
How to Connect Palo Alto Next Generation Firewall VM to GNS 3

Date post: 06-Jul-2018
Upload: ankur-saxena

Transcript
  • 8/17/2019 How to Connect Palo Alto Next Generation Firewall VM to GNS 3

    1/20

    How to connect Palo Alto Next Generation Firewall VM to GNS 3

    In this guide I will show how to connect VMware running a Palo Alto Next Generation Firewall image to GNS3 and configure some of the basic functions.

    First, we need to install VMware Workstation (VirtualBox will not work with Palo Alto because we need to use VMXNET 3 drivers).

    After successful installation of VMware, we need to add some local host adapters. My configuration will be based on the network topology shown below:


    So, we will need 5 adapters:

    VMnet 0 for our management interface (the default range used by PA is 192.168.1.0, but I need to change it for my tests).

    VMnet 1 for the internal network (INSIDE).

    VMnet 2 for the external network (OUTSIDE).

    VMnet 3 for the DMZ network.

    VMnet 4 for Windows XP (this one is optional).


    Next, we need to add our adapters to the PA virtual machine:


    Now we need to edit the VMX file.

    We need to change all ethernetX.virtualDev values to vmxnet3 (X is the adapter number).


    Now we can log in to our device (default username and password: admin/admin). If that does not work, try setting some random values for ethernetX.virtualDev; this will force the VM to start in some kind of "safe mode", and then you can restore the default settings.

    After a successful login we need to set up our management interface:

    IP address: 172.168.1.150

    Default gateway: 172.168.1.2 (in my case this is the IP address of the Router 2 interface)

    DNS server: 8.8.8.8

    After configuring it, we need to use the "commit" command to save the configuration.

    Now we need to match the MAC addresses used by the PA interfaces with our VM adapters:

    Ethernet1/1 = VMnet 1

    Ethernet1/2 = VMnet 2

    Ethernet1/3 = VMnet 3
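
Added example (not part of the original guide): a Python helper for the two VMX steps above, switching every present adapter to vmxnet3 and listing each adapter's VMnet and MAC so the rows can be compared with the MAC the firewall reports for Ethernet1/x. The sample VMX text and its MAC addresses are constructed; the keys used (ethernetN.present, .virtualDev, .vnet, .generatedAddress, .address) are standard VMware VMX keys, and the function names are hypothetical.

```python
import re

# Constructed sample VMX fragment (not from the page); MAC addresses are made up.
SAMPLE_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.vnet = "VMnet0"
ethernet0.generatedAddress = "00:0C:29:AA:BB:00"
ethernet1.present = "TRUE"
ethernet1.vnet = "VMnet1"
ethernet1.generatedAddress = "00:0C:29:AA:BB:0A"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "e1000"
'''

LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.I)

def present_nics(vmx_text):
    """Return {index: {key_lower: value}} for adapters with present = "TRUE"."""
    nics = {}
    for line in vmx_text.splitlines():
        m = LINE.match(line)
        if m:
            nics.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(3)
    return {i: n for i, n in nics.items() if n.get("present", "").upper() == "TRUE"}

def force_vmxnet3(vmx_text):
    """Set virtualDev to vmxnet3 on every present adapter, adding the key if absent."""
    present, seen, out = set(present_nics(vmx_text)), set(), []
    for line in vmx_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2).lower() == "virtualdev" and int(m.group(1)) in present:
            line = f'ethernet{m.group(1)}.virtualDev = "vmxnet3"'
            seen.add(int(m.group(1)))
        out.append(line)
    # Adapters that had no virtualDev line at all get one appended.
    out += [f'ethernet{i}.virtualDev = "vmxnet3"' for i in sorted(present - seen)]
    return "\n".join(out) + "\n"

def mac_table(vmx_text):
    """(adapter, vnet, MAC) rows to compare against the MACs the firewall reports."""
    return [(f"ethernet{i}", n.get("vnet", "?"),
             (n.get("address") or n.get("generatedaddress", "?")).lower())
            for i, n in sorted(present_nics(vmx_text).items())]

if __name__ == "__main__":
    for row in mac_table(force_vmxnet3(SAMPLE_VMX)):
        print(*row)
```

Run it against a copy of the .vmx file while the VM is powered off, then write the result back.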


    Now we can access the GUI from a web browser at https://172.168.1.150

    As in the CLI, we need to log in using name=admin and password=admin.

    The dashboard looks like this (I have cleared out the dashboard a bit ;)



    We need to create 3 zones. Under Network choose Zones and then Add.


    Next we need to configure an Interface Management profile. Here we can define what kind of services will be allowed.

    Under Network choose Network Profiles -> Interface Mgmt -> Add.


    Now we can move on to configuring our interfaces.

    Under Network choose Interfaces and Add.

    For interface ethernet 1/1 the configuration looks like this:

    Interface Type: Layer 3

    Virtual Router: default (if you need to split your routing table you can create as many virtual routers as you need and assign them to different interfaces).

    Next we need to give the interface an IP address: 10.128.1.1/24.


    Now we need to assign our management profile to our interface.

    Under the ethernet interface choose Advanced, then Other Info, and choose the management profile.

    Remember to use the commit button to save your configuration.

    Creation of all interfaces looks the same. The final configuration should look like this:

    Once everything is up and running, the Link State should be green.


    Now we can configure some static routes (to subnet 10.0.0.0 and the internet).

    Under Virtual Router choose "default", then Static Routes and Add.


    Now we can configure some NAT rules.

    First, we need to configure dynamic NAT to enable connections to the internet for hosts placed in our INSIDE zone.

    Under Policies choose NAT and Add.

    Next we need to select the source zone and destination zone:


    Next we need to select the translation type and the interface that faces the internet.

    In the case of static NAT I cannot show the right way to do this, so maybe someone else would explain it ;)

    Now we can configure some security policies to allow or deny connections between two zones.

    Under Policies choose Security and Add.

    Now we need to name our security policy.


    Select the source zone.

    Select the destination zone.


    Select applications.


    Now we can choose whether we want to allow or deny connections through the selected applications between zones INSIDE and OUTSIDE.

    Security policies for the other zones:


    Sample traffic logs (you need to have a licensed version of PA to check logs):


    Under ACC you can check specific information about applications.


    I hope this guide will be useful for someone. Happy labbing!

