>
    Strata Copilot
    Onboard Device Security on VM-Series Virtual Metadata Collector
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Onboard Device Security
    4. Onboard Device Security on VM-Series Virtual Metadata Collector
    Download PDF
    Device Security

    Onboard Device Security on VM-Series Virtual Metadata Collector

    Table of Contents

    Onboard Device Security on VM-Series Virtual Metadata Collector

    Use Software NGFW credits to onboard Device Security on VM-Series virtual metadata collector.
    Where Can I Use This?What Do I Need?
    • VM-Series, funded with Software NGFW Credits
    • Palo Alto Networks Activation Console
    • Device Security X subscription
    In addition to using a VM-Series as a virtualized form factor of a firewall for Device Security, you can use a VM-Series as a virtual metadata collector (VMC). Configuring a VM-Series in virtual metadata collector mode improves Device Security data collection while minimizing resource consumption.
    To use a VM-Series in virtual metadata collector mode, you need the following:
    • A Device Security X license
    • Activated Software NGFW credits
    • VM-Series running on an ESXi or KVM platform
    • PAN-OS version 11.2.5 or later
    • A bootstrapped configuration
    Deploying a VM-Series in virtual metadata collector mode provides flexible deployment options while maintaining familiar management forms. The virtual metadata collector mode comes with a limited feature set, with no policy rule enforcement, as the VMC primarily provides device discovery. The benefit to using a VMC is that you can manage the VMC in Panorama and choose how to get visibility by deploying virtual wire interfaces, tap interfaces, and more. You can also configure the VMC as standalone or high availability.
    When you use the virtual metadata collector mode, you must use flexible vCPUs, but each VMC only consumes one flex credit worth of vCPUs, regardless of how many vCPUs a VMC uses.
    The following onboarding procedure is for the VM-Series virtual metadata collector with a Device Security X subscription. It assumes that you have already purchased Software NGFW credits and activated them. At this point, you can use the Software NGFW credits to purchase VM-Series and deploy them in virtual metadata collector mode.
    1. Before creating a VM-Series VMC, activate your Device Security X subscription.
    2. Deploy a virtual metadata collector by following the steps to create a deployment profile for your VMC with the following required configurations:
      • Create the deployment profile in the same Customer Support Portal account associated with your Device Security X license.
      • When you Select a vCPU configuration type, you must choose Flexible vCPUs (PAN-OS 10.0.4 and above).
      • For the Security Use Case, select Custom.
      • Under Customize Subscriptions, leave IoT unchecked.
    3. Activate your Device Security X subscription based on the deployment profile in Common Services.
      1. Log in to the hub, navigate to Common ServicesSubscriptions & Add-ons, and in the Activate Subscriptions based on Deployment Profile(s) section, click Activate Now to go to the Activate Subscriptions based on Deployment Profile(s) page.
      2. Choose the Customer Support Account that you're using for your Device Security X subscription.
      3. Choose a tenant that you have onboarded with your Device Security X subscription.
        Selecting the tenant also populates the Region with the region associated to that tenant.
      4. Select the deployment profile that you configured for your VMC.
      5. Under Additional Services, select Device Security X.
      6. Agree to the terms and conditions, and Activate.
    4. Bootstrap the VM-Series in virtual metadata collector mode and configure your init-cfg.txt file and authcodes file.
      The init-cfg.txt must contain at least the following: 
      
## Panorama
type=dhcp-client
vm-auth-key=your_vm_auth_key
panorama-server=your_panorama_server_address
tplname=your_device_template_name_from_panorama
dgname=your_device_group_name_from_panorama
op-command-modes=metadata-sensor

## No Panorama
type=dhcp-client //can also be static
vm-series-auto-registration-pin-id=your_registration_pin_id //required for device cert installation when not using Panorama
vm-series-auto-registration-pin-value=your_registration_pin_value //required for device cert installation when not using Panorama
op-command-modes=metadata-sensor
      We recommend adding an authcodes file to the license folder. In the authcodes file, provide the deployment auth code to the VMC. After applying the auth code, the VMC automatically registers to the tenant under the device association page and to the Device Security X tenant. By providing the auth code, you don't need to manually associate the Device Security X product to the VMC device in Common Services.
    5. Optional Associate more VMCs to the tenant through the same deployment profile, or create additional deployment profiles as needed.
    6. Configure the VM-Series VMC to provide network traffic logs.
      Follow the steps in Prepare Your Firewall for Device Security to configure the VMC to log network traffic and forward the traffic logs to Strata Logging Service, which then streams network traffic metadata to Device Security for analysis.

    © 2026 Palo Alto Networks, Inc. All rights reserved.