Palo Alto FW for home/lab

L1 Bithead


Hello,

 

I would like to ask you about a PA firewall for home/lab use. I worked as a network engineer, mostly with Cisco devices at an ISP (MPLS, BGP, IPSEC, QinQ), and now I have decided to learn new things. Which things can I learn and study with a PA200 on PAN OS 8.0 without a license? I am trying to find cheaper devices with a licence, but it is impossible for now.

Thank you in advance :):):)

 

 

 

L3 Networker

Hi @ZEENMC

 

On Palo Alto firewalls without a license:

1. Security profiles (Anti-Virus, Anti-Spyware, URL Filtering, WildFire) will not work

2. Clientless GlobalProtect and HIP will not work

3. All the updates will not work (software and dynamic)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloiCAC

 

You should be able to set up network interfaces & routing, NAT & security rules without problems but not use the above profiles in them. You will also be able to do Application based (layer-7) rules.

 

You could also go down the VM-series path instead of the older PA-200. The VM will give you better management performance compared to PA-200, but read this about unlicensed VMs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2mCAC

 

FYI, Palo Alto provides a LAB license, but I have no idea as to its cost.

 

Shai

 

Cyber Elite

Hello,

Contact your sales team for a price for a lab unit. At last check the PA-220 was around $500, but don't quote me on that.

 

Regards,

 

Cyber Elite

@ZEENMC,

As @OtakarKlier mentioned you really want to be looking at a LAB unit for something like this. Cheaper hardware and you can license the thing for a minimal amount of money on a yearly basis. A PA-220 (don't go for a 200 at this point) is going to run you $495.99 or less (US Pricing). The license renewal depends a lot on how you are buying it, I would really recommend you reach out to your sales team for accurate pricing on that. 

L1 Bithead

Hello Team :)

 

I bought one PA-500, with a licence until the end of January 2019. We will see; it has version 8.0.13.
I hope this was a good choice :)

What do you think, guys?

L3 Networker

Hello @ZEENMC

 

Quite frankly, it is a solid machine with a good (recommended) PAN-OS version.

Your main issue will be the long commit times on that device, which can take 5 minutes.

 

If you are new to Palo Alto Firewalls, create a guest account on the learning center:

https://education.paloaltonetworks.com/learningcenter

Search for EDU-110, request it and view it (~9 hours).

 

Shai

L7 Applicator

You can also grab one on Azure/AWS. 

 

AWS has a bundle for about US$1/hour that will let you play with most things on the firewall without having to do a dedicated lab. I think Azure is similar, but haven't set it up myself yet.

 

It might not be exactly what you need, but might be a cheap way to get your feet wet with the platform.

 

https://aws.amazon.com/marketplace/seller-profile?id=0ed48363-5064-4d47-b41b-a53f7c937314

https://azuremarketplace.microsoft.com/en/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Overvi...

 

L1 Bithead

Hello @ShaiW

 

I managed to configure a few things; I am still looking at what is what and where to find things. I have one more firewall, a Juniper SRX 240, and now I am trying to configure basic routing, like static and OSPF.
This is a big change for me because, from what I have seen until now, the primary way to configure PA devices is the web GUI,
and I have a hard time because I used to use the console to configure Cisco/Linux devices.
I tried to use the console with my Linux laptop, but something is not working properly; the output is not right after I enter commands in the console.

 

Do you know what could be the issue with console/serial access?

L3 Networker

Hi

 

I use the cyan Cisco cable with PuTTY (set to serial, 9600 baud, no parity, xon/xoff flow control) without any problems.

The console port is a must if you want or need to factory reset a device. Once the device has booted up normally, the serial console behaves the same as SSH to the management IP. The management port is dedicated and out-of-band.

 

In order to set the management IP from serial, issue these commands (change IP as needed):

configure

set deviceconfig system ip-address 10.0.0.254 netmask 255.255.255.0 default-gateway 10.0.0.1 dns-setting servers primary 8.8.8.8

commit

exit (after commit is finished)

 

Hope this helps,

Shai

 

L1 Bithead

Hello,

 

I managed to configure OSPF between the Juniper and the Palo Alto firewall :), but I am not able to ping the PA interfaces from the Juniper.
I see the MAC address in the ARP table; it must be security policy.
I can open another topic regarding this problem.

Is it the same configuration for the Cisco and Palo Alto console? I think it is the same, but I am not sure. My console works for Cisco and Juniper without issues. I can open the Palo Alto console, but like I said, when I press Enter, I don't get good output, but if I press ? I can see the options properly.
