Palo Alto and Fortinet firewalls are everywhere in enterprise networks, but practicing on them traditionally requires either expensive hardware ($1,000+ per appliance) or hours of virtual lab setup. Here's every way to practice in 2026 without buying physical appliances.
Quick Comparison
| Approach | Setup Time | Cost | Real CLI? | AI Config? |
|---|---|---|---|---|
| NetPilot | Minutes (after image upload) | Free tier | Yes | Yes |
| GNS3 + PAN-OS/FortiGate | 2-4 hours | Free (32GB RAM server) | Yes | No |
| EVE-NG + PAN-OS/FortiGate | 1-2 days | Free / 150 EUR Pro | Yes | No |
| Palo Alto VM-Series eval | 1-2 hours | Free (30-day eval) | Yes | No |
| Physical appliance | Hours (rack + cable) | $1,000+ | Yes | No |
Key consideration: All virtual approaches require access to the vendor's VM image — Palo Alto PAN-OS from the support portal (needs active contract) or Fortinet FortiGate from the support site. The question is how much infrastructure you want to manage around that image.
What You Can Practice
Regardless of which platform you choose, firewall labs cover these core skills:
Zone-Based Security:
- Creating security zones (trust, untrust, DMZ)
- Inter-zone policies (allow, deny, monitor)
- Application-based rules (Layer 7 inspection)
NAT:
- Source NAT (outbound internet access)
- Destination NAT (inbound server publishing)
- Bidirectional NAT
- NAT with policy-based routing
VPN:
- IPSec site-to-site VPN (IKEv1, IKEv2)
- GlobalProtect remote access (Palo Alto)
- SSL VPN (Fortinet)
- VPN with redundancy and failover
High Availability:
- Active/passive HA pairs
- Active/active HA
- Session synchronization
- Failover testing
Integration with Routing:
- OSPF and BGP with firewall interfaces
- Static routing through firewall zones
- Policy-based forwarding
- Firewall between Cisco network segments
The GNS3/EVE-NG Approach
The traditional method: run the firewall VM image inside GNS3 or EVE-NG alongside virtual routers and switches.
What you need:
- GNS3 or EVE-NG installed and configured (4-8 hours for GNS3, 1-2 days for EVE-NG)
- Server with 32GB RAM recommended (firewall VMs are resource-hungry — PAN-OS needs 4GB+ RAM per instance)
- Palo Alto PAN-OS QEMU image OR Fortinet FortiGate image
- Manual topology building and device configuration
The setup process for Palo Alto in GNS3:
- Download PAN-OS VM image from Palo Alto support portal
- Convert to QEMU-compatible format if needed
- Import into GNS3 as a QEMU VM, allocate 4GB+ RAM
- Add Cisco routers/switches to the topology
- Configure all networking manually
- Configure firewall zones, policies, NAT rules via CLI
Total time: 2-4 hours for the first lab, 30-60 minutes for subsequent labs.
The advantage: Full control over every parameter. You can test edge cases, reproduce specific production scenarios, and run any topology you can imagine.
The cost: Your time. Every lab is built from scratch. Every zone, policy, and NAT rule configured by hand.
The AI-Powered Approach
NetPilot takes a different approach: describe the firewall topology in plain English, and the AI generates zone configurations, NAT rules, security policies, and routing integration.
What you need:
- A browser (any device)
- Your Palo Alto or Fortinet image uploaded once via BYOI
The process:
- Upload your firewall image once (NetPilot builds the Docker image automatically)
- Describe your topology: "Set up a Palo Alto firewall between two Cisco network segments with source NAT, destination NAT for a web server, and a security policy allowing HTTP/HTTPS from untrust to DMZ"
- AI generates: zone assignments, interface IPs, NAT rules, security policies, Cisco router configs, and routing
- Deploy to cloud ContainerLab — SSH into all devices
Total time: Minutes (after the one-time image upload).
The advantage: Speed. The AI handles the repetitive configuration work. You focus on verifying, testing, and troubleshooting — the skills that actually matter.
The trade-off: Less granular control for very specific edge-case configurations. You can always SSH in and adjust manually after AI generates the baseline.
Getting Firewall Images
Both approaches require vendor images:
Palo Alto PAN-OS:
- Available from the Palo Alto support portal (paloaltonetworks.com/support)
- Requires an active support contract or evaluation license
- VM-Series evaluation available for 30 days (contact your Palo Alto SE)
Fortinet FortiGate:
- Available from the Fortinet support site (support.fortinet.com)
- FortiGate VM evaluation available
- KVM/QEMU images work with GNS3, EVE-NG, and NetPilot
FAQ
Can I practice Palo Alto firewall configurations for free?
You need the PAN-OS VM image (requires Palo Alto support contract or evaluation license). Once you have the image, GNS3 is free (but needs 32GB RAM) and NetPilot has a free tier (cloud-hosted). The firewall software itself is not free, but the lab platform can be.
Is there a Fortinet simulator online?
Fortinet does not offer a free public simulator. You can run FortiGate VMs in GNS3, EVE-NG, or NetPilot — all require the FortiGate VM image from Fortinet. NetPilot is the only cloud-hosted option with AI configuration.
Can I combine Palo Alto firewalls with Cisco routers in one lab?
Yes. GNS3, EVE-NG, and NetPilot all support mixed-vendor topologies. In NetPilot, describe the complete topology — "Palo Alto firewall between two Cisco IOL routers with NAT and security policies" — and the AI generates configurations for all devices.
How much RAM do I need for a firewall virtual lab?
Palo Alto PAN-OS VM requires 4-6GB RAM per instance. Fortinet FortiGate VM requires 2-4GB. Combined with Cisco routers (512MB each), a basic firewall lab needs 8-12GB. For GNS3/EVE-NG, 32GB total server RAM is recommended. NetPilot is cloud-hosted — no local RAM requirements.
Ready to practice firewalls? Try NetPilot — upload your firewall image once, describe your topology, and get a working lab with real CLIs in minutes. Or learn more about firewall labs.