New Virtual Lab - Updated Operating Systems and More!

Date:  June 4, 2024
By:  Charles Buege, charles.buege@fuelusergroup.org

After several years with only minimal updates, Fuel has finally had the bandwidth to dedicate to upgrading the virtual test lab in a number of ways.

The first way the lab received upgrades is that all the virtual machines have been replaced with the latest versions of their respective operating systems.

  • The Windows 2008 R2 Server that was running for many years has been replaced with a Windows 2022 Server.  There was a more pressing reason beyond just the OS being several years past EOL that it needed an upgrade.  The instance of Chrome that was running in the operating system was constantly complaining that the operating system that it was running under, Windows 7, didn’t support upgrades anymore and would lose functionality moving forward.  Disregarding the fact that Chrome wasn’t giving us the correct operating system version, it did tell us that we needed to get this virtual machine upgraded.

  • While the Ubuntu desktop, running version 20.04, wasn’t too far out of date, the fact that there is now available 22.04 LTS, we figured that upgrading it to the latest LTS version would be easiest for the upkeep of the VM for the next year or two at the very least.  While “Jammy Jellyfish” (the codename of Ubuntu 22.04 LTS) is guaranteed until April 2027, we’re sure that at some point in the future the operating system will be upgraded and/or replaced prior to that date.  But, in the meantime, as the lab is continuously updated, we won’t have to worry about issues with this fine LTS operating system.

  • Due to the decision of IBM and Red Hat to stop offering CentOS as an open source operating system anymore, we wanted to get the Apache demo server onto an OS that we know would keep getting maintained for the foreseeable future.  Enter Rocky Linux – the new open source Enterprise Linux (EL) based operating system that is the replacement for many for CentOS.  Utilizing Rocky Linux, we’ve been able to go ahead and recreate the very basic Apache instance that was present previously with an updated operating system that would allow the users of the lab to know that they would have an OS that wouldn’t be pulled out from under them.

  • While the virtual machine itself for the Palo Alto Networks Next Gen Firewall (NGFW) wasn’t upgraded in the same manner as these other three virtual machines were, the PAN-OS version of the NGFW has been upgraded to the latest release of 11.1 at the time of the writing of this article.  In the coming weeks and months, as new minor and major updates for the PAN-OS come out, the NGFW will be upgraded accordingly to keep up with the top of the line security enhancements and updates as they are released.  The lab is only as good as its least updated component, so Fuel will do its best to keep everything up to date for its members.

Beyond the replacement/upgrade to each of the operating systems of the virtual machines, each of the VMs have had software packages put into place to enable the members to be able to work with each VM in the most optimum manner possible.

Windows 2022 Server

Several changes were made to this server.  First, the latest version of Chrome was installed alongside Microsoft Edge, that came with the operating system.  Most users tend to prefer to use Chrome and many companies have it as a corporate standard, so we wanted to have that in place for the users right from the start so they could have immediate access to it without needing to install it themselves.  With regards to Chrome, we also further configured it to auto-start with the virtual machine – not just from the start of the snapshot/lab, but immediately upon logging into Windows after a reboot of the operating system.  Chrome was further configured to auto-start with two tabs.  One tab goes directly to the management interface of the NGFW for easy access while working in Windows (copying/pasting information, performing searches, etc.) and the other tab attempts to connect directly to the Fuel website.  Now, with the initial start-up of the lab, the users need to enable the external interface so they can get out to the internet, but this tab helps make your testing easier.  Once the external interface is enabled, the user can simply go to this tab and refresh the page.  Presuming you enabled the interface correctly, you’ll see the Fuel website come right up.  If you didn’t configure the interface correctly, or if there is any kind of an arp problem, you’ll also know right away too.

Also on the Windows 2022 Server, we’ve gone ahead and put a copy of putty right into the path on the server.  This will give you the ability to directly connect to any of the other three VMs from the Windows server to allow for any advanced work you want to do from a single machine.  All three systems – Ubuntu, Rocky Linux, and the NGFW – all have putty enabled on them.  Presuming you’ve configured your security policies correctly, putty will allow you SSH access into each system.

Ubuntu 22.04 LTS Desktop

To keep systems consistent across both environments, we went ahead and installed Chrome under the Ubuntu operating system as well.  While Ubuntu doesn’t have direct access to the management interface of the NGFW, having Chrome there will give the users the same experience as most companies have standardized on, as mentioned earlier.

Other than that, not much else has changed with regards to additional components installed under Ubuntu.  Security and other standard updates were installed, but after installing Chrome and disabling the screensaver, no other changes were made to the system.

Rocky Linux 8

As previously mentioned, the decision to replace the CentOS 7 server running Apache with Rocky Linux 8 was due to the IBM/Red Hat decision to stop offering CentOS as an open source virtual machine option and incorporate the OS into their development process.  Since that decision was made, once Rocky Linux became available generally, its stability was shown by the number of adoptees of it, and by the amount of support it has garnered in its very short life, moving over to this EL-type distribution of Linux was easy.

Offering both an EL-style and a Debian-style distribution to the user base was another important factor to the virtual lab team.  Having encountered numerous little differences between each distro over the years got the team to thinking that, in the event that one distro vs the other was handled differently by a PAN-OS firewall, we wanted the users to have the ability to work with both distro styles just in case.

With this said, we wanted to further extend what a Linux server OS could offer to the users.  Apache, while installed and configured for use, we also wanted to make more items available right off the bat.  Hence why MariaDB (MySQL) was installed as well.  While the MariaDB server is installed on the system, no configuration was done to the database so that each user would be able to set their own password, change the port that it is running on if desired, and make any other modifications to the system that they could.

PAN-OS 11.1+

Last, but certainly not least, is the upgrade to the PAN-OS.  The PAN-OS being upgraded to the latest version of 11.1 is two-fold.  First, it gives the members the ability to use the latest version of PAN-OS Cosmos, allowing them to work with the latest availability functionality that is being offered.  Any new features, any new capabilities, all of these are available for the testing.  Secondly, we are always doing our best to make sure that the lab is as secure as possible.  This latest upgrade to the OS takes into account CVE-2024-3400 with its priority 10 issues.  Granted, this vulnerability doesn’t really apply to the lab because none of the interfaces are exposed externally to be breached from the outside world, but we’d always rather be safe than sorry.

Conclusion

With all this new functionality available to the members, we also concede that this may still not be enough for what some people want to do in the lab.  The lab is intended to be used by you, so if there is functionality that is not available that you’d like to see added, please let us know.  Feel free to fill out this form or email the Fuel team at fuel@fuelusergroup.org.  We are always looking for ideas, suggestions, and ways to make things better, so please don’t hesitate to reach out.