As you know if you wanted to get hands-on and practice the Palo alto firewalls, the best place is to virtualize them. As many of you out there may not have the options to set up a physical lab. However, there are alternate ways to spin up the Palo alto lab in the cloud using AWS, but that again will incur a cost when you use the compute resources.
So, it is better to virtualize them on your local environment to practice the lab. I have covered, how you can setup a Palo alto lab in gns3, also allow the end-user machine to the internet in my previous posts.
Can I install Palo alto in VMware workstation?
If you have good decent computer configuration, you can setup Palo alto firewall in VMware workstation.
In this blog, we are going to install Palo alto firewall in VMware workstation. Post which we would configure NAT and security policies, and DHCP services in the Palo alto firewall. Finally, test the connectivity using the end-user hosts.
And here is the topology that we are going to build.
- Download Palo alto ova image.
I am using PA-VM-ESX-9.0.0.ova. You need to have partner account in order to download the Palo alto ova image from the Palo alto web portal. If you don’t have one, google will be your best friend 😊
- VMware workstation pro
I am using VMware workstation 16 in this lab and any older versions of VMware workstation will work as well. You can get VMware workstation here.
Steps to configure palo alto firewall on VMware.
- Setup the VMware network for Palo Alto.
- Configure Palo alto in VMware workstation.
- Configure the Palo alto interface in VMware workstation.
- log in to the VM and Verify the Palo Alto management network.
- Access the Paloalto web GUI.
- Interface Management profile creation.
- Palo alto Firewall Zone creation.
- Create the outside interface.
- Validate the outside interface.
- Verify the ICMP traffic.
- Configure the inside interface.
- Configure the LAN users to access the internet.
1. Setup the VMware network for Palo Alto.
We would require 3 network interfaces to start the lab.
Open VMware workstation pro and click on edit and click virtual Network Editor.
1st interface – Palo alto Management interface – will use VMnet2.
As you can see the VMnet2 I configured with DHCP that way the management interface will get the IP address from the virtual adapter DHCP server
2nd interface – Outside (Untrusted) interface connected to the internet – Will use VMnet8 (NAT) interface.
3rd interface – inside interface – we will use VMnet3 for this purpose. I have disabled the DHCP for the 3rd interface.
2. Configure Palo alto in VMware workstation.
After the VMware network configuration part is completed, you need to import the Paloalto VM appliance into the VMware workstation.
- Go back to the file that you have downloaded.
You can double click or right click on click on open with VMware workstation.
- You will be asked to name the VM and choose the storage for the VM.
Name the firewall according to your lab setup, I am using Palo-alto-fw-01 and the path I changed to custom location. You may leave the default if needed.
The VM import now begin, and it will take few minutes to complete.
Once completed you should be able to see the VM properties, as you can see below though we didn’t configure the VM resources, it is picked up by the VM automatically.
3. Configure the Palo alto interface in VMware workstation.
The Palo alto VM picked up the memory as 5.5GB, you may reduce it if you would like, the 4GB is the minimum recommended by the Palo alto.
It also picked up the 3 network interfaces, we need make some changes on that according to our lab. So click on Edit virtual machine settings on the top, a new pop window will open.
All the three interfaces have been configured to use bridged interface by default, but we are not going to use the bridged interface rather we will use the custom adapter which we have setup initially.
We have configured the network as per our network configuration, you may click on Ok now.
Let’s go ahead and power on the Virtual machine by clicking power on the virtual machine.
4. log in to the VM and Verify the Palo Alto management network.
It will take some time for the VM to load, just give it about 5mins for the VM to load properly. During this time, when you get a prompt to enter the credentials you won’t be able to login, as it would say the credentials are incorrect.
You will have to wait to see the login prompt as PA-VM login:
The default credentials are
And I was able to login to the VM successfully, once logged in you should be able to see the screen below.
If you have followed the steps till this point, your paloalto VM will be configured with the management interface with the DHCP IP address.Type show interface management to see the management IP configuration.
As you can see the management IP is configured with DHCP IP address, lets try to ping the management default gateway to see whether you are able to reach the gateway or not.
Awesome! we are able to reach the default gateway which means you should now be able to access the Paloalto gui from your local machine.
In case if you are planning to use Static IP address for the management purpose, then you can follow the guide here and come back.
5. Access the Paloalto web GUI.
We have successfully configured the Paloalto management interface in the VMware workstation.
Open the browser and type https://192.168.120.133
You will be presented with the security warning, ignore that and you should now be able to see the palo alto web GUI page, where it is prompting you to enter the username and password.
Enter the same credentials that you entered before.
6. Interface Management profile creation.
We are going to create a management profile that we can use to attach to the interface for the ICMP traffic to work.
Click on the Network tab and under Network profiles click on Interface Mgmt.
On the screen, click on Add on the left bottom corner to add the interface management profile.
Name the profile as Allow-ping and tick the Ping option and click on Ok.
7. Palo alto Firewall Zone creation.
The management configuration is done, and we are now able to access the firewall using the management IP.
Next we need to configure the zone for the inside as well as the outside.
Click on Network and click on Zone.
On the down bottom left corner, click on Add to add new zone.
Provide the name outside and select the interface type Layer3 and click on Ok.
We don’t have any interfaces to add yet, which we will be doing it next.
The outside zone is created, now click on the same add button to create the inside zone with the layer3 type.
You have now created the outside and inside zone.
You can go ahead and commit the configuration that you have mad so far.
Click on Commit on the right top corner.
After the commit was successful, let’s go ahead and configure interfaces to be part of these zone.
8. Create the outside interface.
Remember we have configured the first interface as NAT on the VMware workstation, and we are going to configure the same interface inside the Palo alto firewall.
Go to the network and click on the interfaces.
The first interface ethernet1/1 is our outside interface connected to the NAT, after the configuration the outside interface will start to receive the IP address from the DHCP server on the NAT.
Click on the Ethernet1/1, the interface configuration window will pop up.
Choose the interface type as Layer3 and In the config tab attach the virtual router as default and the security zone as outside.
Click on the IPv4 tab.
As we are going to configure the outside interface as DHCP, tick the DHCP Client.
We are not going to configure IPv6 here, hence click on Advanced tab.
Under Other info, you need to attach the management profile that we created earlier, from the management profile drop down, select Allow-ping and click on OK.
Commit the configuration you just made.
9. Validate the outside interface.
We just configured the outside interface a DHCP client, how do you see the IP address configured on the interface?
On the interfaces tab, under IP address you should be able to see Dynamic-DHCP client, click on that and that will show the interface that is configured on the device.
As you can see the we got the ip address 192.168.127.130 from the NAT DHCP server from the VMware workstation.
10. Verify the ICMP traffic.
You should now be able to reach the internet using the outside interface.
Lets first check the default gateway reachability and then the internet.
Go back to the firewall CLI, ping the default gateway 4 times, that is 192.168.127.2 from the outside interface.
The ping command will be ping count 4 source 192.168.127.130 host 192.168.127.2
And to test the internet connectivity, let’s try to ping the google dns IP 220.127.116.11, so replace the default gateway from the previous command.
As you can see, I am getting the response from both the gateway as well as the internet IP addresses which indicate that we are able to reach the internet via outside interface.
11. Configure the inside interface.
Like how we have configured the outside interface, lets go ahead and configure the inside interface.
You can back to the network and click on interfaces, in the interfaces click on ethernet1/2 which is our internal interface.
Configure the interface Type as Layer3.
In the config tab, choose the virtual router as default and the security zone as inside.
You may click on the IPv4 tab now.
All our Lan users will be connected to the inside interfaces, and remember we disabled the DHCP from the VMware workstation ? we are going to configure the IP address manulaly here.
The IP address that we are going to configure is 10.1.1.1/24.
Click on Static and add the same Ip address.
Click on Advanced tab
Add the management profile allow-ping here.
Click on Ok and commit the configuration.
So far, we configured the management interface, and created the outside and inside zones, then added outside interface that is connected to the internet and another inside interface that is connected to the LAN.
12. Configure the LAN users to access the internet.
The next objective is to allow inside users to outside so that they can access the internet. Follow the steps below to accomplish that.
- Configure the policy to allow inside users to outside.
- Configure NAT policy
- Configure the DHCP server.
- Test the connectivity.
1.Configure the policy to allow inside users to outside.
We are going to allow the inside users to talk to the outside world in Palo alto firewall, to do that we need to configure security policies on the firewall.
Click on Policies tab and click on Security
Click on the Add button to add the security policy.
Provide the name for the Policy under General tab.
Click on Source tab.
Choose the security zone as inside and the source address as our inside interface subnet which is 10.1.1.0/24
Click on the Destination tab.
Choose the source zone as outside.
Click on the Action tab and choose the action to allow.
That’s it you just configured the policy to allow the end users to reach the outside.
2. Configure the NAT policy.
In the same Policies tab, click on NAT on the left side.
Click on the Add button.
Name the NAT policy name under the General tab.
In the Original packet, choose inside as the source Zone, add the source address as 10.1.1.0/24
Click on Translated packet.
We are using dynamic IP and port based transalation.
Click on Translation Type as Dynamic IP and Port.
Address Type as Interface Address.
Click on Ok.
3. Configure the DHCP server.
For the end users to talk to the outside world the end user machine should have IP configured, you can configure the IP as static or dynamic. We are going to configure the dynamic IP configuration on the Paloalto firewall using the DHCP.
Click on the network and click on DHCP on the left.
Click on Add to configure the DHCP service.
Our inside LAN interface is ethernet1/2 hence choose that.
We are going to configure the IP address range from 10.1.1.10-10.1.1.100 so configure the pool accordingly.
Click on the Options tab.
Configure the gateway as 10.1.1.1
Configure the Primary and secondary DNS as 18.104.22.168 and 22.214.171.124 respectively.
That’s it you have successfully configured the DHCP, go ahead and commit the changes on the firewall.
4. Test the connectivity.
Let’s assume for a second our current setup with the real network. We have configured everything with respect to the network or the infrastructure, now you need to ask the users to start connecting their host to the network to test the connectivity. So, in the lab how do we do that.
We can rely on the virtualization again.
I have already configured the Centos and the Linux mint in VMware workstation, right click on both the VM’s and change its interface to VMnet3 that is the inside interface of our firewall.
Power on both the VM.
I have configured both the VM to get the network via DHCP.
As soon as Linux mint came up, it got the IP address 10.1.1.10 – The first IP on the DHCP pool that we configured.
Lets try to ping www.google.com also browse the internet.
Also, I am able to access the internet on the Linux mint host.
Let’s look at the second host which is a CentOS.
As you can see, I got the second IP in the lease from the DHCP server, I am able to ping www.google.com as well.
We can successfully able to browse the internet from the Centos as well.
We have successfully configured a simple Palo alto lab using VMware workstation. We can do many more with the unlicensed version of the firewall and it should work fine. But there will be certain roadblocks with respect to configuring the advanced features of the Palo alto firewall. However, for those who wanted to start off, the unlicensed version should work just fine.