Provision the VM-Series Firewall on an ESXi Server

Use these instructions to deploy the VM-Series firewall on a (standalone) ESXi server. For deploying the VM-Series NSX edition firewall, see Set Up the VM-Series Firewall on VMware NSX.
  1. Download the OVA file.
    Register your VM-Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support web site.
    The OVA file contains the base installation. After the base installation is complete, you must download and install the latest PAN-OS version from the support portal. This ensures that you have the latest fixes implemented since the base image was created. For instructions, see Upgrade the PAN-OS Software Version (Standalone Version).
  2. Before deploying the OVA file, set up virtual standard switch(es) or virtual distributed switch(es) that you need for the VM-Series firewall.
    If you are deploying the VM-Series firewall with Layer 3 interfaces, your firewall uses Hypervisor Assigned MAC Addresses by default. If you choose to disable hypervisor assigned MAC address, or if you are deploying the firewall with Layer 2, virtual wire, or tap interfaces, you must configure (set to Accept) any virtual switch attached to the VM-Series firewall to allow the following modes: promiscuous mode, MAC address changes, and Forged transmits.
    Configure a virtual standard switch or a virtual distributed switch to receive frames for the VM-Series firewall.
    Virtual Standard Switch
    1. Navigate to Home > Hosts and Clusters and select a host.
    2. Click the Configure tab and view Virtual Switches. For each VM-Series firewall attached to a virtual switch, click Properties.
    3. Highlight a port group corresponding to a virtual switch and click Edit Settings. In the vSwitch properties, click the Security tab and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK. This change propagates to all port groups on the virtual switch.
    Virtual Distributed Switch
    1. Select Home > Networking. Select your virtual distributed switch and highlight the Distributed Port Group you want to edit.
    2. Click Edit Settings, select Policies > Security, and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and click OK.
  3. Deploy the OVA.
    If you add additional interfaces (vNICs) to the VM-Series firewall, you must reboot (because new interfaces are detected during the boot cycle). To minimize the need to reboot the firewall, activate the interfaces at initial deployment or during a maintenance window.
    To view the progress of the installation, monitor the Recent Tasks list.
    1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
    2. From the vSphere web client, go to Hosts and Clusters, right-click your host, and select Deploy OVF Template.
    3. Browse to the OVA file that you downloaded in step 1. Select the file, and click Next. Review the template’s details and click Next.
    4. Name the VM-Series firewall instance, and in the Inventory Location window, select a Data Center and Folder, and click Next.
    5. Select an ESXi host for the VM-Series firewall, and click Next.
    6. Select the datastore to use for the VM-Series firewall, and click Next.
    7. Leave the default settings for the datastore provisioning, and click Next. The default is Thick Provision Lazy Zeroed.
      Do not configure CPU affinity for the VM-Series firewall. The vCenter/ESXi server optimizes the CPU placement for the VM-Series and the firewall performs best when you do not modify the non-uniform memory access (NUMA) configuration.
    8. Select the networks to use for the two initial vNICs. The first vNIC is used for the management interface and the second vNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
    9. Review the details, select Power on after deployment, and click Next.
    10. When the deployment is complete, click the Summary tab to review the current status.
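
The virtual standard switch settings from step 2 can also be checked and applied from the ESXi shell. The script below is an added example, not Palo Alto Networks or VMware code: it reads a standard vSwitch's security policy with esxcli, reports which of the three settings are not yet Accept, and changes the switch only when one is. The switch name vSwitch1, the function names, and the sample output layout are assumptions; virtual distributed switches are not covered.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed to run in the ESXi shell.
# Constructed sample of `esxcli network vswitch standard policy security get`
# output (layout assumed), kept here for an offline check of the parser.
SAMPLE_POLICY='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# policy_gaps: read policy output on stdin and print every required setting
# that is missing or not "true" (true corresponds to Accept in the client).
policy_gaps() {
    awk -F: '
        {
            k = $1; v = tolower($2)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            val[k] = v
        }
        END {
            n = split("Allow Promiscuous:Allow MAC Address Change:Allow Forged Transmits", req, ":")
            for (i = 1; i <= n; i++)
                if (val[req[i]] != "true") print req[i]
        }'
}

# ensure_accept VSWITCH: change the standard vSwitch only when a setting is
# not already Accept, and stop if the switch cannot be read at all.
ensure_accept() {
    vs="$1"
    out=$(esxcli network vswitch standard policy security get -v "$vs") || return 1
    gaps=$(printf '%s\n' "$out" | policy_gaps)
    if [ -z "$gaps" ]; then
        echo "$vs: all three settings already Accept"
        return 0
    fi
    echo "$vs: not Accept: $(echo "$gaps" | tr '\n' ';')"
    esxcli network vswitch standard policy security set -v "$vs" \
        --allow-promiscuous=true --allow-mac-change=true --allow-forged-transmits=true
}

# Usage on the host: sh set-policy.sh vSwitch1   (hypothetical names)
if [ -n "${1:-}" ]; then
    ensure_accept "$1"
fi
```

Run it once per virtual switch that a VM-Series firewall attaches to; with no argument it only defines the functions.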
