You can create and deploy multiple instances of the
VM-Series firewall on an ESXi server. Because each instance of the
firewall requires a minimum resource allocation—number of CPUs,
memory and disk space—on the ESXi server, make sure to conform to
the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
The host CPU must be an x86-based Intel or AMD CPU, running VMware ESXi
with vSphere 5.1, 5.5, 6.0, or 6.5 for VM-Series firewalls
running PAN-OS 8.0. The VM-Series firewall on ESXi is deployed with
VMware virtual machine hardware version 9 (vmx-09); no other VMware
virtual machine hardware version is supported.
A minimum of two network interfaces (vmNICs): one dedicated vmNIC
for the management interface and one for the data interface. You can
then add up to eight more vmNICs for data traffic, for a maximum of ten.
If you need more interfaces than that, use VLAN Guest Tagging (VGT) on
the ESXi server or configure subinterfaces on the firewall.
Use of hypervisor assigned MAC addresses is enabled by default. vSphere
assigns a unique vmNIC MAC address to each dataplane interface of
the VM-Series firewall, and the firewall uses that address. If you
disable use of hypervisor assigned MAC addresses, the firewall instead
assigns each interface a MAC address from its own pool, so the MAC
address the firewall uses on an interface no longer matches the MAC
address of the vmNIC behind it. In that case you must enable promiscuous
mode on the port group of the virtual switch to which the dataplane
interfaces are attached, or the firewall cannot receive frames.
If neither promiscuous mode nor hypervisor assigned MAC addresses
are enabled, the firewall receives no traffic at all: vSphere does
not forward a frame to a virtual machine when the destination MAC
address of the frame does not match the vmNIC MAC address.
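The following Python script is an added example, not code from the Palo Alto Networks documentation or from the VM-Series product. It covers the two requirements above: it checks a .vmx file for the supported hardware version and the two-to-ten vmNIC range, and it models vSphere's MAC-filtering rule for the dataplane interfaces so you can see, before deploying, which combination of the hypervisor assigned MAC setting and port-group promiscuous mode would leave an interface without traffic. The sample .vmx contents, the port-group settings, the firewall MAC pool values, and the assumption that ethernet0 is the management vmNIC are all constructed for the example.

```python
import re

# Constructed sample .vmx for the example (not from a real deployment): one
# management vmNIC (ethernet0) plus two dataplane vmNICs on hardware version 9.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "9"
displayName = "PA-VM-ESXi-1"
ethernet0.present = "TRUE"
ethernet0.networkName = "mgmt-pg"
ethernet0.generatedAddress = "00:50:56:a1:00:01"
ethernet1.present = "TRUE"
ethernet1.networkName = "untrust-pg"
ethernet1.generatedAddress = "00:50:56:a1:00:02"
ethernet2.present = "TRUE"
ethernet2.networkName = "trust-pg"
ethernet2.generatedAddress = "00:50:56:a1:00:03"
"""

SUPPORTED_HW_VERSION = "9"      # only vmx-09 is supported
MIN_VMNICS, MAX_VMNICS = 2, 10  # mgmt + one data vmNIC required; up to eight more data vmNICs

_VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict; other lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def vmnics(cfg):
    """Return sorted (index, port_group, vmnic_mac) for each present ethernetN device."""
    found = []
    for key, val in cfg.items():
        m = re.fullmatch(r"ethernet(\d+)\.present", key)
        if m and val.upper() == "TRUE":
            n = m.group(1)
            found.append((int(n),
                          cfg.get(f"ethernet{n}.networkName", ""),
                          cfg.get(f"ethernet{n}.generatedAddress", "").lower()))
    return sorted(found)


def check_vm(cfg):
    """Findings against the hardware-version and vmNIC-count requirements; empty list if OK."""
    findings = []
    hw = cfg.get("virtualHW.version")
    if hw != SUPPORTED_HW_VERSION:
        findings.append(f"virtualHW.version is {hw!r}; VM-Series on ESXi requires vmx-09")
    count = len(vmnics(cfg))
    if count < MIN_VMNICS:
        findings.append(f"{count} vmNIC(s) present; need at least {MIN_VMNICS} (management + data)")
    elif count > MAX_VMNICS:
        findings.append(f"{count} vmNICs present; at most {MAX_VMNICS} supported, use VGT or subinterfaces")
    return findings


def frame_delivered(dst_mac, vmnic_mac, promiscuous):
    """vSphere's forwarding rule: a unicast frame reaches the vmNIC only if its
    destination MAC equals the vmNIC MAC, or the port group is in promiscuous mode."""
    return promiscuous or dst_mac.lower() == vmnic_mac.lower()


def check_dataplane_macs(cfg, port_groups, use_hypervisor_mac, firewall_mac_pool):
    """Report dataplane interfaces that would receive no traffic.

    port_groups:        {port group name: {"promiscuous": bool}} (constructed vSwitch policy)
    use_hypervisor_mac: the firewall's "use hypervisor assigned MAC address" setting
    firewall_mac_pool:  {vmNIC index: MAC} the firewall would use from its own pool
                        when hypervisor assigned MACs are disabled (constructed values)
    Assumes ethernet0 is the management vmNIC and ethernet1.. are dataplane vmNICs.
    """
    findings = []
    for idx, pg, vmnic_mac in vmnics(cfg):
        if idx == 0:
            continue  # management vmNIC is not a dataplane interface
        fw_mac = vmnic_mac if use_hypervisor_mac else firewall_mac_pool[idx]
        promisc = port_groups.get(pg, {}).get("promiscuous", False)
        if not frame_delivered(fw_mac, vmnic_mac, promisc):
            findings.append(
                f"ethernet{idx} on {pg!r}: firewall uses {fw_mac} but the vmNIC MAC is "
                f"{vmnic_mac} and promiscuous mode is off, so vSphere drops its frames; "
                f"enable promiscuous mode on {pg!r} or re-enable hypervisor assigned MAC")
    return findings


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    pgs = {"untrust-pg": {"promiscuous": True}, "trust-pg": {"promiscuous": False}}
    pool = {1: "00:1b:17:00:00:01", 2: "00:1b:17:00:00:02"}  # constructed firewall pool
    for finding in check_vm(cfg) + check_dataplane_macs(cfg, pgs, False, pool):
        print(finding)
```

Run against the sample with hypervisor assigned MACs disabled, the script flags only ethernet2: its port group trust-pg is not promiscuous, so frames addressed to the firewall's own MAC never reach the vmNIC, while untrust-pg passes because promiscuous mode is on. With the setting left at its default (enabled) no dataplane finding is produced, matching the behaviour described above.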
Data Plane Development Kit (DPDK) is enabled by default on VM-Series
firewalls on ESXi. For more information about DPDK, see Enable
DPDK on ESXi.
To get the best performance from the VM-Series firewall,
you can make the following adjustments to the host before deploying
the VM-Series firewall. See Performance
Tuning of the VM-Series for ESXi for more information.
Enable DPDK. DPDK lets packets be processed faster by bypassing the
Linux kernel network stack; interactions with the NIC are instead
performed in user space using DPDK drivers and the DPDK libraries.
Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows
a single PCIe physical device under a single root port to appear
to be multiple separate physical devices to the hypervisor or guest. Do
not configure a vSwitch on the physical port on which you enable
SR-IOV. To communicate with the host or other virtual machines on
the network, the VM-Series firewall must have exclusive access to
the physical port and the associated virtual functions (VFs) on that port.
Enable multi-queue support for NICs. Multi-queue allows network
performance to scale with the number of vCPUs and allows for parallel
packet processing by creating multiple TX and RX queues.