VM-Series on ESXi System Limitations

The functionality of the VM-Series firewall is very similar to that of the Palo Alto Networks hardware firewalls, but with the following limitations:
  • Dedicated CPU cores are recommended.
  • High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address.
  • Up to 10 total ports can be configured; this is a VMware limitation. One port is used for management traffic and up to 9 can be used for data traffic.
  • Only the vmxnet3 driver is supported.
  • Virtual systems are not supported.
  • vMotion of the VM-Series firewall is not supported. However, the VM-Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking.
  • Forged transmit and promiscuous mode must be enabled on the ESXi vSwitch port groups connected to Layer 2 and vwire interfaces on the VM-Series firewall.
  • To use PCI devices with the VM-Series firewall on ESXi, memory-mapped I/O (MMIO) must be below 4 GB. You can disable MMIO above 4 GB in your server’s BIOS. This is an ESXi limitation.
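
The port-count and driver limits above can be checked against a VM's .vmx file before the firewall is powered on. The following is an added example, not Palo Alto Networks or VMware code; it assumes the adapters appear as `ethernetN.present` and `ethernetN.virtualDev` entries, and the function names and sample file are constructed for illustration. It does not check the port-group security settings, which live on the vSwitch rather than in the .vmx file.

```python
import re

MAX_PORTS = 10              # from the list above: 1 management + up to 9 data ports
REQUIRED_DRIVER = "vmxnet3"  # the only supported driver

# Matches lines such as: ethernet0.virtualDev = "vmxnet3"
_LINE = re.compile(r'^\s*(ethernet\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$', re.IGNORECASE)

def parse_nics(vmx_text):
    """Return {adapter: {key: value}} for every ethernetN.* entry."""
    nics = {}
    for line in vmx_text.splitlines():
        m = _LINE.match(line)
        if m:
            name, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            nics.setdefault(name, {})[key] = value
    return nics

def audit_vmx(vmx_text):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    # Only adapters marked present count against the port limit.
    present = {n: kv for n, kv in parse_nics(vmx_text).items()
               if kv.get("present", "").upper() == "TRUE"}
    if len(present) > MAX_PORTS:
        findings.append(f"{len(present)} adapters present; limit is {MAX_PORTS}")
    for name in sorted(present, key=lambda n: int(n[len("ethernet"):])):
        driver = present[name].get("virtualdev")
        if driver is None:
            # Assumption: an unset driver is treated as a finding, not as vmxnet3.
            findings.append(f"{name}: virtualDev not set; set it to {REQUIRED_DRIVER}")
        elif driver.lower() != REQUIRED_DRIVER:
            findings.append(f"{name}: driver {driver} is not supported; use {REQUIRED_DRIVER}")
    return findings

# Constructed sample .vmx excerpt (not taken from a real deployment).
SAMPLE_VMX = '''
displayName = "vm-series-lab"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet2.present = "TRUE"
ethernet3.present = "FALSE"
ethernet3.virtualDev = "e1000"
'''

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```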
