VMware Fusion and Palo Alto VMs

Working with Palo Alto VMs is kind of annoying. Instead of being ready to deploy, the VM needs some extra work to get its interfaces working. What I mean by extra work is that the Palo Alto VM does not send or receive traffic by default. That is probably because it is a trial version, but regardless, it should not behave like that. We will get into that later on. Also, I think this only applies in VMware Fusion. When you try to view your interfaces, it shows nothing.

In addition, some of the terminal shortcuts, such as Ctrl+W, don’t work either.

This post is about the resolution to the issues mentioned above.

The first time you boot the Palo Alto VM, you will be prompted for a username and password. The username is admin and the password is also admin.

vm login: admin
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.

So far, so good. Now, for some reason the CLI is kind of a mess. What I mean by that is, when you run show or any other command that fills the screen, the cursor jumps back several lines up and overlaps the previous output. I don’t know if yours is the same as mine, but the workaround, or let’s say band-aid, that I found is fixing the CLI height and width. The settings that work for me are height = 50 and width = 100.

admin@PA-VM> set cli terminal height 50
admin@PA-VM> set cli terminal width 100

Now that we have the CLI output fixed, let’s get to the issue. As I mentioned at the beginning of this post, the VM has some issues with its interfaces. It does not have any interfaces, as you can see below:

admin@PA-VM> show interface hardware 

total configured hardware interfaces: 0

name             id      speed/duplex/state         mac address 

aggregation groups: 0


Now, in regards to Fusion, it seems like the Palo Alto VM only works with vmxnet3 in Fusion, so keep that in mind. By default, the VM has only one interface, the management (OOB) interface. This interface is used for managing the VM, not for passing user traffic, so we have to add some interfaces. For this post, I am going to add two. To add a new network adapter, shut down the VM, navigate to the VM’s Settings > Add Device, choose “Network Adapter” and click Add. This creates another network adapter for the VM.

Figure 1

Figure 2

If you power on your VM now, it won’t fully boot. The reason is that you added some devices, in our case the two Network Adapters (see Figure 3 for the error). To resolve this, we need to modify the VM’s .vmx file.

Figure 3

You can use any terminal text editor for this. Open the .vmx file, which can be found inside the .vmwarevm file, and modify the line that reads ethernet2.virtualDev = "e1000". These lines can be found somewhere near the very bottom. The e1000 needs to be changed to vmxnet3, so the line should look like this: ethernet2.virtualDev = "vmxnet3"
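The same edit can be scripted. This is an added example, not code from the original post: it switches every ethernetN.virtualDev line still set to e1000 over to vmxnet3 and keeps a .bak copy of the file. The sample .vmx lines and the function names are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# Constructed sample of the adapter lines in a .vmx file (values are made up).
SAMPLE_VMX = '''\
ethernet0.virtualDev = "vmxnet3"
ethernet0.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.present = "TRUE"
ethernet2.virtualDev = "e1000"
ethernet2.present = "TRUE"
'''

# Matches only whole lines of the form: ethernetN.virtualDev = "e1000"
E1000_RE = re.compile(r'^(ethernet(\d+)\.virtualDev\s*=\s*)"e1000"[ \t]*$', re.M)


def use_vmxnet3(vmx_text):
    """Return (new_text, adapter numbers changed) with each e1000 NIC set to vmxnet3."""
    changed = [int(number) for _, number in E1000_RE.findall(vmx_text)]
    return E1000_RE.sub(r'\1"vmxnet3"', vmx_text), changed


def patch_vmx(path):
    """Rewrite a .vmx file in place (VM shut down), saving a .bak copy first."""
    path = Path(path)
    new_text, changed = use_vmxnet3(path.read_text(encoding="utf-8"))
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    text, adapters = use_vmxnet3(SAMPLE_VMX)
    print("changed adapters:", adapters)
    print(text)
```

Call patch_vmx() with the path to the .vmx file inside the .vmwarevm bundle while the VM is shut down; it returns an empty list when nothing needed changing.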

Once this is done, you can assign a new vmnet interface to each VM Network Adapter you created. In this post, I assigned vmnet6 to Network Adapter 2 and vmnet7 to Network Adapter 7. Power on the VM again; it should boot up properly, and you should be able to log in. Use the command show system state filter sys.s1.p*.hwaddr as shown in Figure 4. The VM will automatically map Network Adapter 2 to ethernet1/1, Network Adapter 3 to ethernet1/2, Network Adapter 4 to ethernet1/3, etc. You get the idea. Network Adapter 1 is dedicated to the Management interface.

Figure 4

As you can see, we have two new MAC addresses that do not have the BA:DB:AD OUI. These new MAC addresses should match your vmnets’ MAC addresses. You can tell by looking at the name of the system state, sys.s1.pX.hwaddr, where X is a number. In this case, they are 1 and 2. The X represents the ethernet port number; therefore p1 maps to ethernet1/1, p2 maps to ethernet1/2, p3 maps to ethernet1/3, etc.

Use the show interface hardware command. This shows the MAC addresses of your interfaces. At this point, if you are using Fusion, the output is empty. You need to add the interfaces manually by going into global config mode and using the command set network interface ethernet ethernet1/X (where X is the port number) then use the

admin@PA-VM# set network interface ethernet ethernet1/1

admin@PA-VM# set network interface ethernet ethernet1/2

admin@PA-VM# exit
Exiting configuration mode
admin@PA-VM> show interface hardware 

total configured hardware interfaces: 2

name                 id    speed/duplex/state          mac address 
ethernet1/1          16    10000/full/up               ba:db:ee:fb:ad:10 
ethernet1/2          17    10000/full/up               ba:db:ee:fb:ad:11 

aggregation groups: 0


If you compare the MAC addresses of sys.s1.pX.hwaddr and ethernet1/X, they don’t match, and the traffic will not pass. The resolution to this issue is:

  1. Copy the MAC address of the ethernet1/X
  2. Shut down the VM
  3. Open the VM’s Settings > Network Adapter X
  4. Expand the Advanced options
  5. Replace the vmnetX MAC address with the ethernet1/X MAC address
  6. Save
  7. Power on the VM

Log in to the VM again, and use the commands show system state filter sys.s1.p*.hwaddr and show interface hardware. At this point, the MAC addresses should match for their corresponding port numbers, and the networking part should also work.
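The comparison between the two commands can be automated. This is an added example, not part of the original post: it parses pasted output of both commands and reports, per port, whether the MAC addresses match. The sys.s1.pX.hwaddr line format, all sample values, and treating a BA:DB:AD address as a port with no Network Adapter behind it are assumptions.

```python
import re

# Constructed sample in the assumed format of
# "show system state filter sys.s1.p*.hwaddr"; the MAC values are made up.
SYSTEM_STATE = """\
sys.s1.p1.hwaddr: 00:0c:29:aa:bb:01
sys.s1.p2.hwaddr: ba:db:ee:fb:ad:11
sys.s1.p3.hwaddr: ba:db:ad:ba:db:03
"""

# Constructed "show interface hardware" rows in the layout shown in the post.
INTERFACE_HARDWARE = """\
name                 id    speed/duplex/state          mac address
ethernet1/1          16    10000/full/up               ba:db:ee:fb:ad:10
ethernet1/2          17    10000/full/up               ba:db:ee:fb:ad:11
ethernet1/3          18    10000/full/up               ba:db:ee:fb:ad:12
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
STATE_RE = re.compile(r"sys\.s1\.p(\d+)\.hwaddr:\s*" + MAC, re.I)
IFACE_RE = re.compile(r"^ethernet1/(\d+)\s.*?" + MAC + r"[ \t]*$", re.I | re.M)


def parse(regex, text):
    """Return {port number: lowercase MAC} for every match in the CLI output."""
    return {int(port): mac.lower() for port, mac in regex.findall(text)}


def compare_macs(state_text, hardware_text):
    """Map each configured ethernet1/X to (status, interface MAC, adapter MAC)."""
    state = parse(STATE_RE, state_text)
    report = {}
    for port, if_mac in sorted(parse(IFACE_RE, hardware_text).items()):
        hw_mac = state.get(port)
        if hw_mac is None or hw_mac.startswith("ba:db:ad"):
            status = "no adapter"   # assumed: placeholder OUI, nothing attached
        elif hw_mac == if_mac:
            status = "match"
        else:
            status = "mismatch"     # set if_mac on the Fusion Network Adapter
        report[f"ethernet1/{port}"] = (status, if_mac, hw_mac)
    return report


if __name__ == "__main__":
    for name, (status, if_mac, hw_mac) in compare_macs(
            SYSTEM_STATE, INTERFACE_HARDWARE).items():
        print(f"{name}: {status} (interface {if_mac}, adapter {hw_mac})")
```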


About networkshinobi

My name is Karlo, and I work as a Network Engineer. A little about myself: I started as a PC gamer back when I was in high school. PC gaming became my addiction and pushed me to learn more about computers. I slowly got some certifications and landed an IT Tier 1 Helpdesk job. This job opened the door for me to push further on my certifications and go deeper into the IT world. My goal was to get my Cisco CCIE Routing and Switching, but my journey for CCIE has changed because I always ended up working on non-Cisco network appliances. Therefore, I had to pivot and decided to jump to the dark side and go with Juniper. Hopefully, I will get my JNCIE in the near future. All the entries/posts I made are based on my views and opinions and are for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks

8 Responses to VMware Fusion and Palo Alto VMs

  1. JobiOne says:

    Thanks! I’ve been banging my head using PA-VM 7.1 with Workstation 12. This was the fix!

  2. Prav says:

    Thanks so much mate, you just made my day. I was so annoyed by this silly issue; your instructions are very clear and it’s all fixed now. Thanks again

  3. hamware says:

    Hello Sir,
    I’m not sure how to thank you, I’ve been battling with it for a week. You’re the BEST. Thank you.

  4. hamware says:

    Forgot to mention, I’m using VMware Workstation 12, with Palo Alto 7.1.0. Thanks a million times.

  5. Fig Lee says:

    don’t forget to “commit” along the way
