Virtual firewall running on unraid


16 posts in this topic Last Reply

Recommended Posts

I bet you it is! I just got a new job, and I will be learning much about each of the things you mentioned... So If you want, we can hit off this forum with all of our findings! I would like to try to simulate these for a lab environment, and eventually I will be implementing into a production environment.

Link to post
  • 3 months later...

I'VE DONE DONEIT! 

 

K, so here are my findings. Test was done with Check Point "R80.10_T462_Gaia.iso" downloaded to my ISO share. I generated a 30-day eval license from CP's website.

You must create a  RedHat VM. YOU MUST!

 

You can see attached, but basically... 

In my environement (dual intel xeon) Tested with 80GB vdisk, 8GB RAM 4 cores and 8 threads... way overkill for CP. Also, I haven't seen CP utilize any threads.. I'm sure its just the nature of CP.

===================================================

i440fx-2.11

SeaBIOS

Sata (MUST HAVE) --- IDE and SCSI do not work.

VirtIO disk (80GB in my case)

No shares...

VNC

no sound

selected two "v"-NIC's

I'm running br0 and br1

===================================================

done!

 

Check Point supports Red Hat Enterprise, so I guess we got lucky this time!

On to Palo Alto!

image.png

Edited by RifleJock
Spelling
Link to post
  • 2 months later...
  • 4 weeks later...

I got PA-VM working with Q35-2.6, anything newer hangs at boot. PCI passthrough works as well, I used an old Intel quad PT and the interfaces are detected as e1000e. Looking to buy an ixgbe card for DPDK support. 

 

Something to keep in mind, only the first virtio interface (mgmt) was detected so you may need to passthough. I tried rebooting a couple of times and it wouldn't recognize the other virtio NICs. There may be a troubleshooting step I missed but I was going to passthough anyway so I skipped that part.

Edited by deagle
Link to post
  • 10 months later...

I've got PA-VM (KVM) working. Here are the settings so far and the issues I've ran into.
===================================================
I've been able to get 11 network interfaces to work. Any time I attempt to add the 12th network, the "Guest has not initialized the display (yet)" comes up. I've got nothing out of the ordinary in the logs other than the "hostnet12" is never registered. Additionally, all but the first CPU max out when attempting to initialize.

 

...
-netdev tap,fd=48,id=hostnet10,vhost=on,vhostfd=49 \
-device virtio-net-pci,netdev=hostnet10,id=net10,mac=52:54:00:b7:f8:2a,bus=pci.13,addr=0x0 \
-netdev tap,fd=50,id=hostnet11,vhost=on,vhostfd=51 \
-device virtio-net-pci,netdev=hostnet11,id=net11,mac=52:54:00:a4:8c:87,bus=pci.14,addr=0x0 \
-chardev pty,id=charserial0 \
-device isa-serial,chardev=charserial0,id=serial0 \
-chardev socket,id=charchannel0,fd=52,server,nowait \

...

 

image.png.83b0f7b5bde05c185db43a9d05dc461c.png

 

 

A force stop and removal of the 12th interface works great!

 

image.png.399a7aea3b01d3d43e71355fb651b18d.png

 

 

I'm beginning to wonder if this is a limitation with UnRAID's ability to have that many iPXE bootable nic's registered to a single host vm.

I'm going to be looking into how to disable the PXE capabilities to troubleshoot this theory later.

 

Anyways, here is what it looks like in the web-ui for the PAN-OS. Interfaces start off grey as they are by default in "tap" mode. Configuring them to all be layer3 (and committing configuration) will bring the link up/down lights active.

image.thumb.png.f8e1a0fd76339c611f6472ebffd44890.png


Yes only 10 interfaces show here, because the management interface counts as the "first" interface. This can also be proven when reviewing the MAC address in the console (vnc window) and in the configuration of the vm via unraid's web-ui.

 

image.png.18f5eeee2482d11322c4f1eeef480fc1.png

image.png.c4417c7ecf9faf82e1efe3ea157d134d.png

Oh, and additionally, my br0 is a 10Gbe NIC, Palo is only registering this as 1Gbe. Not sure if this is a limitation of the linux vm profile or if this is a limitation of the PAN Software for their VM builds. I do know their physical device do have 10Gbe capabilities.

 

Here is the rest of the configuration in order to get this to work:

 

Started out with "Linux" VM. In the past, I've used CentOS, but this limited me to 5 interfaces (4 active + mgmt) and only when custom added by XML rather than adding them additionally via the gui template.

image.png.5da448a17048b14cbb7a841c188d8e5b.png

 

Even though SeaBIOS was used here, I've gotten a UUID (which I believe means that the device is booting UEFI capable.)

image.png.54f222e26d8f103317ecb328e96f3e40.png

My initial image was the 9.0.1 kvm build downloaded from Palo's site. This should give you a .qcow file. You can place this in any share (I've placed mine in the VM share(/device name/file.qcow) and manually selected it and used VirtIO for the bus.

This, by design of palo, created a 60G vdisk as seen below.

image.thumb.png.11d0e6a0d5939712b1e265f111a6ea41.png

 

I've not found a limitation yet on how many cores can be added (Unlike Check Point) Thus far, I've had up to 80 "cpus" or 40 cores and their respective threads. In my system, this spans my dual E5 2696 v4's which are 22cores 44threads a piece. VM runs fine when spanning across both CPU's in the system.

 

 

Additionally, I was able to register a license via palo's website and gain a serial number for the device. Which also allowed me to download and install an even newer version of code.

 

Based on these findings... This could be a promising setup for those wanting to run Palo in a Virtual environment from an UnRAID build.

Edited by RifleJock
Added note about the physical NIC being 10gbe.
Link to post
  • 10 months later...

I know this is an old thread, but for anyone that stumbles across it looking for advice. I did get this working on 6.8.3 with the PAN os 9.1.2 qcow image (I did not try any other version). See below for my setting and I added 8 NICs the first being the management NIC. It takes a while to startup and I do get some errors (see screen shot), but it works well and I get the performance I need (500mbps down and 20mbps up).

 

2020-07-20_9-09-14.png

2020-07-20_9-13-47.png

Link to post

Hey jwiener3 and all others,

 

As far as the perf: interrupt messages, I receive these as well, and the system seems to limit my login until it is done spitting those errors. Not sure if there are other processes still booting in the background.

 

I'm assuming the "accessed a protected system..." is your banner/motd.

As far as I know, those alerts don't actually cause any issues (that I have found).

 

OH!!! Also, Update.

Running Unraid  6.9.0-beta25. I'm now able to run much more interfaces. Currently running 25 (24 + mgmt).

image.thumb.png.d65ae058b7b248f07536550f0834e70e.png

image.thumb.png.108a0c2a4ff4245b3ab8006cecede307.png

 

Adding the 26th does.... welp, apparently nothing. only eth1/1 - 1/24 show up, nothing after that. Even looking for the logical 26th unraid interface (25th palo alto, other than mgmt) I'm unable to find it's mac address.

 

-Jockie

Edited by RifleJock
spelling
Link to post
  • 6 months later...
17 hours ago, buddylee7 said:

Interested in getting a Palo to run on my Unraid instance.  Are there any good places to go for a walk through?

Not exactly, the most recent post made by me I believe is the only thing seen on unraid's forum about Palo setup process.



One thing to mention, that might not have been mentioned before is the licensing, if you are going to make this a legit license, you MUST not remove the UUID in your xml file for the device, as Palo Licensing is near impossible to move once established. Save a copy of it somewhere.

Edited by RifleJock
Spelling
Link to post
On 9/12/2019 at 12:44 PM, RifleJock said:

I've got PA-VM (KVM) working. Here are the settings so far and the issues I've ran into.
===================================================
I've been able to get 11 network interfaces to work. Any time I attempt to add the 12th network, the "Guest has not initialized the display (yet)" comes up. I've got nothing out of the ordinary in the logs other than the "hostnet12" is never registered. Additionally, all but the first CPU max out when attempting to initialize.

 

...
-netdev tap,fd=48,id=hostnet10,vhost=on,vhostfd=49 \
-device virtio-net-pci,netdev=hostnet10,id=net10,mac=52:54:00:b7:f8:2a,bus=pci.13,addr=0x0 \
-netdev tap,fd=50,id=hostnet11,vhost=on,vhostfd=51 \
-device virtio-net-pci,netdev=hostnet11,id=net11,mac=52:54:00:a4:8c:87,bus=pci.14,addr=0x0 \
-chardev pty,id=charserial0 \
-device isa-serial,chardev=charserial0,id=serial0 \
-chardev socket,id=charchannel0,fd=52,server,nowait \

...

 

image.png.83b0f7b5bde05c185db43a9d05dc461c.png

 

 

A force stop and removal of the 12th interface works great!

 

image.png.399a7aea3b01d3d43e71355fb651b18d.png

 

 

I'm beginning to wonder if this is a limitation with UnRAID's ability to have that many iPXE bootable nic's registered to a single host vm.

I'm going to be looking into how to disable the PXE capabilities to troubleshoot this theory later.

 

Anyways, here is what it looks like in the web-ui for the PAN-OS. Interfaces start off grey as they are by default in "tap" mode. Configuring them to all be layer3 (and committing configuration) will bring the link up/down lights active.

image.thumb.png.f8e1a0fd76339c611f6472ebffd44890.png


Yes only 10 interfaces show here, because the management interface counts as the "first" interface. This can also be proven when reviewing the MAC address in the console (vnc window) and in the configuration of the vm via unraid's web-ui.

 

image.png.18f5eeee2482d11322c4f1eeef480fc1.png

image.png.c4417c7ecf9faf82e1efe3ea157d134d.png

Oh, and additionally, my br0 is a 10Gbe NIC, Palo is only registering this as 1Gbe. Not sure if this is a limitation of the linux vm profile or if this is a limitation of the PAN Software for their VM builds. I do know their physical device do have 10Gbe capabilities.

 

Here is the rest of the configuration in order to get this to work:

 

Started out with "Linux" VM. In the past, I've used CentOS, but this limited me to 5 interfaces (4 active + mgmt) and only when custom added by XML rather than adding them additionally via the gui template.

image.png.5da448a17048b14cbb7a841c188d8e5b.png

 

Even though SeaBIOS was used here, I've gotten a UUID (which I believe means that the device is booting UEFI capable.)

image.png.54f222e26d8f103317ecb328e96f3e40.png

My initial image was the 9.0.1 kvm build downloaded from Palo's site. This should give you a .qcow file. You can place this in any share (I've placed mine in the VM share(/device name/file.qcow) and manually selected it and used VirtIO for the bus.

This, by design of palo, created a 60G vdisk as seen below.

image.thumb.png.11d0e6a0d5939712b1e265f111a6ea41.png

 

I've not found a limitation yet on how many cores can be added (Unlike Check Point) Thus far, I've had up to 80 "cpus" or 40 cores and their respective threads. In my system, this spans my dual E5 2696 v4's which are 22cores 44threads a piece. VM runs fine when spanning across both CPU's in the system.

 

 

Additionally, I was able to register a license via palo's website and gain a serial number for the device. Which also allowed me to download and install an even newer version of code.

 

Based on these findings... This could be a promising setup for those wanting to run Palo in a Virtual environment from an UnRAID build.

 How would one do VLAN interfaces in Unraid and get the Palo VM to see that as an interface?

Link to post
6 hours ago, buddylee7 said:

Side note, how do you get the additional graphics/icons to choose from for aesthetics?

https://www.youtube.com/watch?v=LkW3niAWAHs
https://forums.unraid.net/topic/50882-guide-custom-vm-icons-automatically-downloaded-and-installed-to-unraid/

So, you have several physical interfaces in UnRAID, you can set these to their own VLAN in unraid, and then assign the bridge to Palo.
You can also edit the xml I believe to be a different type of interface, rather than inet. Otherwise, just put a managed L2 switch next to your unraid box, and trunk your interfaces to Unraid.

Link to post
21 hours ago, RifleJock said:

https://www.youtube.com/watch?v=LkW3niAWAHs
https://forums.unraid.net/topic/50882-guide-custom-vm-icons-automatically-downloaded-and-installed-to-unraid/

So, you have several physical interfaces in UnRAID, you can set these to their own VLAN in unraid, and then assign the bridge to Palo.
You can also edit the xml I believe to be a different type of interface, rather than inet. Otherwise, just put a managed L2 switch next to your unraid box, and trunk your interfaces to Unraid.

(Update) I understand the switch part although where I'm struggling is the Unraid. When I create VLANs on one of the physical interfaces to create a logical L2 interface the mac address setup in the "edit" portion is on the Palo management interface.  I have not added additional interface as I'm still figuring out how to get access to the management.

 

I have even attempted to create an access port and use a non-VLAN interface on the Unraid with no luck.

Edited by buddylee7
Link to post
  • 3 weeks later...
On 2/22/2021 at 4:38 PM, buddylee7 said:

(Update) I understand the switch part although where I'm struggling is the Unraid. When I create VLANs on one of the physical interfaces to create a logical L2 interface the mac address setup in the "edit" portion is on the Palo management interface.  I have not added additional interface as I'm still figuring out how to get access to the management.

 

I have even attempted to create an access port and use a non-VLAN interface on the Unraid with no luck.

So there is a big difference here... Your physical environment, and your virtual one. All things done within UnRAID are considered your virtual environment, and everything outside of that is considered your physicals.

You can either setup UnRAID to have a L2 interface, of which you pass through as a bridge to your virtualized Palo Alto. (There wouldn't be much of a point in running a L2 within Palo if this is the case.) This will allow your Palo to communicate only on that physical L2 interface of UnRAID when trying to communicate with anything else on that same L2 interface in your physical environment. Perhaps a real Palo Alto with the same VLAN tagging for redundancy or whatever.

Now lets say you have a virtual Check Point device and a virtual Palo both on your unraid, regardless of what physical interfaces are assigned in UnRAID, whatever bridge you passthrough to the virtual environments, you can create L2 interfaces within your CheckPoint and Palo Devices, and only devices on that same bridge (on UnRAID) in the same virtual L2 LAN will communicate. However, I believe any traffic destined to a network outside of UnRAID will get put onto UnRAID's physical configuration's interface when it is attempting to leave the UnRAID box itself. If your UnRAID is configured as a physical L3 with default tagging, then traffic will leave tagged as such. This type of configuration only separates the virtual traffic within the UnRAID box.

Depending on what your scenario is, you could do either or both. It all comes down to your physical and virtual topology.

 

LMK if you have any further questions, I can break this down further if needed.

 

-Jockie.

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.