NOTE: for educational purposes only.
NOTE: this procedure places a Oracle Enterprise Linux system "behind" a Palo Alto NGFW (firewall) and registers the OEL system with the ULN (Unbreakable Linux Network). It is part of investigation into an issue noticed with OEL 8.x in combination with Palo Alto v10.1.x/10.2.x where once a certain profile is applied on the Palo Alto, the OEL system is no longer able to communicate with the ULN (initial registration fails for new systems, and retrieving packages via yum fails for already registered systems). In one scenario, editing the file /etc/sysconfig/rhn/up2date and setting the useNoSSLForPackages=1 (default is 0) appeared to resolve the issue.
NOTE: For some reason, the Palo Alto qcow2 image does not boot up completely by default in VirtualBox. It boots up to the PA-HDF login prompt instead of the PA VM login prompt. The PA-HDF prompt implies the system has not booted up completely.
Setup Palo Alto VM on VirtualBox: https://nfv.dev/blog/2022/03/how-to-run-a-palo-alto-vm-series-firewall-in-virtualbox/
1. Convert the qcow2 disk image o hyper-v VHDX, setup Hyoer-V on your Windows 10 host, create a VM with the PA disk in Hyper-V, launch the VM, login ( be patient as it takes a while to get the "PA VM" prompt. The initial "PA-HDF" should be ignored. You might need to press ENTER key a few times for the prompt to change). Shut down the Hyper-V VM ("request shutdown system" command in PA). Then convert the VHDX disk to VMDK/VDI. Now use the new VMDK/VDI disk to create a VirtualBox VM.
2. Convert PA qcow2 disk to VHDX:
C:\PaloAlto1010>c:\qemu\qemu-img.exe convert -f qcow2 PA-VM-KVM-10.1.0.qcow2 -O vhdx PA-VM-1010.vhdx (qemu makes a sparse copy of the disk which is not supported by Hyper-V which will complain that the file must not be sparse: https://email@example.com/msg04963.html)
3. Make a non-sparse copy of the VHDX disk using "copy" command or even the Windows Explorer copy.
C:\PaloAlto1010>copy PA-VM-1010.vhdx PA-VM-1010a.vhdx
4. Create Hyper-V VM from PA-VM-10102a.vhdx, power it on, login, change password if prompted, shutdown the VM
Note that since the PA VM boots up properly on Hyper-V, you can use Hyper-V instead of VirtualBox.
5. Convert VHDX to VDI after shutting down the Hyper-V VM:
C:\PaloAlto1010>c:\qemu\qemu-img.exe convert PA-VM-10102a.vhdx -O vdi PA-VM-1010.vdi
NOTE: default PA credential is admin/admin (it takes some time after boot-up for the credentials to be accepted i.e., the true login prompt when the system is fully up should be something like "PA VM" but you may initially be presented with the "PA-HDF" prompt)
INITIAL BASIC CONFIG OF PALO ALTO VM TO SERVE AS INTERNET GATEWAY: https://rowelldionicio.com/setting-up-palo-alto-networks-firewall-first-time/
My test config (all on a Windows 10 host system):
- OEL8.6 VM (VBox) <-----> PA 10.1.0 VM (VBox) <------> Windows 10 laptop (Host) <------> Home Internet Router
- IMPORTANT: all 4x NICs on the PA VM was enabled in VBox. First NIC is mgmt, second NIC is Ethernet1/1, third NIC is Ethernet1/2
- First and second NIC are bridged to the WiFi adapter in Windows 10 host so they can get DHCP IPs from my home router
- Third NIC (Ethernet1/2) is connected to the default "Internal Network" named "intnet" in VBox
- The single NIC attached to the OEL8.6 VM is also connected to the default "Internal Network" named "intnet" in VBox so that it can communicate with the PA VM which will serve as the DHCP server and gateway for the OEL8.6 VM
- NOTE: the PA 10.1.0 did NOT come with the "rule1" ACL (mentioned in the referenced URL above)that allows traffic between trusted and untrusted zone. You NEED to create the ACL rule.
- NOTE: you need to add a "Static Route" (default route) to the default "Virtual Router" that sends all traffic to the Internet Router IP. For example, I created a "Static Route" nanmed "Default Route" with Destination 0.0.0.0/0 ; Interface ethernet1/1 ; Next Hop "IP Address" 192.168.10.1 (the LAN IP address of my home internet router)
- NOTE: you can add a second NIC to the OEL8.6 VM in Vbox and attach the NIC to the "Host-Only Adapter". This allows you to connect via SSH from the Windows 10 host to the OEL 8.6 for troubleshooting purposes.
- Other NOTES:
- install the UEK kernel on the OEL 8.6 VM:
[root@oel86vb ~]# yum install -y kernel-uek.x86_64
How to run a Palo Alto VM Series Firewall in VirtualBox
Oracle Linux: How to De-Register a System from ULN (Doc ID 2133228.1)
Register a system with ULN:
[root@oel86 ~]# wget https://linux-update.oracle.com/rpms/uln_register_ol8.tgz
[root@oel86 ~]# wget https://linux-update.oracle.com/rpms/uln_register-gnome_ol8.tgz
[root@oel86 ~]# tar xf uln_register-gnome_ol8.tgz
[root@oel86 ~]# tar xf uln_register_ol8.tgz
[root@oel86 ~]# yum install -y *rpm
[root@oel86 ~]# uln_register
- use uln_register command for the interactive option or ulnreg_ks for the CLI option. The profilename is optional. Without it, the entry in ULN for the system will be named the system's hostname e.g., # ulnreg_ks --profilename=OEL86vbox --username=<my-registered-uln-email> --password=<my-oracle-support-password> --csi=<my-oracle-support-csi-#>
De-register a system from ULN:
- Login to the ULN registration page (http://linux.oracle.com ) and delete the registered system from ULN. You must login as the user that registered the system with ULN.
- Select the System tab > Select the system to be removed and select the Delete button
- Remove the system registration information from the local system. This can be done by removing the systemid file: # rm /etc/sysconfig/rhn/systemid
- Setup the public yum repository files in /etc/yum.repos.d/ . Instructions for setting up public yum can be found at the following URL: http://yum.oracle.com/
- Some commands:
- Get details of the IP received via DHCP over the bridge to the host WNIC from the home router
admin@PA-VM> show dhcp client mgmt-interface-state
- Assign same IP permanently:
set deviceconfig system type static
set deviceconfig system ip-address 192.168.10.60 netmask 255.255.255.0 default-gateway 192.168.10.1
- Enable HTTPS web mgmt on the mgmt interface:
set deviceconfig system service disable-https no
set deviceconfig system service disable-ssh no
set deviceconfig system service disable-icmp no
- Retreive mgmt interface IP details:
admin@PA-VM> show interface management
- Graceful shutdown:
admin@PA-VM> request shutdown system
- Ping a host from the PA:
admin@PA-VM> ping host 18.104.22.168