When you want to practice a Palo Alto lab by yourself, you have multiple options.
You could use physical gear if you can afford it, or else virtualize it.
In this blog, we are going to configure Palo Alto in GNS3. We are going to install a Palo Alto firewall with a management IP and one public-facing interface connected to the internet.
There are things that may not work when you first try to install Palo Alto in GNS3 by yourself. I am going to close all those gaps and get you up and running in this lab guide, saving you a lot of frustration and time.
Before you start, there are certain prerequisites for this lab.
You need to have:
- Latest GNS3 software
- Palo Alto qcow2 image – You can get the file here,
Note: To get the Palo Alto image, you must have a service agreement with Palo Alto Networks.
Steps to install the Palo Alto firewall on GNS3.
- Enable internet access on the GNS3.
- Install Palo Alto firewall VM in GNS3.
- Change the console for Palo Alto firewall in GNS3.
- Configuration of Palo Alto management interface.
- Accessing Palo Alto management GUI in GNS3.
Step 1. Enable internet access on the GNS3.
Follow this guide to enable internet access in GNS3.
It is very unlikely that you are going to use a public IP address in GNS3 and route traffic. By enabling the internet in GNS3, you are going to get an IP address from the private IP range 192.168.137.0/24.
Step 2. Install Palo Alto firewall VM in GNS3.
Open GNS3, click on Security devices, and click on New template at the bottom.
In the new template wizard, select Install an appliance from the GNS3 server, and click Next.
On the next screen, expand firewall and select PA-VM (which represents the Palo Alto firewall) from the list and click Install.
Select the option which says Install the appliance on the GNS3 VM (recommended) if you are using the GNS3 VM on your machine, or Install the appliance on a remote server if you are using a remote server.
Once you select the option, click Next.
Click Next again on the Qemu binary window.
I am going to install Palo Alto version 8.1.10. However, that version is not in the list, so do the following.
- Select Palo Alto version 8.1.0
- Check the option which says ‘Allow custom files’
- Click Yes on the MD5 notification
Click on Import and browse for the Palo Alto qcow2 image.
Since the version that I have is 8.1.10 while I selected 8.1.0, you may get the same MD5 error again; click Yes on that as well.
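Clicking Yes on the MD5 notification means GNS3 no longer vouches for the file you import, so it is worth checking the image yourself before uploading it. The following is an added example, not part of the original guide: it confirms the file really is a qcow2 image by its header and compares its SHA-256 with a value you trust. It assumes you have a SHA-256 checksum for your exact image from the vendor's download page; the function names and the sample files in demo() are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
import tempfile

QCOW2_MAGIC = b"QFI\xfb"  # every qcow2 image starts with these four bytes

def inspect_image(path, chunk_size=1 << 20):
    """Return (qcow2 version or None, SHA-256 hex digest) for the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(8)
        digest.update(header)
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    version = None
    if len(header) == 8 and header[:4] == QCOW2_MAGIC:
        version = struct.unpack(">I", header[4:8])[0]  # big-endian version field
    return version, digest.hexdigest()

def verify_image(path, expected_sha256):
    """Accept only a qcow2 v2/v3 file whose SHA-256 matches the trusted value."""
    version, actual = inspect_image(path)
    if version not in (2, 3):
        return False, "not a qcow2 image"
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, "checksum mismatch: " + actual
    return True, "qcow2 v%d, checksum matches" % version

def demo():
    """Run the check on constructed sample files (not real PA-VM images)."""
    good = QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * 504
    samples = {
        "good.qcow2": good,
        "renamed.qcow2": b"KDMV" + b"\x00" * 508,  # VMDK magic, wrong format
        "tampered.qcow2": good[:-1] + b"\x01",  # last byte changed
    }
    trusted = hashlib.sha256(good).hexdigest()  # stand-in for the vendor's value
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            results[name] = verify_image(path, trusted)[0]
    return results

if __name__ == "__main__":
    print(demo())
```

For a real image, call verify_image() with the path to your qcow2 file and the checksum you obtained, and import the file into GNS3 only if it returns True.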
As you can see below, the Palo Alto KVM image upload has now started. It will take some time, depending on the network connectivity between the GNS3 client and the server.
Once the upload is completed, you will see the status as Ready to install. Select the version again and click Next.
You will get a prompt which says "Would you like to install PA-VM version 8.1.0 (ESX)?". Click Yes.
Note: Don’t worry about the vmdk extension even though we have a qcow2 file; it will work just fine.
The properties of the Palo Alto VM look like below. This window tells you about the default admin credentials and the basic configuration for setting up the management interface. Click Finish on this screen.
You will get the prompt below, which indicates that the Palo Alto firewall was successfully installed. Click OK.
Step 3. Change the console for Palo Alto firewall in GNS3.
You will now be able to see the firewall added under the security devices, like below.
You have now installed the Palo Alto firewall VM in GNS3 and it would start to work now; however, there is one more change you have to make.
While installing the Palo Alto VM, we installed it with telnet as the console. That’s good, but telnet doesn’t work well with the device, hence I am going to change the console to VNC.
Personally, I had a lot of issues with telnet on the Palo Alto KVM image, which doesn’t show proper output in the window.
Right click on the Palo Alto firewall and click on Configure template.
Under General settings, change the console type from telnet to VNC.
Step 4. Change the network interface type.
By default, the Palo Alto firewall is installed with the interface type Paravirtualized Network I/O; you will have to change that as well.
This step is very important: if you don’t change it, you can only use the management side, not any other zone interfaces.
To change the network interface type, in the same configure template window that you opened in step 3, click on the Network tab.
Click on the network interface Type dropdown and select Intel Gigabit Ethernet (e1000).
Alright, you have now successfully installed the firewall; let’s go ahead and start the network configuration.
Step 5. Configuration of Palo Alto management interface.
Drag and drop the firewall to the work area, right click on the device and power it on by clicking Start.
Double click on the device to open the console and, on the Palo Alto VM console, enter the username as admin and the password as admin.
Note: You may have to wait for some time, as booting the VM takes about 5-10 minutes. If you try to log in to the device during this time, you may get an error that says ‘login incorrect’, which is expected.
Configure the management IP address of the firewall using the commands below.
Here I am using the IP address 10.1.1.1; you may use the same or any other IP that you want to use.
    configure
    set deviceconfig system type static
    set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0
    commit
    exit
Exit out of the configuration mode by typing the command exit.
You may verify the IP address configuration by entering the command show interface management. As you can see, the management IP address of the Palo Alto firewall is now configured.
Step 6. Accessing Palo Alto management GUI in GNS3.
Well, we configured the management IP address of the firewall and it all looks good, but how do we access the Palo Alto GUI in GNS3?
You can access the firewall GUI using the GNS3 built-in Firefox host, the webterm client.
Adding the GUI client using Webterm.
Just like you added the end-user machine for internet access in GNS3 using webterm, you can use the same approach and add the end-user machine as webterm; that way you can connect to the Palo Alto web GUI.
- Click on End devices.
- Click on New template.
- Select the option Install an appliance from the GNS3 server and click Next.
- Search for webterm; you will be able to see the Webterm host under Guests.
- Click on that and click Install.
On the next screen, you may choose the GNS3 server or the GNS3 VM, depending on how you have set up GNS3.
You will get a success message after you install the webterm client.
You can see the device under End devices now.
From the End devices tab in GNS3, drag and drop the webterm end-user machine and connect it to the Palo Alto management interface like below.
Note: You need internet access to download the webterm client, and it will take a few minutes to download the software the first time.
Next, what you have to do is configure the static IP address for the end-user machine.
- Right click on the webterm machine, click on Configure, and click on Network configuration.
- Configure the network as below and apply the config.
The client now restarts and comes back online with the new IP configuration. Once it is back online, double click on the device, which will open the Firefox window.
Try to access the management IP address of the Palo Alto firewall now.
You may get a security warning; just add the exception in Firefox and you will be able to see the Palo Alto GUI window like below.
You may log in with the default credentials, which are admin and admin.