>
    Strata Copilot
    Deploy HSF Using Software Firewall Orchestration Plugin
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Prisma AIRS as a Firewall - Hyperscale Security Fabric
    5. Deploy HSF Using Software Firewall Orchestration Plugin
    Download PDF
    Prisma AIRS

    Deploy HSF Using Software Firewall Orchestration Plugin

    Table of Contents

    Deploy HSF Using Software Firewall Orchestration Plugin

    The Software Firewall Orchestration plugin is introduced to orchestrate the HSF Cluster deployments in ESXi environments.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS
    • Software NGFW Credits
    • HSF subscription license
    The Software Firewall Orchestration plugin is introduced to orchestrate the HSF Cluster deployments in ESXi environments. Using the Software Firewall Orchestration plugin you can configure, deploy, update, and monitor your HSF cluster. You can also autoscale and manage software migrations in the Prisma AIRS firewall cluster using this plugin.
    The following are the prerequisites to deploy the HSF:

    Plugin Prerequistes

    You will need to install three plugins:
    • Software Firewall Orchestration plugin version 1.0.1 - The main plugin used to orchestrate HSF.
    • Clustering plugin version 3.0.0 - For visibility, monitoring and to obtain metric data needed for autoscaling.
    • VM-Series plugin on Panorama version 6.0.1 - To establish communication with the VM-Series plugin on your firewalls.

    Prerequistes on ESXi

    You will need to install three plugins:
    • vCenter: Add ESXi servers to the vCentre by navigating to Datacentre —> vSphere Cluster —-> ESXi Server hosts. vCenter credentials must have global level administrator privileges for cluster deployment.
      You can now enable a user to create successful deployments using the orchestration plugin without granting them full administrator privileges for the vSphere cluster, host, or content library. Configure the necessary roles by following these steps.
      1. Create a role on vCenter with the following permissions:
        1. Content Library: Download files, View configuration settings
        2. Datastore: Allocate space, Browse datastore
        3. Host:
          Configuration: Network configuration
        4. Network: Assign network
        5. Resource: Assign virtual machine to resource pool
        6. vApp: Import
        7. Virtual machine:
          1. Change Configuration: Add existing disk, Add new disk, Add or remove device, Advanced configuration, Change CPU count, Change Memory, Change Settings, Change resource
          2. Edit Inventory: Create from existing, Remove
          3. Interaction: Guest operating system management by VIX API, Power off, Power on
      2. Create a User.
      3. Navigate to Global Permissions, select the newly created user, and assign the created role. Ensure the Propagate to children option is selected.
      4. Use this user and the corresponding password while onboarding the setup within the Orchestration plugin. This is required to create a deployment.
    • vCenter and ESXi version: The plugin supports vCenter version 7.0+ and ESXi version 7.0.
    • vSphere cluster with ESXI servers: All ESXi servers in a vSphere cluster must have identical host resources, network resources.
    • Port Groups: Ensure that the port group and network is configured and available for the ESXi servers vNIC. Configure the portgroups with the same name across all the hosts. You can configure a standard switch or distributed switch.
      Create the following vSwitch and Port groups for the interfaces of the deployed resources.
      • Management
      • Cluster Control Interconnect
      • Cluster Traffic Interconnect
      • Data Interfaces
        You will need a minimum of three port groups for management, cluster control link, and cluster traffic link for the firewalls in the cluster. You may use the rest of the port groups to the data links.
      • Ensure to set the ​​MAC address changes of the Management VSwitch to accept config.
      • Cluster Traffic Interconnect interface is to be set between 2000 to 9000 MTU in ESXi environments.
    • vSphere Cluster:
      • Create 1-2 vSphere Clusters – Based on cluster deployment needs, both P-Nodes and S-Nodes can be deployed in the same or separate vSphere clusters. Ensure to have at least one dedicated vCenter cluster created on vCenter and have the ESXi hosts added to it before you go ahead with the VM HSF Cluster deployment.
      • All the hosts in a vCenter cluster must be identical (host resources, network, and so on).
      • Create an iSCSI shared storage on the vCENTER for multiple hosts to download the image from a common location.
        Shared storage can be used with multiple host deployment, to download the image from a common location. The P-Node and S-Node deployment happens using the shared storage. Alternatively, local datastore can also be used. All the hosts in the same cluster should have the same name for local datastore (for example, datastore, datastore(1), and so on).
        Ensure that the iSCSI drive is visible in the datastore of all the hosts in the cluster. It is recommended that you use a 10 gig link for your shared storage, for faster completion of the cluster deployment.
      • Image: Ensure to upload the OVA image of Prisma AIRS in the vCenter local content library.
        If the OVA deployment times out on the vCenter content library, ensure to increase the timeout to greater than 20 mins.
      • Credentials with administrator permission for VM HSF deployment.
      • If you are using Intel 810 SR-IOV, ensure to configure more queues (around 16).

    Prerequisites on Panorama

    • License authcode with HSF subscription.
      • Configure license API-key on panorama to delicense the deleted VMs as part of the undeploy workflow or scale-in event - generate licensing API.
        request license api-key set key <key>
    • (optional) Log Collector Group: Create a log collector group.
    • Template:
      • Policy template: Create a template for cluster nodes external interfaces and policies
      • Custer Template - The Software Firewall Orchestration plugin will automatically deploy a fixed template. This template contains interfaces for cluster traffic ports based on the required config for AI-Gateways to enable traffic flow. For SRIOV, clone and modify the fixed template which contains the cluster traffic interconnect interface config for all nodes.
        • You may choose the fixed template created by the plugin AI-HSF-CLUSTERING-DO-NOT-MODIFY.
        • If you are using SRIOV, then clone the AI-HSF-CLUSTERING-DO-NOT-MODIFY template and make the necessary changes to it and then choose the new cloned template.
        • By default, the fixed template is for VMxNet3 deployments and the first Interface (eth1/1 ) is used for Cluster traffic Interconnect. For SRIOV based deployments or if you change the CT interface to a different one, then a fixed template can be cloned or edited to change the Cluster Traffic for each node.
        • Download the same content on the Local and Device Deployment page of the Panorama.
        • Schedule Download and Install of App&Thread and AV at the same time on both local and Device Deployment page of the Panorama.
    • Clustering plugin should be installed on Panorama - This is needed to obtain metric data needed for autoscaling and for firewall cluster visibility.
    • Commit the vCenter credentials and check the validity of the onboarded credentials.

    © 2026 Palo Alto Networks, Inc. All rights reserved.