In 2021 I am starting a new role were I will be working with Palo Alto products. In preperation for that I want to get familiar with Palo Alto firewalls again after not using them for about 5 years.

In this post I will show you how to add a Palo Alto PanOS 10.0 VM to EVE-NG.

Software Versions

The following software was used in this post.

  • EVE-NG - Pro 3.0.1-16
  • PanOS - 10.0


Transfer the PA VM to the EVE-NG host. I am using the scp utility on Windows 10.

scp PA-VM-ESX-10.0.0.ova <user>@<eve-ng-host>:~/

Once the transfer is complete SSH to the EVE-NG host.

Make a temporary directory and extract the .ova file.

mkdir /tmp/pavm
tar -xvf PA-VM-ESX-10.0.0.ova -C /tmp/pavm/

Convert the .ova file to a .qemu

/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 /tmp/pavm/PA-VM-ESX-10.0.0-disk1.vmdk /tmp/pavm/virtioa.qcow2
From this point on you will need to switch to the root user. Or a user with sudo permissions.
su -
password: <root-password>

Create a directory for the PA VM in the /opt/unetlab/addons/qemu/ directory.

mkdir /opt/unetlab/addons/qemu/paloalto-10.0.0/

Move the virtioa.qcow2 file into the /opt/unetlab/addons/qemu/paloalto-10.0.0/ directory.

mv /tmp/pavm/virtioa.qcow2 /opt/unetlab/addons/qemu/paloalto-10.0.0/

Clean up the temp directory.

rm -rf /tmp/pavm/

Dont forget to fix the permissions.

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions


Add a node to a topology and check the VM settings.

  • Interface - virtio-net-pci
  • CPU - 2
  • RAM - 5632
  • Console - telnet
Change the Console type to telnet. Unless you want to access the VM terminal via VNC.

Start the VM. When the VM is booted up login with the default admin/admin credentials.


It takes a bit of time before you can login. The prompt will change from vm login:, to PA-HDF login:, then eventually PA-VM login: before you can successfully login. It does take a bit of time for all the services to start.


Once you successfully login you will be prompted to change the admin password. Some password complexity is required.


Configure the management interface IP Address

set deviceconfig system type static
set deviceconfig system ip-address <ip-address>
set deviceconfig system netmask <netmask>
set deviceconfig system default-gateway <default-gateway>
set deviceconfig system dns-setting servers primary <dns-ip-address>

Check the management interface is configured with the correct IP details and the state is up.

show interface management

Access Web Interface

To access the PA VM web interface, I am currently connecting connecting to it by VNC'ing to a linux VM in EVE-NG and browsing to the management IP address.

The user credentials are admin and the password configured in the previous step.


If you connect the PA-VM management interface to Cloud-0 you can access the device from your LAN. By default this is the same network as your EVE-NG management address.


In this post, we added a Palo Alto PanOS 10 VM to EVE-NG. Happy firewall labbing.