VMWare Fusion and Palto Alto VMs

Working with Palto Alto VMs is kind of annoying. Instead of it being ready to be deployed, you would have to do some extra work to get the interfaces working. What I mean by extra work, Palto Alto does not send or receive traffic by default. Probably because it is a trial version regardless it should not behave like that. We will get into that later on. Also, I think this only applies in VMWare Fusion. When you try to view your interfaces, it shows nothing.

In addition, some of the terminal short-cuts don’t work either such as ctrl+w

This post is about the resolution to the issues mentioned above.

The first time you boot the Palto Alto VM, you will be prompted with a username and password. The username is admin and the password is also admin

vm login: admin
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.

So far, so good at this point. Now, for some reason the CLI is kind of a mess. What I mean by that, when you do any show or any commands that would populate the screen, the cursor will jump back several lines up which overlaps with the previous output. I don’t know if yours is the same as mine, but the work around or let’s say a bandaid that I found is by fixing the CLI height and width. The settings that works for me is height = 50, and width = 100

admin@PA-VM> set cli terminal height 50
admin@PA-VM> set cli terminal width 100

Now, that we got the CLI output fix, let’s get to the issue. As I mentioned at the beginning of this post. The VM does have some issues with its interfaces. It does not have any interfaces as you can see below:

admin@PA-VM> show interface hardware 

total configured hardware interfaces: 0

name             id      speed/duplex/state         mac address 

aggregation groups: 0


Now, in regards to Fusion it seems like Palto Alto VM only works with vmnet3 in Fusion, so keep that in mind. By default, the VM only has one interface which is the management interface (OOB interface). This interface is used for managing the VM and not for passing users traffic. Therefore, we have to add some interfaces. For this post, I am going to add two interfaces. To add a new network adapter, you would need to shutdown the VM, and navigate to the VM’s Settings > Add Device Network Adapter then choose the “Network Adapter” and click Add. This will create another network adapter for the VM.

Figure 1

Figure 1

Figure 2

Figure 2

If you power-on your VM, you won’t be able to fully boot it up. The reason is you added some devices in our case the two Network Adapters – see Figure 3 for error. To resolve this, we would need to modify the VM’s vmx file.

Figure 3

Figure 3

You would need to use any terminal text editor. Basically, you need to open the .vmx file, which can be found within the .vmwarevm file, via any text editor application, and modify the line that states ethernet2.virtualDev = “e1000” these lines can be found somewhere near the very bottom. The e1000 needs to be changed to vmxnet3. It should look like this ethernet2.virtualDev = “vmxnet3”

Once this is done, you can assign a new vmnet interface for each VM Network Adapter you created – In this post, I assigned vmnet 6 to Network Adapter 2 and vmnet7 to Network Adapter 7. Power-on the VM again and it should boot up properly, and you should be able to login. Use the command show system state filter sys.s1.p*.hwaddr as shown in Figure 4. The VM will automatically map the Network Adapter 2 to ethernet1/1, Network Adapter 3 to ethernet1/2, Network Adapter 4 to ethernet1/3, etc… … … You get the idea. Network Adapter 1 is dedicated for the Management interface.

Figure 4

Figure 4

As you can see, we have two new MAC addresses that do not have BA:DB:AD OUI. These new MAC addresses should match what your vmnets’ MAC addresses. You can tell by looking at the name of the system state sys.s1.pX.hwaddr where X is a number. In this case, they are 1 and 2. The X represent the ethernet port number; therefore p1 maps to ethernet1/1, p2 maps to ethernet1/2, p3 maps to ethernet1/3, etc… … …

Use the show interface hardware command. This will show the MAC address of your interfaces. At this point, if you are using Fusion, the output is empty. You would need to manually add an interface by going to global config mode and use the command set network interface ethernet ethernet1/X (where X is the port number) then use the

admin@PA-VM# set network interface ethernet ethernet1/1

admin@PA-VM# set network interface ethernet ethernet1/2

admin@PA-VM# exit
Exiting configuration mode
admin@PA-VM> show interface hardware 

total configured hardware interfaces: 2

name                 id    speed/duplex/state          mac address 
ethernet1/1          16    10000/full/up               ba:db:ee:fb:ad:10 
ethernet1/2          17    10000/full/up               ba:db:ee:fb:ad:11 

aggregation groups: 0


If you compare the MAC addresses of sys.s1.pX.hwaddr and ethernet1/X, they don’t match, and the traffic will not pass. The resolution to this issue is:

  1. Copy the MAC address of the ethernet1/X
  2. Shutdown the VM
  3. Open the VM’s Settings > Network Adapter X
  4. Expand the Advanced options
  5. Replace the vmnetX MAC address with the ethernet1/X
  6. Save
  7. Power on the VM

Login to the VM again, and use the commands show system state filter sys.s1.p*.hwaddr and show interface hardware. At this point, the MAC addresses should match with their appropriate port numbers, and networking part should also work.



About networkshinobi

This blog is about the things I learned about computers and networking to help me to remember them as I push further my studies. I created this blog to help myself to continue my education; and if you find this blog helpful for your studies, that is great. That is one of the reasons why I made this blog, to share my interest and knowledge. Also, all the entries/posts I made are based on my views, opinion and for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks BTC: 14wVPFBWNAKmfNsgUrPpw8EytkXFLjxYoU ETH: 0x8528793dF77a57186f5B15dA6DC1eaA3c5e92c4a LTC : LMpW2rGYnYdUwvnHA4huB6TGcPEEc1JzXw
This entry was posted in Firewall, Sec, Security and tagged , , , , , . Bookmark the permalink.

7 Responses to VMWare Fusion and Palto Alto VMs

  1. JobiOne says:

    Thanks! I’ve been baning my head using PA-VM 7.1 with Workstation 12. This was the fix!

  2. Prav says:

    Thanks so much mate, you just made my day, was so annoyed by this silly issue, your instructions very clear and its all fixed now. thanks again

  3. hamware says:

    Hello Sir,
    I’m not sure how to thank you, I’ve been battling with it for a week. you’re the BEST. Thank you.

  4. hamware says:

    Forgot to mention, I’m using VMware workstation 12, with Pal Alto 7.1.0. Thanks a million times.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s