6 Easy Steps to Configure a Palo Alto Firewall in GNS3

Saifudheen Sidheeq | Networking

When you want to practice Palo Alto labs by yourself, you have multiple options.

You could use physical gear if you can afford it; otherwise, virtualize it.

In this blog, we are going to configure a Palo Alto firewall in GNS3. We are going to install the firewall with a management IP and one public-facing interface connected to the internet.

Some things may not work when you first try to install Palo Alto in GNS3 by yourself. I am going to close all those gaps and get you up and running in this lab guide, saving you a lot of frustration and time.

Before you start, there are certain prerequisites for this lab.

You need to have:

  • Latest GNS3 software
  • Palo Alto qcow2 image: You can get the file here.
    Note: To get the Palo Alto image, you must have a service agreement with Palo Alto Networks.

Steps to install the Palo Alto firewall in GNS3:

  1. Enable internet access in GNS3.
  2. Install the Palo Alto firewall VM in GNS3.
  3. Change the console for the Palo Alto firewall in GNS3.
  4. Change the network interface type.
  5. Configuration of the Palo Alto management interface.
  6. Accessing the Palo Alto management GUI in GNS3.

Step 1. Enable internet access in GNS3.

Follow this guide to enable internet access in GNS3.

It is very unlikely that you are going to use a public IP address in GNS3 and route traffic. By enabling internet access in GNS3, you are going to get an IP address from the private IP range 192.168.137.0/24.

Step 2. Install the Palo Alto firewall VM in GNS3.

Open GNS3, click on Security devices, and then click on New template at the bottom.

In the New template wizard, select Install an appliance from the GNS3 server and click Next.

On the next screen, expand firewall, select PA-VM (which represents the Palo Alto firewall) from the list, and click Install.

Select the option that says Install the appliance on the GNS3 VM (recommended) if you are using the GNS3 VM on your machine, or Install the appliance on a remote server if you are using a remote server.

Once you have selected the option, click Next.

Click Next again on the Qemu binary window.

I am going to install Palo Alto version 8.1.10. However, that version is not in the list, so do the following:

  1. Select Palo Alto version 8.1.0.
  2. Check the option that says 'Allow custom files'.
  3. Click Yes on the MD5 notification.

Click on Import and browse for the Palo Alto qcow2 image.

Because the image I have is version 8.1.10 even though I selected 8.1.0, you may get the same MD5 error again. Click Yes on that one as well.
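The MD5 notification appears because GNS3 compares the imported file with the checksum recorded for the selected template version, and an 8.1.10 image cannot match the 8.1.0 entry. Since clicking Yes skips that comparison, the following added example (not part of the original guide or of GNS3) checks the image against a SHA-256 you recorded from your download source before you import it. The appliance field names (images, version, md5sum, filesize) are assumed to follow the GNS3 appliance JSON layout, and all file names and contents are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algo, chunk=1 << 20):
    """Hash a (possibly multi-GB) disk image in chunks; returns lowercase hex."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def matching_versions(appliance, image_path):
    """Template versions whose md5sum and filesize match the image.
    Field names are an assumption about the GNS3 appliance JSON layout."""
    md5 = file_digest(image_path, "md5")
    size = os.path.getsize(image_path)
    return [img["version"] for img in appliance.get("images", [])
            if img.get("md5sum", "").lower() == md5
            and img.get("filesize", size) == size]

def verify_download(image_path, expected_sha256):
    """True only if the image matches the SHA-256 recorded from the download source."""
    actual = file_digest(image_path, "sha256")
    return hmac.compare_digest(actual, expected_sha256.strip().lower())

def demo():
    """Constructed data: a stand-in '8.1.10' image checked against an '8.1.0' entry."""
    content = b"constructed stand-in for the 8.1.10 qcow2 image"
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "PA-VM-KVM-8.1.10.qcow2")  # constructed file name
        with open(image, "wb") as f:
            f.write(content)
        appliance = {"name": "PA-VM", "images": [{  # constructed appliance entry
            "filename": "PA-VM-ESX-8.1.0-disk1.vmdk", "version": "8.1.0 (ESX)",
            "md5sum": hashlib.md5(b"stand-in for the 8.1.0 image").hexdigest(),
            "filesize": 28}]}
        expected = hashlib.sha256(content).hexdigest()  # value you would record at download
        template_match = matching_versions(appliance, image)  # no entry matches: prompt shown
        intact = verify_download(image, expected)
        with open(image, "ab") as f:
            f.write(b"\x00")  # simulate a truncated or altered upload
        corrupted = verify_download(image, expected)
    return template_match, intact, corrupted

if __name__ == "__main__":
    print(demo())
```

An empty match list with a passing SHA-256 check is the situation this guide describes: the file is the one you downloaded, it is simply not the version the template lists.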

The Palo Alto KVM image upload now starts. It will take some time, depending on the network connectivity between the GNS3 client and the server.

Once the upload is complete, the status changes to Ready to install. Select the version again and click Next.

You will get a prompt that says Would you like to install PA-VM version 8.1.0 (ESX)? Click Yes.

Note: Don't worry about the vmdk extension even though we have a qcow2 file; it works just fine.

The next window shows the properties of the Palo Alto VM. It tells you the default admin credentials and the basic configuration needed to set up the management interface. Click Finish on this screen.

You then get a prompt indicating that the Palo Alto firewall was installed successfully. Click OK.

Step 3. Change the console for the Palo Alto firewall in GNS3.

You will now be able to see the firewall added under Security devices.

You have now installed the Palo Alto firewall VM in GNS3 and it would start to work, but there is one more change you have to make.

The Palo Alto VM was installed with telnet as the console type. That works, but telnet doesn't work well with this device, so I am going to change the console to VNC.

Personally, I had a lot of issues with telnet on the Palo Alto KVM image, which doesn't show proper output in the window.

Right-click on the Palo Alto firewall and click Configure template.

Under General settings, change the console type from telnet to VNC.

Step 4. Change the network interface type.

By default, the Palo Alto firewall is installed with the interface type Paravirtualized Network I/O; you will have to change that as well.

This step is very important: if you don't change it, you can only use the management side, not any other zone interfaces.

To change the network interface type, click on the Network tab in the same Configure template window that you opened in step 3.

Click on the network interface Type dropdown and select Intel Gigabit Ethernet (e1000).

You have now successfully installed the firewall. Let's go ahead and start the network configuration.

Step 5. Configuration of the Palo Alto management interface.

Drag and drop the firewall into the work area, right-click on the device, and power it on by clicking Start.

Double-click on the device to open the console. On the Palo Alto VM console, enter admin as the username and admin as the password.

Note: You may have to wait for some time, as the VM takes about 5-10 minutes to boot. If you try to log in to the device during this time, you may get an error that says 'login incorrect', which is expected.

Configure the management IP address of the firewall using the commands below.

Here I am using the IP address 10.1.1.1; you may use the same or any IP that you want to use.

configure
set deviceconfig system type static
set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0
commit
exit

Exit configuration mode by typing the command exit.

You can verify the IP address configuration by entering the command show interface management. The output shows that the management IP address of the Palo Alto firewall is now configured.

Step 6. Accessing the Palo Alto management GUI in GNS3.

We have configured the management IP address of the firewall and it all looks good, but how do we access the Palo Alto GUI in GNS3?

You can access the firewall GUI using the GNS3 built-in Firefox host, the webterm client.

Adding the GUI client using Webterm.

Just as you added the end-user machine for internet access in GNS3 using webterm, you can use the same approach here and add an end-user machine as webterm so that you can connect to the Palo Alto web GUI.

  • Click on End devices.
  • Click on New template.
  • Select the option Install an appliance from the GNS3 server and click Next.
  • Search for webterm; you will see the Webterm host under Guests.
  • Click on it and click Install.

On the next screen, choose the GNS3 server or the GNS3 VM, depending on how you have set up GNS3.

You will get a success message after you install the webterm client.

You can now see the device under End devices.

From the End devices tab in GNS3, drag and drop the webterm end-user machine and connect it to the Palo Alto management interface.

Note: You need internet access to download the webterm client, and it takes a few minutes to download the software the first time.

Next, configure a static IP address for the end-user machine.

  • Right-click on the webterm machine, click Configure, and then click Network configuration.
  • Configure the network as below and apply the config.

The client now restarts and comes back online with the new IP configuration. Once it is back online, double-click on the device to open the Firefox window.

Now try to access the management IP address of the Palo Alto firewall.
https://10.1.1.10

You may get a security warning. Add the exception in Firefox and you will be able to see the Palo Alto GUI window.

You may log in with the default credentials, which are admin and admin.