VM-Series Firewall on OpenStack

Learn how to set up the VM-Series firewall on OpenStack.
Where Can I Use This?
  • OpenStack
What Do I Need?
  • VM-Series Firewall License (BYOL)
  • Heat Template
  • Panorama
  • VM-Series plugin
The VM-Series firewall for OpenStack allows you to provide secure application delivery along with network security, performance, and visibility.
The Heat Orchestration templates provided by Palo Alto Networks allow you to deploy the VM-Series firewall individually, through service chaining, or dynamically with service scaling.

Basic Gateway

The VM-Series firewall for OpenStack allows you to deploy the VM-Series firewall on the KVM hypervisor running on a compute node in your OpenStack environment. This solution uses Heat Orchestration templates and bootstrapping to deploy the VM-Series firewall and a Linux server. The VM-Series firewall protects the deployed Linux server by inspecting the traffic going in and out of the server. The sample bootstrap files allow the VM-Series firewall to boot with basic configuration for handling traffic.
The Heat template files and the bootstrap files combine to create two virtual machines, the VM-Series firewall and a Linux server, in a network configuration similar to that shown below.

Service Chaining and Service Scaling

OpenStack Queens does not support VM-Series firewall deployment through service chaining or service scaling.
Service chaining is a Contrail feature that deploys a VM-Series firewall as a service instance in your OpenStack environment. A service chain is a set of service virtual machines, such as firewalls or load balancers, and each virtual machine in the service chain is a service instance. Service scaling allows you to dynamically deploy additional instances of the VM-Series firewall. Using CPU utilization or incoming bytes per second metrics gathered by Ceilometer, OpenStack deploys or shuts down additional instances of the VM-Series firewall to meet the current needs of your network.
The VM-Series firewall for OpenStack solution uses Heat Orchestration templates to configure and deploy the components required for service chaining and service scaling. The Heat templates provided by Palo Alto Networks create a service template, a service instance, and a service policy (to direct traffic to the VM-Series firewall), and deploy two Linux servers with the VM-Series firewall service instance between them.