Palo Alto Firewall Simulator 【2025】
Firewalls are zone-based. Traffic can only flow between zones if a policy allows it.
Step 1: Create Zones
admin@PA-VM# set zone trust network layer3 ethernet1/2
admin@PA-VM# set zone untrust network layer3 ethernet1/1
admin@PA-VM# set zone dmz network layer3 ethernet1/3
Step 2: Virtual Router Configuration
We must add the interfaces to the virtual router so the firewall knows how to route traffic.
admin@PA-VM# set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
(Note: In a real setup, you would also configure a Default Route 0.0.0.0/0 pointing to the ISP Gateway on ethernet1/1.)
You run the real VM-Series inside EVE-NG Community (free) with 15-day trial licenses.
Helpful report example:
"Testing App-ID accuracy for 10 custom applications"
Unlike traditional firewalls that filter by port, the simulator can identify applications (App-ID) regardless of the port they use.
For engineers building complex multi-vendor networks (Cisco routers acting as PCs, Palo Alto as the firewall), EVE-NG is the ultimate simulator.
We define the "Rules" for traffic flow. We create a rule allowing employees to browse the web securely.
Step 1: Create Address Objects
Defining the network assets makes policies readable.
admin@PA-VM# set address "LAN-Subnet" ip-netmask 192.168.10.0/24
admin@PA-VM# set address "Web-Server-01" ip-netmask 172.16.0.5
Step 2: Create the Security Policy (Rulebase)
admin@PA-VM# set rulebase security rules "Allow-Web-Browsing"
from trust
to untrust
source "LAN-Subnet"
destination any
application [ web-browsing ssl ]
service application-default
action allow
profile-setting profiles
virus default
spyware default
vulnerability default
Step 3: Create a DMZ Policy
Allow internet users to access the Web Server on port 80/443. The service objects tcp-80 and tcp-443 referenced by this rule are not predefined on PAN-OS, so they must be created first or the commit fails:
admin@PA-VM# set service tcp-80 protocol tcp port 80
admin@PA-VM# set service tcp-443 protocol tcp port 443
admin@PA-VM# set rulebase security rules "Allow-Web-Traffic"
from untrust
to dmz
source any
destination "Web-Server-01"
application [ web-browsing ssl ]
service [ tcp-80 tcp-443 ]
action allow
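To see how the zone-based rulebase above actually decides a flow, here is an added Python model of first-match policy evaluation built from the page's zones, address objects and two rules. It is example code, not PAN-OS or the page's own configuration; the interface-to-zone mapping and the default intrazone-allow / interzone-deny behaviour are assumptions stated in the comments.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the page's configuration: address objects and interface zones.
ADDRESSES = {
    "LAN-Subnet": ipaddress.ip_network("192.168.10.0/24"),
    "Web-Server-01": ipaddress.ip_network("172.16.0.5/32"),
}
ZONE_OF_INTERFACE = {"ethernet1/1": "untrust", "ethernet1/2": "trust", "ethernet1/3": "dmz"}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: str        # address object name or "any"
    destination: str   # address object name or "any"
    applications: set  # App-ID names the rule permits
    action: str = "allow"


# The two rules from the page, in rulebase order (first match wins).
RULEBASE = [
    Rule("Allow-Web-Browsing", "trust", "untrust", "LAN-Subnet", "any", {"web-browsing", "ssl"}),
    Rule("Allow-Web-Traffic", "untrust", "dmz", "any", "Web-Server-01", {"web-browsing", "ssl"}),
]


def addr_matches(obj_name, ip):
    """True if the IP falls inside the named address object ("any" matches everything)."""
    return obj_name == "any" or ipaddress.ip_address(ip) in ADDRESSES[obj_name]


def evaluate(ingress_if, egress_if, src_ip, dst_ip, app):
    """Return (action, rule_name) for a flow, walking the rulebase top to bottom."""
    src_zone, dst_zone = ZONE_OF_INTERFACE[ingress_if], ZONE_OF_INTERFACE[egress_if]
    for rule in RULEBASE:
        if (rule.from_zone == src_zone and rule.to_zone == dst_zone
                and addr_matches(rule.source, src_ip)
                and addr_matches(rule.destination, dst_ip)
                and app in rule.applications):
            return rule.action, rule.name
    # Assumed PAN-OS defaults: traffic within a zone is allowed, between zones denied.
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"
```

Note that a trust-to-dmz flow is denied even though both zones have allow rules, because no rule covers that zone pair; the identified application must also match, so an unlisted App-ID on 443 hits the interzone default.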