Initial Setup of Palo Alto PA-VM on Hyper-V

Steps to install and perform initial setup of Palo Alto PA-VM on Hyper-V in our lab

Download & Install PA-VM

Log in to the Palo Alto Networks Customer Support Portal and download the Hyper-V base image via Update – Software Update

Provision a new VM by following Perform Initial Configuration on the VM-Series Firewall

2 x vCPU, 6GB RAM with 4 x Network Adapters are assigned for PA-VM

  • 1st Network Adapter – Management Interface
  • 2nd Network Adapter – Untrust Interface
  • 3rd Network Adapter – Trust Interface
  • 4th Network Adapter – DMZ Interface

Management Interface

The Management Interface not only provides Web Interface & SSH access for configuring and monitoring the PA-VM, but also needs Internet access to receive the latest updates from Palo Alto Networks.

Interfaces

3 x Layer 3 interfaces are created

  • ethernet 1/1 – 192.168.4.48/24 (untrust)
  • ethernet 1/2 – 192.168.1.10/24 (trust)
  • ethernet 1/3 – 172.16.1.1/24 (DMZ)

Virtual Router

**Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall must be associated with a virtual router.**

Default Route is configured in Static Routes

Zones

A security zone is a group of one or more physical or virtual firewall interfaces and the network segments connected to the zone’s interfaces. You control protection for each zone individually so that each zone receives the specific protections it needs.

NAT Policies for Internet Access

The following 2 x NAT Policies are created

  • Out-NAT-LAN – Allow Trust to Untrust for LAN IP – 192.168.1.0/24 to access Internet by translating to Untrust Interface IP
  • Out-NAT-DMZ – Allow DMZ to Untrust for DMZ IP – 172.16.1.0/24 to access Internet by translating to Untrust Interface IP

Security Policies

The following 2 x Security Policies are created

  • TrustToUntrust – Allow Trust & DMZ Zone to have full access to Untrust Zone (Internet)
  • TrustToDMZ – Allow full access from Trust to DMZ Zone

Machines from Trust Zone (192.168.1.0/24) and Servers from DMZ Zone (172.16.1.0/24) should have full Internet access now
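
The combined effect of the NAT and security policies above can be checked as a reachability model. This is an added example, not part of the original post or of PAN-OS: a simplified Python model of this lab's zones and rules, assuming the default route leaves via the untrust interface and that PAN-OS's built-in intrazone-allow and interzone-deny default rules are unchanged; host addresses used to exercise it are constructed.

```python
import ipaddress

# From the page: Layer 3 interface addresses and the zone each belongs to.
ZONES = {
    "untrust": ipaddress.ip_interface("192.168.4.48/24"),
    "trust": ipaddress.ip_interface("192.168.1.10/24"),
    "DMZ": ipaddress.ip_interface("172.16.1.1/24"),
}
# From the page: security policies as (name, source zones, destination zone).
SECURITY_RULES = [
    ("TrustToUntrust", {"trust", "DMZ"}, "untrust"),
    ("TrustToDMZ", {"trust"}, "DMZ"),
]
# From the page: source NAT policies as (name, from zone, source subnet, to zone).
NAT_RULES = [
    ("Out-NAT-LAN", "trust", ipaddress.ip_network("192.168.1.0/24"), "untrust"),
    ("Out-NAT-DMZ", "DMZ", ipaddress.ip_network("172.16.1.0/24"), "untrust"),
]

def zone_of(ip):
    """Map an address to a zone. Assumption: anything not on a connected
    subnet is reached through the default route, i.e. the untrust zone."""
    addr = ipaddress.ip_address(ip)
    for zone, iface in ZONES.items():
        if addr in iface.network:
            return zone
    return "untrust"

def evaluate(src, dst):
    """Return (action, matched rule, source address after NAT) for a new session."""
    addr = ipaddress.ip_address(src)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return ("allow", "intrazone-default", src)
    for name, from_zones, to_zone in SECURITY_RULES:  # first match wins
        if src_zone in from_zones and dst_zone == to_zone:
            break
    else:
        # No explicit rule matched: the implicit interzone rule denies.
        return ("deny", "interzone-default", None)
    for _, nat_from, nat_net, nat_to in NAT_RULES:
        if src_zone == nat_from and dst_zone == nat_to and addr in nat_net:
            return ("allow", name, str(ZONES["untrust"].ip))
    return ("allow", name, src)
```

Evaluating a DMZ host against a Trust host shows that the two policies leave DMZ-to-Trust and all Untrust-initiated sessions on the implicit deny, which is the part of the rule set worth re-checking whenever a rule is added.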

Continue to my next post on How to Configure Inbound NAT in Palo Alto PA-VM

Appendix

U-TURN NAT

U-Turn NAT is configured to allow users to access the internal server via its public IP

Create a NAT Policy to perform source & destination translation using the PA-VM trust Interface & the Internal IP Address of the Server
