Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
VM-Series
VM-Series Deployment Guide
Set Up the VM-Series Firewall on Hyper-V
Supported Deployments on Hyper-V
Secure Traffic on a Single Hyper-V Host

Last Updated:

Fri May 01 17:26:24 PDT 2020

Current Version:

8.0 (EoL)

Version 10.2
Version 10.1
Version 10.0 (EoL)
Version 9.1
Version 9.0 (EoL)
Version 8.1 (EoL)
Version 8.0 (EoL)

End-of-Life (EoL)

Table of Contents

Search the Table of Contents

About the VM-Series Firewall

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series for NSX by Changing the OVF URL

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

License the VM-Series Firewall

License Types—VM-Series Firewalls

VM-Series Firewall for NSX Licenses

VM-Series Firewall in Amazon Web Services (AWS) and Azure L...

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Serial Number and CPU ID Format for the VM-Series Firewall

Create a Support Account

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall in...

Switch Between the BYOL and the PAYG Licenses

Renew VM-Series Firewall License Bundles

Activate the License

Activate the License for the VM-Series Firewall (Standalone...

Activate the License for the VM-Series Firewall for VMware ...

Activate Licenses on VM-Series Firewalls on NSX When Panora...

Activate Licenses on VM-Series Firewalls on NSX When Panora...

Troubleshoot License Activation Issues

Deactivate the License(s)

Install a License Deactivation API Key

Deactivate a Feature License or Subscription Using the CLI

Deactivate VM

Licensing API

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Fir...

Add End-Customer Information for a Registered VM-Series Fir...

Add End-Customer Information for a Registered VM-Series Fir...

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (...

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vClo...

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV lice...

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid lice...

Will moving the VM-Series firewall cause license invalidati...

Connectivity Issues

Why is the VM-Series firewall not receiving any network tra...

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable Multi-Queue Support for NICs on ESXi

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up a VM-Series Firewall on the Citrix SDX Server

About the VM-Series Firewall on the SDX Server

VM-Series on SDX System Requirements and Limitations

VM-Series on SDX System Requirements

VM-Series on SDX System Limitations

Supported Deployments—VM Series Firewall on Citrix SDX

Scenario 1—Secure North-South Traffic

VM-Series Firewall with L3 Interfaces Between the NetScaler...

VM-Series Firewall with L2 or Virtual Wire Interfaces Betwe...

VM-Series Firewall Before the NetScaler VPX

Scenario 2—Secure East-West Traffic (VM-Series Firewall o...

Install the VM-Series Firewall on the SDX Server

Upload the Image to the SDX Server

Provision the VM-Series Firewall on the SDX Server

Secure North-South Traffic with the VM-Series Firewall

Deploy the VM-Series Firewall Using L3 Interfaces

Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual...

Deploy the VM-Series Firewall Before the NetScaler VPX

Secure East-West Traffic with the VM-Series Firewall

Set Up the VM-Series Firewall on VMware NSX

VM-Series for NSX Firewall Overview

What are the Components of the VM-Series for NSX Solution?

vCenter Server

NSX Manager

Panorama

VM-Series Firewall for NSX

Ports/Protocols used Network Communication

How do the Components in the VM-Series Firewall for NSX Sol...

Integrated Policy Rules

Policy Enforcement using Dynamic Address Groups

What are the Benefits of the NSX VM-Series firewall for NSX...

What is Multi-Tenant Support on the VM-Series Firewall for ...

VM-Series Firewall for NSX Deployment Checklist

Install the VMware NSX Plugin

Register the VM-Series Firewall as a Service on the NSX Man...

Enable Communication Between the NSX Manager and Panorama

Create Template(s) and Device Group(s) on Panorama

Create the Service Definitions on Panorama

Deploy the VM-Series Firewall

Define an IP Address Pool

Prepare the ESXi Host for the VM-Series Firewall

Deploy the Palo Alto Networks NGFW Service

Enable Large Receive Offload

Create Security Groups and Steering Rules

Create Security Groups and Steering Rules in a Security Centric Deployment

Set Up Dynamic Address Groups on Panorama

Create Steering Rules on Panorama

Create Security Groups and Steering Rules in an Operations Centric Deployment

Set Up Security Groups on the NSX Manager

Create Steering Rules on NSX Manager

Apply Policies to the VM-Series Firewall

Steer Traffic from Guests that are not Running VMware Tools

What is Multi-NSX Manager Support on theVM-Series for NSX?

Plan Your Multi-NSX Deployment

Deploy the VM-Series Firewall in a Multi-NSX ManagerEnvironment

Dynamically Quarantine Infected Guests

Migrate Panorama 7.1 Configuration toPanorama 8.0 Configuration

Use Case: Shared Compute Infrastructure and Shared Security...

Use Case: Shared Security Policies on Dedicated Compute Inf...

Dynamic Address Groups—Information Relay from NSX Manager...

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

AWS Terminology

Management Interface Mapping for Use with Amazon ELB Servic...

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

Obtain the AMI

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Inter...

Enable CloudWatch Monitoring on the VM-Series Firewall on A...

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

HA Links

Heartbeat Polling and Hello Messages

Device Priority and Preemption

HA Timers

Configure Active/Passive HA on AWS

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Inst...

Use Case: Deploy the VM-Series Firewalls to Secure Highly A...

Solution Overview—Secure Highly Available Internet-Facing...

Deploy the Solution Components for Highly Available Interne...

Set Up the VPC

Deploy the VM-Series Firewalls in the VPC

Launch the VM-Series Firewalls and the NetScaler VPX

Configure the VM-Series Firewall for Securing Outbound Acce...

Configure the Firewalls that Secure the Web Farm

Configure the Firewall that Secures the RDS

Deploy the Web Farm in the VPC

Set Up the Amazon Relational Database Service (RDS)

Configure the Citrix NetScaler VPX

Set up Amazon Route 53

Verify Traffic Enforcement

Port Translation for Service Objects

Use Case: VM-Series Firewalls as GlobalProtect Gateways on ...

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Auto Scale VM-Series Firewalls with the Amazon ELB Service

VM-Series Auto Scale Template for AWS Version 2.0

What Components Does the VM-Series Auto Scaling Template fo...

How Does the VM-Series Auto Scaling Template for AWS (v 2.0...

Plan the VM-Series Auto Scaling Template for AWS (v 2.0)

Customize the Firewall Template Before Launch (v2.0)

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

Customize the Bootstrap.xml File

Create a new Bootstrap File from Scratch

Use the GitHub Bootstrap Files as Seed

Message Format for the Amazon SQS URL

Stack Update with VM-Series Auto Scaling Template for AWS

Modify Administrative Account and Update Stack

Auto Scale Template Version 1.2 (and earlier)

What Components Does the VM-Series Auto Scaling Template fo...

How Does the VM-Series Auto Scaling Template for AWS Enable...

Plan the VM-Series Auto Scaling Template for AWS (Version 1...

VM-Series Auto Scaling Template for AWS Version 1.2

VM-Series Auto Scaling Template for AWS Version 1.1

Launch the VM-Series Auto Scaling Template for AWS (v1.2 an...

Launch the VM-Series Auto Scaling Template for AWS (v1.2)

Launch the VM-Series Auto Scaling Template for AWS (v1.1)

Customize the Bootstrap.xml File

Use the GitHub Bootstrap Files as Seed

Create a new Bootstrap File from Scratch

NAT Policy Rule and Address Objects in the Auto Scaling Tem...

Stack Update with VM-Series Auto Scaling Template for AWS (...

Modify Administrative Account and Update Stack

Troubleshoot the VM-Series Auto Scaling Template for AWS

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Set Up the VM-Series Firewall on KVM

VM-Series on KVM—Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on ...

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-...

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (S...

Deploy the VM-Series Firewall from the Azure China Marketpl...

Use the ARM Template to Deploy the VM-Series Firewall

VM Monitoring on Azure

About VM Monitoring on Azure

Gather the Resources Required for VM Monitoring on Azure

Set Up VM Monitoring on Azure

Attributes Monitored on Azure

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Templ...

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Set Up the VM-Series Firewall on OpenStack

VM-Series Firewall for OpenStack

Basic Gateway

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic GatewayDeployment

Heat Templates for Service Chaining andService Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

IPAM

Service Policy

Alarm

Install the VM-Series Firewall in OpenStack

Install the VM-Series Firewall with ServiceChaining or Scaling

Set Up a Firewall in Cisco ACI

Cisco ACI Integration Models

Palo Alto Firewall Integration with Cisco ACI Overview

Service Graph Templates

High Availability in Cisco ACI

Multi-Context Deployments

Firewall Policy Based on Endpoint Group, Tenant, or Application

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Integrate a Palo Alto Networks Firewall with Cisco ACI in Service Manager Mode

Components of Cisco ACI Integration in Service Manager Mode

Create a Tenant and Application Profile

Create an L4-L7 Service

Create and Deploy a Service Graph Template

Bootstrap the VM-Series Firewall

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Bootstrap the VM-Series Firewall on KVM in OpenStack

Bootstrap the VM-Series Firewall in AWS

Bootstrap the VM-Series Firewall in Azure

Verify Bootstrap Completion

Bootstrap Errors

About the VM-Series Firewall
License the VM-Series Firewall
Set Up a VM-Series Firewall on an ESXi Server
Set Up the VM-Series Firewall on vCloud Air
Set Up a VM-Series Firewall on the Citrix SDX Server
Set Up the VM-Series Firewall on VMware NSX
Set Up the VM-Series Firewall on AWS
Set Up the VM-Series Firewall on KVM
Set Up the VM-Series Firewall on Hyper-V
Set up the VM-Series Firewall on Azure
Set Up the VM-Series Firewall on OpenStack
Set Up a Firewall in Cisco ACI
Bootstrap the VM-Series Firewall

Document:VM-Series Deployment Guide

Secure Traffic on a Single Hyper-V Host

Last Updated:

Fri May 01 17:26:24 PDT 2020

Current Version:

8.0 (EoL)

Version 10.2
Version 10.1
Version 10.0 (EoL)
Version 9.1
Version 9.0 (EoL)
Version 8.1 (EoL)
Version 8.0 (EoL)

Table of Contents

Search the Table of Contents

About the VM-Series Firewall

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series for NSX by Changing the OVF URL

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

License the VM-Series Firewall

License Types—VM-Series Firewalls

VM-Series Firewall for NSX Licenses

VM-Series Firewall in Amazon Web Services (AWS) and Azure L...

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Serial Number and CPU ID Format for the VM-Series Firewall

Create a Support Account

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall in...

Switch Between the BYOL and the PAYG Licenses

Renew VM-Series Firewall License Bundles

Activate the License

Activate the License for the VM-Series Firewall (Standalone...

Activate the License for the VM-Series Firewall for VMware ...

Activate Licenses on VM-Series Firewalls on NSX When Panora...

Activate Licenses on VM-Series Firewalls on NSX When Panora...

Troubleshoot License Activation Issues

Deactivate the License(s)

Install a License Deactivation API Key

Deactivate a Feature License or Subscription Using the CLI

Deactivate VM

Licensing API

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Fir...

Add End-Customer Information for a Registered VM-Series Fir...

Add End-Customer Information for a Registered VM-Series Fir...

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (...

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vClo...