Establish the Connection Between the Firewall and ACI Fabric

Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
VM-Series
VM-Series Deployment Guide
Set Up a Firewall in Cisco ACI
Integrate the Firewall with Cisco ACI in Network Policy Mode
Deploy the Firewall to Secure East-West Traffic in Network Policy Mode
Establish the Connection Between the Firewall and ACI Fabric

Last Updated:

Oct 19, 2022

Current Version:

10.0 (EoL)

Version 11.0
Version 10.2
Version 10.1
Version 10.0 (EoL)
Version 9.1

End-of-Life (EoL)

Table of Contents

Filter

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

Enable ZRAM on the VM-Series Firewall

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Licensing API

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Install a License API Key

Use Panorama-Based Software Firewall License Management

Software NGFW Credits

Maximum Limits Based on Memory

Activate Credits

Create a Deployment Profile

Manage a Deployment Profile

Register the VM-Series Firewall (Software NGFW Credits)

Provision Panorama

Migrate Panorama to a FW-Flex License

Transfer Credits

Renew Your Software NGFW Credit License

Deactivate License (Software NGFW Credits)

Create and Apply a Subscription-Only Auth Code

Migrate to a Flexible VM-Series License

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate VM-Series Model Licenses

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Install a Device Certificate on the VM-Series Firewall

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Deactivate License(s)

Deactivate a Feature License or Subscription Using the CLI

Deactivate VM

Renew VM-Series Firewall License Bundles

What Happens When Licenses Expire?

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable ESXi VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX

Set Up the VM-Series Firewall on VMware NSX-V

VM-Series for Firewall NSX-V Overview

What are the Components of the VM-Series for NSX-V Solution?

vCenter Server

NSX-V Manager

Panorama

VM-Series Firewall for NSX-V

Ports/Protocols used Network Communication

How Do the Components in the VM-Series Firewall for NSX-V Solution Work Together?

Integrated Policy Rules

Policy Enforcement using Dynamic Address Groups

What are the Benefits of the NSX-V VM-Series firewall for NSX-V Solution?

What is Multi-Tenant Support on the VM-Series Firewall for NSX-V?

VM-Series Firewall for NSX-V Deployment Checklist

Install the VMware NSX Plugin

Register the VM-Series Firewall as a Service on the NSX-V Manager

Enable Communication Between the NSX-V Manager and Panorama

Create Template(s), Template Stack(s), and Device Group(s) on Panorama

Create the Service Definitions on Panorama

Deploy the VM-Series Firewall

Define an IP Address Pool

Prepare the ESXi Host for the VM-Series Firewall

Deploy the Palo Alto Networks NGFW Service

Enable Large Receive Offload

Create Security Groups and Steering Rules

Create Security Groups and Steering Rules in a Security Centric Deployment

Set Up Dynamic Address Groups on Panorama

Create Steering Rules on Panorama

Create Security Groups and Steering Rules in an Operations Centric Deployment

Set Up Security Groups on the NSX-V Manager

Create Steering Rules on NSX-V Manager

Apply Security Policies to the VM-Series Firewall

Steer Traffic from Guests that are not Running VMware Tools

What is Multi-NSX Manager Support on the VM-Series for NSX-V?

Plan Your Multi-NSX Deployment

Deploy the VM-Series Firewall in a Multi-NSX Manager Environment

Dynamically Quarantine Infected Guests

Migrate Operations-Centric Configuration to Security-Centric Configuration

Add a New Host to Your NSX-V Deployment

Use Case: Shared Compute Infrastructure and Shared Security Policies

Use Case: Shared Security Policies on Dedicated Compute Infrastructure

Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Using the Operations-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Deploy the VM-Series Using the Security-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Groups

Create Security Policies

Use the Pre Rulebase to Define NSX-T Steering Rules

Use the Post Rulebase to Define NSX-T Steering Rules

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Group Membership Criteria

Generate Steering Policy

Generate Steering Rules

Delete a Service Definition from Panorama

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Extend Security Policy from NSX-V to NSX-T

Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T

Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series Firewall on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

Obtain the AMI

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

Panorama Orchestrated Deployments in AWS

Prepare for an Orchestrated AWS Deployment

Orchestrate a VM-Series Firewall Deployment in AWS

View the Deployment Status

Traffic Flow and Configurations

VM-Series Integration with an AWS Gateway Load Balancer

Manual Integration of the VM-Series with a Gateway Load Balancer

Enable VM-Series Integration with a Gateway Load Balancer

Manually Integrate the VM-Series with a Gateway Load Balancer

Associate a VPC Endpoint with a VM-Series Interface

Enable Overlay Routing for the VM-Series on AWS

VM-Series Auto Scaling Group with AWS Gateway Load Balancer

Before Launching the Templates

Launch the Firewall Template

Launch the Application Template

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

HA Links

Heartbeat Polling and Hello Messages

Device Priority and Preemption

HA Timers

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Resource Monitoring on AWS

AWS Resource Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for Monitoring on Panorama

Auto Scaling VM-Series Firewalls with the Amazon ELB Service

VM-Series Auto Scaling Templates for AWS Version 2.0

What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)

Customize the Firewall Template Before Launch (v2.0 and v2.1)

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

Customize the Bootstrap.xml File (v2.0)

Create a new Bootstrap File from Scratch

Use the GitHub Bootstrap Files as Seed

SQS Messaging Between the Application Template and Firewall Template

Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

Modify Administrative Account and Update Stack (v2.0)

VM-Series Auto Scaling Templates for AWS Version 2.1

Launch the Firewall Template (v2.1)

Launch the Application Template (v2.1)

Create a Custom Amazon Machine Image (v2.1)

VM-Series Auto Scaling Template Cleanup (v2.1)

SQS Messaging Between the Application Template and Firewall Template (v2.1)

Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)

Modify Administrative Account (v2.1)

Change Scaling Parameters and CloudWatch Metrics (v2.1)

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Set Up the VM-Series Firewall on KVM

VM-Series on KVM—Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Panorama Orchestrated Deployments in Azure

Prepare for an Orchestrated Deployment

Orchestrate a VM-Series Firewall Deployment in Azure

Create a Custom VM-Series Image for Azure

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Enable Azure Application Insights on the VM-Series Firewall

Monitoring on Azure

About Monitoring on Azure

Set Up the Azure Plugin for Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Secure Kubernetes Services on Azure

How Does the Panorama Plugin for Azure Secure Kubernetes Services?

Secure an AKS Cluster

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Basic Gateway

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

IPAM

Service Policy

Alarm

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on Google Cloud Platform

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Use Dynamic Address Groups to Secure Instances Within the VPC

Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall

VM Monitoring with the Panorama Plugin for GCP

Configure VM Monitoring with the Panorama Plugin for GCP

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Networks Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Panorama Plugin for Cisco ACI

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform