Installation and Configuration Procedure

For this procedure port 57 is assigned to the “inside” VLAN on the switch. This VLAN requires an internal DHCP server on the 192.168.1.x/24 subnet. To create this, use the following command:

# configure Default add ports 57

To verify the Default VLAN configuration:

# show inside
X465-24MU-24W.5 # sh inside
VLAN Interface with name inside created by user
    Admin State:         Enabled     Tagging:   802.1Q Tag 10 
    Description:         None
    Virtual router:      VR-Default
    IP Anycast:          Disabled
    IPv4 Forwarding:     Disabled
    IPv4 MC Forwarding:  Disabled
    Primary IP:          192.168.1.254/24
    IPv6 Forwarding:     Disabled
    IPv6 MC Forwarding:  Disabled
    IPv6:                None
    STPD:                None
    Protocol:            Match all unfiltered protocols
    Loopback:            Disabled
    NetLogin:            Disabled
    QosProfile:          None configured
    Egress Rate Limit Designated Port: None configured
    Flood Rate Limit QosProfile:       None configured
    Suppress ARP:        Disabled
    Suppress ND:         Disabled
    Proxy ARP:           Entry required
    Ports:   2.           (Number of active ports=1)
       Untag:       1,*57(Insight)

1. Transfer the firewall image to the switch by entering the directory of the images:
   

   # cd /usr/local/vm/packages/

   

   Note

   If you are unable to change to this directory, you are likely missing a Core license on your switch.
2. Transfer the image to the server/host with SFTP/SCP services:
   

   # scp2 vr VR-Default <username>@<IP Address of SCP Host>:PA-KVM-9.1.2.qcow2 PA-KVM-9.1.2.qcow2 

3. Create the VM:
   

   # create vm PAN image PA-VM-KVM-9.1.2.qcow2 cpu 2 memory 5730
   Creating VM..........................................................................................................
   VM PAN created successfully.
   

4. Configure the VM with interfaces.

   Assign two interfaces to the firewall: port 57 and 58. The VM picks up the first interface that comes up. The management port is shared with the front panel management port of the switch and should be addressed for that management interface. Port 57 on the ExtremeSwitching X465 is directly connected to the forwarding plane of the switch

   

   # configure vm PAN add ports mgmt
   # configure vm PAN add ports 57
   # configure vm PAN add ports 58

   Adding these ports in sequence maps them in sequence as the VM boots. Palo Alto takes the first port for management, then the second port as Ethernet 1/1, and the third as Ethernet 1/2. The ports are configured on the switch to VLAN Mgmt (10.10.10.x), VLAN inside (192.168.1.x), and VLAN outside (10.10.100.x). Each VLAN has a DHCP server available for their respective subnets. If you want the VM to start automatically every time the switch is booted, add this command:

   

   # enable vm pan autostart

5. Verify the configuration of the VM:
   

   # shOW vm pan 
       VM Name:         pan
       State:       Stopped
       Memory size: 5370 MB
       CPUs:        2
       Auto-start:  Disabled
       VNC:         127.0.0.1:1 (Port 5901)
       Disk:        vda
           Source:                  /mnt/vmdisk/.vm/pan_PA-VM-KVM-9.1.2.qcow2
           Disk bus type:           virtio
           Allocated size in bytes: 64424509440 (60.00 GB)
           Physical size in bytes:  5583732736 (5.20 GB)
           Read requests:           0
           Bytes read:              0
           Write requests:          0
           Bytes written:           0
       Network interfaces:
           Attached switch ports:   mgmt,57-58

6. Start the VM:
   

   # start vm pan

7. Open a console connection into the VM:
   

   # open vm PAN
   Connected to domain PAN
   Escape character is ^Y

   

   Note

   The Palo Alto firewall VM takes a moment to boot-up. It may be a few minutes before the prompt appears on the CLI.
   The firewall will report the IP address it retrieved in the CLI before logon: DHCP: new IP 10.10.10.149 : mask 255.255.255.0

   

   Palo Alto Firewall Logon Window

   

8. Open the serial connection to the firewall VM on the ExtremeXOS CLI:
   

   Connected to the domain pan
   Escape character is ^Y
   
   PA-VIM Login:

9. Log on with the credentials: admin/admin.
10. Connect using VNC:

    The IAH complex on ExtremeXOS also offers a proxy to a switch with a VNC connection to the VM. You can map up to 16 connections. In this case, VNC connection 1 is mapped. Opening this VNC session provides direct access to the VM “screen”. No special configuration of the virtual machine is required.

    You can see this configuration using the command show vm pan. The mapped port is 5901, but it is not directly accessible. To reach this port, it is necessary to map an SSH tunnel on the client accessing the switch. On MacOS and Linux environments, us the following command:

    

    # ssh admin@<ip address of the switch> -L 5901:127.0.0.1:5901

    You are prompted for your password, and a successful logon to the switch also creates an SSH tunnel to the VNC server. Use your favorite VNC client to open: 127.0.0.1:1.

11. Activate the firewall interface and assign VLANs for zones:
    Configure according to Palo Alto instructions. The firewall interface is Eth1/1 and Eth1/2. This example is configured with each in Layer 3 mode for the X465. The interfaces are directed to request IP addressing from the switch DHCP server.
12. Confirm the DHCP server setup:
    

    # show dhcp-server 
        VLAN "inside":
        DHCP Address Range   : 192.168.1.100->192.168.1.110
        Netlogin Lease Timer : Not configured (Default = 10 seconds)
        DHCP Lease Timer     : Not configured (Default = 7200 seconds)
        Default Gateway      : 192.168.1.1
        Primary DNS Server   : 8.8.8.8
        Ports DHCP Enabled   : 1,57
    
        ===========================================================================
        IP                MAC                 State      Lease Time Left
        ===========================================================================
          192.168.1.100   48:9b:d5:eb:1e:42   Assigned   0001:22:17
    
    VLAN "outside":
        DHCP Address Range   : 10.10.100.100->10.10.100.110 
        Netlogin Lease Timer : Not configured (Default = 10 seconds)
        DHCP Lease Timer     : Not configured (Default = 7200 seconds)
        Ports DHCP Enabled   : 58
    
        ===========================================================================
        IP                MAC                 State      Lease Time Left
        ===========================================================================
          10.10.100.100   48:9b:d5:eb:1e:43   Assigned   0001:22:17
    

13. Continue configuring the firewall. For more information, see the Palo Alto Networks documentation.
    The X465 is configured for two firewall interfaces mapped to non-trunked ports on the switch in Layer 3 mode for a total of two zones: inside and outside. DHCP was used to assign IP addresses. You can chose instead to use tagged VLANs on the switch ports 57 and 58 to present more switch VLANs to the firewall by sub-interfaces or VLANs. Using two sideband ports give the X465 a theoretical bandwidth of 20Gb/s in and 20Gb/s out for firewall inspection.
14. Configure the interfaces to allow PING and other services, so that bi-directional communication can be verified.
    Network > Network Profiles > Interface Management.

    

    Palo Alto Firewall Interface Management Profile Window

    

15. PING your interfaces and populate the IPARP and FDB tables on the switch.
16. Check the interface mapping against the switch MAC addresses. From the VM side, use the command:
    

    admin@PA-VM> debug show vm-series interfaces all
    
    Interface_name	Base-OS_port     Base-OS_MAC	       PCI-ID       Driver
      Mgt			   eth0       52:54:00:7d:e5:c1   		    	  virtio_net
     Ethernet1/1         eth1       48:9b:d5:eb:1e:42   0000:00:07.0    net_ixgbe
     Ethernet1/2         eth2       48:9b:d5:eb:1e:43   0000:00:08.0    net_ixgbe
    

    Compare this to the switch mapping by the ExtremeXOS CLI.

17. Inspect the ARP table:
    

    # show iparp
    VR          Destination      Mac                Age Static VLAN   VID   Port
    VR-Default  192.168.1.100    48:9b:d5:eb:1e:42   6   NO   inside   10    57
    VR-Default  10.10.100.100    48:9b:d5:eb:1e:43   1   NO   outside  100   58

18. Inspect the forwarding database:
    

    # show fdb
    MAC                  VLAN Name( Tag)    Age Flags   Port/Virtual Port List
    ----------------------------------------------------------------------------
    48:9b:d5:eb:1e:42    inside(0010) 0091   d     m          57
    48:9b:d5:eb:1e:43    outside(0100) 0026  d     m          58
    
    

    As each interface is mapped, activated, and used on the VM, they appear the IP ARP table and the switch forwarding database. Port management is shared with the front panel Management port and limited to 1 Gb/s. Ports 57 and 58 are connected directly to the forwarding plane on an X465. (A X695 has only one port connected to the forwarding plane and requires VLANs to instantiate multiple interfaces. Check the hardware guide for your switch for the number and port designations of the forwarding plane ports.)

Example

ExtremeSwitching X695 series switches provide greater CPU and memory capacity, but have only one sideband port: port 63. This is a 10Gb/s port. The configuration of the firewall on the X695 requires the use of sub-interfaces or VLANs on the firewall to gain more than one firewall traffic port. The configuration is as above, but the two ports (Mgmt and port 63) are mapped. Mgmt provides the web UI and port 63 maps to Ethernet 1/1.

When using a ExtremeSwitching X695 switch for the above procedure, the following applies.

# sh vm PAN 
VM Name:         PAN
    State:       Running
    Memory size: 8192 MB
    CPUs:        2
    Auto-start:  Disabled
    VNC:         127.0.0.1:1 (Port 5901)
    Disk:        vda
        Source:                  /mnt/vmdisk/.vm/PAN_PA-VM-KVM-9.1.2.qcow2
        Disk bus type:           virtio
        Allocated size in bytes: 64424509440 (60.00 GB)
        Physical size in bytes:  5405478912 (5.03 GB)
        Read requests:           48213
        Bytes read:              1188752896
        Write requests:          17699
        Bytes written:           1011475968
    Network interfaces:
        Attached switch ports:   mgmt,63
    CPU utilization:
        User:                    0.16%
        System:                  62.53%
    Memory utilization:
        Used:                    0.67 GB
        Available:               7.33 GB

The VLAN configuration of the sideband port is as follows:

# sh ports 63 vlan
         Untagged  
Port     /Tagged   VLAN Name(s)
-------- --------  ------------------------------------------------------------
Insight  Untagged  Default
         Tagged    v1, v2

They are mapped directly to interface Ethernet 1/1 (Default VLAN on 63), sub-interface Ethernet 1/1.10 (VLAN 10, v1), sub-interface Ethernet 1/1.20 (VLAN 20, v2).

Palo Alto Firewall Interface Management Profile Window for X695

The total availability of bandwidth for this VM is one 10Gb/s port: 10Gb/s in, 10Gb/s out.