Palo Alto Networks AAC Lab Creation Guidelines v1.0
Contact Information
Corporate Headquarters: Palo Alto Networks, 3300 Olcott Street, Santa Clara, CA 95054, http://www.paloaltonetworks.com/

About this Guide
This guide gives recommendations for creating a lab environment to support Palo Alto Networks classes. To provide feedback, please contact education@paloaltonetworks.com.

Palo Alto Networks, Inc., www.paloaltonetworks.com. © 2013 Palo Alto Networks. All rights reserved. Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
Table of Contents
1. Lab Equipment Requirements
2. Lab Designs
   201/205
   221
   311
3. Lab Licensing
1 Lab Equipment Requirements

Effective delivery of the Palo Alto Networks courses requires a lab environment for student use. Currently, four courses require a lab environment: EDU-201, EDU-205, EDU-221, and EDU-311. The following requirements assume a minimum class size of 8 students, with up to 2 students sharing a single lab environment. It is strongly recommended that each lab environment be planned so that every student has a dedicated desktop and firewall.

All Palo Alto Networks training lab hardware and software must be purchased through an authorized NextWave channel partner. ATC Partners are welcome to use the NFR pricing and promotions offered through the Palo Alto Networks regional channel marketing team. Technical support and subscription services must also be purchased for every device and kept current annually.

FIREWALLS (virtual environments):
  EDU-201/205/311: 4 student firewalls (VM-100 or larger); 1 instructor firewall (PA-200 or larger; optional)
  EDU-221: 8 student firewalls (VM-100 or larger)

DESKTOPS (virtual environments):
  EDU-201/205/221/311: 4 student desktops (Windows XP or newer); 1 instructor desktop (Windows XP or newer); 2 browser clients (minimum); Telnet/SSH clients for each desktop; support for multiple network adapters
NETWORKING EQUIPMENT (virtual environments):
  EDU-201: Virtual switch with support for 3 adapters; switches with sufficient ports for connecting to SANs, ESXi servers, uplinks to the network edge, and remote access solutions; a gateway device that acts as your edge device; a remote access option (hardware or RDP may be used); SANs
  EDU-205: Same as 201, plus an additional virtual adapter on the virtual switches
  EDU-221: Same as 201
  EDU-311: Same as 201, plus a router/firewall that provides OSPF support

SERVERS (virtual environments):
  EDU-201/205/221/311: 1 domain controller (Windows 2000 or newer); 1 physical server for hosting ESXi
2 Lab Designs

EDU-201 (Virtual)

[Diagram 1: Virtual lab overview. Four student desktops, each paired with a PA firewall, plus Panorama and an Active Directory server; remote students connect over VPN, local students from their laptops.]

For these environments, a gateway device must be in place to provide edge services for the lab network. This device will not be directly accessible by the instructors or their students. It should support 802.1Q VLAN tagging so that each student's network traffic stays segregated.
The gateway device provides connectivity for two distinct subnets within the environment: the Management network (10.30.11.0/24) and the Untrust-L3 network (172.16.x.0/24). Cables will need to connect the gateway device to a switch to support these networks.

[Diagram 2: Gateway device (a PA-2050 in the diagram) with a WAN uplink, the management LAN (10.30.11.x/24) and the student Untrust-L3 LAN (172.16.x.0/24), with the ESXi host behind it.]
  Gateway Device WAN IP: as per your network
  Gateway Device Management LAN IP: 10.30.11.254
  Gateway Device Student LAN IPs: 172.16.x.254* (one per student)
  * x = Student ID Number
The switch needs an uplink to the gateway device, plus connections to the management adapter of each desktop, the management interface of each firewall, and the Untrust-L3 interface of each firewall. Each firewall has three cables: one to the upstream switch (Untrust-L3), one to its student desktop (the student-side L3 network, 192.168.x.0/24), and one from the management port to the switch. Each desktop has two network connections on separate network adapters: one on the management network (10.30.11.0/24) and one on the student-side L3 network (192.168.x.0/24).

[Diagram 3: Gateway device (PA-2050) with a WAN uplink, the management LAN (10.30.11.x/24) and the Untrust LAN (172.16.x.0/24) to the switch; a student firewall with MGT, Untrust-L3 (172.16.x.0/24) and student-side L3 (192.168.x.0/24) interfaces, the last cabled to the student desktop on the ESXi host.]
  PANW Firewall Untrust-L3 IP: 172.16.x.1*
  PANW Firewall Untrust-L3 Gateway IP: 172.16.x.254*
  PANW Firewall MGT IP: 10.30.11.x*
  PANW Firewall MGT Gateway IP: 10.30.11.254
  Desktop MGT Adapter IP: 10.30.11.1x*
  Desktop MGT Adapter Gateway IP: 10.30.11.254
  * x = Student ID Number
The following example shows how the lab looks when configured for students 1 and 2:

[Diagram 4: Gateway device (PA-2050) on 10.30.11.x/24 and 172.16.x.0/24; two student firewalls on the ESXi host, each with a MGT interface on 10.30.11.x/24, interface 1/2 on the student-side L3 network (desktop adapter addressed dynamically) and a tagged Untrust-L3 subinterface on interface 1/1.]
  Student 1 firewall: MGT 10.30.11.1/24; 1/2 192.168.1.1/24; 1/1.201 172.16.1.1/24
  Student 2 firewall: MGT 10.30.11.2/24; 1/2 192.168.2.1/24; 1/1.202 172.16.2.1/24
EDU-205 (Virtual)

The configuration is the same as for the 201 class, with one exception: an additional cable connects interface 1/6 of each student firewall to the switch.

[Diagram 5: As Diagram 3, with an OSPF router attached to the gateway device and the student firewall's interface 1/6 cabled to the switch alongside MGT, 1/2 and 1/1.201.]
The completed configuration of the student 1 and 2 firewalls:

[Diagram 6: As Diagram 4, with interface 1/6 added on each student firewall and an OSPF router attached to the gateway device.]
  Student 1 firewall: MGT 10.30.11.1/24; 1/2 192.168.1.1/24; 1/1.201 172.16.1.1/24; 1/6 10.199.1.1/24
  Student 2 firewall: MGT 10.30.11.2/24; 1/2 192.168.2.1/24; 1/1.202 172.16.2.1/24; 1/6 10.199.2.1/24
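The per-student addressing in Diagrams 3 through 6 (x = Student ID) is regular enough to generate and sanity-check rather than type by hand for every firewall. The Python below is an added example, not code from this guide or from Palo Alto Networks: it applies the scheme to a student ID, renders it as PAN-OS CLI set commands for that student's firewall (EDU-201, or EDU-205 with interface 1/6), and, going beyond the two-student diagrams, checks a whole class for duplicate addresses, overlapping subnets and reused VLAN tags. Assumed, because the guide does not state them: the 802.1Q tag equals the subinterface number (201, 202, ...), the student-side zone is named Trust-L3 (the guide names only Untrust-L3), the zone for interface 1/6 is named Lab-L3, and the virtual router is the default one. Check the set syntax against the PAN-OS release you run before pasting.

```python
"""Per-student addressing for the EDU-201/205 virtual lab (x = Student ID), rendered
as PAN-OS 'set' commands. Added example, not from the guide; zone names Trust-L3 and
Lab-L3 and the virtual router name "default" are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MGT_NET = ipaddress.ip_network("10.30.11.0/24")
MGT_GW = "10.30.11.254"  # gateway device management LAN IP (from the guide)


@dataclass(frozen=True)
class StudentPlan:
    student_id: int
    fw_mgt_ip: str        # 10.30.11.x
    desktop_mgt_ip: str   # 10.30.11.1x
    vlan_tag: int         # assumed: 802.1Q tag equals the subinterface number 20x
    untrust_if: str       # ethernet1/1.20x on the shared switch uplink
    untrust_ip: str       # 172.16.x.1/24
    untrust_gw: str       # 172.16.x.254, the gateway device's student LAN IP
    trust_ip: str         # 192.168.x.1/24 on ethernet1/2, cabled to the desktop
    edu205_ip: Optional[str]  # 10.199.x.1/24 on ethernet1/6 (EDU-205 only)


def plan_for(student_id: int, edu205: bool = False) -> StudentPlan:
    """Apply the guide's x-based scheme to one student ID."""
    # "10.30.11.1x" is the digit 1 followed by x, so only single-digit IDs are
    # unambiguous; the 8 student firewalls of EDU-221 fit within that.
    if not 1 <= student_id <= 9:
        raise ValueError("student ID must be in 1..9")
    x = student_id
    return StudentPlan(x, f"10.30.11.{x}", f"10.30.11.1{x}", 200 + x,
                       f"ethernet1/1.{200 + x}", f"172.16.{x}.1/24", f"172.16.{x}.254",
                       f"192.168.{x}.1/24", f"10.199.{x}.1/24" if edu205 else None)


def panos_set_commands(p: StudentPlan) -> List[str]:
    """Commands for one student firewall (paste in configure mode, then commit)."""
    vr_ifaces = [p.untrust_if, "ethernet1/2"]
    cmds = [
        f"set deviceconfig system ip-address {p.fw_mgt_ip} netmask 255.255.255.0 "
        f"default-gateway {MGT_GW}",
        f"set network interface ethernet ethernet1/1 layer3 units {p.untrust_if} tag {p.vlan_tag}",
        f"set network interface ethernet ethernet1/1 layer3 units {p.untrust_if} ip {p.untrust_ip}",
        f"set network interface ethernet ethernet1/2 layer3 ip {p.trust_ip}",
        f"set zone Untrust-L3 network layer3 {p.untrust_if}",
        "set zone Trust-L3 network layer3 ethernet1/2",  # zone name assumed
    ]
    if p.edu205_ip:
        vr_ifaces.append("ethernet1/6")
        cmds += [f"set network interface ethernet ethernet1/6 layer3 ip {p.edu205_ip}",
                 "set zone Lab-L3 network layer3 ethernet1/6"]  # zone name assumed
    cmds += [
        f"set network virtual-router default interface [ {' '.join(vr_ifaces)} ]",
        "set network virtual-router default routing-table ip static-route default "
        f"destination 0.0.0.0/0 nexthop ip-address {p.untrust_gw} interface {p.untrust_if}",
    ]
    return cmds


def check_plans(plans: List[StudentPlan]) -> List[str]:
    """Cross-student checks for a whole class; an empty list means no conflicts."""
    problems: List[str] = []
    seen_ips, seen_nets, seen_tags = {}, {}, {}
    for p in plans:
        who = f"student {p.student_id}"
        for desc, ip in ((f"{who} firewall MGT", p.fw_mgt_ip),
                         (f"{who} desktop MGT", p.desktop_mgt_ip)):
            addr = ipaddress.ip_address(ip)
            if addr in seen_ips:
                problems.append(f"{desc} {ip} collides with {seen_ips[addr]}")
            seen_ips[addr] = desc
        nets = [(f"{who} Untrust-L3", p.untrust_ip), (f"{who} Trust-L3", p.trust_ip)]
        if p.edu205_ip:
            nets.append((f"{who} ethernet1/6", p.edu205_ip))
        for desc, cidr in nets:
            net = ipaddress.ip_interface(cidr).network
            if net.overlaps(MGT_NET):
                problems.append(f"{desc} {net} overlaps the management network")
            for other, other_desc in seen_nets.items():
                if net.overlaps(other):
                    problems.append(f"{desc} {net} overlaps {other_desc} {other}")
            seen_nets[net] = desc
        if p.vlan_tag in seen_tags:
            problems.append(f"{who} reuses VLAN tag {p.vlan_tag} of {seen_tags[p.vlan_tag]}")
        seen_tags[p.vlan_tag] = who
        # the default-route next hop must sit inside the student's own Untrust subnet
        if ipaddress.ip_address(p.untrust_gw) not in ipaddress.ip_interface(p.untrust_ip).network:
            problems.append(f"{who} gateway {p.untrust_gw} is not in {p.untrust_ip}")
    return problems


if __name__ == "__main__":
    class_plans = [plan_for(i, edu205=True) for i in (1, 2)]
    for plan in class_plans:
        print(f"# student {plan.student_id}\n" + "\n".join(panos_set_commands(plan)))
    print("problems:", check_plans(class_plans) or "none")
```

Run as-is it prints the set commands for the student 1 and 2 firewalls of Diagram 6 and reports no conflicts. The gateway device side (a tagged subinterface per student VLAN at 172.16.x.254, and 10.30.11.254 on the management LAN) is not generated here; it belongs to whatever edge device you deploy.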
3 Lab Licensing

OVF templates and VM-100 capacity licenses for lab device installation are provided to AACs by Palo Alto Networks. Feature licensing of the virtual devices is the responsibility of the Academy. Standard license bundles are offered at a 90% discount from the current suggested retail price; for purchases, Academies should contact their local Sales Representative for additional details.

To install the licenses, open the management interface of the respective VM-100, log in as an administrator, navigate to Device > Licenses, and click "Activate feature using auth code". To install support licenses, navigate to Device > Support. For additional information on setting up and licensing an individual VM-100, refer to the Getting Started Guide at support.paloaltonetworks.com (a support account is required to log in to the site; the Documentation section is reached from the options in the center pane).