Contact Information
Corporate Headquarters:
Palo Alto Networks
3300 Olcott Street
Santa Clara, CA 95054
http://www.paloaltonetworks.com/
Table of Contents
1. Lab Equipment Requirements
2. Lab Designs
201/205
221
311
3. Lab Licensing
FIREWALLS:
VIRTUAL ENVIRONMENTS
EDU-201/205/311
4 student firewalls (VM-100 or larger)
1 instructor firewall (PA-200 or larger; optional)
EDU-221
8 student firewalls (VM-100 or larger)
DESKTOPS:
VIRTUAL ENVIRONMENTS
EDU-201/205/221/311
4 student desktops (Windows XP or newer)
1 instructor desktop (Windows XP or newer)
2 browser clients (minimum)
Telnet/SSH clients for each desktop
Support for multiple network adapters
NETWORKING EQUIPMENT:
VIRTUAL ENVIRONMENTS
EDU-201
Virtual Switch: Support for 3 adapters
Switches: Sufficient ports for connecting to SANS, ESXi servers,
uplinks to the network edge, and remote access solutions.
Gateway Device: Acts as your edge device.
Remote Access Option: Hardware or RDP may be used.
SANS
EDU-205
Same as 201, plus:
Virtual Switches: Additional virtual adapter
EDU-221
Same as 201
EDU-311
Same as 201, plus:
Router/Firewall: A device needs to provide OSPF support
SERVERS:
VIRTUAL ENVIRONMENTS
EDU-201/205/221/311
1 Domain Controller (Windows 2000 or newer)
1 Physical Server for hosting ESXi
2 Lab Designs
EDU-201 (Virtual)
[Diagram 1: virtual lab. Labels: Remote Student, Internet, VPN, Student Desktop (x4), PA firewall (x4), Panorama, Active Directory Server, vSwitch (x3).]
For these environments, a gateway device will need to be in place to provide edge services for the
lab network environment. This device will not be directly accessible by the Instructors or their
students. This device should support 802.1Q VLAN tagging in order to ensure segregation of
network traffic.
The gateway device will provide connectivity for two distinct network subnets within the
environment: the Management Network (10.30.11.0/24) and the Untrust-L3 (172.16.x.0/24)
network. Cables will need to connect between the gateway device and a switch to support these
networks.
[Diagram. Labels: Internet, WAN IP, PA-2050, 10.30.11.x/24, 172.16.x.0/24, ESXi.]
The switch will need to connect an uplink to the gateway device, while also connecting the
Management adapter on the desktops, the Management Interface of the firewalls, and the Untrust-L3 interface of the firewalls.
The firewall itself will have three cables connected: one to the upstream switch (Untrust-L3), one
to the desktop (Trust-L3; 192.168.x.0/24), and another cable to the switch (Management Port).
The desktops will have a total of 2 network connections using different network adapters: one for
the management network (10.30.11.0/24) and the other for the Trust-L3 network
(192.168.x.0/24).
[Diagram 3. Labels: Internet, WAN IP, PA-2050, ESXi; PA firewall with MGT, Trust and Untrust interfaces; vSwitch Untrust 172.16.x.0/24; vSwitch Trust 192.168.X.0/24; vSwitch Management 10.30.11.X/24.]
PANW Firewall Untrust-L3 IP: 172.16.x.1
PANW Firewall Untrust-L3 Gateway IP: 172.16.x.254*
PANW Firewall MGT IP: 10.30.11.x*
PANW Firewall MGT Gateway IP: 10.30.11.254
Desktop MGT Adapter IP: 10.30.11.1x*
Desktop MGT Adapter Gateway IP: 10.30.11.254
* x = Student ID Number
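The addressing scheme above, expanded per student ID and checked for collisions, as an added example that is not part of the original guide. It reads 10.30.11.1x as the digit 1 followed by x, so student IDs are limited to 1-9 (an assumption); the function and key names are illustrative.

```python
import ipaddress

# Fixed values taken from the address list above.
MGT_NET = ipaddress.ip_network("10.30.11.0/24")
MGT_GW = ipaddress.ip_address("10.30.11.254")

def student_plan(x):
    """Return the lab addresses for student ID x (names are illustrative)."""
    # Assumption: "10.30.11.1x" means digit 1 followed by x, so x must be 1-9.
    if not 1 <= x <= 9:
        raise ValueError(f"student ID {x} outside 1-9")
    untrust = ipaddress.ip_network(f"172.16.{x}.0/24")
    trust = ipaddress.ip_network(f"192.168.{x}.0/24")
    return {
        "student": x,
        "untrust_net": untrust,
        "fw_untrust_ip": untrust[1],        # 172.16.x.1
        "fw_untrust_gw": untrust[254],      # 172.16.x.254
        "trust_net": trust,                 # Trust-L3, 192.168.x.0/24
        "fw_mgt_ip": MGT_NET[x],            # 10.30.11.x
        "desktop_mgt_ip": MGT_NET[10 + x],  # 10.30.11.1x
        "mgt_gw": MGT_GW,
    }

def check_plans(plans):
    """List address collisions that would break per-student segregation."""
    problems = []
    seen = {MGT_GW: "management gateway"}
    for p in plans:
        for role in ("fw_mgt_ip", "desktop_mgt_ip"):
            owner = f"student {p['student']} {role}"
            if p[role] in seen:
                problems.append(f"{p[role]}: {seen[p[role]]} and {owner}")
            seen[p[role]] = owner
    nets = [(f"student {p['student']} {k}", p[k])
            for p in plans for k in ("untrust_net", "trust_net")]
    nets.append(("management", MGT_NET))
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    return problems

if __name__ == "__main__":
    plans = [student_plan(x) for x in range(1, 5)]  # 4 student firewalls
    for p in plans:
        print(p["student"], p["fw_untrust_ip"], p["fw_mgt_ip"], p["desktop_mgt_ip"])
    print(check_plans(plans) or "no collisions")
```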
The following example is a diagram of what the lab would look like if configured for student 1
and student 2:
[Diagram 4. Labels: Internet, WAN IP, PA-2050, ESXi; MGT 10.30.11.1/24 and 10.30.11.2/24; Trust-L3 Dynamic; PA firewall with 1/1.201: 172.16.1.1/24, 1/2: 192.168.1.1/24, MGT: 10.30.11.X/24; PA firewall with 1/1.202: 172.16.2.1/24, 1/2: 192.168.2.1/24, MGT: 10.30.11.X/24; vSwitch Untrust 172.16.x.0/24; vSwitch Trust 192.168.X.0/24; vSwitch Management 10.30.11.X/24.]
EDU-205 (VIRTUAL)
The configuration is the same as for the 201 class, with one exception: an additional cable will
need to connect interface 1/6 of the student firewalls to the switch.
[Diagram 5. Labels: Internet, WAN IP, PA-2050, OSPF-Router, ESXi; PA firewall with interfaces 1/6, 1/2 (Trust), 1/1.201 (Untrust) and MGT; vSwitch Untrust 172.16.x.0/24; vSwitch Trust 192.168.X.0/24; vSwitch Management 10.30.11.X/24.]
[Diagram 6. Labels: Internet, WAN IP, PA-2050, OSPF-Router, ESXi; MGT 10.30.11.1/24 and 10.30.11.2/24; Trust-L3 Dynamic; PA firewall with 1/1.201: 172.16.1.1/24, 1/2: 192.168.1.1/24, 1/6: 10.199.1.1/24, MGT: 10.30.11.X/24; PA firewall with 1/1.202: 172.16.2.1/24, 1/2: 192.168.2.1/24, 1/6: 10.199.2.1/24, MGT: 10.30.11.X/24; vSwitch Untrust 172.16.x.0/24; vSwitch Trust 192.168.X.0/24; vSwitch Management 10.30.11.X/24.]
3 Lab Licensing
OVF templates and VM-100 Capacity Licenses for lab device installation are provided to AACs
by Palo Alto Networks. Feature licensing of the virtual devices is the responsibility of the
Academy. Standard License Bundles are offered at a 90% discount off the current suggested retail
price.
For purchases, Academies should contact their local Sales Representative for additional details.
To install the licenses, please open the Management Interface of the respective VM-100 and log
in as an Administrator, then navigate to Device > Licenses, and click on Activate feature using
auth code. To install Support licenses, navigate to Device > Support.
For additional information on setting up and licensing an individual VM-100, refer to the
Getting Started Guide located at support.paloaltonetworks.com (you will need a support
account for logging into the site, and then you will need to navigate to the Documentation section
via the options on the center pane of the site).