When you want to build a Palo Alto lab and practice on it, you have multiple options.
You could use physical gear if you can afford it; otherwise, virtualize it.
Does GNS3 support Palo Alto?
In this blog, we will configure the Palo Alto firewall in GNS3 with a management IP and one public-facing interface connecting to the internet.
The Palo Alto firewall works perfectly fine in the GNS3 environment. I have done multiple POC labs in GNS3 with it. One drawback is that without a license, certain features will not work. But you should be able to get started and do many configurations that work fine.
I have created some more advanced labs in GNS3; you can check them out here once you have set up the Palo Alto in GNS3.
Certain things may not work well when installing the Palo Alto for the first time in GNS3.
I will hopefully close all those gaps, get you up and running in this lab guide, and save you a lot of frustration and time.
- Palo Alto Firewall Lab Setup-Allow Inside Users To The Internet
- How To Install Palo alto In VMware Workstation?
- How to Setup IPsec Tunnel between Paloalto and PFsense?
- How To Configure Palo Alto Site To Site VPN Using IPsec?
Before you start, there are a few prerequisites for this lab.
You need to have:
- Latest GNS3 software
- Palo Alto qcow2 image – You can get the file here. Versions 8 and 9 for KVM work great with GNS3.
Note: To get the Palo Alto image, you must have a service agreement with Palo Alto Networks.
If you don’t have a Palo Alto agreement, then Google will be your best friend 🙂
How To Install Palo Alto In GNS3?
Though I will install only one firewall in the topology, I will show you the KVM VM setup for both version 8.1.0 and 9.0. I will also point out the differences between Palo Alto version 8.1.10 and 9.0 during the installation, as I tested both versions in GNS3.
- Enable internet access on the GNS3.
- Install Palo Alto firewall VM in GNS3.
- Change the console for the Palo Alto firewall in GNS3.
- Change the network interface type.
- Configure the CPU.
- Configuration of Palo Alto management interface.
- Accessing Palo Alto management GUI in GNS3.
- Connect the Palo Alto to the internet.
- Configure an internet IP address for the firewall outside interface.
1. Enable internet access on the GNS3.
You might require internet access when you want to test some of the labs with Palo Alto, so before we proceed with the installation, let’s go ahead and configure internet access in GNS3.
Create a virtual adapter for GNS3.
How are we going to share the internet?
With a virtual adapter’s help, you can share your physical host’s internet access with GNS3.
We are going to configure the virtual adapter with the help of VMware Workstation.
You can go ahead and download and install VMware Workstation Pro.
You don’t need to have a full license. The trial license would work just fine. The idea here is to use VMware Workstation to manage the virtual adapters in GNS3.
After the installation, you may open the program and close it. That way, all the VMware Workstation services will start and be ready to use.
Next, you may click on Edit – Preferences in GNS3.
In the preferences window, click on VMware and go to Advanced local settings.
In the managed VMnet interfaces, select VMnet2 to VMnet2 and click on Configure.
It will create the VMnet2 virtual adapter on your local machine.
Configure the VMnet2 adapter to share internet access
You just installed the VMnet2 adapter on your machine; let’s go ahead now and configure it to use the internet.
Go to Start, then Run, type ncpa.cpl and click OK. That will open the network adapter configuration on your Windows machine.
You may right-click either the Ethernet or the wireless adapter, depending on which one you use to connect to the internet.
Then click on Properties. Since I am using a wired connection for the internet, I have right-clicked on it and checked the option which says Allow other network users to connect through this computer’s internet connection. Then select VMnet2 from the dropdown and click on OK.
As soon as you share the internet access, the VMnet2 adapter will start to use the 192.168.137.0/24 subnet.
It is very unlikely that you will use a public IP address in GNS3 and route traffic. By enabling the internet in GNS3, you are going to get an IP address from the private IP range 192.168.137.0/24.
Configure the GNS3 Cloud to connect to the internet.
In GNS3, open a new project.
On the left side, click on Browse end devices and add the Cloud to the project area.
You will get a prompt to choose a server. Remember that you configured VMnet2 on your local machine, so select the local machine as the server and click on OK. You may now right-click on the Cloud and click on Configure.
The cloud configuration window shows you the list of physical interfaces that are present in the machine.
In my machine, I could see three Ethernet interfaces. I will delete all three and check the option down below, which says Show special Ethernet interfaces.
Select the VMnet2 adapter that we have configured already and click on OK.
2. Install Palo Alto firewall VM in GNS3.
Alright, internet sharing has been done. Let’s go ahead and configure the Palo Alto in GNS3.
Open GNS3 and click on Security devices.
Then click on New template at the bottom.
In the new template wizard, select Install an appliance from the GNS3 server, and click Next.
On the next screen, expand Firewalls, select PA-VM (which represents the Palo Alto firewall) from the list, and click Install.
You will get a new pop-up window that says Install PA-VM appliance.
Select the option which says Install the appliance on the GNS3 VM (recommended) if you are using the GNS3 VM on your machine.
Select Install the appliance on a remote server if you are using a remote server.
If you are unfamiliar with the above options, then don’t worry. I have created a step-by-step guide on installing GNS3 on your machine here.
Once you select the option, click Next.
Click Next again on the Qemu binary window.
I am going to install Palo Alto version 8.1.10. However, the version is not on the list; hence do the following.
- Select Palo Alto version 8.1.0
- Check the option which says ‘Allow custom files.’
- Click Yes on the MD5 notification
Click on Import and browse for the Palo Alto qcow2 image.
Since the version that I have is 8.1.10 although I selected 8.1.0, you may get the same MD5 error again; click on Yes.
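The steps above click through the MD5 prompt, so GNS3 no longer checks the image for you. As an added example (not part of the original guide or of GNS3), the Python script below checks a qcow2 file before you import it: it parses the qcow2 header, flags an embedded backing-file reference, and compares the file digest with the one published for your exact release. `EXPECTED_SHA256` is a placeholder you must fill in, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import struct
import sys

QCOW2_MAGIC = b"QFI\xfb"
# Placeholder (assumption): paste the digest published for your exact image.
EXPECTED_SHA256 = "<sha256-published-for-your-image>"


def inspect_qcow2(path):
    """Parse the fixed big-endian qcow2 header fields."""
    with open(path, "rb") as f:
        header = f.read(32)
    if len(header) < 32 or header[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, _, _, virtual_size = struct.unpack(">IQIIQ", header[4:32])
    return {"version": version, "backing_file": backing_off != 0,
            "virtual_size": virtual_size}


def file_digest(path, algorithm="sha256", chunk=1 << 20):
    """Hash the file in chunks so multi-gigabyte images do not fill RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="sha256"):
    """Return (ok, reasons); ok is True only if every check passes."""
    reasons = []
    try:
        if inspect_qcow2(path)["backing_file"]:
            # A backing file makes QEMU open another path on the host.
            reasons.append("image references a backing file")
    except ValueError as exc:
        reasons.append(str(exc))
    actual = file_digest(path, algorithm)
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        reasons.append(f"{algorithm} mismatch: got {actual}")
    return (not reasons, reasons)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_image.py <image.qcow2>")
    ok, reasons = verify_image(sys.argv[1], EXPECTED_SHA256)
    print("OK to import" if ok else "DO NOT import: " + "; ".join(reasons))
```

Run it against the downloaded file before the Import step; a mismatch or a backing-file reference means the file is not the image you think it is.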
As you can see below, the Palo Alto KVM image upload has now started, and it will take some time depending on the network connectivity between the GNS3 client and the server.
Once the upload is completed, you will see the status as Ready to install. Select the version again, and click on Next.
You will get a prompt which says Would you like to install PA-VM version 8.1.0 (ESX)? Click Yes.
Note: Don’t worry about the VMDK extension. Though we have a qcow2 file, it would work just fine.
The properties of the Palo Alto VM look like below. This window tells you about the default admin credentials and the basic configuration for setting up the management interface. Click on Finish on this screen.
You will get the prompt below, which indicates that the Palo Alto firewall was installed successfully. Click on OK now.
3. Change the console for the Palo Alto firewall in GNS3.
You will now be able to see the firewall added under the security devices, like below.
You have now installed the Palo Alto firewall VM in GNS3, and it would start to work now. However, there is one more change you have to make.
While installing the Palo Alto VM, we installed it with telnet as the console. That’s good, but telnet doesn’t work well with the device; hence, I will change to the VNC console.
I had many telnet issues with the Palo Alto KVM version 8 image, which doesn’t show proper output on the window.
Note: I didn’t notice any sort of telnet issue on version 9 or higher, so you may skip this step if you install the Palo Alto VM version 9.
Right-click on the Palo Alto firewall and click on Configure template.
Under General settings, change the console type from telnet to VNC.
4. Change the network interface type.
By default, the Palo Alto firewall is installed with the interface type set to Paravirtualized Network I/O. You will have to change that as well.
This step is crucial. If you don’t change it, you can only use the management interface, not any other zone interfaces.
To change the network interface type, on the same configuration template window you opened in step 3, click on the Network tab.
Click on the network interface Type dropdown and select Intel Gigabit Ethernet (e1000).
5. Configure the CPU
The Palo Alto firewall would work just fine with one CPU. However, to get good performance, you need to change the CPU count to two.
In the same VM configuration window, click on General settings.
Change the CPU value to two, and click on OK.
Alright, you have now successfully installed the firewall. Let’s go ahead and start the network configuration.
6. Configuration of Palo Alto management interface.
Drag and drop the firewall to the work area, right-click on the device, and power it on by clicking Start.
Double-click on the device to open the console, and on the Palo Alto VM console, enter the username as admin and the password as admin.
Note: You may have to wait for some time, as booting the VM takes about 5-10 minutes. During this time, if you try to log in to the device, you may get an error that says ‘login incorrect’, which is expected.
If you are using Palo Alto version 9, then when you try to log in with the admin credentials, it will ask you to change the password right away.
Configure the management IP address of the firewall using the commands below.
Here I am using the IP address 10.1.1.1. You may use the same or any other IP that you want to use.
```
configure
set deviceconfig system type static
set deviceconfig system ip-address 10.1.1.1 netmask 255.255.255.0
commit
exit
```
Exit out of the configuration mode by typing the command exit.
You may verify the IP address configuration by entering the command show interface management. As you can see, the management IP address of the Palo Alto firewall is now configured.
7. Accessing Palo Alto management GUI in GNS3.
Well, we configured the management IP address of the firewall, and it all looks good, but how do we access the Palo Alto GUI in GNS3?
You can access the firewall GUI using the GNS3 built-in Firefox host called the webterm client, or using your local machine itself.
Let’s look at both options.
1. Adding a Webterm client to access the Palo Alto GUI.
Just like you would add an end-user machine for internet access in GNS3 using webterm, you can use the same approach and add the end-user machine as webterm. That way, you can connect to the Palo Alto web GUI.
- Click on End devices.
- And click on New template.
- Select the option Install an appliance from the GNS3 server and click on Next.
- Search for webterm. You will be able to see the Webterm host under Guests.
- Click on that and click on Install.
On the next screen, you may choose the GNS3 server or the GNS3 VM, depending on how you have set up GNS3.
You will get a success message after you install the webterm client.
You can see the device under the End devices now.
From the End devices tab in GNS3, drag and drop the webterm end-user machine to the topology.
Note: You need internet access to download the webterm client, and it would take a few minutes to download the software for the first time.
Next, configure a static IP address for the end-user machine.
- Right-click on the webterm machine, click on Configure, and click on Network configuration.
- Configure the network as below and apply the config.
The client now restarts and comes back online with the new IP configuration. Once it is back online, double-click on the device to open the Firefox window.
2. Access Palo Alto GUI from the local machine
In the first step, to access the internet, we configured a VMnet2 interface, right?
To connect your local machine to the firewall management interface via GNS3, you need to have one more interface.
Let’s go ahead and configure a VMnet5 for that purpose.
Just like before, start GNS3 and click on Edit – Preferences.
In the preferences pop-up, click on VMware and click on Advanced local settings.
In the managed VMnet interfaces, select VMnet5 to VMnet5, then click on Configure.
That would create the VMnet5 virtual adapter on your machine.
Go to Start – Run and type ncpa.cpl, which would open up all the interface configurations you have.
Right-click on VMnet5 and click on Properties.
Double-click on Internet Protocol Version 4 (TCP/IPv4). Enter the IP address and its subnet mask like below. I am configuring the IP address as 10.1.1.15 and the subnet mask as 255.255.255.192; then click on OK.
Add one more cloud to the project area.
Right-click on the cloud, click on Configure, and check the option which says Show special Ethernet interfaces.
Then select VMnet5, delete all other Ethernet interfaces, and click on OK.
You cannot connect both the webterm and the local machine directly to the same management interface. To do that, you may add a built-in Ethernet switch to the topology and connect both the cloud and the webterm to it.
Once connected, the topology would look like below.
Try to ping the firewall IP from your local machine, and you should be able to receive a response.
Finally, access the Palo Alto GUI in GNS3
Try to access the management IP address of the Palo Alto now from both the webterm and the local machine.
You may get a security warning. Just add the exception in Firefox, and you should be able to see the Palo Alto GUI window like below.
You may log in with the default credentials, which are admin and admin.
If you are using version 9.0 or higher, then the firewall would prompt you to change the GUI password as well, as you can see below.
After typing the new password, click on Change password.
Then you can log in with the new credentials.
As you can see below, we have successfully installed Palo Alto VM version 9 in GNS3.
8. Connect the Palo Alto to the internet
Remember that you configured a cloud in step 1, but we never connected it to the Palo Alto VM. Connect the cloud to the Palo Alto interface ethernet1/1.
Once connected, the topology would look like below.
9. Configure an internet IP address for the firewall outside interface.
Go to Network, then click on Interfaces.
Click on ethernet1/1.
Change the interface type to Layer3 and set the virtual router to default.
Click on IPv4, check the option DHCP Client, and click on OK.
In the top right corner, click on Commit for the changes to take effect.
After you commit the changes, you should be able to see the interface in green, which indicates that the interface was configured successfully.
To see the IP address that is given by DHCP, you may click the interface again.
In the IPv4 tab, click on Show DHCP Client Runtime Info.
Here you can find the IP address that is allocated by DHCP, which is 192.168.137.9.
We have successfully installed the Palo Alto firewall in GNS3. In case you run into any issues, I have added some troubleshooting steps below.
We also need to see how you can allow the inside users to reach the internet, which is covered here in more detail.
There are times when your Palo Alto firewall cannot communicate with the host machine, for example after you left the PC idle and it went to sleep. This is how you can troubleshoot the issue.
- Make sure the local machine firewall or antivirus software is not blocking the network traffic coming out of GNS3. To test that, you may disable the antivirus software on your local PC and reopen the topology.
If disabling it did the trick, you may go to the antivirus software rules and allow the subnets that you could not access.
- If that didn’t fix the issue, then follow the steps below.
- You can disconnect the link between the Palo Alto firewall and the cloud.
- In GNS3, go to Edit -> Preferences -> VMware -> Advanced settings.
On the interfaces, select the interface that you have issues with, for example, VMnet5 to VMnet5, and then click on Configure.
GNS3 will reset the interface to its default.
- You may close GNS3, go back to the network adapter configuration on your local machine, and reconfigure the subnet that you want to use, for example, 10.1.1.15/24.
- Open GNS3 and the topology that you were working on, and connect the cloud to the firewall again. It should fix the issue, and you should be able to access the firewall GUI from your local machine.