The Palo Alto Networks firewall is quite an amazing piece of engineering. This state-of-the-art firewall not only includes traditional firewalling on layer 3 and 4, but it also provides application-level firewall capabilities, user-level policies, DDoS protection, threat prevention, and a whole lot more. In short, it makes a network and security guy like me drool.
I’ve got a strong background with Palo Alto Firewalls. I obtained my Palo Alto ACE certification after using it in the workplace as well as in school. I have spent a lot of time configuring the Palo Alto, using it to mitigate threats such as DDoS attacks, and more. If that wasn’t enough, Palo Alto Networks sponsors the Information Technology major at Brigham Young University. As a result, I have access to an education license to a Palo Alto virtual firewall as well as some training material. Thank you Palo Alto!
This post is a step-by-step guide of installing the Palo Alto firewall on my home network. I know it is a bit overkill for a home network, but for someone as involved like me it is the perfect learning opportunity.
Required Materials
- Palo Alto virtual firewall (VM-100) VMware image
- ESXi 6.0 server
Optional Materials
- A consumer router or access point
- A Windows/Linux VM
Hardware I used
- Dell OptiPlex 9020
- CPU: Intel core i5-4670 @ 3.40 GHz
- RAM: 8 GB
- Storage: 120 GB SSD
- 2 NICs: (I have an integrated NIC and TP-Link USB UE300)
End Result:
The VMWare diagram below shows you what I am working towards.
The Hardware setup
Before I dive into configuring the network and Palo Alto, let me tell you a bit about the hardware setup. I chose the OptiPlex 9020 simply because it was available for me to use for free (again through the IT major at BYU). Palo Alto recommends 4GB allocated to its VM as a minimum, and VMWare recommends about 4GB for its own ESXi server as well. After everything is installed and working, I’m only consuming about 5.2GB of RAM. The SSD is a nice bonus as well. But what might raise an eyebrow is that TP-Link NIC. The motherboard only has one NIC, so I needed a second. Thankfully I had the TP-Link NIC, and that Jose Gomes provides a driver for a few select USB NICs for ESXi servers.
Setting things up in VSphere
Connect ESXi to the LAN port on a router. This gives the NIC an IP address that you can connect to using VSphere.
- Connect to ESXi using VSphere.
- Upload the Palo Alto VM-100 to ESXi
- The VM I was given was originally compatible with VMWare Workstation 12. I had to make it compatible with older versions of VMWare before uploading it to my ESXi box.
- Create the VMWare networks
- My trusted/internal network is vSwitch0. I’ve put two port groups on here. The first is for devices connecting on the trusted network and is called VM Network. I also have a VMKernel for ESXi management connected on the trusted network. I also have a Windows VM called PAManager as a way to troubleshoot as needed.
The second port group is called PAManagementNetwork. - vSwitch1 is where the untrusted network connects at and connects to my ISP. Vmnic32 is the TP-Link NIC. The speed is 100 mbps instead of 1 Gbps due to my ISP and not the NIC.
- I don’t recommend plugging in the external interface at this time. Wait until you get the Palo Alto configuration going. Instead, physically plug this into a router’s WAN port.
- I do recommend you put a VMKernel with a static IP on vSwitch1 at this time. It makes managing VSphere easier so that it doesn’t hop around if you get disconnected or misconfigure something.
- My trusted/internal network is vSwitch0. I’ve put two port groups on here. The first is for devices connecting on the trusted network and is called VM Network. I also have a VMKernel for ESXi management connected on the trusted network. I also have a Windows VM called PAManager as a way to troubleshoot as needed.
- Configure Palo Alto virtual NICs accordingly in VSphere.
- The Palo Alto’s network adapter 1 is pre-configured as the management interface. I connected this to the port group PAManagementNetwork on vSwitch0. The Palo Alto updates and performs other management tasks through this management interface. By plugging that back into vSwitch0, it provides internet access for those tasks. If I had a 3rd physical NIC, I could alternatively connect it and the management NIC to a 3rd switch with various safeguards.
- Network adapter 2 is pre-configured to be for the untrusted/external network.
- Network adapter 3 is preconfigured to be for the trusted/internal network
- The other network adapters are there as needed. Although they show up as being on the VM Network (my internal network), they won’t actually be there since VMware figures you don’t need multiple NICs on the same port group.
- In VSphere, configure the Palo Alto VM to start automatically when the ESXi box first powers on. I followed VMWare’s KB article on this subject by selecting the physical box in the left pane, selecting the configuration tab, then under the Software pane selecting Virtual Machine Startup. I clicked Properties in the right corner of the window and adjusted the machine settings accordingly.
- Connect VSphere to ESXi using the static IP on the external interface. This will help you not lose a connection later. At this point, I unplugged my ESXi box from the LAN port of the router. My Palo Alto is pre-configured to be a DHCP server for the trusted network. This means that if I left the ESXi box plugged into a LAN port on the router, then the Palo Alto starts competing with my router’s DHCP server, so that any device connecting on the LAN could receive an IP address from either one. It also means the VMKernel could get a different IP address than the one it originally had, and thus you could lose connection to the ESXi box. If you happen to lose connection, you can do a port scan on the subnets in question to find the right box after you power on the Palo Alto. However, it would be simpler to configure the VMKernel with a static IP address.
- Power on the Palo Alto VM. Follow the prompt to activate the license. It takes a minute or two to reboot and get all its services fully running again.
- In Vsphere, I cleared the VMKernel’s network settings on vSwitch1 by configuring the VMKernel to not have any IP settings, saving the configuration, then configuring it to obtain IP settings automatically. Take note of it’s new IP address and default gateway.
- I then disconnected VSphere and reconnected using the IP address of the VMKernel I found in the previous step.
- Delete the external-facing VMKernel. You don’t want anyone to be able to access it when you plug in the ISP connection!
- Connect the cable you unplugged from the LAN port earlier into the WAN port.
- In a web browser, type in https://<defaultgateway>. This will bring up the Palo Alto web UI login page. Using the credentials supplied to you previously, log in.
- Connect the ISP connection into the external interface, aka vSwitch1.
At this point, VMWare and the physical setup are successfully configured and running the Palo Alto VM. Check out Part 2 blog post for steps to initially configure the Palo Alto firewall.
Leave a Reply