Install the VM-Series Firewall Using Virt-Manager

Learn how to install the VM-Series firewall using virt-manager.
Where Can I Use This? What Do I Need?
  • KVM
  • VM-Series Firewall License (BYOL)
  • Panorama
  • VM-Series plugin
Perform the following procedure using virt-manager to install the VM-Series firewall on a server running KVM on RHEL.

Provision the VM-Series Firewall on a KVM Host

Use the following instructions to provision the KVM host for the VM-Series firewall.
  1. Create a new virtual machine and add the VM-Series firewall for KVM image to virt-manager.
    1. In virt-manager, select Create a new virtual machine.
    2. Add a descriptive Name for the VM-Series firewall.
    3. Select Import existing disk image, browse to the image, and set the OS Type: Linux and Version: Red Hat Enterprise Linux 6.
      If you prefer, you can leave the OS Type and Version as Generic.
    4. To add network adapters for the data interfaces:
  2. Configure the memory and CPU settings.
    1. Set the Memory to the minimum memory based on the VM-Series System Requirements of your VM-Series model.
    2. Set the CPU to the minimum CPUs based on the VM-Series System Requirements of your VM-Series model.
  3. Enable configuration customization and select the management interface bridge.
    1. Select Customize configuration before install.
    2. Under Advanced options, select the bridge for the management interface, and accept the default settings.
  4. Configure virtual disk settings.
    1. Select Disk, expand Advanced options, and select Storage format: qcow2 and Disk Bus: Virtio or IDE, based on your setup.
      If you want to use a SCSI disk bus, see Enable the Use of a SCSI Controller.
    2. Expand Performance options, and set Cache mode to writethrough. This setting improves installation time and execution speed on the VM-Series firewall.
  5. Configure network adapters.
    1. Select Add Hardware > Network if you are using a software bridge such as the Linux bridge or the Open vSwitch.
    2. For Host Device, enter the name of the bridge or select it from the drop-down list.
    3. To specify the driver, set Device Model to e-1000 or Virtio. These are the only supported virtual interface types.
    4. Select Add Hardware > PCI Host Device for PCI-passthrough or an SR-IOV capable device.
    5. In the Host Device list, select the interface on the card or the virtual function.
    6. Click Apply or Finish.
  6. Click Begin Installation. Wait 5-7 minutes for the installation to complete.
    By default, the XML template for the VM-Series firewall is created and stored at /etc/libvirt/qemu.
  7. (Optional) Bootstrap the VM-Series firewall.
    If you are using bootstrapping to perform the configuration of your VM-Series firewall on KVM, refer to Bootstrap the VM-Series Firewall on KVM. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.
  8. Configure the network access settings for the management interface.
    1. Open a connection to the console.
    2. Log in to the firewall with username/password: admin/admin.
    3. Enter configuration mode with the following command:
      configure
    4. Use the following commands to configure the management interface:
      1. set deviceconfig system type static
      2. set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
        where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
      3. commit
  9. Verify which ports on the host are mapped to the interfaces on the VM-Series firewall. To verify the order of interfaces on the Linux host, see Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall.
    To make sure that traffic is handled by the correct interface, use the following command to identify which ports on the host are mapped to the ports on the VM-Series firewall.
    admin@PAN-VM> debug show vm-series interfaces all
    Phoenix_interface  Base-OS_port  Base-OS_MAC        PCI-ID
    mgt                eth0          52:54:00:d7:91:52  0000:00:03.0
    Ethernet1/1        eth1          52:54:00:fe:8c:80  0000:00:06.0
    Ethernet1/2        eth2          0e:c6:6b:b4:72:06  0000:00:07.0
    Ethernet1/3        eth3          06:1b:a5:7e:a5:78  0000:00:08.0
    Ethernet1/4        eth4          26:a9:26:54:27:a1  0000:00:09.0
    Ethernet1/5        eth5          52:54:00:f4:62:13  0000:00:11.1
  10. Access the web interface of the VM-Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications that you want to secure.
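
The interface check in step 9 can be cross-checked from the host side. The following is an added example, not Palo Alto Networks code: it joins the firewall's output to the libvirt domain XML by guest PCI address and flags MAC or device-model mismatches (libvirt spells the e-1000 model `e1000`). The domain XML, the bridge names, and the function names `guest_pci_id` and `map_interfaces` are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First rows of the step 9 output shown on this page.
CLI_OUTPUT = """\
admin@PAN-VM> debug show vm-series interfaces all
Phoenix_interface  Base-OS_port  Base-OS_MAC        PCI-ID
mgt                eth0          52:54:00:d7:91:52  0000:00:03.0
Ethernet1/1        eth1          52:54:00:fe:8c:80  0000:00:06.0
Ethernet1/2        eth2          0e:c6:6b:b4:72:06  0000:00:07.0
"""
# Constructed libvirt domain XML (assumption); bridge names are hypothetical.
DOMAIN_XML = """<domain type='kvm'><devices>
 <interface type='bridge'><mac address='52:54:00:d7:91:52'/>
  <source bridge='br-mgmt'/><model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/></interface>
 <interface type='bridge'><mac address='52:54:00:fe:8c:80'/>
  <source bridge='br-untrust'/><model type='rtl8139'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/></interface>
 <hostdev mode='subsystem' type='pci'>
  <source><address domain='0x0000' bus='0x81' slot='0x10' function='0x1'/></source>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/></hostdev>
</devices></domain>"""
ROW = re.compile(r"^[ \t]*(\S+)[ \t]+\S+[ \t]+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})[ \t]+"
                 r"([0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])[ \t]*$", re.I | re.M)

def guest_pci_id(dev):
    """Render a device's guest-side <address> in the firewall's PCI-ID notation."""
    addr = dev.find("address").attrib  # direct child; <source><address> is the host side
    d, b, s, f = (int(addr[k], 16) for k in ("domain", "bus", "slot", "function"))
    return f"{d:04x}:{b:02x}:{s:02x}.{f:x}"

def map_interfaces(cli_output, domain_xml):
    """Yield (firewall_if, host_backing, problems), joining both sides on PCI-ID."""
    devs = ET.fromstring(domain_xml).find("devices")
    by_pci = {guest_pci_id(d): d for d in devs if d.tag in ("interface", "hostdev")
              and d.find("address[@type='pci']") is not None}
    for fw_if, mac, pci in ROW.findall(cli_output):
        dev, backing, problems = by_pci.get(pci.lower()), "unknown", []
        if dev is None:
            problems.append("no device at this PCI-ID in the domain XML")
        elif dev.tag == "hostdev" or dev.get("type") == "hostdev":
            backing = "pci-host-device"
        else:
            backing = "bridge:" + dev.find("source").get("bridge", "?")
            if dev.find("mac").get("address", "").lower() != mac.lower():
                problems.append("MAC differs from the domain XML")
            if all(dev.find(f"model[@type='{m}']") is None for m in ("e1000", "virtio")):
                problems.append("device model is not e1000 or virtio")
        yield fw_if, backing, problems
```

On a live host, the XML input would come from `virsh dumpxml` for the firewall's domain, and a row whose backing is not the bridge you intended for that interface means traffic will arrive on the wrong firewall port.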

Perform Initial Configuration of the VM-Series Firewall on KVM

Use the virtual appliance console on the KVM server to set up network access to the VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator’s Guide for more information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on KVM, refer to Bootstrap the VM-Series Firewall on KVM.
For general information about bootstrapping, see Bootstrap the VM-Series Firewall.
  1. Gather the required information from your network administrator.
    • IP address for MGT port
    • Netmask
    • Default gateway
    • DNS server IP address
  2. Access the console of the VM-Series firewall.
    1. Select the Console tab on the KVM server for the VM-Series firewall, or right-click the VM-Series firewall and select Open Console.
    2. Press enter to access the login screen.
    3. Enter the default username/password (admin/admin) to log in.
    4. Enter configure to switch to configuration mode.
  3. Configure the network access settings for the management interface.
    Enter the following commands:
    set deviceconfig system type static
    set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
  4. Commit your changes and exit the configuration mode.
    Enter commit.
    Enter exit.