In this guide I will show how to connect a Palo Alto Next Generation Firewall image running in VMware to
GNS3 and configure some of its basic functions.
First things first, we need to install VMware Workstation (VirtualBox will not work with Palo Alto because
we need to use VMXNET 3 drivers).
After successful installation of VMware, we need to add some local host adapters. My configuration
will be based on the network topology shown below:
So, we will need 5 adapters;
VMnet 0 for our management interface (default range used by PA = 192.168.1.0 but I need to change
it for my tests).
VMnet 1 for internal network (INSIDE).
VMnet 2 for external network (OUTSIDE).
VMnet 3 for DMZ network.
VMnet 4 for Windows XP (this one is optional).
Next, we need to add our adapters to the PA virtual machine;
Now we will need to edit the VMX file;
IP address 172.168.1.150
Default gateway 172.168.1.2 (in my case this is the IP address of the Router 2 interface)
DNS server 8.8.8.8
Now we need to match the MAC addresses used by the PA interfaces with our VM adapters;
Ethernet1/1 = VMnet 1
Ethernet1/2 = VMnet 2
Ethernet1/3 = VMnet 3
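An added example, not part of the original guide: a small Python check that reads the VM's .vmx file, lists each adapter's VMnet and MAC address for the matching step above, and flags adapters that are not VMXNET 3. The sample file contents and MAC addresses are constructed; the ethernetN.* key names are standard VMware .vmx settings, and the VMnet-to-interface table is the one used in this guide.

```python
import re

# Constructed sample .vmx fragment; the MAC addresses are made up for this example.
SAMPLE_VMX = '''
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.vnet = "VMnet0"
ethernet0.generatedAddress = "00:0c:29:aa:bb:00"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.vnet = "VMnet1"
ethernet1.generatedAddress = "00:0c:29:aa:bb:0a"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "vmxnet3"
ethernet2.vnet = "VMnet2"
ethernet2.address = "00:50:56:aa:bb:14"
'''

# VMnet -> firewall interface, as laid out in this guide.
GUIDE_MAP = {"vmnet0": "management", "vmnet1": "ethernet1/1",
             "vmnet2": "ethernet1/2", "vmnet3": "ethernet1/3"}
LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.I)

def parse_adapters(vmx_text):
    """Collect ethernetN.* keys into {N: {lowercased key: value}}."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = LINE.match(line)
        if m:
            adapters.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(3)
    return adapters

def audit(vmx_text):
    """Return (rows, problems): one row per present adapter, plus findings."""
    rows, problems = [], []
    for n, cfg in sorted(parse_adapters(vmx_text).items()):
        if cfg.get("present", "").upper() != "TRUE":
            continue  # adapter is defined but not attached to the VM
        vnet = cfg.get("vnet", "")
        # A manually set MAC ("address") takes the place of the generated one.
        mac = (cfg.get("address") or cfg.get("generatedaddress", "")).lower()
        rows.append((n, vnet, mac, GUIDE_MAP.get(vnet.lower(), "unmapped")))
        dev = cfg.get("virtualdev", "unset")
        if dev.lower() != "vmxnet3":
            problems.append(f"ethernet{n}: virtualDev is {dev!r}, not vmxnet3")
    return rows, problems

if __name__ == "__main__":
    rows, problems = audit(SAMPLE_VMX)
    print(*rows, *problems, sep="\n")
```

To use it on a real VM, pass the text of that VM's .vmx file to audit() and compare the listed MAC addresses with the ones the firewall reports for its interfaces.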
Now we can access the GUI in a web browser at https://172.168.1.150
The dashboard looks like this (I have cleared out the dashboard a bit ;)
We need to create 3 zones. Under Network choose Zones and then Add.
Next we need to configure an Interface Management profile. Here we can define which services will
be allowed.
Under Network choose Network Profiles -> Interface Mgmt -> Add.
Now we can move on to configuring our interfaces;
Under the ethernet interface choose Advanced, then Other Info, and choose the management profile;
Creation of all interfaces looks the same. The final configuration should look like this;
Once everything is up and running, the Link State should be green.
Now we can move on to configuring some static routes (to subnet 10.0.0.0 and the internet).
Under Virtual Router choose default, then Static Routes and Add.
Now we can configure some NAT rules.
First, we need to configure dynamic NAT to enable connection to the internet for hosts placed
in our INSIDE zone.
In case of static NAT I cannot show the right way to do this, so maybe someone else would explain it ;)
Now we can configure some security policies to allow or deny connections between two zones.