End-of-Life (EoL)
This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM-Series firewall, see Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).
You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
The host CPU must be a x86-based Intel or AMD CPU with virtualization extension. VMware ESXi with vSphere 5.1, 5.5, 6.0, or 6.5 for VM-Series running PAN-OS 7.1. The VM-Series firewall on ESXi is deployed with VMware virtual machine hardware version 9 (vmx-09); no other VMware virtual machine hardware versions are supported.
Use of vSphere 6.5 requires PA-VM-ESX-7.1.0-u1.ova.
Minimum of two vCPUs per VM-Series firewall. One for the management plane and one for the dataplane.
You can assign 2 or 6 additional vCPUs to allocate a total of 2, 4 or 8 vCPUs to the firewall; the management plane only uses one vCPU and any additional vCPUs are assigned to the dataplane.
Minimum of two network interfaces (vmNICs). One will be a dedicated vmNIC for the management interface and one for the data interface. You can then add up to eight more vmNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
By default, the VM-Series firewall assigns a unique MAC address for each dataplane interface from its own pool. This causes the destination MAC addresses assigned by PAN-OS to be different from the vmNIC MAC addresses assigned by vSphere. Therefore based on your deployment, to allow the firewall to receive frames, you must either Enable Use of Hypervisor Assigned MAC Addresses on the VM-Series firewall or enable promiscuous mode (see Step 2) on the port group of the virtual switch to which the dataplane interfaces of the firewall are attached.
If neither promiscuous mode nor hypervisor assigned MAC address is enabled, the firewall will not receive any traffic. This is because vSphere will not forward frames to a virtual machine when the destination MAC address of the frame does not match the vmNIC MAC address.
Minimum of 4GB of memory for all models except the VM-1000-HV, which needs 5GB. Any additional memory will be used by the management plane only. If you are applying the VM-1000-HV license, see How do I modify the base image file for the VM-1000-HV license? Minimum of 40GB of virtual disk space. You can add additional disk space of 40GB to 2TB for logging purposes.
Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss.See VMWare’s best practice recommendation with using snapshots . If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Set up > Operations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.
The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
Dedicated CPU cores are recommended. High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address. Up to 10 total ports can be configured; this is a VMware limitation. One port will be used for management traffic and up to 9 can be used for data traffic. Only the vmxnet3 driver is supported. Virtual systems are not supported. vMotion of the VM-Series firewall is not supported. However, the VM-Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking. VLAN trunking must be enabled on the ESXi vSwitch port-groups that are connected to the interfaces (if configured in vwire mode) on the VM-Series firewall.

Recommended For You