Luck87 Posted April 11, 2018
Hi all, is it possible to run a virtual firewall (Check Point, Palo Alto) or a virtual F5 appliance in an Unraid VM?
RifleJock Posted April 17, 2018
I bet you it is! I just got a new job, and I will be learning much about each of the things you mentioned... So if you want, we can hit off this forum with all of our findings! I would like to try to simulate these for a lab environment, and eventually I will be implementing into a production environment.
xanvincent Posted April 18, 2018
pfSense and IPFire run well under KVM. It is discussed a lot on the forum. Not sure about the others. Give it a shot!
RifleJock Posted July 27, 2018 (edited)
I'VE DONE IT! K, so here are my findings. Test was done with Check Point "R80.10_T462_Gaia.iso" downloaded to my ISO share. I generated a 30-day eval license from CP's website. You must create a RedHat VM. YOU MUST! You can see attached, but basically... In my environment (dual Intel Xeon), tested with 80GB vdisk, 8GB RAM, 4 cores and 8 threads... way overkill for CP. Also, I haven't seen CP utilize any threads.. I'm sure it's just the nature of CP.
===================================================
i440fx-2.11
SeaBIOS
SATA (MUST HAVE) --- IDE and SCSI do not work.
VirtIO disk (80GB in my case)
No shares...
VNC
no sound selected
two "v"-NICs, I'm running br0 and br1
===================================================
done! Check Point supports Red Hat Enterprise, so I guess we got lucky this time! On to Palo Alto!
Edited July 27, 2018 by RifleJock Spelling
deagle Posted October 9, 2018
PA-VM supports CentOS so I'm optimistic. Has anyone gotten it working?
deagle Posted November 1, 2018 (edited)
I got PA-VM working with Q35-2.6, anything newer hangs at boot. PCI passthrough works as well, I used an old Intel quad PT and the interfaces are detected as e1000e. Looking to buy an ixgbe card for DPDK support. Something to keep in mind, only the first virtio interface (mgmt) was detected so you may need to passthrough. I tried rebooting a couple of times and it wouldn't recognize the other virtio NICs. There may be a troubleshooting step I missed but I was going to passthrough anyway so I skipped that part.
Edited November 1, 2018 by deagle
RifleJock Posted September 12, 2019 (edited)
I've got PA-VM (KVM) working. Here are the settings so far and the issues I've run into.
===================================================
I've been able to get 11 network interfaces to work. Any time I attempt to add the 12th network, the "Guest has not initialized the display (yet)" comes up. I've got nothing out of the ordinary in the logs other than the "hostnet12" is never registered. Additionally, all but the first CPU max out when attempting to initialize.

...
-netdev tap,fd=48,id=hostnet10,vhost=on,vhostfd=49 \
-device virtio-net-pci,netdev=hostnet10,id=net10,mac=52:54:00:b7:f8:2a,bus=pci.13,addr=0x0 \
-netdev tap,fd=50,id=hostnet11,vhost=on,vhostfd=51 \
-device virtio-net-pci,netdev=hostnet11,id=net11,mac=52:54:00:a4:8c:87,bus=pci.14,addr=0x0 \
-chardev pty,id=charserial0 \
-device isa-serial,chardev=charserial0,id=serial0 \
-chardev socket,id=charchannel0,fd=52,server,nowait \
...

A force stop and removal of the 12th interface works great! I'm beginning to wonder if this is a limitation with UnRAID's ability to have that many iPXE bootable NICs registered to a single host VM. I'm going to be looking into how to disable the PXE capabilities to troubleshoot this theory later. Anyways, here is what it looks like in the web-ui for the PAN-OS. Interfaces start off grey as they are by default in "tap" mode. Configuring them to all be layer3 (and committing configuration) will bring the link up/down lights active. Yes, only 10 interfaces show here, because the management interface counts as the "first" interface. This can also be proven when reviewing the MAC address in the console (VNC window) and in the configuration of the VM via Unraid's web-ui. Oh, and additionally, my br0 is a 10GbE NIC, Palo is only registering this as 1GbE. Not sure if this is a limitation of the Linux VM profile or if this is a limitation of the PAN software for their VM builds. I do know their physical devices do have 10GbE capabilities.

Here is the rest of the configuration in order to get this to work: Started out with "Linux" VM. In the past, I've used CentOS, but this limited me to 5 interfaces (4 active + mgmt) and only when custom added by XML rather than adding them additionally via the GUI template. Even though SeaBIOS was used here, I've gotten a UUID (which I believe means that the device is booting UEFI capable.) My initial image was the 9.0.1 KVM build downloaded from Palo's site. This should give you a .qcow file. You can place this in any share (I've placed mine in the VM share (/device name/file.qcow)) and manually selected it and used VirtIO for the bus. This, by design of Palo, created a 60G vdisk as seen below. I've not found a limitation yet on how many cores can be added (unlike Check Point). Thus far, I've had up to 80 "cpus" or 40 cores and their respective threads. In my system, this spans my dual E5 2696 v4's which are 22 cores / 44 threads a piece. VM runs fine when spanning across both CPUs in the system. Additionally, I was able to register a license via Palo's website and gain a serial number for the device, which also allowed me to download and install an even newer version of code. Based on these findings... This could be a promising setup for those wanting to run Palo in a virtual environment from an UnRAID build.
Edited September 12, 2019 by RifleJock Added note about the physical NIC being 10GbE.
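The post above adds interfaces by hand in the VM's XML, and the later replies in this thread attach them to Unraid bridges (br0, br1, or a VLAN bridge). As an added example, not from the original posts, this POSIX shell function emits one libvirt `<interface>` stanza per NIC with the same layout the qemu command line above shows (net10 on pci.13, net11 on pci.14, so NIC i lands on PCI bus i+3). The bridge names, the MAC scheme and the bus offset are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate libvirt <interface> stanzas
# for a PA-VM guest on Unraid bridges. Assumptions: the first interface is
# the PAN-OS management NIC, the rest become eth1/1, eth1/2, ... in order;
# bridges are handed out round-robin; bus = index + 3 mirrors the
# "bus=pci.13" / "bus=pci.14" seen for net10/net11 in the post.

# gen_interfaces <count> <bridge> [<bridge> ...]
gen_interfaces() {
  count=$1
  shift
  n=$#
  if ! [ "$count" -ge 1 ] 2>/dev/null || [ "$n" -lt 1 ]; then
    echo 'usage: gen_interfaces <count> <bridge> [<bridge> ...]' >&2
    return 1
  fi
  i=0
  while [ "$i" -lt "$count" ]; do
    # pick bridge number (i mod n), in a subshell so shift does not leak
    bridge=$(shift $((i % n)); printf '%s' "$1")
    busaddr=$(printf '0x%02x' $((i + 3)))
    # Deterministic MAC in QEMU's 52:54:00 range (constructed, locally
    # administered) so the address shown in the PAN-OS console can be
    # matched back to the stanza, as the post does via the VNC window.
    mac=$(printf '52:54:00:de:ad:%02x' "$i")
    cat <<EOF
    <interface type='bridge'>
      <mac address='$mac'/>
      <source bridge='$bridge'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='$busaddr' slot='0x00' function='0x0'/>
    </interface>
EOF
    i=$((i + 1))
  done
}

# count_interfaces: number of bridge interfaces in XML read from stdin,
# handy for checking a domain file against the limit hit in the thread
# (11 NICs on 6.8.x, 25 on 6.9.0-beta25).
count_interfaces() {
  grep -c "<interface type='bridge'>"
}
```

Paste the output inside `<devices>` of the domain XML; libvirt keeps the `<uuid>` you already have, which matters for the licensing note later in the thread.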
jwiener3 Posted July 20, 2020
I know this is an old thread, but for anyone that stumbles across it looking for advice. I did get this working on 6.8.3 with the PAN-OS 9.1.2 qcow image (I did not try any other version). See below for my settings; I added 8 NICs, the first being the management NIC. It takes a while to start up and I do get some errors (see screenshot), but it works well and I get the performance I need (500mbps down and 20mbps up).
RifleJock Posted July 21, 2020 (edited)
Hey jwiener3 and all others, as far as the perf: interrupt messages, I receive these as well, and the system seems to limit my login until it is done spitting those errors. Not sure if there are other processes still booting in the background. I'm assuming the "accessed a protected system..." is your banner/motd. As far as I know, those alerts don't actually cause any issues (that I have found).
OH!!! Also, update. Running Unraid 6.9.0-beta25. I'm now able to run many more interfaces. Currently running 25 (24 + mgmt). Adding the 26th does.... welp, apparently nothing. Only eth1/1 - 1/24 show up, nothing after that. Even looking for the logical 26th Unraid interface (25th Palo Alto, other than mgmt) I'm unable to find its MAC address.
-Jockie
Edited July 21, 2020 by RifleJock spelling
buddylee7 Posted February 21, 2021
Interested in getting a Palo to run on my Unraid instance. Are there any good places to go for a walkthrough?
RifleJock Posted February 21, 2021 (edited)
17 hours ago, buddylee7 said: Interested in getting a Palo to run on my Unraid instance. Are there any good places to go for a walkthrough?
Not exactly, the most recent post made by me I believe is the only thing seen on Unraid's forum about the Palo setup process. One thing to mention, that might not have been mentioned before, is the licensing: if you are going to make this a legit license, you MUST not remove the UUID in your XML file for the device, as Palo licensing is near impossible to move once established. Save a copy of it somewhere.
Edited February 21, 2021 by RifleJock Spelling
buddylee7 Posted February 21, 2021 (edited)
Going through the screenshots helped. Thank you. Side note, how do you get the additional graphics/icons to choose from for aesthetics? Thanks again!
Edited February 21, 2021 by buddylee7
buddylee7 Posted February 22, 2021
On 9/12/2019 at 12:44 PM, RifleJock said: I've got PA-VM (KVM) working. Here are the settings so far and the issues I've run into. ...
How would one do VLAN interfaces in Unraid and get the Palo VM to see that as an interface?
RifleJock Posted February 22, 2021
6 hours ago, buddylee7 said: Side note, how do you get the additional graphics/icons to choose from for aesthetics?
https://www.youtube.com/watch?v=LkW3niAWAHs
https://forums.unraid.net/topic/50882-guide-custom-vm-icons-automatically-downloaded-and-installed-to-unraid/
So, you have several physical interfaces in UnRAID; you can set these to their own VLAN in Unraid, and then assign the bridge to Palo. You can also edit the XML, I believe, to be a different type of interface, rather than inet. Otherwise, just put a managed L2 switch next to your Unraid box, and trunk your interfaces to Unraid.
buddylee7 Posted February 22, 2021 (edited)
21 hours ago, RifleJock said: So, you have several physical interfaces in UnRAID; you can set these to their own VLAN in Unraid, and then assign the bridge to Palo. You can also edit the XML, I believe, to be a different type of interface, rather than inet. Otherwise, just put a managed L2 switch next to your Unraid box, and trunk your interfaces to Unraid.
(Update) I understand the switch part, although where I'm struggling is the Unraid. When I create VLANs on one of the physical interfaces to create a logical L2 interface, the MAC address set up in the "edit" portion is on the Palo management interface. I have not added additional interfaces as I'm still figuring out how to get access to the management. I have even attempted to create an access port and use a non-VLAN interface on the Unraid with no luck.
Edited February 23, 2021 by buddylee7
RifleJock Posted March 13, 2021
On 2/22/2021 at 4:38 PM, buddylee7 said: (Update) I understand the switch part, although where I'm struggling is the Unraid. When I create VLANs on one of the physical interfaces to create a logical L2 interface, the MAC address set up in the "edit" portion is on the Palo management interface. I have not added additional interfaces as I'm still figuring out how to get access to the management. I have even attempted to create an access port and use a non-VLAN interface on the Unraid with no luck.
So there is a big difference here... your physical environment, and your virtual one. All things done within UnRAID are considered your virtual environment, and everything outside of that is considered your physicals. You can either set up UnRAID to have an L2 interface, which you pass through as a bridge to your virtualized Palo Alto. (There wouldn't be much of a point in running an L2 within Palo if this is the case.) This will allow your Palo to communicate only on that physical L2 interface of UnRAID when trying to communicate with anything else on that same L2 interface in your physical environment. Perhaps a real Palo Alto with the same VLAN tagging for redundancy or whatever.
Now let's say you have a virtual Check Point device and a virtual Palo both on your Unraid. Regardless of what physical interfaces are assigned in UnRAID, whatever bridge you pass through to the virtual environments, you can create L2 interfaces within your Check Point and Palo devices, and only devices on that same bridge (on UnRAID) in the same virtual L2 LAN will communicate. However, I believe any traffic destined to a network outside of UnRAID will get put onto UnRAID's physical configuration's interface when it is attempting to leave the UnRAID box itself. If your UnRAID is configured as a physical L3 with default tagging, then traffic will leave tagged as such. This type of configuration only separates the virtual traffic within the UnRAID box.
Depending on what your scenario is, you could do either or both. It all comes down to your physical and virtual topology. LMK if you have any further questions, I can break this down further if needed.
-Jockie.
jwiener3 Posted January 13, 2023 (edited)
Maybe only 3 of us care at this point, but I wanted to let everyone know this is still working in PAN-OS version 11, on UNRAID version 6.11.5
Edited January 13, 2023 by jwiener3