Building my Palo Alto Networks Firewall Virtual Lab Using VirtualBox and GNS3

I've built my virtual lab towards the end of my Palo Alto Networks studies. You can run a PA VM-100 in VirtualBox and integrate it with GNS3. Below is the network topology that I've used for my virtual lab.

Open VirtalBox > File > Import Appliance > choose the .ova file > Next.

It will preload all the appliance settings. Click Import.

 

You can edit the settings before you power on the virtual machine by clicking on the PA-VM-6.1.0 > Settings > under System > uncheck: Floppy and Optical.

Under Network > choose Not attached for Adapter 1, 2, 3 and 4.

 

Since my PAN firewall lab topology have a trust, untrust, DMZ and management interfaces, I need to create the subnets for the interfaces I’ll be using:

MGT: 192.168.2.0/24

TRUST: 10.1.1.0/24

UNTRUST: 192.168.222.0/34

DMZ: 172.16.1.0/24

On VirtualBox, click on PA-VM-6.1.0 > File > Preferences > Network > Host-only Networks.

Click on VirtualBox Host-Onnly Ethernet Adapter > Edit. By default it’s 192.168.56.1/24 and I’ve changed it to 192.168.2.1/24 according to my topology diagram. Click OK and add more adapters by clicking on network adapter icon with plus sign and click edit icon (screw driver icon).

 

You also need to check Enable Network adapter and select Not attached under Adapter 3 and 4. Click OK to save the new settings.

 

Add the VirtualBox VM in GNS3 by going to Preferences > VirtualBox > VirtualBox VMs > New > choose the specific VM.

You need to manuall add 4 interfaces (trust, untrust, dmz and management) on the Palo Alto VM firewall by clicking on PA-VM-6.1.0 > Edit > Network > either type 3 or click on the up arrow to increase > then click OK.

 

Power on the VM in GNS3 by doing a right-click on PA-VM-6.1.0 > Start. A pop-up window will appear asking to allow VirtualBox in Windows firewall. Click Allow access.

 

VirtualBox will automatically open and will run the Palo Alto VM. There’s a warning displayed (just an audio device error), just click OK and VM login will be displayed.

 

Enter the default Palo Alto firewall login and password: admin / admin

The PA firewall will ask to change the default password.

 

Issue a show management interface and it will display the default management IP address on the PA firewall, which is 192.168.1.1/24.

 

You initially configure your PC with IP address 192.168.1.2/24 and HTTPS to 192.168.1.1.

 

Click Continue to this website (for Internet Explorer) to accept the PA firewall self-signed certificate. Login using the default username and password: admin / admin and it will ask again to change the default password.

 

As a best security practice, we need to change the default password and management IP address on the PA firewall. To change the admin password, go to Device > Setup > Administrators > click admin and type the Old and New Password > click OK.

To change the PA firewall management IP address, go to Device > Setup > Management > Management Interface Setting > click the edit button (gear icon), type the new management IP address and click OK.

You’ll need to click Commit for the changes to take effect.

The changes took a minute to be completed. It will not show 100% since the new management IP address has already taken effect.

 

You can issue show jobs all in CLI to checking the status of the changes made.

You’ll need to re-login via HTTPS using the new IP address and admin password.