Provision the VM-Series Firewall on an ESXi Server
Use these instructions to deploy the VM-Series firewall on a (standalone) ESXi server. For deploying the VM-Series NSX edition firewall, see Set Up the VM-Series Firewall on VMware NSX.
- Download the OVA file.
  Register your VM-Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support web site. The file contains the base installation. After the base installation is complete, you will need to download and install the latest PAN-OS version from the support portal. This will ensure that you have the latest fixes that were implemented since the base image was created. For instructions, see Upgrade the PAN-OS Software Version (Standalone Version).
- Before deploying the OVA file, set up virtual standard switch(es) and virtual distributed switch(es) that you will need for the VM-Series firewall.
  If you are deploying the VM-Series firewall with Layer 3 interfaces, your firewall will use Hypervisor Assigned MAC Addresses by default. If you choose to disable the use of hypervisor-assigned MAC addresses, you must configure any virtual switch attached to the VM-Series firewall to allow (set to Accept) the following modes:
  - Promiscuous mode
  - MAC address changes
  - Forged transmits
  If you are deploying the firewall with Layer 2, virtual wire, or tap interfaces, you must configure any virtual switch attached to the VM-Series firewall to allow (set to Accept) the modes listed above.
  To configure a virtual standard switch to receive frames for the VM-Series firewall:
  - Configure a virtual standard switch from the vSphere Client by navigating to Home > Inventory > Hosts and Clusters.
  - Click the Configuration tab and under Hardware click Networking. For each virtual switch attached to a VM-Series firewall, click Properties.
  - Highlight the virtual switch and click Edit. In the vSwitch properties, click the Security tab and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK. This change will propagate to all port groups on the virtual switch.
  To configure a virtual distributed switch to receive frames for the VM-Series firewall:
  - Select Home > Inventory > Networking. Highlight the Distributed Port Group you want to edit and select the Summary tab.
  - Click Edit Settings and select Policies > Security and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK.
- Deploy the OVA.
  If you add additional interfaces (vmNICs) to the VM-Series firewall, a reboot is required because new interfaces are detected during the boot cycle. To avoid the need to reboot the firewall, make sure to add the interfaces at initial deployment or during a maintenance window so that you can reboot the firewall.
  To view the progress of the installation, monitor the Recent Tasks list.
  - Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
  - From the vSphere client, select File > Deploy OVF Template.
  - Browse to the OVA file that you downloaded in Step 1, select the file and then click Next. Review the template details window and then click Next again.
  - Name the VM-Series firewall instance and in the Inventory Location window, select a Data Center and Folder and click Next.
  - Select an ESXi host for the VM-Series firewall and click Next.
  - Select the datastore to use for the VM-Series firewall and click Next.
  - Leave the default settings for the datastore provisioning and click Next. The default is Thick Provision Lazy Zeroed.
    Do not configure CPU affinity for the VM-Series firewall. The vCenter/ESXi server optimizes the CPU placement for the VM-Series and the firewall performs best when you do not modify the non-uniform memory access (NUMA) configuration.
  - Select the networks to use for the two initial vmNICs. The first vmNIC will be used for the management interface and the second vmNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
  - Review the details window, select the Power on after deployment check box and then click Next.
  - When the deployment is complete, click the Summary tab to review the current status.
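
A check for the virtual standard switch settings in the switch-configuration step above, as an added example that is not part of the original procedure: it parses the output of `esxcli network vswitch standard policy security get` and reports which of the three modes are not set to Accept. The sample output is constructed, and the field labels are an assumption about what esxcli prints on your ESXi release.

```shell
#!/bin/sh
# Added example (not from the vendor procedure): report which of the three
# security modes the VM-Series needs are NOT set to Accept on a standard vSwitch.

# Constructed sample of what the esxcli "policy security get" command prints;
# the field labels are an assumption about your ESXi release.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# Read policy text on stdin; print the modes that are not "true" (Accept),
# comma-separated. Empty output means all three are accepted. A mode that is
# absent from the input is reported as missing, so a failed query never passes.
missing_modes() {
    awk -F': *' '
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+/, "", k)
            gsub(/[ \t\r]+$/, "", v)
            seen[k] = v
        }
        END {
            n = split("Allow Promiscuous|Allow MAC Address Change|Allow Forged Transmits", want, "|")
            out = ""
            for (i = 1; i <= n; i++)
                if (seen[want[i]] != "true")
                    out = out (out == "" ? "" : ", ") want[i]
            print out
        }'
}

# Query a live standard vSwitch by name (run in the ESXi shell).
check_vswitch() {
    esxcli network vswitch standard policy security get -v "$1" | missing_modes
}

if [ "$#" -gt 0 ]; then
    for vs in "$@"; do
        m=$(check_vswitch "$vs")
        [ -z "$m" ] && echo "$vs: OK" || echo "$vs: not set to Accept: $m"
    done
else
    m=$(printf '%s\n' "$SAMPLE_POLICY" | missing_modes)
    echo "sample: not set to Accept: $m"
fi
```

Pass the names of the virtual standard switches attached to the firewall as arguments; with no arguments the script evaluates only the constructed sample.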