ESXi Simplified Onboarding

Configure simplified onboarding of VM-Series on ESXi or vSphere client.
ESXi Simplified Onboarding addresses the challenges that new users face when configuring and setting up the firewall. It aims to simplify the experience of deploying Palo Alto Networks (PANW) firewalls on ESXi and to reduce the need for in-depth configuration expertise at the outset.

Prerequisites

For simplified onboarding of the VM-Series firewall on ESXi, ensure that you use the following PAN-OS versions and license types:
Supported PAN-OS Versions
  • PAN-OS version 11.2.8 or above
  • PAN-OS version 11.1.11 or above
Supported License Types
  • BYOL (Bring your own license)
Supported ESXi versions
  • ESXi 7.0 and vCenter server 7.0
  • ESXi 8.0 and vCenter server 8.0
Bring up a VM-Series firewall bootstrapped with any of the following parameters, as desired, through your ESXi or vSphere client:
Parameter – Description
  • Hostname – The name assigned to the firewall, by which it is identified in the network and in Panorama.
  • Type of management IP – Defines the management interface IP address:
    • Static – Manually assign IP, netmask, and gateway.
    • DHCP – IP information is automatically obtained from a DHCP server.
  • IPv4 address – The static management IP address assigned to the VM-Series firewall. Used for management access (Web UI, CLI, Panorama).
  • IPv4 netmask – The subnet mask of the corresponding management IP address.
  • IPv4 default-gateway – The default gateway for management traffic. It is used when the management IP needs to communicate outside its local subnet (e.g., reaching Panorama or external update servers).
  • Primary DNS server – The main DNS server used to resolve domain names.
  • Secondary DNS server – Backup DNS server used when the primary DNS server is unavailable.
  • Primary Panorama – The FQDN or the IP address of the primary Panorama management server to which the VM-Series firewall must connect.
  • Secondary Panorama (optional) – The FQDN or the IP address of the secondary Panorama server.
  • Template Stack name – The name of the template stack to which the firewall is attached in Panorama. Template stacks define interface, zone, and network configurations.
  • Device Group name – The device group to which the firewall belongs. Device groups define security policies and objects.
  • VM Authkey – A registration key generated in Panorama that allows the VM-Series firewall to securely connect and register with Panorama during the bootstrap process.
  • Authcodes – The license authorization codes for the VM-Series firewall (for example, Threat Prevention, URL Filtering, GlobalProtect). These enable automated license activation during bootstrap.
  • Device certificate PIN ID – A PIN identifier for retrieving the device certificate from the licensing portal.
  • Device certificate PIN value – The PIN value that corresponds to the PIN ID. The PIN value is used to automatically retrieve and install the device certificate.
  • Option(s) – Covers bootstrap options that might be supported in the future.

Simplified Onboarding of VM-Series in VMware ESXi or vSphere Client

  1. Log in to your VMware ESXi or vSphere client.
  2. In the Navigator section, click Virtual Machines and click Create to create a new virtual machine.
  3. Click Select creation type and click Deploy a virtual machine from an OVF or OVA file and click Next.
  4. In the Select OVF and VMDK files window:
    1. Enter a name for the virtual machine.
    2. Select or drag and drop the required OVF file.
    3. Click Next.
  5. In the Select storage window, select the datastore required for your virtual machine and click Next.
  6. In the Deployment options window:
    1. Select the required VM Network and the Disk provisioning type.
    2. Select Power on automatically, if you want your VM to power on automatically.
    3. Click Next.
  7. In the Additional settings window:
    1. Enter the details of your Management Interface Configuration:
      1. Hostname
      2. Type of management IP - DHCP or static
      3. IPv4 address
      4. IPv4 netmask
      5. IPv4 default gateway
      6. Primary DNS server
      7. Secondary DNS server
    2. Enter the details of your Panorama Configuration:
      1. Primary Panorama
      2. Secondary Panorama
      3. Template Stack name
      4. Device Group name
      5. VM Authkey
    3. Enter the details of your Device registration:
      1. Authcodes
      2. Device certificate PIN ID
      3. Device certificate PIN value
    4. Advance Options: Advance options are currently unavailable for simplified onboarding. Click Next.
  8. Click Ready to complete to review your settings, and click Finish. The ESXi server will now create the VM.
    • Use the vSphere client to deploy simplified onboarding on multiple ESXi servers.
    • For Terraform or orchestrator deployments, ensure that you use the parameters in vApp properties to bootstrap the VM.

Default Behaviour

If you do not configure any of the UI elements listed above while creating a virtual machine, the virtual machine is created with the hostname PA-VM, and the management interface attempts to obtain an IP address via DHCP.
If an authorization code (auth-code) is included, the VM-Series firewall will automatically retrieve and activate its license. If no auth-code is provided, the firewall must be manually licensed through the GUI or CLI. All the remaining configuration follows the standard bootstrap process, and can be customized later as needed.
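
A preflight check for the parameter set described above, useful before a Terraform or orchestrator run writes it into vApp properties. This is an added example, not Palo Alto Networks code: the key names are hypothetical, and the checks are consistency rules inferred from the parameter descriptions and default behaviour on this page, not rules enforced by PAN-OS.

```python
import ipaddress

# Hypothetical key names for illustration; the real vApp property keys
# come from the OVF descriptor of the image being deployed.
SECRET_KEYS = ("vm_authkey", "authcodes", "cert_pin_id", "cert_pin_value")

# Constructed sample: static addressing with a gateway in the wrong subnet.
SAMPLE = {"hostname": "fw-edge-01", "mgmt_type": "static",
          "ipv4_address": "192.0.2.10", "ipv4_netmask": "255.255.255.0",
          "ipv4_gateway": "198.51.100.1", "panorama_primary": "panorama.example.com",
          "cert_pin_id": "constructed-pin-id"}


def preflight(params):
    """Check one firewall's bootstrap parameters before they reach vApp properties."""
    findings = []
    mgmt = (params.get("mgmt_type") or "dhcp").lower()   # documented default: DHCP
    host = params.get("hostname") or "PA-VM"             # documented default name
    if mgmt == "static":
        missing = [k for k in ("ipv4_address", "ipv4_netmask", "ipv4_gateway")
                   if not params.get(k)]
        if missing:
            findings.append("static management IP is missing: " + ", ".join(missing))
        else:
            try:
                iface = ipaddress.ip_interface(
                    params["ipv4_address"] + "/" + params["ipv4_netmask"])
                gateway = ipaddress.ip_address(params["ipv4_gateway"])
                if gateway not in iface.network:
                    findings.append(f"gateway {gateway} is outside {iface.network}")
            except ValueError as exc:
                findings.append(f"invalid IPv4 value: {exc}")
    elif mgmt != "dhcp":
        findings.append(f"unknown management IP type: {mgmt}")
    if params.get("panorama_primary") and not params.get("vm_authkey"):
        findings.append("Panorama is set but the VM authkey is empty")
    if params.get("panorama_secondary") and not params.get("panorama_primary"):
        findings.append("secondary Panorama is set without a primary")
    if bool(params.get("cert_pin_id")) != bool(params.get("cert_pin_value")):
        findings.append("device certificate PIN ID and value must be given together")
    if not params.get("authcodes"):
        findings.append("no authcodes: license manually through the GUI or CLI")
    # Copy that is safe to log: registration and licensing secrets are masked.
    log_view = {k: "<redacted>" if k in SECRET_KEYS and v else v
                for k, v in params.items()}
    return {"hostname": host, "mgmt_type": mgmt,
            "findings": findings, "log_view": log_view}
```

Log `log_view` rather than the raw parameters so the VM authkey, authcodes, and device certificate PIN stay out of pipeline output.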