>
    Strata Copilot
    Prepare the Linux Server
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on KVM
    4. Prepare the Linux Server
    Download PDF
    VM-Series

    Prepare the Linux Server

    Table of Contents

    Prepare the Linux Server

    Perform the preparatory steps on your Linux server for the VM-Series.
    Where Can I Use This?What Do I Need?
    • KVM
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series plugin
    • Panorama plugin for KVM
    Before you install the VM-Series firewall on KVM, verify that you have a working Linux environment and that your networking infrastructure supports the connectivity a that your chosen deployment requires.

    Verify Linux Support

    Verify that you have the correct environment to support your installation.
    • Check the Linux distribution version. For a list of supported versions, see VM-Series for KVM in the Compatibility Matrix.
    • Verify that you have installed and configured KVM tools and packages for creating and managing virtual machines, such as Libvirt.
    • If you want to use a SCSI disk controller to access the disk to which the VM-Series firewall stores data, you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions, see Enable the Use of a SCSI Controller.
      KVM on Ubuntu 12.04 does not support the virtio-scsi controller.

    Verify the Networking Infrastructure

    Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM-Series firewall and ensure you have connectivity to an external server or the internet. The VM-Series firewall can connect using a Linux bridge, the Open vSwitch, PCI pass-through, or SR-IOV capable network card.
    • Make sure that the link state for each interface you plan to use is Up—sometimes you have to manually bring up the interface.
    • If using a Linux bridge or OVS, verify that you have set up the bridges required to send or receive traffic to/from the firewall. If not, create bridges and verify that they are up before you begin installing the firewall.
    • If using SR-IOV or PCI-pass-through, verify the PCI ID of all the interfaces. To view the list, use the following command:
      Virsh nodedev-list –tree
      See Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall.
    • If using SR-IOV or PCI-pass-through, verify that the virtualization extensions (VT-d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
    • If using PCI-pass-through, ensure that the VM-Series firewall has exclusive access to one or more interfaces that you plan to attach to it.
      To allow exclusive access, you must manually detach one or more interfaces from the Linux server.
      Virsh nodedev-detach <pci id of interface>
      For example:
      Virsh nodedev-detach pci_0000_07_10_0
      In some cases, you might need to edit /etc/libvirt/qemu.conf and uncomment relaxed_acs_check = 1.
    • If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions.
      Enable virtual functions as follows:
      1. Create a new file in this location: /etc/modprobe.d/
      2. Use vi to edit the file to make the functions persistent:
        vim /etc/modprobe.d/igb.conf
      3. Enable the number of virtual functions required:
        options igb max_vfs=4
        In the above example, after you save the changes and reboot the Linux server, each interface (or physical function) will have 4 virtual functions.
      Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported, and instructions to enable virtual functions.

    Install Mellanox Software Tools

    If you are using a Mellanox CX5 card, install the Mellanox software tools on the host. Before installing, verify Linux support and your networking infrastructure.
    1. From the host, download the package for Mellanox OpenFabric Enterprise Distribution for Linux (MLNX_OFED) for your OS version from the following link:
      https://www.mellanox.com/products/infiniband-drivers/linux/mlnx_ofed
    2. Run the installation command:
      mlnxofedinstall
      If you have all the prerequisite packages installed, the above command installs all the MLNX_OFED packages. Continue to Step 3.
      If your environment doesn’t have the required packages, the installer lists all the packages that you must install. After you install the packages, rerun the installation command and continue to Step 3.
    3. Reboot the host.
    4. Check the status of the Mellanox software tools.
      mst status
MST modules:	
------------------------------------------------------------------
  MST PCI module is not loaded
  MST PCI configuration module loaded

MST devices:
------------------------------------------------------------------
/dev/mst/mt4121_pciconf0     - PCI configuration cycles access.
        domain:bus:dev.fn=0000:3b:00.0 addr.reg=88 data.reg=92
        Chip revision is: 00
    5. Ensure Mellanox is updated on the PCI list:
      # lspci | grep Mellanox
3b:00.0 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex]
3b:00.1 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex]

    Enable Virtual Functions for Mellanox CX5 NICs on the VM-Series Firewall on KVM

    Install the Mellanox software tools before you enable virtual functions on Mellanox Cx5 NICs.
    1. Ensure Mellanox Software Tools (mst) are started.
    2. Enable the number of virtual functions required. For example: 
      mlxconfig -d /dev/mst/mt4121_pciconf0 set SRIOV_EN=1 NUM_OF_VFS=4
      After you save the changes and reboot the Linux server, each interface (or physical function) in the above example will have 4 virtual functions. Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported, and the instructions to enable virtual functions.
      You might see the following error message the first time you enable virtual functions on Mellanox Cx5 NICs:
      [ 1429.841162] mlx5_core 0000:3b:00.1: mlx5_port_module_event:1025:(pid 0): Port module event[error]: module 1, Cable error, One or more network ports have been powered down due to insufficient/unadvertised power on the PCIe slot. Please refer to the card's user manual for power specifications or contact Mellanox support
      To resolve the issue, enter the following command sequence on the Linux server:
      # mlxconfig -d <dev> set ADVANCED_POWER_SETTINGS=1
# mlxconfig -d <dev> set DISABLE_SLOT_POWER_LIMITER=1
# reboot
    3. Check the status of the virtual functions.
      # cat  /sys/class/net/enp59s0f1/device/sriov_numvfs
      (Optional) If the virtual functions are not set correctly (the status is 0 or empty), run the following command:
      # echo 4 > /sys/class/net/enp59s0f1/device/sriov_numvfs
    4. List the PCI devices to accurately match the number of virtual functions loaded on the respective physical function for Mellanox:
      # lspci | grep Mellanox
3b:00.0 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex]
3b:00.1 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex]
3b:00.2 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:00.3 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:00.4 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:00.5 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:00.6 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:00.7 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:01.0 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]
3b:01.1 Ethernet controller: Mellanox Technologies MT28800 Family [ConnectX-5 Ex Virtual Function]

    Verify the Host Configuration

    Configure the host for maximum VM-Series performance.
    • Enable DPDK—DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries. Open vSwitch is required to use DPDK with the VM-Series firewall.
    • Enable SR-IOV—Single Root I/O Virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
    • Enable multi-queue support for NICs—Multiqueue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
    • Isolate CPU resources in a NUMA node—You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single nonuniform memory access (NUMA) node.

    © 2026 Palo Alto Networks, Inc. All rights reserved.