The Palo Alto Networks firewall is quite an amazing piece of engineering. This state-of-the-art firewall not only includes traditional firewalling on layer 3 and 4, but it also provides application-level firewall capabilities, user-level policies, DDoS protection, threat prevention, and a whole lot more. In short, it makes a network and security guy like me drool.
I’ve got a strong background with Palo Alto Firewalls. I obtained my Palo Alto ACE certification after using it in the workplace as well as in school. I have spent a lot of time configuring the Palo Alto, using it to mitigate threats such as DDoS attacks, and more. If that wasn’t enough, Palo Alto Networks sponsors the Information Technology major at Brigham Young University. As a result, I have access to an education license to a Palo Alto virtual firewall as well as some training material. Thank you Palo Alto!
This post is a step-by-step guide to installing the Palo Alto firewall on my home network. I know it is a bit overkill for a home network, but for someone as involved as I am it is the perfect learning opportunity.
Required Materials
- Palo Alto virtual firewall (VM-100) VMware image
- ESXi 6.0 server
Optional Materials
- A consumer router or access point
- A Windows/Linux VM
Hardware I used
- CPU: Intel core i5-4670 @ 3.40 GHz
- RAM: 8 GB
- Storage: 120 GB SSD
- 2 NICs: (I have an integrated NIC and TP-Link USB UE300)
End Result:
The VMWare diagram below shows you what I am working towards.
The Hardware setup
Before I dive into configuring the network and Palo Alto, let me tell you a bit about the hardware setup. I chose the OptiPlex 9020 simply because it was available for me to use for free (again through the IT major at BYU). Palo Alto recommends 4GB allocated to its VM as a minimum, and VMWare recommends about 4GB for its own ESXi server as well. After everything is installed and working, I’m only consuming about 5.2GB of RAM. The SSD is a nice bonus as well. But what might raise an eyebrow is that TP-Link NIC. The motherboard only has one NIC, so I needed a second. Thankfully I had the TP-Link NIC, and that Jose Gomes provides a driver for a few select USB NICs for ESXi servers.
Setting things up in VSphere
- Connect ESXi to the LAN port on a router. This gives the NIC an IP address that you can connect to using VSphere.
- Connect to ESXi using VSphere.
- Upload the Palo Alto VM-100 to ESXi
- The VM I was given was originally compatible with VMWare Workstation 12. I had to make it compatible with older versions of VMWare before uploading it to my ESXi box.
- Create the VMWare networks
- My trusted/internal network is vSwitch0. I’ve put two port groups on here. The first is for devices connecting on the trusted network and is called VM Network. I also have a VMKernel for ESXi management connected on the trusted network. I also have a Windows VM called PAManager as a way to troubleshoot as needed. The second port group is called PAManagementNetwork.
- vSwitch1 is where the untrusted network connects and connects to my ISP. Vmnic32 is the TP-Link NIC. The speed is 100 mbps instead of 1 Gbps due to my ISP and not the NIC.
- I don’t recommend plugging in the external interface at this time. Wait until you get the Palo Alto configuration going. Instead, physically plug this into a router’s WAN port.
- I do recommend you put a VMKernel with a static IP on vSwitch1 at this time. It makes managing VSphere easier so that it doesn’t hop around if you get disconnected or misconfigure something.
- Configure Palo Alto virtual NICs accordingly in VSphere.
- The Palo Alto’s network adapter 1 is pre-configured as the management interface. I connected this to the port group PAManagementNetwork on vSwitch0. The Palo Alto updates and performs other management tasks through this management interface. By plugging that back into vSwitch0, it provides internet access for those tasks. If I had a 3rd physical NIC, I could alternatively connect it and the management NIC to a 3rd switch with various safeguards.
- Network adapter 2 is pre-configured to be for the untrusted/external network.
- Network adapter 3 is preconfigured to be for the trusted/internal network
- The other network adapters are there as needed. Although they show up as being on the VM Network (my internal network), they won’t actually be there since VMware figures you don’t need multiple NICs on the same port group.
- In VSphere, configure the Palo Alto VM to start automatically when the ESXi box first powers on. I followed VMWare’s KB article on this subject by selecting the physical box in the left pane, selecting the configuration tab, then under the Software pane selecting Virtual Machine Startup. I clicked Properties in the right corner of the window and adjusted the machine settings accordingly.
- Connect VSphere to ESXi using the static IP on the external interface. This will help you not lose a connection later. At this point, I unplugged my ESXi box from the LAN port of the router. My Palo Alto is pre-configured to be a DHCP server for the trusted network. This means that if I left the ESXi box plugged into a LAN port on the router, then the Palo Alto starts competing with my router’s DHCP server, so that any device connecting on the LAN could receive an IP address from either one. It also means the VMKernel could get a different IP address than the one it originally had, and thus you could lose connection to the ESXi box. If you happen to lose connection, you can do a port scan on the subnets in question to find the right box after you power on the Palo Alto. However, it would be simpler to configure the VMKernel with a static IP address.
- Power on the Palo Alto VM. Follow the prompt to activate the license. It takes a minute or two to reboot and get all its services fully running again.
- In VSphere, I cleared the VMKernel’s network settings on vSwitch1 by configuring the VMKernel to not have any IP settings, saving the configuration, then configuring it to obtain IP settings automatically. Take note of its new IP address and default gateway.
- I then disconnected VSphere and reconnected using the IP address of the VMKernel I found in the previous step.
- Delete the external-facing VMKernel. You don’t want anyone to be able to access it when you plug in the ISP connection!
- Connect the cable you unplugged from the LAN port earlier into the WAN port.
- In a web browser, type in https://<defaultgateway>. This will bring up the Palo Alto web UI login page. Using the credentials supplied to you previously, log in.
- Connect the ISP connection into the external interface, aka vSwitch1.
At this point, VMWare and the physical setup are successfully configured and running the Palo Alto VM. Check out Part 2 blog post for steps to initially configure the Palo Alto firewall.
What you need
- A computer with VMware or VirtualBox on it.
Purpose
To get a Palo Alto virtual firewall working and see how to configure its basic security settings.
Downloading the OVA File
Go to the page linked below, and log in with the credentials given in class. Find the 'CNIT 140' section and download the Palo Alto Firewall file.
You end up with a 1.7 GB file named PA-VM-ESX-7.1.0.ova.
Importing the OVA File into VMware Fusion
In VMware Fusion, click File, Import. Browse to the PA-VM-ESX-7.1.0.ova file and double-click it.
In the 'Choose an Existing Virtual Machine' window, click the Continue button.
Choose a location to save your Palo Alto VM and click the Save button.
Wait till the import completes. Then click the Finish button.
The Palo Alto starts up, saying 'Welcome to the PanOS Bootloader'.
Logging in to the Palo Alto Directly
This may be the most secure method, but not a very convenient one. In the VM window, at the 'vm login' prompt, log in with these credentials:
Username: admin
Password: admin
You're in, as shown below:
Using Help
Type ? and a list of available commands appears, as shown below.
Type show ? to see a list of parameters for the 'show' command.
Using the Web Interface
Open a browser and go to https://192.168.1.1/
Accept the certificate, and log in as admin/admin.
In the Welcome box, click Close.
You now have the PAN GUI, as shown below.
Changing the Administrator Password
At the top right, click Device. Near the top of the left pane, click Administrators.
In the center pane, click the blue admin.
A box appears, allowing you to change the password, as shown below.
Configure the Management Interface
Select Device > Setup > Management and then edit the Management Interface Settings. Enter the IP Address, Netmask, and Default Gateway. (Leave them alone.)
To prevent unauthorized access to the management interface, it is a best practice to Add the Permitted IP Addresses from which an administrator can access the MGT interface.
Set the Speed to auto-negotiate.
Select which management services to allow on the interface.
Make sure Telnet and HTTP are not selected because these services use plaintext and are not as secure as the other services and could compromise administrator credentials.
Click OK.
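The three settings above (a permitted-IP list, and Telnet and HTTP left unchecked) are exactly the ones worth re-checking after someone else has been in the GUI. The script below is an added example, not part of the lab or of Palo Alto Networks' tooling: it audits those settings in a saved PAN-OS configuration export. The two XML samples are constructed for this example, and the element names (deviceconfig/system/service/disable-telnet, disable-http, permitted-ip/entry) are as I recall them from PAN-OS exports, so treat them as an assumption and confirm against your own "Device > Setup > Operations > Export" file before relying on the script.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Path of the management-interface block inside a PAN-OS config export
# (assumed layout; verify against a real export from your own device).
SYSTEM_PATH = "./devices/entry/deviceconfig/system"

# Constructed sample: the lab's default state, before hardening.
WEAK_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <ip-address>192.168.1.1</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>192.168.1.254</default-gateway>
          <service>
            <disable-telnet>no</disable-telnet>
            <disable-http>no</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

# Constructed sample: the state the lab asks for (plaintext services off,
# management access limited to one admin subnet).
HARDENED_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <ip-address>192.168.1.1</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>192.168.1.254</default-gateway>
          <permitted-ip>
            <entry name="192.168.1.0/24"/>
          </permitted-ip>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""


def audit_mgmt_interface(config_xml: str) -> list:
    """Return a list of findings (empty list means the MGT settings look right)."""
    root = ET.fromstring(config_xml)
    system = root.find(SYSTEM_PATH)
    if system is None:
        return ["no deviceconfig/system block found in this export"]

    findings = []

    # Telnet and HTTP carry the admin password in the clear; they must be
    # explicitly disabled. A missing element is reported, not assumed safe.
    service = system.find("service")
    for svc in ("telnet", "http"):
        node = None if service is None else service.find(f"disable-{svc}")
        if node is None or (node.text or "").strip().lower() != "yes":
            findings.append(f"{svc} is not disabled on the MGT interface (plaintext credentials)")

    # Without permitted-ip, any host that can reach MGT gets a login prompt.
    entries = system.findall("permitted-ip/entry")
    if not entries:
        findings.append("no permitted-ip restriction on the MGT interface")
    for entry in entries:
        name = entry.get("name", "")
        try:
            net = ipaddress.ip_network(name, strict=False)  # bare IPs become /32
        except ValueError:
            findings.append(f"unparseable permitted-ip entry: {name!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"permitted-ip {net} allows every address; narrow it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_mgmt_interface(cfg) or ["ok"])
```

Run it against a real export by reading the file into a string and passing it to audit_mgmt_interface; an empty list is the result you want to see before you commit.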
Commit Your Changes
At the top right of the Web interface, click Commit. A Commit box pops up. Click Commit.
The device may take up to 90 seconds to save your changes.
request shutdown system
To add another NIC
Add it through the GUI, then edit the VMX file (with the VM powered off) and change the virtualDev line for the new adapter to this: ethernet2.virtualDev = "vmxnet3"
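Hand-editing the VMX is error-prone when the VM has several adapters, so here is an added example (mine, not the lab's or VMware's) that makes the same change programmatically: it rewrites the ethernetN.virtualDev line for the chosen adapter index to "vmxnet3", appends the line if the adapter has no virtualDev entry yet, and leaves every other line untouched. The VMX text below is a constructed sample with three adapters, and the helper names are my own.

```python
import re
import shutil
from pathlib import Path

# Matches lines such as:  ethernet2.virtualDev = "e1000"
# group(1) = adapter index, group(2) = current driver name
VIRTUALDEV_RE = re.compile(r'^ethernet(\d+)\.virtualDev\s*=\s*"([^"]*)"\s*$')

# Constructed sample VMX fragment (not a real exported file).
SAMPLE_VMX = """.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "e1000"
"""


def nic_drivers(vmx_text: str) -> dict:
    """Map adapter index -> virtualDev value, for a before/after check."""
    drivers = {}
    for line in vmx_text.splitlines():
        m = VIRTUALDEV_RE.match(line.strip())
        if m:
            drivers[int(m.group(1))] = m.group(2)
    return drivers


def set_vmxnet3(vmx_text: str, nic_index: int) -> str:
    """Return vmx_text with ethernet<nic_index>.virtualDev set to vmxnet3.

    The existing line is replaced in place; if the adapter has no virtualDev
    line at all, one is appended. All other lines are returned unchanged.
    """
    wanted = f'ethernet{nic_index}.virtualDev = "vmxnet3"'
    out = []
    found = False
    for line in vmx_text.splitlines():
        m = VIRTUALDEV_RE.match(line.strip())
        if m and int(m.group(1)) == nic_index:
            out.append(wanted)
            found = True
        else:
            out.append(line)
    if not found:
        out.append(wanted)
    return "\n".join(out) + "\n"


def patch_vmx_file(path: str, nic_index: int) -> dict:
    """Patch a VMX file on disk (keeping a .bak copy) and return the new driver map."""
    vmx = Path(path)
    shutil.copyfile(vmx, vmx.with_suffix(vmx.suffix + ".bak"))
    updated = set_vmxnet3(vmx.read_text(encoding="utf-8"), nic_index)
    vmx.write_text(updated, encoding="utf-8")
    return nic_drivers(updated)


if __name__ == "__main__":
    print("before:", nic_drivers(SAMPLE_VMX))
    print("after: ", nic_drivers(set_vmxnet3(SAMPLE_VMX, 2)))
```

Power the VM off before calling patch_vmx_file on its .vmx; the hypervisor reads the file at power-on, and the .bak copy lets you revert if the guest does not pick up the new adapter.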