Palo alto FW for home/lab


L1 Bithead

Hello,

 

I would like to ask you about a PA firewall for home/lab. I worked as a network engineer, mostly with Cisco devices at an ISP (MPLS, BGP, IPSEC, QinQ), and now I have decided to learn new things. What can I learn and study with a PA200 on PAN OS 8.0 without a license? I am trying to find cheaper devices with a licence, but it is impossible for now.

Thank you in advance :):):)

 

 

 

11 REPLIES 11

L4 Transporter

Hi @ZEENMC

 

On Palo Alto firewalls without a license:

1. Security profiles (Anti-Virus, Anti-Spyware, URL Filtering, Wildfire) will not work

2. Clientless GlobalProtect, HIP will not work

3. All the updates will not work (software and dynamic)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloiCAC

 

You should be able to set up network interfaces & routing, NAT & security rules without problems but not use the above profiles in them. You will also be able to do Application based (layer-7) rules.

 

You could also go down the VM-series path instead of the older PA-200. The VM will give you better management performance compared to PA-200, but read this about unlicensed VMs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC

 

FYI Palo Alto provides a LAB license but I have no idea as to its cost.

 

Shai

 

Hello,

Contact your sales team for a price for a lab unit. At last check the PA-220 was around $500, but don't quote me on that.

 

Regards,

 

@ZEENMC,

As @OtakarKlier mentioned you really want to be looking at a LAB unit for something like this. Cheaper hardware and you can license the thing for a minimal amount of money on a yearly basis. A PA-220 (don't go for a 200 at this point) is going to run you $495.99 or less (US Pricing). The license renewal depends a lot on how you are buying it, I would really recommend you reach out to your sales team for accurate pricing on that. 

L1 Bithead

Hello Team 🙂

 

I bought one PA-500, with a licence until the end of January 2019. We will see; it has version 8.0.13.
I hope this was a good choice 🙂

What do you think, guys?

Hello @ZEENMC

 

Quite frankly, it is a solid machine with a good (recommended) PAN-OS version.

Your main issue will be the long commit times on that device, that can take 5 minutes.

 

If you are new to Palo Alto Firewalls, create a guest account on the learning center:

https://education.paloaltonetworks.com/learningcenter

search for EDU-110, request and view it (~9 hours).

 

Shai

You can also grab one on Azure/AWS. 

 

AWS has a bundle for about US$1/hour that will let you play with most things on the firewall without having to do a dedicated lab. I think Azure is similar, but haven't set it up myself yet.

 

It might not be exactly what you need, but might be a cheap way to get your feet wet with the platform.

 

https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314

https://azuremarketplace.microsoft.com/en/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Overvi...

 

Hello @ShaiW

 

I managed to configure a few things; I am still finding out what is what and where to find it. I have one more firewall, a Juniper SRX 240, and now I am trying to configure basic routing, like static and OSPF.
This is a big change for me because, from what I have seen so far, the primary way to configure PA devices is the web GUI,
and I have a hard time because I am used to using the console to configure Cisco/Linux devices.
I tried to use the console with my Linux laptop but something is not working properly; the output is not right after I enter commands in the console.

 

Do you know what the issue with console/serial access could be?

Hi

 

I use the Cyan Cisco cable with putty (set to serial, 9600 baud, no parity, xon/xoff flow control) without any problems.

The console port is a must if you want or need to factory reset a device. Once the device has booted up normally, the serial console behaves the same as SSH to the management IP. The management port is dedicated and out-of-band.

 

In order to set the management IP from serial, issue these commands (change IP as needed):

configure

set deviceconfig system ip-address 10.0.0.254 netmask 255.255.255.0 default-gateway 10.0.0.1 dns-setting servers primary 8.8.8.8

commit

exit (after commit is finished)

 

Hope this helps,

Shai

 

Hello,

 

I managed to configure OSPF between the Juniper and the Palo Alto firewall :), but I am not able to ping the PA interfaces from the Juniper.
I can see the MAC address in the ARP table, so it must be security policy.
I can open another topic regarding this problem.

Is the console configuration the same for Cisco and Palo Alto? I think it is the same, but I am not sure. My console works for Cisco and Juniper without issues. I can open the Palo Alto console, but like I said, when I press Enter, I don't get good output, but if I press ? I can see the options properly.

By default the PAN FW does not accept traffic destined to any of its data plane interfaces. To be able to ping the firewall interfaces, you need to configure an "Interface management profile": Network -> Network profiles -> interface mgmt -> create a new profile allowing ping -> assign it to the interface you desire (Network -> Interfaces -> select the interface -> Advanced tab -> Management profile).
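
The same interface management profile can be built from the CLI; this is an added example, not part of the original reply, and the profile name allow-ping, the interface ethernet1/1 and the source subnet 10.0.0.0/24 are assumed placeholders. Lines starting with # are annotations, not commands to type.

```text
configure

# Create a profile that enables ping only; every other service
# (HTTPS, SSH, SNMP, ...) stays disabled on the data plane interface.
set network profiles interface-management-profile allow-ping ping yes

# Assumed lab subnet: only these sources may reach the enabled service.
# Without a permitted-ip entry the profile answers any source address.
set network profiles interface-management-profile allow-ping permitted-ip 10.0.0.0/24

# Attach the profile to the layer 3 interface facing the Juniper
# (assumed to be ethernet1/1).
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-ping

commit
exit
```

Keeping the profile to ping plus a permitted-ip entry limits what the data plane interface exposes; management services such as HTTPS and SSH are better left on the out-of-band management port.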

 

 

L0 Member

You may want to consider running a PAN VM in a public cloud environment like AWS, Azure or Google Cloud. Pricing is per hour and starts at $0.86/hr

 

https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314
