Panorama serves as the central point of administration for the VM-Series NSX edition firewalls, and the license activation process is automated when Panorama has direct internet access. Panorama connects to the Palo Alto Networks update server to retrieve the licenses, and when a new VM-Series NSX edition firewall is deployed, it communicates with Panorama to obtain the license. If Panorama is not connected to the internet, you need to manually license each instance of the VM-Series firewall so that the firewall can connect to Panorama. For an overview of the components and requirements for deploying the VM-Series NSX edition firewall, see VM-Series NSX Edition Firewall Overview.
For this integrated solution, the auth code (for example, PAN-VM-1000-HV-SUB-BND-NSX2) includes licenses for threat prevention, URL filtering, and WildFire subscriptions, as well as premium support, for the requested period.
In order to activate the license, you must have completed the following tasks:
Registered the auth code to the support account. If you don’t register the auth code, the licensing server will fail to create a license.
Entered the auth code in the Service Definition on Panorama. On Panorama, select VMware Service Manager to add the Authorization Code to the VMware Service Definition.
If you have purchased an evaluation auth code, you can license up to 5 VM-Series firewalls with the VM-1000-HV capacity license for a period of 30 or 60 days. Because this solution allows you to deploy one VM-Series firewall per ESXi host, the ESXi cluster can include a maximum of 5 ESXi hosts when using an evaluation license.
The following process of activating the licenses is manual. If you have a custom script or an orchestration service, you can use the Licensing API to automate the process of retrieving the licenses for the VM-Series firewalls.
Activate the Licenses on the VM-Series NSX Edition Firewall
When Panorama has internet access (Online)
Verify that the VM-Series firewall is connected to Panorama. Log in to Panorama. Select Panorama > Managed Devices and check that the firewall displays as Connected.
Verify that each firewall is licensed. Select Panorama > Device Deployment > Licenses and verify that Panorama has matched the auth code and applied the licenses to each firewall. If you do not see the licenses, click Refresh. Select the VM-Series firewalls for which to retrieve subscription licenses and click OK.
When Panorama does not have internet access (Offline)
Locate the CPU ID and UUID of the VM-Series firewall. From the vCenter server, obtain the IP address of the firewall. Log in to the web interface and select Dashboard. Get the CPU ID and the UUID for the firewall from the General Information widget.
Activate the auth code and generate the license keys. Log in to the Palo Alto Networks Customer Support web site with your account credentials. If you need a new account, see Create a Support Account. Select Assets > VM-Series Auth Codes and click Add VM-Series Auth Codes to enter the auth code. Select Register VM in the row that corresponds to the auth code that you just registered, enter the CPU ID and the UUID of the firewall, and click Submit. The portal will generate a serial number for the firewall. Select Assets > Devices and search for the serial number. Click the link in the Actions column to download each key locally to your laptop. In addition to the subscription license key, you must get the capacity license and the support license keys.
Upload the keys to the firewall. Log in to the firewall web interface. Select Device > Licenses, and select Manually upload license key. Browse to select a key and click OK to install the license on the firewall. Install the capacity license key file (pa-vm.key) first. When you apply the capacity license key, the VM-Series firewall will reboot. On reboot, the firewall will have a serial number that you can use to register the firewall as a managed device on Panorama. Repeat the process to install each key on the firewall. Select Dashboard and verify that you can see the Serial # in the General Information widget.
Add the serial number of the firewall on Panorama. Select Panorama > Managed Devices and click Add to enter the serial number for the VM-Series NSX edition firewall. The firewall should now be able to connect with Panorama so that it can obtain its configuration and policy rules.

