
Palo Alto Networks Firewall Essentials (Installation and Configuration Guide)

Ahyal Husna

Academic year: 2024



Full text

The Palo Alto Networks Firewall Essentials lab kit is required, and therefore designed, to have Internet access. You agree that you are solely responsible for, and that NDG has no liability or responsibility for: (a) any Internet use by users of the Palo Alto Networks Academy laboratory training environment or any additional laboratory environments you set up using Palo Alto Networks firewalls, and (b) monitoring, securing, and logging the Internet activity that occurs through the Palo Alto Networks Academy laboratory training environment.

NETLAB+ Pod Internet Access and Use Agreement

IMPORTANT: If you choose to add optional functionality to allow learners (including without limitation remote learners) to access and use the Internet through the Palo Alto Networks Academy lab environment, you are solely responsible for configuring and managing the Palo Alto Networks firewalls and related software that Palo Alto Networks provides for Internet access, including without limitation all security features and policies related to the Palo Alto Networks firewalls.

Pod Setup Overview

The PAN_MGMT and PAN_UNTRUST networks are required for the FE Firewall to properly communicate with the GW Firewall. This guide provides specific information relevant to delivering the Palo Alto Networks Firewall Essentials course via NETLAB+.

Environment

It is assumed that you have knowledge of the following before attempting to deploy this lab suite to your VMware and NETLAB+ environments. The Palo Alto Networks Firewall Essentials pod consists of 4 virtual machines that reside on your ESXi host(s).

Pod Creation Workflow

Pod Resource Requirements

ESXi Host Server Requirements

NETLAB+ Requirements

Software Requirements

Networking Requirements

Downloading OVF Files

Obtaining Software Licenses

Host Configuration

Port Group Configuration

For Connection Settings, enter PAN_MGMT in the Network label text box and 11 in the VLAN ID text box, and then click Next. Repeat for the second port group: in the Connection Settings window, type PAN_UNTRUST in the Network label text box and 12 in the VLAN ID text box, and then click Next.

NETLAB+ Virtual Machine Infrastructure Setup

Gateway Master (GW) Pod Setup

  • Deploying GW Virtual Machine OVF/OVA Files
  • Create Snapshots on the Master Virtual Machines
  • NETLAB+ Virtual Machine Inventory Setup
  • Install the Master GW Pod
  • Update the Master Pod
  • Bring the GW Master Pod Online

In the Gateway Firewall Network Mapping window, make sure the following networks are set, and then click Next. Snapshots must be created for the master virtual machines before you can continue with cloning the pod. This section will guide you in adding your templates to the virtual machine inventory of your NETLAB+ system.

Select the check box next to the Palo Alto Networks Firewall Essentials Gateway virtual machines and click Import Selected Virtual Machines. Check the drop-down box for the correct operating system for each imported virtual machine. The unit ID number determines the order in which the Palo Alto Networks Firewall Essentials Gateway units will appear in the scheduler.

Click the magnifying glass icon next to the virtual machine you are about to assign. In the Base Virtual Machine window, select your Palo Alto Networks Firewall Essentials Gateway virtual machine to map it to the slot reserved for it in the pod. It is also recommended that you use VMware vSphere's virtual machine startup/shutdown settings to ensure that the gateway firewall powers on when your host boots.

Firewall Essentials Master (FE) Pod Setup

Deploying FE Virtual Machine OVF/OVA Files

Click Browse and locate the PAN7_FE_FM_ OVF/OVA files you downloaded from CSSIA. On the Firewall Essentials Firewall Network Mapping window, ensure that the following networks are set, and then click Next. Select the check box next to your Palo Alto Networks Firewall Essentials virtual machines and click Import Selected Virtual Machines.

Install the Master FE pod

It is a best practice to use a block of sequential ID numbers to number the Palo Alto Networks Firewall Essentials pods that you will install. The Pod ID number determines the order in which Palo Alto Networks Firewall Essentials pods will appear in the scheduler. In the Equipment Pods list, click the Pod ID link to open the Pod Management interface.

In the Base Virtual Machine window, select your Palo Alto Networks Firewall Essentials virtual machine to connect it to the slot reserved for it in the pod. Set the shutdown preference for each virtual machine as follows:

  • Desktop1: graceful shutdown by OS
  • Desktop2: graceful shutdown by OS
  • Server: graceful shutdown by OS
  • Firewall: graceful shutdown by OS

Since this is our master pod, used for cloning the other pods, we will keep it offline so we can use it to create the instructor and student pods.

Pod Cloning

Linked Clones and Full Clones

Creating User Pods

Click the Clone button to create a new pod based on this pod's settings. If the pod IDs are not in numerical order, they will not appear in the scheduler in numerical order. Using a structured naming convention for your pods will allow for better use of PowerCLI scripts later in the installation guide.

Depending on your environment you can reduce this to something like PAN7_FE_DS1_H2_P1021. By doing this, you can programmatically identify the pods or virtual machines you want to manipulate using wildcards. The three most important columns for this Master Pod clone are Source Snapshot, Clone Type, and Clone Role.

Time saving: If you clone the first user pod instead of the master pod, all the default values will be set correctly and you won't have to change the clone type and clone role every time. NETLAB+ will still assume that you want to link to the master virtual machines, since master virtual machines rank higher than normal or persistent virtual machines in the default choices for pod cloning.

GW Pod Configuration

  • IP Address Assignment
    • Static IP Address
    • DHCP IP Address
  • DNS Settings
  • Licensing
  • Startup and Shutdown the Firewall

Using a static IP address, as shown in this section, is the recommended method for assigning an IP address to the GW firewall. To give your firewall a static IP address, you'll need to know the IP address, subnet mask, and gateway IP to assign to ethernet1/1, the interface connected to vmnic 2 on the firewall VM. We can then perform a small test to ensure that the firewall has a default outbound route via ethernet1/1, by pinging a known IP address that is reachable via ICMP.

The use of a dynamic IP address, as shown in this section, is an alternative method of applying an IP address to the GW Firewall. The following procedure describes the steps required to assign a dynamic IP address to your GW Firewall. When using DHCP to provision your GW firewall, we recommend that you create an IP reservation for the IP address in your DHCP pool that the firewall will obtain.

You can let the pod reservation end on its own, as the firewall will continue to run. Log in to the firewall terminal again, and then type the following command in the CLI. In the following procedure, we use VMware ESXi to automate the startup and shutdown of the GW Firewall along with the power cycle of the ESXi host, to ensure that the firewall is brought up whenever the host boots.

FE Pod Configuration

IP Addressing

  • Boot FE Firewalls - Manual Method
  • Boot FE Firewalls - PowerCLI Method

You can start the FE Firewalls using the manual method described in this section or by using PowerCLI as described in the next section. Manual boot requires you to access your ESXi host via the web client or vSphere Client and manually boot in > 10 second intervals. Click Hosts and Clusters, then select the host where your FE virtual machines are located, click Related Objects, and then click Virtual Machines.

Wait at least 10 seconds before repeating the previous step on the next firewall in the list. You can start the FE Firewalls using PowerCLI as described in this section or using the manual method described in the previous section. The following describes how to boot the FE Firewall virtual machines at 10-second intervals using PowerCLI.

Log in to your vCenter using the connection string below, replacing the placeholders with values that match your configuration. Once connected to your vCenter server, you can use the following script to start all your FE firewalls one at a time, every 10 seconds. When the script has finished and all FE Firewalls have started, wait 5 minutes before proceeding to Licensing.
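An added PowerCLI example of the staggered boot described above; it is not the guide's own script. The vCenter name, the credential prompt and the PAN7_FE_*Firewall* name pattern are assumptions: replace them with your vCenter and the pod naming convention you chose earlier.

```powershell
# Added example, not the guide's own script. The values below are assumptions: adjust them.
$vCenter    = "vcenter.example.local"   # assumed vCenter server name
$credential = Get-Credential -Message "vCenter account with power-on rights"
$vmFilter   = "PAN7_FE_*Firewall*"      # assumed wildcard matching only the FE firewall VMs
$delay      = 10                        # seconds between power-ons, per the guide

Connect-VIServer -Server $vCenter -Credential $credential | Out-Null

# Select the FE firewalls by wildcard and sort so the boot order is predictable.
$firewalls = Get-VM -Name $vmFilter | Sort-Object -Property Name
if (-not $firewalls) {
    Write-Warning "No VMs matched '$vmFilter'. Check the pod naming convention."
    Disconnect-VIServer -Server $vCenter -Confirm:$false
    return
}

foreach ($vm in $firewalls) {
    # Skip firewalls that are already running, so the script can be re-run safely.
    if ($vm.PowerState -eq "PoweredOn") {
        Write-Host "$($vm.Name) is already powered on, skipping."
        continue
    }
    Write-Host "Powering on $($vm.Name) ..."
    Start-VM -VM $vm -Confirm:$false | Out-Null
    # Stagger the boots at the guide's 10-second interval before starting the next one.
    Start-Sleep -Seconds $delay
}

Write-Host "All FE firewalls started. Wait about 5 minutes before proceeding to Licensing."
Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run the script once with only the Get-VM and Format-Table lines (or inspect $firewalls) to confirm the wildcard selects exactly the FE firewall VMs before powering anything on.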

Licensing

  • Troubleshooting

After confirming that all firewalls are working and responding, run the following command to license all firewalls with a single ID for aut. The reboot process takes about 4 minutes, so please wait enough time after the last system is licensed before proceeding to the next step. Note that the output now shows the actual serial numbers for all required firewalls.

If you haven't completed the previous steps, see the next section, Troubleshooting. There are various tools at our disposal to help find answers to the problems we may encounter when setting up these pods. You can check Internet access by opening a web browser on the GW Desktop machine and surfing to Google or Yahoo.

The default route for the desktop goes out via PAN_UNTRUST, which the FE firewalls also use to access the Internet, making it a good place to test. The FE firewalls must be able to obtain an IP address from the GW firewall. The communication required for this to happen must take place on specific interfaces, and the port groups (if configured on the same vSwitch) must be assigned the correct VLAN IDs.

Pod Snapshots

  • Snapshot the Virtual Machines - Manual Method
  • Snapshot the Virtual Machines - PowerCLI Method

Choose one method: This section provides details on manually creating snapshots of your virtual machines. You can use this method or follow the instructions in the next section to create snapshots using PowerCLI. The following procedure highlights the use of the vSphere Web Client method, as it is probably the most used in newer installations.

In the Take VM Snapshot window, enter GOLDEN_MASTER in the Name text box and enter today's date in the Description, and click OK. Choose one method: This section details how to take snapshots of your virtual machines using PowerCLI. You can use this method or follow the instructions in the previous section to create snapshots manually.

The following procedure will use PowerCLI to create snapshots of all FE-pod virtual machines. The key for this procedure to work well is in the naming convention used for the FE pods. As long as the virtual machines can be selected accurately, using wildcards, this procedure will work without problems.
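An added PowerCLI example of the wildcard-driven snapshot procedure described above; it is not the guide's own script. The vCenter name, the credential prompt and the PAN7_FE_* pattern are assumptions; the snapshot name GOLDEN_MASTER and the date description follow the manual method in the previous section.

```powershell
# Added example, not the guide's own script. The values below are assumptions: adjust them.
$vCenter      = "vcenter.example.local"  # assumed vCenter server name
$credential   = Get-Credential -Message "vCenter account with snapshot rights"
$vmFilter     = "PAN7_FE_*"              # assumed wildcard matching all FE pod VMs
$snapshotName = "GOLDEN_MASTER"          # same name the manual procedure uses
$description  = Get-Date -Format "yyyy-MM-dd"   # today's date, as in the manual procedure

Connect-VIServer -Server $vCenter -Credential $credential | Out-Null

# Show what the wildcard selected before any snapshot is taken.
$podVMs = Get-VM -Name $vmFilter | Sort-Object -Property Name
$podVMs | Select-Object Name, PowerState | Format-Table -AutoSize

foreach ($vm in $podVMs) {
    # Skip VMs that already carry the snapshot, so the script is safe to re-run.
    $existing = Get-Snapshot -VM $vm -Name $snapshotName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$($vm.Name): $snapshotName already exists, skipping."
        continue
    }
    Write-Host "$($vm.Name): creating snapshot $snapshotName"
    New-Snapshot -VM $vm -Name $snapshotName -Description $description -Confirm:$false | Out-Null
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```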

Bring Pods Online

Administration

Security Policies

Logging

Threat Prevention

URL Filtering

Wildfire

Monitoring
