Prepare to Set Up the VM-Series Firewall on OCI
Explore the prerequisites needed to deploy the VM-Series on OCI.
| Where Can I Use This? | What Do I Need? |
|---|---|
| Oracle Cloud Infrastructure (OCI) instance | VM-Series License (BYOL) |
| | VM-Series plugin |
| | Panorama |
| | Panorama plugin for OCI |
Before you can deploy the VM-Series firewall on Oracle Cloud Infrastructure, you must complete the following preparation tasks.
Virtual Cloud Networks
A virtual cloud network (VCN) is a virtual private network that you set up in your OCI
environment. To deploy the VM-Series firewall in OCI, your VCN must
have at least three virtual network interface cards (VNICs) for the management
interface and two data interfaces.
OCI uses route tables to send traffic out of your VCN, and one route table is attached to each subnet. A subnet is a division of your VCN. If you don't specify a route table, the subnet uses the VCN's default route table. Each route table rule specifies a destination CIDR block and a next hop (target) for any traffic that matches that CIDR. OCI only consults a subnet's route table if the destination IP address is outside the VCN's CIDR block; route rules are not required to enable traffic within the VCN. If traffic matches overlapping rules, OCI uses the most specific rule in the route table to route the traffic.
If no route rule matches traffic that is attempting to leave the VCN, the traffic is dropped.
Each subnet requires a route table, and once you have attached a route table to a subnet, you can't change it. However, you can add, remove, or edit rules in a route table after it is created.
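The three routing behaviors described above (traffic inside the VCN CIDR never consults the route table, overlapping rules resolve to the most specific prefix, and unmatched egress traffic is dropped) are easy to get wrong when planning which subnets are steered through the firewall. The following added example, which is not part of the original page or of any Palo Alto Networks or Oracle code, simulates a single subnet's route table lookup so you can check a planned rule set against sample destinations before creating it in OCI. The VCN CIDR, the rules, and the target labels (`internet-gateway`, `drg-on-prem`, `vmseries-trust-ip`, `local`) are constructed for the illustration.

```python
import ipaddress
from typing import Optional

# Constructed sample values (not from the page): the VCN CIDR and one subnet's route table.
VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Each rule is (destination CIDR, target). Targets are hypothetical labels standing in
# for OCI gateways or the firewall's private IP; the third rule is more specific than
# the second, so traffic to 192.168.10.0/24 goes through the firewall instead of the DRG.
ROUTE_RULES = [
    ("0.0.0.0/0", "internet-gateway"),
    ("192.168.0.0/16", "drg-on-prem"),
    ("192.168.10.0/24", "vmseries-trust-ip"),
]


def next_hop(dst: str, vcn_cidr=VCN_CIDR, rules=ROUTE_RULES) -> Optional[str]:
    """Return the target OCI would use for a packet to dst, or None if it is dropped.

    "local" is a constructed label meaning the packet stays inside the VCN and the
    route table is not consulted at all.
    """
    ip = ipaddress.ip_address(dst)
    if ip in vcn_cidr:
        return "local"
    best_target, best_len = None, -1
    for cidr, target in rules:
        net = ipaddress.ip_network(cidr)
        # Longest-prefix match: among overlapping rules the most specific wins.
        if ip.version == net.version and ip in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target  # None means no rule matched, so OCI drops the traffic


def route_plan(destinations, vcn_cidr=VCN_CIDR, rules=ROUTE_RULES) -> dict:
    """Map each sample destination to its outcome ("local", a target, or "DROP")."""
    return {d: (next_hop(d, vcn_cidr, rules) or "DROP") for d in destinations}


if __name__ == "__main__":
    samples = ["10.0.3.7", "192.168.10.25", "192.168.20.5", "8.8.8.8"]
    for dst, outcome in route_plan(samples).items():
        print(f"{dst:>15} -> {outcome}")
    # Without a default route, internet-bound traffic is dropped rather than forwarded.
    print(route_plan(["8.8.8.8"], rules=[("192.168.0.0/16", "drg-on-prem")]))
```

Run it with a copy of your planned rules to confirm that every destination you expect to inspect resolves to the firewall's trust-side IP and that nothing you rely on falls through to `DROP`.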
SSH Keys
You must create an SSH key pair to log in to the firewall for the first time. You can't use the default username and password to access the firewall for the first time. After the firewall boots up for the first time, you must access the firewall through the CLI and create a new username and password.
Create an SSH key pair and store the SSH key pair in the default location for your operating system.
- On Linux or macOS, use ssh-keygen to create the key pair in your .ssh directory.
- On Windows, use PuTTYgen to create the key pair. The content of the Key comment field does not matter to the VM-Series firewall; you can accept the default (the key creation date) or enter a comment that helps you remember the name of the key pair. Use the Save private key button to store the private key in your .ssh directory.
Select the full public key.
- Linux or macOS: Open your public key in a text editor and copy the public key.
- Windows: You must use the PuTTY Key Generator to view the public key. Launch PuTTYgen, click Load, and browse to the private key you saved in your .ssh directory. In PuTTYgen, scroll down to ensure you select the entire key, right-click, and choose Copy.
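A partially selected public key is the most common way the first login fails, and the mistake is only discovered after the instance has launched. The following added example, not part of the original page or of any Palo Alto Networks, OpenSSH or PuTTY code, checks that a pasted key line is a complete one-line OpenSSH public key (the format ssh-keygen writes and PuTTYgen displays for pasting) by decoding the base64 blob and walking its length-prefixed fields. The sample key is constructed with dummy key bytes and is not a real key; `truncate_blob` is a hypothetical helper that simulates an incomplete selection.

```python
import base64
import struct


def _build_blob(*fields: bytes) -> bytes:
    """Encode fields the way OpenSSH does: each as a 4-byte big-endian length plus bytes."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


# Constructed sample, not a real key: the shape of an ed25519 public key line
# (key type, base64 blob, comment) built from 32 dummy key bytes.
SAMPLE_PUBLIC_KEY = (
    "ssh-ed25519 "
    + base64.b64encode(_build_blob(b"ssh-ed25519", bytes(range(32)))).decode()
    + " vmseries-oci-constructed"
)


def parse_openssh_public_key(line: str) -> dict:
    """Parse one authorized_keys-style line; raise ValueError if it is incomplete."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise ValueError(f"blob is not valid base64 (partial copy?): {e}") from e
    # The blob is a sequence of length-prefixed fields; the first names the key type.
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("blob ends inside a length prefix (partial copy?)")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("blob ends inside a field (partial copy?)")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type prefix does not match the type inside the blob")
    return {"type": key_type, "comment": comment, "fields": len(fields)}


def is_complete_public_key(line: str) -> bool:
    """True if the pasted line parses as a whole OpenSSH public key."""
    try:
        parse_openssh_public_key(line)
        return True
    except ValueError:
        return False


def truncate_blob(line: str, keep: int) -> str:
    """Hypothetical helper: simulate a partial selection by keeping only `keep` base64 characters."""
    key_type, blob_b64, *rest = line.split()
    return " ".join([key_type, blob_b64[:keep], *rest])


if __name__ == "__main__":
    for candidate in (SAMPLE_PUBLIC_KEY, truncate_blob(SAMPLE_PUBLIC_KEY, 40)):
        print(is_complete_public_key(candidate), candidate[:48] + "...")
```

Paste the exact text you intend to give the OCI console into `is_complete_public_key` before launching the instance; a `False` result means the selection was cut short or the key type prefix was altered while copying.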
Initial Configuration User Data
Use the following bootstrapping parameters when setting up the VM-Series firewall
instance. OCI uses this information to perform the initial configuration of the
firewall, which provides the firewall with a hostname and license and connects the
firewall to Panorama, if applicable.
The vm-auth-key parameter is only required if your
VM-Series firewall can connect to the Palo Alto Networks licensing servers.
The Panorama-related fields are required only if you have a Panorama appliance
and want to use Panorama to manage your VM-Series firewall.
| Parameter | Description |
|---|---|
| hostname= | Host name for the firewall. |
| vm-auth-key= | Virtual machine authentication key for registering the firewall with Panorama. |
| panorama-server= | IPv4 or IPv6 address of the primary Panorama server. This field isn't required but is recommended for centrally managing your firewalls. |
| panorama-server-2= | IPv4 or IPv6 address of the secondary Panorama server. This field isn't required but is recommended. |
| tplname= | Panorama template stack name. If you add a Panorama server IP address, as a best practice, assign the firewall to a template stack on Panorama and enter the template stack name in this field so that you can centrally manage and push configuration settings to the firewall. |
| dgname= | Panorama device group name. If you add a Panorama server IP address, as a best practice, create a device group on Panorama and enter the device group name in this field so that you can group the firewalls logically and push policy rules to the firewall. |
| authcodes= | Used to license the VM-Series firewall with the Palo Alto Networks licensing server. |
| op-command-modes=jumbo-frame | Used to enable jumbo frame mode on the VM-Series firewall. Because OCI deploys VM instances in jumbo mode by default, it's recommended that you launch the VM-Series firewall in jumbo mode to achieve the best throughput. |
Paste the bootstrapping parameters into the OCI console in the following format.
hostname=<fw-hostname>
vm-auth-key=<auth-key>
panorama-server=<panorama-ip>
panorama-server-2=<panorama2-ip>
tplname=<template-stack-name>
dgname=<device-group-name>
authcodes=<firewall-authcode>
op-command-modes=jumbo-frame
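Because the user-data block is consumed once at first boot, a typo, a leftover `<placeholder>`, or a Panorama address without the matching template stack and device group is only noticed after the firewall has come up unmanaged. The following added example, not part of the original page or of any Palo Alto Networks code, parses a user-data block in the format shown above and reports the inconsistencies that the parameter descriptions make checkable: missing hostname, unfilled angle-bracket placeholders, Panorama fields that are not IP addresses, and Panorama-related fields that do not accompany a `panorama-server` value. The sample blocks are constructed; the key names come from the page, and the dependency between `panorama-server` and `vm-auth-key`/`tplname`/`dgname` is taken from the descriptions, not from any vendor validation rule.

```python
import ipaddress

# Parameter names as listed on the page for the OCI user-data block.
KNOWN_KEYS = {
    "hostname", "vm-auth-key", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "authcodes", "op-command-modes",
}
# Fields that only make sense alongside panorama-server.
PANORAMA_DEPENDENT = ("panorama-server-2", "tplname", "dgname")

# Constructed sample blocks (values are not real keys or authcodes).
SAMPLE_GOOD = """\
hostname=fw-oci-01
vm-auth-key=CONSTRUCTED-VM-AUTH-KEY
panorama-server=10.0.100.5
panorama-server-2=10.0.100.6
tplname=oci-template-stack
dgname=oci-device-group
authcodes=CONSTRUCTED-AUTHCODE
op-command-modes=jumbo-frame
"""
SAMPLE_BAD = """\
vm-auth-key=<auth-key>
panorama-server=panorama.example.invalid
tplname=oci-template-stack
"""


def parse_user_data(text: str) -> dict:
    """Parse key=value lines into a dict; blank lines are ignored."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        if key in params:
            raise ValueError(f"line {lineno}: duplicate parameter {key!r}")
        params[key] = value
    return params


def _is_placeholder(value: str) -> bool:
    # The page's template uses <angle-bracket> placeholders; flag any left unfilled.
    return value.startswith("<") and value.endswith(">")


def check_user_data(text: str) -> list:
    """Return a list of problems found in a user-data block (empty means consistent)."""
    try:
        p = parse_user_data(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    for key in p:
        if key not in KNOWN_KEYS:
            problems.append(f"unknown parameter {key!r}")
    if not p.get("hostname"):
        problems.append("hostname is missing or empty")
    for key, value in p.items():
        if _is_placeholder(value):
            problems.append(f"{key} still holds the template placeholder {value}")
    for key in ("panorama-server", "panorama-server-2"):
        value = p.get(key, "")
        if value and not _is_placeholder(value):
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{key} must be an IPv4 or IPv6 address, got {value!r}")
    if p.get("panorama-server"):
        # Registration and central management need these alongside the server address.
        for key in ("vm-auth-key", "tplname", "dgname"):
            if not p.get(key):
                problems.append(f"panorama-server is set but {key} is empty")
    else:
        for key in PANORAMA_DEPENDENT:
            if p.get(key):
                problems.append(f"{key} is set but panorama-server is not")
    return problems


if __name__ == "__main__":
    for label, block in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_user_data(block) or "OK")
```

Run `check_user_data` on the text you are about to paste into the console; an empty list means the block is internally consistent, while each reported string names the line or parameter to correct.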