VM-Series on ESXi System Requirements

You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
  • The host CPU must be a x86-based Intel or AMD CPU with virtualization extension.
  • VMware ESXi with vSphere 5.5, 6.0, 6.5, and 6.7 for VM-Series running PAN-OS 9.0. PAN-OS 9.0 ESXi OVA supports VMware virtual machine hardware version vmx-10. The support for the vmx version is based on the OVA that you use to deploy the VM-Series firewall, and you cannot modify this version. Upgrading or downgrading the VM-Series software version does not change the vmx version that was enabled at launch.
  • See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
  • Minimum of two network interfaces (vNICs). One is a dedicated vNIC for the management interface and one is for the data interface. You can then add up to eight more vNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
    Hypervisor assigned MAC address are enabled by default. vSphere assigns a unique vNIC MAC address to each dataplane interface of the VM-Series firewall. If you disable hypervisor assigned MAC addresses, the VM-Series firewall assigns each interface a MAC address from its own pool. Because this causes the MAC addresses on each interface to differ, you must enable promiscuous mode on the port group of the virtual switch to which the firewall’s dataplane interfaces are attached; this allows the firewall to receive frames (see Provision the VM-Series Firewall on an ESXi Server). If neither promiscuous mode nor hypervisor assigned MAC address is enabled, the firewall does not receive any traffic. This is because vSphere does not forward frames to a virtual machine when the frame’s destination MAC address and the vNIC MAC address do not match.
  • Data Plane Development Kit (DPDK) is enabled by default on VM-Series firewalls on ESXi. For more information about DPDK, see Enable DPDK on ESXi.
  • To achieve the best performance out of the VM-Series firewall, you can make the following adjustments to the host before deploying the VM-Series firewall. See Performance Tuning of the VM-Series for ESXi for more information.
    • Enable DPDK
      . DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries.
    • Enable SR-IOV
      . Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
      Do not configure a vSwitch on the physical port on which you enable SR-IOV. To communicate with the host or other virtual machines on the network, the VM-Series firewall must have exclusive access to the physical port and associated virtual functions (VFs) on that interface.
    • Enable multi-queue support for NICs
      . Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
      Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss.See the VMware best practice recommendation for using snapshots.
      If you need configuration backups, use Panorama, or from the firewall, use
      Export named configuration snapshot
      (Device > Set up > Operations). Using
      Export named configuration snapshot
      exports the firewall’s active configuration (
      running-config.xml
      ) and allows you to save it to any network location.

Related Documentation