Provision the VM-Series Firewall on an ESXi Server
- Download the OVA file.Register your VM-Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support web site.The OVA file contains the base installation. After the base installation is complete, you must download and install the latest PAN-OS version from the support portal. This ensures that you have the latest fixes implemented since the base image was created. For instructions, see Upgrade the PAN-OS Software Version (Standalone Version).
- Before deploying the OVA file, set up virtual standard switch(es) or virtual distributed switch(es) that you need for the VM-Series firewall.If you are deploying the VM-Series firewall with Layer 3 interfaces, your firewall uses Hypervisor Assigned MAC Addresses by default. If you choose to disable hypervisor assigned MAC address, or if you are deploying the firewall with Layer 2, virtual wire, or tap interfaces, you must configure (set toAccept) any virtual switch attached to the VM-Series firewall to allow the following modes: promiscuous mode, MAC address changes, and Forged transmits.Configure a virtual standard switch or a virtual distributed switch to receive frames for the VM-Series firewall.Virtual Standard Switch
Virtual Distributed Switch
- Navigate toand select a host.HomeHosts and Clusters
- Click theConfiguretab and viewVirtual Switches. For each VM-Series firewall attached a virtual switch, click onProperties.
- Highlight a port group corresponding to a virtual switch and clickEdit Settings. In the vSwitch properties, click theSecuritytab and setPromiscuous Mode, MAC Address ChangesandForged TransmitstoAcceptand then clickOK. This change propagates to all port groups on the virtual switch.
- Select. Select your virtual distributed switch and highlight theHomeNetworkingDistributed Port Groupyou want to edit.
- ClickEdit Settings, select, and setPoliciesSecurityPromiscuous Mode, MAC Address ChangesandForged TransmitstoAcceptand clickOK.
- Deploy the OVA.If you add additional interfaces (vNICs) to the VM-Series firewall, you must reboot (because new interfaces are detected during the boot cycle). To minimize the need to reboot the firewall, activate the interfaces at initial deployment or during a maintenance window.To view the progress of the installation, monitor theRecent Taskslist.
- Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
- From the vSphere web client, go toHosts and Clusters, right-click your host, and selectDeploy OVF Template.
- Browse to the OVA file that you downloaded in 1 Select the file, and clickNext. Review the template’s details and clickNext.
- Name the VM-Series firewall instance, and in theInventory Locationwindow, select a Data Center and Folder, and clickNext.
- Select an ESXi host for the VM-Series firewall, and clickNext.
- Select the datastore to use for the VM-Series firewall, and clickNext.
- Leave the default settings for the datastore provisioning, and clickNext. The default isThick Provision Lazy Zeroed.Do not configure CPU affinity for the VM-Series firewall. The vCenter/ESXi server optimizes the CPU placement for the VM-Series and the firewall performs best when you do not modify the non-uniform memory access (NUMA) configuration.
- Select the networks to use for the two initial vNICs. The first vNIC is used for the management interface and the second vNIC for the first data port. Make sure that theSource Networksmap to the correctDestination Networks.
- Review the details, selectPower on after deployment, and clickNext.
- When the deployment is complete, click theSummarytab to review the current status.
VM-Series on ESXi System Limitations
VM-Series on ESXi System Limitations The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations: Dedicated ...
VM-Series on ESXi System Requirements
VM-Series on ESXi System Requirements You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the ...
About the VM-Series Firewall on vCloud Air
About the VM-Series Firewall on vCloud Air You can deploy the VM-Series firewall in a virtual data center (vDC) on VMware vCloud Air using the ...
Set Up a VM-Series Firewall on an ESXi Server
Set Up a VM-Series Firewall on an ESXi Server The VM-Series firewall is distributed in the Open Virtualization Alliance (OVA) format, which is a standard ...
Hypervisor Assigned MAC Addresses
Hypervisor Assigned MAC Addresses By default, the VM-Series firewall uses the MAC address assigned to the physical interface by the host/hypervisor and use that MAC ...
VM-Series Firewall for NSX Deployment Checklist
VM-Series Firewall for NSX-V Deployment Checklist To deploy the VM-Series firewall for NSX-V, use the following workflow: Step 1: Set up the Components —To deploy ...
Deploy the VM-Series Firewall on vCloud Air
Deploy the VM-Series Firewall on vCloud Air Use the instructions in this section to deploy your VM-Series firewall in an on-demand or dedicated vDC on ...
Install a VM-Series firewall on VMware vSphere Hypervisor (...
Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi) To install a VM-Series firewall you must have access to the Open Virtualization Alliance format (OVA) ...
VM-Series on ESXi System Requirements and Limitations
VM-Series on ESXi System Requirements and Limitations This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the ...