Install the VM-Series Firewall Using an ISO

Learn to deploy the VM-Series on KVM using an ISO.
Where Can I Use This? | What Do I Need?
  • KVM
  • VM-Series Firewall License (BYOL)
  • Panorama
  • VM-Series plugin
Manually create the XML definition of the VM-Series firewall, then use virsh to import the definition as an ISO. Virsh is the most powerful tool that allows for full administration of the virtual machine.

Use an ISO File to Deploy the VM-Series Firewall

If you want to pass a script to the VM-Series firewall at boot time, you can mount a CD-ROM with an ISO file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters for the management port of the firewall. The VM-Series firewall on first boot checks for the bootstrap-networkconfig.xml file, and uses the values defined in it.
If a single error is encountered in parsing the bootstrap file, the VM-Series firewall will reject all the configuration in this file and boot with default values.
  1. Create the XML file and define it as a virtual machine instance.
    In this example, the VM-Series firewall is called PAN_Firewall_DC1.
    For example:
    user-PowerEdge-R510:~/kvm_script$ sudo vi /etc/libvirt/qemu/PAN_Firewall_DC1.xml 
    user-PowerEdge-R510:~/kvm_script$ sudo virsh define /etc/libvirt/qemu/PAN_Firewall_DC1.xml 
    Domain PAN_Firewall_DC1_bootstp defined from /etc/libvirt/qemu/PAN_Firewall_DC1.xml 
    user-PowerEdge-R510:~/kvm_script$ sudo virsh -q attach-interface PAN_Firewall_DC1_bootstp bridge br1 --model=virtio --persistent 
    user-PowerEdge-R510:~/kvm_script$ virsh list --all 
     Id    Name                         State 
    --------------------------------------------- 
     -   PAN_Firewall_DC1_bootstp     shut off 
  2. Create the bootstrap XML file.
    You can define the initial configuration parameters in this file and name it bootstrap-networkconfig.
    If you do not want to include a parameter (for example, panorama-server-secondary), delete the entire line from the file. If you leave the IP address field empty, the file will not be parsed successfully.
    Use the following example as a template for the bootstrap-networkconfig file. The bootstrap-networkconfig file can include the following parameters only:
    <vm-initcfg> 
    <hostname>VM_ABC_Company</hostname> 
    <ip-address>10.5.132.162</ip-address> 
    <netmask>255.255.254.0</netmask> 
    <default-gateway>10.5.132.1</default-gateway> 
    <dns-primary>10.44.2.10</dns-primary> 
    <dns-secondary>8.8.8.8</dns-secondary> 
    <panorama-server-primary>10.5.133.4</panorama-server-primary> 
    <panorama-server-secondary>10.5.133.5</panorama-server-secondary> 
    </vm-initcfg> 
  3. Create the ISO file. In this example, we use mkisofs.
    Save the ISO file in the images directory (/var/lib/libvirt/images) or the qemu directory (/etc/libvirt/qemu) to ensure that the firewall has read access to the ISO file.
    For example:
    # mkisofs -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot -o <iso-filename> bootstrap-networkconfig.xml
  4. Attach the ISO file to the CD-ROM.
    For example:
    # virsh -q attach-disk <vm-name> <iso-filename> sdc --type cdrom --mode readonly --persistent
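
A pre-flight check for bootstrap-networkconfig.xml, to run before building the ISO in step 3, because a single parse error makes the firewall reject the whole file and boot with default values. This is an added example, not Palo Alto Networks code: the name validate_bootstrap and the sample input are constructed here, it checks only the rules stated on this page, and it assumes every address field is dotted-quad IPv4 as in the template.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Parameter names copied from the template on this page ("these parameters only").
ALLOWED = {"hostname", "ip-address", "netmask", "default-gateway", "dns-primary",
           "dns-secondary", "panorama-server-primary", "panorama-server-secondary"}

# Constructed sample: bad netmask, and a parameter left empty instead of deleted.
SAMPLE_BAD = """<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.0.255.0</netmask>
<panorama-server-secondary></panorama-server-secondary>
</vm-initcfg>"""


def validate_bootstrap(xml_text):
    """Return a list of problems; an empty list means every check here passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "vm-initcfg":
        return [f"root element is <{root.tag}>, expected <vm-initcfg>"]
    problems, seen = [], set()
    for child in root:
        value = (child.text or "").strip()
        if child.tag not in ALLOWED:
            problems.append(f"<{child.tag}>: not in the allowed parameter list")
        elif child.tag in seen:
            problems.append(f"<{child.tag}>: defined more than once")
        elif not value:
            problems.append(f"<{child.tag}>: empty, delete the whole line instead")
        elif child.tag != "hostname":
            # Assumption: all non-hostname fields are dotted-quad IPv4, as in the template.
            try:
                bits = int(ipaddress.IPv4Address(value))
            except ValueError:
                problems.append(f"<{child.tag}>: {value!r} is not an IPv4 address")
            else:
                hostbits = ~bits & 0xFFFFFFFF  # must be a solid run of low 1-bits
                if child.tag == "netmask" and hostbits & (hostbits + 1):
                    problems.append(f"<netmask>: {value!r} is not a contiguous mask")
        seen.add(child.tag)
    return problems


if __name__ == "__main__":
    for problem in validate_bootstrap(SAMPLE_BAD):
        print("REJECT:", problem)
```

An empty result only means the file passed these checks; the firewall's own parser remains the authority on what it accepts.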

Sample XML File for the VM-Series Firewall

<?xml version="1.0"?>
<domain type="kvm">
  <name>PAN_Firewall_DC1</name>
  <memory>4194304</memory>
  <currentMemory>4194304</currentMemory>
  <vcpu placement="static">2</vcpu>
  <os>
    <type arch="x86_64">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset="utc"/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type="file" device="disk">
      <driver type="qcow2" name="qemu"/>
      <source file="/var/lib/libvirt/images/panos-kvm.qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <controller type="usb" index="0"/>
    <controller type="ide" index="0"/>
    <controller type="scsi" index="0"/>
    <serial type="pty">
      <source path="/dev/pts/1"/>
      <target port="0"/>
      <alias name="serial0"/>
    </serial>
    <console type="pty" tty="/dev/pts/1">
      <source path="/dev/pts/1"/>
      <target type="serial" port="0"/>
      <alias name="serial0"/>
    </console>
    <input type="mouse" bus="ps2"/>
    <graphics type="vnc" port="5900" autoport="yes"/>
  </devices>
</domain>
To modify the number of vCPUs assigned on the VM-Series firewall, change the value 2 to 4 or 8 vCPUs in this line of the sample XML file:
<vcpu placement="static">2</vcpu>