Using VM firewall as "offline" configuration management for ALL models of PAN devices?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using VM firewall as "offline" configuration management for ALL models of PAN devices?

L4 Transporter

Group

I am pretty sure it can be done (have not tested), but I thought maybe a SE or partner could test and confirm, or provide warnings/pitfalls.

I am thinking that if I offloaded a copy of a customer's FW, for archival purposes and then needed to make changes, when I am not at the customer site, that I could just load their configuration into my blank VM version of the PA FW, and then "see" their configuration in the UI, all rules, policies, etc.

I could make changes to the offline version, on behalf of my customer, and then either commit it when I am onsite, or perhaps securely send the configuration to them, and they could load it.

I am sure there are a lot of holes in this concept/thought.  I am just thinking that perhaps the VM version of the FW could a stepping stone to a remote/offline configuration utility application, which a partner/SE could pre-configure a customer's FW before going onsite (or even before a demo).  Imagine the amount of time savings this could be.

Again, I am not sure if the VM could emulate a all hardware platforms, but I wanted to get a response from the community, and if there was enough support, maybe Palo Alto Networks would consider this.

Please provide your feedback.

1 accepted solution

Accepted Solutions

Firewall features not available in VM Series Firewall as of 5.0:

- Jumbo Frames

- Link Aggregation

- A/A High Availability

- A/P High Availability (with session Sync)

One quick note, the VM Series supports HA-Lite (A/P w/o session sync) just like the PA200. 

Some other things to keep in mind:  The VM Series firewall supports 10 Ethernet interfaces (one of them reserved for management), and no dedicated "HA" ports.  To move configs between VM Series & hardware devices, be sure that the only interfaces referenced are ethernet1/1 to ethernet1/9, along with the management port.  This means if you plan on exporting to a PA200, only use ports e1/1 to e1/4 in the VM Series.  And if you plan on exporting to a PA5020, you'll only be able to stage/configure ports e1/1 to e1/9 on the VM Series and any other interface configuration will have to be done on the PA5020 "after-the-fact".  This is no different than if you used a PA200 to stage a config for a PA5060. 

Finally, since the VM Series is supported starting with 5.0, all configs created/modified by the VM Series will be in the 5.0 format.  This will likely cause issues if you try to import one of these configs into a hardware device running a previous version of PAN-OS (4.0.x, 4.1.x, etc.).  This is no different than if you were to stage a config on a hardware device running 5.0 and attempt to import on a similar hardware device running 4.1. 

All-in-all, I am quite impressed with the VM Series.  Other than the few features that are not supported, it is a full implementation of PAN-OS. 

View solution in original post

6 REPLIES 6

L6 Presenter

I do not think you can simulate any hardware platforms with a VM firewall. Vm-firewall does not implement all the features supported by all the platforms. For example HA; VM does not support Active/Active HA. So loading an Active/Active config from a 5000 platform on to VM firewall not sure what will be the result.

Sandeep T

Agreed and thanks for the fast response.  That is why I was bringing it to the Community.  I am wondering just how much could be possibly be configured.

We know HA would not work, Aggregrate Ports would not work.

What other items would not work?

I bet a PA200 could be configured and its config imported into a VM FW.

Need lots of response and we can then generate a working list of what CAN/CANT be done.

Firewall features not available in VM Series Firewall as of 5.0:

- Jumbo Frames

- Link Aggregation

- A/A High Availability

- A/P High Availability (with session Sync)

One quick note, the VM Series supports HA-Lite (A/P w/o session sync) just like the PA200. 

Some other things to keep in mind:  The VM Series firewall supports 10 Ethernet interfaces (one of them reserved for management), and no dedicated "HA" ports.  To move configs between VM Series & hardware devices, be sure that the only interfaces referenced are ethernet1/1 to ethernet1/9, along with the management port.  This means if you plan on exporting to a PA200, only use ports e1/1 to e1/4 in the VM Series.  And if you plan on exporting to a PA5020, you'll only be able to stage/configure ports e1/1 to e1/9 on the VM Series and any other interface configuration will have to be done on the PA5020 "after-the-fact".  This is no different than if you used a PA200 to stage a config for a PA5060. 

Finally, since the VM Series is supported starting with 5.0, all configs created/modified by the VM Series will be in the 5.0 format.  This will likely cause issues if you try to import one of these configs into a hardware device running a previous version of PAN-OS (4.0.x, 4.1.x, etc.).  This is no different than if you were to stage a config on a hardware device running 5.0 and attempt to import on a similar hardware device running 4.1. 

All-in-all, I am quite impressed with the VM Series.  Other than the few features that are not supported, it is a full implementation of PAN-OS. 

However shouldnt it work if you just copy the <rulebase> ... </rulebase> stuff?

I mean:

1) Open the archived config in your VM and make the changes.

2) Save the config and export it (lets call it modified.xml).

3) Open modified.xml in a texteditor and copy the stuff in between <rulebase> ... </rulebase> and insert that into a copy of the archived config in 1) above.

And perhaps other xml-blocks aswell (like application-groups etc).

L0 Member

Sorry, but i have a question . How can it get VM-Series Firewall , just like ISO file or somthing like that in order to simulate PANOS . My company is partner of Palo Anto. Thank for helping me.

Minh, You would need to purchase the VM firewall, just like any other piece of hardware/software. Please have your company submit a purchase order through whatever normal process they would to purchase the VM firewall. You would not want to download the FW without having a license or support attached to it. Steve

  • 1 accepted solution
  • 3804 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!