[UPDATE 1] Overall Summary of Installing and Configuring Palo Alto VM-Series Software Firewall 10.0.4 in Ubuntu Desktop 22.04.5 LTS KVM Host


Author: Mr. Turritopsis Dohrnii Teo En Ming

Country: Singapore

Date: 31 Mar 2025 Monday


DETAILED INSTRUCTIONS

=======================


Download and install Ubuntu Desktop 22.04.5 LTS on a hardware appliance with 3 or 4 network interface cards.


Please *DO NOT* install and run openssh-server, as Advanced Persistent Threat (APT) hackers may use this avenue to hack into your Ubuntu KVM host.


On the morning of 30 March 2025 Sunday, Advanced Persistent Threat (APT) hackers hacked into my previous installation of Ubuntu KVM host and changed my netplan configuration. The APT hackers removed all the network interfaces from the network bridges. I have since erased and reinstalled my Ubuntu Desktop 22.04.5 LTS KVM host.


Install KVM and Dependencies

===============================


Run the following commands to install KVM, Virt-Manager, and their dependencies:


sudo apt update && sudo apt upgrade -y


sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager


Verify if KVM is installed:


sudo kvm-ok


INFO: /dev/kvm exists

KVM acceleration can be used


Start and enable the libvirt service:


sudo systemctl enable --now libvirtd


Download and Prepare the QCOW2 Image

========================================


Download the Palo Alto VM-Series software firewall QCOW2 image from Palo Alto Networks.


The filename of my image is PA-VM-KVM-10.0.4.vm_eval.qcow2. 


Copy the image to the KVM images directory:


sudo cp PA-VM-KVM-10.0.4.vm_eval.qcow2 /var/lib/libvirt/images/


Adjust file permissions:


sudo chown libvirt-qemu:kvm /var/lib/libvirt/images/PA-VM-KVM-10.0.4.vm_eval.qcow2


sudo chmod 644 /var/lib/libvirt/images/PA-VM-KVM-10.0.4.vm_eval.qcow2


Configuring Multiple Interfaces for the Palo Alto VM-Series software firewall

==============================================================================


To configure ***multiple interfaces*** for the Palo Alto VM-Series firewall on Ubuntu KVM, follow these steps:


Identify Network Interfaces

================================


First, determine the network interfaces available on your KVM host using:


ip link show


You'll need at least:


    1 interface for management


    1 or more interfaces for data traffic (inside, outside, DMZ, etc.)

    

Create Network Bridges 

=====================================


If you want the Palo Alto firewall's interfaces to be on different networks, create one Linux bridge per network.


Install bridge utilities:


sudo apt install bridge-utils


Configure bridges in Netplan (/etc/netplan/01-netcfg.yaml):


sudo nano /etc/netplan/01-netcfg.yaml


My netplan configuration:


network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0:
      dhcp4: no
    enp2s0:
      dhcp4: no
    enp3s0:
      dhcp4: no
    enp4s0:
      dhcp4: no
  bridges:
    br0:
      interfaces: [enp1s0]
      dhcp4: yes
    br1:
      interfaces: [enp2s0]
      dhcp4: no
    br2:
      interfaces: [enp3s0]
      dhcp4: no
    br3:
      interfaces: [enp4s0]
      dhcp4: no

Restrict the permissions of the netplan file so that only root can read it:


cd /etc/netplan


sudo chmod 600 01-netcfg.yaml

      

Apply changes:


sudo netplan apply


sudo brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.da16c5ba83c0       yes             enp1s0
br1             8000.2a1de38524c1       yes             enp2s0
br2             8000.2ac0bc028fe3       yes
br3             8000.4eb2b8fe7743       yes
virbr0          8000.525400f9e6d6       yes


Reboot the Ubuntu KVM host.


sudo reboot


Create a Virtual Machine Using Virt-Manager (GUI)

=====================================================


Use the following guide.


Guide: VM-Series Deployment Guide: Provision the VM-Series Firewall on a KVM Host

Link: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-kvm/install-the-vm-series-firewall-on-kvm/install-the-vm-series-firewall-using-virt-manager/provision-the-vm-series-firewall-on-a-kvm-host


Start the Virtual Machine Manager (GUI).


sudo virt-manager


Configure the Palo Alto firewall virtual machine as described in the guide above.


You need to set the date of the PA-VM 10.0.4 virtual machine to 12 Sep 2021, which is 111833956 seconds before the date of this post.


sudo virsh edit PA-VM-KVM-10.0.4


Set the clock element of the domain definition as follows:

  <clock offset='variable' adjustment='-111833956' basis='utc'>
    <timer name='rtc' tickpolicy='catchup'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='hpet' present='no'/>
  </clock>


Start the virtual machine in Virtual Machine Manager (GUI).


sudo brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.da16c5ba83c0       yes             enp1s0
                                                        vnet4
br1             8000.2a1de38524c1       yes             enp2s0
                                                        vnet5
br2             8000.2ac0bc028fe3       yes             vnet6
br3             8000.4eb2b8fe7743       yes             vnet7
virbr0          8000.525400f9e6d6       yes


You MUST wait for the PA-HDF login prompt to change to the PA-VM login prompt. The waiting time is usually around 10 minutes.


Open your web browser and access the Palo Alto VM-series firewall web login page at https://<IP address>


Login with the default username and password of admin/admin.


Change the admin password immediately.


Configuring the Palo Alto VM-Series Software Firewall

======================================================


Use the following 2 guides.


Guide 1: Example Configuration for Palo Alto Network VM-Series in GCP

Link: https://docs.aviatrix.com/documentation/latest/security/paloalto-vmseries-gcp.html


Guide 2: Setting up a Palo Alto Networks Firewall for the First Time

Link: https://rowelldionicio.com/setting-up-palo-alto-networks-firewall-first-time/


Please note that Guide 2 is more detailed and comprehensive.


Outstanding Issues / Issues Pending to be Resolved

===================================================


As of 31 Mar 2025 Monday at 4.34 PM, when I connect my laptop to Port 2 on my hardware appliance, which is mapped to network bridge br1, which is in turn mapped to ethernet1/2 (LAN) in the Palo Alto VM-Series software firewall, there is still no network connectivity at all. I can't get an IP address from the Palo Alto firewall DHCP server and I can't ping the LAN gateway 192.168.1.1 at all.


Currently the network bridge mapping is:


br0 => ethernet1/1 (WAN)

br1 => ethernet1/2 (LAN)


Perhaps there could be issues with Port 2 on my hardware appliance, or the network bridge br1 may not be working properly. I have flushed all the iptables firewall rules on the Ubuntu KVM host and there is still no network connectivity between my laptop and Port 2 on the hardware appliance.


I suspect I could have done the network bridge mapping wrongly and this could turn out to be the real scenario:


br0 - MANAGEMENT - ethernet1/1

br1 - WAN - ethernet1/2 (untrust, outside)

br2 - LAN - ethernet1/3 (trust, inside)


If I have done the network bridge mapping wrongly, I will have to configure the Palo Alto VM-Series firewall all over again.


Let me check with Palo Alto Networks technical support. In the meantime, please advise whether my netplan configuration for my Ubuntu KVM host is correct or not.


Lastly, the command for connecting to the console of the Palo Alto VM-Series software firewall is:


sudo virsh console PA-VM-KVM-10.0.4


Regards,


Mr. Turritopsis Dohrnii Teo En Ming

Singapore

31 March 2025 Monday 5.15 PM




