EVE-NG add Palo Alto PanOS 10 VM
Updated: 25th of January 2021
Published: 31st of December 2020
Intro
In 2021 I am starting a new role where I will be working with Palo Alto products. In preparation for that I want to get familiar with Palo Alto firewalls again after not using them for about 5 years.
In this post I will show you how to add a Palo Alto PanOS 10.0 VM to EVE-NG.
Software Versions
The following software was used in this post.
- EVE-NG - Pro 3.0.1-16
- PanOS - 10.0
Installation
Transfer the PA VM to the EVE-NG host. I am using the scp utility on Windows 10.
scp PA-VM-ESX-10.0.0.ova <user>@<eve-ng-host>:~/
Once the transfer is complete SSH to the EVE-NG host.
Make a temporary directory and extract the .ova file.
mkdir /tmp/pavm
tar -xvf PA-VM-ESX-10.0.0.ova -C /tmp/pavm/
Convert the extracted .vmdk disk image to qcow2 format.
/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 /tmp/pavm/PA-VM-ESX-10.0.0-disk1.vmdk /tmp/pavm/virtioa.qcow2
Note
From this point on you will need to switch to the root user, or to a user with sudo permissions.
su -
password: <root-password>
Create a directory for the PA VM in the /opt/unetlab/addons/qemu/ directory.
mkdir /opt/unetlab/addons/qemu/paloalto-10.0.0/
Move the virtioa.qcow2 file into the /opt/unetlab/addons/qemu/paloalto-10.0.0/ directory.
mv /tmp/pavm/virtioa.qcow2 /opt/unetlab/addons/qemu/paloalto-10.0.0/
Clean up the temp directory.
rm -rf /tmp/pavm/
Don't forget to fix the permissions.
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
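Before the conversion step above, the files extracted into /tmp/pavm can be checked against the manifest shipped inside the OVA. The script below is an added example, not part of the original post; it assumes the OVA contains a standard OVF .mf manifest with lines of the form SHA256(file)= digest, and the function name verify_ova_manifest is hypothetical.

```shell
#!/bin/sh
# Added example: check files extracted from an OVA against its OVF manifest.
# Assumed manifest line format:  SHA256(name.vmdk)= <hex digest>  (or SHA1)

# verify_ova_manifest DIR   (hypothetical helper name)
# Returns 0 only if every file listed in DIR/*.mf exists and matches its digest.
verify_ova_manifest() {
    dir=$1; rc=0; checked=0; mf=
    for f in "$dir"/*.mf; do [ -f "$f" ] && mf=$f && break; done
    [ -n "$mf" ] || { echo "no .mf manifest in $dir" >&2; return 1; }

    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF manifests
        [ -n "$line" ] || continue
        algo=${line%%\(*}                             # text before the first "("
        rest=${line#*\(}
        file=${rest%\)=*}                             # name between "(" and ")="
        want=$(printf '%s' "${rest##*\)=}" | tr -d ' ' | tr 'A-F' 'a-f')

        case $algo in
            SHA1)   tool=sha1sum ;;
            SHA256) tool=sha256sum ;;
            *) echo "unparseable line: $line" >&2; rc=1; continue ;;
        esac
        # A manifest entry must name a plain file inside DIR, never a path.
        case $file in
            ''|*/*) echo "refusing manifest entry: $file" >&2; rc=1; continue ;;
        esac
        [ -f "$dir/$file" ] || { echo "missing: $file" >&2; rc=1; continue; }

        got=$("$tool" "$dir/$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            checked=$((checked + 1))
        else
            echo "DIGEST MISMATCH: $file" >&2; rc=1
        fi
    done < "$mf"

    [ "$checked" -gt 0 ] || { echo "manifest verified no files" >&2; return 1; }
    return "$rc"
}
```

Call it as verify_ova_manifest /tmp/pavm after the tar step and before qemu-img convert. The manifest travels inside the OVA, so a match shows the transfer and extraction were intact, not that the image is authentic.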
Testing
Add a node to a topology and check the VM settings.
- Interface - virtio-net-pci
- CPU - 2
- RAM - 5632
- Console - telnet
Note
Change the Console type to telnet, unless you want to access the VM terminal via VNC.
Start the VM. Once the VM has booted, log in with the default admin/admin credentials.
Important
It takes a bit of time before you can log in. The prompt will change from vm login: to PA-HDF login:, then eventually to PA-VM login:, at which point you can log in successfully. It does take a bit of time for all the services to start.
Note
Once you successfully log in you will be prompted to change the admin password. Some password complexity is required.
Setup
Configure the management interface IP Address
configure
set deviceconfig system type static
set deviceconfig system ip-address <ip-address>
set deviceconfig system netmask <netmask>
set deviceconfig system default-gateway <default-gateway>
set deviceconfig system dns-setting servers primary <dns-ip-address>
commit
Check the management interface is configured with the correct IP details and the state is up.
show interface management
Access Web Interface
To access the PA VM web interface, I am currently connecting to it by VNC'ing to a Linux VM in EVE-NG and browsing to the management IP address.
The user credentials are admin and the password configured in the previous step.
Note
If you connect the PA-VM management interface to Cloud-0 you can access the device from your LAN. By default this is the same network as your EVE-NG management address.
Outro
In this post, we added a Palo Alto PanOS 10 VM to EVE-NG. Happy firewall labbing.