End-of-Life (EoL)
System Requirements
Requirements Description
Hardware Resources vCPU: 2, 4, 8 Memory: 4 GB; 5 GB for the VM-1000-HV Disk: 40GB Disk types supported: Virtio and SCSI for best performance; IDE Disk-controllers: virtio, virt-scsi, IDE The host CPU must be a x86-based Intel or AMD CPU with virtualization extension.
Software Versions Ubuntu 12.04 LTS (QEMU-KVM 1.0; libvirt 0.9.8; Open vSwitch: 1.9.3 with bridge compatibility mode) 14.04 LTS (QEMU-KVM 2.0.0; libvirt 1.2.2; Open vSwitch: 1.9.3, 2.3.1) 16.04 LTS (QEMU-KVM 2.5 0; libvirt 1.3.1; Open vSwitch: 2.5.0) CentOS/RedHat Enterprise Linux: 6.5 (QEMU-KVM 0.12; libvirt 0.10; Open vSwitch: 1.9.3 with bridge compatibility mode) 7.0 (QEMU-KVM 1.5.3; libvirt 1.2.8; Open vSwitch: 1.9.3, 2.3.1) 7.1 (QEMU-KVM 1.5.3; libvirt 1.2.8; Open vSwitch: 1.9.3, 2.3.1) 7.2 (QEMU-KVM 1.5.3; libvirt 2.0.0; Open vSwitch: 2.5.0)
Network Interfaces—Network Interface Cards and Software Bridges The VM-Series on KVM supports a total of 25 interfaces— 1 management interface and a maximum of 24 network interfaces for data traffic. VM-Series deployed on KVM supports software-based virtual switches such as the Linux bridge or the Open vSwitch bridge, and direct connectivity to PCI passthrough or an SR-IOV capable adapter. On the Linux bridge and OVS, the e1000 and virtio drivers are supported; the default driver rtl8139 is not supported. For PCI passthrough/SR-IOV support, the VM-Series firewall has been tested for the following network cards: Intel 82576 based 1G NIC: SR-IOV support on all supported Linux distributions; PCI-passthrough support on all except Ubuntu 12.04 LTS. Intel 82599 based 10G NIC: SR-IOV support on all supported Linux distributions; PCI-passthrough support on all except Ubuntu 12.04 LTS. Broadcom 57112 and 578xx based 10G NIC: SR-IOV support on all supported Linux distributions; No PCI-passthrough support. Drivers: igb; ixgbe; bnx2x Drivers: igbvf; ixgbevf; bnx2x SR-IOV capable interfaces assigned to the VM-Series firewall, must be configured as Layer 3 interfaces or as HA interfaces.
Options for Attaching the VM-Series on the Network
With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host. For external connectivity, data traffic uses the physical interface to which the bridge is attached. With PCI passthrough, data traffic is passed directly between the guest and the physical interface to which it is attached. When the interface is attached to a guest, it is not available to the host or to other guests on the host. With SR-IOV, data traffic is passed directly between the guest and the virtual function to which it is attached.
Prerequisites for VM-Series on KVM
Before you install the VM-Series firewall on the Linux server, review the following sections:
Prepare the Linux Server
Check the Linux distribution version. For a list of supported versions, see System Requirements. Verify that you have installed and configured KVM tools and packages that are required for creating and managing virtual machines, such as Libvirt. If you want to use a SCSI disk controller to access the disk to which the VM-Series firewall stores data, you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions, see Enable the Use of a SCSI Controller.
KVM on Ubuntu 12.04 does not support the virtio-scsi controller.
Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM-Series firewall and for connectivity to an external server or the Internet. The VM-Series firewall can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or SR-IOV capable network card. Make sure that the link state for all interfaces you plan to use are up, sometimes you have to manually bring them up. Verify the PCI ID of all the interfaces. To view the list, use the command: Virsh nodedev-list –tree If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive traffic to/from the firewall. If not, create bridge(s) and verify that they are up before you begin installing the firewall. If using PCI-passthrough or SR-IOV, verify that the virtualization extensions (VT-d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions. If using PCI-passthrough, ensure that the VM-Series firewall has exclusive access to the interface(s) that you plan to attach to it.
To allow exclusive access, you must manually detach the interface(s) from the Linux server; Refer to the documentation provided by your network card vendor for instructions.
To manually detach the interface(s) from the server., use the command:
Virsh nodedev-detach <pci id of interface>
For example, pci_0000_07_10_0
In some cases, in /etc/libvirt/qemu.conf, you may have to uncomment relaxed_acs_check = 1 .
If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions.
To enable virtual functions, you need to:
1. Create a new file in this location: /etc/modprobe.d/
2. Modify the file using the vi editor to make the functions persistent: vim /etc/modprobe.d/igb.conf
3. Enable the number of number of virtual functions required: options igb max_vfs=4
After you save the changes and reboot the Linux server, each interface (or physical function) in this example will have 4 virtual functions.
Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported and for instructions to enable it.
Prepare to Deploy the VM-Series Firewall
Purchase the VM-Series model and register the authorization code on the Palo Alto Networks Customer Support web site. See Create a Support Account and Register the VM-Series Firewall. Obtain the qcow2 image and save it on the Linux server. As a best practice, copy the image to the folder: /var/lib/libvirt/qemu/images.
If you plan to deploy more than one instance of the VM-Series firewall, make the required number of copies of the image. Because each instance of the VM-Series firewall maintains a link with the .qcow2 image that was used to deploy the firewall, to prevent any data corruption issues ensure that each image is independent and is used by a single instance of the firewall.

Recommended For You