Initial Setup of Palo Alto PA-VM on Hyper-V

You are here:
← All Topics

Steps to install and perform initial setup of Palo Alto PA-VM on Hyper-V in our lab

Download & Install PA-VM

Login to Palo Alto Network Customer Support Portal and download the Hyper-V base image via Update – Software Update

Initial Setup of Palo Alto PA-VM on Hyper-V

Provision a new VM by following Perform Initial Configuration on the VM-Series Firewall

2 x vCPU, 6GB RAM with 4 x Network Adapters are assigned for PA-VM

  • 1st Network Adapter – Management Interface
  • 2nd Network Adapter – Untrust Interface
  • 3nd Network Adapter – Trust Interface
  • 4th Network Adapter – DMZ Interface

Initial Setup of Palo Alto PA-VM on Hyper-V

Management Interface

Management Interface not only provide Web Interface & SSH access to perform configuration & monitoring tasks for PA-VM, but also need to have Internet access to receive the latest update from Pala Alto Network.

Interfaces

3 x Layer 3 interfaces are created

  • ethernet 1/1 – 192.168.4.48/24 (untrust)
  • ethernet 1/2 – 192.168.1.10/24 (trust)
  • ethernet 1/3 – 172.16.1.1/24 (DMZ)

Virtual Router

**Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the Firewall must be associated with a virtual router. **

Default Route is configured in Static Routes

Zones

A security zone is a group of one or more physical or virtual firewall interfaces and the network segments connected to the zone’s interfaces. You control protection for each zone individually so that each zone receives the specific protections it needs.

NAT Policies for Internet Access

The following 2 x NAT Policies are created

  • Out-NAT-LAN – Allow Trust to Untrust for LAN IP – 192.168.1.0/24 to access Internet by translating to Untrust Interface IP
  • Out-NAT-DMZ – Allow DMZ to Untrust for LAN IP – 172.16.1.0/24 to access Internet by translating to Untrust Interface IP

Security Policies

The following 2 x Security Policies are created

  • TrustToUntrust – Allow Trust & DMZ Zone to have full access to Untrust Zone (Internet)
  • TrustToDMZ – Allow full access from Trust to DMZ Zone

Machines from Trust Zone (192.168.1.0/24) and Servers from DMZ Zone (172.16.1.0/24) should have full Internet access now

Continue to my next post on How to Configure Inbound NAT in Palo Alto PA-VM

Appendix

U Turn NAT

U-Turn NAT is configured to allow users to access Internal Servers via its public IP

Create a NAT Rule called U Turn NAT and put it on top of others NAT Rules with the configuration below

Original Packet

  • Source Zone – Trust (LAN)
  • Destination Zone – Untrust (WAN)
  • Destination Address – Public IP of Exchange Server

Translated Packet

  • Source Address Translation

    • Translation Type – Dynamic IP And Port
    • Address Type – Interface Address
    • Interface – Ethernet 1/2 (Trust / LAN Interface)
    • IP Address – IP Address of Trust Interface
  • Destination Address Translation

    • Translation Type – Static IP
    • Translated Address – LAN IP of Exchange 2013 Server

Create a Security Policy called NAT-UTURN-ACCESS with the settings below

  • Source Zone = Trust
  • Destination Zone = Untrust
  • Destination Address = Public IP of Exchange 2013 Server
  • Services = ANY
  • Action = ALLOW

Users should be able to access https://mail.aventislab.info which is resolved to Public IP Address in LAN now

Reference Link

  1. How to Configure U-Turn NAT

Reset to Factory Default Settings

Boot PA-VM into Maintenance Mode from Hyper-V Console

debug system maintenance-mode

Select Factory Reset and press Enter

Select Factory Reset and press Enter with all the default settings

Select Reboot to reboot PA-VM with factory default settings

Login to PA-VM with default username and password, admin / admin

IP Address for Management Interface

Enter Configuration Mode

> configure

Change from DHCP to Static Mode and configure the IP Address, Subnet Mask, Default Gateway, and DNS Server

# set deviceconfig system type static

# set deviceconfig system ip-address 10.10.8.254 netmask 255.255.255.0 default-gateway 10.10.8.1 dns-setting servers primary 1.1.1.1

# commit

Verify the IP Address had been configured successfully

# exit

> show interface management

Login to https://10.10.8.254 from Windows 10 Machine to continue the setup with GUI

Contents

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top