If you have been following along with the posts so far, you will know that we are using Vagrant to help automate the provision of VNFs within VirtualBox.
Vagrant uses “Box” files as a template to spin up multiple copies of a Virtual Machine (VM). To re-use this Palo Alto VM-Series, we need to convert it into a re-usable Box image.
Box files have a few requirements that should be applied to the VM to operate correctly. These are:
- The first interface (management) is set to get its address from DHCP.
- There is a user called vagrant configured with a password of “vagrant”.
- Vagrant must be able to SSH to the VM.
- There is a default SSH key applied to the “vagrant” user.
So, let’s configure these settings on our newly created firewall. Fortunately for us, DHCP is already set on the management interface, so let’s go straight to configuring the “vagrant” user. We need to start by disabling the default password complexity. Then we can configure a user called “vagrant” with a password of “vagrant”.
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM# set mgt-config password-complexity enabled no
[edit]
admin@PA-VM# commit
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
......98%..............100%
Configuration committed successfully
[edit]
admin@PA-VM# set mgt-config users vagrant password
Enter password :
Confirm password :
[edit]
admin@PA-VM# set mgt-config users vagrant permissions role-based superuser yes
[edit]
admin@PA-VM# commit
Commit job 3 is in progress. Use Ctrl+C to return to command prompt
.......98%............100%
Configuration committed successfully
[edit]
admin@PA-VM# exit
Exiting configuration mode
admin@PA-VM>
Open up a WSL2 terminal (either in Windows Terminal, VSCode or by searching “Ubuntu” in the Start menu) and try SSHing to the firewall (if asked to trust the host, type “yes”):
nfvdev@ubuntu:/mnt/c/Users/nfvdev$ ssh vagrant@192.168.56.109
The authenticity of host '192.168.56.109 (192.168.56.109)' can't be established.
RSA key fingerprint is SHA256:Y65FaU3GubFIk0tzCqm6ra/QUl4Yk1FOroEFiEDPLAw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.109' (RSA) to the list of known hosts.
Password:
Number of failed attempts since last successful login: 0
vagrant@PA-VM>
Now that we are logged in as the “vagrant” user, we have no need for the “admin” user, so we can delete it.
vagrant@PA-VM> configure
Entering configuration mode
[edit]
vagrant@PA-VM# delete mgt-config users admin
[edit]
vagrant@PA-VM# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
.......98%...........100%
Configuration committed successfully
[edit]
Finally, we should add the Vagrant default SSH key to the vagrant user so we can log in without a password. The Vagrant default SSH key can be found at https://github.com/hashicorp/vagrant/blob/master/keys/vagrant.pub. For Palo Alto, we need to convert the SSH key into a Base64-encoded version and paste that in instead.
Note: This is very insecure and should not be used in a production environment.
vagrant@PA-VM# set mgt-config users vagrant public-key <base64-encoded contents of vagrant.pub>
[edit]
vagrant@PA-VM# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
.....98%.............100%
Configuration committed successfully
[edit]
vagrant@PA-VM# exit
Exiting configuration mode
vagrant@PA-VM>
Great, that should be it. Let’s test it out.
nfvdev@ubuntu:/mnt/c/Users/nfvdev$ ssh -i ~/.vagrant.d/insecure_private_key vagrant@192.168.56.109
Last login: Sun Feb 27 02:25:48 2022 from 192.168.56.1
Number of failed attempts since last successful login: 0
vagrant@PA-VM>
Awesome, we logged into the Palo Alto without a password using the Vagrant insecure private key.
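The Base64 step from the key-installation section above, as an added example (this is not code from the original post): a small Python helper that checks a public-key line is well formed, prints its SHA256 fingerprint in the same format that ssh-keygen -lf uses, and emits the PAN-OS "set mgt-config users ... public-key" command with the whole line Base64-encoded, which is what PAN-OS expects. The sample key is constructed for the demonstration and is not a real key; the function names are the example's own.

```python
"""Build the PAN-OS public-key command for a user from an OpenSSH public key.
Added example, not from the original post. PAN-OS wants the entire
'type blob comment' line Base64-encoded as the value of
'set mgt-config users <user> public-key'."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length prefix followed by the bytes.
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str) -> tuple:
    """Split 'type base64blob [comment]' and verify that the type named in the
    text matches the type embedded in the binary blob. This catches truncated
    or mangled pastes before they are committed on the firewall."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode("ascii")
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {inner_type}")
    return key_type, blob, comment


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded Base64 of SHA-256(blob),
    so the value can be compared with what ssh-keygen -lf prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def panos_public_key_command(line: str, user: str = "vagrant") -> str:
    """Configure-mode command that installs the key for `user` on PAN-OS."""
    parse_openssh_pubkey(line)  # raise on malformed input before encoding it
    encoded = base64.b64encode(line.strip().encode("ascii")).decode("ascii")
    return f"set mgt-config users {user} public-key {encoded}"


def panos_public_key_line(command: str) -> str:
    """Inverse of panos_public_key_command: recover the public-key line from
    the command, useful when auditing what a firewall actually has configured."""
    encoded = command.rsplit(" ", 1)[1]
    return base64.b64decode(encoded).decode("ascii")


# Constructed sample key for the demonstration: a syntactically valid
# ssh-ed25519 public key whose 32-byte public value is just 0x01..0x20.
# It is NOT a real key and has no private key behind it.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " lab-only"

if __name__ == "__main__":
    key_type, blob, comment = parse_openssh_pubkey(SAMPLE_PUBKEY)
    print(f"{key_type} {sha256_fingerprint(blob)} {comment}")
    print(panos_public_key_command(SAMPLE_PUBKEY))
```

Pointing this at a key you generated yourself with ssh-keygen, rather than at the shared Vagrant key, keeps the passwordless shortcut out of anything beyond a throw-away lab; Vagrant's config.ssh.private_key_path setting then tells "vagrant ssh" which private key to use.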
Ok, now it’s time to package everything up into a reusable Box file. Exit out of the firewall and run “vagrant package --base <name_of_vm> --output <name_of_output_file>.box”:
nfvdev@ubuntu:/mnt/c/Users/nfvdev$ export VAGRANT_HOME="/mnt/c/Users/nfvdev/.vagrant.d"
nfvdev@ubuntu:/mnt/c/Users/nfvdev$ vagrant package --base pa-10.0.4 --output pa-10.0.4.box
==> pa-10.0.4: Attempting graceful shutdown of VM...
pa-10.0.4: Guest communication could not be established! This is usually because
pa-10.0.4: SSH is not running, the authentication information was changed,
pa-10.0.4: or some other networking issue. Vagrant will force halt, if
pa-10.0.4: capable.
==> pa-10.0.4: Forcing shutdown of VM...
==> pa-10.0.4: Exporting VM...
==> pa-10.0.4: Compressing package to: /mnt/c/Users/nfvdev/pa-10.0.4.box
nfvdev@ubuntu:/mnt/c/Users/nfvdev$ export VAGRANT_HOME="~/.vagrant.d"
This creates a file called pa-10.0.4.box for us to reuse. We can then test the box image by creating a Vagrantfile with the following contents. The entire file available at: https://github.com/nfvdev/nfvdev-blog/blob/main/09-how-to-create-a-paloalto-vm-series-box-image/single/Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
  config.ssh.insert_key = false # By default, Vagrant tries to replace the insecure SSH key with a freshly generated one. That won't work here because it does not know how to do so on PAN-OS.
  config.vm.box = "pa-10.0.4.box" # Use the Palo Alto box image
  config.vm.synced_folder '.', '/vagrant', disabled: true # Disable shared folders
  config.vm.guest = :linux # Tell Vagrant that it is Linux so it doesn't error
  config.vm.boot_timeout = 900 # Palo Alto takes a while to boot up.
end
And then type “vagrant up” to spin up the VM.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'pa-10.0.4.box'...
==> default: Matching MAC address for NAT networking...
==> default: Setting the name of the VM: NFVs_default_1645959358601_94220
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 172.23.80.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
default: Warning: Connection reset. Retrying...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
default: No guest additions were detected on the base box for this VM! Guest
default: additions are required for forwarded ports, shared folders, host only
default: networking, and more. If SSH fails on this machine, please install
default: the guest additions and repackage the box to continue.
default:
default: This is not an error message; everything may continue to work properly,
default: in which case you may ignore this message.
Finally, we can check that Vagrant can SSH into the newly created firewall:
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant ssh default
Last login: Sun Feb 27 03:02:32 2022 from 10.0.2.2
Number of failed attempts since last successful login: 0
vagrant@PA-VM> exit
Connection to 172.23.80.1 closed.
We can destroy the VM with “vagrant destroy” and remove our template VM.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant destroy
default: Are you sure you want to destroy the 'default' VM? [y/N] y
==> default: Forcing shutdown of VM...
==> default: Destroying VM and associated drives...
Palo Alto VM-Series Vagrant Mini-Lab
Now that we have our VM-Series Box file created, we can use it in a mini-lab. This will set up 2 VM-Series firewalls connected back to back and do some ping tests between them.
- In an empty folder, create a Vagrantfile with the contents from https://github.com/nfvdev/nfvdev-blog/blob/main/09-how-to-create-a-paloalto-vm-series-box-image/minilab/Vagrantfile
- Spin up the VMs with “vagrant up” – this will take a while!
- SSH to paloalto1 with “vagrant ssh paloalto1” and configure it with the commands from https://github.com/nfvdev/nfvdev-blog/blob/main/09-how-to-create-a-paloalto-vm-series-box-image/minilab/paloalto1.cfg
- SSH to paloalto2 with “vagrant ssh paloalto2” and configure it with the commands from https://github.com/nfvdev/nfvdev-blog/blob/main/09-how-to-create-a-paloalto-vm-series-box-image/minilab/paloalto2.cfg
- From paloalto2 check connectivity with ping and OSPF commands.
- Destroy the lab with “vagrant destroy -f”
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant up
Bringing machine 'paloalto1' up with 'virtualbox' provider...
Bringing machine 'paloalto2' up with 'virtualbox' provider...
==> paloalto1: Importing base box 'pa-10.0.4.box'...
==> paloalto1: Matching MAC address for NAT networking...
==> paloalto1: Setting the name of the VM: minilab_paloalto1_1645978251146_75305
==> paloalto1: Clearing any previously set network interfaces...
==> paloalto1: Preparing network interfaces based on configuration...
paloalto1: Adapter 1: nat
paloalto1: Adapter 2: intnet
paloalto1: Adapter 3: intnet
==> paloalto1: Forwarding ports...
paloalto1: 22 (guest) => 2222 (host) (adapter 1)
paloalto1: 22 (guest) => 2222 (host) (adapter 1)
==> paloalto1: Booting VM...
==> paloalto1: Waiting for machine to boot. This may take a few minutes...
paloalto1: SSH address: 172.23.80.1:2222
paloalto1: SSH username: vagrant
paloalto1: SSH auth method: private key
paloalto1: Warning: Connection reset. Retrying...
==> paloalto1: Machine booted and ready!
==> paloalto1: Checking for guest additions in VM...
paloalto1: No guest additions were detected on the base box for this VM! Guest
paloalto1: additions are required for forwarded ports, shared folders, host only
paloalto1: networking, and more. If SSH fails on this machine, please install
paloalto1: the guest additions and repackage the box to continue.
paloalto1:
paloalto1: This is not an error message; everything may continue to work properly,
paloalto1: in which case you may ignore this message.
==> paloalto2: Importing base box 'pa-10.0.4.box'...
==> paloalto2: Matching MAC address for NAT networking...
==> paloalto2: Setting the name of the VM: minilab_paloalto2_1645978783598_87925
==> paloalto2: Fixed port collision for 22 => 2222. Now on port 2200.
==> paloalto2: Clearing any previously set network interfaces...
==> paloalto2: Preparing network interfaces based on configuration...
paloalto2: Adapter 1: nat
paloalto2: Adapter 2: intnet
paloalto2: Adapter 3: intnet
==> paloalto2: Forwarding ports...
paloalto2: 22 (guest) => 2200 (host) (adapter 1)
paloalto2: 22 (guest) => 2200 (host) (adapter 1)
==> paloalto2: Booting VM...
==> paloalto2: Waiting for machine to boot. This may take a few minutes...
paloalto2: SSH address: 172.23.80.1:2200
paloalto2: SSH username: vagrant
paloalto2: SSH auth method: private key
paloalto2: Warning: Connection reset. Retrying...
==> paloalto2: Machine booted and ready!
==> paloalto2: Checking for guest additions in VM...
paloalto2: No guest additions were detected on the base box for this VM! Guest
paloalto2: additions are required for forwarded ports, shared folders, host only
paloalto2: networking, and more. If SSH fails on this machine, please install
paloalto2: the guest additions and repackage the box to continue.
paloalto2:
paloalto2: This is not an error message; everything may continue to work properly,
paloalto2: in which case you may ignore this message.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant ssh paloalto1
Last login: Sun Feb 27 08:18:38 2022
Number of failed attempts since last successful login: 0
vagrant@PA-VM> configure
Entering configuration mode
[edit]
vagrant@PA-VM# set deviceconfig system hostname paloalto1
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set network profiles interface-management-profile ALLOW-PING ping yes
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 comment External
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 link-state up
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 layer3 ip 10.100.12.1/24
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 layer3 interface-management-profile ALLOW-PING
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 comment Internal
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 link-state up
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 layer3 ip 10.100.1.1/24
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 layer3 interface-management-profile ALLOW-PING
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set import network interface ethernet1/1
[edit]
vagrant@PA-VM# set import network interface ethernet1/2
[edit]
vagrant@PA-VM# set network virtual-router default interface ethernet1/1
[edit]
vagrant@PA-VM# set network virtual-router default interface ethernet1/2
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf router-id 10.100.12.1
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf enable yes
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 0.0.0.0 type normal
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1 enable yes
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 1.1.1.1 type normal
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 1.1.1.1 interface ethernet1/2 enable yes
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 1.1.1.1 interface ethernet1/2 passive yes
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set zone EXTERNAL network layer3 ethernet1/1
[edit]
vagrant@PA-VM# set zone INTERNAL network layer3 ethernet1/2
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL to any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL from any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL source any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL destination any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL source-user any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL category any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL application any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL service application-default
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL source-hip any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL destination-hip any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL action allow
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
........55%70%98%...............100%
Configuration committed successfully
[edit]
vagrant@paloalto1# exit
Exiting configuration mode
vagrant@paloalto1> exit
Connection to 172.23.80.1 closed.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant ssh paloalto2
Last login: Sun Feb 27 08:18:38 2022
Number of failed attempts since last successful login: 0
vagrant@PA-VM> configure
Entering configuration mode
[edit]
vagrant@PA-VM# set deviceconfig system hostname paloalto2
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set network profiles interface-management-profile ALLOW-PING ping yes
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 comment External
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 link-state up
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 layer3 ip 10.100.12.2/24
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/1 layer3 interface-management-profile ALLOW-PING
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 comment Internal
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 link-state up
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 layer3 ip 10.100.2.2/24
[edit]
vagrant@PA-VM# set network interface ethernet ethernet1/2 layer3 interface-management-profile ALLOW-PING
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set import network interface ethernet1/1
[edit]
vagrant@PA-VM# set import network interface ethernet1/2
[edit]
vagrant@PA-VM# set network virtual-router default interface ethernet1/1
[edit]
vagrant@PA-VM# set network virtual-router default interface ethernet1/2
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf router-id 10.100.12.2
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf enable yes
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 0.0.0.0 type normal
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 0.0.0.0 interface ethernet1/1 enable yes
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 2.2.2.2 type normal
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 2.2.2.2 interface ethernet1/2 enable yes
[edit]
vagrant@PA-VM# set network virtual-router default protocol ospf area 2.2.2.2 interface ethernet1/2 passive yes
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set zone EXTERNAL network layer3 ethernet1/1
[edit]
vagrant@PA-VM# set zone INTERNAL network layer3 ethernet1/2
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL to any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL from any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL source any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL destination any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL source-user any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL category any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL application any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL service application-default
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL source-hip any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL destination-hip any
[edit]
vagrant@PA-VM# set rulebase security rules ALLOW-ALL action allow
[edit]
vagrant@PA-VM#
[edit]
vagrant@PA-VM# commit
Commit job 5 is in progress. Use Ctrl+C to return to command prompt
........55%70%98%...............100%
Configuration committed successfully
[edit]
vagrant@paloalto2# exit
Exiting configuration mode
vagrant@paloalto2> show routing protocol ospf neighbor
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.100.12.1
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 10.100.12.1
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 37
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none
vagrant@paloalto2> ping source 10.100.2.2 host 10.100.1.1
PING 10.100.1.1 (10.100.1.1) from 10.100.2.2 : 56(84) bytes of data.
64 bytes from 10.100.1.1: icmp_seq=1 ttl=64 time=1.69 ms
64 bytes from 10.100.1.1: icmp_seq=2 ttl=64 time=0.955 ms
^C
--- 10.100.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.955/1.326/1.698/0.373 ms
vagrant@paloalto2> exit
Connection to 172.23.80.1 closed.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ vagrant destroy -f
==> paloalto2: Forcing shutdown of VM...
==> paloalto2: Destroying VM and associated drives...
==> paloalto1: Forcing shutdown of VM...
==> paloalto1: Destroying VM and associated drives...
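To make the “show routing protocol ospf neighbor” check above repeatable, here is an added example (not from the original post or the linked repository) that parses that PAN-OS output and verifies each expected neighbor is in state full in the right area, flagging any adjacency that was not expected. The sample text is paloalto2's output shown above; the assumption that each neighbor record begins with its own “neighbor address:” line is the example's own.

```python
"""Parse PAN-OS 'show routing protocol ospf neighbor' output and check it.
Added example, not from the original post. The sample below is the paloalto2
output from the mini-lab session. Assumption: with several neighbors, each
record starts with its own 'neighbor address:' line."""
import re

SAMPLE_OUTPUT = """\
Options: 0x80:reserved, O:Opaq-LSA capability, DC:demand circuits, EA:Ext-Attr LSA capability,
N/P:NSSA option, MC:multicase, E:AS external LSA capability, T:TOS capability
==========
virtual router: default
neighbor address: 10.100.12.1
local address binding: 0.0.0.0
type: dynamic
status: full
neighbor router ID: 10.100.12.1
area id: 0.0.0.0
neighbor priority: 1
lifetime remain: 37
messages pending: 0
LSA request pending: 0
options: 0x42: O E
hello suppressed: no
restart helper status: not helping
restart helper time remaining: 0
restart helper exit reason: none
"""

# 'key: value' where the key is words/spaces/slashes; the lazy quantifier stops
# at the first colon so 'options: 0x42: O E' keeps its full value.
FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")


def parse_ospf_neighbors(text: str) -> list:
    """Return one dict per neighbor record (keys lower-cased); the option
    legend before '==========' is skipped."""
    body = text.split("==========", 1)[1] if "==========" in text else text
    neighbors, current, vrouter = [], None, None
    for raw in body.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "virtual router":
            vrouter = value
            continue
        if key == "neighbor address":
            current = {"virtual router": vrouter}
            neighbors.append(current)
        if current is not None:
            current[key] = value
    return neighbors


def check_adjacencies(text: str, expected: dict) -> list:
    """`expected` maps neighbor router ID -> area id. Returns a list of problem
    strings; an empty list means every expected neighbor is full in the right
    area and nothing unexpected has formed an adjacency with this firewall."""
    seen = {n.get("neighbor router id"): n for n in parse_ospf_neighbors(text)}
    problems = []
    for rid, area in expected.items():
        n = seen.get(rid)
        if n is None:
            problems.append(f"{rid}: no adjacency")
        elif n.get("status", "").lower() != "full":
            problems.append(f"{rid}: state {n['status']}, not full")
        elif n.get("area id") != area:
            problems.append(f"{rid}: in area {n['area id']}, expected {area}")
    for rid in sorted(r for r in set(seen) - set(expected) if r):
        problems.append(f"{rid}: unexpected neighbor")
    return problems


if __name__ == "__main__":
    # paloalto2 should see paloalto1 (router-id 10.100.12.1) in area 0.0.0.0
    for line in check_adjacencies(SAMPLE_OUTPUT, {"10.100.12.1": "0.0.0.0"}) or ["all adjacencies OK"]:
        print(line)
```

An unexpected neighbor is worth the extra check even in a lab: an OSPF adjacency that the firewall was not meant to have means a route source you did not plan for, and the lab configuration above enables OSPF on ethernet1/1 with no authentication, so this is the first place a misconfiguration would show.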