Overall Summary of Installing and Configuring Palo Alto VM-Series Software Firewall 10.0.4 in Ubuntu Desktop 22.04.5 LTS KVM Host

Author: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date: 31 Mar 2025 Monday

DETAILED INSTRUCTIONS
=======================

Download and install Ubuntu Desktop 22.04.5 LTS on a hardware appliance with 3 or 4 network interface cards.

Please *DO NOT* install and run openssh-server, as Advanced Persistent Threat (APT) hackers may use this avenue to hack into your Ubuntu KVM host.

On the morning of 30 March 2025 Sunday, Advanced Persistent Threat (APT) hackers hacked into my previous installation of the Ubuntu KVM host and changed my netplan configuration. The APT hackers removed all the network interfaces from the network bridges. I have since erased and reinstalled my Ubuntu Desktop 22.04.5 LTS KVM host.

Install KVM and Dependencies
===============================

Run the following commands to install KVM, Virt-Manager, and their dependencies:

sudo apt update && sudo apt upgrade -y

sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager

Verify that KVM acceleration is available (kvm-ok is provided by the cpu-checker package, which you may need to install first):

sudo kvm-ok

INFO: /dev/kvm exists
KVM acceleration can be used

Start and enable the libvirt service:

sudo systemctl enable --now libvirtd

Download and Prepare the QCOW2 Image
========================================

Download the Palo Alto VM-Series software firewall QCOW2 image from Palo Alto Networks.

The filename of my image is PA-VM-KVM-10.0.4.vm_eval.qcow2.

Copy the image to the KVM images directory:

sudo cp PA-VM-KVM-10.0.4.vm_eval.qcow2 /var/lib/libvirt/images/

Adjust file permissions:

sudo chown libvirt-qemu:kvm /var/lib/libvirt/images/PA-VM-KVM-10.0.4.vm_eval.qcow2

sudo chmod 644 /var/lib/libvirt/images/PA-VM-KVM-10.0.4.vm_eval.qcow2

Configuring Multiple Interfaces for the Palo Alto VM-Series software firewall
==============================================================================

To configure *multiple interfaces* for the Palo Alto VM-Series firewall on Ubuntu KVM, follow these steps:

Identify Network Interfaces
================================

First, determine the network interfaces available on your KVM host using:

ip link show

You'll need at least:

    1 interface for management

    1 or more interfaces for data traffic (inside, outside, DMZ, etc.)
    
Create Network Bridges
=====================================

If you want the Palo Alto firewall's interfaces to sit on different physical networks, create one Linux bridge per physical NIC.

Install bridge utilities (already installed by the apt command above; safe to repeat):

sudo apt install bridge-utils

Configure bridges in Netplan (/etc/netplan/01-netcfg.yaml):

sudo nano /etc/netplan/01-netcfg.yaml

My netplan configuration:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: no
    enp2s0:
      dhcp4: no
    enp3s0:
      dhcp4: no
    enp4s0:
      dhcp4: no
  bridges:
    br0:
      interfaces: [enp1s0]
      dhcp4: yes
    br1:
      interfaces: [enp2s0]
      dhcp4: no
    br2:
      interfaces: [enp3s0]
      dhcp4: no
    br3:
      interfaces: [enp4s0]
      dhcp4: no

Restrict the file permissions (netplan warns when the configuration file is readable by other users):

cd /etc/netplan

sudo chmod 600 01-netcfg.yaml

Apply changes:

sudo netplan apply

sudo brctl show

bridge name    bridge id        STP enabled    interfaces
br0        8000.da16c5ba83c0    yes        enp1s0
br1        8000.2a1de38524c1    yes        enp2s0
br2        8000.2ac0bc028fe3    yes        
br3        8000.4eb2b8fe7743    yes        
virbr0        8000.525400f9e6d6    yes    

Reboot the Ubuntu KVM host.

sudo reboot

Create a Virtual Machine Using Virt-Manager (GUI)
=====================================================

Use the following guide.

Guide: VM-Series Deployment Guide: Provision the VM-Series Firewall on a KVM Host
Link: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-kvm/install-the-vm-series-firewall-on-kvm/install-the-vm-series-firewall-using-virt-manager/provision-the-vm-series-firewall-on-a-kvm-host

Start the Virtual Machine Manager (GUI).

sudo virt-manager

Configure the Palo Alto firewall virtual machine as per the guide above.

You need to set the date of the PA-VM 10.0.4 virtual machine to 12 Sep 2021, which is 111833956 seconds ago. Note that the adjustment is a fixed offset in seconds from the host's UTC clock, so the value must be recomputed for the day you edit the VM.

Edit the domain definition and replace its <clock> element with the following:

sudo virsh edit PA-VM-KVM-10.0.4

  <clock offset='variable' adjustment='-111833956' basis='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
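Because the adjustment is relative to the host clock, a hard-coded number goes stale. The following added script (not part of the original post; the domain XML sample is constructed) rewrites the <clock> element of a dumped domain definition so the guest boots at a chosen date:

```python
"""Recompute the libvirt <clock adjustment='...'> for a chosen guest boot date.
Added example, not from the original post. libvirt applies `adjustment` as a fixed
offset in seconds from the host's UTC clock, so the number must be recomputed on
the day the domain is edited; this does that against the domain XML.
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed minimal domain XML carrying the <clock> element from the post.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <clock offset='variable' adjustment='-111833956' basis='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>
</domain>
"""

def _utc(value):
    """Accept an ISO date/datetime string or a datetime; return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)

def adjustment_seconds(target, now):
    """Signed seconds to add to host UTC so the guest sees `target` (negative = past)."""
    return int((_utc(target) - _utc(now)).total_seconds())

def set_guest_date(domain_xml, target, now=None):
    """Return domain XML whose <clock> makes the guest boot at `target`; keeps <timer> children."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(domain_xml)
    clock = root.find("clock")
    if clock is None:
        clock = ET.SubElement(root, "clock")
    clock.set("offset", "variable")
    clock.set("basis", "utc")
    clock.set("adjustment", str(adjustment_seconds(target, now)))
    return ET.tostring(root, encoding="unicode")

def clock_adjustment(domain_xml):
    """Read the adjustment back out of a domain XML (None if there is no <clock>)."""
    clock = ET.fromstring(domain_xml).find("clock")
    return None if clock is None else int(clock.get("adjustment", "0"))

if __name__ == "__main__":
    # Live use: virsh dumpxml PA-VM-KVM-10.0.4 | python3 clock_fix.py > pa-vm.xml && sudo virsh define pa-vm.xml
    print(set_guest_date(sys.stdin.read(), "2021-09-12"))
```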

Start the virtual machine in Virtual Machine Manager (GUI).

sudo brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.da16c5ba83c0    yes        enp1s0
                            vnet4
br1        8000.2a1de38524c1    yes        enp2s0
                            vnet5
br2        8000.2ac0bc028fe3    yes        vnet6
br3        8000.4eb2b8fe7743    yes        vnet7
virbr0        8000.525400f9e6d6    yes

You MUST wait for the PA-HDF login prompt to change to the PA-VM login prompt. The waiting time is usually around 10 minutes.

Open your web browser and access the Palo Alto VM-Series firewall web login page at https://<IP address>, where <IP address> is the address of the firewall's management interface.

Log in with the default username and password of admin/admin.

Change the admin password immediately.

Configuring the Palo Alto VM-Series Software Firewall
======================================================

Use the following two guides.

Guide 1: Example Configuration for Palo Alto Network VM-Series in GCP
Link: https://docs.aviatrix.com/documentation/latest/security/paloalto-vmseries-gcp.html

Guide 2: Setting up a Palo Alto Networks Firewall for the First Time
Link: https://rowelldionicio.com/setting-up-palo-alto-networks-firewall-first-time/

Please note that Guide 2 is more detailed and comprehensive.

Outstanding Issues / Issues Pending to be Resolved
===================================================

As of 31 Mar 2025 Monday at 4.34 PM, when I connect my laptop to Port 2 on my hardware appliance, which is mapped to network bridge br1, which is in turn mapped to ethernet1/2 (LAN) in the Palo Alto VM-Series software firewall, there is still no network connectivity at all. I can't get an IP address from the Palo Alto firewall DHCP server and I can't ping the LAN gateway 192.168.1.1 at all.

Currently the network bridge mapping is:

br0 => ethernet1/1 (WAN)
br1 => ethernet1/2 (LAN)

Perhaps there could be issues with Port 2 on my hardware appliance, or the network bridge br1 may not be working properly. I have flushed all the iptables firewall rules on the Ubuntu KVM host and there is still no network connectivity between my laptop and Port 2 on the hardware appliance.

I suspect I could have done the network bridge mapping wrongly and this could turn out to be the real scenario:

br0 - MANAGEMENT - ethernet1/1
br1 - WAN - ethernet1/2 (untrust, outside)
br2 - LAN - ethernet1/3 (trust, inside)

If I have done the network bridge mapping wrongly, I will have to configure the Palo Alto VM-Series firewall all over again.
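One way to confirm which bridge feeds which VM-Series interface before reconfiguring anything, as an added example that is not part of the original post: it assumes the VM-Series KVM convention that the first NIC in the domain definition is the management interface and the following NICs become ethernet1/1, ethernet1/2, and so on, in `virsh domiflist` order. The domiflist output below is a constructed sample.

```python
"""Check which Linux bridge feeds which VM-Series interface.
Added example, not from the original post. Assumes the VM-Series KVM convention
that the first NIC in the domain definition is the management interface and the
following NICs become ethernet1/1, ethernet1/2, ... in `virsh domiflist` order.
"""
import subprocess

# Constructed sample of `virsh domiflist PA-VM-KVM-10.0.4` output (four NICs on
# br0..br3, matching the bridges in the post); not captured from a real host.
SAMPLE_DOMIFLIST = """\
 Interface   Type     Source   Model    MAC
-------------------------------------------------------
 vnet4       bridge   br0      virtio   52:54:00:00:00:01
 vnet5       bridge   br1      virtio   52:54:00:00:00:02
 vnet6       bridge   br2      virtio   52:54:00:00:00:03
 vnet7       bridge   br3      virtio   52:54:00:00:00:04
"""

def parse_domiflist(text):
    """Return [(vnet, source)] for each NIC row, in the order libvirt lists them."""
    nics = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 5 columns; Type is 'bridge' (Linux bridge) or 'network' (libvirt network such as virbr0)
        if len(fields) == 5 and fields[1] in ("bridge", "network"):
            nics.append((fields[0], fields[2]))
    return nics

def vmseries_mapping(nics):
    """Map each bridge/network name to (vnet, VM-Series interface name)."""
    mapping = {}
    for index, (vnet, source) in enumerate(nics):
        pan_name = "management" if index == 0 else f"ethernet1/{index}"
        mapping[source] = (vnet, pan_name)
    return mapping

def live_mapping(domain):
    """Run the same check against a domain on this KVM host (requires virsh)."""
    out = subprocess.run(["virsh", "domiflist", domain],
                         capture_output=True, text=True, check=True).stdout
    return vmseries_mapping(parse_domiflist(out))

if __name__ == "__main__":
    for source, (vnet, pan_name) in vmseries_mapping(parse_domiflist(SAMPLE_DOMIFLIST)).items():
        print(f"{source:8} {vnet:8} => {pan_name}")
```

Compare the printed mapping with the bridge each physical port is enslaved to in `brctl show`; the bridge listed first in domiflist carries the management interface, not ethernet1/1.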

Let me check with Palo Alto Networks technical support. In the meantime, please advise whether my netplan configuration for my Ubuntu KVM host is correct or not.

Lastly, the command for connecting to the console of the Palo Alto VM-Series software firewall:

sudo virsh console PA-VM-KVM-10.0.4

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Singapore
31 March 2025 Monday 5.15 PM
