How To Install Palo Alto Firewall On Vmware
Recently, in the home lab, I have been doing a lot of lab networking configurations and testing various scenarios. Recently, thanks to the great guys at Palo Alto, I was able to get my hands on a VM-series firewall to do some testing across various fronts, including VMware NSX-T. However, before you can use the Palo VM-series firewall, you have to get it deployed into your virtual environment. I am installing the Palo VM inside a VMware vSphere 7 U1 environment, with a few hosts running various network configurations. Let's take a quick look at how to install Palo Alto VM series in VMware vSphere environments.
Deployment Scenarios on VMware vSphere Hypervisor (ESXi)
There are many supported deployment scenarios when it comes to getting a Palo VM series in your VMware vSphere environment. These include the following scenarios:
- One VM-series firewall per ESXi host – In this scenario, you use the Palo VM series firewall to inspect all traffic leaving the ESXi host. The guest servers are configured so they have no other network connectivity aside from traversing the Palo VM. This is for north-south connectivity. You can also require all VM guests to traverse the firewall for all server-to-server communication (east-west).
- One VM-series firewall per virtual network – You can also deploy a VM-series firewall for each virtual network you have configured on your ESXi host. A common use case for this is you may have an internal network, an external network, and a DMZ. You could have a VM-series firewall sitting on each virtual switch, filtering traffic for each group. You would configure your vSwitches and guest virtual machines so there is no other physical or virtual path to any other network. This ensures the VM-series will inspect all traffic between the groups.
- Hybrid environment – Both physical and virtual hosts are used. Using the VM-series, you can replace a physical firewall appliance that is typically used in an aggregation location. This allows implementing a common server platform and bypasses any hardware and software dependencies in the traditional firewall realm.
- Further secure VMware NSX-T environments – Most environments today are hybrid environments. An NSX-only approach can provide micro-segmentation but is not foolproof. NSX is generally only deployed in a portion of the hybrid environment. Allowed traffic between micro-segmented boundaries can be a hole in security. Having L7 inspection between these trust zones is important. Palo VM-series firewalls bolster the NSX-T security mechanisms even further.
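The per-host and per-virtual-network scenarios above only hold if no guest segment has a path that skips the firewall. The following check is an added example, not part of the original post: it walks a constructed inventory and reports any protected vSwitch that has a physical uplink or a multi-homed non-firewall VM. All vSwitch, VM and uplink names are hypothetical.

```python
from collections import deque

# Constructed sample inventory (hypothetical names, not exported from a real vCenter).
VSWITCHES = {
    "vs-internal": {"uplinks": []},
    "vs-dmz": {"uplinks": []},
    "vs-external": {"uplinks": ["vmnic0"]},
    "vs-backup": {"uplinks": ["vmnic1"]},
}
VM_NICS = {
    "pa-vm": ["vs-internal", "vs-dmz", "vs-external"],  # the VM-series firewall
    "web01": ["vs-dmz"],
    "app01": ["vs-internal"],
    "db01": ["vs-internal", "vs-backup"],  # second NIC sidesteps the firewall
}
FIREWALLS = {"pa-vm"}


def find_bypasses(vswitches, vm_nics, firewalls, protected):
    """Return (segment, kind, path) for every way off a protected vSwitch
    that does not traverse a firewall VM."""
    findings = []
    for start in sorted(protected):
        # Physical path: an uplink directly on the protected vSwitch.
        if vswitches[start]["uplinks"]:
            findings.append((start, "uplink", [start]))
        # Virtual path: breadth-first walk across non-firewall VMs with
        # NICs on more than one vSwitch.
        seen = {start}
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            here = path[-1]
            for vm, nics in sorted(vm_nics.items()):
                if vm in firewalls or here not in nics:
                    continue
                for other in nics:
                    if other not in seen:
                        seen.add(other)
                        new_path = path + [vm, other]
                        findings.append((start, "multi-homed-vm", new_path))
                        queue.append(new_path)
    return findings


if __name__ == "__main__":
    for seg, kind, path in find_bypasses(
            VSWITCHES, VM_NICS, FIREWALLS, {"vs-internal", "vs-dmz"}):
        print(f"{seg}: {kind} bypass via {' -> '.join(path)}")
```
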
Install Palo Alto VM Series in VMware vSphere
Palo Alto will give you an authorization code that will allow you to redeem the VM-series firewalls from the Palo Alto support portal. Below I am entering the authorization code and submitting to add the VM-series to the dashboard.

After entering the authorization code, you will see the pertinent VM-series firewalls displayed in the support portal for you to download. Click the down triangle to launch the download dialog box.

Scroll down in the download box to the PAN-OS for VM-Series Base Images section. I made the mistake of simply downloading the first listing for PAN-OS for 10.0.2. However, the first download is the PAN-OS image and not the OVA file. You have to scroll down to this section to retrieve the file.

The next several steps are just a normal OVA appliance deploy process for the OVA file. Choose your OVA file after you download it in the vSphere Client.

Choose the name and folder.

Select your compute resource.

Review the initial deployment details.

Choose the storage for the Palo VM series appliance.

Select the network to use with the appliance deployment. The first network adapter on the VM is the management network. The appliance will deploy by default with three adapters configured. You can then choose the appropriate vSwitch to use with the Palo VM-series firewall for each interface to use the appliance for filtering, routing, etc. You can add up to 10 adapters on the appliance to support up to 10 different vSwitch connections.

Finalize the deployment of the Palo VM-series firewall appliance.

Booting the Palo VM series firewall for the first time.

Configuring the management network
The Palo VM series firewall will be set to use DHCP on the first boot for the management interface. Most likely, you will want to assign a static address for the VM-series.
One quick little tidbit – the default user/password for the VM-series is admin/admin. I noticed that once you deploy, it won't accept this for the first 3 logins. Then after it fails for three consecutive tries, it will ask you to reset the password. This is part of the "reset to factory behavior," as noted here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloQCAS. Also note, the password you set for the command line is only for the command line. You will need to enter admin/admin for the web console password also. It will prompt you to change it the first time you log in.
Once you are logged into the command line console with the password you set, you can configure the management IP address. To do that, you will use the following commands:
    configure
    set deviceconfig system type static
    set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
Example:
    set deviceconfig system ip-address 10.1.149.28 netmask 255.255.255.0 default-gateway 10.1.149.1 dns-setting servers primary 8.8.8.8
    commit
    exit
    ping host 8.8.8.8
Once you have set the management IP address, you should be able to browse there in a web browser and access the web admin console like normal. Also note, the password you set for the command line is only for the command line. You will need to enter admin/admin for the web console password as well. It will prompt you to change it the first time you log in.
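A wrong netmask or gateway on the management interface leaves the firewall unreachable once the change is committed, so it is worth validating the values first. This added example (not from the original post) checks the addressing and renders the same command sequence shown above; the function name is hypothetical.

```python
import ipaddress


def mgmt_static_commands(ip, netmask, gateway, dns):
    """Validate management addressing, then return the CLI lines in the
    order used in this post. Raises ValueError on inconsistent input."""
    # IPv4Interface rejects malformed addresses and non-contiguous masks.
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    gw = ipaddress.IPv4Address(gateway)
    dns_ip = ipaddress.IPv4Address(dns)

    problems = []
    reserved = (net.network_address, net.broadcast_address)
    # /31 and /32 have no separate network/broadcast addresses to avoid.
    if net.prefixlen < 31 and iface.ip in reserved:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    elif net.prefixlen < 31 and gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    if gw == iface.ip:
        problems.append("gateway equals the management address")
    if problems:
        raise ValueError("; ".join(problems))

    # Emit the normalized netmask so a host mask such as 0.0.0.255,
    # which the ipaddress module also accepts, is never passed through.
    return [
        "configure",
        "set deviceconfig system type static",
        f"set deviceconfig system ip-address {iface.ip} netmask {net.netmask} "
        f"default-gateway {gw} dns-setting servers primary {dns_ip}",
        "commit",
        "exit",
        f"ping host {dns_ip}",
    ]


if __name__ == "__main__":
    # Values from the example in this post.
    for line in mgmt_static_commands(
            "10.1.149.28", "255.255.255.0", "10.1.149.1", "8.8.8.8"):
        print(line)
```
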

Final Thoughts
The process to install Palo Alto VM Series in VMware vSphere is straightforward. It just took a few minutes from entering the authorization code, downloading the OVA, and deploying. Getting the Palo Alto VM-series firewall configured with a default configuration for your network is super easy. Once you have an IP configured, you can log in to the web console as expected to finish out your configuration, restore a configuration, etc.
Source: https://www.virtualizationhowto.com/2020/11/install-palo-alto-vm-series-in-vmware-vsphere/
Posted by: mathersvengland.blogspot.com