When you want to practice a Paloalto lab by yourself, you have multiple options.
You could use physical gear if you can afford it, or else virtualize the devices.
In this blog, we are going to configure the Paloalto firewall in gns3. We are going to install a Paloalto firewall with management IP and one public-facing interface with the internet.
Several things may not work when you first try to install the Paloalto firewall in GNS3 by yourself. In this lab guide I am going to close all those gaps and get you up and running, which should save you a lot of frustration and time.
Before you start, there are certain prerequisites for this lab.
You need to have:
- Latest GNS3 software
- Palo alto qcow2 image – You can get the file here,
Note: To get the Palo Alto image, you must have a service agreement with Palo Alto Networks.
Steps to install the Paloalto firewall on Gns3.
- Enable internet access on the GNS3.
- Install Paloalto firewall VM in Gns3.
- Change the console for Paloalto firewall in gns3.
- Configuration of Paloalto management interface.
- Accessing Paloalto management GUI in Gns3.
Step 1. Enable internet access on the GNS3.
Follow this guide to enable internet access in Gns3.
It is very unlikely that you are going to use a public IP address in GNS3 and route traffic. By enabling the internet in GNS3, you are going to get an IP address from the private IP range 192.168.137.0/24.
Step 2. Install Paloalto firewall VM in Gns3.
- Open GNS3 and click on Security devices.
- Click on New template.
- In the new template wizard, select Install an appliance from the GNS3 server, and click Next.
- On the next screen, expand Firewall, select the Palo Alto firewall from the list, and click Install.
- Select the option which says Install the appliance on the GNS3 VM (recommended) and click next.
Click next again on the Qemu binary window.
Note: I hope you have installed GNS3 along with the GNS3 VM on your Mac or Windows machine.
- I am going to install Paloalto version 8.1.10. However, that version is not in the list, so do the following.
- Select Palo-alto version 8.1.0
- Check the option which says ‘Allow custom files’.
- Click Yes on the MD5 notification.
- Click on Import and browse for the Palo Alto qcow2 image.
- Since the version that I have is 8.1.10 although I selected 8.1.0, you may get the same MD5 error again; click Yes on that one as well.
- The Palo Alto KVM image upload will now begin, and it takes some time. Once that is done, click on Next.
- Click on Yes on the next prompt.
Note: Don’t worry about the vmdk extension even though we have a qcow2 file; it will work just fine.
- The properties of the Paloalto VM look like below. This window tells you about the default admin credentials and the basic configuration.
- Here you get the login information for the Palo Alto firewall and also how to set up the management interface. Click on Finish.
- You will get a prompt like the one below, which indicates that the Palo Alto firewall was installed successfully.
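Before answering Yes to the MD5 notifications in the steps above, you can check the file yourself. The following is an added example, not part of the original guide or of GNS3: it confirms that the file really is a qcow2 image (relevant to the vmdk extension note) and compares its hash with a reference value you obtained alongside the download. The function names and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import checks for a firewall qcow2 image.
# The file name and the reference hash are values you supply yourself.

# Return 0 if the first four bytes are the qcow2 magic "QFI\xfb" (51 46 49 fb).
is_qcow2() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "514649fb" ]
}

# Print the hex digest of FILE, choosing the tool from the length of the
# reference hash: 32 hex characters = MD5, 64 = SHA-256.
digest_for() {
    case ${#2} in
        32) md5sum "$1" | cut -d' ' -f1 ;;
        64) sha256sum "$1" | cut -d' ' -f1 ;;
        *)  return 2 ;;
    esac
}

# verify_image FILE REFERENCE_HASH
# Returns 0 = qcow2 and hash matches, 1 = not qcow2 or mismatch, 2 = bad input.
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    is_qcow2 "$file" || { echo "$file: not a qcow2 image" >&2; return 1; }
    actual=$(digest_for "$file" "$expected") || {
        echo "reference hash must be 32 (MD5) or 64 (SHA-256) hex characters" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
    else
        echo "$file: hash mismatch (got $actual)" >&2
        return 1
    fi
}

# Usage (after sourcing this file):
#   verify_image ./image.qcow2 <reference-hash-from-your-download-source>
```

If the check fails, the MD5 prompt in GNS3 is not just a version mismatch and the image should be downloaded again.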
Step 3. Change the console for Paloalto firewall in gns3.
You have now installed the Paloalto firewall VM in GNS3, and it would start to work now. However, there is one more change you have to make.
While installing the Paloalto VM, we installed it with telnet as the console. That’s good, but telnet doesn’t work well with the device, hence I am going to change the console to VNC. Personally, I had a lot of issues with telnet on the Paloalto, which doesn’t show proper output in the window.
- Right-click on the Palo Alto firewall and click on Configure template.
- Under General settings, change the console type from telnet to VNC.
Alright, you have now successfully installed the firewall, so let’s go ahead and start the network configuration.
Step 4. Configuration of Paloalto management interface.
- Power on the Paloalto VM and console to the device. On the CLI login screen, enter the username admin and the password admin.
Note: You may have to wait for some time, as the VM takes about 5-10 minutes to boot completely. If you try to log in to the device during this time, you may get an error that says ‘login incorrect’, which is expected.
- Configure the management IP address of the firewall using the commands below. The set commands are entered in configuration mode, so enter configure first.
configure
set deviceconfig system type static
set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0
commit
exit
- Verify the IP address configuration by entering the command show interface management. As you can see, the management IP address of the Paloalto firewall is now configured.
Step 5. Accessing Paloalto management GUI in Gns3.
Well, we configured the management IP address of the firewall and it all looks good, but how do we access the Paloalto GUI in GNS3?
Just as you added an end-user machine for internet access in GNS3 using webterm, you can use the same approach here: add a webterm end-user machine and use it to connect to the Paloalto web GUI.
- From the End devices tab in GNS3, drag and drop a webterm end-user machine and connect it to the Paloalto device like below.
- Configure the static IP address for the end machine
- Right-click on the webterm machine, click on Configure, and then click on Network configuration.
- Configure the network as below and apply the config.
Open the Webterm and you would have an IP address 10.1.1.10 configured.
- Try to access the management IP address of the Paloalto now. You may get a security warning; just add the exception in Firefox and you will be able to see the Palo Alto GUI window like below.
- You may log in with the default credentials, which are admin and admin.