VM-Series Firewall on a Cisco ENCS Network

Learn how to add a VM-Series firewall image into Cisco Enterprise NFV Infrastructure Software (NFVIS).
Where Can I Use This?
  • VM-Series firewall deployment
What Do I Need?
  • VM-Series 10.1.x and above
  • Panorama running PAN-OS 9.1.x or above
  • VM-Series licenses
If you have virtualized the traditional appliance-based network infrastructure at your branch or remote office with the Cisco 5400 Series Enterprise Network Compute System (ENCS) appliance, you can use Enterprise NFV Infrastructure Software (NFVIS) to deploy the VM-Series firewall within your Cisco network. The VM-Series firewall serves as a virtual network function (VNF) with next-generation firewall capabilities to safely enable all applications and protect your branch or remote office users and network from threats.
The Cisco Enterprise Network Compute System (ENCS) appliances combine with Cisco Integrated Services Virtual Routers (ISRV) and NFVIS software to support Software-Defined Branch (SD-Branch) network architectures.
In your Cisco SD-Branch, deploy the VM-Series firewall on the Cisco ENCS appliance as a VNF that provides next-generation firewall capabilities to secure your applications and users at the branch office. You can deploy the firewall in a virtual wire, Layer 2, or Layer 3 deployment, and in a high availability configuration.
To manage the VM-Series firewall, the Panorama appliance can be deployed on premises or in the cloud. The following topology shows the VM-Series firewall at the branch edge.

Cisco ENCS Requirements

For supported NFVIS versions and hardware platforms, see the Palo Alto Networks Compatibility Matrix.
  • In NFVIS, set up networks and bridges.
    • Create virtual NICs and attach them to a virtual bridge so the ENCS appliance can steer traffic through the VM-Series firewall.
      On the Cisco ENCS appliance, the VM-Series firewall supports up to 8 dataplane interfaces.
      The dataplane interfaces of the VM-Series firewall on Cisco ENCS support Virtio mode only; ENCS SR-IOV and PCI pass-through modes are not supported.
    • Set up network connections for VM-Series firewall management access. If you are using Panorama, ensure that Panorama has network access to manage the firewall you deploy.
  • Python 2.7. Required on your local machine if you are using the command line to convert.

VM-Series Firewall and Panorama Requirements

  • VM-Series firewall—The VM-50 and VM-100 are recommended. The VM-300, VM-500, and VM-700 are also supported, provided the ENCS hardware has sufficient resources that can be assigned to the VM-Series firewall. Consult the VM-Series System Requirements to ensure that the Cisco ENCS appliance has adequate resources to support the VM-Series model you choose.
  • Panorama hardware or virtual appliance. While you can deploy a single VM-Series firewall in a Cisco SD-Branch network, it's more common to deploy firewalls in many branches and centrally manage them with Panorama.
    • Panorama version 9.1 or later. The version must be the same as or later than the version on your VM-Series firewall.
    • A VM auth key generated on Panorama. This key allows the VM-Series firewall to authenticate with Panorama.
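
The Cisco ENCS and Panorama requirements above can be checked against a deployment plan before any image is loaded. The following is an added example, not Palo Alto Networks or Cisco code; the plan layout, the field names (such as `has_vm_auth_key`) and the sample values are hypothetical, and nothing here calls an NFVIS or Panorama API.

```python
import re

# Limits taken from the requirements on this page.
MAX_DATAPLANE_NICS = 8
SUPPORTED_NIC_MODE = "virtio"
MIN_PANORAMA = (9, 1)
SUPPORTED_MODELS = {"VM-50", "VM-100", "VM-300", "VM-500", "VM-700"}

def parse_panos(version):
    """Turn '10.1.6-h3' into (10, 1, 6, 3); a missing maintenance or hotfix part is 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def preflight(branch, panorama_version):
    """Return the list of problems for one planned branch firewall (empty means OK)."""
    problems = []
    fw = parse_panos(branch["panos"])
    pano = parse_panos(panorama_version)
    if branch["model"] not in SUPPORTED_MODELS:
        problems.append(f"model {branch['model']} is not listed as supported on ENCS")
    nics = branch["dataplane_nics"]
    if len(nics) > MAX_DATAPLANE_NICS:
        problems.append(f"{len(nics)} dataplane interfaces, maximum is {MAX_DATAPLANE_NICS}")
    for nic in nics:
        if nic["mode"].lower() != SUPPORTED_NIC_MODE:
            problems.append(f"{nic['name']}: mode {nic['mode']} not supported, use Virtio")
    if pano[:2] < MIN_PANORAMA:
        problems.append("Panorama must run 9.1 or later")
    # Assumption: strict reading of "same or higher", comparing hotfix level too.
    if pano < fw:
        problems.append(f"Panorama {panorama_version} is older than firewall {branch['panos']}")
    if not branch.get("has_vm_auth_key"):
        problems.append("no VM auth key generated on Panorama for this firewall")
    return problems

# Constructed sample plan, not real device data.
PLAN = [
    {"name": "branch-a", "model": "VM-50", "panos": "10.1.6-h3", "has_vm_auth_key": True,
     "dataplane_nics": [{"name": "eth1", "mode": "virtio"}, {"name": "eth2", "mode": "virtio"}]},
    {"name": "branch-b", "model": "VM-100", "panos": "10.2.4", "has_vm_auth_key": False,
     "dataplane_nics": [{"name": "eth1", "mode": "sriov"}]},
]

if __name__ == "__main__":
    for b in PLAN:
        print(b["name"], preflight(b, "10.1.9") or "OK")
```
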