How to add Palo Alto firewall to VIRL

Get a Palo Alto VM image in *.qcow2 format
If you have a Palo Alto support account – login to your Support Panel at and navigate to Software Updates section

Look for PAN-OS for VM-Series KVM Base Images section and download PA installation image.

If you don’t have Palo Alto support account, please don’t ask me about an image and look in the Internet.

How To:

1) Login to the VIRL User Workspace Management http://[VIRL IP]:19400/admin/ and select Node Resources – Subtypes from the menu.

2) Click the Import button on the top right-hand side and paste in the following config.

"dynamic-subtypes": [
"hw_vcpus": 2,
"plugin_desc": "Palo Alto Firewall 7.1.4",
"cli_serial": 1,
"plugin_name": "Palo_Alto_7_1_4",
"gui_visible": true,
"interface_range": 24,
"interface_pattern": "Ethernet1/{0}",
"hw_disk_bus": "virtio",
"baseline_flavor": "",
"hw_vm_extra": "",
"hw_ram": 4096,
"gui_icon": "firewall",
"interface_first": 1,
"config_file": "/bootstrap-networkconfig.xml",
"hw_vif_model": "virtio",
"interface_management": "mgt",
"baseline_image": "",
"plugin_base": "generic"

Click Import. You should see your new subtype in the list.

3) Click Node Resources – Images from the menu and then click Add. 

Select the Palo_Alto_7_1_4 subtype and enter 7.1.4 for Name/Version and Release (you can put any information here, it doesn’t matter as long as it meaningful for you).

Under Source select Local image file and click Browse and select your Palo Alto *.qcow image file that you downloaded (Step 1) and click Create. After a few minutes you should see a message saying the Image “Palo_Alto_7_1_4” was created.

4) Open VM Maestro and click File – Preferences – Node Subtypes and click the Fetch from Server button, then Apply and OK.

Agree to overwrite your local images with VIRL server images.

You should see Palo Alto firewall now in the list.

5) Open a new topology and set the topology management network to Shared flat network 

6) Drag the Palo Alto node from the Palette.

Click on the palo_alto-1 node/object and make sure you have a VM Image assigned as below, your number will be different.

In my case I don’t have image and flavor set once I put PA firewall into topology. Set the proper values using Browse button.

7) Start the Simulation and login to the device using the Console port or VNC.

Wait for “PA-VM login:” at the prompt. Login with username: admin password: admin

8) Configure management access.

Important: you have to match the IP address that you got assigned from VIRL during simulation boot up.


set deviceconfig system ip-address X.X.X.X netmask XXX.XXX.XXX.XXX default-gateway X.X.X.X dns-setting servers primary X.X.X.X

In my case it looks like this:

Check the management interface IP address

show interface management

Now you should be able to reach your PA firewall using HTTPS protocol.

Post your questions in comments.


  1. Samuel

    First, thank you very much for this quality write-up. It has been very helpful and I really appreciate it. While following this guide I ran into an issue with assigning an ip to the Palo MGMT interface. It seems the firewall MGMT interface keeps getting an IP via DHCP via VIRL which is different than the external address (shared flat network) that displays in Palo properties window (External address [x.x.x.x]). When I manually assign a static IP to the Palo mgmt interface and commit, DHCP assigns another IP to the interface at the 99% mark right before commit completes. I was wondering if you ran into this, and what was the solution if you found one. Thanks

      • Albert

        Hi Andrew,

        I am able to get this up and running but I am getting an error on the cisco VM saying “vcpu0 disabled perfctr wrmsr: 0xc1 data 0xFFFF” would you know how to rectify this?


  2. Albert

    Hi Andrew,

    I am able to get this up and running but I am getting an error on the cisco VM saying “vcpu0 disabled perfctr wrmsr: 0xc1 data 0xFFFF” would you know how to rectify this?


  3. David

    Great write up! I am experiencing the same as Samuel but its getting late so I will revisit it and let you know what the issues is. If you find it before I do please let me know 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *