aes-128-cbc</member>
+                    <member>3des</member>
+                  </encryption>
+                  <authentication>
+                    <member>sha1</member>
+                  </authentication>
+                </esp>
+                <dh-group>group2</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-128">
+                <esp>
+                  <encryption>
+                    <member>aes-128-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group19</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+              <entry name="Suite-B-GCM-256">
+                <esp>
+                  <encryption>
+                    <member>aes-256-gcm</member>
+                  </encryption>
+                  <authentication>
+                    <member>none</member>
+                  </authentication>
+                </esp>
+                <dh-group>group20</dh-group>
+                <lifetime>
+                  <hours>1</hours>
+                </lifetime>
+              </entry>
+            </ipsec-crypto-profiles>
+            <global-protect-app-crypto-profiles>
+              <entry name="default">
+                <encryption>
+                  <member>aes-128-cbc</member>
+                </encryption>
+                <authentication>
+                  <member>sha1</member>
+                </authentication>
+              </entry>
+            </global-protect-app-crypto-profiles>
+          </crypto-profiles>
+        </ike>
+        <qos>
+          <profile>
+            <entry name="default">
+              <class>
+                <entry name="class1">
+                  <priority>real-time</priority>
+                </entry>
+                <entry name="class2">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class3">
+                  <priority>high</priority>
+                </entry>
+                <entry name="class4">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class5">
+                  <priority>medium</priority>
+                </entry>
+                <entry name="class6">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class7">
+                  <priority>low</priority>
+                </entry>
+                <entry name="class8">
+                  <priority>low</priority>
+                </entry>
+              </class>
+            </entry>
+          </profile>
+        </qos>
+        <virtual-router>
+          <entry name="default">
+            <protocol>
+              <bgp>
+                <enable>no</enable>
+                <dampening-profile>
+                  <entry name="default">
+                    <cutoff>1.25</cutoff>
+                    <reuse>0.5</reuse>
+                    <max-hold-time>900</max-hold-time>
+                    <decay-half-life-reachable>300</decay-half-life-reachable>
+                    <decay-half-life-unreachable>900</decay-half-life-unreachable>
+                    <enable>yes</enable>
+                  </entry>
+                </dampening-profile>
+              </bgp>
+            </protocol>
+            <interface>
+              <member>ethernet1/1</member>
+            </interface>
+          </entry>
+        </virtual-router>
+      </network>
+      <deviceconfig>
+        <system>
+          <update-server>updates.paloaltonetworks.com</update-server>
+          <update-schedule>
+            <threats>
+              <recurring>
+                <weekly>
+                  <day-of-week>wednesday</day-of-week>
+                  <at>01:02</at>
+                  <action>download-only</action>
+                </weekly>
+              </recurring>
+            </threats>
+          </update-schedule>
+          <timezone>US/Pacific</timezone>
+          <service>
+            <disable-telnet>yes</disable-telnet>
+            <disable-http>yes</disable-http>
+          </service>
+          <hostname>PA-VM</hostname>
+        </system>
+        <setting>
+          <config>
+            <rematch>yes</rematch>
+          </config>
+          <management>
+            <hostname-type-in-syslog>FQDN</hostname-type-in-syslog>
+          </management>
+          <auto-mac-detect>yes</auto-mac-detect>
+          <tcp>
+            <asymmetric-path>bypass</asymmetric-path>
+          </tcp>
+        </setting>
+      </deviceconfig>
+      <vsys>
+        <entry name="vsys1">
+          <application/>
+          <application-group/>
+          <zone>
+            <entry name="left">
+              <network>
+                <layer3>
+                  <member>ethernet1/1</member>
+                </layer3>
+              </network>
+            </entry>
+          </zone>
+          <service/>
+          <service-group/>
+          <schedule/>
+          <rulebase>
+            <security>
+              <rules>
+                <entry name="test-sfc">
+                  <to>
+                    <member>any</member>
+                  </to>
+                  <from>
+                    <member>any</member>
+                  </from>
+                  <source>
+                    <member>any</member>
+                  </source>
+                  <destination>
+                    <member>any</member>
+                  </destination>
+                  <source-user>
+                    <member>any</member>
+                  </source-user>
+                  <category>
+                    <member>any</member>
+                  </category>
+                  <application>
+                    <member>any</member>
+                  </application>
+                  <service>
+                    <member>any</member>
+                  </service>
+                  <hip-profiles>
+                    <member>any</member>
+                  </hip-profiles>
+                  <action>allow</action>
+                  <rule-type>intrazone</rule-type>
+                  <option>
+                    <disable-server-response-inspection>no</disable-server-response-inspection>
+                  </option>
+                  <log-start>yes</log-start>
+                </entry>
+              </rules>
+            </security>
+          </rulebase>
+          <address>
+            <entry name="%ZONEIP%">
+              <ip-netmask>%ZONEIP%/24</ip-netmask>
+            </entry>
+          </address>
+          <import>
+            <network>
+              <interface>
+                <member>ethernet1/1</member>
+              </interface>
+            </network>
+          </import>
+        </entry>
+      </vsys>
+    </entry>
+  </devices>
+</config>
diff --git a/PaloAlto/package/Resources/scripts/runPaloAltoConfigure.sh b/PaloAlto/package/Resources/scripts/runPaloAltoConfigure.sh
new file mode 100644
index 00000000..71b52f91
--- /dev/null
+++ b/PaloAlto/package/Resources/scripts/runPaloAltoConfigure.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+# $1 = role (backend/loadbalancer)
+# $2 = backend ips
+
+lb(){
+  CONFIG=$(echo "$1" | tr ':' "\n" | while read -r line; do echo "  server ${line}:80;" ; done)
+  sudo tee /etc/nginx/conf.d/backends.conf <<EOF
+upstream backend {
+${CONFIG}
+}
+EOF
+  sudo tee /etc/nginx/sites-enabled/default <<EOF
+server {
+  listen 80 default_server;
+  server_name localhost;
+
+  location / {
+    proxy_pass http://backend;
+  }
+}
+EOF
+  sudo /etc/init.d/nginx reload
+  sudo sed -i 's|PasswordAuthentication no|PasswordAuthentication yes|' /etc/ssh/sshd_config
+  sudo /etc/init.d/ssh restart
+  echo 'ubuntu:ubuntu' | sudo chpasswd
+}
+
+
+http(){
+  sudo tee /usr/share/nginx/html/index.html <<EOF
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to backend!</title>
+</head>
+<body>
+<h1>Welcome to backend $(hostname)</h1>
+</body>
+</html>
+EOF
+}
+
+case "$1" in
+    "loadbalancer" )
+        lb "$2"
+    ;;
+    "backend" )
+        http
+esac
diff --git a/PaloAlto/package/Resources/scripts/runPaloAltoDeploy.sh b/PaloAlto/package/Resources/scripts/runPaloAltoDeploy.sh
new file mode 100644
index 00000000..de314c16
--- /dev/null
+++ b/PaloAlto/package/Resources/scripts/runPaloAltoDeploy.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+# $1 = role (backend/loadbalancer)
+
+install-software() {
+  sudo apt-get install -y nginx
+}
+
+sudo apt-get update
+case "$1" in
+    "loadbalancer" )
+        install-software
+    ;;
+    "backend" )
+        install-software
+esac
diff --git a/PaloAlto/package/UI/ui.yaml b/PaloAlto/package/UI/ui.yaml
new file mode 100644
index 00000000..3136e2bd
--- /dev/null
+++ b/PaloAlto/package/UI/ui.yaml
@@ -0,0 +1,108 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+Version: 2.2
+
+Templates:
+  BackendNode:
+    ?:
+      type: com.mirantis.PaloAltoNode
+    name: generateHostname('paloalto-backend#', $index)
+    flavor: $.appConfiguration.flavor
+    image: $.appConfiguration.image
+    keyname: $.appConfiguration.keyPair
+    networks:
+      useEnvironmentNetwork: false
+      useFlatNetwork: false
+  PANode:
+    ?:
+      type: com.mirantis.PaloAltoNode
+    name: 'paloalto-firewall'
+    flavor: $.appConfiguration.flavor
+    image: $.appConfiguration.paImage
+    keyname: $.appConfiguration.keyPair
+    networks:
+      useEnvironmentNetwork: false
+      useFlatNetwork: false
+  LBNode:
+    ?:
+      type: com.mirantis.PaloAltoNode
+    name: 'paloalto-loadbalancer'
+    flavor: $.appConfiguration.flavor
+    image: $.appConfiguration.image
+    keyname: $.appConfiguration.keyPair
+    networks:
+      useEnvironmentNetwork: false
+      useFlatNetwork: false
+
+  networks:
+    ?:
+      type: io.murano.resources.ExistingNeutronNetwork
+    internalNetworkName: $.appConfiguration.network[0]
+    internalSubnetworkName: $.appConfiguration.network[1]
+
+Application:
+  ?:
+    type: com.mirantis.PaloAltoApp
+  paloalto: $PANode
+  loadbalancer: $LBNode
+  backendNodes: repeat($BackendNode, $.appConfiguration.numberOfBackends)
+  network: $networks
+  paImage: $.appConfiguration.paImage
+  image: $.appConfiguration.image
+  keyname: $.appConfiguration.keyname
+  flavor:  $.appConfiguration.flavor
+
+Forms:
+  - appConfiguration:
+      fields:
+        - name: numberOfBackends
+          type: integer
+          label: Number of backend nodes
+          initial: 1
+          minValue: 1
+          required: true
+          description: >-
+            Select the number of backend nodes.
+        - name: image
+          type: image
+          imageType: linux
+          label: image
+          description: >-
+            Select valid image for the application. Image should already be prepared and
+            registered in glance.
+        - name: paImage
+          type: image
+          imageType: linux
+          label: PAN-OS image
+          description: >-
+            Select image of Palo Alto vFW. Image should already be prepared and
+            registered in glance.
+        - name: keyPair
+          type: keypair
+          label: Key Pair
+          description: >-
+            Select the Key Pair to control access to instances. You can login to
+            instances using this KeyPair after the deployment of application.
+          required: false
+        - name: network
+          type: network
+          label: Network
+          description: Select a network to join. 'Auto' corresponds to a default environment's network.
+          required: false
+          murano_networks: translate
+        - name: flavor
+          type: flavor
+          label: Instance flavor
+          description: >-
+            Select registered in Openstack flavor. Consider that application performance
+            depends on this parameter.
diff --git a/PaloAlto/package/logo.png b/PaloAlto/package/logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..ba18178c6e882f492321553e1e33503e5e230466
GIT binary patch
literal 19061
zcmZsCRa6^o)NWcFiWGM#?(S9`f(I{JoZ?noi@Uo^@Zj#n-HKarcPI`g-&y~~`PVuZ
zllLOYnwdTC-usa~;VMcpsK|uK00010PF4~GU5EcW5aFSpRoajo=z`=RtK$p+pkV!X
zd;nx*;R683%2pB*Dk_%tF80or_73E75)$MNPWI+jHf8{T`%1Q&g}T}iuJHZFt+;%c
zf0DdC2nUfIBp&IH9Z$nRfrJ4JqsU*zQSJRKB?U_~oEHWY6XPF+qssIt0(l8xm!cr%
zS7BJh=<}9Wq4h$?{r<#T<D$qx<xO_|6haT;rxaOERc`-JW#Xit|Na{4AKcny`5J&s
z<p97ytT&}_ex>{Xc<>bxV*JvB&;|J5K8Jz`=uyn<VIvNGM?V%%*Zbff^r6Qko=+ap
z9~<!1Ge#T?_$vLuKRb;^4Uh*5Fd8#4-T|mE1B__>_U8cp*$?Sn9{{>Z6gVI9;sNAX
zW?_;5OF=;8lxBn!K${JKZ7$!>4_IObu*qqe%K~be0X>r#D0KkDPXIR6uwZ%stQWv&
zn3B>R5R?wUmcG^!x?+T2956s5m0l;*O2sb~po_@th@hp#LP|F&hsTJ`^Zn!ZjIS)e
zJ<<s{0=Urs-i!kPdGR>VyS;gJpG1R9PV&Swp&2qCcf-GbF*e?L+ncIz_zD1Qx%ke!
zF|pPY`U}GQ+rAZ0pTk-jpyavUN1E56e{BTh9j$2HIQ$nIsr<Os<>kHI-6deZxbF8+
zEuS}w--bO}uQrdqLNE7sf4jD+0yy*oWMCiu{vN+oC?=jtKngNm+mDrbX-0W}A({Kq
zFK67U&49h5is=|5nGtovQT!!bJb`|IdiLFPdz0xIMr4y4Q1e6NgI7FrslEx!KY3aV
zZI_<ydjR0N-M;q^9U_ds<*%(NxAzOtSD8F&fWNt1f+GN6AW6ldK3Xq2ga`mg<^?d+
zh!NfP;xqNY6ZgWc^`g8O@dSxe_5T*f5JxukCw4NTuM8BY3z?`PVK8F-^Oc0FN7XVU
z(E*L+w?+$^umk$jcf_1tx{d%OSg~P5tnU;nVIPbmv?*f{@zR4ID0*dKF(awSN5ZgG
zzsSdP%d&$a)X6nuNv?&RKJtg^Nw>ud4g)v>UqU)$*pmY4RE7V1YLsX#<s}S~E<l+!
zbz#ql#m&o{c4{CLj^fEbn69uyUx^iw7-H)=#7E%lw_#%$>=Uo$V?s(a8LRzL`Ke-%
zutu{Irak=5WUAH;7BfJq2Z;yPO`QBYshF&`g0|9<Y$-W071!q#Bwi$#Al2WrUlL2@
z8)(`-KlbArbFhbM%Q8_eV8&vxVt9o~^z%|-hD&hJw#I#wt1VKW#hjI%wF6NeF_mR<
z$r4f~j;xqk*CFsHF_AM42k&O@_U&@+675o4>mp|xe|0Q+P}`;hjs5@<>|yM2?ZKO+
zafoRYW`Nd9^VL6d$9@y9%5MTytA>_hak*yjPyE7_lP|6+NS-6K#IwA&sy=jS`@Eh^
zs+2mdH9K}BbC`MvbL;jAH3a9^P?!ZBK_)%|z6F6Bes!7xm|!lFU`U;fm;EH|ARRs3
zUPGIqiNPBueiS(wm`syQ#K5XvRt_%TC`Zw_(HK*YEi+K_fk<m`s_m2^{Yk0ND9=_o
zQ6o~bC=)CVEw?DOR~Iev)p-qv*XdK}Q<f-F&8s!s=@=wOF(IgTXQHr1tq5@q;O?iX
zomlq%$<UtmO41%FTwa#XFTn}q)T#&FB$<mM?4&t9WVt9I9nh7e-uOmrU|-O0(-VQY
z6k6HM^sLKMQd6`mWGhrFWKKGHAZI1n;7+M_o#y~Fu^}L>9<7W;>?B<Ff!ea#dI@p~
zuA;EO9fYOax|k@xUDB=FuH-x|r^~=UN5Q^i!=v-yiP(qrRsGfWspL-PlQw+)Co1^W
zPm}mU1Kf`GLL{t1t5>QL`h8y|ioYj+Pu&WNZ=De;oR^N4Mvt-@)Z3xju^qG>ETn;_
zp`ejhJXSo<04cVD>A`{uf(k<u;}ZoF3+ddM!t9G22bl+%i<z6vM&I1OF*TJowV27(
z?S2F6oHupY1%Kn$Dc08bre7~zm0d->&|cME^0}l{DN(5+XThSc=BjC=sjQixW^W08
z71Cte<n!Ia7|)`40Md7!*qP|l<`exYjDQ-tj8;MNjl|cv!3kSHQ(z-wGV5H_XW%yF
zh}A-S3S(-CbEgSwjK1G0TP<@=#sbfx)%n*=SY)_-;22A)2umi>;QDaqF3{!9QGd&G
z_AWcKKJ)ik>1y>k&$-ok=vwYLS1x^y4yW^U->}4A)x8-}l-y)C>&;4EWeMc~i^c;=
zRuk5Et*XVE=3=+<`|lTcBL763a(6^_gm^bNHgpWfd3&0No5z&<>~jo*HzoWi-%Z~=
z-)8_N{?s2VV8R2$0(3t<KX`gmbjOGateX9+TRszu%4-$F5sMA13f$|hqOcr3jjN)#
zKS-O5pR_^?R`EStm`3=%|2?wL_Y-Y!Xs}j@XpBRcHsK6=D!1FrnuPPF<dbBI<VL0i
zyE1<@Gmx7>q@3l4&<bxGSDWY{i@DDDymq#>oQ*s&KMMnd$Ihl}^X2R&bUS++WycFI
zjdfVx!6Se2_ib<qZW#+ElR(N>g)k+)q)RajhEm)p>T4`F>KJ5?-z2{+zOc^l%!DmT
z=rNEgUCS~kdM2F4cW`@94R97S?X?Ecmc?}_pen3q3gqBs{3N&K5EkfU|CJCQ=O|uI
zp_tfYacr?~{&TF-EV%A%z%H_xl{6V)#JWDN5>AI1xk(&+sQ!&^kpZF3!c5D&dm?<4
zKcymvapG*eesndCH|rwz{S5Or=2k*eafrMYGl}+oXXOw6Iw41oRpcEUIK~i7_)4Lc
zh$aTxdF6^TtyG9_Cyl3~b$~(dXkc&S2kR3Q4dlIGpOdx4Gks-kR-Mhp?@uAwL?Srh
z5fJQEyi^>&CAu~DJ)%(i(eCuMq=vGJ{#Mf|^I7ww{SD?EU9^<))csU6JJjWs2GmW>
zhO@hWQmd?~6LhQXznUak3%i9{I?PH&CMN_%)r-_`)t}UP&S%#fzb`)6&72c?b^PNx
zonO`MxPKKH=~~tJprJT#K5zCc_gsH33JEVidPsS;)vr>rbvzq_nT2^pphRn0Z2dD&
zGApbOid|qlkwF_G>w3$+aAQX0LDh)P8r-IIko4F+x<}f)Cq)%l`5EO^xrH!C_LIbd
zg!PAb#&w2trdr0cuCZ>L^0>&%!tsXZi_9t+dKQ<EjtB5YeZ*?zC~z*(;(977J2~6O
zm*sKIXtkip>%e4k^9Q>9MH`08)~wWf<bhy^;H2Jli_3N0>K>L>i&jRpfT8WN%dyZ~
z;+*nOdsce}q*c$l_1v?w(aZe)h$x45a{ac`;|lkEVLpdnc)jz+)Bb+o{%#X@-Peis
zb#knI*^TzRszbTM@b>GO*s{cW=)9=z+uG8_n%|Eex4fH~HJN+(;9pa3@prN45^%BU
zv11{qAtyO}BK-W@qE4?zFC`LFrc*RIcy9%7V-P%CR^NyDlf}uIw3+<W>(s<<Tkqo6
z<DL_O>ea#DgQQ&}?wsrfx0=sqy>4r6Bo~F7=*qj^<bHJTmXEb}YSSgpi3Ev>@31gw
zH!mif%&SnmNp2zwQUm}zsR020UjV@4J9Iq)09@GsfMX*7Kp+hOz_U*<9FPV8MDye%
z#njzbPP09-vNe3(HxG2qyT(P*$4w0p<z)S9f~0y%$s_3yHI8T7{*Y-{TURZ7J5jc-
zXliV1{84omsykl}_ZbHpZaEwg7IArTgd^SOyh~_|zgzS?JG0f<;yk+_mUiT3%N1#D
z%|dYMG3(+@Se(B2@^5cn(sTy}bfpYKKqnOwa=%2}?)@c$flewE=zjV4bN?@dSaMP!
zci5}HTjRgB;AVy0FRA|Lr+ixs3rBDM$PUD*@#-lD_oU`KO|Pe-9HT}I(YAt!6dgKj
z^DXqjR)jA71x!bFX0M|Il{$Z<oVkL^PAtax5b5`<tb>*yW4*oXT{nN{*51d_24{6#
z6cMmPAUlqQ>~h3fAO8a7teM6e@gUpLtcEgfy2KKTLV;Q3pq)#HKr+$RbV1*ycy-9v
z;R``ZgTs-a9pE)wq&C&?8L!@?D_*s!lJhv_aG7+>#+$0h%Y3_s`67k5FPU#{z(JLu
z7?w0*M2cdQrQ^{kwf7SV@AUe@?&n?g-h~a{jl1eiGb1KNA!13!#KAtKEG~c8gmfWc
zTSf0XnC_{BR@;)j`W#Jxp{;nTi>Ea=evXU+YD{tWT|O(&HvsbtMkh?+%gjMnpV60{
z&!#+-@e?<_)oY6HvI$L=_(x^xv?L(<mCP@vf*hlUn^z`vaATCim3lKt+kRxr{aCE$
z#niZ0!&jKGKDt8VtU2qG%6^@D4T(!7aANRS1YMVfGL{jr@^zbi@)dSSVnVwIxn1w_
zgR}gx<n^|2&x5SKiZu2f8|9l@f`|_a(sTU2m&4$>W0I_ESh+pqwVMa?FCRop9LI04
zYh=hVZ?8H-bEvf%lrs+m_Ub)yH=WaJ6=GC+4kl(d*}X%0|7vI0B0T9d+vL!SnZuC!
zIkL9x6Oh)!i6iE$HEpWZnxp(ACKR9Rz)sNN%;)O;2LnSYW{v`%NdHOV-h7`apv?L<
zmRdM)9G5TVR;ayRVW5s_h;sPUgL0!NE1K#Gy5IWJjnq6O{{HWM7n+J;u)~K=ON^|P
z86>6rKf5t>N4>U#g3p<}7yv6y7j&s^4gCg?XPJr3jHRe%nbBXTz$9~DharUI6hbrx
z{M#Zh)`r06_9(KFfr<F{(nwI*PG|7z7wMjc&VXw~Cz=EpJ*}Nl=Vr&{73Q>%X!VaD
zZe2dj%=3)uqZ^L*SVrY-{#&8+U|2{8Yd&hbEr>vbF5tK*YDr)g=N<L318ryL_=j7^
z{!s??B<Dc(KJO-_z$4S+*zHl4;h8(=MQhVdJ<YF*`Kucz)I##D5>nieyQc<|H@Gg<
zE7dSQ*64?WBKBp&+^PJ*R#C;yQDCREwh(YQ!<{Uksc>#i_$yOFrlvqCM?6j9P#;yG
zd;F~q5bZ<LSs;d<*9_3W^$i(!(yDiw3oVxFak4sRzgMvx@o9q4B1xT)S<%Wxkwc>p
zj{+M~n5ZCALjp6$cNOw<#8EAT#38>W8%{~>ceAhM{3=y}_z=@oe%{2#h&R4Pc^>QW
zw>7(8{4HX%c+}I`nn^#xRe^%SMbWrjAY1`|2<Jh;KK|AwPEEnH$XROR?f9<a?YdE8
z7hi_z@6K7ZK`e`;Sz=~_55;9V%fyUAIExyF<Q$dMn9LU}NU7PJ+=n68c;HrwhA_0S
z_#V)GV_}ZRu=gDZcJ({pMK#{~s=;ck^&{w`)R%lcse(TpE+1M0bJcmmXw*@~V2$`$
zVi?(7e`(YCgRPfh`dz0gNdY+#+$hDNdwf~Vm6@{BhWE{n1<`vgVb@7GABoGb&<_w1
znAJ&Ogfh_+M&Q_8bWC>fY*Q_Vr%qS|LmMN#*tk$vT|FLx*VkVAQTzk)tt})^`zeQ+
zf)XM$Q1-tR!-DOssFIDjvis_Yz4ssNv1f6(WH=v=C5Lh1#zTg6MYtxizbXZot@cZZ
ziM&n{>D0TkP;~1&KD&<XvsV`ev##GDiX%2~=6%mCF`nRYq6@|hG!wRUCECVe%ItjY
z;{z4MzAGiq%75D-aGA)S4X&`lT%4CH>RXD5p)r+mT8jDg9p8J)r@8L!6i#Co0L^@l
z*F9_PKl8xepOayVD$vy8kS)8+6mZtfU^}r9$Y9nc#>bbyDlj&aFaCZQv9C>-uUG}J
z65nbOFgZd5C7;GS?ndC+uhhig+z5bk*~Du)+DRnvvXFS%W#X2lF^a=rU!jk`?X}oN
z(c~n6QlmQ_gmJmtPq`eyRhCR1AwEMDkET`J(GJYFCaf0ngUd+s{iYognSW9o;*$e=
zbva9P$WnF1#yq34zKP3}8BnV*f~G=EvE3pNZxkR~Gu_jI9yb~^-B@^>ywld-M^PZ=
zw;s-#Y&;YYFso|e4}10Hs9t5@+tN(nW@R_Qbbdap)Y#ykyK5F@WSJlRlsbWLPhN0f
zCov8w(U5aZp4}wmm7ULls5}&-yOG4C^2zFz@J&gyVnSKift3b)&5+RHpZXyQ1lLlT
z;XgY-gv>KcB7HfaPE7IqB=U45RXRMC=tztsAg*iUHt&fb4?0@(RvSy3uekyVw4fqF
z)bT^4mA$aQB0fV;1!r|Pml$mj4P$a35^Ti2JK?%RiQam!N((4XR?0yS)ix0IOS19&
z%VZ&GZCTh+3pA^DQ8Y*Rp{=w}-Zt+U^%o=sUpgCS#Z~_&8L4<Q5m^#wMR6{lKS7F7
zJ|ZKP89T<7Eh9!9k&~s7OOdU*kYKJ<Mj;eN0!gn7+LGPFQC)gmspIo<-T9__zPc?r
zo3?PJkBRp<a*O+BYV+x;7K7WQXL#gHf8)S(iYv?+DZv;6;Z{AL<w0YVVWC*uR~8>N
zG;8-=x#nRHX()9Y<o1y*#gkB79Q3ng>6H1j(>B_vu$PVfO=*H4?Rk<T&gSj?5+7EK
zx7rpbaF{(2WY|%oJz1ExKKDyV7$Z6qQ`z&kK>F)Qm{zSWy;AG<U3s(za41KZ(mR5|
zWQy#L#nNh2GSl{oqOQs0*+>bD4>PVBkJ+H<c}&W~3gz)y^%&D8m59rVqf<IL0Yf3%
zjl$GOSI{s89X2y|pvT$7xV8Q7coso4G>(+X)QBt^=6Yaq!5<WXZ-|dRuBdzKG9fC!
zlv9AKdiIYPb2e0qQEV&<Y-F)7SiMf4#64?)bxbEmr6=hLK=!Q31lAR5yj#;d6(Dko
zM34RK9JJy0_ucNwn%|6D#as>X>J94L2v|i2*XWN}G7R}`Jo9yLH0AnFX%&NIbs|jN
zng_1t*^`RZPmhQ`XaLo;%+OOH^cjT&pZa>!3kLPDioe~?sAHFXwZtq29(_U97HY17
z1f27+c*TAyOe+6!@2*p`$G2AFi=ze60p1@;#;J+qaYou1Vg<T%4Zp<TzTLWNT}Irb
zXqCy|tY$v!lIab#zukF3^SSS0j`2|eL?7sDNIl@wc5lqjqU#lFWa+uLRs82N6Ya_Y
zS5b{lCeta;X3>ZXrwqs*5BhFNxL)Px-Ntj~S`0cR!|!vHr>6muBooJ+T!(5^A23&I
z%UCbRTzw2C{UIzF^DE!V`-OSY>8=e&Z3WY|maVztRETK^5~mxMaQuf9eGVIWp;M{L
zaz->oe6ewq%C(4mmlYHBpoBXPPNm@!<`G*P3uAH!1oWWr>z{j(-MQAx&m~{WJOO`t
z*dx7wRfDdWW_=&kVB#FSvA(3haVNb6=G-Cv$Tsj@Ah7JvCgLwA>MravjFExYP10T?
z)>+bwON>Hqc^#gf7A4^*77{MlW>)3OXzy2%lh`Lk%?`t+vuQ$9ZWrc*NFJX)B!xn%
zyCAxF8bV};6PyEXp$*F6bfvg!rf&Cv-ysI2m1f`D=a*|BNlfQI3h6N`ohwbb5-GK6
z7#LeWViPLP2z}`0wv9lF!jnsvF(EH^5gltg@tRBu>@^K3&`5~e;V83Q&FZX)Y;u2S
z@Tn#hQz94h4pFie;`)xMXx88NZ{tIp%nn>#mN7>O{|X!44{LkTHjJpu&pY%qSF(h;
z>^@k0!A49t1CDpd-_>>QzfCWzFFMmCo6^NoXf@0Xg_mK2!SxLlsBYqOh|tyu{&(Gi
zImec^xuM59eA<?9779OoS9r7ylKZ4+;w$4Uaa8|&=};!u7le%^k;)}im)0g|3#$+8
zm1Xz_9#u7da{1L-b!S4Z$$xJx#Ky0Lp#@C2Z@{v_Sh_{z7_)^LN?wW)?DX9*+SZNH
zo#!_l9YKK>{g99!3|d9@d;#ANlhvKI7=C~7)4%(%hPJfM8#Kig<Jny#-D5F_Jwn07
zZCeOGG((^$Jri7+;3-b$xsq{=sfO4K>H8&XIuMr%{Ct_tB_r;-K3gK7w8|HjRIZ+l
zhsajK8CZ65OFJ6{c0SAqS;(W4Wsn-aW$&g8*|cEe$}p!(7F%r0kQDyV5;IoUdgf|^
z1Ss>4muynuAL5e}$Smj=4+z;M9NA?|Y>;FTqci%9v{!QPjv}=|sLZaKY`p?0;wLOB
z{!nJSXlB3ZFw&?O)7=8v;&jDzX~<eYIknPa<2E3%I22ekXi3mzF&z6niR+@smNtAT
zif+3N8OoK>z#O2hY5)~j1zJxU_F6Ag@1H(qr?m~LaEu8P8Sbv4zktChx*syYGtde~
zc&SJPqXMk$_G>Y9PSUbb&GC;sX!=~LR#}u(;KwBeQK>A~NCiT7?`LS9B$H<ND{LqW
zT(IsLX`JiM%n(!He)<!wOI7bN$njX%YG|fWTUZq?JMH$3H%ah}N_NIE9RB6yXhO?z
zqHPbB=5XO=CDZ+VLJQQOf9`P|oH4)gQ{TI7@Y${{!kR@}%=>r5#vJa!zY|s|fZK}=
zWf#(51E?5j6Biu|`JvPz|312?h8RKOKADyezil#WpKeCLr=|#W8(R#_mhtW?l;**R
z-9>zeaBXInEh^A%3ZD}CW@{<PBHy+`L?eS1RV=p`3HzzA4!IRn*U;W+_ZnvLYg}A8
zAt`}Z&sAhmzoj68I2lK5vE``F`NuXYkUpZRuSzQiinN4FB8X+QjQ<NK&F;Nc8E3L*
z#J~MES4>bjsK)lUy?R;u#~Z<nD}uYligg+3xNFPuP|!ybIW@k>DVI1k_Znb3CWCaM
zsvdoe0LG{XgYR6aI~Yv4|10w+g_&()$c%bZ{`xMIY006l7FTdjCR?ZeX@vVCMwTyE
z9=F%RB_pBdH&fmwZP8<aaj8`y4x$(Tkhq}zDvgqIR&z3aSwx;o_4j@T7k%;0mmZGw
z{G@L>7F^N-GRk0?sI@8U@@Bx1_pjgzNo41;70*<K6Ups`vNURb#eY?dI9@SPm#?9@
z)J7Q^k%3l+HlloAH!Vk@yfcVe-`1tS(A6)IaRr+xGdvju)LSsQ5b}A;rnlgbZyvra
zsexB2JoKa*oE|t}$q*_MfCNbjf{Erd;)IKopd4XHHedUNgK{uBMGmF_k5~#sfk|vR
z%K_c_&Zb-g`mvooU%%*AC79jVtTpA{`)>Kgmom^7V#9jVl<5UbdEeum9uv_RHaMEe
zA)`kX3lo|0v^l#{SVjkj!TY%St@36SskoGDI(-<ow*GNACn}UxWVxKYp<4cOWEakB
zGY>t96j-J7IE^kSucWcn4ppE>mO-9Dw=|=)Zmm=RcT#D!UomeO?_*J2emPI!&f>r4
zPj4q1v`apgai|B(C7tx*U$QN3-b8#KmQb)sLLGVxO~M$9!-8Riy3EL+VRM*+0$HJw
z<b2bR>`?f})n<c}&!$bwWR`5rjYx&PrmG(Ah-K=<Cshg5%E}hbMc-#sF8<=jRN(V|
zA1qPSlJCgRY_g{cKO6mlqeQ>&#)D<`^*ErG3$mk0jlw`q$b^A}?NH29tfgdGmt+j$
zsu;Cl#QHiH2J0<!y-mt<en@RZh)sew*2L~=0(4U72!OHzS%yBp*IP$DxDXmdgqIxH
zblW)K_hUk6Hzqv1j_`q@)JT-0m~oB%=iUJ6El)DOh~GLk8C$fC=0;09J0+4-NV6$F
zUH%arat!taKznX)JZ86@x?HC_pA5N?Vy1Bc(tu@MLt@gVg(AI2Fh<aeND*jHQ=G8Z
zQF-~3UW-_6xO#a)|I#uxzYn6*@pH|*YCIY83??d%jrUJeDxKne*<!>;Z<ofwV^V8=
zmggs#3Pif%-&`*L0Xkt#;6Olt<h(CW-I{w_Nhg6mma8%Ov|w5(sIchIG`E~kMjsb3
z^1^L`Jr#io%`zwh!*b{|4jFAahRo1h1wy(R2I4o9?<+fZTGghIuU`@?GIoJt@=SlG
zLx!=Lq!S4GVV&rKyBTxD6&Lt5HfU(k8dz!!-r&KGm?!wQvzAjnK7aO^H<gdMN7KZN
zXHtBwXer{r?09uk;N55+fm9rbMV+$S`&~O@Mj_uk_}nIjn`%*oLjr8XuDY5Enq9^$
zrUvEemDvQuoBm9|1I{dC(_&t7lbgrqOTyb4!|Efyh=jV+#j4L?Ya&a{@Zif!F{~21
z^GP6W1Lc~G7S9%o{BuPbamIc!JSre#5OT=`_KV*|kM&6)Il*})pysoe@Gm&<mj03m
zzqV7EugsalEG`T1awm_cP-`e>eCt=G)XOxlSL!};u*}Pzalx0kM|6_LlAPoENk(9L
zkiS(nkG;4@+r2URs%&5VZD7cC?=hPh)tdbuI*r2`644M{FiRdcsomi>5x%TEORYrt
zIj)Q^V#cV(tiMdGkW=)fSo9N3QGB0dfJb*LusFaEzH>B*=vRj~6_=%3pJ62yYivh0
z{q7H-QkYUiliEhHhLbzh$ianglHbD{tK;5o-lF?lpmv}2sfbWmX&nrZo@Tx3s_kwK
z;1wICUM$0)0c6)%S{Bdyz<!S!wSY~1l+o|VowL!EBpkYriHv=f&I8`UxLu8+%6QnS
zX4#rn;S90xBYy7?$R-_Rk_i$0H<4TC)JvRl@4~^BVm|gp32jX-`kAxQL`V;5bD&)E
z<-mcjUpVEK@g7jKTcM{O`W7?Rn?D1RY>P+>Ja2j$Vklnnb#NH9yYQVecVHSt_jM((
zPCYLvF+p6M=i^(NjPyE49EE2?UCi7g6{8VS(eYVX5$w6~dY%pr$+w<6FsHYS2(q#>
zTBCJ_!#vW{FjS<co>58TpSV-gz23=OS3iR<wu}i5ha<Y(Y9x6Y0?pBgJt>4LOioEm
zLCT8~=;+x#EmDTc#62;jvi}lhO7c(9uE|HRrb;$rO05PZ24OS|P&V*5phFAd2<|B%
zOea6)54u)q5WjRnYn#sR44SLwN?=t;C>CGr<Sq#~iNUsYZJC&I+DN8kBY>T0tSW^Z
zIExDf!)0VyLL3=1iBno0OG%&x?qJK<&=XR@r13arZ1Y<oW6kI)JUSr~x<D|}elss`
z5)U+49rsjut3b$#mJQregy6JWv>0Q4r`g)Tf7%WC0bTdQh*CqsCQU?_P=rPm#sVAJ
z{_W&#GC84-a!)-L2}@%R_Qqm5w5i#zVU5I2{8S3D?OP#gIDgWpk>EK&?RT(DoKBd-
zw6a%+BW*%Jt$M4#1zl_4+aNv7W5Gl~K6_eRMG^L4+vIO}RCGQ1<yGD&8lex{pLgAg
zj0YroLyqVRk7m2@!+wwmk|J}t%z;s)I6P3eRblC*m=5hN^DK~YWu)g2?MZGBuiO1$
zzwP9Quxvolu?u8DB_`+vRal#{jH&QQPZ2$N-?EgQU5$VCF_2bRDDZ{FROV>YS$9W`
z$1N?4l9IkI#fQsJKAB3^O+L%=*Gtt~?Wbk$T5w1aGp<#du(u_ZoPh4Fd6`VyW^^#5
z$ap>w(sr&|Y-IS37;~Z&_mMi-%27*xU8Dox^%UYb->*bfoSoD5t>A&ky&GDTRBM=(
z17FY__Xov-zJ`N1TRlzKvL>&VQaX!iX0T|=r>3pKLyk#LfFtqoRG`svajJC;mz2Vb
zyBJZfr2gbQ>yquKodGc=Ti+zIw~;C@IaB1hC3OC`v(VUS(Tv}`Ws|~xInx(6^zI2;
z3!u{>95c^*bEvozWf#45#Hj(bF0FnLT5+L3;%>0Z+BA2zerV{!_&r&kn?q&YF^+90
zo)^MH_hv`zbM8h2<YfLwOrT0nQAM#YnkIvm5nX&4nj=aW9E=N>tgW2sbyN{&Ns*_k
zfE9I#H%p4uVX2ki8PA`(ua-hDzge0{4-eJ`*83?be%_<jz8Z;2jrAVf%x5i2&5+vb
zN%3Wkv!yVrm$b@DF`e4C%$PA4mVXhNud7h^kmrR;8?eq9g~X(Cq;4p_AJRg4p^SGb
zciF&-$@cK+_UzZ-J&ye!32Q1Sh_yDAr;ji9jUH56MQ2MGT|BGfAo|{J*LUluJm85`
zTUi1_?e`o=u88%Z_$zO-pX>H1^Do`V_4&V$10k-2{&>4&R0=LJzb}1}&(9@7(!hc0
zX0pEsu_B=uKSl-OmOs&dALu}XUJzU=L@$WZ@LTp`3DIrCqE<X|Q(td@s^nvC;g4)`
zExPOZTw7D+ce>VsU`Cv#orF=GrH1C%*!TM>KCUdwC4hZXxi((4w)<15c1fF9qmwTJ
zRE8?E$=}-NrZxQt_|PpUBLrH+pTJ=XQ6tbROLNx^1gS1ILG}Lo0m0V0QD+?}7?A|`
z^s%1rm)UkML8x|l`R5Iy%>-SVBz0!zomTLVOFB?7|7EVZkMMgx(#FmZqEIM1JvM?O
z9C~D&8+<cl1?(M-==krHG{vEGHbhNF<h@VkD*c<;kj~un710yD44Pt+)6m;)xhtyL
zgD}ns^&k<1FIAgOw%5rZAuYgm8C4dRsQI2FY5dQ+5seX{WT40={UI)wKoKncIi=R|
zpA@jI1&X>tzoSpIoCLNS$Yrg$hI2Q(;YJklv9$%u7>mi{nQI)qE*dcR@iKp2ML+vR
zYx2CElv(c_U}OD^6D}TB{mE2xBPH_SMMTKc3r%Lh->!H$6B^d392uiI-t=GoGTw`f
zV6A!*jO_-@+O@!hf4Ud${N>krqxFeuwnRfHZ$lfpE%p4a7z}F7kB;u$(-rm`ki24w
zZaVhJ-ZOtmAVKA#5MADPP582%ZC+Fs-PW+2e|(T6n=_K#;LcFSrhbB+|6((Fe6$;b
z-VyIUd;!IMChtA?7q8p;#Dt`jxM&5A*X0_vC4V$!7P<8nnY}7+30&3q=fk%cq&PAy
zj@Ev@y{_|4m0smQi(X*Y3>Vq!zK>A*4FHOuHZ5}0n+us%g)PKE`51wL8Y{oguQehc
zmolsK3&lpR>0djJT%H=n-N+P7-7Rkn-fl{i<A(PUpS(+6M}6zQ3nm1b&0wP3<Sgn<
zj%l*~&{jSAY>Hd>Cz@&^HfL@8b?VfJD_IJ3O_&}M!$>`Pg3A$I1kj(WA#R=pmvZCo
zub^mMXWTI!{fNnN@-QY915-zQiJz#y>j6w%9GPtP;QJIJUBjX1FLtH~sNoaD>|i22
z9ofa!m)0jc<GR*5`O;pg{EZ?XB#?soa4~o}p!5H2jr?CrZX7df=J^-Yqm%o8%(~Fj
z4fv}Nz)xb*ecf*F47`8$?A@K|y!P5dPdGQ70UwI$mV_TRZ=;37)OpsKtBoC3tI|AQ
zqTGGsfyI-SjGdzKTPe!EBvNG*jXOZS#XXdZ&fuHWapAtB{3Y*)`csk)A_<f)K|PKr
zE`zMw1yb++7$xsdo`V(IeIraUCz=ABDWGk*RWvmBS&3GvI>BjfQSqcfsYP#7WQ6$9
zf9jQ-zY*so74s7@h}{_H=7605mkH5<v~*(mDI=|Yf=LmH8B*%gi+t)1+}<+wE(7AC
z$(`II6Sa%SWDqAInO3p8(>;Rh?oSxZ043!y_=WLjwry<fTw&If(8P#eg`y^0?Iij)
z`PLt}CU$#<U!(S#+<BmGWyWQ`BF8@Wgd|qmf7YgwN1)gL$8O?``9&wSZaY#0GDYDj
z(<4>4s;Jeba}aO$(T$OZSSF6($*)f*iz9}Ge1uipX?fZzKl(^<+#LI>1(d+NQdC!L
z3+7hDK!Fc~RrW@3k=b`J`>?85Xf2{=WpYg6!W@<l7i-O|{$ph(-I3U|%>_HaQG8ng
zIh@g1TPXo_2^A@}55FNgeq4ADi6>l5UVA@PB3-XT&&|K7(}-NE`Ds<m3xZhQ9H#gP
zb$GC@qN61+Yq!iwExK%P0S;Ks_qTCww3{13!47}Z?AhX(FV{9icrH#3f?s70$rOzR
zF=c>Xzgr4?=pI>1!9QR+H6D0DTVOec+LkZbm3%;YG_;bXmcmrprgIBu9zrb?M*UBU
zw1n67KYEELb!R6Y<=fL2f4<21@t*(+Tk-JaL}k7-lZ;IyfxafeQcMSh=Z9J$Gnepp
zWPtx78wZ$KZtwD>Pkwu@U1!RemOHplnp3AqkYGz$4J^1t8!Bm|@s@m%H|MH#{zoBQ
zH^q_kgc`nvM$8+k&XO_B-heR?pWGllS<GA)6UTqik}CzB4{PIkJ0KGo&5ji|990FW
z)Yyu+kHOn@z7YRIrFuBzJuh@~z*a<bQIwdAId{%4`kjoa1r*RVe%WJYJt)`{<~;s>
z(vmRLe0TlWPG&|PFO3*L1Dm1wq(;xMj0U7HQcuRI7AD<qs+imvjMUoVJ&{kg4GnQW
zIOvk;adR2^Hum$OJ`=Kgms%wP?j=?*f82*rzL_g&`o4@70?|5e{h^><R#>>n<vteT
zx^`X19Yl1RrrT*ry(IXe{}1&QQ49C8IAgJ0*wrhB{I5cwF-95GkL3yvO{r;nRt|%k
z1go}%fzXKVJ9BGKn}AFb^r>-vXsN8PtS+|YaLU*HIc}U8%OT)&#0J8^s9cKzZ;<SZ
zXI6#g3vUQ6gpywEl;n-Y3&Agp5d|@ya(Zl$PP928*<yiPG*Zy+yV%&tC6O(yK_FC4
zI)kNEAT7gIz7XgSjKLMTeLoii2K&v5;P3RYa0P&m(hj3&>R$%5F1GX+4SwtLWNm)c
zSMff6Mt6GW6l8Ph+<&2-5x(k%%kaI8oN>wVd)+D&s<GnD^%%P2>V&m@%w2H}i}igK
zagsvG&DZ)2F;^J%kOcv|oHnIN-R<ylJy%_C$MYmSCpV_lyhO#pOQDd*lJR81?u@Vg
z7>C=Xz|`Th?V0S0t<%;EBe~~HW#Ea1K1x1PA<b9q*SA{+PX;P5DMWrn(w8&SQ&g%6
z`hNs4x#eSPu%?H3u(8&A^AX7#(n;zIrRw`NmUU6+$9dKji$fdX=_#3RN7k>&8-~iP
z^U(IY_&6I&cCg$jbG$^5fbMr@aQ-~O^8!|#+XpcO?*NOKUUiPED`+~&#d<7iJp9P~
zt_R4B+iBf)ep}q%ULCwYQZfzo+7ohPg4i2{DJ73Yprq>(A@`Lm1k?(@d$^Z>c0q1|
zYHS%$zV0lhp{X=5BWi8X!ZyuKri=DY`z+(<Fp57$V9gtQ;YsG<g(!ip<oWODOfKN-
z;>(g<$k5NO(5%jjUC-Je4AW~Vn?<Qbt|E18CZZu%_UKsyuNX#pZ62rDf8zxm9($YK
zJ0cN#o!mcY#AXWIj2g`CMaLW&GZ&b$S4U@CZL{X*#AMX4DPW~m%UTV3Eb1!k<Eq#0
zPZIxa!zbvxy)cUYo^GVSSpKO8OYI5-O3nOqpgrR{=KRF8x+QGbV!h%>U#5AKAi)0J
ziH-`i;!keWG>!dDiK!;Y-I5-RD^8C`&s<*50S6{EzUgI+Yy6i38!84*&s<bj;u=V&
z(RL9|HYUfZ@voF>DzRPEAHy?RJz<umWP|b3M67snx3e`aeDHQWNi*e04j+y+P%~Le
zcGVT>(Pz!KuedU6QT1w)st)caDe3;ny{Ht#QseC2_K?uzi1_}^T##44u6%z@aSLGR
zvB~`MdQZALQuTb9Nz-(4U4E15{2FY*S=|}F?~uo&DBq7ScknPV`D^X!reqkmvfLI8
zIu7C{@=wTq#o-M}s}cLMdGir2hOy$$*D~O9jy<0nLA8(@0g2-0k6<ydk)tWsgd3S>
zN_J@IWxBLk`LjYcjD(5z<3{w$QFN-JN2j|HcPi7XMb6TzZ;}&m7L>-6aRa~K&q8bY
z^Sfn!1e|fJT-|~gTI_4WFG^8~xv20_(vR7;GF`vnP()lm3cnHJF}--1F7q6dJbw0q
z_w@%q(nQ7fwcdz+m4DE~K8IaN`E)u`*l~AxK)-_YNm%=?a|id(rY$T7tc7*$Ru~C@
zj3+ifACWw=Qyv|ZgKoIL{~i4}MfSpUF!78JrR}2U-X_qZxUJfCnUk3Y<*<*>H@H)K
zqw|p-o2eJ(MojwLR*Dik2UF*Nx$$zN*#}r^CgRC+-}+7-9-1!>-b$KpuA24wDi*W3
z&9ofV?mr_vXisnSn=#@!K6k(SL!CUGiC~P~NZeSv<soYpJx6h*y1gFqsdE9@;fo4Y
zPSM8&>sI5tf($Q%&b&nV$($)SGT#{cx9g+ww#2y2-SZ*dn?c5@V&@D+tBk;d%ep<o
z?eO&rnLNkGYgSB-17)j=hiIM`X`+ez#s;Y=lestLRNC<th94YR8<H~wzwKReY8<al
z&Z1Jif?jXHNfe*ojXz2+ep0XKJSA&&!{qNt=BYU7425Inr6}cr+3u}B3Nw&4y!JKV
zdtkN1vSHIlndbe6F($An-rxMtU!lFjSi*?&e(h%<NX<V8m5+W~Z20<27zBiX>vwv{
ze}x}OWtX9dT!)~(3_aWJJ)vlgm+tv$IR|xjo&8{1%{EQ6v{~Nt`>he)p6gvJUB#e{
z=I1yz=JA*@Ft_0hotKD(w1zDj)MW(jsh8!!t?qB(9ajjezB@s_U1>lBo?{4|6iA$>
z4<kAgAp5CXqsH@_EweQ7n~s?48|Pe(_30W^|7gh|Gi}7_7H0RWI!o7H+`D|`dk=?J
zZ2@M^8(c@}@_c+w7vsBI4-vfU77R~<F=NFRtVJc%;)OeSO+z}(4JCECn-7==EiBIn
z(kG-u*94Wiv-6jPSfUmaw$y~zS_A{)i11iP5n`K%kAtXPo{LZyK&aK#FgZ~iC?(I-
zUoolAQ|RUMJdbBg_$`@s<c}-qatFdtvTN*}l{1^vDtq+A%K{PDd$vGW==J&FVX$O|
z-`pvSvYwduk^c$yP9dMI0Yg}^I(>#8w`n7yEVSH)LJ>d8G`BB#AY_Ov6*eB|II@gl
zfjxyGez_vAnF`}I53(E!=*8+XepLLmpj`_5ag-s=pj*kl?MFmRsFX0NgX2|cnk2a9
zFvH+II3B`H3Pmx#cu?)2X2zw7jL@{9qw_XAsBEB|Mt9&LwN>Y+l|g_K`;<K>tp!o%
zwxQ#rMC9c7Fz)9SlM|I$h!cCsO(*txK327H*)>D+Pshcm*rOle#>bw~`F;+Tw?XLT
z>X_Kv<><8TYDF_H5SJ=BJe_*WNp^lg7X8+mh?W8-{ZPzwED;`Y{5{u(mBM0kE0~Z1
zPLNrDtk>B}!AZ<kFtUJ2>OxBgPD0ka-!@Vp=)ng*-z4m%X+S*a*W0m%{vy8of%1dF
zzHeVoJZ*Q1H&t@Q)c{eOwDsu{Ph-{`aoLEYv!2|fz*VAV<^nCJV6!@-b|1GDEulaN
zE<gC@;Wi~Bi>+9XnAdf?Q@gx!5Y~s2Ru*c8TxIS?E~v5wF{a1is1E6Z@fFPZ_>zkJ
zm<B9q3^{(&PB9cua|fKsI!RSz4ZB|(ylibzwXu{BN?{oTtM!C~Ud$)z(?TYD^I`Fr
z&g?MkhZCBg>6c(kBSYh`9gDdq9DZP*_5!0`)&12yit1))OSQ#0Rfbvs@IEAT)D@(<
zd1@}0v_litmI6a{v4v$P53e+J9lFOYw#LhLNA2_mY3dP*UQZ9bg{+sS=MvgxlzvWe
zwhWm=7KgNcQ%+Sb?_%AW=}zKU$<JBzHj4vU4Z@9#X8P6H6;7YPWM)%;-{a_SH4@%{
zq?EQR#fpfiifLI4HKv|G)Ikg4OxW72actKscn|Btek@6>k7a8nEBKm=T;3TXJ5c%Q
zZ@ruF?@nb~sj`G)4pNzPX0Pn_#96Juu@7H*O;DtdGc+kBZM86C6{^bjvL%G(o*fgG
z_4h*To>aMau`^yc19tYo6fd>RzD<dlU%rF>wk^o1)Fz4Jt+1~bs3YTX@0h%u<qWkv
zUroTmbd{Uv>5TTya@l^vE5O*MrkLsfw0@krMY`jzbpKQWY#qLSI2Y}$Q^WTxUD;J<
z0k-ZXA@eudF-fk&{$38Tn%js~6--mgObbtO9519Equ(23$EIzC4rZ*C6M^>Rc+$Di
zyIW!}gdUi#kQyn=v)X3nHu~F&g`wjW1>Cs5xo*pmz{$>aUAKuta^@(s8WT=5WzsvT
z48(<w%*B<peJ>%svK+b+u?OhB;3TJfxbi4Pj0Wk2X+oVyL;F4p$&xJf<!!N_|NM56
zYQ?;zD|x2rU}G{x2X7?fM$5htCncnDs?5ivlkbEFv<3$Ig-FT4jnU{bX%2h>@<OzH
zv}#D+&dz0!5PUQwor<?v{p?|&jaR4d3C+Ly?PZa69X=fXl{!$_iSBU7vWO@o;H>R|
z+axfW!YW3yLR-h0%qLu?+$lN9=_*rEujcR~>>-8A<{<rs%v|Q37b9ATvK|&_)#yk>
z9X~42bfb=A9?g1-``vFxWq`ez6h~aeg&4Vs(<JkY1-~hZ=Dhrj<cKaMUj}lQy-`%Y
zDVX7^+LHf2ETZSutAk?&LVqmKm*~Ixo&jW5`(t0tPa=@<#Y|j**hP**iw_K%%{Mg%
zatzU$!F&SqDrNjZ4mN#F@T1AQPXY!JX@?Y7Zj{Y;l%2PJKT-W-FX#U>B=hk`wMC;}
z3%EV{!X8~q$=PVYlwTPBweN=5tIf*;laxSl>LG1QJtfdgt1KplF?|)JZ`W30-||C4
z)2#4i?|>=i3OX$$G1m~X0olZL)-~pa4?1Chk7e&^-kDaJmk0T?z@A+V2VLkrsS#Bq
zoEJG+g;##bn-U&OzWo!RY+s&UfGjmB;H_{#Fe1cT-2W-<Ec#&XYOO^*;^3Yn{p!N6
zbLVf;!eIeFv&Orhkwc}xHUwL&8)>Kpv<#7_(aNgJ+m|e;pw_(lsv!hw`}?NYZmw5s
z!Ox;>vu=1d4rJKgBA>weqg8A}Osmf<nnZPM=&n$$vXwHo>-SvynX?O=QR`e_{*lP`
zFr)gISp4vonk<kYL4S)aZcRHG!eP+Kmx#Hx^CfJG?cqpGw>E2#_egd?*|)P1yc32|
zQ&3WP+@80om1qiet78P61EFX!q18LuhwTgywb-oe`3%LqUV8FW!v&B92Dj?66Pp#+
zIElhC0{!RU4d_hmQMp&6e(IeCYiYS^Zn=sqqSyv$#+Bp;{IM=J+n;AH8(-MrxUroE
z<x}$E<c}w)1jRE0qD!s6XNX&9tk=_g!d%ujtz749^Ih1GZ>#Ap$EyLMO~h+F+$|(Z
zVCZ8JlPWpg4_2Wf98c03nDV8IWg2w=p*BVk^g*84>IgJf(M)UB*gOq_IJ=t3gj;b|
z<A*p9*l4NoppK4oC4$<b`~2frEpdtYw(qeQdO~v+d}8A;ZMTnTmz)wp8Fp&*H!hEU
zq_pfrP0+8cTW7u>A>|OdI=4fFA#6Hq#0ELnO>soz1w=?jIzyRy8LQZx8w-K;`zMG!
zTld{lhKs8{zR>D3k`2G+rdK)0=J-`T`Ic_kn8!I2k`YfVbnY+4_je~!)Hljr=<+lv
zy~HH_qoLnlovz!Rp|Kycu=Brvw(g$7Nz&ehep_1BJ2~P&eY<+@Hoo}!+B>Yvv*~@Q
z)AfEx^RX*k@IYYub3y)B4W%@zL#T{_u8WR3-)IJDH-h_+tK(WZHN9N-j(G7nyKZw%
zQd$-|rHh8%*%Hh9y3;JTcdcQ-Dg$iO-R9QqM&c6KNlg-TCC=`EFx8p-W#p?9Nq7GD
z!MFasTE10r=#PdzC8-{d+;I}5-R;58LBqt&TBxB&T4I4qboJ>iGONBjU;oeN&M5z7
zkSn@4{%++5(#_YQsNJ0MGUoWvFFNk=L-!q_Hd~ie_mIdbn*vVHy>Z;|nVFe3@xS}s
z&ooEgj)bphOk??-^uMJnCWh>faT+am{=s~TD!zOkC(PN8<Z*j>B+?OSE*?~T^6PTI
zYez%Z&{*MzQ2phELSW+s<`ZxQ^|!JsrM<{gA+CN2)>AXB&FLgT3Ar+Dj^<?6&S!82
zdBI1Km%C?or<1qiIvt(s*{t@W%zcL%;zN~=o#V)Is?B>cuXw-K6N-YwFNZOVGhDr+
zkJ-=xr{X_J(w8qABL7gM)K{n!lfFF`40LxNm`~<@QCmsr6RNq3)+nwhX0JzlT1nsZ
z6jsbn#{cr|O(d3DhCohqXsaKF&(3#L-A(HoQ|^ssN<*hBA&wat`h~k!>!aSC<4lit
zL4XwEck*OKtrsVOLZTlw{?K?uDr~7tNaBc>aM$5V#C`$flA3rNkj>wo5suiJ?&P2w
zAI}iV6{&Cqr(&T;X+;7P9<!;O1cCBnRP%p+a_BYesx^eN=B7uud!M(0)K{muUqpUM
z(oA)BFNfq?(E-<`6*`;lP`^TquF734=HpECT)pn^Qm;2y*EP6jQ1$zqh<)G2f1dmO
zL}-IR#T%#4M5ls+DZY$Jjyb+Cz=p@ffKZ!<GL9Hmm1(BUiVr?T3^-xU`-ooyw)O6M
zUZ~YpRQc?%ilLMH7DVwUWy6=}LNpL!#ivv@GqC%|&tIYIzZVMxsQCd3Rnc&^i?wct
zq~l1cF8VjB4MR(gyC-`a-)RbLXou^>Sb_{VekNzt$!O>+_BQ+PUm{~JXKOHrxJ<}2
zxu@A&Ii$0}1)A$ZN1EX+Tsxx;FWzJ|0BVRN!Nzp2pFW}nM;gY~Htg7P!&;$MTR0A#
zEDJvLIa%iw9$<X^(w-=3E_0MM8f@h>Nz6Oc(Nu91rYB+|6Y*1M*D@wVyR)Xkc=*TO
zNSRf!#*96o8sUi4YJMUAXsEr<W5a={pB$dwLwO{W{xXbIA_Z6-;(O9hnCVrqyP)Rg
zr_vaC%%eT{4E?#V($PZkbH5uXx(Pl8hC8i9Ks5YluujP~d`S+N&!97FwEP667~+g>
zE;F=pY-QN#-to;{*B{?5aZZjm4kGw3D2NY#CkM;@6r<1M5upeEkPm0dV8cKxs$-8H
zuDwvG;F>hNWDlAySML~w&Av<rihpnkVl63gg=xyHYIF=z{ozgPa(nb-OwZ>vnL9mq
zjZCaldKG2$n~u8-Yb7c3CJFb9*g3P>$oAflWNwWwrb)Dzd~<W{AF`cxclp|NNf+r6
zP;SOadtrT&<iZao0Dk7u&A^!gO7%sQTIZE1c?;De0{1Xb5FQp+4Tn~w^q0<S_at9u
zxbd!^Sq($Y1eYLQ3ITMvkSk^T?wsZ>ClX-tT61(vYWbg!vRHw!oku_Hy6t=<+?sl(
z#!`IK!P7c>PO8oMSeo>BTDXUHD?M#+WVzEGj{BF^`g%>Ln`{kVAKR|+@icl@&SR(N
z>ORQqGwP$qo>2){x4lQy?{`#5x?Ax!7y^B~m|+8x*Ds6}?`2evm!5b}$eyM{MGP(w
zHvMjcSL7J}q8qlx+%fLgo7xHLdLqajpcL~I?g^j|IXWhb(_4lIxvxU+qJ-B#(<Dv#
z-jh{(Wx_+=3t!fp0ADfno;9^)FI?*fVM!cti_^uR{f$`U-*dI8fprwwt0!Y<Xd)s7
zFgyYD`8u=X=WBV}`2b4lUCmEbUdkh4i4hxWevp!-t>;-APQ#Ejr!A_!$@;7vM6W(c
z9nzD(MHO?hJvw_Q|71_!X-JRw;QgNz`Z8f#Z8Y(le@KPwprpbI#+OqXycD^!KYE<x
z<MJ(uHcuRrZB?7|;+4t9hcd6$Z`Y5p?fJoxd8^(EDSOlCvt>!U6-<U*TyxCd(l0>%
zVz7JCtZ0UW#SCGWLtB}&%q_=uz7+PU7!$3Im7Ug8izVWIa|a}*M6r;+Ap`<ujAKxS
zxZ`W->^;Qj8n_dGO|f2lh0?qT=eGC2f5Ur2jr9<G0)jI6y~X#}<{weF+QU;Me*e7s
zM}5F`QkfgQ?4Af%#Kb_3tkM6R|8+tWM++2T+gd`(pZfu#BU@Y8ui;#wA&H-8IH@?`
zGAKW+Y=6dW;;n6|NKTQh!7LMHOQO<02N-_q#TLsQDVW?Rpbiv(n9?Of-@0+s3uas&
zE$?WlZ_Q6tpdWA$FeFIqmCUHM37B*bI&Z>95y(iNBWAw4e`5YS%mr7Ht8j$@*Ph$K
z9oA1{)PTu#fN_0?@sG9Vk1@`L(%_12qbFlAV#e9S?Z5PHtn}Yb(yA@8I<Tt8p}GRf
zGJQM6bv0|MHoW>QWg2E0BUGolLOcJbYIBcf`v2p2i7$mzQet0<%9qhpL<q@JE-8`A
z+@ii{n3h_z*@_>dqKivqSid5D!<JlUw(-@J+>=!<W6g3M%@VuW_v3ed=X_7+eE$1f
z&gXp2`}2OkU(eU$L7vSA8N-IX*>;|s>1UI>)gDzUXPru6P+eu}!YK=8i1Ux@>lbR5
z6r9W6NkI2R2ZRE-UXPsk*BM*&#0ZfDu4c<Df#+Ta(rx}|eXg4lcVNW+(N3WAbqQyZ
zPOjoNH`mk(t4`lwT?w+a%nje2S9E~q><*2(k~_!N1%|PuW)Xj6;4iK!AxFdHU}5#E
za<gQUJn-vkL`LbApcu2V*)kEd4g`7%Fkim6R0LfWlQHGUg{|ggzWN8D*plkQ?*5{_
zKV$%^*}_!@C)vG}R39dfvp6^;lqkyYtgLyicWPo)0^3k`3<yD!j+%^EoVmNRO#J~>
z3BQ;{x(^w|3P)_JkfF66KVi(lH#x8+kw9zY_*vU#6NX&<_(62AKRb6vMaV~%6P=gD
z5RdIO_*|nM^63)J|5a>!W31*pUT|?(^zoVj7PlRR8@JG@XYd<j{7-ZIvG5ei%9qMQ
z>zfWJN1@TEc%WJ~sbFZ{5D?s!#}v~2nTd>=k<>r@G7q_>%0#sI3xU+VFYxAFs`JZJ
zxwlhuZ+SQI2ZE_dYfn$ZzNZ;Fb>o|W1%2OLC<nRx*4~iI7>(s0tB-$CB8qjid`C(a
z$Aju~^)A|%a@6qhHh<(I+T%z{;l@qQy}j)^<{UYT)*yO@cZQEgYg}w1up7+pHGd!<
z;)n`7Ud7hGBm|oK+Rat!ck>#rcJx_i9g!RVFX(Imv#Ty0HSsaCdmkc2Fk-DyM^+r<
z?Vf2nQ`<qn+|l5^P~L?B1F4Ph-M8f6M7ENPV`_5hdXA7fUv*6w>?qCFkG`FDdP92u
zVMo-`vnE~`<LwbcysFnO!>2Vc(1gX@H%<Qv)Ar3OF8#}Mtv$j_grZO({!X0CAarc;
z@QVm)559jlc?O587Of#Ec*KV2z`wYmjp4!;%F2HpR)%&O(j^hH^y3_4gDBGiJ3h1Y
zI=Y(}$Q}Stmqh25Yt-cmm05jV{!ctJXMTl09~tdN{O%Qcm1uOdJJ2$jG$s~!bs`W-
zPY!Qulk`Ob*?BkhcKKPsL_I4rO-Y9AkIzTtZMcK0iZM~Qg9Y^V0gB$27JCX~(=lz3
zuKQ}XK12z-tK_)U>h|ap=M9rF)All*6IZoKAtCFdTgw<MyzIw%M{I|mZeuoB=l8D7
z-7ue#GY7^FqGwt3A6dJnG6){98y;#Z*ph{9cv%|l#03#nz7BCgJp2rLdT67@z4za!
zlNBm{W&?&{nEgKQ(@lLWQ=e<r&9FbZg1jD|=5!{nf0Any6<85C%p#3qRVec1-(><6
zuHA(5!_3+5rQTbj4}fq1QyXq&mh1yB5sFT*K2R&oqbYML;dwcyDoyn+D|;5fAr3^6
zLv0!=G<j{~-i9dNIS#H1TF5LR5?6l0XQvD=qW#rj8#TskG}-$KTLbKR)G^ZQ^I4GA
zk5B<xGi&vJngRYMDy-h%7`Rj=s{|Q)#4=zy`MBxZIhq#Y>+qhDiXcnXQuiMCq@H)I
zee>Po&z=Awh>)@3I^kL8LMCLu6@d;9z47x8S25S>q`|59to=Zw??e;6M&{Q^08rY)
z%J*#KW=)AV4(_d$^U?gM8LY&3+xYEy`ePJ!4pR|oNr3GO3pvY+nAS^eHz(0W=dA?M
zNl(Fh5KM{7wi-(1-tbg76Wg@~P$floN<_MiZQ({;=-af(OB?$8Kzwc&1{gqpYZ>D2
zgU><Q5YrmZU)%by<IW5X=ourv062w4h;g`{15IiP^wlzE@_k>V__-U<d2+;~o%=oF
zLYY9V1dweB!K+{ex|KgLbZw?!ER2I*H!2y}Yk-a4?k%vr!Edl7cj&<L7w*HtPW6^4
zt|^NbFo@y>4C%j^>Ysa}PR5v#m<_kJI1;3zoUS?<gD?WUAoF`*hsw8ga&r*W#=Si5
zb<WTNHSW#dYYlLh4c$!}VZ6>5v#X`}E+|;s-c}im?v4PA&GB^<h~Kn|SLzK)4TP8Y
z`NNR6hm|XEnE5{m{}LNOyHih}PI;hLx)u0f_$4Ric(xSZTBaB)cpnjNzmGz_V2#HL
zSi|(oV3L>vnY!cFFkP6ICn^(dLl1F_{KJ}uLaEtJ7jxciy^e)J6pPhaGB?|15|fPM
z`nK9;jP{nvt}pOV#?UsQ)W5K!9AZmkN(Q~r<1D(eOnd1yWb>|BoAq82kT;BdqWMDW
zU@3OyW|??U?tNL#0)w+}&Oq#lu7`S@Mi(uG2~VCfYFRF^0o8>R#aA1R-Ef=9DgBP`
z9Z@J`f9b@gA3Fl_A`WCxEzUF+7<a~HBIlkS9!{J(>_8W-iR6EnyDZ>8Uo2OXdT|m5
zsKW_Dvz4#qORxB234FcP+)UpIrz-tz%cI8Q=95u4OyLkY;1~+7O-R?)B#o$VEjCK%
znCs5G)n~$ynKcGQfOeep^FvP-v;oTyP`{Gg>OgXbri)HQjOuesWcC)gUGVD&M}TvE
zD)_!|CEu4ZpFxPp{tb=mIZvj4k4@1&P&A6+l`eY~4LOQNhnG6{g?=9G`Nmm`TOL0b
zFYT<)bW<9>#;58?Pl6wscpiTj_0=ZJodz@YL!;J24WHme*3%!bLgI#3#D>0V;#*f9
zZc$fRE~kvVO$DmV{$j_~$JOH&K>$D3z+b2>CN9<71G)5qG}%^6%d0KhN0YVd71APQ
z`JbiiQfs{nJ0J6NM&;1Fo4ZQKQ>woK8)6zc$p4c{-#sQ-a&_fFd}Gj8E2vUpt?SD<
z?rH~pl_2ti=lc%5T$@9oD>Shy#c#zEGy}6d*L8IQKr!OWfPFR>f~hYs+Vzz?maBiz
zVkZ7rzp_e4T0(o<t#sLdy~#`pgt_$RO3#GiA#<5xD9T%+7eDD48wK8O^$&Jjq^qh)
zJVE|ORxKDr)1AerMJod-mwUcPhu@M~7J>fNU;lTzvZ@?UskL^zTO4c2`M=%%%h_K9
fc)~#~1s>4$X?Lo&ntlVk{xv6|r(DS{;VJ(BQvQgo

literal 0
HcmV?d00001

diff --git a/PaloAlto/package/manifest.yaml b/PaloAlto/package/manifest.yaml
new file mode 100644
index 00000000..4b2be0e5
--- /dev/null
+++ b/PaloAlto/package/manifest.yaml
@@ -0,0 +1,25 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+Format: 1.3
+Type: Application
+FullName: com.mirantis.PaloAlto
+Name: PaloAlto App
+Description: |
+  "PaloAlto Networks virtual Firewall application with http loadbalancer and configurable number of backends"
+Author: 'Mirantis, Inc'
+Tags: [Palo, Alto, PaloAlto]
+Classes:
+ com.mirantis.PaloAltoNode: PaloAltoNode.yaml
+ com.mirantis.PaloAltoApp: PaloAltoApp.yaml
+Require:
+  org.openstack.networkingSfc: