Palo Alto lab in VMware Workstation


L1 Bithead

Hi guys,

I need some help with configuring the network in VMware Workstation and Palo Alto. I tried to build a VMware lab using both Udemy and CBT Nuggets video courses:

The problem is that I can't get my Palo Alto to have access to the Internet. It doesn't matter what type of network adapter I use, NAT or BRIDGE. Below are my network settings:
Network adapter 1 - Vmnet2 (Host-only) for Management interface
Network adapter 2 - Vmnet0 (Bridged) OR Vmnet8 (NAT) for Internet interface
Network adapter 3 - LAN Segment for LAN interface

IP address of my physical WI-FI adapter is 192.168.0.1
IP address of my NAT adapter (Vmnet8) is 192.168.27.1

In Palo Alto:
e1/1 - internet 192.168.0.254 (if Bridged) OR 192.168.27.254 (if NAT)
e1/2 - LAN 172.16.1.1

Could you please help me or share your configuration?

L7 Applicator

Actually it's now some months ago since I last used a VMWare WS Lab but I think I had the same or similar issue.

 

Open the *.vmx file of your vm and check what virtual Device type your network interfaces are:

Search for lines like this:

ethernet1.virtualDev = "vmxnet3"

When I add a new interface to the vm I get the following interface devicetype:

ethernet2.virtualDev = "e1000"

So if you now have all on e1000 try to change them to vmxnet3.

Hi AXI_IIEN_Remo,

 

It's done, so it's not the reason for the issue.

 

Thanks.

To exclude NAT issues, log in to the firewall with the CLI and ping the outside world.

For example, in bridged mode the command is probably this:

ping source 192.168.0.254 host 192.168.0.1

Do you get a reply?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Could you maybe also clarify: Is the problem with the internet access of your PA-VM or are you talking about the internet access from your LAN subnet?

Hi Raido,

 

I tried this command ping source 192.168.0.254 host 192.168.0.1 but still no luck. I get:

ping: unknown host www.google.com

Hi AXI_IIEN_Remo,

 

Unfortunately I have an issue with Internet access from both LAN and PA firewall itself.

Guys, I attached some screenshots. I hope it will shed some light on my problem. Just some information about my network adapters:

custom (vmnet2) - 192.168.128/24 for management

bridged - for Internet (192.168.0.1 - WI-Fi router, 192.168.0.254 - Internet interface)

LAN segment - for LAN

LAN segment - for DMZ

 

pa1.jpg

 

pa3.jpg

 

pa4.jpg

Please, let me know if you would like me to make some other screenshots.

 

Thanks.

Another two screenshots. 

 

pa2.jpg

 

pa5.jpg

Did you really use the command proposed by Raido? Because the output you posted here looks like you tried to ping www.google.com

Sorry guys, just mistyped. So, in my previous post I tried to ping www.google.com. Now I'm trying to ping 192.168.0.1 and I get a response. But why can't I ping the rest of the world, and why can't I ping my router without specifying the source address?

Your issue is that, as you mentioned, your management interface is host-only.

>> Network adapter 1 - Vmnet2 (Host-only) for Management interface

All requests that go out from Palo by default use the management interface.

And as this interface is connected to a host-only network, DNS requests never get out.

You should either configure the management interface into the NAT network or, even better, under

Device > Setup > Services > Service Route Configuration

choose the option "customize" and change DNS requests to go out from the external interface.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
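
The two checks suggested in this thread (the adapter device type in the .vmx file, and a management adapter sitting on a host-only network) can be scripted. This is an added example, not code from any poster, VMware or Palo Alto Networks; the sample .vmx text is constructed, and `parse_adapters`, `pan_name`, `audit` and `hostonly_vnets` are hypothetical names.

```python
import re

# Constructed sample .vmx fragment, laid out like the adapters in this thread.
SAMPLE_VMX = '''
ethernet0.present = "TRUE"
ethernet0.connectionType = "custom"
ethernet0.vnet = "VMnet2"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet1.virtualDev = "vmxnet3"
ethernet2.present = "TRUE"
ethernet2.connectionType = "pvn"
ethernet2.virtualDev = "e1000"
ethernet3.present = "FALSE"
'''

LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"(.*)"\s*$', re.IGNORECASE)

def parse_adapters(vmx_text):
    """Return {adapter index: {lowercased key: value}} for ethernetN.* lines."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = LINE.match(line)
        if m:
            adapters.setdefault(int(m.group(1)), {})[m.group(2).lower()] = m.group(3)
    return adapters

def pan_name(index):
    # Thread's mapping: first adapter = management, later ones = ethernet1/N.
    return "management" if index == 0 else f"ethernet1/{index}"

def audit(vmx_text, hostonly_vnets=("VMnet1",)):
    # hostonly_vnets is a caller-supplied assumption: the .vmx does not say it.
    hostonly = {v.lower() for v in hostonly_vnets}
    findings = []
    for idx, cfg in sorted(parse_adapters(vmx_text).items()):
        if cfg.get("present", "").upper() != "TRUE":
            continue  # adapter defined but not attached to the VM
        dev = cfg.get("virtualdev", "(unset)")
        if dev.lower() != "vmxnet3":
            findings.append((pan_name(idx), f"virtualDev is {dev}, not vmxnet3"))
        conn = cfg.get("connectiontype", "").lower()
        isolated = conn == "hostonly" or (conn == "custom" and cfg.get("vnet", "").lower() in hostonly)
        if idx == 0 and isolated:
            findings.append((pan_name(idx), "host-only: DNS requests cannot "
                             "get out unless the service route is customized"))
    return findings

if __name__ == "__main__": print(audit(SAMPLE_VMX, ("VMnet1", "VMnet2")))
```

Pass the VMnet names that are host-only on your own host in `hostonly_vnets`; a custom VMnet's type is defined in the Virtual Network Editor, so the script cannot read it from the .vmx.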

L3 Networker

+ 1 Raido.

 

Hi Guys,

 

I would use this configuration:

 

On VMware workstation:

 

network adapter = BRIDGED. This is actually your management interface and you don't see it in the network TAB of the device

network adapter 2 = VMnet(X) This is actually your first interface = ethernet1/1

network adapter 3 = VMnet(X) This is actually your first interface = ethernet1/2

network adapter 4 = VMnet(X) This is actually your first interface = ethernet1/3

 

Worked for me 100 times.  Need assistance, let me know. Can do a quick remote session.  

 

Cheers

Hi Raido,

 

Finally, I have my PA working as intended. So, I did exactly as you advised. Now I have:

Vmnet Bridged 192.168.0.10 - for MGMT

Vmnet Bridged 192.168.0.254 - for Internet Interface

Vmnet LAN - 172.16.1.1 - for LAN interface

Vmnet DMZ - 172.16.2.1 - for DMZ interface

 

Thank you very much for your help. 

 

Cheers,

 

4kusnik

It works, thanks for sharing.

  • 1 accepted solution
  • 19140 Views
  • 14 replies
  • 0 Likes