PA-VM network setting in VirtualBox?

Here is my basic network topology.

1. Linux Client (PC01)
2. Palo Alto Firewall (PA-VM)


Traffic Flow.jpg

Both configured with 2 interfaces enabled in VirtualBox

Adapter 1: Host-only. This is for the out-of-band management interface.
Adapter 2: Internal Network. This is for actual communication between PC01 and PA-VM.

I have no issue at all with Adapter 1 setting. It's working as expected.


user@PC01:~$ ifconfig | grep ad | grep -v 127
eth0      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A1 
          inet addr:  Bcast:  Mask:
eth1      Link encap:Ethernet  HWaddr AA:AA:AA:AA:AA:A2
          inet addr:  Bcast:  Mask:


Ping using Adapter 1


user@PC01:~$ ping -c 3
PING ( 56 data bytes
64 bytes from seq=0 ttl=64 time=0.770 ms
64 bytes from seq=1 ttl=64 time=0.554 ms
64 bytes from seq=2 ttl=64 time=0.855 ms

--- ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.554/0.726/0.855 ms

Ping using Adapter 2


user@PC01:~$ ping -c 3    
PING ( 56 data bytes

--- ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

tcpdump from Adapter 2 test


tcpdump output from PC01 shows that the VM firewall is completely unreachable even though they're (supposed to be) connected back to back in the same network segment.


user@PC01:~$ sudo tcpdump -i any net 10.1.1 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
21:49:38.979460 ARP, Request who-has tell, length 28
21:49:39.981377 ARP, Request who-has tell, length 28
21:49:40.985748 IP > ICMP host unreachable, length 92
21:49:40.985763 IP > ICMP host unreachable, length 92
21:49:40.985766 IP > ICMP host unreachable, length 92

Incomplete ARP on eth1 shows the packet actually doesn't reach PA-VM at all


user@PC01:~$ arp -i eth1
? ( at <incomplete>  on eth1

I also notice that the MAC address on PA-VM (ethernet1/1 = zz:zz:zz:zz:zz:z1) doesn't match what I have in the ARP table on PC01 (incomplete). The one that I set in VirtualBox was AA:AA:AA:AA:AA:A2, not ZZ:ZZ:ZZ:ZZ:ZZ:Z1.


admin@PA-VM> show interface all 

total configured hardware interfaces: 1

name                    id    speed/duplex/state        mac address       
ethernet1/1             16    1000/full/up              zz:zz:zz:zz:zz:z1 

aggregation groups: 0

total configured logical interfaces: 1

name                id    vsys zone             forwarding               tag    address           
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1                     N/A                      0     


This explains why I cannot ping using the secondary interface (Adapter 2) at all. Seems like there is a Layer 1 problem.


For the record, I was able to use the same VirtualBox setting on 2 Linux guests. May I know why the same setting doesn't work on PA-VM? Any idea how to make Layer 1 communication successful in VirtualBox?


This is the screenshot of my VirtualBox network setting.

Network.jpg, Adapter 1.jpg, Adapter 2.jpg


