Palo Alto Support

Before posting something, READ the changelog, WATCH the videos and how-tos, and provide the following:
Your install (bare metal or ESXi), CPU model, RAM, HD, which EVE version you have, the output of `uname -a` and any other info that might help us help you faster.

Moderator: mike

Grinder
Posts: 4
Joined: Mon Mar 20, 2017 1:35 pm

Palo Alto Support

Post by Grinder » Thu Mar 23, 2017 7:59 pm

After successfully installing the Palo Alto FW in the EVE-NG environment following the instructions here (tried PA-VM-ESX-6.1.0.ova and PA-VM-ESX-7.1.0.ova):

http://eve-ng.com/index.php/documentati ... lto-vm-100

I was getting interface errors with the default e1000 interface type.

After searching around I came across the following article titled "PaloAlto UNL Basic config":

https://nbctcp.wordpress.com/2016/08/10 ... ic-config/

The first step, as per the article is "make sure all nics in UNL vm using vmxnet3 and not e1000".

So I changed the adapter type in /opt/unetlab/html/templates/paloalto.php to vmxnet3 by adding the following line:

$p['qemu_nic'] = 'vmxnet3';

Once I was done with that, I connected a VPCS VM to the mgmt interface in the Palo Alto, enabled ICMP on that interface (via CLI) but still couldn't ping it (with or without the extra command).

I noticed Uldis' intro video to the newest EVE-NG had a Palo Alto lab, so he must have been able to get it up and running. I'm trying to get it to work and would like this thread to be helpful for anyone trying to get Palo Alto up and running in EVE-NG.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Palo Alto Support

Post by Uldis (UD) » Thu Mar 23, 2017 8:11 pm

The best is to get the qcow2 image from Palo, mate. It works great:

PA-VM-7.0.1.qcow2

Grinder
Posts: 4
Joined: Mon Mar 20, 2017 1:35 pm

Re: Palo Alto Support

Post by Grinder » Sat Mar 25, 2017 5:59 am

Thank you for the recommendation Uldis.

I did download the qcow2 image from Palo Alto. It did fix the issue: I am able to ping the management interface without changing the adapter type to vmxnet3 (leaving it as e1000). It still gives me the following error message:

"e1000: eth1: e1000_phy_read_status: Error reading PHY register"

In turn, when I configure ethernet1/1 (assign it a zone, assign it to the default virtual-router, assign an IP to it, enable ping on it), this interface is unreachable. The VPCS instance connected to ethernet1/1 does have a correct ARP entry, but the Palo Alto doesn't have one.

When I changed the interface type to vmxnet3, no interface was reachable, not even the management interface.

I am back to wondering how you have a fully functional, integrated lab running.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Palo Alto Support

Post by Uldis (UD) » Sat Mar 25, 2017 8:54 am

I would say it is more of a cosmetic error, which is observed on CSR as well; it actually does nothing, it is just annoying.
But you can try changing the image name inside the folder from hda.qcow2 to virtioa.qcow2.
Check if it helps. I just did that with Palo 8.0.0 and it seems to work OK. Personally I don't have full-scale Palo labs, but I know guys who did even HA on EVE Palo labs and reported it as great.
[attachment: Plaoweb.PNG]

Mikeee
Posts: 2
Joined: Sun Mar 26, 2017 9:08 pm

Re: Palo Alto Support

Post by Mikeee » Sun Mar 26, 2017 10:37 pm

Hi All,

Grinder is correct in what he says, down to the MAC address analysis. (Grinder, don't despair, this used to work fine in unetlab.) Find attached packet captures of this, one when the connecting inside router was an IOL router, then another when the connecting inside router was a vIOS router. The Palo in each case does not get a MAC. Actually, sorry, I can not attach the captures as I get an "invalid extension" error (using Chrome, Win10 x64, latest everything) when I try to add an attachment on this new forum. Anyway, the first packet capture gives lots of LOOP packets (packets with the same src and dst MAC addresses, clearly messed up). With vIOS I get no response from the inside vIOS router to the inside IP of the Palo. Yes, I have configured the Palo correctly. I have been a CCIE-level network security engineer for 15 years.

Thanks so much for the latest version, though it's not as stable yet and has caused me many issues.

Please try to keep the major version stable now for a while, with no more major changes to the base image, or at least make it clear what is beta and what is not. I recently demo'ed EVE-NG to a large corporate I am working at, only to have it fail in multiple ways. Most of them were due to my old labs not working (my fault: I did not copy /opt/unetlab/tmp/0 over and modify it, which contained my VM instances for each lab; yeah, like Palo, Checkpoint, ASA, Nexus, Linux VMs). Anyway, I am a big fan of this software and a big advocate of it. This was my fault though, as I should not have used EVE-NG to demonstrate. I thought it would have been as stable as any other unetlab upgrade.

Good luck and thanks again.

Please let me know when this issue is fixed or if you need some diagnostic info from me.

Grinder
Posts: 4
Joined: Mon Mar 20, 2017 1:35 pm

Re: Palo Alto Support

Post by Grinder » Sun Mar 26, 2017 10:50 pm

I did connect an IOL device to ethernet1/1 and configured everything as described in my previous post, but I'm still facing the same connectivity issues with the data/revenue ports, even though the management interface is reachable.

If anyone could provide any guidance on the steps to get a successful lab up and running, I would greatly appreciate it.

Thank you!

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Palo Alto Support

Post by Uldis (UD) » Sun Mar 26, 2017 11:35 pm

Just used Palo 8.0, simple lab: assigned int e1/1 to IOL and all works. Used the default router, trusted zone, management profile with ping.
e1/1 has a DHCP IP set up; on the IOL router there is a DHCP pool.
Palo management is on my home cloud, also via DHCP.

Maybe I miss something?
The capture below is on the Palo e1/1 interface.

And be sure that your Palo image name inside the Palo folder is the correct name: it is virtioa.qcow2.
http://www.eve-ng.net/index.php/documen ... ages-table

I recommend not converting, but using the KVM image from Palo.
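The two fixes Uldis gives above (rename the disk from hda.qcow2 to virtioa.qcow2, and use Palo Alto's KVM qcow2 rather than a converted ESX OVA) come down to a quick check of the image folder, written here as an added POSIX shell script. This is example code added to the thread, not EVE-NG's own tooling and not anything a poster supplied. The folder path /opt/unetlab/addons/qemu/<template>-<version>/ and the rule that the disk file name picks the bus the guest sees (hda.qcow2 is IDE, virtioa.qcow2 is virtio) are EVE-NG's documented conventions; the qcow2 magic test ("QFI" followed by 0xfb), the "KDMV" hint for a VMDK left over from an OVA, the function names and the ADDONS variable are my own assumptions for the example.

```shell
#!/bin/sh
# Added example, not EVE-NG's own tooling: sanity-check a Palo Alto image
# folder the way this thread's fixes describe.
#
# EVE-NG layout: each QEMU image lives in /opt/unetlab/addons/qemu/<template>-<version>/
# and the disk file name selects the bus the guest sees:
#   hda.qcow2 -> IDE, virtioa.qcow2 -> virtio (the name Uldis says to use).
# The qcow2 magic check and the KDMV (VMDK) hint are my additions, not EVE-NG's.

ADDONS="${ADDONS:-/opt/unetlab/addons/qemu}"   # assumed default; override for tests

# check_pa_dir DIR -> 0 when DIR is a usable paloalto-* folder, else 1 and a reason
check_pa_dir() {
    dir="$1"
    name=$(basename "$dir")
    disk="$dir/virtioa.qcow2"
    case "$name" in
        paloalto-*) ;;
        *) echo "$name: folder must start with 'paloalto-' so the template picks it up"; return 1 ;;
    esac
    if [ -f "$dir/hda.qcow2" ] && [ ! -f "$disk" ]; then
        echo "$name: disk is hda.qcow2 (IDE); rename it to virtioa.qcow2 (virtio)"
        return 1
    fi
    if [ ! -f "$disk" ]; then
        echo "$name: no virtioa.qcow2 present"
        return 1
    fi
    # First three bytes: qcow2 starts with "QFI" (then 0xfb), a VMDK extent with "KDMV".
    magic=$(dd if="$disk" bs=3 count=1 2>/dev/null)
    case "$magic" in
        QFI) return 0 ;;
        KDM) echo "$name: virtioa.qcow2 is really a VMDK (converted OVA?); use Palo's KVM qcow2"; return 1 ;;
        *)   echo "$name: virtioa.qcow2 lacks the qcow2 magic"; return 1 ;;
    esac
}

# fix_pa_dir DIR: apply the rename from the thread (hda -> virtioa), then re-check
fix_pa_dir() {
    if [ -f "$1/hda.qcow2" ] && [ ! -f "$1/virtioa.qcow2" ]; then
        mv "$1/hda.qcow2" "$1/virtioa.qcow2"
    fi
    check_pa_dir "$1"
}

# main: check every paloalto-* folder under $ADDONS; non-zero if any fails.
# After renaming files, EVE-NG also wants its permission fixer run:
#   /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
main() {
    rc=0
    for d in "$ADDONS"/paloalto-*; do
        [ -d "$d" ] || continue
        check_pa_dir "$d" || rc=1
    done
    return $rc
}

# Usage: sh check_pa_image.sh run   (without "run" the file only defines functions)
if [ "${1:-}" = "run" ]; then main; fi
```

Run it on the EVE host as `sh check_pa_image.sh run`; each failing folder prints one line saying which of the thread's three mistakes it matches (wrong folder prefix, IDE disk name, or a non-qcow2 payload from an OVA conversion).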

Mikeee
Posts: 2
Joined: Sun Mar 26, 2017 9:08 pm

Re: Palo Alto Support

Post by Mikeee » Mon Mar 27, 2017 1:36 am

Got this working now. Changed the router's IOS image and rebooted; it seems OK. Not sure what the issue was.

I still have issues pinging from the internal router to the Palo int interface (this could be a Palo conf issue).

To get it working you need to:

Set up routers on each side
Add interfaces on the Palo
Configure policy (allow any any from internal LAN to external LAN for testing)
Save and commit the policy

You should be able to ping from the Palo to these new routers, though make sure you get the syntax correct:
ping source "source IP of Palo int" host "internal IP of internal router"

You should now be able to ping through the Palo as well, from the int router to the ext router. Set up SSH and test this too.

So all good, working now, but I did have an initial issue and did not root-cause it.

Essam
Posts: 4
Joined: Wed Apr 26, 2017 10:34 pm

Re: Palo Alto Support

Post by Essam » Sat Oct 13, 2018 11:58 am

Dear all,
Can you send me a PA image, version 8 or 7, as a .qcow2 file to my email (eng_essam.h@hotmail.com) please? I tried to convert it from OVA to qcow2 according to the EVE documentation with methods 1 and 2, but it still does not work and I always face the error shown in the attached picture.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Palo Alto Support

Post by Uldis (UD) » Sat Oct 13, 2018 6:24 pm

It is illegal to ask for or distribute images in this forum.
Use our how-to to create the image yourself.
