VM-Series on ESXi System Limitations

The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
  • Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss.See the VMware best practice recommendation for using snapshots.
    If you need configuration backups, use Panorama, or from the firewall, use
    Export named configuration snapshot
    (Device > Set up > Operations). Using
    Export named configuration snapshot
    exports the firewall’s active configuration (
    running-config.xml
    ) and allows you to save it to any network location.
  • Dedicated CPU cores are recommended.
  • High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address.
  • Up to 10 total ports can be configured; this is a VMware limitation. One port is used for management traffic and up to 9 can be used for data traffic.
  • Only the vmxnet3 driver is supported.
  • Virtual systems are not supported.
  • vMotion of the VM-Series firewall is supported on vSphere 6.5, 6.7, and 7.0 if the ESXi hosts have homogeneous CPU configuration. PAN-OS 9.1.6 and later is required to Use vMotion to Move the VM-Series Firewall Between Hosts installed on vSphere 6.5 or 6.7.
  • Forged transmit and promiscuous mode must be enabled on the ESXi vSwitch port groups connected to Layer 2 and vwire interfaces on the VM-Series firewall.
  • To use PCI devices with the VM-Series firewall on ESXi, memory mapped I/O (MMIO) must be below 4GB. You can disable MMIO above 4GB in your server’s BIOS. This is an ESXi limitation.
  • When using ESXi 7.0, interfaces do not come up when attaching VFs to virtual machines with PCI device passthrough.

Recommended For You