2020 has been one to remember for sure. Of all the terrible things that happened there is one that flew under the radar. Mostly because I didn't write this blog until 2021, but lets ignore that.
A burning question had been asked. "Can you run a Fortinet Firewall inside a Palo Alto Firewall inside a Checkpoint Firewall on a Ubuntu GNS3 box?". "Thats crazy!" you say. Why would you even want to do that?
Do you know what they said to David Chubinashvili when he applied Peanut Butter to Jelly and modified his beard to accommodate said sandwich? I'll tell you.
They said "That isn't your name and you didn't invent the PBJ".
Let that sink in for moment.
Ubuntu Donor Box - Create the chroot container for later user.
# To start things off we need to create a Linux chroot. This will be more or less a
# container to run everything in. Think of it as an old school Docker container.
# We've made a few of these but here is our latest version. These commands
# all need to be run on a donor Linux system. In this case I used Ubuntu 20.04
# (codenamed Focal) even though I use arch, btw.
root@Focal:~# debootstrap focal focal
root@Focal:~# cp /etc/apt/sources.list focal/etc/apt/
root@Focal:~# chroot focal bash -l
root@Focal:~# apt update
root@Focal:~# apt install qemu-system tcpdump
root@Focal:~# apt upgrade
root@Focal:~# dpkg-reconfigure locales
- select "en_US.UTF-8 UTF-8" ; assuming English
root@Focal:~# dpkg-reconfigure tzdata
root@Focal:~# echo PA-Chroot > /etc/debian_chroot
root@Focal:~# exit
root@Focal:~# tar -zxvf focal-chroot.tgz focalCheckpoint Firewall - Level 0 - Priming the Checkpoint for running the Palo Alto Chroot.
# Upload said focal-chroot.tgz to a Checkpoint firewall. I've put mine in /home/admin/
# Next load up the tun driver. This is a special network interface that
# will link our QEMU VM's virtual nic to a bridge interface in Checkpoint shortly.
[Expert@CHKP8040:0]# modprobe tun# Next we need to load the KVM kernel module.
# In addition we need to make sure running nested VM support is enabled.
# This allows terrible things like running a VM inside of a VM in a speedier way.
# The KVM module gives us access to virtualization extensions
# (Intel VT or AMD-V). I'll be using kvm_intel module because this is running
# on a Intel box (Dell R720).
[Expert@CHKP8040:0]# modprobe kvm_intel nested=1# Ok now we're going to get a little crazy. We need to load a driver (nbd) that
# will allow us to mount a qcow2 virtual hard drive image. This way we can
# add files and do terrible things to qcow2 images. More on this later.
# Note: Could also use guestmount to modify qcow2, but I opted for ndb.
[Expert@CHKP8040:0]# modprobe nbd max_part=8# Now we're going to extract our Ubuntu chroot container on our Checkpoint box.
[Expert@CHKP8040:0]# cd /home/admin
[Expert@CHKP8040:0]# tar -zxvf focal-chroot.tgz# Create tap interfaces in checkpoint using the tap driver we loaded earlier
# we're only going to use tap0 for this write up.
# 1,2 are for future use that didn't make it into this write up.
[Expert@CHKP8040:0]# ip tuntap add mode tap tap0
[Expert@CHKP8040:0]# ip tuntap add mode tap tap1
[Expert@CHKP8040:0]# ip tuntap add mode tap tap2
[Expert@CHKP8040:0]# ip link set tap0 up
[Expert@CHKP8040:0]# ip link set tap1 up
[Expert@CHKP8040:0]# ip link set tap2 up# We'll be adding eth2 and tap0 to a bridge interface called br0
# Eth2 is connected to a production network and doesn't have an
# IP attached to it but is state up.
[Expert@CHKP8040:0]# clish
CHKP8040> add bridging group 0 interface eth2
CHKP8040> save config# add tap0 to br0
# I don't do this via clish as there isn't a good way to create
# tap0 at boot before the bridge gets configured at boot time.
[Expert@CHKP8040:0]# brctl addif br0 tap0# mount dev, proc and sys into the chroot container.
[Expert@CHKP8040:0]# mount --rbind /dev /home/admin/focal/dev
[Expert@CHKP8040:0]# mount --bind /sys /home/admin/focal/sys
[Expert@CHKP8040:0]# mount --bind /proc /home/admin/focal/proc# Now we need to take the focal-chroot, Palo Alto VM and Fortinet VM
# and copy it inside the chroot image so we can
# .. uh... make friends with them.
[Expert@CHKP8040:0]# cp PA-VM-KVM-9.1.2.qcow2 focal/root/
[Expert@CHKP8040:0]# cp focal-chroot.tgz focal/root
[Expert@CHKP8040:0]# cp FGT_VM64_KVM-v6-build1142-FORTINET.qcow2 focal/rootPalo Alto Ubuntu Chroot - Level 1 - Getting ready to run our Palo VM for the first time.
# log into the chroot
[Expert@CHKP8040:0]# chroot focal bash -l
(PA-Chroot)root@CHKP8040:/#Palo Alto VM - Level 2 - Start PA VM and commit initial config.
# Now we start the PA VM up!
# Note we're just going to fire it up so it provisions.
# We'll then shut it down to add a new user once complete.
# It takes about 10 mins to finish this initial boot.
# default login is admin / admin
# Note: I'm hard coding the MACs of the nics so the VM doesn't get upset
# should they change on the next boot up.
(PA-Chroot)root@CHKP8040:/# /usr/bin/qemu-system-x86_64 \
-name PA-VM -m 8192M -smp cpus=8 \
-cpu host -enable-kvm -machine q35 \
-boot order=c \
-drive file=/root/PA-VM-KVM-9.1.2.qcow2,if=virtio,index=0,media=disk,id=drive0 \
-uuid 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327 \
-netdev tap,id=mynet0,ifname=tap0,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:54:01 \
-netdev tap,id=mynet1,ifname=tap1,script=no,downscript=no -device e1000,netdev=mynet1,mac=52:55:00:d1:54:02 \
-netdev tap,id=mynet2,ifname=tap2,script=no,downscript=no -device e1000,netdev=mynet2,mac=52:55:00:d1:54:03 -nographic# PA-VM Login prompt!
# Login (admin / admin) and you'll be prompted to change the password,
# commit the new password and shutdown the system from the PA shell.
admin@PA-VM> configure
Entering configuration mode
[edit]
admin@PA-VM> commit force
.......55%70%98%..........100%
Configuration committed successfully
[edit]
admin@PA-VM> request shutdown system
y
(PA-Chroot)root@CHKP8040:/#
Palo Alto Ubuntu Chroot - Level 1 - Continue configuration and rooting() the PA VM.
# Now we'll modify the image once shut down to
# add a 2nd admin user with uid 0 (root privs).
# Connect the qcow2 of the PA image to /dev/nbd0.
# This will allow us to mount to root filesystem
# which is partition 2.
(PA-Chroot)root@CHKP8040:/# qemu-nbd --connect /dev/nbd0 /root/PA-VM-KVM-9.1.2.qcow2# Mount the root filesystem of the PA VM and copy focal chroot tgz file into the
# PA's root fileststem.
(PA-Chroot)root@CHKP8040:/# mount /dev/nbd0p2 /mnt# Copy focal chroot to the PA's root filesystem. This will become the place where we
# run the Fortinet VM.
(PA-Chroot)root@CHKP8040:/# cp /root/focal-chroot.tgz /mnt/root/# Copy Fortinet qcow to PA's root filesystem also.
(PA-Chroot)root@CHKP8040:/# cp /root/FGT_VM64_KVM-v6-build1142-FORTINET.qcow2 /mnt/root (PA-Chroot)root@CHKP8040:/# chroot /mnt bash -l# Add admin2 user. Default shell will be bash.
# This will allow us to login with a root shell on the
# Palo Alto firewall.
bash-4.2# adduser admin2
bash-4.2# usermod -u 0 -o admin2
bash-4.2# passwd admin2
bash-4.2# exit# We are now back in the chroot of focal
# umount PA qcow2 root filesystem.
(PA-Chroot)root@CHKP8040:/# umount /mnt# disconnect qcow2 from nbd driver.
(PA-Chroot)root@CHKP8040:/# qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected# Now fire up the PA firewall again. We should be able to login as admin2 now
# if you ever want to get back to the PA shell issue this command.
# also network access for mgmt interface should be working.
su - admin
Palo Alto VM - Level 2 - Configure the Palo Alto VM for running the Fortinet VM.
(PA-Chroot)root@CHKP8040:/# /usr/bin/qemu-system-x86_64 \
-name PA-VM -m 8192M -smp cpus=8 -cpu host -enable-kvm \
-machine q35 \
-boot order=c \
-drive file=/root/PA-VM-KVM-9.1.2.qcow2,if=virtio,index=0,media=disk,id=drive0 \
-uuid 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327 \
-netdev tap,id=mynet0,ifname=tap0,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:54:01 \
-netdev tap,id=mynet1,ifname=tap1,script=no,downscript=no -device e1000,netdev=mynet1,mac=52:55:00:d1:54:02 \
-netdev tap,id=mynet2,ifname=tap2,script=no,downscript=no -device e1000,netdev=mynet2,mac=52:55:00:d1:54:03 -nographic
# Login as admin2
# /opt/planlogs has the most free diskspace so we'll put our focal chroot
# that will store the Fortinet VM in there. BTW updating the contents
# of /etc/debian_chroot is a quick way to keep the prompts clear.
[root@PA-VM ~]# cd /opt/panlogs
[root@PA-VM ~]# tar -zxvf /root/focal-chroot.tgz
[root@PA-VM ~]# echo Fortinet-Chroot > /opt/panlogs/focal/etc/debian_chroot# Now we need to mount up linux dirs
[root@PA-VM ~]# mount --rbind /dev /opt/panlogs/focal/dev/
[root@PA-VM ~]# mount --bind /sys /opt/panlogs/focal/sys
[root@PA-VM ~]# mount --bind /proc /opt/panlogs/focal/proc
# copy the Fortinet qcow2 to the chroot.
[root@PA-VM ~]# cp FGT_VM64_KVM-v6-build1142-FORTINET.qcow2 /opt/panlogs/focal/root# make sure nested kvm is enabled on hyper visor
[root@PA-VM ~]# modprobe kvm_intel nested=1# bring up a br0 interface
[root@PA-VM ~]# ip link add name br0 type bridge
[root@PA-VM ~]# ip link set dev br0 up# 1-2 are for future use.
[root@PA-VM ~]# ip tuntap add mode tap tap4
[root@PA-VM ~]# ip tuntap add mode tap tap5
[root@PA-VM ~]# ip tuntap add mode tap tap6
[root@PA-VM ~]# ip link set tap4 up
[root@PA-VM ~]# ip link set tap5 up
[root@PA-VM ~]# ip link set tap6 up
[root@PA-VM ~]# ip link set dev tap4 master br0# login as admin and change the system type to static.
[root@PA-VM ~]# su - admin# now we're in the PA shell.
[root@PA-VM ~]# configure
Entering configuration mode
[edit]
admin@PA-VM# set deviceconfig system type static
admin@PA-VM# set deviceconfig system ip-address 192.168.0.100 netmask 255.255.255.0 default-gateway 192.168.0.1
admin@PA-VM# commit# now leave the PA admin shell
admin@PA-VM# exit
Exiting configuration mode
admin@PA-VM> exit
[root@PA-VM ~]## should now be back as admin2 root user.
# now we're going to move the IP from eth0 (mgmt) to br0 the bridge interface.
[root@PA-VM ~]# ip addr del 192.168.0.100/24 dev eth0
[root@PA-VM ~]# ip link set dev eth0 master br0
[root@PA-VM ~]# ip addr add 192.168.0.100/24 dev br0
[root@PA-VM ~]# ip route add default via 192.168.0.1# ok time to login to the Fortinet chroot
Fortinet Chroot - level 3 - configure the Fortinet container for running Fortinet VM.
[root@PA-VM ~]# chroot /opt/panlogs/focal/ bash -l
(Fortinet-Chroot)root@PA-VM:/## Fortinet Fortigate needs an extra blank hd so lets make one
(Fortinet-Chroot)root@PA-VM:/# qemu-img create -f qcow2 /root/empty30G.qcow2 30G
Fortinet VM - level 4 - Fire up Fortinet VM
# Time to boot the Fortinet Fortigate!
# Note I changed the MACS compared to the Palo Alto VM. (:55:x ver :54:x)
(Fortinet-Chroot)root@PA-VM:/ /usr/bin/qemu-system-x86_64 \
-name Fortinet -m 2048M -smp cpus=2 -cpu host \
-enable-kvm -machine q35 \
-boot order=c \
-drive file=/root/FGT_VM64_KVM-v6-build1142-FORTINET.qcow2,if=virtio,index=0,media=disk,id=drive0 \
-drive file=/root/empty30G.qcow2,if=virtio,index=1,media=disk,id=drive1 \
-uuid 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327 \
-netdev tap,id=mynet0,ifname=tap4,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 \
-netdev tap,id=mynet1,ifname=tap5,script=no,downscript=no -device e1000,netdev=mynet1,mac=52:55:00:d1:55:02 \
-netdev tap,id=mynet2,ifname=tap6,script=no,downscript=no -device e1000,netdev=mynet2,mac=52:55:00:d1:55:03 -nographic# Fortinet will take about 10 mins to format and install on
# the no longer empty empty30G.qcow2.
# When you login Fortinet will ask you to change the password.
# You are now fully up. Port1 on the fortinet should have network
# access all the way back out to the internet.
# Here we'll set a static IP on the fortinet.
FortiGate-VM64-KVM # config system interface
FortiGate-VM64-KVM # edit port1
FortiGate-VM64-KVM # set mode static
FortiGate-VM64-KVM # set ip 192.168.0.101 255.255.255.0# This command will take a very long time to complete
# for some reason which can in no way be related to inception based VM issues.
FortiGate-VM64-KVM # next
FortiGate-VM64-KVM # end# And next we'll set a default route
FortiGate-VM64-KVM # config router static
FortiGate-VM64-KVM # edit 1
FortiGate-VM64-KVM # set device port1
FortiGate-VM64-KVM # set gateway 192.168.0.1
FortiGate-VM64-KVM # next
FortiGate-VM64-KVM # end# when your ready to end the Fortinet VM.
FortiGate-VM64-KVM # execute shutdown# Lets see it start to finish.
[Expert@CHKP8040:0]# mount | grep focal
/dev on /home/admin/focal/dev type none (rw,bind,rbind)
/sys on /home/admin/focal/sys type none (rw,bind)
/proc on /home/admin/focal/proc type none (rw,bind)
[Expert@CHKP8040:0]# brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0c09d1a7e102 no eth2
tap0
[Expert@CHKP8040:0]#
[Expert@CHKP8040:0]# chroot /home/admin/focal bash -l
groups: cannot find name for group ID 1055
(PA-Chroot)root@CHKP8040:/# (PA-Chroot)root@CHKP8040:/# /usr/bin/qemu-system-x86_64 -name PA-VM -m 8192M -smp cpus=8 -cpu host -enable-kvm -machine q35 \
> -boot order=c \
> -drive file=/root/PA-VM-KVM-9.1.2.qcow2,if=virtio,index=0,media=disk,id=drive0 \
> -uuid 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327 \
> -netdev tap,id=mynet0,ifname=tap0,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:54:01 \
> -netdev tap,id=mynet1,ifname=tap1,script=no,downscript=no -device e1000,netdev=mynet1,mac=52:55:00:d1:54:02 \
> -netdev tap,id=mynet2,ifname=tap2,script=no,downscript=no -device e1000,netdev=mynet2,mac=52:55:00:d1:54:03 -nographic
SeaBIOS (version 1.13.0-1ubuntu1)
Machine UUID 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327
iPXE (http://ipxe.org) 00:02.0 CA00 PCI2.10 PnP PMM+7FF8C5C0+7FECC5C0 CA00
iPXE (http://ipxe.org) 00:03.0 CB00 PCI2.10 PnP PMM 7FF8C5C0 7FECC5C0 CB00
iPXE (http://ipxe.org) 00:04.0 CC00 PCI2.10 PnP PMM 7FF8C5C0 7FECC5C0 CC00
Booting from Hard Disk...
Welcome to the PanOS Bootloader.
Hit any key to stop autoboot...
Enter 'maint' for boot menu.
Booting PANOS (sysroot0) after 5 seconds...
Entry:
Booting 'PANOS (sysroot0)'
root (hd0,1)
Filesystem type is ext2fs, partition type 0x83
kernel /boot/vmlinuz ro root=/dev/sda2 init=/sbin/init_single_core console=ttyS
0,9600n8 console=tty0 alternate_root=/dev/vda2 alternate_root=/dev/xvda2 hugepa
ges=0 alternate_root=/dev/nvme0n1p2
[Linux-bzImage, setup=0x4200, size=0x7e6940]
Probing EDD (edd=off to disable)... ok
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.10.0-957.21.3.10.pan.x86_64 (build@b632ce5e9889) (gcc version 7.3.1 20180303 (Red Hat 7.3.1-5) (GCC) ) #1 SMP Mon Jan 13 14:25:52 PST 2020
[ 0.000000] Command line: ro root=/dev/sda2 init=/sbin/init_single_core console=ttyS0,9600n8 console=tty0 alternate_root=/dev/vda2 alternate_root=/dev/xvda2 hugepages=0 alternate_root=/dev/nvme0n1p2
[ 0.000000] e820: BIOS-provided physical RAM map:
[ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[ 0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[ 0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007ffdbfff] usable
[ 0.000000] BIOS-e820: [mem 0x000000007ffdc000-0x000000007fffffff] reserved
[ 0.000000] BIOS-e820: [mem 0x00000000b0000000-0x00000000bfffffff] reserved
etc etc long wait
[ 7.686082] EXT3-fs (vda2): using internal journal
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::5055:ff:fed1:5401 prefixlen 64 scopeid 0x20<link>
ether 52:55:00:d1:54:01 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 386 (386.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
PA-VM login: login: timed out after 60 seconds
PA-VM login: admin2
Password:
Last login: Thu Dec 31 11:10:28 on ttyS0
[root@PA-VM ~]# whoami
root
[root@PA-VM ~]# uname -a
Linux PA-VM 3.10.0-957.21.3.10.pan.x86_64 #1 SMP Mon Jan 13 14:25:52 PST 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@PA-VM ~]# mount --rbind /dev /opt/panlogs/focal/dev/
[root@PA-VM ~]# mount --bind /sys /opt/panlogs/focal/sys
[root@PA-VM ~]# mount --bind /proc /opt/panlogs/focal/proc
[root@PA-VM ~]# modprobe kvm_intel nested=1
[root@PA-VM ~]# ip link add name br0 type bridge
[root@PA-VM ~]# ip link set dev br0 up
[root@PA-VM ~]# ip tuntap add mode tap tap4
[root@PA-VM ~]# ip tuntap add mode tap tap5
[root@PA-VM ~]# ip tuntap add mode tap tap6
[root@PA-VM ~]# ip link set tap4 up
[root@PA-VM ~]# ip link set tap5 up
[root@PA-VM ~]# ip link set tap6 up
[root@PA-VM ~]# ip addr del 192.168.0.100/24 dev eth0
[root@PA-VM ~]# ip link set dev eth0 master br0
[root@PA-VM ~]# ip link set dev tap4 master br0
[root@PA-VM ~]# ip addr add 192.168.0.100/24 dev br0
[root@PA-VM ~]# ip route add default via 192.168.0.1
[root@PA-VM ~]# su - admin
admin@PA-VM> ping host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=7.84 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=3.47 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 3.473/5.658/7.843/2.185 ms
admin@PA-VM> exit
[root@PA-VM ~]# chroot /opt/panlogs/focal/ bash -l
groups: cannot find name for group ID 1006
(Fortinet-Chroot)root@PA-VM:/# /usr/bin/qemu-system-x86_64 -name Fortinet -m 2048M -smp cpus=2 -cpu host -enable-kvm -machine q35 \
-boot order=c \
-drive file=/root/FGT_VM64_KVM-v6-build1142-FORTINET.qcow2,if=virtio,index=0,media=disk,id=drive0 \
-drive file=/root/empty30G.qcow2,if=virtio,index=1,media=disk,id=drive1 \
-uuid 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327 \
-netdev tap,id=mynet0,ifname=tap4,script=no,downscript=no -device e1000,netdev=mynet0,mac=52:55:00:d1:55:01 \
-netdev tap,id=mynet1,ifname=tap5,script=no,downscript=no -device e1000,netdev=mynet1,mac=52:55:00:d1:55:02 \
-netdev tap,id=mynet2,ifname=tap6,script=no,downscript=no -device e1000,netdev=mynet2,mac=52:55:00:d1:55:03 -nographic
SeaBIOS (version 1.13.0-1ubuntu1)
Machine UUID 4ebdb5f2-9ff4-4f43-96fc-02711a4b2327
iPXE (http://ipxe.org) 00:02.0 CA00 PCI2.10 PnP PMM+7FF8C580+7FECC580 CA00
iPXE (http://ipxe.org) 00:03.0 CB00 PCI2.10 PnP PMM 7FF8C580 7FECC580 CB00
iPXE (http://ipxe.org) 00:04.0 CC00 PCI2.10 PnP PMM 7FF8C580 7FECC580 CC00
Booting from Hard Disk...
SYSLINUX 6.04 EDD 6.04-pre1 Copyright (C) 1994-2015 H. Peter Anvin et al
Loading flatkc... ok
Loading /rootfs.gz...
# the sign of an unhappy KVM VM.
[ 1341.148161] perf: interrupt took too long (41342 > 40222), lowering kernel.perf_event_max_sample_rate to 4000
System is starting...
Serial number is FGVMEV9QJN-4CQF2
FortiGate-VM64-KVM login: admin
Password: ***********
Welcome!
FortiGate-VM64-KVM # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=74.1 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=22.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=37.4 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=16.3 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 16.3/37.6/74.1 ms
FortiGate-VM64-KVM # execute shutdown
This operation will shutdown the system !
Do you want to continue? (y/n)y
System is shutting down...
The system is going down NOW !!
FortiGate-VM64-KVM #
The system is halted.
Power down.
(Fortinet-Chroot)root@PA-VM:/# exit
logout
[root@PA-VM ~]# su - admin
Number of failed attempts since last successful login: 0
admin@PA-VM> request shutdown system
Warning: executing this command will leave the system in a shutdown state. Power must be removed and reapplied for the system to restart. Do you want to continue? (y or n)
y
Broadcast message from root (ttyS0) (Thu Dec 31 13:20:19 2020):
[ 1698.735268] nfsd: last server has exited, flushing export cache
[ 1736.775653] Power down.
(PA-Chroot)root@CHKP8040:/# exit
logout
[Expert@CHKP8040:0]#Well thats it. Now you have something else terrible to remember from 2020.