VM-Series on ESXi System Limitations

The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
  • Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See the VMware best practice recommendation for using snapshots.
    If you need configuration backups, use Panorama, or from the firewall, use Export named configuration snapshot (Device > Setup > Operations). Using Export named configuration snapshot exports the firewall’s active configuration (running-config.xml) and allows you to save it to any network location.
  • Dedicated CPU cores are recommended.
  • High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address.
  • Up to 10 total ports can be configured; this is a VMware limitation. One port is used for management traffic and up to 9 can be used for data traffic.
  • Only the vmxnet3 driver is supported.
  • Virtual systems are not supported.
  • vMotion of the VM-Series firewall is not supported. However, the VM-Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking.
  • Forged transmit and promiscuous mode must be enabled on the ESXi vSwitch port groups connected to Layer 2 and vwire interfaces on the VM-Series firewall.
  • To use PCI devices with the VM-Series firewall on ESXi, memory mapped I/O (MMIO) must be below 4GB. You can disable MMIO above 4GB in your server’s BIOS. This is an ESXi limitation.
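
A configuration check for several of the limits above, as an added example that is not part of the original documentation: it parses a VM's .vmx file and flags adapters that are not vmxnet3, more than 10 configured ports, and attached PCI passthrough devices. The sample .vmx content is constructed and the function names are hypothetical.

```python
import re

MAX_PORTS = 10  # from the list above: 1 management port + up to 9 data ports


def parse_vmx(text):
    """Parse 'key = "value"' lines of a .vmx file into a dict (keys lowercased)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([^#=\s][^=\s]*)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def present_devices(cfg, prefix):
    """Return sorted indexes N for which <prefix>N.present is TRUE."""
    found = set()
    for key, value in cfg.items():
        m = re.match(rf"^{prefix}(\d+)\.present$", key)
        if m and value.upper() == "TRUE":
            found.add(int(m.group(1)))
    return sorted(found)


def audit_vmx(text):
    """Return a list of findings for the VM-Series on ESXi limits listed above."""
    cfg = parse_vmx(text)
    findings = []
    nics = present_devices(cfg, "ethernet")
    if len(nics) > MAX_PORTS:
        findings.append(f"{len(nics)} ports configured, maximum is {MAX_PORTS}")
    for n in nics:
        dev = cfg.get(f"ethernet{n}.virtualdev", "(unset)")
        if dev.lower() != "vmxnet3":
            findings.append(f"ethernet{n}: virtualDev is {dev}, only vmxnet3 is supported")
    for n in present_devices(cfg, "pcipassthru"):
        findings.append(f"pciPassthru{n}: PCI device attached, confirm host BIOS keeps MMIO below 4GB")
    return findings


# Constructed sample .vmx content (not taken from a real deployment).
SAMPLE_VMX = '''
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet2.present = "FALSE"
ethernet2.virtualDev = "e1000"
pciPassthru0.present = "TRUE"
'''

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```

The vSwitch port group settings (forged transmit, promiscuous mode) and the BIOS MMIO setting live on the host, not in the .vmx file, so this check does not cover them.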
