https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6897#M5080 <HTML><HEAD></HEAD><BODY><P>I do not think you can simulate any hardware platforms with a VM firewall. Vm-firewall does not implement all the features supported by all the platforms. For example HA; VM does not support Active/Active HA. So loading an Active/Active config from a 5000 platform on to VM firewall not sure what will be the result.</P><P></P><P>Sandeep T</P></BODY></HTML> Tue, 08 Jan 2013 17:50:11 GMT sdurga 2013-01-08T17:50:11Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6896#M5079 <HTML><HEAD></HEAD><BODY><P>Group</P><P></P><P>I am pretty sure it can be done (have not tested), but I thought maybe a SE or partner could test and confirm, or provide warnings/pitfalls.</P><P></P><P>I am thinking that if I offloaded a copy of a customer's FW, for archival purposes and then needed to make changes, when I am not at the customer site, that I could just load their configuration into my blank VM version of the PA FW, and then "see" their configuration in the UI, all rules, policies, etc.</P><P></P><P>I could make changes to the offline version, on behalf of my customer, and then either commit it when I am onsite, or perhaps securely send the configuration to them, and they could load it.</P><P></P><P>I am sure there are a lot of holes in this concept/thought.&nbsp; I am just thinking that perhaps the VM version of the FW could a stepping stone to a remote/offline configuration utility application, which a partner/SE could pre-configure a customer's FW before going onsite (or even before a demo).&nbsp; Imagine the amount of time savings this could be.</P><P></P><P>Again, I am not sure if the VM could emulate a all hardware platforms, but I wanted to get a response from the community, and if there was enough support, maybe Palo Alto Networks would consider this.</P><P></P><P>Please provide your feedback.</P></BODY></HTML> Tue, 08 Jan 2013 16:50:02 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6896#M5079 scantwell 2013-01-08T16:50:02Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6897#M5080 <HTML><HEAD></HEAD><BODY><P>I do not think you can simulate any hardware platforms with a VM firewall. Vm-firewall does not implement all the features supported by all the platforms. For example HA; VM does not support Active/Active HA. So loading an Active/Active config from a 5000 platform on to VM firewall not sure what will be the result.</P><P></P><P>Sandeep T</P></BODY></HTML> Tue, 08 Jan 2013 17:50:11 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6897#M5080 sdurga 2013-01-08T17:50:11Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6898#M5081 <HTML><HEAD></HEAD><BODY><P>Agreed and thanks for the fast response.&nbsp; That is why I was bringing it to the Community.&nbsp; I am wondering just how much could be possibly be configured.</P><P></P><P>We know HA would not work, Aggregrate Ports would not work.</P><P>What other items would not work?</P><P></P><P>I bet a PA200 could be configured and its config imported into a VM FW.</P><P></P><P>Need lots of response and we can then generate a working list of what CAN/CANT be done.</P></BODY></HTML> Tue, 08 Jan 2013 18:02:35 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6898#M5081 scantwell 2013-01-08T18:02:35Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6899#M5082 <HTML><HEAD></HEAD><BODY><P>Firewall features not available in VM Series Firewall as of 5.0:</P><P> - Jumbo Frames</P><P> - Link Aggregation</P><P> - A/A High Availability</P><P> - A/P High Availability (with session Sync)</P><P></P><P>One quick note, the VM Series supports HA-Lite (A/P w/o session sync) just like the PA200.&nbsp; </P><P></P><P>Some other things to keep in mind:&nbsp; The VM Series firewall supports 10 Ethernet interfaces (one of them reserved for management), and no dedicated "HA" ports.&nbsp; To move configs between VM Series &amp; hardware devices, be sure that the only interfaces referenced are ethernet1/1 to ethernet1/9, along with the management port.&nbsp; This means if you plan on exporting to a PA200, only use ports e1/1 to e1/4 in the VM Series.&nbsp; And if you plan on exporting to a PA5020, you'll only be able to stage/configure ports e1/1 to e1/9 on the VM Series and any other interface configuration will have to be done on the PA5020 "after-the-fact".&nbsp; This is no different than if you used a PA200 to stage a config for a PA5060.&nbsp; </P><P></P><P>Finally, since the VM Series is supported starting with 5.0, all configs created/modified by the VM Series will be in the 5.0 format.&nbsp; This will likely cause issues if you try to import one of these configs into a hardware device running a previous version of PAN-OS (4.0.x, 4.1.x, etc.).&nbsp; This is no different than if you were to stage a config on a hardware device running 5.0 and attempt to import on a similar hardware device running 4.1.&nbsp; </P><P></P><P>All-in-all, I am quite impressed with the VM Series.&nbsp; Other than the few features that are not supported, it is a full implementation of PAN-OS.&nbsp; </P></BODY></HTML> Tue, 08 Jan 2013 18:19:45 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6899#M5082 jvalentine 2013-01-08T18:19:45Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6900#M5083 <HTML><HEAD></HEAD><BODY><P>However shouldnt it work if you just copy the &lt;rulebase&gt; ... &lt;/rulebase&gt; stuff?</P><P></P><P>I mean:</P><P></P><P>1) Open the archived config in your VM and make the changes.</P><P></P><P>2) Save the config and export it (lets call it modified.xml).</P><P></P><P>3) Open modified.xml in a texteditor and copy the stuff in between &lt;rulebase&gt; ... &lt;/rulebase&gt; and insert that into a copy of the archived config in 1) above.</P><P></P><P>And perhaps other xml-blocks aswell (like application-groups etc).</P></BODY></HTML> Tue, 08 Jan 2013 18:29:53 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6900#M5083 mikand 2013-01-08T18:29:53Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6901#M5084 <HTML><HEAD></HEAD><BODY><P>Sorry, but i have a question . How can it get VM-Series Firewall , just like ISO file or somthing like that in order to simulate PANOS . My company is partner of Palo Anto. Thank for helping me.</P></BODY></HTML> Thu, 28 Feb 2013 00:45:32 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6901#M5084 MinhTuan 2013-02-28T00:45:32Z https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6902#M5085 <HTML><HEAD></HEAD><BODY><P>Minh, You would need to purchase the VM firewall, just like any other piece of hardware/software. Please have your company submit a purchase order through whatever normal process they would to purchase the VM firewall. You would not want to download the FW without having a license or support attached to it. Steve</P></BODY></HTML> Thu, 28 Feb 2013 01:05:25 GMT https://live.paloaltonetworks.com/t5/general-topics/using-vm-firewall-as-quot-offline-quot-configuration-management/m-p/6902#M5085 scantwell 2013-02-28T01:05:25Z