Perform Initial Configuration on the VM-Series on ESXi

Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface, but, you can also assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator’s Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on ESXi, refer to Bootstrap the VM-Series Firewall on ESXi.
For general information about bootstrapping, see Bootstrap the VM-Series Firewall.
  1. Gather the required information from your network administrator.
    • IP address for MGT port
    • Netmask
    • Default gateway
    • DNS server IP address
  2. Access the console of the VM-Series firewall.
    1. Select the
      Console
      tab on the ESXi server for the VM-Series firewall, or right click the VM-Series firewall and select
      Open Console
      .
    2. Press Enter to access the login screen.
    3. Enter the default username/password (admin/admin) to log in.
    4. Enter
      configure
      to switch to configuration mode.
  3. Configure the network access settings for the management interface.
    Enter the following commands:
    set deviceconfig system type static
    set deviceconfig system ip-address
    <Firewall-IP>
    netmask
    <netmask>
    default-gateway
    <gateway-IP>
    dns-setting servers primary
    <DNS-IP>
  4. Commit your changes and exit the configuration mode.
    Enter
    commit
    .
    Enter
    exit
    .
  5. Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
    1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server (the Update server does not respond to ping requests.) After verifying DNS resolution, press Ctrl+C to stop the ping request.
      admin@PA-220 >
      ping host updates.paloaltonetworks.com
      PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data. From 192.168.1.1 icmp_seq=1 Destination Host Unreachable From 192.168.1.1 icmp_seq=2 Destination Host Unreachable From 192.168.1.1 icmp_seq=3 Destination Host Unreachable From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
    2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server: request support check If you have connectivity, the update server responds with the support status for your firewall.
  6. Apply the capacity auth code and retrieve a license before you begin testing the VM-Series firewall.
    An unlicensed VM-Series firewall can process up to approximately 1230 concurrent sessions. Depending on the environment, the session limit can be reached very quickly, causing unpredictable results.

Related Documentation