Introduction

In 2021 I am starting a new role were I will be working with Palo Alto products. In preperation for that I want to get familiar with Palo Alto firewalls again after not using them for about 5 years.

In this post I will show you how to add a Palo Alto PanOS 10.0 VM to EVE-NG.

Software Versions

The following software was used in this post.

  • EVE-NG - Pro 3.0.1-16
  • PanOS - 10.0

Installation

Transfer the PA VM to the EVE-NG host. I am using the scp utility on Windows 10.

cmd

scp PA-VM-ESX-10.0.0.ova <user>@<eve-ng-host>:~/
    

Once the transfer is complete SSH to the EVE-NG host.

Make a temporary directory and extract the .ova file.

cmd

mkdir /tmp/pavm
  
tar -xvf PA-VM-ESX-10.0.0.ova -C /tmp/pavm/
    

Convert the .ova file to a .qemu

cmd

/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 /tmp/pavm/PA-VM-ESX-10.0.0-disk1.vmdk /tmp/pavm/virtioa.qcow2
    

Note

From this point on you will need to switch to the root user. Or a user with sudo permissions.

cmd

su -
  
password: <root-password>
    

Create a directory for the PA VM in the /opt/unetlab/addons/qemu/ directory.

cmd

mkdir /opt/unetlab/addons/qemu/paloalto-10.0.0/
    

Move the virtioa.qcow2 file into the /opt/unetlab/addons/qemu/paloalto-10.0.0/ directory.

cmd

mv /tmp/pavm/virtioa.qcow2 /opt/unetlab/addons/qemu/paloalto-10.0.0/
    

Clean up the temp directory.

cmd

rm -rf /tmp/pavm/
    

Dont forget to fix the permissions.

cmd

/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
    

Testing

Add a node to a topology and check the VM settings.

  • Interface - virtio-net-pci
  • CPU - 2
  • RAM - 5632
  • Console - telnet

Note

Change the Console type to telnet. Unless you want to access the VM terminal via VNC.

Start the VM. When the VM is booted up login with the default admin/admin credentials.

Important

It takes a bit of time before you can login. The prompt will change from vm login:, to PA-HDF login:, then eventually PA-VM login: before you can successfully login. It does take a bit of time for all the services to start.

Note

Once you successfully login you will be prompted to change the admin password. Some password complexity is required.

Setup

Configure the management interface IP Address

cmd

configure
set deviceconfig system type static
set deviceconfig system ip-address <ip address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address>
commit
    

Check the management interface is configured with the correct IP details and the state is up.

cmd

show interface management
    

Access Web Interface

To access the PA VM web interface, I am currently connecting connecting to it by VNC'ing to a linux VM in EVE-NG and browsing to the management IP address.

The user credentials are admin and the password configured in the previous step.

Summary

In this post, we added a Palo Alto PanOS 10 VM to EVE-NG. Happy firewall labbing.

eveng palo-alto