Activate the License for the VM-Series Firewall for VMware NSX

Activate a VMware NSX license for the VM-Series firewall.
Where Can I Use This?
  • VM-Series deployment
What Do I Need?
  • VM-Series 10.x or above
  • Panorama running PAN-OS 10.1.x or above
  • Customer Support Portal (CSP) account with one of the following user roles:
    • Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
    • Superuser access to the VM-Series firewall
Panorama serves as the central point of administration for the VM-Series firewalls for VMware NSX and the license activation process is automated when Panorama has direct internet access. Panorama connects to the Palo Alto Networks Update Server to retrieve the licenses, and when a new VM-Series firewall for NSX is deployed, it communicates with Panorama to obtain the license. If Panorama isn't connected to the internet, you need to manually license each instance of the VM-Series firewall so that the firewall can connect to Panorama.
For this integrated solution, the auth code (for example, PAN-VM-1000-HV-SUB-BND-NSX2) includes licenses for threat prevention, URL filtering and WildFire subscriptions and Premium Support for the requested period.
To activate the license, you must have completed the following tasks:
  • Registered the auth code to the support account. If you don't register the auth code, the licensing server will fail to create a license.
  • Entered the auth code in the Service Definition on Panorama. On Panorama, select VMware Service Manager to add the Authorization Code to the VMware Service Definition.
    If you have purchased an evaluation auth code, you can license up to 5 VM-Series firewalls with the VM-1000-HV capacity license for 30 or 60 days. Because this solution allows you to deploy one VM-Series firewall per ESXi host, the ESXi cluster can include a maximum of 5 ESXi hosts when using an evaluation license.
The following processes for license activation are manual. If you have a custom script or an orchestration service, you can use the Model-Based Licensing API to automate the process of retrieving the licenses for the VM-Series firewalls.

Activate Licenses on VM-Series Firewalls on NSX When Panorama Has Internet Access

Complete the following procedure to activate the VM-Series firewall for NSX when Panorama has access to the internet.
  1. Verify that the VM-Series firewall is connected to Panorama.
    1. Log in to Panorama.
    2. Select Panorama > Managed Devices and check that the firewall displays as Connected.
  2. Verify that each firewall is licensed.
    Select Panorama > Device Deployment > Licenses and verify that Panorama has matched the auth code and applied the licenses to each firewall.
    If you don't see the licenses, click Refresh. Select the VM-Series firewalls for which to retrieve subscription licenses and click OK.

Activate Licenses on VM-Series Firewalls on NSX When Panorama Has No Internet Access

Complete the following procedure to activate the VM-Series firewall for NSX when Panorama does not have access to the internet.
  1. Locate the CPU ID and UUID of the VM-Series firewall.
    1. From the vCenter server, obtain the IP address of the firewall.
    2. Log in to the firewall web interface and select Dashboard.
    3. Get the CPU ID and the UUID for the firewall from the General Information widget.
  2. Activate the auth code and generate the license keys.
    1. Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.
    2. Select Products > VM-Series Auth Codes and click Add VM-Series Auth Codes to enter the auth code.
    3. Select Register VM in the row that corresponds to the auth code that you registered, enter the CPU ID and the UUID of the firewall and click Submit. The portal will generate a serial number for the firewall.
    4. Select Products > Assets > NGFWs and search for the serial number.
    5. Click the link in the Actions column to download each key locally to your laptop. In addition to the subscription license key, you must get the capacity license and the support license keys.
  3. Upload the keys to the firewall.
    1. Log in to the firewall web interface.
    2. Select Device > Licenses, and select Manually upload license key.
    3. Browse to select a key and click OK to install the license on the firewall.
      Install the capacity license key file (pa-vm.key) first. When you apply the capacity license key, the VM-Series firewall will reboot. On reboot, the firewall will have a serial number that you can use to register the firewall as a managed device on Panorama.
    4. Repeat the process to install each key on the firewall.
    5. Select Dashboard and verify that you can see the Serial # in the General Information widget.
  4. Add the serial number of the firewall on Panorama.
    Select Panorama > Managed Devices and click Add to enter the serial number for the VM-Series firewall for NSX. The firewall should now be able to connect with Panorama so that it can obtain its configuration and policy rules.