Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface counters, system log files, and if necessary, use debug to create captures. For more details on PAN-OS troubleshooting, refer to the article on
Packet Based Troubleshooting.
For information in the vSphere client go to
Home > Inventory > VMs and Templates, select the VM-Series firewall instance and click the
Resources, check the statistics for consumed memory, CPU and storage. For resource history, click the
tab and monitor resource consumption over time.
The VM-Series is delivered as a file in the Open Virtualization Alliance (OVA) format. The OVA image is downloaded as a zip archive that is expanded into three files. If you are having trouble deploying the OVA image, make sure the three files are unpacked and present and, if necessary, download and extract the OVA image again.
The virtual disk in the OVA image is large for the VM-Series; this file is nearly 900MB and must be present on the computer running the vSphere client or must be accessible as a URL for the OVA image. Make sure the network connection is sufficient between the vSphere client computer and the target ESXi host. Any firewalls in the path will need to allow TCP ports 902 and 443 from the vSphere client to the ESXi host(s).There needs to be sufficient bandwidth and low latency on the connection otherwise the OVA deployment can take hours or timeout and fail.
To fix this issue, you must either modify the base image file (see
How do I modify the base image file for the VM-1000-HV license?) or edit the settings on the ESXi host or the vCenter server before you power on the VM-Series firewall.
VMware assigns a unique UUID to each virtual machine including the VM-Series firewall.So, when a VM-Series firewall is cloned, a new UUID is assigned to it. Because the serial number and license for each instance of the VM-Series firewall is tied to the UUID, cloning a licensed VM-Series firewall will result in a new firewall with an invalid license. You will need a new auth-code to activate the license on the newly deployed firewall. You must apply the capacity auth-code and a new support license in order to obtain full functionality, support, and software upgrades on the VM-Series firewall.