Deploy Palo Alto VM Into VMWare LAB and Configure Mgmt Interface - NETSEC

Cybersecurity Memo

Monday, January 1, 2018


Palo Alto Networks has developed the virtualized VM-Series firewalls to run in virtual environments. Here is the list of supported hypervisors from its website:

The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances, allowing you to safely enable applications flowing into, and across your private, public and hybrid cloud computing environments.

Automation features such as VM monitoring, dynamic address groups and a REST-based API allow you to proactively monitor VM changes dynamically feeding that context into security policies, thereby eliminating the policy lag that may occur when your VMs change.

The VM-Series supports the following hypervisors:
  • VMWare ESXi and NSX
  • Citrix SDX
  • KVM (Centos/RHEL)
  • Ubuntu
  • Amazon Web Services

There are four models for different requirements:
  • VM-100
  • VM-200
  • VM-300
  • VM-1000-HV


Download VM Package(s)

Log into your Customer Support Portal - Updates - Software Updates, then choose your software image type.

In this lab, I am using VMWare Workstation, so PAN-OS for VM-Series Base Images is my selection.

You will find all related OVA files available for you to download.


The file size is about 4.9GB for the latest version, 10.2.1, and the file name will be PA-VM-ESX-10.2.1.ova.

The following steps are based on one of my old images, version 6, but the steps are similar if you are using a newer version of the OVA files.

Note: Please use Microsoft Edge to download. Chrome might not work for downloading software updates.

Import VM into VMware Workstation

I have a VM consisting of two files (PA-VM-6.0.0.ovf and PA-VM-6.0.0-disk1.vmdk) and deployed it into my lab environment to test. Here are some steps:


The import was successful, but running this VM in Workstation needs a 64-bit host with Intel VT-x enabled.




Deploy OVF file into ESXi lab


By selecting "File -> Deploy OVF Template... ", you can deploy OVF into ESXi.
I had to change network adapter 2 to the Internal v_switch and keep network adapter 1 on the Internet v_switch.


Start VM in ESXi Lab Environment

After the login prompt shows up, you will need to wait 1 minute before you can log in.

Then type admin / admin as the username and password.


Basic Configuration

Check the Mgmt interface IP using the command "show interface management":

If there is no IP address for the mgmt port, you can follow these steps to set up the Mgmt IP.

4.1. Once you get to the prompt (admin@PA-VM), type

"configure"

4.2. You are now in the config mode, type the following command in order to give an IP address for the PAN management and Web Access:


set deviceconfig system ip-address 192.168.2.10 netmask 255.255.255.0 default-gateway 192.168.2.1 dns-setting servers primary 8.8.8.8

4.3. Hit Enter and then type "commit"

Note: Remember that we can use "?" to see all the commands and use "TAB" to complete the commands.
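
An added example, not part of the original post: a Python helper that validates the addressing before it renders the step 4.2 command, so a gateway outside the management subnet is caught before "commit". It goes beyond the post by also emitting PAN-OS commands that restrict management access and reset the default admin password; the function name and the permitted-ip range are assumptions.

```python
import ipaddress


def mgmt_commands(ip, netmask, gateway, dns, permitted=()):
    """Return PAN-OS CLI lines that set up the management interface.

    Raises ValueError if the addressing cannot work as entered.
    """
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    host = ipaddress.IPv4Address(ip)
    gw = ipaddress.IPv4Address(gateway)
    ipaddress.IPv4Address(dns)  # raises on a malformed DNS server address
    reserved = (net.network_address, net.broadcast_address)
    if net.prefixlen < 31 and host in reserved:
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    if gw not in net:
        raise ValueError(f"gateway {gateway} is outside {net}")
    if gw == host:
        raise ValueError("gateway and management IP are identical")

    lines = [
        "configure",
        # The command from step 4.2 of the post, with validated values.
        f"set deviceconfig system ip-address {ip} netmask {netmask} "
        f"default-gateway {gateway} dns-setting servers primary {dns}",
    ]
    # Additions beyond the post: limit who can reach the management plane.
    for src in permitted:
        src_net = ipaddress.IPv4Network(src)  # strict: rejects host bits
        lines.append(f"set deviceconfig system permitted-ip {src_net}")
    lines += [
        "set deviceconfig system service disable-http yes",
        "set deviceconfig system service disable-telnet yes",
        # Interactive: prompts for a replacement for the default password.
        "set mgt-config users admin password",
        "commit",
    ]
    return lines


if __name__ == "__main__":
    # Values from the post; the permitted-ip range is an assumed lab subnet.
    for line in mgmt_commands("192.168.2.10", "255.255.255.0",
                              "192.168.2.1", "8.8.8.8",
                              permitted=["192.168.2.0/24"]):
        print(line)
```

The permitted-ip list takes effect at commit, so it has to include the address you are managing the firewall from.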


Test

Try to ping the IP address of the PAN-OS firewall. If that is successful, open a browser and type "https://192.168.2.10". Use admin / admin as the username and password.
Now the firewall is fully up and running. Enjoy this product from a world-leading security company.


Verify Mgmt Interface Information from Web GUI:

After you have mgmt access, you can start to configure other interfaces for your Internal network (Trust), DMZ network and External network (Untrust).

Further configuration information can be found from this post: https://blog.51sec.org/2021/12/deploy-palo-alto-vm-series-firewall.html

YouTube video: Install and Configure Palo Alto VM in ESXi




Troubleshoot issues after installing Palo Alto VM:

After installing the VM into your virtual environment, it is not usable. There are two typical issues:

1. Data interfaces are not working. They are not reachable.
  • The MAC address will need to be copied from the Palo Alto interface to the ESXi VM interface (manual configuration)
  • A firewall rule is needed to allow ping
  • The interface mgmt profile will need to allow ping

2. The traffic log is not showing in the GUI. This is because of the license. I am going to show some tricks to check the logs. Solutions:
  • Log forwarding to an external syslog server
  • Session browser
  • Or add an evaluation license





18 comments:

  1. Good post. Very good info.

  2. Thanks, I have an authorization code for Palo VM-100, can you please explain to me how to get the OVA file?

    1. You should be able to get it from your SE, or from an internet drive somewhere, such as:
      http://maxiasnas.iptime.org:8080/share.cgi?ssid=0Ax3QUu#0Ax3QUu

  3. How did you get the OVA file? I have an auth code but cannot find how to get the OVA file.

  4. I found a link which has some addresses for downloading, you can give them a try:
    http://www.netemu.cn/bbs/thread-17003-1-1.html

  5. Can you post the links here?

    1. Both links:
      ftp://68.109.162.5/
      and
      http://pan.baidu.com/s/1c0yBBIo Password:dfj8

      are not valid anymore.

    2. https://kat.cr/palo-alto-firewall-vm-image-pa-vm-esx-6-1-0-ova-t10333460.html

    3. not able to download ova file, send me a proper link

  6. not is PAN management and Web Access,
    is,,

    RUN management and Web Access,

  7. Thanks for the info. I installed PAN OS 6.1.0 on VMware Workstation and it is working fine, but what I see is that I am not able to see any traffic logs in the Monitor->Logs->Traffic option. I have enabled the logs in Security Policies but after that nothing is found.

    Does firewall store the logs locally or need the separate log server?

    Could you please help me on this? Thanks!

  8. I am also facing problem with traffic logs displayed in PA GUI or CLI. However forwarding to a syslog server works. Or browse sessions for real time data

  9. This post is very helpful. I downloaded it on
    https://kat.cr/palo-alto-firewall-vm-image-pa-vm-esx-6-1-0-ova-t10333460.html
    but the instruction document link is broken (https://community.gns3.com/docs/DOC-2114)
    *can you please do a full tutorial*

    1. Working on more video tutorial now. Please check my channel on youtube:
      https://www.youtube.com/channel/UCPzmia0KbQlmhYuh5r7kWtA

  10. Not able to see any traffic logs in the Monitor->Logs->Traffic option. I have enabled the logs in Security Policies but after that nothing is found.

    please help

    1. To see traffic logs from CLI and GUI, you will need a license installed on those VMs. You also can do log forwarding to another syslog server to check logs. Or from Web GUI, sessions can be checked.
