11-03-2018 10:05 PM
Hello,
I would like to ask you regarding PA firewall for Home/Lab. I worked as a network engineer, mostly with Cisco devices in ISP (MPLS, BGP, IPSEC, QinQ), and now I decided to learn new things. Which things can I learn and study with PA200 PAN OS 8.0 without a license? I am trying to find any cheaper devices with a licence but it is impossible for now.
Thank you in advance :):):)
11-04-2018 01:39 AM
Hi @ZEENMC
On Palo Alto firewalls without a license:
1. Security profiles (Anti-Virus, Anti-Spyware, URL Filtering, Wildfire) will not work
2. Clientless GlobalProtect, HIP will not work
3. All the updates will not work (software and dynamic)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloiCAC
You should be able to set up network interfaces & routing, NAT & security rules without problems but not use the above profiles in them. You will also be able to do Application based (layer-7) rules.
You could also go down the VM-series path instead of the older PA-200. The VM will give you better management performance compared to PA-200, but read this about unlicensed VMs:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC
FYI Palo Alto provides a LAB license but I have no idea as to its cost.
Shai
11-05-2018 11:51 AM
Hello,
Contact your sales team for a price for a lab unit. At last check the PA-220 was around $500, but don't quote me on that.
Regards,
11-05-2018 01:27 PM
As @OtakarKlier mentioned you really want to be looking at a LAB unit for something like this. Cheaper hardware and you can license the thing for a minimal amount of money on a yearly basis. A PA-220 (don't go for a 200 at this point) is going to run you $495.99 or less (US Pricing). The license renewal depends a lot on how you are buying it, I would really recommend you reach out to your sales team for accurate pricing on that.
11-12-2018 11:09 PM
Hello @ZEENMC
Quite frankly, it is a solid machine with a good (recommended) PAN-OS version.
Your main issue will be the long commit times on that device, that can take 5 minutes.
If you are new to Palo Alto Firewalls, create a guest account on the learning center:
https://education.paloaltonetworks.com/learningcenter
search for EDU-110, request and view it (~9 hours).
Shai
11-13-2018 12:48 PM
You can also grab one on Azure/AWS.
AWS has a bundle for about US$1/hour that will let you play with most things on the firewall without having to do a dedicated lab. I think Azure is similar, but haven't set it up myself yet.
It might not be exactly what you need, but might be a cheap way to get your feet wet with the platform.
https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314
11-13-2018 08:22 PM
Hello @ShaiW
I managed to configure a few things, still I am looking what is what, and where to find. I have one more firewall, a Juniper SRX 240, and now I am trying to configure basic routing, like Static and OSPF.
This is a big change for me because from what I see till now, the primary way to configure PA devices is the web GUI,
and I have a hard time because I am used to using the console to configure Cisco/Linux devices.
I tried to use the console with my Linux laptop but something is not working properly, the output is not right after I enter commands in the console.
Do you know what can be the issue with console/serial access?
11-14-2018 03:11 AM
Hi
I use the Cyan Cisco cable with putty (set to serial, 9600 baud, no parity, xon/xoff flow control) without any problems.
The console port is a must if you want or need to factory reset a device. Once the device has booted up normally, the serial behaves the same as SSH to the management IP. The management port is dedicated & out-of-band.
In order to set the management IP from serial, issue these commands (change IP as needed):
configure
set deviceconfig system ip-address 10.0.0.254 netmask 255.255.255.0 default-gateway 10.0.0.1 dns-settings servers primary 8.8.8.8
commit
exit (after commit is finished)
Hope this helps,
Shai
11-14-2018 10:28 AM
Hello,
I managed to configure OSPF between Juniper and Palo Alto firewall :), but I am not able to ping PA interfaces from Juniper,
see mac address in ARP table, must be security policy.
I can open another topic regarding this problem.
Is it the same configuration for Cisco and Palo Alto console? I think it is the same, but I am not sure. My console works for Cisco and Juniper without issues. I can open the Palo Alto console, but like I said, when I press enter, I don't have good output, but if I press ? I can see the options properly.
11-15-2018 12:18 PM
By default PAN FW is not accepting traffic destined to any of its data plane interfaces. To be able to ping firewall interfaces, you need to configure an "Interface management profile" - Network -> Network profiles -> interface mgmt -> create new profile allowing ping -> Assign it to the interface you desire (network -> interfaces -> select int -> advanced tab -> management profile)
12-20-2019 07:56 PM
You may want to consider running a PAN VM in a public cloud environment like AWS, Azure or Google Cloud. Pricing is per hour and starts at $0.86/hr
https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314