Alto Firewall Simulator — Palo

Palo Alto Networks provides this tool through their Strata Cloud Manager (SCM) learning portal.

The simulator allows testing of advanced threat prevention:

The simulator is not a "dumbed-down" version of the firewall; it is the same PAN-OS software that runs on physical appliances (PA-Series), virtualized to run on standard compute infrastructure. palo alto firewall simulator

Firewalls are zone-based. Traffic can only flow between zones if a policy allows it.

Step 1: Create Zones

admin@PA-VM# set zone trust network layer3 ethernet1/2
admin@PA-VM# set zone untrust network layer3 ethernet1/1
admin@PA-VM# set zone dmz network layer3 ethernet1/3

Step 2: Virtual Router Configuration We must add the interfaces to the virtual router so the firewall knows how to route traffic.

admin@PA-VM# set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]

(Note: In a real setup, you would also configure a Default Route 0.0.0.0/0 pointing to the ISP Gateway on ethernet1/1). Palo Alto Networks provides this tool through their

This is a full firewall that runs in VMware, Hyper-V, KVM, or AWS/Azure. It’s not a simulator—it’s the real OS.

How to generate a helpful report:

Problem: You configured something (like a Zone Protection Profile) that requires a specific license you don't have in the simulator. Solution: In the simulator, go to Device > Setup > Content-ID and disable "Threat Prevention" and "URL Filtering" if they aren't licensed. Stick to basic Firewall functions until the license is active.

If you are serious about security engineering, you will want to run the VM-Series on your local machine or in the cloud. The simulator allows testing of advanced threat prevention: