Plan Your Cisco ENCS Deployment

Ensure the Cisco ENCS environment can support the VM-Series firewall.
In your Cisco SD-Branch, deploy the VM-Series Firewall on the Cisco ENCS appliance as a VNF that provides next generation firewall capabilities to secure your applications and users at the branch office. You can deploy the firewall in a virtual wire, Layer 2, or Layer 3 deployment, and in high availability configuration.
To manage the VM-Series firewall, the Panorama appliance can be deployed on premises or in the cloud. The following topology shows the VM-Series firewall at the branch edge.

Cisco ENCS Requirements

For supported NFVIS versions and hardware platforms, see the Palo Alto Networks Compatibility Matrix.
  • In NFVIS, set up networks and bridges.
    • Create virtual NICs and attach them to a virtual bridge so the ENCS appliance can steer traffic through the VM-Series firewall.
      On the Cisco ENCS appliance, the VM-Series firewall supports up to 8 dataplane interfaces.
      The dataplane interfaces of the VM-Series firewall on Cisco ENCS support Virtio mode only; ENCS SR-IOV and PCI passthrough modes are not supported.
    • Set up network connections for VM-Series firewall management access. If you are using Panorama, ensure that Panorama has network access to manage the firewall you deploy.
  • Python 2.7. Required on your local machine if you are using the command line to convert.

VM-Series Firewall and Panorama Requirements

  • VM-Series Firewall—The VM-50 and VM-100 are recommended. The VM-300, VM-500, and VM-700 are also supported, provided the ENCS hardware has sufficient resources that can be assigned to the VM-Series firewall. Consult the VM-Series System Requirements to ensure that the Cisco ENCS appliance has adequate resources to support the VM-Series model you choose.
  • Panorama hardware or virtual appliance. While you can deploy a single VM-Series firewall in a Cisco SD-Branch network, it is more common to deploy firewalls in many branches and centrally manage them with Panorama.
    • Panorama version 9.1 or later. The version must be the same or higher than the version on your VM-Series firewall.
    • A VM auth key generated on Panorama. This key allows the VM-Series firewall to authenticate with Panorama.

Recommended For You