Is there a free Fortinet firewall simulator?

Fortinet does not offer a free public simulator. You can run FortiGate VMs in GNS3 or EVE-NG, but this requires sourcing the FortiGate image, a server with 16-32GB RAM, and manual setup. NetPilot supports FortiGate as a BYOI (bring your own image) device — upload once, and the AI generates complete firewall lab configurations in the cloud.

How do I set up a Palo Alto lab in GNS3?

In GNS3: download the PAN-OS QEMU image from Palo Alto's support portal (requires a valid support contract), import into GNS3 as a QEMU VM, allocate 4GB+ RAM per firewall instance, and configure networking manually. Total setup: 2-4 hours. With NetPilot: upload the PAN-OS image once, describe your firewall topology, and the AI generates zone configs, NAT rules, and security policies — deployed in minutes.

Can I integrate firewalls with routers and switches in one lab?

Yes. NetPilot supports mixed-vendor topologies: Palo Alto or Fortinet firewalls alongside Cisco IOL routers and switches, Nokia SR Linux, Arista cEOS, and other devices — all in a single cloud-hosted lab. Describe the complete topology including firewall placement, zone assignments, and routing, and the AI generates everything.

What firewall configurations can I practice?

You can practice all standard firewall configurations: security zones and inter-zone policies, NAT (source NAT, destination NAT, bidirectional), security policies and application-based rules, VPN (IPSec site-to-site, GlobalProtect), high availability (active/passive, active/active), URL filtering and threat prevention, and integration with routing protocols (OSPF, BGP).

Do I need a Palo Alto license for virtual labs?

To run PAN-OS in any virtual lab (GNS3, EVE-NG, or NetPilot), you need access to the PAN-OS VM image from Palo Alto's support portal, which requires an active support contract. NetPilot simplifies the process: upload the image once via the BYOI feature, and the platform handles Docker image building and deployment automatically. You don't need to manage QEMU, Docker, or vrnetlab manually.

Which is better for firewall practice: GNS3, EVE-NG, or NetPilot?

GNS3 gives you full control but requires 4+ hours of setup, 32GB RAM, and manual image management. EVE-NG is better for team environments but needs a dedicated server (16GB RAM minimum). NetPilot is cloud-hosted with AI that generates firewall configurations automatically — no server, no manual setup. All three support real Palo Alto and Fortinet images. Choose based on whether you prioritize control (GNS3), team access (EVE-NG), or speed (NetPilot).

AI-Powered Firewall Lab

Firewall Lab

Practice Palo Alto PAN-OS and Fortinet FortiGate in cloud-hosted labs. AI generates zone configs, NAT rules, and security policies. No hardware required.

Palo Alto PAN-OS

Fortinet FortiGate

AI-powered configuration

Free to start

See It in Action

Deploy a firewall alongside Cisco routers — AI configures zones, NAT, and security policies automatically.

Why AI-Powered Firewall Labs?

Setting up a firewall lab in GNS3 or EVE-NG takes hours. Describe what you need and get a working firewall topology in minutes.

AI Generates Policies

Describe your security requirements — the AI generates zone configs, NAT rules, security policies, and routing integration automatically.

No Hardware Required

No $1,000+ appliances. No server with 32GB RAM. Upload your firewall image once — labs deploy to the cloud.

Mixed Vendor Topologies

Palo Alto or Fortinet firewalls alongside Cisco routers, Nokia switches, Arista cEOS — all in a single topology with real CLIs.

What You Can Practice

Real firewall CLIs with AI-generated configurations — from basic zone setup to advanced threat prevention.

Zone & Policy

Security Zones
Inter-Zone Policies
Application-Based Rules
URL Filtering
Threat Prevention

NAT

Source NAT (SNAT)
Destination NAT (DNAT)
Bidirectional NAT
NAT Overload / PAT
Policy-Based NAT

VPN & HA

IPSec Site-to-Site VPN
GlobalProtect (Palo Alto)
SSL VPN (Fortinet)
Active/Passive HA
Active/Active HA

Integration

OSPF with Firewall
BGP with Firewall
Static Routing
Cisco + Firewall Topology
Multi-Vendor Security

How It Works

Upload Your Image

Upload Palo Alto PAN-OS or Fortinet FortiGate via BYOI. One-time upload — NetPilot builds the Docker image automatically.

Describe Your Lab

“Set up a Palo Alto firewall between two Cisco segments with NAT and security policies” — AI generates everything.

SSH Into Real CLIs

Your firewall lab deploys to cloud ContainerLab. SSH into Palo Alto or Fortinet alongside Cisco routers — real CLIs, real behavior.

Firewall Lab Options Compared

Every way to practice Palo Alto and Fortinet in 2026.

Feature	NetPilot	GNS3	EVE-NG	Physical
Cloud-Hosted	Yes — browser onlyYes	No — self-hosted	No — self-hosted server	No — physical appliance
Palo Alto PAN-OS	Yes (BYOI upload)Yes (BYOI upload)	Yes (BYO QEMU image)	Yes (BYO image)	Yes (purchase appliance)
Fortinet FortiGate	Yes (BYOI upload)Yes (BYOI upload)	Yes (BYO image)	Yes (BYO image)	Yes (purchase appliance)
AI Configuration	Yes — zones, NAT, policies from textYes	No — manual CLI	No — manual CLI	No — manual CLI
Setup Time	Minutes (after image upload)Minutes (after image upload)	2-4 hours (QEMU + networking)	1-2 days (server + images)	Hours (rack + cable + license)
Mixed Vendor Topology	Yes — firewall + Cisco + Nokia + AristaYes	Yes (BYO all images)	Yes (BYO all images)	Expensive (multiple appliances)
Cost	Free tier (bring your image)Free tier (bring your image)	Free (32GB RAM server needed)	Free / 150 EUR Pro	$1,000+ per appliance

Frequently Asked Questions

Common questions about firewall labs

Yes. NetPilot runs Palo Alto PAN-OS as a virtual appliance in cloud-hosted ContainerLab. You get real CLI access via SSH — zone configuration, NAT rules, security policies, VPN setup, and threat prevention. No physical hardware needed.

Fortinet does not offer a free public simulator. You can run FortiGate VMs in GNS3 or EVE-NG, but this requires sourcing the image and a server with 16-32GB RAM. NetPilot supports FortiGate as a BYOI device — upload once, and the AI generates complete firewall lab configurations in the cloud.

In GNS3: download the PAN-OS QEMU image (requires support contract), import as QEMU VM, allocate 4GB+ RAM per firewall, configure networking manually. Total: 2-4 hours. With NetPilot: upload the image once, describe your topology, AI generates everything — deployed in minutes.

Yes. NetPilot supports Palo Alto or Fortinet alongside Cisco IOL routers/switches, Nokia SR Linux, Arista cEOS — all in a single topology. Describe the complete setup including firewall placement and the AI generates everything.

Security zones, inter-zone policies, NAT (source/destination/bidirectional), security rules, VPN (IPSec, GlobalProtect), HA (active/passive), URL filtering, threat prevention, and routing integration (OSPF, BGP with firewall interfaces).

You need access to the PAN-OS VM image from Palo Alto's support portal (requires active support contract). NetPilot simplifies deployment: upload the image once via BYOI, the platform handles Docker image building automatically. No QEMU, Docker, or vrnetlab management needed.

GNS3: full control, 4+ hours setup, 32GB RAM. EVE-NG: team access, dedicated server needed. NetPilot: cloud-hosted, AI generates configs, no server. All three support real Palo Alto and Fortinet images. Choose based on control (GNS3), team access (EVE-NG), or speed (NetPilot).

Explore More

AI Network Emulator

Build complete multi-vendor labs from plain English — Cisco, Juniper, Arista, Nokia, and more.

Network Lab Online

Run real network labs in your browser — no downloads, no VMs, no servers.

Practice Firewalls Without the Hardware

Palo Alto and Fortinet configurations generated by AI, deployed to cloud labs with real CLIs — free to start.