>
    Strata Copilot
    Install a VM-Series Firewall on VMware vSphere Hypervisor (ESXi)
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on an ESXi Server
    4. Install a VM-Series Firewall on VMware vSphere Hypervisor (ESXi)
    Download PDF
    VM-Series

    Install a VM-Series Firewall on VMware vSphere Hypervisor (ESXi)

    Table of Contents

    Install a VM-Series Firewall on VMware vSphere Hypervisor (ESXi)

    This section provides step-by-step guidance for installing the VM-Series firewall using the OVA template. Covers deployment prerequisites, virtual machine settings, and networking considerations.
    Where Can I Use This?What Do I Need?
    • ESXi Server
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series plugin
    • Panorama plugin for ESXi
    To install a VM-Series firewall you must have access to the Open Virtualization Alliance format (OVA) template. Use the auth code you received in your order fulfillment email to register your VM-Series firewall and download the OVA template. The OVA template is a zip archive that contains three types of files:
    • .mf: OVF manifest file that contains the SHA-1 digests of individual files in the package
    • .ovf: OVF descriptor file that contains all metadata for the package and its contents
    • .vmdk: Virtual disk image file that contains the virtualized version of the firewall

    Plan the Interfaces for the VM-Series for ESXi

    Learn what you need to consider when planning the interfaces for your VM-Series.
    By planning the mapping of VM-Series firewall vNICs and interfaces, you can avoid reboots and configuration issues. The following table describes the default mapping between VMware vNICs and VM-Series interfaces when all 10 vNICs are enabled on ESXi.
    VMware vNIC
    VM-Series Interfaces
    1
    Ethernet 1/0 (mgmt)
    2
    Ethernet 1/1 (eth1)
    3
    Ethernet 1/2 (eth2)
    4
    Ethernet 1/3 (eth3)
    5
    Ethernet 1/4 (eth4)
    6
    Ethernet 1/5 (eth5)
    7
    Ethernet 1/6 (eth6)
    8
    Ethernet 1/7 (eth7)
    9
    Ethernet 1/8 (eth8)
    10
    Ethernet 1/9 (eth9)
    The mapping on the VM-Series firewall remains the same no matter which vNICs you add on ESXi. Interfaces you activate on the firewall always take the next available vNIC on ESXi.
    In the following diagram, eth3 and eth4 on the VM-Series firewall are paired to vNICs 2 and 3 on ESXi, and eth1 and eth2 are unmapped, as shown on the left.
    If you want to add two additional interfaces while maintaining the current mapping, activate vNICs 4 and 5 and reboot down the firewall. The existing vNIC mapping is preserved because you added the interfaces after the last-mapped interface.
    If you activate eth1 and eth2 on the VM-Series firewall, the interfaces reorder themselves as shown on the right, resulting in a mapping mismatch that impacts traffic.
    To avoid the issues described in the preceding example, you can do the following:
    • When provisioning your ESXi host for the first time, activate all nine vNICs beyond the first. Adding all nine vNICs as placeholders before powering on the VM-Series firewall allows you to use any VM-Series interfaces regardless of order.
    • If all vNICs are active, adding additional interfaces no longer requires a reboot. Because each vNIC on ESXi requires that you choose a network, you can create an empty port group as a network placeholder.
    • Don’t remove VM-Series firewall vNICs to avoid mapping mismatches.

    © 2026 Palo Alto Networks, Inc. All rights reserved.