VM-Series on ESXi System Requirements
You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
- The host CPU must be an x86-based Intel or AMD CPU with virtualization extensions.
- VMware ESXi with vSphere 5.1, 5.5, 6.0, or 6.5 for VM-Series running PAN-OS 9.0. PAN-OS 9.0 ESXi OVA supports VMware virtual machine hardware version vmx-10. The support for the vmx version is based on the OVA that you use to deploy the VM-Series firewall, and you cannot modify this version. Upgrading or downgrading the VM-Series software version does not change the vmx version that was enabled at launch.
- See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
- Minimum of two network interfaces (vNICs). One is a dedicated vNIC for the management interface and one is for the data interface. You can then add up to eight more vNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
  Hypervisor assigned MAC addresses are enabled by default. vSphere assigns a unique vNIC MAC address to each dataplane interface of the VM-Series firewall. If you disable hypervisor assigned MAC addresses, the VM-Series firewall assigns each interface a MAC address from its own pool. Because this causes the MAC addresses on each interface to differ, you must enable promiscuous mode on the port group of the virtual switch to which the firewall’s dataplane interfaces are attached; this allows the firewall to receive frames (see Provision the VM-Series Firewall on an ESXi Server). If neither promiscuous mode nor hypervisor assigned MAC address is enabled, the firewall does not receive any traffic. This is because vSphere does not forward frames to a virtual machine when the frame’s destination MAC address and the vNIC MAC address do not match.
- Data Plane Development Kit (DPDK) is enabled by default on VM-Series firewalls on ESXi. For more information about DPDK, see Enable DPDK on ESXi.
- To achieve the best performance out of the VM-Series firewall, you can make the following adjustments to the host before deploying the VM-Series firewall. See Performance Tuning of the VM-Series for ESXi for more information.
  - Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries.
  - Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
    Do not configure a vSwitch on the physical port on which you enable SR-IOV. To communicate with the host or other virtual machines on the network, the VM-Series firewall must have exclusive access to the physical port and associated virtual functions (VFs) on that interface.
  - Enable multi-queue support for NICs. Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
- Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See the VMware best practice recommendation for using snapshots.
  If you need configuration backups, use Panorama, or from the firewall, use Export named configuration snapshot (Device > Set up > Operations). Using Export named configuration snapshot exports the firewall’s active configuration (running-config.xml) and allows you to save it to any network location.
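The requirements above can be checked before deployment. The following Python preflight check is an added example, not Palo Alto Networks or VMware code; the inventory layout, field names, and sample values are assumptions constructed for illustration.

```python
# Added example: preflight check of a planned deployment against this page's
# requirements. The inventory layout and field names are assumptions.
SUPPORTED_VSPHERE = {"5.1", "5.5", "6.0", "6.5"}  # for PAN-OS 9.0, per the page
MIN_VNICS, MAX_VNICS = 2, 10  # management + data, plus up to eight more


def preflight(vm):
    """Return findings; an empty list means no listed requirement is violated."""
    findings = []
    if vm["vsphere_version"] not in SUPPORTED_VSPHERE:
        findings.append(f"vSphere {vm['vsphere_version']} is not supported")
    roles = [nic["role"] for nic in vm["vnics"]]
    if not MIN_VNICS <= len(roles) <= MAX_VNICS:
        findings.append(f"{len(roles)} vNICs, expected {MIN_VNICS} to {MAX_VNICS}")
    if roles.count("mgmt") != 1 or "data" not in roles:
        findings.append("need one dedicated management vNIC and at least one data vNIC")
    # vSphere forwards a frame only when its destination MAC matches the vNIC
    # MAC, unless the port group is promiscuous. With hypervisor assigned MACs
    # disabled, the firewall uses MACs from its own pool, which differ.
    for nic in vm["vnics"]:
        if (nic["role"] == "data" and not vm["hypervisor_assigned_mac"]
                and not nic["portgroup_promiscuous"]):
            findings.append(f"{nic['name']}: interface will receive no traffic")
    # A physical port with SR-IOV enabled must not also back a vSwitch.
    for pnic in sorted(set(vm["sriov_pnics"]) & set(vm["vswitch_uplinks"])):
        findings.append(f"{pnic}: SR-IOV port is also a vSwitch uplink")
    if vm["snapshots"]:
        findings.append("VMware snapshots present; export the configuration instead")
    return findings


# Constructed sample inventory (not taken from a real host).
SAMPLE = {
    "vsphere_version": "6.5",
    "hypervisor_assigned_mac": False,
    "vnics": [
        {"name": "vNIC1", "role": "mgmt", "portgroup_promiscuous": False},
        {"name": "vNIC2", "role": "data", "portgroup_promiscuous": True},
        {"name": "vNIC3", "role": "data", "portgroup_promiscuous": False},
    ],
    "sriov_pnics": ["vmnic4"],
    "vswitch_uplinks": ["vmnic0", "vmnic4"],
    "snapshots": 1,
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FAIL:", finding)
```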