The next VNF we will create within our lab is the Palo Alto VM-Series Firewall. It is a virtual firewall designed by Palo Alto for use within virtual environments.
Disclaimer: Palo Alto do not support running this firewall on VirtualBox in any shape or form. How I got this to work is quite hacky and was born from technical stubbornness. I would not recommend running the firewall on VirtualBox unless you like a challenge. So with that out the way, let’s begin.
If you just try to download and run the VM-Series firewall on VirtualBox, you will end up at a “PA-HDF” login prompt and won’t be able to login. I suspect when the firewall first boots up, it checks the underlying hardware to see what sort of hypervisor it is running on. As VirtualBox is not supported, the VM does not fully boot.
The plan is to boot the image on Hyper-V first, then take a snapshot of the VM once booted and use that snapshot on VirtualBox. Messy, I know.
Obtaining an Image
If you have access to the Palo Alto Support portal, simply login and download the Hyper-V version of the firewall. It should end in a .vdhx file extension.
If you do not have an account, you can request access to a 30 Day Free trial image here: https://www.paloaltonetworks.com/vm-series-trial. Once you have access, you should end up with a vm-series-trial.zip file. Go ahead and extract the PA-VM-KVM-10.0.4.vm_eval.qcow2 file to a convenient location.
Converting the Image
You only need to do this step if you downloaded the trial qcow2 version. The first thing we need to do is to convert our .qcow2 into a .vhdx file to work with the Windows Hyper-V hypervisor. For the following steps, we need to open up a Linux Terminal and navigate to the location of our QCOW image. For me, it at the following location:
C:\Users\nfvdev\Documents\NFVs\PA-VM-KVM-10.0.4.vm_eval.qcow2In Linux, start by navigating to the folder of the QCOW image:
nfvdev@ubuntu:~$ cd /mnt/c/Users/nfvdev/Documents/NFVs/
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$To convert the image, we will need to install an application called “qemu-utils” (if not already installed):
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ sudo apt-get update
[sudo] password for nfvdev:
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
...
Get:29 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [536 B]
Fetched 7074 kB in 1s (4888 kB/s)
Reading package lists... Done
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ sudo apt-get install qemu-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
ibverbs-providers libboost-iostreams1.71.0 libboost-thread1.71.0 libibverbs1 libiscsi7 libnl-3-200
libnl-route-3-200 librados2 librbd1 librdmacm1 qemu-block-extra sharutils
Suggested packages:
debootstrap sharutils-doc bsd-mailx | mailx
The following NEW packages will be installed:
ibverbs-providers libboost-iostreams1.71.0 libboost-thread1.71.0 libibverbs1 libiscsi7 libnl-3-200
libnl-route-3-200 librados2 librbd1 librdmacm1 qemu-block-extra qemu-utils sharutils
0 upgraded, 13 newly installed, 0 to remove and 26 not upgraded.
Need to get 7118 kB of archives.
After this operation, 33.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libnl-3-200 amd64 3.4.0-1 [53.9 kB]
...
Setting up qemu-utils (1:4.2-3ubuntu6.19) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
/sbin/ldconfig.real: /usr/lib/wsl/lib/libcuda.so.1 is not a symbolic link
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for install-info (6.7.0.dfsg.2-5) ...Now that it is installed, we can convert the file with the following command:
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ qemu-img convert PA-VM-KVM-10.0.4.vm_eval.qcow2 -O vhdx PA-VM-KVM-10.0.4.vm_eval.vhdx
You should now see two files in the folder. Feel free to remove the .qcow2 image now (we can always extract it from the zip or redownload it again).
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ ls -lh
total 17G
-rwxrwxrwx 1 nfvdev nfvdev 2.9G Sep 24 16:48 PA-VM-KVM-10.0.4.vm_eval.qcow2
-rwxrwxrwx 1 nfvdev nfvdev 14G Feb 27 09:14 PA-VM-KVM-10.0.4.vm_eval.vhdx
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ rm PA-VM-KVM-10.0.4.vm_eval.qcow2Installing Hyper-V
This does require Windows 10 Pro.
In the start menu, type “Turn Windows features on or off” and press Enter. Locate the checkbox next to “Hyper-V”, tick it and press OK.
Once complete, this will require a reboot.
Creating the VM in Hyper-V
Now that Hyper-V is installed, we can boot up the VM. From the Start menu, open up “Hyper-V Manager”.
Go to “Action”, “New”, “Virtual Machine…”.
Choose a name for the VM, I will be using “pa-10.0.4”.
On the next screen, leave the default selection of “Generation 1”.
For the memory, input a minimum value of 5632.
For the networking, just select “Default Switch”.
For the Hard Disk, select “Use an existing virtual hard disk”. Browse to your vhdx file and select it.
Then select Finish.
Next, right-click on your virtual machine and go to “Settings…”. Navigate to the Processor tab and increase the number of virtual processors to 2.
Finally, go down to “Checkpoints” and un-tick “Enable checkpoints”.
Click on OK.
Booting the VM in Hyper-V
Right-click the Virtual Machine and press Start. Then do the same thing again and press “Connect…”.
After a while, you will be presented with a vm login prompt. Enter the default credentials of “admin” and “admin”. It will then ask you to change your password. I chose “Test1234!”.
After logging in, you can run “show system info” to see that it has booted correctly.
Now go ahead and power down the VM with the command “request shutdown system”.
Converting the Image part 2
Head back to your Linux Terminal and convert the vhdx file into a VirtualBox VDI file.
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ qemu-img convert PA-VM-KVM-10.0.4.vm_eval.vhdx -O vdi PA-VM-KVM-10.0.4.vm_eval.vdiOnce this is done, you can go back to Hyper-V, right-click on the VM and select “Delete…”.
Then clean up the vhdx file:
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ ls -lh
total 49G
-rwxrwxrwx 1 nfvdev nfvdev 31G Feb 27 09:52 PA-VM-KVM-10.0.4.vm_eval.vdi
-rwxrwxrwx 1 nfvdev nfvdev 18G Feb 27 09:46 PA-VM-KVM-10.0.4.vm_eval.vhdx
nfvdev@ubuntu:/mnt/c/Users/nfvdev/Documents/NFVs$ rm PA-VM-KVM-10.0.4.vm_eval.vhdxUninstalling Hyper-V
In the start menu, type “Turn Windows features on or off” and press Enter. Locate the checkbox next to “Hyper-V”, untick it and press OK. Then Reboot.
Creating the VNF
Open up VirtualBox, click the “New” button and give it a name. I will be using “pa-10.0.4”. Give it a type of “Linux” and a version of “Other (64-bit)”.
For the RAM, again enter a minimum of 5632.
Select “Use an existing virtual hard disk file” for the hard disk, then click the browse button next to it. From here, click “Add” and then browse to your vdi file and confirm it.
After clicking “Create,” you should be back at the main VirtualBox screen. Before booting the Virtual Machine (VM), there are some settings we need to tweak. Make sure the VM is selected, click “Settings”, and go to the “System”, “Processor” tab. Increase the number of processors to 2.
I’m not entirely sure if the next step is needed, but it did seem to help my performance.
Go to the Storage tab. Add a new “SATA (AHCI)” controller. Remove the hard disk from the IDE controller and attach it to the new SATA one.
Finally, go to the Network Tab.
For “Adapter 1”, make sure the “Attached to:” to be “Host-only Adapter” – this will be our Management interface.
I also like to change the “Adapter Type” (which is under Advanced) to “Paravirtualized Network (virtio-net)”.
Now it’s time to start the Virtual Machine. Click “Start”, and it should boot up until you see the login prompt. It will take a while before it lets you login. You can eventually login with “admin” and “admin” – like we did on Hyper-V.
You now have a working Palo Alto VM-Series firewall running in VirtualBox!
