Strata Copilot
    VM-Series Deployment Guide
    : Create and Configure the VM-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Deployment Guide
    4. Set Up the VM-Series Firewall on Alibaba Cloud
    5. Deploy the VM-Series Firewall on Alibaba Cloud
    6. Create and Configure the VM-Series Firewall
    Download PDF

    VM-Series Deployment Guide

    Create and Configure the VM-Series Firewall

    Table of Contents
    End-of-Life (EoL)

    Create and Configure the VM-Series Firewall

    Learn how to create a VM-Series instance in Alibaba Cloud, and create the network interfaces for the VM-Series firewall.
    This task uses the ECS console to create a VM-Series firewall instance with a minimum of three interfaces: management, untrust, and trust. An ECS instance supports a single NIC by default, and automatically attaches an Elastic Network Interface (ENI) to it. To support the VM-Series firewall, you must separately create the Untrust and Trust Elastic Network Interfaces (ENIs) and attach them to your instance.
    1. From the Alibaba Cloud console home page, select Elastic Compute ServiceInstances & ImagesInstances, and click Create Instance on the upper right.
    2. Select Custom Launch.
    3. Basic Configurations.
      1. Fill in the following values. For example:
        PropertyValue
        Billing MethodSubscription.
        RegionYour choice. You can also select a Zone. The region you select must provide one of the required instance types.
        Instance TypeOne of the types in Alibaba Cloud Instance Type Recommendations for the VM-Series Firewall. You can use Type-based Selection to search for the instance type.
        ImageSelect Marketplace Image and search the Alibaba Marketplace for “VM-Series”. The image combines the OS and the VM-Series firewall.
        StorageChoose a disk type and specify 60 GB.
        SnapshotYour choice.
        DurationYour choice.
      2. Select Next: Networking.
    4. On the Networking page, supply the following values.
      1. Network (select VPC).
      2. Public IP Address.
        If you do not have a public IP address, enable Assign Public IP address and the system will allocate one. If you must use a specific IP address, or an address in a specific range, you can request a custom IP address. Refer to the Elastic IP Address User Guide.
      3. Security Group.
        Select the Management security group.
      4. Elastic Network Interface.
        The Management interface is already attached to eth0.
      5. Select Next: System Configurations.
    5. On the System Configurations page, fill in the following values.
      1. Logon Credentials: Select Key Pair.
        Password authentication is not supported.
      2. Name the VM-Series firewall instance and supply a Host name.
        Make any corrections.
        Select Preview to view your settings thus far.
      3. Following Advanced (based or instance RAM roles or cloud-init) click Show.
        • The RAM role is optional.
        • In the User Data field, enter basic bootstrap information as key-value pairs separated by newlines. See Enter a Basic Configuration as User Data (Public Clouds). For example, enter the following in the User Data field.
          type=dhcp-client
hostname=Ca-FW-DC1
vm-auth-key=7550362253****
panorama-server=10.*.*.20
panorama-server-2=10.*.*.21
tplname=FINANCE_TG4
dgname=finance_dg
op-cmd-dpdk-pkt-io=on
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
authcodes=I7115398
vm-series-auto-registration-pin-id=abcdefgh1234****
vm-series-auto-registration-pin-value=zyxwvut-0987****
          op-command-modes (mgmt-interface-swap and jumbo frame) are not supported for Alibaba Cloud.
          op-cmd-dpdk-pkt-io=on supports DPDK. If you want to specify PacketMMAP, specify op-cmd-dpdk-pkt-io=off
          Grouping is Optional. Select Preview to view the configuration before ordering.
    6. View the terms of service, and select Create Order to create the VM-Series firewall instance.
      View the purchase order and select Subscribe.
    7. From the console home page, choose Elastic Compute ServiceNetworks and SecurityENIs and select Create ENI in the top right corner. Create elastic network interfaces for the Untrust and Trust interfaces.
      1. Create the Untrust ENI.
        In the Actions column, select Bind to Instance and select the instance you just created.
      2. Create the Trust ENI and bind it to the instance.
    8. Allocate Elastic IP (EIP) addresses.
      Allocate EIP addresses for the VM-Series firewall Management interface and the Untrust network interface. In this example the Trust interface is not exposed to the internet, so you don’t need a third IP address.
      If you already have two EIPs, go to the next step.
      1. Associate an EIP with the VM-Series firewall Management interface.
      2. Associate an EIP with the VM-Series firewall Untrust network interface.
        The second interface you attach is assigned to network interface 1 on the VM-Series firewall.
    9. Restart your instance to attach the new network interfaces.
      On the Instances list, select your instance, select Manage, and select Restart on the upper right.
    10. SSH in to the VM-Series firewall with the security key and set the admin password:
      developer1$ ssh -i dev1-vpc1.pem admin@18.***.145.153
Welcome admin.

admin> configure
Entering configuration mode
[edit]
admin# set mgt-config users admin password
Enter password:<password>
Confirm password:<password>
[edit]
admin# commit
    11. Access the VM-Series firewall web interface.
      Open a web browser and enter the EIP for the management interface.

    © 2025 Palo Alto Networks, Inc. All rights reserved.