
How to connect a VM Palo Alto Firewall to GNS3

This is a guide for connecting VMware Workstation running a virtual Palo Alto Firewall PA-100 image to GNS3.
With this guide I have made a few assumptions about what stage people will be at, but it should still give you
some ideas on how to set it up.
First off, make sure you have VMware Workstation installed (VirtualBox will NOT work because it does not support
the VMXNET3 drivers that the Palo Alto Firewall requires).
Once you have VMware Workstation installed you will need to add some local host NICs (I personally remove all
the defaults first).

Next, add some host-only adapters; each host-only adapter will back one of the firewall's interfaces.
I have created VMnet0 as a host-only interface on the subnet 192.168.1.0 as the management subnet (the
default range on a new Palo firewall; this can be changed later if you wish).
VMnet1 will be the internal network on 10.128.1.0/24 (these can be anything you wish).
VMnet2 will be the external network on 50.0.0.0/24.
VMnet3 will be the DMZ network on 172.16.1.0/24.

Next we will need to import our Palo Alto Firewall Image (Google is your friend here).
File -> Open

By default you will only have 2 interfaces. You will need to add 2 more interfaces and set them to your host-only
interfaces (under Custom).

Before you start the VM firewall you need to edit the .vmx file (your file extensions may be hidden).

In the .vmx file you need to change ALL the ethernetX.virtualDev = e1000 entries to vmxnet3.

If you get the following error you might not have changed all the NICs.
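
The edit described above can be scripted and checked. This is an added example, not part of the original guide: it rewrites every ethernetN.virtualDev entry to vmxnet3 and lists adapters that are marked present but have no virtualDev line. The function name and the sample .vmx text are constructed for illustration.

```python
import re

# Matches lines such as: ethernet2.virtualDev = "e1000"
VDEV = re.compile(r'^([ \t]*ethernet(\d+)\.virtualDev[ \t]*=[ \t]*)"([^"]*)"', re.I | re.M)
PRESENT = re.compile(r'^[ \t]*ethernet(\d+)\.present[ \t]*=[ \t]*"TRUE"', re.I | re.M)


def force_vmxnet3(vmx_text):
    """Return (new_text, changed, missing).

    changed: NIC indexes whose virtualDev was rewritten to vmxnet3
    missing: NICs marked present that have no virtualDev line at all
    """
    changed = []

    def swap(match):
        if match.group(3).lower() != "vmxnet3":
            changed.append(int(match.group(2)))
        return match.group(1) + '"vmxnet3"'

    new_text = VDEV.sub(swap, vmx_text)
    present = {int(n) for n in PRESENT.findall(new_text)}
    typed = {int(m.group(2)) for m in VDEV.finditer(new_text)}
    return new_text, sorted(changed), sorted(present - typed)


# Constructed sample: four NICs, one already converted and one that has
# no virtualDev line, so it needs a manual look.
SAMPLE_VMX = '''\
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.vnet = "VMnet0"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "vmxnet3"
ethernet1.vnet = "VMnet1"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "e1000"
ethernet2.vnet = "VMnet2"
ethernet3.present = "TRUE"
ethernet3.vnet = "VMnet3"
'''

if __name__ == "__main__":
    text, changed, missing = force_vmxnet3(SAMPLE_VMX)
    print("rewritten NICs:", changed)
    print("present but no virtualDev line:", missing)
```

Run it against a copy of the real .vmx with the VM powered off, and check any adapter it reports as missing by hand.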

Once it has loaded successfully you will see the console login. The default username and password are admin / admin.

Next navigate to your network adapters (Windows 7)

Under the VMnet0 adapter you will need to tick the VMware Bridge Protocol and add an IP address to allow
connection to the firewall management interface. (Beware: if your normal LAN or wireless is on this same subnet, you
might need to disable it temporarily.)

Under VMnet1 to VMnet3 you only need the VMware Bridge Protocol ticked.
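
A quick way to check the subnet clash mentioned above before assigning addresses (added example, not from the original guide): it compares the guide's four VMnet subnets with the host's existing adapters and also reports any lab range that is not private address space. The host adapter names and addresses are constructed sample values.

```python
import ipaddress

# The guide's addressing plan.
LAB_PLAN = {
    "VMnet0 (management)": "192.168.1.0/24",
    "VMnet1 (Trust/LAN)": "10.128.1.0/24",
    "VMnet2 (Untrust/WAN)": "50.0.0.0/24",
    "VMnet3 (DMZ)": "172.16.1.0/24",
}

# Constructed sample of the host's real adapters (address/prefix).
SAMPLE_HOST = {
    "Wireless Network Connection": "192.168.1.23/24",
    "Local Area Connection": "172.20.5.10/16",
}


def check_plan(plan, host_networks):
    """Return findings as (kind, lab network, detail) tuples."""
    nets = {n: ipaddress.ip_network(c) for n, c in plan.items()}
    # strict=False lets us pass a host address with its prefix length.
    host = {n: ipaddress.ip_network(c, strict=False)
            for n, c in host_networks.items()}
    findings = []
    names = list(nets)
    for i, a in enumerate(names):
        # Two lab subnets must never overlap each other.
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("lab-overlap", a, b))
        # A lab subnet that matches a real adapter makes routing ambiguous.
        for h, hnet in host.items():
            if nets[a].overlaps(hnet):
                findings.append(("host-overlap", a, h))
        # Publicly routable space shadows real Internet hosts if the lab
        # is ever bridged or NATed to a real network.
        if not nets[a].is_private:
            findings.append(("public-range", a, str(nets[a])))
    return findings


if __name__ == "__main__":
    for finding in check_plan(LAB_PLAN, SAMPLE_HOST):
        print(finding)
```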

Then you can use a web browser to navigate to https://192.168.1.1 (Remember the s on https://).
This might take 2-3 minutes after the booting of the VM Image.

You will then be able to log in with admin/admin.

This is the dashboard.

On the Palo we first need to add 3 zones.


Under Network -> Zones -> Add.
Create 3 Zones: Trust / Untrust / DMZ with type Layer 3.

Under Network -> Interfaces -> Add


ethernet1/1 = VMnet1
Interface Type = Layer 3
Comment = LAN
Virtual Router = default
Security Zone = Trust

Under IPv4 you will need to create a new interface and give it the IP address
10.128.1.1/24.

To make an interface PINGable on a Palo we need to create an Interface Mgmt profile and assign it to the Interface.

Network -> Network Profiles -> Interface Mgmt.


New -> Name: Allow PING, and under permitted services tick ping.

Then under the ethernet interface -> Advanced -> Other Info -> Management Profile -> Allow PING.

Now you will need to Commit the changes for them to take effect (Top right hand side).

Once this is all up and running you will see the Link State has gone Green.

Within GNS3 add a router and cloud then point the cloud to the VMnet1 Interface.

Then connect the cloud to the router, in my case fa0/0 and add an IP address (*If this fails REBOOT your computer):
conf t
int fa0/0
ip address 10.128.1.2 255.255.255.0
no shut
end
wr
ping 10.128.1.1

This should be successful.


We then need to repeat the process another two times for the WAN and DMZ.
Under Network -> Interfaces -> Add
ethernet1/1 = VMnet2
Interface Type = Layer 3
Comment = WAN
Virtual Router = default
Security Zone = Untrust

Under IPv4 you will need to create a new interface and give it the IP address 50.0.0.1/24.

*Remember to add the Allow PING to the management profile and commit.
Then add a second cloud to GNS3 and attach to VMnet2.

conf t
int fa0/0
ip address 50.0.0.2 255.255.255.0
no shut
end
wr
ping 50.0.0.1

*Repeat the same for the DMZ but with 172.16.1.X addressing.

You should then get three green Link State interfaces.

You then need to add some static routes under Network -> Virtual Routers -> Static Routes to allow routing for the
network.

Finally, I changed the icons in GNS3 and renamed the devices to make it look more like one device.

I hope this guide is useful to some people that would like to use the Palo Firewall and can hopefully play with it using
a GNS3 network as well.
If you have any questions please let me know, other than where to get the Palo Alto firewall image from, as I can't
distribute it freely (but Google is your friend).
As for licenses, my copy doesn't have a license installed and it still functions enough for my testing, but many features
will NOT work without a license.
If you spot any mistakes or edits needed, again let me know.
Happy Labbing! I hope this has been informative, and I would like to thank you for reading.
