5 Easy steps to configure Palo-Alto firewall in Gns3

Saifudheen SidheeqLatest Posts, Networking3 Comments

When you wanted to practice Paloalto lab by yourself, you have got multiple options.

You could try physical gears if you can afford one, else virtualize them.

In this blog, we are going to configure the Paloalto firewall in gns3. We are going to install a Paloalto firewall with management IP and one public-facing interface with the internet.

There are things that may not work when you try to install the Paloalto at first by yourself in Gns3, I am going to close all those gaps and get you up and running in this lab guide and saves you a lot of frustration and time.

Before you start there are certain prerequisite for this lab

You need to have,

  • Latest GNS3 software
  • Palo alto qcow2 image – You can get the file here,
    Note: To get the palo-alto image, you must have service agreement with paloalto networks.

Steps to install the Paloalto firewall on Gns3.

  1. Enable internet access on the GNS3.
  2. Install Paloalto firewall VM in Gns3.
  3. Change the console for Paloalto firewall in gns3.
  4. Configuration of Paloalto management interface.
  5. Accessing Paloalto management GUI in Gns3.

Step 1. Enable internet access on the GNS3.

Follow this guide to enable internet access in Gns3.
It is very unlikely that you are going to use a public IP address in gns3 and route traffic, by enabling the internet in gns3 you are going to get an IP address from the private IP range

Step 2. Install Paloalto firewall VM in Gns3.

  • Open Gns3 and Click on security devices.
add palo-alto in gns3
  • and click on New template.
paloalto integration with gns3
  • In the new template wizard, select install an appliance from the GNS3 server, and click next.
install palo alto template from gns3
  • On the next screen , expand firewall and select Palo-alto firewall from the list and click install.
install palo alto in gns3
  • Select the option which says Install the appliance on the GNS3 VM (recommended) and click next.
Installing palo-alto firewall in gns3

Click next again on the Qemu binary window.

install palo alto appliance

Note: I hope you have installed gns3 along with Gns3 VM on your MAC or Windows machine.

  • I am going to install Paloalto version 8.1.10, However, the version is not in the list hence do the following.
  1. Select Palo-alto version 8.1.0
  2. check the option which says ‘Allow custom files’
  3. click Yes on the md5 notification
allow custom files in gns3 to install palo alto firewall
  • Click on import and browse for the palo-alto qcow2 image.
import palo alto firewall to gns3
  • Since the version that I have is 8.1.10 though I have selected 8.1.0, so you may get same MD5 error again, click on Yes on the same.
click yes on palo-alto md5 prompt
  • The palo-alto kvm image upload would now begin and it take some time, once that is done click on Next.
  • Click on Yes on the next prompt.
select the palo alto firewall version to install

Note: Don’t worry about the vmdk extension though we have qcow2 file, it would work just fine.

  • The properties of the Paloalto VM looks like below. This windows tells you about the default admin credentials and basic configuration, click on Finish on this screen.
add paloalto appliance to the gns3
  • Here you would get the login information of the Palo-alto firewall also how to set up the management interface. Click on Finish.
  • You would get a prompt below which indicate that the palo-alto firewall successfully installed.
palo alto firewall successfully installed in gns3

Step 3. Change the console for Paloalto firewall in gns3.

You have now installed the Paloalto firewall Vm in gns3, and it would start to work now, however, there is one more change you have to do.

While installing the Paloalto VM we installed with the telnet as the console, that’s good but the telnet doesn’t work well with the device hence I am going to change to VNC as the console. Personally I had lot of issues with telnet in Paloalto which doesn’t show proper output on the window.

  • Right click on Palo alto firewall and click on the configure template.
change the console for palo alto firewall in gns3
  • Under general settings change the console type from telnet to VNC.

Alright, you have now successfully installed the firewall lets go ahead start the network configuration.

Step 4. Configuration of Paloalto management interface.

  • Power on the PaloAlto VM and console to the device, on the CLI login screen, enter the username admin and the password as admin.

Note: you may have to wait for some time as the booting of the VM completely would take about 5-10 minutes, during this time if you try to login to the device you may end up getting an error that says ‘login incorrect’ which is expected.

login to the paloalto firewall CLI in gns3
  • Configure the management IP address of the firewall using the command below.
set deviceconfig system type static
set deviceconfig system ip-address netmask
configuring static management IP address for paloalto firewall
  • Verify the ip address configuration by entering the command show interface management, as you can see the management IP address of the Paloalto firewall now configured.
verifying the management IP address of paloalto firewall in gns3

Step 5. Accessing Paloalto management GUI in Gns3.

Well, we configured the management IP address of the firewall and it all looks good but how do we access the Paloalto GUI in Gns3?

Just like you have added the end-user machine for the internet access in gns3 using webterm, you could use the same approach and add the end-user machine as webterm that way you can connect to the Paloalto web GUI.

  • from the end devices tab in GNS3, drag and drop webterm end-user machine and connect it to Paloalto device like below.
access the paloalto firewall gui in gns3
  • Configure the static IP address for the end machine
    • righ click on the webterm machine and click on configure, and click on network configuration.
    • Configure the network as below and apply the config.
configure the end user machine to access the paloalto firewall gui in gns3

Open the Webterm and you would have an IP address configured.

  • Try to access the management IP address of the Paloalto now. You may get a security warning just add the exception in firefox and you would be able to see the Palo-Alto GUI window like below.
paloalot gui in gns3
  • You may log in with the default credentials which is admin and admin
paloalto gui in gns3