Sunday, July 2, 2017

Building my Palo Alto Networks Firewall Virtual Lab Using VirtualBox and GNS3

I built my virtual lab towards the end of my Palo Alto Networks studies. You can run a PA VM-100 in VirtualBox and integrate it with GNS3. Below is the network topology that I used for my virtual lab.


Open VirtualBox > File > Import Appliance > choose the .ova file > Next.





It will preload all the appliance settings. Click Import.
 


You can edit the settings before you power on the virtual machine by clicking on the PA-VM-6.1.0 > Settings > under System > uncheck: Floppy and Optical.




Under Network > choose Not attached for Adapter 1, 2, 3 and 4.
 


Since my PAN firewall lab topology has trust, untrust, DMZ and management interfaces, I need to create the subnets for the interfaces I’ll be using:

MGT: 192.168.2.0/24


TRUST: 10.1.1.0/24


UNTRUST: 192.168.222.0/34


DMZ: 172.16.1.0/24

On VirtualBox, click on PA-VM-6.1.0 > File > Preferences > Network > Host-only Networks.



Click on VirtualBox Host-Only Ethernet Adapter > Edit. By default it’s 192.168.56.1/24 and I’ve changed it to 192.168.2.1/24 according to my topology diagram. Click OK, then add more adapters by clicking the network adapter icon with the plus sign and configure each one with the edit icon (screwdriver icon).
 




You also need to check Enable Network adapter and select Not attached under Adapter 3 and 4. Click OK to save the new settings.
 


Add the VirtualBox VM in GNS3 by going to Preferences > VirtualBox > VirtualBox VMs > New > choose the specific VM.



You need to manually add 4 interfaces (trust, untrust, dmz and management) on the Palo Alto VM firewall by clicking on PA-VM-6.1.0 > Edit > Network > either type 3 or click on the up arrow to increase > then click OK.
 



Power on the VM in GNS3 by doing a right-click on PA-VM-6.1.0 > Start. A pop-up window will appear asking to allow VirtualBox in Windows firewall. Click Allow access.
 


VirtualBox will automatically open and run the Palo Alto VM. A warning is displayed (just an audio device error); click OK and the VM login prompt will appear.
 


Enter the default Palo Alto firewall login and password: admin / admin
The PA firewall will ask to change the default password.
 


Issue a show management interface and it will display the default management IP address on the PA firewall, which is 192.168.1.1/24.
 


Initially, configure your PC with IP address 192.168.1.2/24 and browse via HTTPS to 192.168.1.1.
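A sanity check of the lab address plan, as an added example that is not part of the original post: it parses the zone subnets exactly as printed above, reports any that are not valid IPv4 networks or that overlap, and shows which PC address shares a segment with the firewall's default management IP versus the MGT zone. The function names are made up for this example.

```python
import ipaddress

# Values exactly as printed in this post.
PLAN = {
    "MGT": "192.168.2.0/24",
    "TRUST": "10.1.1.0/24",
    "UNTRUST": "192.168.222.0/34",  # as printed; /34 is not a valid IPv4 prefix length
    "DMZ": "172.16.1.0/24",
}
HOST_ONLY_ADAPTER = "192.168.2.1/24"  # edited VirtualBox host-only adapter
DEFAULT_MGMT = "192.168.1.1/24"       # firewall's default management address
PC_INITIAL = "192.168.1.2/24"         # temporary PC address for first login

def parse_plan(plan):
    """Return ({zone: network}, [error strings]) for a zone -> CIDR mapping."""
    nets, errors = {}, []
    for zone, cidr in plan.items():
        try:
            nets[zone] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{zone}: {cidr} rejected ({exc})")
    return nets, errors

def overlapping_zones(nets):
    """Return every pair of zones whose subnets overlap."""
    zones = sorted(nets)
    return [(a, b) for i, a in enumerate(zones) for b in zones[i + 1:]
            if nets[a].overlaps(nets[b])]

def zone_of(address, nets):
    """Return the zone whose subnet contains the address, or None."""
    ip = ipaddress.ip_interface(address).ip
    return next((zone for zone, net in nets.items() if ip in net), None)

def same_segment(a, b):
    """True when two interface addresses sit in the same IP network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network

if __name__ == "__main__":
    nets, errors = parse_plan(PLAN)
    for line in errors:
        print("INVALID ", line)
    print("overlaps:", overlapping_zones(nets) or "none")
    print("host-only adapter zone:", zone_of(HOST_ONLY_ADAPTER, nets))
    print("default mgmt IP zone:  ", zone_of(DEFAULT_MGMT, nets))
    print("PC can reach default mgmt:", same_segment(PC_INITIAL, DEFAULT_MGMT))
    print("host-only adapter can reach default mgmt:",
          same_segment(HOST_ONLY_ADAPTER, DEFAULT_MGMT))
```

The default management address falls outside every planned zone, which is why the PC is first addressed in 192.168.1.0/24 and the management IP is then moved.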
 


Click Continue to this website (for Internet Explorer) to accept the PA firewall self-signed certificate. Log in using the default username and password: admin / admin and it will ask again to change the default password.
 





As a best security practice, we need to change the default password and management IP address on the PA firewall. To change the admin password, go to Device > Setup > Administrators > click admin and type the Old and New Password > click OK.




To change the PA firewall management IP address, go to Device > Setup > Management > Management Interface Setting > click the edit button (gear icon), type the new management IP address and click OK.




You’ll need to click Commit for the changes to take effect.



The changes took a minute to be completed. It will not show 100% since the new management IP address has already taken effect.
 

You can issue show jobs all in the CLI to check the status of the changes made.


You’ll need to re-login via HTTPS using the new IP address and admin password.