How to install Palo Alto’s PAN-OS on a FortiGate

It happens occasionally that a customer has to choose between a Palo and a Forti. While I would always favour the Palo for good reasons, I can understand that the Forti is chosen for cost savings, for example.

Fortunately, there is a hidden way of installing PAN-OS, the operating system from Palo Alto Networks, on FortiGate hardware firewalls. Here’s how you can do it:

I’m using a Fortinet FortiGate FG-501E for this demo with (formerly) FortiOS v7.2.7. I’m upgrading it to PAN-OS 11.1.1.

As always: Please save a backup of your current FortiGate configuration. During this upgrade process, the firewall will reboot and lose all of its configuration. It will start as a factory-resetted Palo Alto firewall.

The main step is to upload and reboot the FortiGate into an alternative image, that is: a PAN-OS image. For generic FortiGates, you must choose the KVM-based PAN-OS images. With the following CLI command on the FortiGate, you can download the image from an TFTP server and reboot into it:

The whole process in my lab was as follows. Note that you have to acknowledge the upgrade to an “unsupported image”:

After the reboot, you’re in the normal startup configuration of a Palo Alto firewall. –> Connect to it via the default IPv4 address of with username:password of admin:admin.

In the dashboard, you can see the model and serial number, which are the ones from my FortiGate in this case:

Funnily enough, all those different interface names are used as well, that is:

In the end, you’ve got a fully featured PAN-OS-based firewall with all of its advantages on your FortiGate hardware. Have a nice day!

Soli Deo Gloria.

Photo by Lindsay Henwood on Unsplash.

9 thoughts on “How to install Palo Alto’s PAN-OS on a FortiGate

  1. What a great blog post. Even the instant commit is working, no waiting for slow commits :-)

  2. Totally false info , lol

    Even the info in first image ( mgmt ip) with second image don’t match.

    1. That’s because the real mgmt-interface (on a Palo) is configured at Device -> Setup -> Interfaces. The “mgmt” interface shown in the screenshot above is just the hardware port which is literally named “mgmt” on this FortiGate FG-501E device. I’m not using this interface in my lab, hence it’s shown as “none” at the IP address column.

      1. Even though, the mgmt ip is shown in the first screenshot doesn’t match the sub-interface port1.21.

        Another reason, you mentioned you were using firmware of FortiOS 7.2.8 which was released on 2024-03-14 (16 days ago). As per the first screenshot, the device was running for more than 35 days :)

          1. So you recognize the images (and the whole article info by the way)were false?

            1. Same feelings here.. just waiting for the confirmation if this is false or not… (suspense sound)

Leave a Reply

Your email address will not be published. Required fields are marked *