
Palo Alto Networks

AAC Lab Creation Guidelines


v1.0

Contact Information
Corporate Headquarters:
Palo Alto Networks
3300 Olcott Street
Santa Clara, CA 95054

http://www.paloaltonetworks.com/

About this Guide


This guide gives recommendations for creating a lab environment to support Palo Alto Networks classes.

To provide feedback, please contact: education@paloaltonetworks.com.

Palo Alto Networks, Inc.


www.paloaltonetworks.com
© 2013 Palo Alto Networks. All rights reserved.
Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo
Alto Networks, Inc. All other trademarks are the property of their
respective owners.

Table of Contents
1. Lab Equipment Requirements
2. Lab Designs
   201/205
   221
   311
3. Lab Licensing

1 Lab Equipment Requirements


Effective delivery of the Palo Alto Networks courses requires the support of a lab environment for student use. Currently, there are four courses that require a lab environment: EDU-201, EDU-205, EDU-221, and EDU-311.

The following requirements assume a minimum class size of 8 students, with up to 2 students sharing a single lab environment. It is strongly recommended that each lab environment be planned to accommodate each student with a dedicated desktop and firewall.

All Palo Alto Networks training lab hardware and software must be purchased through an authorized NextWave channel partner. ATC Partners are welcome to leverage NFR pricing and promotions offered through the Palo Alto Networks regional channel marketing team. Technical support and subscription services must also be purchased for every device and kept current annually.

REQUIREMENTS

FIREWALLS (VIRTUAL ENVIRONMENTS):
  EDU-201/205/311
    4 student firewalls (VM-100 or larger)
    1 instructor firewall (PA-200 or larger; optional)
  EDU-221
    8 student firewalls (VM-100 or larger)

DESKTOPS (VIRTUAL ENVIRONMENTS):
  EDU-201/205/221/311
    4 student desktops (Windows XP or newer)
    1 instructor desktop (Windows XP or newer)
    2 browser clients (minimum)
    Telnet/SSH clients for each desktop
    Support for multiple network adapters

NETWORKING EQUIPMENT (VIRTUAL ENVIRONMENTS):
  EDU-201
    Virtual Switch: Support for 3 adapters
    Switches: Sufficient ports for connecting to SANS, ESXi servers, uplinks to the network edge, and remote access solutions.
    Gateway Device: Acts as your edge device.
    Remote Access Option: Hardware or RDP may be used.
    SANS
  EDU-205
    Same as 201, plus:
    Virtual Switches: Additional virtual adapter
  EDU-221
    Same as 201
  EDU-311
    Same as 201, plus:
    Router/Firewall: A device needs to provide OSPF support

SERVERS (VIRTUAL ENVIRONMENTS):
  EDU-201/205/221/311
    1 Domain Controller (Windows 2000 or newer)
    1 Physical Server for hosting ESXi

2 Lab Designs
EDU-201 (Virtual)

[Diagram 1: Virtual Lab. Labels: Remote Student, Local Student Laptop, Internet, VPN, Student Desktops, PA firewalls, Panorama, Active Directory Server, vSwitches.]

For these environments, a gateway device will need to be in place to provide edge services for the
lab network environment. This device will not be directly accessible by the Instructors or their
students. This device should support 802.1Q VLAN tagging in order to ensure segregation of
network traffic.

The gateway device will provide connectivity for two distinct network subnets within the
environment: the Management Network (10.30.11.0/24) and the Untrust-L3 (172.16.x.0/24)
network. Cables will need to connect between the gateway device and a switch to support these
networks.

[Diagram 2. Labels: Internet, WAN IP, PA-2050, 10.30.11.x/24, 172.16.x.0/24, ESXi.]

WAN IP: As per your network
Gateway Device Management LAN IP: 10.30.11.254
Gateway Device Student LAN IPs: 172.16.x.254*
* x = Student ID Number

The switch will need to connect an uplink to the gateway device, while also connecting the Management adapter on the desktops, the Management Interface of the firewalls, and the Untrust-L3 interface of the firewalls.

The firewall itself will have three cables connected: one to the upstream switch (Untrust-L3), one to the desktop (Trust-L3; 192.168.x.0/24), and another cable to the switch (Management Port).

The desktops will have a total of 2 network connections using different network adapters: one for the management network (10.30.11.0/24) and the other for the Trust-L3 network (192.168.x.0/24).

[Diagram 3. Labels: Internet, WAN IP, PA-2050, PA firewall (MGT, Trust, UnTrust), vSwitch Untrust 172.16.x.0/24, vSwitch Trust 192.168.X.0/24, vSwitch Management 10.30.11.X/24, ESXi.]

PANW Firewall Untrust-L3 IP: 172.16.x.1
PANW Firewall Untrust-L3 Gateway IP: 172.16.x.254*
PANW Firewall MGT IP: 10.30.11.x*
PANW Firewall MGT Gateway IP: 10.30.11.254
Desktop MGT Adapter IP: 10.30.11.1x*
Desktop MGT Adapter Gateway IP: 10.30.11.254
* x = Student ID Number


The following example is a diagram of what the lab would look like if configured for students 1 and 2:

[Diagram 4. Labels: Internet, WAN IP, PA-2050, ESXi, vSwitch Untrust 172.16.x.0/24, vSwitch Trust 192.168.X.0/24, vSwitch Management 10.30.11.X/24, Trust-L3 Dynamic.
Management labels: MGT: 10.30.11.X/24 (on each firewall), 10.30.11.1/24, 10.30.11.2/24.
First PA firewall: 1/1.201: 172.16.1.1/24 (UnTrust), 1/2: 192.168.1.1/24 (Trust).
Second PA firewall: 1/1.202: 172.16.2.1/24 (UnTrust), 1/2: 192.168.2.1/24 (Trust).]
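
The addressing scheme above, worked through for a whole class as an added example (not part of the original guide): it derives each student's addresses from the student ID and checks that no two pods share a management address, subnet, or VLAN. The function names are hypothetical, and two readings of the guide are assumptions: that "10.30.11.1x" means the digit 1 followed by the ID, and that the 802.1Q tag is 200 + x, as suggested by the sub-interfaces 1/1.201 and 1/1.202 in Diagram 4.

```python
import ipaddress
from collections import Counter

MGMT_NET = ipaddress.ip_network("10.30.11.0/24")   # Management Network
MGMT_GW = MGMT_NET[254]                            # gateway device, 10.30.11.254

def student_plan(x):
    """Addresses for student ID x under the guide's 'x = Student ID Number' scheme."""
    if not 1 <= x <= 99:
        raise ValueError("student ID must be 1..99 for '1x' to fit in one octet")
    untrust = ipaddress.ip_network(f"172.16.{x}.0/24")
    trust = ipaddress.ip_network(f"192.168.{x}.0/24")
    return {
        "untrust_net": untrust,
        "fw_untrust_ip": untrust[1],        # 172.16.x.1
        "untrust_gw": untrust[254],         # 172.16.x.254
        "trust_net": trust,
        "fw_trust_ip": trust[1],            # 192.168.x.1, as drawn in Diagram 4
        "fw_mgt_ip": MGMT_NET[x],           # 10.30.11.x
        # Assumption: "10.30.11.1x" is the digit 1 followed by the student ID.
        "desktop_mgt_ip": MGMT_NET[int(f"1{x}")],
        # Assumption: 802.1Q tag 200 + x, read off sub-interfaces 1/1.201 and 1/1.202.
        "untrust_vlan": 200 + x,
    }

def check_plan(student_ids):
    """Return the problems that would break per-student segregation (empty = clean)."""
    plans = [student_plan(x) for x in student_ids]
    problems = []
    mgmt = Counter([MGMT_GW] + [p[k] for p in plans
                                for k in ("fw_mgt_ip", "desktop_mgt_ip")])
    problems += [f"management address {ip} assigned more than once"
                 for ip, n in sorted(mgmt.items()) if n > 1]
    nets = [MGMT_NET] + [p[k] for p in plans for k in ("untrust_net", "trust_net")]
    for i, a in enumerate(nets):
        problems += [f"subnets {a} and {b} overlap" for b in nets[i + 1:] if a.overlaps(b)]
    vlans = Counter(p["untrust_vlan"] for p in plans)
    problems += [f"VLAN {v} reused" for v, n in sorted(vlans.items()) if n > 1]
    return problems

if __name__ == "__main__":
    print(check_plan(range(1, 9)))    # the 8 student firewalls of an EDU-221 class
    print(check_plan([1, 11]))        # student 11's firewall lands on student 1's desktop
```

Under these assumptions the plan is clean for student IDs 1 through 8, but a firewall with ID 11 or higher takes a management address already used by a lower-numbered student's desktop.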

EDU-205 (VIRTUAL)
The configuration is the same as for the 201 class, with one exception: an additional cable will
need to connect interface 1/6 of the student firewalls to the switch.

[Diagram 5. Labels: Internet, WAN IP, PA-2050, OSPF-Router, PA firewall (MGT, Trust 1/2, UnTrust 1/1.201, 1/6), Management, vSwitch Untrust 172.16.x.0/24, vSwitch Trust 192.168.X.0/24, vSwitch Management 10.30.11.X/24, ESXi.]

The completed configuration of the student 1 and 2 firewalls:

[Diagram 6. Labels: Internet, WAN IP, PA-2050, OSPF-Router, ESXi, vSwitch Untrust 172.16.x.0/24, vSwitch Trust 192.168.X.0/24, vSwitch Management 10.30.11.X/24, Trust-L3 Dynamic.
Management labels: MGT: 10.30.11.X/24 (on each firewall), 10.30.11.1/24, 10.30.11.2/24.
First PA firewall: 1/1.201: 172.16.1.1/24 (UnTrust), 1/2: 192.168.1.1/24 (Trust), 1/6: 10.199.1.1/24.
Second PA firewall: 1/1.202: 172.16.2.1/24 (UnTrust), 1/2: 192.168.2.1/24 (Trust), 1/6: 10.199.2.1/24.]

3 Lab Licensing
OVF templates and VM-100 Capacity Licenses for lab device installation are provided to AACs by Palo Alto Networks. Feature licensing of the virtual devices is the responsibility of the Academy. Standard License Bundles are offered at a 90% discount off the current suggested retail price.

For purchases, Academies should contact their local Sales Representative for additional details.

To install the licenses, open the Management Interface of the respective VM-100 and log in as an Administrator, then navigate to Device > Licenses and click "Activate feature using auth code". To install Support licenses, navigate to Device > Support.

For additional information on setting up and licensing an individual VM-100, refer to the Getting Started Guide located at support.paloaltonetworks.com (you will need a support account to log in to the site, and then you will need to navigate to the Documentation section via the options on the center pane of the site).
