VM-Series Firewall on KVM
Set up the VM-Series firewall on KVM.
Where Can I Use This?
  • KVM

What Do I Need?
  • VM-Series Firewall License (BYOL)
  • Panorama
  • VM-Series plugin
Kernel-based Virtual Machine (KVM) is an open-source virtualization module for servers running Linux distributions. The VM-Series firewall can be deployed on a Linux server that’s running the KVM hypervisor.
This guide assumes that you have an existing IT infrastructure that uses Linux and that you are familiar with standard Linux tools. The instructions only pertain to deploying the VM-Series firewall on KVM.
You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances of the VM-Series firewall on a Linux host. The VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. If you plan on using SR-IOV-capable interfaces on the VM-Series firewall, you can only configure those interfaces as Layer 3 interfaces.

Secure Traffic on a Single Host

To secure east-west traffic across guests on a Linux server, the VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces, where the firewall and the other guests on the server are connected using Linux bridges. In this deployment, all traffic between the web servers and the database servers is routed through the firewall; traffic among the database servers only or among the web servers only is switched by the bridge and isn’t routed through the firewall.

Secure Traffic Across Linux Hosts

To secure your workloads, more than one instance of the VM-Series firewall can be deployed on a Linux host. If, for example, you want to isolate traffic for separate departments or customers, you can use VLAN tags to logically isolate network traffic and route it to the appropriate VM-Series firewall. In the following example, one Linux host hosts the VM-Series firewalls for two customers, Customer A and Customer B, and the workload for Customer B is spread across two servers. To isolate traffic and direct it to the VM-Series firewall configured for each customer, VLANs are used.
In another variation of this deployment, a pair of VM-Series firewalls is deployed in a high availability setup. The VM-Series firewalls in the following illustration are deployed on a Linux server with SR-IOV-capable adapters. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. Each virtual function attached to the VM-Series firewall is configured as a Layer 3 interface. The active peer in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.
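Host-side preparation for the per-customer VLAN layout above, as an added example that is not part of the original Palo Alto Networks page: a POSIX shell script that creates one VLAN sub-interface on the trunk NIC and one dedicated Linux bridge per customer, so that customer's guests and that customer's VM-Series data interface attach to their own bridge and only see their own tagged traffic. The trunk interface name eth1, the customer-to-VLAN plan, and the br-<customer> naming are assumptions; with DRY_RUN=1 (the default) the script only prints the ip commands it would run.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks page): prepare per-customer
# Linux bridges on a KVM host so that VLAN-tagged traffic for each customer is
# steered to that customer's VM-Series firewall.  Assumptions: the trunk NIC is
# eth1, the customer/VLAN plan is the constructed CUSTOMER_PLAN below, and
# DRY_RUN=1 prints the ip commands instead of running them (applying them
# for real needs root).

TRUNK_IF="${TRUNK_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"
# constructed plan: one "<customer>:<vlan id>" word per customer
CUSTOMER_PLAN="${CUSTOMER_PLAN:-customerA:100 customerB:200}"

# run: execute a host command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vlan_id_valid ID: 802.1Q IDs usable for tagging are 1..4094 (0 and 4095 are reserved)
vlan_id_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then
        return 0
    fi
    return 1
}

# ifname_valid NAME: the kernel limits interface names to 15 characters, so a
# long customer name makes "ip link add" fail unless it is checked first
ifname_valid() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 15 ] || return 1
    case "$1" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# bridge_name CUSTOMER: one dedicated bridge per customer, e.g. br-customerA
bridge_name() {
    printf 'br-%s\n' "$1"
}

# setup_customer_bridge CUSTOMER VLAN: create the VLAN sub-interface on the trunk
# and a bridge for this customer; the customer's guests and that customer's
# VM-Series data interface are attached to the bridge afterwards (libvirt
# <interface type='bridge'>).  The bridge deliberately gets no IP address: the
# host itself must not become a hop on the customer's segment.
setup_customer_bridge() {
    customer="$1"
    vlan="$2"
    br="$(bridge_name "$customer")"
    sub="${TRUNK_IF}.${vlan}"
    vlan_id_valid "$vlan" || { echo "invalid VLAN id '$vlan' for $customer" >&2; return 1; }
    ifname_valid "$br" || { echo "bridge name '$br' is invalid or longer than 15 chars" >&2; return 1; }
    ifname_valid "$sub" || { echo "sub-interface name '$sub' is invalid or longer than 15 chars" >&2; return 1; }
    run ip link add name "$br" type bridge
    run ip link set "$br" up
    run ip link add link "$TRUNK_IF" name "$sub" type vlan id "$vlan"
    run ip link set "$sub" master "$br"
    run ip link set "$sub" up
}

# apply_plan: walk CUSTOMER_PLAN and stop at the first invalid entry rather than
# skipping it, so a typo in the plan is noticed instead of silently dropped
apply_plan() {
    for entry in $CUSTOMER_PLAN; do
        setup_customer_bridge "${entry%%:*}" "${entry#*:}" || return 1
    done
}

# Usage: sh kvm-customer-bridges.sh plan            (DRY_RUN=1: print commands)
#        DRY_RUN=0 sh kvm-customer-bridges.sh plan  (as root: apply them)
case "${1:-}" in
    plan) apply_plan ;;
esac
```

Run it once with the default DRY_RUN=1 and review the printed commands before applying them as root; a wrong VLAN ID or a bridge name over 15 characters is rejected before any command is issued.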

Options for Attaching the VM-Series on the Network

  • With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host. For external connectivity, data traffic uses the physical interface to which the bridge is attached.
  • With PCI pass-through, data traffic is passed directly between the guest and the physical interface to which it is attached. When the interface is attached to a guest, it is not available to the host or to other guests on the host.
  • With SR-IOV, data traffic is passed directly between the guest and the virtual function to which it is attached.
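The three attachment options expressed as libvirt domain XML, as an added example that is not from the Palo Alto Networks page or the VM-Series project: a POSIX shell script with one function per option (Linux bridge; Open vSwitch via <virtualport type='openvswitch'/>; PCI pass-through as a <hostdev>; and an SR-IOV virtual function as <interface type='hostdev'> with a MAC and VLAN tag), plus a validator for the PCI address, since a mistyped bus/slot/function can hand the guest a different device than intended. The bridge names, PCI addresses, MAC address and VLAN ID are constructed placeholders, and virtio is assumed for the software-bridge cases.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks page or the VM-Series project):
# emit libvirt <interface>/<hostdev> XML for the three ways of attaching a
# VM-Series data interface on a KVM host.  Bridge names, PCI addresses, MACs
# and VLAN IDs are constructed placeholders; virtio is assumed for bridges.

# pci_addr_to_xml BDF: validate a PCI address in domain:bus:slot.function form
# (e.g. 0000:03:00.2, as printed by "lspci -D") and print it as libvirt
# address attributes.  Rejecting malformed input here avoids passing through
# whatever device a truncated or mistyped address happens to match.
pci_addr_to_xml() {
    H='[0-9a-fA-F]'
    case "$1" in
        $H$H$H$H:$H$H:$H$H.[0-7]) ;;
        *) echo "pci_addr_to_xml: expected dddd:bb:ss.f, got '$1'" >&2; return 1 ;;
    esac
    dom="${1%%:*}"; rest="${1#*:}"
    bus="${rest%%:*}"; rest="${rest#*:}"
    slot="${rest%%.*}"; fn="${rest#*.}"
    printf "domain='0x%s' bus='0x%s' slot='0x%s' function='0x%s'\n" "$dom" "$bus" "$slot" "$fn"
}

# iface_bridge BRIDGE: Linux bridge attachment; guests on the same host reach
# each other through the bridge, external traffic leaves via the NIC enslaved
# to it.
iface_bridge() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$1'/>
  <model type='virtio'/>
</interface>
EOF
}

# iface_ovs OVSBRIDGE: same, but the software bridge is Open vSwitch
iface_ovs() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$1'/>
  <virtualport type='openvswitch'/>
  <model type='virtio'/>
</interface>
EOF
}

# iface_pci_passthrough BDF: hand the whole physical function to the guest;
# the host and other guests lose access to it while it is attached.
# managed='yes' lets libvirt unbind it from the host driver and bind vfio-pci.
iface_pci_passthrough() {
    addr="$(pci_addr_to_xml "$1")" || return 1
    cat <<EOF
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address $addr/>
  </source>
</hostdev>
EOF
}

# iface_sriov_vf BDF MAC VLAN: attach one SR-IOV virtual function as a network
# interface; libvirt programs the MAC and VLAN on the VF through its physical
# function before the guest sees it.  On the VM-Series side such an interface
# can only be configured as Layer 3.
iface_sriov_vf() {
    addr="$(pci_addr_to_xml "$1")" || return 1
    cat <<EOF
<interface type='hostdev' managed='yes'>
  <source>
    <address type='pci' $addr/>
  </source>
  <mac address='$2'/>
  <vlan>
    <tag id='$3'/>
  </vlan>
</interface>
EOF
}

# Usage: sh vmseries-iface-xml.sh demo > vf.xml   (one fragment per file), then
#        virsh attach-device <vm-series-domain> vf.xml --config
case "${1:-}" in
    demo) iface_sriov_vf 0000:03:10.2 52:54:00:a1:b2:c3 100 ;;
esac
```

Write one fragment per file and attach it with `virsh attach-device <domain> <file> --config`, or place it inside the domain's <devices> section before defining the guest. PCI pass-through and SR-IOV both need the IOMMU enabled on the host (for example intel_iommu=on on the kernel command line) so that the device can be bound to vfio-pci; the bridge and OVS variants have no such requirement.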