EVE-NG add Palo Alto PanOS 10 VM

updated: 25th of January 2021

published: 31st of December 2020

Intro

In 2021 I am starting a new role were I will be working with Palo Alto products. In preperation for that I want to get familiar with Palo Alto firewalls again after not using them for about 5 years.

In this post I will show you how to add a Palo Alto PanOS 10.0 VM to EVE-NG.

Software Versions

The following software was used in this post.

  • EVE-NG - Pro 3.0.1-16
  • PanOS - 10.0

Installation

Transfer the PA VM to the EVE-NG host. I am using the scp utility on Windows 10.

cmd 
scp PA-VM-ESX-10.0.0.ova <user>@<eve-ng-host>:~/

Once the transfer is complete SSH to the EVE-NG host.

Make a temporary directory and extract the .ova file.

cmd 
mkdir /tmp/pavm
  
tar -xvf PA-VM-ESX-10.0.0.ova -C /tmp/pavm/

Convert the .ova file to a .qemu

cmd 
/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 /tmp/pavm/PA-VM-ESX-10.0.0-disk1.vmdk /tmp/pavm/virtioa.qcow2
Note
From this point on you will need to switch to the root user. Or a user with sudo permissions.
cmd 
su -
  
password: <root-password>

Create a directory for the PA VM in the /opt/unetlab/addons/qemu/ directory.

cmd 
mkdir /opt/unetlab/addons/qemu/paloalto-10.0.0/

Move the virtioa.qcow2 file into the /opt/unetlab/addons/qemu/paloalto-10.0.0/ directory.

cmd 
mv /tmp/pavm/virtioa.qcow2 /opt/unetlab/addons/qemu/paloalto-10.0.0/

Clean up the temp directory.

cmd 
rm -rf /tmp/pavm/

Dont forget to fix the permissions.

cmd 
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Testing

Add a node to a topology and check the VM settings.

  • Interface - virtio-net-pci
  • CPU - 2
  • RAM - 5632
  • Console - telnet
Note
Change the Console type to telnet. Unless you want to access the VM terminal via VNC.

Start the VM. When the VM is booted up login with the default admin/admin credentials.

Important

It takes a bit of time before you can login. The prompt will change from vm login:, to PA-HDF login:, then eventually PA-VM login: before you can successfully login. It does take a bit of time for all the services to start.

Note

Once you successfully login you will be prompted to change the admin password. Some password complexity is required.

Setup

Configure the management interface IP Address

cmd 
configure
set deviceconfig system type static
set deviceconfig system ip-address <ip-address>
set deviceconfig system netmask <netmask>
set deviceconfig system default-gateway <default-gateway>
set deviceconfig system dns-setting servers primary <dns-ip-address>
commit

Check the management interface is configured with the correct IP details and the state is up.

cmd 
show interface management

Access Web Interface

To access the PA VM web interface, I am currently connecting connecting to it by VNC'ing to a linux VM in EVE-NG and browsing to the management IP address.

The user credentials are admin and the password configured in the previous step.

Note

If you connect the PA-VM management interface to Cloud-0 you can access the device from your LAN. By default this is the same network as your EVE-NG management address.

Outro

In this post, we added a Palo Alto PanOS 10 VM to EVE-NG. Happy firewall labbing.

https://www.eve-ng.net/index.php/documentation/howtos/howto-add-palo-alto/

https://docs.paloaltonetworks.com/vm-series/9-0/vm-series-deployment/set-up-the-vm-series-firewall-on-kvm/vm-series-on-kvm-requirements-and-prerequisites.html#ide75ec290-9f1d-4e95-9511-adadfd636943

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZuCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN7CAK