Initial Setup of Palo Alto PA-VM on Hyper-V
Steps to install and perform initial setup of Palo Alto PA-VM on Hyper-V in our lab
Download & Install PA-VM
Log in to the Palo Alto Networks Customer Support Portal and download the Hyper-V base image via Updates – Software Updates
Provision a new VM by following Perform Initial Configuration on the VM-Series Firewall
2 x vCPU, 6 GB RAM and 4 x Network Adapters are assigned to the PA-VM
- 1st Network Adapter – Management Interface
- 2nd Network Adapter – Untrust Interface
- 3rd Network Adapter – Trust Interface
- 4th Network Adapter – DMZ Interface
Management Interface
The Management Interface not only provides Web Interface and SSH access for configuring and monitoring the PA-VM, but also needs Internet access to receive the latest updates from Palo Alto Networks.
Interfaces
3 x Layer 3 interfaces are created
- ethernet 1/1 – 192.168.4.48/24 (untrust)
- ethernet 1/2 – 192.168.1.10/24 (trust)
- ethernet 1/3 – 172.16.1.1/24 (DMZ)
Virtual Router
**Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the Firewall must be associated with a virtual router.**
Default Route is configured in Static Routes
Zones
A security zone is a group of one or more physical or virtual firewall interfaces and the network segments connected to the zone’s interfaces. You control protection for each zone individually so that each zone receives the specific protections it needs.
NAT Policies for Internet Access
The following 2 x NAT Policies are created
- Out-NAT-LAN – Allow Trust to Untrust for the LAN subnet 192.168.1.0/24 to access the Internet by translating the source to the Untrust Interface IP
- Out-NAT-DMZ – Allow DMZ to Untrust for the DMZ subnet 172.16.1.0/24 to access the Internet by translating the source to the Untrust Interface IP
Security Policies
The following 2 x Security Policies are created
- TrustToUntrust – Allow Trust & DMZ Zone to have full access to Untrust Zone (Internet)
- TrustToDMZ – Allow full access from Trust to DMZ Zone
Machines from Trust Zone (192.168.1.0/24) and Servers from DMZ Zone (172.16.1.0/24) should have full Internet access now
Continue to my next post on How to Configure Inbound NAT in Palo Alto PA-VM
Appendix
U Turn NAT
U-Turn NAT is configured to allow internal users to access Internal Servers via their public IP
Create a NAT Rule called U Turn NAT and put it on top of the other NAT Rules with the configuration below
Original Packet
- Source Zone – Trust (LAN)
- Destination Zone – Untrust (WAN)
- Destination Address – Public IP of Exchange Server
Translated Packet
Source Address Translation
- Translation Type – Dynamic IP And Port
- Address Type – Interface Address
- Interface – Ethernet 1/2 (Trust / LAN Interface)
- IP Address – IP Address of Trust Interface
Destination Address Translation
- Translation Type – Static IP
- Translated Address – LAN IP of Exchange 2013 Server
Create a Security Policy called NAT-UTURN-ACCESS with the settings below
- Source Zone = Trust
- Destination Zone = Untrust
- Destination Address = Public IP of Exchange 2013 Server
- Services = ANY
- Action = ALLOW
Users on the LAN should now be able to access https://mail.aventislab.info, which resolves to the Public IP Address
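To show why the U Turn NAT rule has to sit above the generic outbound rules and why its source translation matters, here is an added Python walk-through (not code from this post or from Palo Alto Networks) that models the three NAT rules above with first-match evaluation and a route-based zone lookup. The client, Exchange server and public addresses are constructed placeholders; the interface addresses and subnets are the ones from this post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders for the walk-through (not from the post):
PUBLIC_IP = "203.0.113.10"        # stands in for the Exchange server's public IP
EXCHANGE_LAN_IP = "192.168.1.20"  # Exchange server on the Trust LAN
CLIENT_IP = "192.168.1.50"        # a workstation on the Trust LAN
# Interface addresses and routes as described in the post
TRUST_IF_IP, UNTRUST_IF_IP = "192.168.1.10", "192.168.4.48"
ROUTES = [("192.168.4.0/24", "untrust"), ("192.168.1.0/24", "trust"),
          ("172.16.1.0/24", "dmz"), ("0.0.0.0/0", "untrust")]

def zone_for(ip: str) -> str:
    """Longest-prefix route lookup: the zone of the interface that would forward to ip."""
    nets = [(ipaddress.ip_network(p), z) for p, z in ROUTES]
    hits = [(n, z) for n, z in nets if ipaddress.ip_address(ip) in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    src: str = "any"              # original source subnet, or "any"
    dst: str = "any"              # original destination address, or "any"
    snat: Optional[str] = None    # translated source (interface address)
    dnat: Optional[str] = None    # translated destination (static IP)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # NAT rules match on pre-NAT zones, derived by routing the original addresses.
        return (self.from_zone == zone_for(src_ip) and self.to_zone == zone_for(dst_ip)
                and (self.src == "any" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src))
                and self.dst in ("any", dst_ip))

# NAT rulebase in evaluation order; the U Turn rule sits on top, as the post instructs.
RULES = [
    NatRule("U Turn NAT", "trust", "untrust", dst=PUBLIC_IP, snat=TRUST_IF_IP, dnat=EXCHANGE_LAN_IP),
    NatRule("Out-NAT-LAN", "trust", "untrust", src="192.168.1.0/24", snat=UNTRUST_IF_IP),
    NatRule("Out-NAT-DMZ", "dmz", "untrust", src="172.16.1.0/24", snat=UNTRUST_IF_IP),
]

def translate(src_ip: str, dst_ip: str, rules=RULES):
    """First matching NAT rule wins; returns (rule name, translated src, translated dst)."""
    for r in rules:
        if r.matches(src_ip, dst_ip):
            return r.name, r.snat or src_ip, r.dnat or dst_ip
    return None, src_ip, dst_ip

def reply_passes_firewall(server_ip: str, reply_dst: str) -> bool:
    """A server replies directly to a same-subnet address unless that address is the firewall's own."""
    same_subnet = zone_for(server_ip) == zone_for(reply_dst)
    return reply_dst == TRUST_IF_IP or not same_subnet
```

Without the source translation the Exchange server would answer the client directly on the LAN and the firewall would never see the reply half of the session; with the U Turn rule below Out-NAT-LAN, the generic rule matches first and the connection is sent out the Untrust side instead.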
Reference Link
Reset to Factory Default Settings
Boot PA-VM into Maintenance Mode from Hyper-V Console
debug system maintenance-mode
Select Factory Reset and press Enter
Select Factory Reset and press Enter with all the default settings
Select Reboot to reboot PA-VM with factory default settings
Log in to the PA-VM with the default username and password, admin / admin
IP Address for Management Interface
Enter Configuration Mode
> configure
Change from DHCP to Static Mode and configure the IP Address, Subnet Mask, Default Gateway, and DNS Server
# set deviceconfig system type static
# set deviceconfig system ip-address 10.10.8.254 netmask 255.255.255.0 default-gateway 10.10.8.1 dns-setting servers primary 1.1.1.1
# commit
Verify that the IP Address has been configured successfully
# exit
> show interface management
Log in to https://10.10.8.254 from a Windows 10 machine to continue the setup in the GUI