
VM-Series Deployment Guide
Version 8.0

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About this Guide

This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to deploy the VM-Series firewall.
For more information, refer to the following sources:

For information on the additional capabilities of and instructions for configuring the features on your firewall, refer to https://www.paloaltonetworks.com/documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS 8.0 release notes, go to https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: June 12, 2017

2 VM-Series 8.0 Deployment Guide Palo Alto Networks, Inc.
Table of Contents

About the VM-Series Firewall ... 9
  VM-Series Models ... 10
    VM-Series System Requirements ... 10
    CPU Oversubscription ... 11
  VM-Series Deployments ... 13
  VM-Series in High Availability ... 15
  Upgrade the VM-Series Firewall ... 16
    Upgrade the PAN-OS Software Version (Standalone Version) ... 16
    Upgrade the PAN-OS Software Version (VM-Series for NSX) ... 17
    Upgrade the VM-Series Model ... 19
    Upgrade the VM-Series Model in an HA Pair ... 21
    Upgrade Panorama 7.1 to Panorama 8.0 ... 22
  Enable Jumbo Frames on the VM-Series Firewall ... 23
  Hypervisor Assigned MAC Addresses ... 24

License the VM-Series Firewall ... 25
  License Types - VM-Series Firewalls ... 26
    VM-Series Firewall for NSX Licenses ... 26
    VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses ... 26
  Serial Number and CPU ID Format for the VM-Series Firewall ... 28
  Create a Support Account ... 29
  Register the VM-Series Firewall ... 30
    Register the VM-Series Firewall (with auth code) ... 30
    Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code) ... 31
  Switch Between the BYOL and the PAYG Licenses ... 33
  Activate the License ... 35
    Activate the License for the VM-Series Firewall (Standalone Version) ... 35
    Activate the License for the VM-Series Firewall for VMware NSX ... 36
  Deactivate the License(s) ... 39
    Install a License Deactivation API Key ... 39
    Deactivate a Feature License or Subscription Using the CLI ... 40
    Deactivate VM ... 41
  Licensing API ... 45
    Manage the Licensing API Key ... 45
    Use the Licensing API ... 46
    Licensing API Error Codes ... 49
  Licenses for Cloud Security Service Providers (CSSPs) ... 50
    Get the Auth Codes for CSSP License Packages ... 50
    Register the VM-Series Firewall with a CSSP Auth Code ... 51
    Add End-Customer Information for a Registered VM-Series Firewall ... 52


Set Up a VM-Series Firewall on an ESXi Server ... 55
  Supported Deployments on VMware vSphere Hypervisor (ESXi) ... 56
  VM-Series on ESXi System Requirements and Limitations ... 57
    Requirements ... 57
    Limitations ... 58
  Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi) ... 59
    Plan the Interfaces for the VM-Series for ESXi ... 59
    Provision the VM-Series Firewall on an ESXi Server ... 60
    Perform Initial Configuration on the VM-Series on ESXi ... 63
    Add Additional Disk Space to the VM-Series Firewall ... 64
    Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air ... 65
  Troubleshoot ESXi Deployments ... 68
    Basic Troubleshooting ... 68
    Installation Issues ... 68
    Licensing Issues ... 70
    Connectivity Issues ... 71
  Performance Tuning of the VM-Series for ESXi ... 73
    Install the NIC Driver on ESXi ... 73
    Enable DPDK on ESXi ... 75
    Enable SR-IOV on ESXi ... 75
    Enable Multi-Queue Support for NICs on ESXi ... 76

Set Up the VM-Series Firewall on vCloud Air ... 77
  About the VM-Series Firewall on vCloud Air ... 78
  Deployments Supported on vCloud Air ... 79
  Deploy the VM-Series Firewall on vCloud Air ... 80

Set Up a VM-Series Firewall on the Citrix SDX Server ... 87
  About the VM-Series Firewall on the SDX Server ... 88
  System Requirements and Limitations ... 89
    Requirements ... 89
    Limitations ... 89
  Supported Deployments - VM-Series Firewall on Citrix SDX ... 91
    Scenario 1 - Secure North-South Traffic ... 91
    Scenario 2 - Secure East-West Traffic (VM-Series Firewall on Citrix SDX) ... 94
  Install the VM-Series Firewall on the SDX Server ... 95
    Upload the Image to the SDX Server ... 95
    Provision the VM-Series Firewall on the SDX Server ... 95
  Secure North-South Traffic with the VM-Series Firewall ... 97
    Deploy the VM-Series Firewall Using L3 Interfaces ... 97
    Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces ... 101
    Deploy the VM-Series Firewall Before the NetScaler VPX ... 103
  Secure East-West Traffic with the VM-Series Firewall ... 106


Set Up the VM-Series Firewall on VMware NSX ... 109
  VM-Series for NSX Firewall Overview ... 110
    What are the Components of the VM-Series for NSX Solution? ... 110
    How Do the Components in the VM-Series Firewall for NSX Solution Work Together? ... 113
    What are the Benefits of the NSX VM-Series firewall for NSX Solution? ... 118
    What is Multi-Tenant Support on the VM-Series Firewall for NSX? ... 119
  VM-Series Firewall for NSX Deployment Checklist ... 121
  Install the VMware NSX Plugin ... 123
  Register the VM-Series Firewall as a Service on the NSX Manager ... 124
    Enable Communication Between the NSX Manager and Panorama ... 124
    Create Template(s) and Device Group(s) on Panorama ... 126
    Create the Service Definitions on Panorama ... 127
  Create Steering Rules ... 133
  Deploy the VM-Series Firewall ... 137
    Enable SpoofGuard ... 137
    Define an IP Address Pool ... 138
    Prepare the ESXi Host for the VM-Series Firewall ... 139
    Deploy the Palo Alto Networks NGFW Service ... 140
    Apply Policies to the VM-Series Firewall ... 145
    Enable Large Receive Offload ... 148
  Steer Traffic from Guests that are not Running VMware Tools ... 150
  Dynamically Quarantine Infected Guests ... 151
  Use Case: Shared Compute Infrastructure and Shared Security Policies ... 156
  Use Case: Shared Security Policies on Dedicated Compute Infrastructure ... 161
  Dynamic Address Groups - Information Relay from NSX Manager to Panorama ... 168

Set Up the VM-Series Firewall on AWS ... 175
  About the VM-Series Firewall on AWS ... 176
    VM-Series Firewall on AWS GovCloud ... 176
    AWS Terminology ... 176
    Management Interface Mapping for Use with Amazon ELB ... 178
  Deployments Supported on AWS ... 180
  Deploy the VM-Series Firewall on AWS ... 183
    Obtain the AMI ... 183
    Review System Requirements and Limitations for VM-Series on AWS ... 185
    Planning Worksheet for the VM-Series in the AWS VPC ... 185
    Launch the VM-Series Firewall on AWS ... 187
    Use the VM-Series Firewall CLI to Swap the Management Interface ... 194
    Enable CloudWatch Monitoring on the VM-Series Firewall ... 195
  High Availability for VM-Series Firewall on AWS ... 198
    Overview of HA on AWS ... 198
    IAM Roles for HA ... 199
    HA Links ... 200
    Heartbeat Polling and Hello Messages ... 200
    Device Priority and Preemption ... 201
    HA Timers ... 201


    Configure Active/Passive HA on AWS ... 202
  Use Case: Secure the EC2 Instances in the AWS Cloud ... 207
  Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC ... 219
  Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS ... 223
    Solution Overview - Secure Highly Available Internet-Facing Applications ... 223
    Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS ... 225
    Set Up the VPC ... 226
    Deploy the VM-Series Firewalls in the VPC ... 228
    Launch the VM-Series Firewalls and the NetScaler VPX ... 229
    Configure the VM-Series Firewall for Securing Outbound Access from the VPC ... 232
    Configure the Firewalls that Secure the Web Farm ... 234
    Configure the Firewall that Secures the RDS ... 236
    Deploy the Web Farm in the VPC ... 237
    Set Up the Amazon Relational Database Service (RDS) ... 239
    Configure the Citrix NetScaler VPX ... 241
    Set up Amazon Route 53 ... 243
    Verify Traffic Enforcement ... 244
    Port Translation for Service Objects ... 245
  Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS ... 247
    Components of the GlobalProtect Infrastructure ... 248
    Deploy GlobalProtect Gateways on AWS ... 248
  Auto Scale VM-Series Firewalls with the Amazon ELB ... 250
    What Components Does the VM-Series Auto Scaling Template for AWS Deploy? ... 251
    How Does the VM-Series Auto Scaling Template for AWS Enable Dynamic Scaling? ... 253
    Plan the VM-Series Auto Scaling Template for AWS ... 254
    Launch the VM-Series Auto Scaling Template for AWS ... 261
    Customize the Bootstrap.xml File ... 275
    Use the GitHub Bootstrap Files as Seed ... 275
    Create a new Bootstrap File from Scratch ... 276
    NAT Policy Rule and Address Objects in the Auto Scaling Template ... 278
    Stack Update with VM-Series Auto Scaling Template for AWS (v1.2) ... 279
    Modify Administrative Account and Update Stack ... 283
    Troubleshoot the VM-Series Auto Scaling Template for AWS ... 283
  List of Attributes Monitored on the AWS VPC ... 290
    IAM Permissions Required for Monitoring the AWS VPC ... 290

Set Up the VM-Series Firewall on KVM ... 293
  VM-Series on KVM - Requirements and Prerequisites ... 294
    System Requirements ... 294
    Options for Attaching the VM-Series on the Network ... 295
    Prerequisites for VM-Series on KVM ... 295
  Supported Deployments on KVM ... 298
    Secure Traffic on a Single Host ... 298
    Secure Traffic Across Linux hosts ... 298
  Install the VM-Series Firewall on KVM ... 300
    Enable the Use of a SCSI Controller ... 306


    Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall ... 306
    Use an ISO File to Deploy the VM-Series Firewall ... 307
  Performance Tuning of the VM-Series for KVM ... 311
    Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS ... 311
    Enable Open vSwitch on KVM ... 311
    Integrate Open vSwitch with DPDK ... 312
    Enable SR-IOV on KVM ... 316
    Enable Multi-Queue Support for NICs on KVM ... 317
    Isolate CPU Resources in a NUMA Node on KVM ... 317

Set Up the VM-Series Firewall on Hyper-V ... 321
  Supported Deployments on Hyper-V ... 322
    Secure Traffic on a Single Hyper-V Host ... 322
    Secure Traffic Across Multiple Hyper-V Hosts ... 322
  System Requirements on Hyper-V ... 324
    Linux Integration Services ... 324
  Install the VM-Series Firewall on Hyper-V ... 325
    Before You Begin ... 325
    Performance Tuning of the VM-Series Firewall on Hyper-V ... 326
    Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager ... 326
    Provision the VM-Series Firewall on a Hyper-V host with PowerShell ... 328
    Perform Initial Configuration on the VM-Series Firewall ... 329

Set up the VM-Series Firewall on Azure ... 333
  About the VM-Series Firewall on Azure ... 334
    Azure Networking and VM-Series ... 334
    VM-Series Firewall Templates on Azure ... 335
    Minimum System Requirements for the VM-Series on Azure ... 335
  Deployments Supported on Azure ... 337
  Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) ... 338
  Use the ARM Template to Deploy the VM-Series Firewall ... 344
  Deploy the VM-Series and Azure Application Gateway Template ... 348
    VM-Series and Azure Application Gateway Template ... 349
    Start Using the VM-Series & Azure Application Gateway Template ... 350
    Deploy the Template to Azure ... 350
    VM-Series and Azure Application Gateway Template Parameters ... 354
    Sample Configuration File ... 355
    Adapt the Template ... 356

Set Up the VM-Series Firewall on OpenStack ... 357
  VM-Series Firewall for OpenStack ... 358
    Components of the VM-Series for OpenStack Solution ... 358
    Orchestration with the Heat Template ... 359
  VM-Series Firewall on OpenStack Deployment Checklist ... 362
  Install the VM-Series Firewall in OpenStack ... 363


Bootstrap the VM-Series Firewall ... 367
  VM-Series Firewall Bootstrap Workflow ... 368
  Bootstrap Package ... 369
  Bootstrap Configuration Files ... 371
  Generate the VM Auth Key on Panorama ... 372
  Create the init-cfg.txt File ... 374
  Create the bootstrap.xml File ... 377
  Prepare the Licenses for Bootstrapping ... 378
  Prepare the Bootstrap Package ... 379
  Bootstrap the VM-Series Firewall on ESXi ... 380
    Bootstrap the VM-Series Firewall on ESXi with an ISO ... 380
    Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device ... 380
  Bootstrap the VM-Series Firewall on Hyper-V ... 382
    Bootstrap the VM-Series Firewall on Hyper-V with an ISO ... 382
    Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device ... 382
  Bootstrap the VM-Series Firewall on KVM ... 384
    Bootstrap the VM-Series Firewall on KVM with an ISO ... 384
    Bootstrap the VM-Series Firewall on KVM With a Block Storage Device ... 385
    Bootstrap the VM-Series Firewall on KVM in OpenStack ... 385
  Bootstrap the VM-Series Firewall in AWS ... 389
  Bootstrap the VM-Series Firewall in Azure ... 391
  Verify Bootstrap Completion ... 393
  Bootstrap Errors ... 394

About the VM-Series Firewall

The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west and north-south traffic.

VM-Series Models
VM-Series Deployments
VM-Series in High Availability
Upgrade the VM-Series Firewall
Enable Jumbo Frames on the VM-Series Firewall
Hypervisor Assigned MAC Addresses


VM-Series Models

The VM-Series firewall is available in the following models: VM-50, VM-100, VM-200, VM-300, VM-500, VM-700, and VM-1000-HV.

All models can be deployed as guest virtual machines on VMware ESXi and vCloud Air, Citrix NetScaler SDX, Amazon Web Services, KVM and KVM in OpenStack, and Microsoft Hyper-V and Azure; on VMware NSX, only the VM-100, VM-200, VM-300, VM-500, and VM-1000-HV firewalls are supported. The software package (.xva, .ova, or .vhdx file) that is used to deploy the VM-Series firewall is common across all models. When you apply the capacity license on the VM-Series firewall, the model number and the associated capacities are implemented on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM-Series firewall is optimized to handle. To make sure that you purchase the correct model for your network requirements, use the following table to understand the maximum capacity for each model and the capacity differences by model:

Model               Sessions    Security Rules  Dynamic IP Addresses  Security Zones  IPSec VPN Tunnels  SSL VPN Tunnels
VM-50               50,000      250             1,000                 15              250                250
VM-100, VM-200      250,000     1,500           2,500                 40              1,000              500
VM-300, VM-1000-HV  800,000     10,000          100,000               40              2,000              2,000
VM-500              2,000,000   10,000          100,000               200             4,000              6,000
VM-700              10,000,000  20,000          100,000               200             8,000              12,000

For information on the platforms on which you can deploy the VM-Series firewall, see VM-Series Deployments. For more information about the VM-Series firewall models, see the Palo Alto Networks Firewall comparison tool. You can also review general information About the VM-Series Firewall.

VM-Series System Requirements
CPU Oversubscription

VM-Series System Requirements

Each instance of the VM-Series firewall requires a minimum resource allocation (number of CPUs, memory, and disk space) on its host server. Use the table below to verify that you allocate the necessary hardware resources for your VM-Series model.

When upgrading to 8.0 or the VM-Series model license, you may be required to allocate additional hardware resources before completing your upgrade.


VM-Series Model      Supported Hypervisors                     Supported vCPUs  Minimum Memory  Minimum Hard Drive
VM-50                ESXi, KVM, Hyper-V                        2                4.5 GB          32 GB (60 GB at boot)
VM-100, VM-200       ESXi, KVM, Hyper-V, AWS, Azure, NSX, SDX  2                6.5 GB          60 GB
VM-300, VM-1000-HV   ESXi, KVM, Hyper-V, AWS, Azure, NSX, SDX  2, 4             9 GB            60 GB
VM-500               ESXi, KVM, Hyper-V, AWS, Azure, NSX       2, 4, 8          16 GB           60 GB
VM-700               ESXi, KVM, Hyper-V, AWS, Azure            2, 4, 8, 16      56 GB           60 GB

To achieve the best performance, all of the needed cores should be available on a single CPU socket.

For operation, the VM-50 firewall requires a minimum of 32 GB of hard drive space. However, because the VM-Series base image is common to all models, you must allocate 60 GB of hard drive space until you license the VM-50.

The number of vCPUs assigned to the management plane and those assigned to the dataplane differs depending on the total number of vCPUs assigned to the VM-Series firewall. If you assign more vCPUs than those officially supported by the license, any additional vCPUs are assigned to the management plane.

Total vCPUs  Management Plane vCPUs  Dataplane vCPUs
2            1                       1
4            2                       2
8            2                       6
16           4                       12

CPU Oversubscription

The VM-Series firewall supports CPU oversubscription on all models. CPU oversubscription allows you to deploy a higher density of VM-Series firewalls on hypervisors running on x86 architecture. You can deploy two (2:1) to five (5:1) VM-Series firewalls per required allocation of CPUs. When planning your deployment, use the following formula to calculate the number of VM-Series firewalls your hardware can support.

(Total CPUs x Oversub Ratio) / CPUs per firewall = total number of VM-Series firewalls

For example, at a 5:1 ratio, a host machine with 16 physical CPUs and at least 180 GB of memory (40 x 4.5 GB) can support up to 40 instances of the VM-50. Each VM-50 requires two vCPUs, and five VM-50s can be associated to each pair of vCPUs.

(16 CPUs x 5) / 2 = 40 VM-50 firewalls


Beyond meeting the minimum VM-Series System Requirements, no additional configuration is required to take advantage of oversubscription. Deploy VM-Series firewalls normally and resource oversubscription occurs automatically. When planning your deployment, consider other functions, such as virtual switches, and guest machines on the host that require hardware resources of their own.
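As an added example (not from this guide or from Palo Alto Networks), the following Python planner applies the oversubscription formula above and then also caps the instance count by the memory and disk each model needs, which the formula alone does not account for. The per-model figures are transcribed from the system-requirements table in this chapter; the host values and the memory-bound case are constructed.

```python
"""Host capacity planner for VM-Series firewalls.

Added example, not Palo Alto Networks code. It applies the guide's formula,
(Total CPUs x Oversub Ratio) / CPUs per firewall, and then caps the result by
the memory and disk each model needs. Model figures are transcribed from the
guide's system-requirements table; host figures in main() are constructed.
"""
from dataclasses import dataclass
from math import floor

# Per-model minimums from the VM-Series System Requirements table: supported
# vCPU counts, minimum memory (GB), disk to allocate (GB) and the hypervisors
# on which the model is supported. The VM-50 needs 32 GB for operation but
# 60 GB must be allocated until it is licensed, so 60 GB is used for sizing.
MODEL_REQUIREMENTS = {
    "VM-50":      {"vcpus": (2,),          "memory_gb": 4.5, "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V")},
    "VM-100":     {"vcpus": (2,),          "memory_gb": 6.5, "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V", "AWS", "Azure", "NSX", "SDX")},
    "VM-200":     {"vcpus": (2,),          "memory_gb": 6.5, "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V", "AWS", "Azure", "NSX", "SDX")},
    "VM-300":     {"vcpus": (2, 4),        "memory_gb": 9,   "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V", "AWS", "Azure", "NSX", "SDX")},
    "VM-1000-HV": {"vcpus": (2, 4),        "memory_gb": 9,   "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V", "AWS", "Azure", "NSX", "SDX")},
    "VM-500":     {"vcpus": (2, 4, 8),     "memory_gb": 16,  "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V", "AWS", "Azure", "NSX")},
    "VM-700":     {"vcpus": (2, 4, 8, 16), "memory_gb": 56,  "disk_gb": 60,
                   "platforms": ("ESXi", "KVM", "Hyper-V", "AWS", "Azure")},
}

# Management-plane / dataplane split by total vCPUs, from the guide's table.
VCPU_SPLIT = {2: (1, 1), 4: (2, 2), 8: (2, 6), 16: (4, 12)}

# The guide supports ratios from 2:1 up to 5:1; 1:1 means no oversubscription.
MAX_OVERSUB_RATIO = 5


@dataclass
class CapacityPlan:
    model: str
    vcpus_per_firewall: int
    by_cpu: int       # result of the guide's formula
    by_memory: int    # instances the host memory allows
    by_disk: int      # instances the host datastore allows
    firewalls: int    # the binding limit of the three
    bottleneck: str   # which resource binds first: "cpu", "memory" or "disk"


def vcpu_split(model: str, total_vcpus: int) -> tuple:
    """Return (management-plane, dataplane) vCPUs for one instance.

    The split follows the guide's table for the largest licensed vCPU count
    not exceeding the assignment; vCPUs beyond what the model supports are
    assigned to the management plane, as the guide states.
    """
    supported = MODEL_REQUIREMENTS[model]["vcpus"]
    licensed = [n for n in supported if n <= total_vcpus]
    if not licensed:
        raise ValueError(f"{model} needs at least {supported[0]} vCPUs")
    mgmt, dataplane = VCPU_SPLIT[max(licensed)]
    return mgmt + (total_vcpus - max(licensed)), dataplane


def plan_capacity(model, host_cpus, host_memory_gb, host_disk_gb,
                  oversub_ratio=1, vcpus_per_firewall=None, platform="ESXi"):
    """Compute how many instances of `model` one host can carry."""
    req = MODEL_REQUIREMENTS[model]
    if platform not in req["platforms"]:
        raise ValueError(f"{model} is not supported on {platform}")
    if not 1 <= oversub_ratio <= MAX_OVERSUB_RATIO:
        raise ValueError("oversubscription ratio must be between 1:1 and 5:1")
    vcpus = vcpus_per_firewall or req["vcpus"][0]
    if vcpus not in req["vcpus"]:
        raise ValueError(f"{model} supports {req['vcpus']} vCPUs, not {vcpus}")
    by_cpu = (host_cpus * oversub_ratio) // vcpus          # the guide's formula
    by_memory = floor(host_memory_gb / req["memory_gb"])
    by_disk = host_disk_gb // req["disk_gb"]
    limits = {"cpu": by_cpu, "memory": by_memory, "disk": by_disk}
    bottleneck = min(limits, key=limits.get)               # first minimum wins ties
    return CapacityPlan(model, vcpus, by_cpu, by_memory, by_disk,
                        limits[bottleneck], bottleneck)


if __name__ == "__main__":
    # The guide's worked case: 16 physical CPUs, 180 GB RAM, 5:1, VM-50.
    print(plan_capacity("VM-50", 16, 180, 4000, oversub_ratio=5))  # firewalls=40
    # Constructed: the same host with only 90 GB RAM is memory-bound at 20.
    print(plan_capacity("VM-50", 16, 90, 4000, oversub_ratio=5))   # firewalls=20
    print(vcpu_split("VM-300", 8))  # (6, 2): the 4 unlicensed vCPUs go to management
```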


VM-Series Deployments

The VM-Series firewall can be deployed on the following platforms:

VM-Series for VMware vSphere Hypervisor (ESXi) and vCloud Air
You can deploy any VM-Series model as a guest virtual machine on VMware ESXi; ideal for cloud or networks where a virtual form factor is required.
For details, see Set Up a VM-Series Firewall on an ESXi Server and Set Up the VM-Series Firewall on vCloud Air.

VM-Series for VMware NSX
The VM-100, VM-200, VM-300, VM-500, or VM-1000-HV is deployed as a network introspection service with VMware NSX, and Panorama. This deployment is ideal for east-west traffic inspection, and it also can secure north-south traffic.
For details, see Set Up the VM-Series Firewall on VMware NSX.

VM-Series for Citrix SDX
VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on Citrix NetScaler SDX; consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments.


For details, see Set Up a VM-Series Firewall on the Citrix SDX Server.

VM-Series for Amazon Web Services (AWS)
You can deploy any VM-Series model, except the VM-50, on EC2 instances on the AWS Cloud.
For details, see Set Up the VM-Series Firewall on AWS.

VM-Series for Kernel Virtualization Module (KVM)
You can deploy any VM-Series model on a Linux server that is running the KVM hypervisor. For details, see Set Up the VM-Series Firewall on KVM.

VM-Series for Microsoft Hyper-V
You can deploy any VM-Series model on a Windows Server 2012 R2 server with the Hyper-V role add-on enabled or a standalone Hyper-V 2012 R2 server. For details, see Set Up the VM-Series Firewall on Hyper-V.

VM-Series for Microsoft Azure
You can deploy any VM-Series model, except the VM-50, on the Azure VNet.
For details, see Set up the VM-Series Firewall on Azure.

VM-Series for OpenStack
You can deploy any VM-Series model on KVM in your OpenStack environment. For details, see Set Up the VM-Series Firewall on OpenStack.


VM-Series in High Availability

High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to ensure business continuity. In an HA configuration on the VM-Series firewalls, both peers must be deployed on the same type of hypervisor, have identical hardware resources (such as CPU cores/network interfaces) assigned to them, and have the same set of licenses/subscriptions. For general information about HA on Palo Alto Networks firewalls, see High Availability.

The VM-Series firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. The only exceptions are the following:
The VM-Series firewall on the Amazon Web Services (AWS) cloud supports active/passive HA only. For details, see High Availability for VM-Series Firewall on AWS.
HA is not relevant for the VM-Series firewall for VMware NSX.

The active/active deployment is supported in virtual wire and Layer 3 deployments, and is only recommended for networks with asymmetric routing.

Features/Links Supported                     ESX  KVM  SDX  AWS  NSX  Hyper-V  Azure
Active/Passive HA                            Yes  Yes  Yes  Yes  No   Yes      No
Active/Active HA                             Yes  Yes  Yes  No   No   Yes      No
HA1                                          Yes  Yes  Yes  Yes  No   Yes      No
HA2 (session synchronization and keepalive)  Yes  Yes  Yes  Yes  No   Yes      No
HA3                                          Yes  Yes  Yes  No   No   Yes      No

For instructions on configuring the VM-Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.


Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)
Upgrade the PAN-OS Software Version (VM-Series for NSX)
Upgrade the VM-Series Model
Upgrade the VM-Series Model in an HA Pair
Upgrade Panorama 7.1 to Panorama 8.0

For instructions on installing your VM-Series firewall, see VM-Series Deployments.

Upgrade the PAN-OS Software Version (Standalone Version)

Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, consider upgrading to the latest version of PAN-OS. Use the following instructions for firewalls that are not deployed in a high availability (HA) configuration. For firewalls deployed in HA, refer to the PAN-OS 8.0 New Features Guide.

Upgrade PAN-OS Version (Standalone Version)

Step 1  Verify that there are enough hardware resources available to the VM-Series firewall. Refer to the VM-Series System Requirements to see the new resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process. The process for assigning additional hardware resources differs on each hypervisor.

Step 2  From the web interface, navigate to Device > Licenses and make sure you have the correct VM-Series firewall license and that the license is activated.
On the VM-Series firewall standalone version, navigate to Device > Support and make sure that you have activated the support license.

Step 3  (Required for a firewall that is in production) Save a backup of the current configuration file.
1. Select Device > Setup > Operations and click Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.

Step 4  Check the Release Notes to verify the Content Release version required for the PAN-OS version. The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
1. Select Device > Dynamic Updates.
2. Check the Applications and Threats or Applications section to determine what update is currently running.
3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
4. Locate the desired update and click Download.
5. After the download completes, click Install.


Step 5  Upgrade the PAN-OS version on the VM-Series firewall.
1. Select Device > Software.
2. Click Refresh to view the latest software release and also review the Release Notes to view a description of the changes in a release and to view the migration path to install the software.
3. Click Download to retrieve the software, then click Install.

Step 6  If you are upgrading from PAN-OS 7.1 to PAN-OS 8.0, transition your VM-Series firewall from a 40 GB hard disk to a 60 GB hard disk.
1. On your hypervisor, attach a new 60 GB hard drive to the VM-Series firewall. This new disk must be 60 GB. The firewall will return an error if another value is assigned.
2. Access the firewall CLI.
3. Use the following CLI command to create a new disk partition to copy the data from the original system disk to the new system disk.
   > request system clone-system-disk target sdb
4. Return to your hypervisor and power off the VM-Series firewall.
5. Remove the original system disk.
6. Power on the VM-Series firewall.

UpgradethePANOSSoftwareVersion(VMSeriesforNSX)

FortheVMSeriesFirewallNSXedition,usePanoramatoupgradethesoftwareversiononthefirewalls.

UpgradeVMSeriesNSXEditionFirewallsUsingPanorama

Step 1  Allocate additional hardware resources to your VM-Series firewall.
Verify that there are enough hardware resources available to the VM-Series firewall. Refer to the VM-Series System Requirements to see the new resource requirements for each VM-Series model. Allocate additional hardware resources before continuing the upgrade process. The process for assigning additional hardware resources differs on each hypervisor.

Step 2  Save a backup of the current configuration file on each managed firewall that you plan to upgrade. Although the firewall will automatically create a backup of the configuration, it is a best practice to create a backup prior to upgrade and store it externally.
1. Select Device > Setup > Operations and click Export Panorama and devices config bundle. This option is used to manually generate and export the latest version of the configuration backup of Panorama and of each managed device.
2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.

Step 3  Check the Release Notes to verify the Content Release version required for the PAN-OS version. The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available. If a version is available, the Download link displays.
3. Click Download to download a selected version. After successful download, the link in the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the update. When the installation completes, a check mark displays in the Currently Installed column.

Step 4  Deploy software updates to selected firewalls. If your firewalls are configured in HA, make sure to clear the Group HA Peers check box and upgrade one HA peer at a time.
1. Select Panorama > Device Deployment > Software.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available.
3. Review the File Name and click Download. Verify that the software versions that you download match the firewall models deployed on your network. After successful download, the link in the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the software version.
5. Select Reboot device after install, and click OK.
6. If you have devices configured in HA, clear the Group HA Peers check box and upgrade one HA peer at a time.

Step 5  Verify the software and Content Release version running on each managed device.
1. Select Panorama > Managed Devices.
2. Locate the device(s) and review the content and software versions in the table.

Upgrade the VM-Series Model

The licensing process for the VM-Series firewall uses the UUID and the CPUID to generate a unique serial number for each VM-Series firewall. Hence, when you generate a license, the license is mapped to a specific instance of the VM-Series firewall and cannot be modified.
Use the instructions in this section if you are:
- Migrating from an evaluation license to a production license.
- Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM-100 to the VM-300 license.

Upgrade the VM-Series Capacity

Step 1  Enable automatic VM-Series license deactivation.
Before upgrading your VM-Series firewall capacity, Install a License Deactivation API Key.

Step 2  Upgrade the license on the Customer Support portal. Skip this step if you are upgrading the capacity with an authorization code.
1. Log in to the Palo Alto Networks Customer Support portal.
2. Select Assets > Devices and search for your firewall by the serial number.
3. Select the Action icon to open the Device Licenses window.
4. Select Activate Upgrade License and enter the authorization code for the higher-capacity VM.
5. Select Agree and Submit.
6. (Optional) If your VM-Series firewall does not have direct internet access, download the capacity upgrade license key.
   a. Select Assets > Devices and search for your firewall by the serial number.
   b. Under the License column, select the download icon next to PA-VM to download the license key.
   c. Save the license key to a location the VM-Series firewall can access.

Step 3  Allocate additional hardware resources to your VM-Series firewall.
Before initiating the capacity upgrade, you must verify that enough hardware resources are available to the VM-Series firewall to support the new capacity. The process for assigning additional hardware resources differs on each hypervisor. To check the hardware requirements for your new VM-Series model, see VM-Series Models.
Although the capacity upgrade does not require a reboot of the VM-Series firewall, you need to power down the virtual machine to change the hardware allocation.

Step 4  Upgrade the capacity.
Select Device > Licenses > Upgrade Capacity and then activate your licenses and subscriptions in one of the following ways:
- Retrieve license keys from license server: Use this option if you activated your license on the Customer Support portal.
- Manually upload license key: Use this option if your firewall does not have connectivity to the Palo Alto Networks Customer Support website. In this case, you must download a license key file from the support site on an internet-connected computer and then upload it to the firewall.
- Use an authorization code: Use this option to upgrade the VM-Series capacity using an authorization code for licenses that have not been previously activated on the support portal. When prompted, enter the Authorization Code and then click OK.

Step 5  Verify that your firewall capacity license upgrade is successful.
On the Device > Licenses page, verify that the license was successfully activated.

Upgrade the VM-Series Model in an HA Pair

Because a license upgrade requires some critical processes to restart, pairing firewalls into HA mode is recommended to minimize the impact to service. This process is similar to that of upgrading the PAN-OS version of an HA pair. During the upgrade process, session synchronization continues, if you have it enabled.

Configuration sync is automatically disabled when a capacity mismatch is detected and remains disabled until the mismatch is resolved. Therefore, configuration changes during the upgrade process are not recommended.
If the firewalls in the HA pair have different major software versions (such as 7.1 and 8.0) and different capacities, both devices will enter the Suspend state. Therefore, it is recommended that you make sure both firewalls are running the same version of PAN-OS before upgrading the capacity.

Upgrade the Capacity License in an Active/Passive HA Pair

Step 1  Upgrade the capacity license of the passive firewall.
Follow the procedure to Upgrade the VM-Series Capacity.
After critical processes restart on the passive device, it will be the new VM-Series model. This upgraded firewall enters the non-functional state due to the capacity mismatch between it and the active firewall.

Step 2  Upgrade the capacity license of the active firewall.
Follow the procedure to Upgrade the VM-Series Capacity.
When the capacity upgrade of the active firewall is complete, the passive firewall then becomes active. After the critical processes restart, the previously active firewall enters the initial state and becomes the passive pair member with its new capacity.

Upgrade Panorama 7.1 to Panorama 8.0

When you upgrade Panorama in your VMware NSX deployment from 7.1 to 8.0, all your existing configuration is maintained. However, that configuration will remain in pre-8.0 formats and any configuration you create after upgrading will be in post-8.0 formats. Complete the following procedure to move your pre-8.0 configuration into post-8.0 formats.

Move Pre-8.0 Configuration to Post-8.0 Configuration

Step 1  Upgrade Panorama.
The VMware NSX plugin is automatically installed upon upgrade to 8.0.

Step 2  Update the match criteria format in your dynamic address groups.
1. Select Objects > Address Groups and click the link name for your first dynamic address group.
2. Delete the existing match criteria entry.
3. Enter the new match criteria in the following format:
   _nsx_<dynamic address group name>
4. Click OK.
5. Repeat this process for each dynamic address group.

Step 3  Change security policy used as NSX steering rules to intrazone.
1. Select Policies > Security > Pre Rules and click the link name for your first security policy rule.
2. On the General tab, change the Rule Type to intrazone.
3. Click OK.
4. Repeat this process for each security policy rule.

Step 4  Generate new steering rules.
1. Select Panorama > VMware NSX > Steering Rules.
2. Click Auto-Generate Steering Rules.

Step 5  Commit your changes.
When you commit your changes, Panorama pushes updates to NSX Manager.
1. Verify that NSX Manager created new security groups.
   a. Log in to vCenter and select Networking & Security > Security Groups.
   b. The new security groups (mapped to the updated dynamic address groups) should appear in the following format:
      <service definition name><dynamic address group name>
2. Verify that NSX Manager created new steering rules.
   a. Select Networking & Security > Firewall > Configuration > Partner security services.
   b. The new steering rules (mapped to the security policy rules you create on Panorama) are listed above the old steering rules.

Step 6  Delete the old steering rules from vCenter.
1. Select Networking & Security > Firewall > Configuration > Partner security services.
2. Delete the old steering rules.

Step 7  Delete the old security groups from vCenter.
1. Select Networking & Security > Security Groups.
2. Delete the old security groups.

Enable Jumbo Frames on the VM-Series Firewall

By default, the maximum transmission unit (MTU) size for packets sent on a Layer 3 interface is 1500 bytes. This size can be manually set to any size from 512 to 1500 bytes on a per-interface basis. Some configurations require Ethernet frames with an MTU value greater than 1500 bytes. These are called jumbo frames.
To use jumbo frames on a firewall you must specifically enable jumbo frames at the global level. When this is enabled, the default MTU size for all Layer 3 interfaces is set to a value of 9192 bytes. This default value can then be set to any value in the range of 512 to 9216 bytes.
After setting a global jumbo frame size, it becomes the default value for all Layer 3 interfaces that have not explicitly had an MTU value set at the interface configuration level. This can become a problem if you only want to exchange jumbo frames on some interfaces. In these situations, you must set the MTU value at every Layer 3 interface that you do not want to use the default value.
The following procedure describes how to enable jumbo frames on a firewall, set the default MTU value for all Layer 3 interfaces, and then set a different value for a specific interface.

Enable Jumbo Frames and Set MTU Values

Step 1  Enable jumbo frames and set a default global MTU value.
1. Select Device > Setup > Session and edit the Session Settings section.
2. Select Enable Jumbo Frame.
3. Enter a value for Global MTU.
   The default value is 9192. The range of acceptable values is 512 - 9216.
4. Click OK.
   A message is displayed that informs you that enabling or disabling Jumbo Frame mode requires a reboot and that Layer 3 interfaces inherit the Global MTU value.
5. Click Yes.
   A message is displayed to inform you that Jumbo Frame support has been enabled and reminds you that a device reboot is required for this change to be activated.
6. Click OK.
7. Click Commit.

Step 2  Set the MTU value for a Layer 3 interface and reboot the firewall. The value set for the interface overrides the global MTU value.
1. Select Network > Interfaces.
2. Select an interface of the Layer 3 Interface type.
3. Select Advanced > Other Info.
4. Enter a value for MTU.
   The default value is 9192. The range of acceptable values is 512 - 9216.
5. Click OK.
6. Click Commit.
7. Select Device > Setup > Operations and select Reboot Device.
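As an added example (not code from the guide or from Palo Alto Networks), the following Python models the inheritance rule described above: a Layer 3 interface without an explicit MTU takes the Global MTU, an explicit value overrides it, and values outside 512 - 9216 (or 512 - 1500 while jumbo frames are disabled) are rejected. It also lists interfaces that would carry jumbo frames without being meant to. Interface names are constructed; nothing is read from a firewall.

```python
"""Model the Global MTU / per-interface MTU rules for Layer 3 interfaces.

Added example; not Palo Alto Networks code. Interface names are constructed.
"""
from typing import Dict, Iterable, List, Optional

DEFAULT_MTU = 1500          # Layer 3 default while jumbo frames are disabled
JUMBO_DEFAULT_MTU = 9192    # Global MTU default once jumbo frames are enabled
MTU_MIN = 512
MTU_MAX_STANDARD = 1500     # upper bound with jumbo frames disabled
MTU_MAX_JUMBO = 9216        # upper bound with jumbo frames enabled


def effective_mtus(jumbo_enabled: bool,
                   global_mtu: Optional[int],
                   interfaces: Dict[str, Optional[int]]) -> Dict[str, int]:
    """Return the MTU each Layer 3 interface will actually use.

    interfaces maps interface name -> explicitly configured MTU, or None when
    the interface has no interface-level value and therefore inherits the
    global default. global_mtu=None means "leave the default in place".
    Raises ValueError for any value outside the range the current mode accepts.
    """
    upper = MTU_MAX_JUMBO if jumbo_enabled else MTU_MAX_STANDARD
    if global_mtu is None:
        global_mtu = JUMBO_DEFAULT_MTU if jumbo_enabled else DEFAULT_MTU
    if not MTU_MIN <= global_mtu <= upper:
        raise ValueError(f"Global MTU {global_mtu} outside {MTU_MIN}-{upper}")

    result: Dict[str, int] = {}
    for name, mtu in interfaces.items():
        if mtu is None:
            result[name] = global_mtu       # inherits the global value
            continue
        if not MTU_MIN <= mtu <= upper:
            raise ValueError(f"{name}: MTU {mtu} outside {MTU_MIN}-{upper}")
        result[name] = mtu                  # explicit value overrides the global one
    return result


def interfaces_silently_jumbo(jumbo_enabled: bool,
                              global_mtu: Optional[int],
                              interfaces: Dict[str, Optional[int]],
                              expect_jumbo: Iterable[str]) -> List[str]:
    """Interfaces that end up with an MTU above 1500 although they are not in
    expect_jumbo: the situation the text warns about when jumbo frames are
    wanted on some interfaces only. Each such interface needs an explicit MTU.
    """
    wanted = set(expect_jumbo)
    eff = effective_mtus(jumbo_enabled, global_mtu, interfaces)
    return sorted(n for n, m in eff.items() if m > MTU_MAX_STANDARD and n not in wanted)


if __name__ == "__main__":
    # Constructed plan: jumbo frames on, only ethernet1/1 is meant to use them.
    plan = {"ethernet1/1": None, "ethernet1/2": None, "ethernet1/3": 1500}
    print(effective_mtus(True, 9000, plan))
    print(interfaces_silently_jumbo(True, 9000, plan, {"ethernet1/1"}))  # ['ethernet1/2']
```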

Hypervisor Assigned MAC Addresses

By default, the VM-Series firewall uses the MAC address assigned to the physical interface by the host/hypervisor and uses that MAC address on the VM-Series firewall deployed with Layer 3 interfaces. The firewall can then use the hypervisor-assigned MAC address in its ARP responses. This capability allows non-learning switches, such as the VMware vSwitch, to forward traffic to the dataplane interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. If neither promiscuous mode nor the use of hypervisor-assigned MAC addresses is enabled, the host will drop the frame when it detects a mismatch between the destination MAC address for an interface and the host-assigned MAC address.

There is no option to enable or disable the use of hypervisor-assigned MAC addresses on AWS and Azure. It is enabled by default for both platforms and cannot be disabled.

If you are deploying the VM-Series firewall in Layer 2, virtual wire, or tap interface modes, you must enable promiscuous mode on the virtual switch to which the firewall is connected. The use of hypervisor-assigned MAC addresses is only relevant for Layer 3 deployments where the firewall is typically the default gateway for the guest virtual machines.
When you enable hypervisor-assigned MAC address functionality on the VM-Series firewall, make note of the following requirements:
- IPv6 Address on an Interface: In an active/passive HA configuration, Layer 3 interfaces using IPv6 addresses must not use the EUI-64 generated address as the interface identifier (Interface ID). Because the EUI-64 uses the 48-bit MAC address of the interface to derive the IPv6 address for the interface, the IP address is not static. This results in a change in the IP address for the HA peer when the hardware hosting the VM-Series firewall changes on failover, and leads to an HA failure.
- Lease on an IP Address: When the MAC address changes, DHCP client, DHCP relay and PPPoE interfaces might release the IP address because the original IP address lease could terminate.
- MAC Address and Gratuitous ARP: VM-Series firewalls with hypervisor-assigned MAC addresses in a high availability configuration behave differently than the hardware appliances with respect to MAC addressing. Hardware firewalls use self-generated floating MAC addresses between devices in an HA pair, and the unique MAC address used on each dataplane interface (say eth1/1) is replaced with a virtual MAC address that is common to the dataplane interface on both HA peers. When you enable the use of the hypervisor-assigned MAC address on the VM-Series firewall in HA, the virtual MAC address is not used. The dataplane interface on each HA peer is unique and as specified by the hypervisor.
  Because each dataplane interface has a unique MAC address, when a failover occurs, the now-active VM-Series firewall must send a gratuitous ARP so that neighboring devices can learn the updated MAC/IP address pairing. Hence, to enable a stateful failover, the internetworking devices must not block or ignore gratuitous ARPs; make sure to disable the anti-ARP-poisoning feature on the internetworking devices, if required.
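As an added illustration (not code from the guide or from Palo Alto Networks), the following Python derives a modified EUI-64 interface identifier from a MAC address and builds the resulting IPv6 address, showing that the address changes whenever the hypervisor-assigned MAC changes; that is the failure mode the first requirement above describes. The MAC addresses and the 2001:db8:1::/64 prefix are constructed sample values.

```python
"""Show why an EUI-64 interface ID is not stable when the MAC address can
change on HA failover.

Added example; not Palo Alto Networks code. MACs and prefix are constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): insert FF:FE between the OUI
    and the device part of the 48-bit MAC, and flip the universal/local bit
    (0x02 in the first octet). Returns the 64-bit identifier as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    expanded = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(expanded, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def address_survives_failover(prefix: str, mac_before: str, mac_after: str) -> bool:
    """True only if the EUI-64 address is the same before and after the MAC
    change, i.e. only when the MAC itself did not change. With per-host
    hypervisor-assigned MACs this is False: the peer's IPv6 address moves on
    failover, which is why a static (non-EUI-64) Interface ID is required."""
    return slaac_address(prefix, mac_before) == slaac_address(prefix, mac_after)


if __name__ == "__main__":
    # Constructed sample: same /64 on two hypervisor hosts with different MACs.
    before, after = "00:50:56:aa:bb:01", "00:50:56:aa:bb:02"
    print(slaac_address("2001:db8:1::/64", before))   # 2001:db8:1:0:250:56ff:feaa:bb01
    print(slaac_address("2001:db8:1::/64", after))    # 2001:db8:1:0:250:56ff:feaa:bb02
    print(address_survives_failover("2001:db8:1::/64", before, after))  # False
```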

Disable Use of Hypervisor Assigned MAC Address

To allow the VM-Series firewall to use the interface MAC addresses provided by the host/hypervisor:
Step 1  Select Device > Management > Setup.
Step 2  Disable (clear) the option to Use Hypervisor Assigned MAC Address.
When the MAC address change occurs, the firewall generates a system log to record this transition and the interface generates a gratuitous ARP.
Step 3  Commit the change on the firewall. You do not need to reboot the firewall.

License the VM-Series Firewall

Before you can start using your VM-Series firewall to secure east-west and north-south traffic on your network, you must activate the licenses for the services you purchased to secure your network.
If you are an authorized CSSP partner, see Licenses for Cloud Security Service Providers (CSSPs) for information that pertains to you.
For details on creating a support account and activating the licenses:
- License Types - VM-Series Firewalls
- Serial Number and CPU ID Format for the VM-Series Firewall
- Create a Support Account
- Register the VM-Series Firewall
- Switch Between the BYOL and the PAYG Licenses
- Activate the License
- Deactivate the License(s) (to release the licenses attributed to a firewall)
- Licensing API
- Licenses for Cloud Security Service Providers (CSSPs)

License Types - VM-Series Firewalls

The following licenses and subscriptions are available for the VM-Series firewall:
- Capacity License: The VM-Series firewall requires a base license, also called a capacity license, to enable the model number (VM-100, VM-200, VM-300, or VM-1000-HV) and the associated capacities on the firewall. Capacity licenses can be perpetual or term-based:
  - Perpetual License: A license with no expiration date; it allows you to use the VM-Series firewall at the licensed capacity, indefinitely. Perpetual licenses are available for the VM-Series capacity license only.
  - Term-Based License: A term-based license allows you to use the VM-Series firewall for a specified period of time. It has an expiration date and you will be prompted to renew the license before it expires. Term-based licenses are available for the capacity licenses, support entitlements, and subscriptions.
  Further, capacity licenses are available as an Individual version or an Enterprise version. The Individual version is in multiples of 1. The orderable SKU, for example PA-VM-300, includes an auth code to license one instance of the VM-Series firewall. The Enterprise version is available in multiples of 25. For example, the orderable SKU PAN-VM-100-ENT has a single auth code that allows you to register 25 instances of the VM-100.
- Support: In addition to the capacity license, you need a support entitlement that provides access to technical support and software updates.
- Subscriptions: Optionally, you may purchase one or more subscription licenses for Threat Prevention, PAN-DB URL Filtering, AutoFocus, GlobalProtect, and WildFire. These subscriptions allow you to enforce policies that safely enable applications and content on the network. For example, the Threat Prevention subscription allows you to obtain content updates that include the most up-to-date threat information for malware detection.

VM-Series Firewall for NSX Licenses

In order to automate the provisioning and licensing of the VM-Series firewall for NSX in the VMware integrated NSX solution, two license bundles are available:
- One bundle includes the VM-Series capacity license (VM-100, VM-200, VM-300, VM-500, or VM-1000-HV only), Threat Prevention license and a premium support entitlement.
- Another bundle includes the VM-Series capacity license (VM-100, VM-200, VM-300, VM-500, or VM-1000-HV only) with the complete suite of licenses that includes Threat Prevention, GlobalProtect, WildFire, PAN-DB URL Filtering, and a premium support entitlement.

VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses

You can license the VM-Series firewall in AWS and Azure in two ways:
- Bring Your Own License (BYOL): A license that is purchased from a partner, reseller, or directly from Palo Alto Networks. Capacity license, support license, and subscription licenses are supported for BYOL. With this option, you must apply the license after you deploy the VM-Series firewall.

- Usage-Based License: Also called a pay-per-use or pay-as-you-go (PAYG) license. This type of license can be purchased from the AWS Marketplace and the Azure public Marketplace. Usage-based licenses are not available on the Azure Government Cloud Marketplace.
  AWS supports hourly and annual PAYG options; Azure supports the hourly PAYG option only.
  With the usage-based licenses, the firewall is pre-licensed and ready for use as soon as you deploy it; you do not receive an auth code. When the firewall is stopped or terminated on the AWS or Azure console, the usage-based licenses are suspended or terminated.

  Usage-based licenses are available in the following pricing bundles:
  - Bundle 1: Includes the VM-Series capacity license (VM-300 only), Threat Prevention license that includes IPS, AV, malware prevention, and a premium support entitlement.
  - Bundle 2: Includes the VM-Series capacity license (VM-300 only), Threat Prevention (includes IPS, AV, malware prevention), GlobalProtect, WildFire, PAN-DB URL Filtering licenses, and a premium support entitlement.

If you have an evaluation copy of the VM-Series firewall and would like to convert it to a fully licensed (purchased) copy, clone your VM-Series firewall and use the instructions to register and license the purchased copy of your VM-Series firewall. For instructions, see Upgrade the VM-Series Firewall.

You cannot switch between the PAYG and the BYOL licenses. To move from PAYG to BYOL, contact your Palo Alto Networks channel partner or sales representative to purchase a BYOL license and get a BYOL auth code that you can use to license your firewall. If you have deployed your firewall and want to switch the license, see Switch Between the BYOL and the PAYG Licenses.

Serial Number and CPU ID Format for the VM-Series Firewall

When you launch an instance of the VM-Series firewall, each instance of the firewall is uniquely identified using the CPU ID and serial number of the firewall. The format of the CPU ID and the serial number include information on the hypervisor and the license type for each instance of the VM-Series firewall.
With the usage-based licensing model of the VM-Series firewalls, at launch the firewall generates a serial number and CPU ID, and you use these details to Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).
With the BYOL model, you must Register the VM-Series Firewall (with auth code) on the Customer Support portal (CSP). For a firewall with direct internet access, you can apply the auth code on the firewall to generate a license file that includes the serial number. For a firewall that is offline, you must use the CSP to input the CPU ID, UUID, and the auth code to generate a license file that includes the serial number, and then install the license on the firewall.

License Type   Serial Number                  CPU ID
BYOL           15 digits, all numeric.        <Hypervisor>:<Actual CPU ID>
               Example: 007151345678909       Example: ESX:12345678
PAYG           15 digits, alphanumeric.       <Hypervisor>:<Instance ID>:<Cloud Product Code>:<Cloud Region>
               Example: 4DE0YTAYOGMYYTN       Example: AWSMP:1234567890abcdef0:6kxdw3bbmdeda3o6i1ggqt4km:us-west-1
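As an added example (not Palo Alto Networks code), the following Python classifies a firewall's serial number as BYOL or PAYG and parses the two CPU ID layouts from the table, so the two identifiers can be cross-checked before they are entered on the support portal. The sample values are the table's own examples, used here as constructed input (the AWS region is written as us-west-1).

```python
"""Classify a VM-Series serial number and parse its CPU ID using the
formats in the table above.

Added example; not Palo Alto Networks code. Sample identifiers are the
table's examples, embedded here as constructed input.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Both serial formats are 15 characters; BYOL is all digits, PAYG alphanumeric.
_SERIAL_BYOL = re.compile(r"^[0-9]{15}$")
_SERIAL_PAYG = re.compile(r"^[A-Za-z0-9]{15}$")


@dataclass(frozen=True)
class CpuId:
    hypervisor: str                       # e.g. "ESX" or "AWSMP"
    actual_cpuid: Optional[str] = None    # BYOL: <Hypervisor>:<Actual CPU ID>
    instance_id: Optional[str] = None     # PAYG: <Hypervisor>:<Instance ID>:...
    product_code: Optional[str] = None    # PAYG: ...:<Cloud Product Code>:...
    region: Optional[str] = None          # PAYG: ...:<Cloud Region>


def license_type_from_serial(serial: str) -> str:
    """Return "BYOL", "PAYG", or "unlicensed".

    An unlicensed firewall shows "Unknown" instead of a serial number on the
    Dashboard, so anything that is not a 15-character identifier is reported
    as unlicensed rather than guessed at. BYOL is tested first because an
    all-digit serial also satisfies the alphanumeric pattern.
    """
    if _SERIAL_BYOL.match(serial):
        return "BYOL"
    if _SERIAL_PAYG.match(serial):
        return "PAYG"
    return "unlicensed"


def parse_cpuid(cpuid: str) -> CpuId:
    """Split a CPU ID into its colon-separated fields.

    Two fields  -> BYOL layout, <Hypervisor>:<Actual CPU ID>
    Four fields -> PAYG layout, <Hypervisor>:<Instance ID>:<Cloud Product Code>:<Cloud Region>
    Any other field count (or an empty field) is rejected so a mistyped value
    is never silently accepted.
    """
    parts = cpuid.split(":")
    if any(p == "" for p in parts):
        raise ValueError(f"empty field in CPU ID {cpuid!r}")
    if len(parts) == 2:
        return CpuId(hypervisor=parts[0], actual_cpuid=parts[1])
    if len(parts) == 4:
        return CpuId(hypervisor=parts[0], instance_id=parts[1],
                     product_code=parts[2], region=parts[3])
    raise ValueError(f"unexpected CPU ID layout ({len(parts)} fields): {cpuid!r}")


def check_consistency(serial: str, cpuid: str) -> str:
    """Cross-check the two identifiers: the license type implied by the serial
    must agree with the layout of the CPU ID. Returns the agreed type or
    raises ValueError (for example a numeric BYOL serial paired with a
    four-field marketplace CPU ID, which points at a copy/paste mix-up)."""
    from_serial = license_type_from_serial(serial)
    if from_serial == "unlicensed":
        raise ValueError(f"serial {serial!r} is not a licensed VM-Series serial")
    parsed = parse_cpuid(cpuid)
    from_cpuid = "PAYG" if parsed.instance_id is not None else "BYOL"
    if from_serial != from_cpuid:
        raise ValueError(f"serial says {from_serial} but CPU ID says {from_cpuid}")
    return from_serial


if __name__ == "__main__":
    # Constructed from the table's examples.
    samples = [("007151345678909", "ESX:12345678"),
               ("4DE0YTAYOGMYYTN",
                "AWSMP:1234567890abcdef0:6kxdw3bbmdeda3o6i1ggqt4km:us-west-1")]
    for serial, cpuid in samples:
        print(serial, "->", check_consistency(serial, cpuid), parse_cpuid(cpuid))
```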

Create a Support Account

A support account is required to access software updates and to get technical support or open a case with Palo Alto Networks technical support.
For all licensing options except for usage-based licenses that are currently only available in AWS, you require a support account so that you can download the software package required to install the VM-Series firewall. The support account also allows you to view and manage all assets (appliances, licenses, and subscriptions) that you have registered with Palo Alto Networks.
If you have an existing support account, continue with Register the VM-Series Firewall.

Create a Support Account

Step 1  Go to https://www.paloaltonetworks.com/support/tabs/overview.html.
Step 2  Click the Register link (bottom of the page), and enter the corporate email address to associate with the support account.
Step 3  Pick one of the following options and fill in the details in the user registration form:
(For the usage-based license in AWS)
1. Click Register your Amazon Web Services VM-Series Instance.
2. On the AWS Management Console, find the AWS Instance ID, AWS Product Code, and the AWS Zone in which you deployed the firewall.
3. Fill in the other details.
(For all other licenses)
1. Click Register device using Serial Number or Authorization Code.
2. Enter the capacity auth code and the sales order number or customer ID.
3. Fill in the other details.
Step 4  Submit the form. You will receive an email with a link to activate the user account; complete the steps to activate the account.
After your account is verified and the registration is complete, you can log in to the support portal.

Register the VM-Series Firewall

When you purchase a VM-Series firewall, you receive an email that includes an auth code for a capacity license for the VM-Series model, a support entitlement auth code (for example, PAN-SVC-PREM-VM-100 SKU), and one or more auth codes for the subscription licenses. To use the auth code(s), you must register the code to the support account on the Palo Alto Networks Customer Support website. In the case of the VMware integrated NSX solution, the email contains a single authorization code that bundles the capacity license for one or more instances of the VM-1000-HV model, the support entitlement, and one or more subscription licenses.
For the usage-based licenses in AWS, you do not receive an auth code. However, in order to activate your premium support entitlement with Palo Alto Networks, you must create a support account and register the VM-Series firewall on the Palo Alto Networks Customer Support website.
Use the instructions in this section to register the capacity auth code or firewall with your support account:
- Register the VM-Series Firewall (with auth code)
- Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code)

Register the VM-Series Firewall (with auth code)

Register the VM-Series Firewall (with auth code)

Step 1  Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.

Step 2  Select Assets and click Add VM-Series Auth-Codes.

Step 3  In the Add VM-Series Auth-Code field, enter the capacity auth code you received by email, and click the check mark on the far right to save your input. The page will display the list of auth codes registered to your support account.
You can track the number of VM-Series firewalls that have been deployed and the number of licenses that are still available for use against each auth code. When all the available licenses are used, the auth code does not display on the VM-Series Auth-Codes page. To view all the assets that are deployed, select Assets > Devices.

Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code)

Before you begin the registration process, log in to the VM-Series firewall and jot down the serial number and the CPU ID (UUID is optional) from the dashboard.

Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code)

Step 1  On the Assets tab (after you log in to the Palo Alto Networks Customer Support website), click Register New Device.

Step 2  Select Register usage-based VM-Series models (hourly/annual) purchased from public cloud Marketplace.

Step 3  Select your Cloud Marketplace vendor and Submit.

Step 4  Enter the Serial #, the CPU ID, and the UUID of the VM-Series firewall.
For example, from the Dashboard of the VM-Series firewall on Azure you will see the following information.
If you plan to use the firewall offline, please select the Offline checkbox and enter the PAN-OS version you plan to use.

Step 5  Agree and Submit to accept the EULA and register the firewall.

Step 6  Verify that the details on the licenses you purchased are displayed on the Assets page of the support portal.

Switch Between the BYOL and the PAYG Licenses

There is no migration path between the BYOL and PAYG licensing options. If you have already deployed and configured a VM-Series firewall with the PAYG or BYOL option in AWS or Azure, and now want to switch to the other option, use the following instructions to save and export the configuration on your existing firewall, deploy a new firewall, and then restore the configuration on the new firewall.

Switch Between the PAYG License and the BYOL License

Step 1  Save a backup of the current configuration file and store it on an external server.
1. Select Device > Setup > Operations and Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall.

Step 2  Deploy a new firewall and register or activate the license, as appropriate.
For a new PAYG instance:
1. In the AWS or Azure Marketplace, select the software image for the PAYG licensing bundle you want to deploy.
2. Deploy a new VM-Series firewall in the AWS or Azure public cloud. See Set Up the VM-Series Firewall on AWS or Set up the VM-Series Firewall on Azure.
3. Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).
For a new BYOL instance:
1. Contact your sales representative or reseller to purchase a BYOL license, and get a BYOL auth code that you can use to license your firewall.
2. Register the VM-Series Firewall (with auth code).
3. Deploy a new VM-Series firewall in the AWS or Azure public cloud. See Set Up the VM-Series Firewall on AWS or Set up the VM-Series Firewall on Azure.
4. Activate the License for the VM-Series Firewall (Standalone Version).

Step 3  On the newly deployed firewall, restore the configuration that you exported.
1. Access the web interface of the newly deployed firewall.
2. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
3. Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
4. Click Commit to overwrite the running configuration with the snapshot you just imported.
5. Verify that the configuration on the new firewall matches the firewall that you are replacing, before you delete the firewall or deactivate the licenses on the replaced firewall.

Activate the License

To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. To deploy the firewall, see VM-Series Deployments.
Use the instructions in this section for all the BYOL models including AWS and Azure; for usage-based licensing in AWS and Azure, you do not need to activate the license. For the usage-based licenses, you must Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code) in order to activate your premium support entitlement.

For usage-based models of the VM-Series firewall in the AWS Marketplace, instances with short and long AWS instance IDs are supported.

Until you activate the license on the VM-Series firewall, the firewall does not have a serial number, the MAC addresses of the dataplane interfaces are not unique, and only a minimal number of sessions are supported. Because the MAC addresses are not unique until the firewall is licensed, to prevent issues caused by overlapping MAC addresses, make sure that you do not have multiple, unlicensed VM-Series firewalls.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM-Series firewall. The capacity auth code in conjunction with the serial number is used to validate your entitlement.

After you license a VM-Series firewall, if you need to delete and redeploy the VM-Series firewall, make sure to Deactivate the License(s) on the firewall. Deactivating the license allows you to transfer the active licenses to a new instance of the VM-Series firewall without help from technical support.

- Activate the License for the VM-Series Firewall (Standalone Version)
- Activate the License for the VM-Series Firewall for VMware NSX

Activate the License for the VM-Series Firewall (Standalone Version)

To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration.

Activate the License

If your VM-Series firewall has direct internet access.
To activate the license, the firewall must be configured with an IP address, netmask, default gateway, and DNS server IP address.
1. Select Device > Licenses and select the Activate feature using authentication code link.
2. Enter the capacity auth code that you registered on the support portal. The firewall will connect to the update server (updates.paloaltonetworks.com), download the license, and reboot automatically.
3. Log back in to the web interface and confirm that the Dashboard displays a valid serial number. If the term Unknown displays, it means the device is not licensed.
4. On Device > Licenses, verify that the PA-VM license is added to the device.

If your VM-Series firewall does not have internet access.
1. Select Device > Licenses and click the Activate Feature using Auth Code link.
2. Click Download Authorization File, and download the authorizationfile.txt on the client machine.
3. Copy the authorizationfile.txt to a computer that has access to the internet and log in to the support portal. Click the My VM-Series Auth-Codes link, select the applicable auth code from the list, and click the Register VM link.
4. On the Register Virtual Machine tab, upload the authorization file. Select the PAN-OS version and the hypervisor on which you have deployed the firewall to complete the registration process. The serial number of your VM-Series firewall will be attached to your account records.
5. Navigate to Assets > My Devices, search for the VM-Series device just registered, and click the PA-VM link. This will download the VM-Series license key to the client machine.
6. Copy the license key to the machine that can access the web interface of the VM-Series firewall and navigate to Device > Licenses.
7. Click the Manually Upload License link and enter the license key. When the capacity license is activated on the firewall, a reboot occurs.
8. Log in to the device and confirm that the Dashboard displays a valid serial number and that the PA-VM license displays in the Device > Licenses tab.

Activate the License for the VM-Series Firewall for VMware NSX

Panorama serves as the central point of administration for the VM-Series firewalls for VMware NSX, and the license activation process is automated when Panorama has direct internet access. Panorama connects to the Palo Alto Networks update server to retrieve the licenses, and when a new VM-Series firewall for NSX is deployed, it communicates with Panorama to obtain the license. If Panorama is not connected to the internet, you need to manually license each instance of the VM-Series firewall so that the firewall can connect to Panorama. For an overview of the components and requirements for deploying the VM-Series firewall for NSX, see VM-Series for NSX Firewall Overview.

For this integrated solution, the auth code (for example, PAN-VM-1000-HV-SUB-BND-NSX2) includes licenses for Threat Prevention, URL Filtering and WildFire subscriptions, and premium support for the requested period.
In order to activate the license, you must have completed the following tasks:
• Registered the auth code to the support account. If you don't register the auth code, the licensing server will fail to create a license.
• Entered the auth code in the Service Definition on Panorama. On Panorama, select VMware Service Manager to add the Authorization Code to the VMware Service Definition.

If you have purchased an evaluation auth code, you can license up to 5 VM-Series firewalls with the VM-1000-HV capacity license for a period of 30 or 60 days. Because this solution allows you to deploy one VM-Series firewall per ESXi host, the ESXi cluster can include a maximum of 5 ESXi hosts when using an evaluation license.

The following process of activating the licenses is manual. If you have a custom script or an orchestration service, you can use the Licensing API to automate the process of retrieving the licenses for the VM-Series firewalls.

Activate the Licenses on the VM-Series Firewall for NSX

When Panorama has internet access (Online)
Step 1 Verify that the VM-Series firewall is connected to Panorama.
1. Log in to Panorama.
2. Select Panorama > Managed Devices and check that the firewall displays as Connected.

Step 2 Verify that each firewall is licensed.
Select Panorama > Device Deployment > Licenses and verify that Panorama has matched the auth code and applied the licenses to each firewall.
If you do not see the licenses, click Refresh. Select the VM-Series firewalls for which to retrieve subscription licenses and click OK.

When Panorama does not have internet access (Offline)
Step 1 Locate the CPU ID and UUID of the VM-Series firewall.
1. From the vCenter server, obtain the IP address of the firewall.
2. Log in to the web interface and select Dashboard.
3. Get the CPU ID and the UUID for the firewall from the General Information widget.

Step 2 Activate the auth code and generate the license keys.
1. Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.
2. Select Assets > VM-Series Auth Codes, and click Add VM-Series Auth Codes to enter the auth code.
3. Select Register VM in the row that corresponds to the auth code that you just registered, enter the CPU ID and the UUID of the firewall, and click Submit. The portal will generate a serial number for the firewall.
4. Select Assets > Devices and search for the serial number.
5. Click the link in the Actions column to download each key locally to your laptop. In addition to the subscription license key, you must get the capacity license and the support license keys.

Step 3 Upload the keys to the firewall.
1. Log in to the firewall web interface.
2. Select Device > Licenses, and select Manually upload license key.
3. Browse to select a key and click OK to install the license on the firewall.
   Install the capacity license key file (pa-vm.key) first. When you apply the capacity license key, the VM-Series firewall will reboot. On reboot, the firewall will have a serial number that you can use to register the firewall as a managed device on Panorama.
4. Repeat the process to install each key on the firewall.
5. Select Dashboard and verify that you can see the Serial # in the General Information widget.

Step 4 Add the serial number of the firewall on Panorama.
Select Panorama > Managed Devices and click Add to enter the serial number for the VM-Series firewall for NSX. The firewall should now be able to connect with Panorama so that it can obtain its configuration and policy rules.

Deactivate the License(s)

The license deactivation process enables you to self-manage licenses. Whether you want to remove one or more active licenses or subscriptions attributed to a firewall (hardware-based or VM-Series firewall) or you want to deactivate the VM-Series firewall and unassign all active licenses and subscriptions, begin the deactivation process on the firewall or Panorama (not on the Palo Alto Networks Customer Support website).
To successfully deactivate a license, you must install a license deactivation API key and enable verification of the update server identity (enabled by default). PAN-OS uses this deactivation API key to authenticate with all update and license services. The deactivation API key is not required for manual license deactivation, where there is no connectivity between the firewall and the license server.
If the firewall/Panorama has internet access and can communicate with the Palo Alto Networks Licensing servers, the license removal process completes automatically with a click of a button. If the firewall/Panorama does not have internet access, you must complete the process manually in two steps. In the first step, from the firewall or Panorama, you generate and export a license token file that includes information on the deactivated keys. In the second step, while logged in to the Palo Alto Networks Customer Support website, upload the token file to dissociate the license keys from the firewall.
• Install a License Deactivation API Key
• Deactivate a Feature License or Subscription Using the CLI
• Deactivate VM

Install a License Deactivation API Key

Retrieve your license API key from the Customer Support Portal and install it using the CLI on the firewall and Panorama. You must have superuser privileges on the firewall or Panorama to install the license API key. When you install a license API key on Panorama, Panorama pushes the API key to its managed devices. If the managed device has an API key installed, Panorama overwrites the old API key with the new one.

Install the API Key

Step 1 Retrieve the license deactivation API key from the Customer Support Portal.
1. Log in to the Customer Support Portal.
2. From the Go To drop-down, select License API.
3. Copy the API key.

Step 2 Use the CLI to install the API key copied in the previous step.
request license api-key set key <key>

Step 3 After installing the license deactivation API key, Deactivate VM as normal.
Deactivating a VM-Series license requires a software restart.

If you need to replace a license deactivation API key, use the following CLI command to delete an installed API key.
request license api-key delete
To deactivate a VM-Series firewall after deleting the API key, you must install a new one.

Deactivate a Feature License or Subscription Using the CLI

If you accidentally installed a license/subscription on a firewall and need to reassign the license to another firewall, you can deactivate an individual license and reuse the same authorization code on another firewall without help from Technical Support. This capability is supported on the CLI only; the process is supported both on the hardware-based firewalls and on the VM-Series firewall.

Step 1 Log in to the CLI on the firewall.

If your firewall has direct internet access, use the following commands:
Step 2 View the name of the license key file for the feature you want to deactivate.
request license deactivate key features ?

Step 3 Deactivate the license or subscription.
request license deactivate key features <name> mode auto
where name is the full name of the license key file.
For example:
admin@vmPAN2> request license deactivate key features WildFire_License_2015_01_28_I5820573.key mode auto
007200002599 WildFire License Success
Successfully removed license keys

If your firewall does not have direct internet access, use the following commands:
Step 4 View the name of the license key file for the feature you want to deactivate.
request license deactivate key features ?

Step 5 Deactivate the license manually.
request license deactivate key features <name> mode manual
For example:
admin@PA-VM> request license deactivate key features PAN_DB_URL_Filtering_2015_01_28_I6134084.key mode manual

Successfully removed license keys

dact_lic.01282015.100502.tok
The token file uses the format dact_lic.timestamp.tok, where the timestamp is in the dmmyyyy.hrminsec format.

Step 6 Verify that the token file was generated.
show license-token-files

Step 7 Export the token file to an SCP or TFTP server and save it to your computer.
scp export license-token-file to <username@serverIP> from <token_filename>
For example:
scp export license-token-file to admin@10.1.10.55:/tmp/ from dact_lic.01282015.100502.tok

Step 8 Log in to the Palo Alto Networks Customer Support website.

Step 9 Click the Deactivate License(s) link on the Assets tab.

Step 10 While logged in to the Palo Alto Networks Customer Support website, upload the token file to complete the deactivation.

Deactivate VM

When you no longer need an instance of the VM-Series firewall, you can free up all active licenses (subscription licenses, VM Capacity licenses, and support entitlements) using the web interface, CLI, or the XML API on the firewall or Panorama. The licenses are credited back to your account and you can use the same authorization codes on a different instance of the VM-Series firewall.
Deactivating a VM removes all the licenses/entitlements and places the VM-Series firewall in an unlicensed state; the firewall will not have a serial number and can support only a minimal number of sessions. Because the configuration on the firewall is left intact, you can reapply a set of licenses and restore complete functionality on the firewall, if needed.

Make sure to deactivate licenses before you delete the VM-Series firewall. If you delete the firewall before deactivating the licenses, you have two options:
• If the device was managed by Panorama, you can deactivate the license from Panorama.
• If the device was not managed by Panorama, you must contact Palo Alto Networks Customer Support.

From the firewall
1. Log in to the web interface and select Device > Licenses.
2. Select Deactivate VM in the License Management section.
3. Verify the list of licenses/entitlements that will be deactivated on the firewall.
4. Pick one of the following options to start deactivating the VM:
   • Click Continue if the firewall can communicate directly with the Palo Alto Networks Licensing server. You will be prompted to reboot the firewall; on reboot the licenses are deactivated.
   • Click Complete Manually if the firewall does not have internet access. Click the Export license token link to save the token file to your local computer. For example, the token filename is 20150128_1307_dact_lic.01282015.130737.tok. You will be prompted to reboot the firewall; on reboot the licenses are deactivated.
5. (For the manual process only) Complete the following tasks to register the changes with the Licensing server:
   a. Log in to the Palo Alto Networks Customer Support website.
   b. Click the Deactivate License(s) link on the Assets tab.
   c. While logged in to the Palo Alto Networks Customer Support website, upload the token file to complete the deactivation.

From Panorama
1. Log in to the Panorama web interface and select Panorama > Device Deployment > Licenses.
2. Click Deactivate VMs, and select the VM-Series firewall that you want to deactivate.
3. Pick one of the following options to deactivate the VM:
   • Click Continue if Panorama can communicate directly with the Palo Alto Networks Licensing servers and can register the changes. To verify that the licenses have been deactivated on the firewall, click Refresh on Panorama > Device Deployment > Licenses. The firewall is automatically rebooted.
   • Click Complete Manually if Panorama does not have internet access. Panorama generates a token file. Click the Export license token link to save the token file to your local computer. The successful completion message is displayed on screen, and the firewall will be automatically rebooted.
4. (For the manual process only) To use the token file to register the changes with the licensing server, see step 5 above.

5. Remove the deactivated VM-Series firewall as a managed device on Panorama.
   a. Select Panorama > Managed Devices.
   b. Select the firewall that you deactivated from the list of managed devices, and click Delete.
   Instead of deleting the firewalls, if you prefer, you can create a separate device group and assign the deactivated VM-Series firewalls to this device group.

Licensing API

To successfully license firewalls that do not have direct internet access, Palo Alto Networks provides a licensing API. You can use this API with a custom script or an orchestration service to register auth codes, retrieve licenses attached to an auth code, renew licenses, and deactivate all licenses on a VM-Series firewall (Deactivate VM).

The API also allows you to view the details of an auth code so that you can track the number of unused licenses attached to an auth code or auth code bundle that enables you to license more than one instance of the firewall. An auth code bundle includes the VM-Series model, subscriptions and support in a single, easy-to-order format; you can use this bundle multiple times to license VM-Series firewalls as you deploy them.
To use the API, each support account is assigned a unique key. Each API call is a POST request, and the request must include the API key to authenticate the request to the licensing server. When authenticated, the licensing server sends the response in JSON (content type application/json).
• Manage the Licensing API Key
• Use the Licensing API
• Licensing API Error Codes

Manage the Licensing API Key

To get the API key required to use the licensing API, your account must have superuser privileges on the support portal.

Step 1 Get your Licensing API key.
1. Log in to the Palo Alto Networks Support portal with an account that has superuser privileges.
2. Select Licensing API from the Go To drop-down.
3. Click Enable to view your key and copy it for use. Once you generate a key, the key is enabled until you regenerate or disable it.

Step 2 Regenerate or revoke the API key.
You can generate a new API key or revoke the use of the key.
• Click Regenerate to generate a new key. If you suspect that an API key may be compromised, you can generate a new key, which automatically invalidates the old key.
• Select Disable if you no longer plan to use the key. Disabling the API key revokes it.

Use the Licensing API

The base URI for accessing the licensing API is https://api.paloaltonetworks.com/api/license; based on the task you want to perform (for example, activate licenses, deactivate licenses, or track license use), the URL will change.
An API request must use the HTTP POST method, and you must include the API key in the apikey HTTP request header and pass the request parameters as URL-encoded form data with content type application/x-www-form-urlencoded.
The API Version is optional and can include the following values: 0 or 1. If specified, it must be included in the version HTTP request header. The current API version is 1; if you do not specify a version, or specify version 0, the request uses the current API version.
All API responses are represented in JSON.

Step 1 Get your Licensing API key.
Step 2 Select the task you want to perform:
• Activate Licenses
• Deactivate Licenses
• Track License Usage

Activate Licenses
URL: https://api.paloaltonetworks.com/api/license/activate
Parameters: uuid, cpuid, authCode, and serialNumber.
Use these parameters to accomplish the following:
• For first-time or initial license activation, provide the cpuid, uuid, and authCode in the API request.
• If you did not save the license keys or had network connection trouble during initial license activation, to retrieve the license(s) again for a firewall that you have previously activated, you can either provide the cpuid and uuid in the API request, or provide the serial number of the firewall in the API request.
Header: apikey
Sample request for initial license activation using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode cpuid=51060400FFFBAB1F \
  --data-urlencode uuid=564D0E5F-3F22-5FAD-DA58-47352C6229FF --data-urlencode \
  authCode=I7115398 https://api.paloaltonetworks.com/api/license/activate
Sample API response:
[{"lfidField":"13365773","partidField":"PAN-SVC-PREM-VM-300","featureField":"Premi
um","feature_descField":"24 x 7 phone support; advanced replacement hardware
service","keyField":"m4iZEL1t3n6Oa+6ll1L7itDZTphYw48N1AMOZXutDgExC5f5pOA52+Qg1jmAx
anB\nKOyat4FJI4k2hWiBYz9cONuKoiaNOtAGhJvAuZmYgqAZejKueWrTzCuLrwxI/iEw\nkRGR3cYG+j6
o84RitR937m2iOk2v9o8RSfLVilgX28nqmcO8LcAnTqbrRWdFtwVk\nluz47AUMXauuqwpMipouQYjk0ZL
7fTHHslhyL7yFjCyxBoYXOt3JiqQ0OCDdBdDI\n91RkVPylEwTKgSXm3xpzbmC2ciUR5b235gyqdyW8eQX
KvaThuR8YyHr1Pdw/lAjs\npyyIVFa6FufPacfB2RHApQ==\n","auth_codeField":"","errmsgFiel
d":null,"typeField":"SUP","regDateField":"2016-06-03T08:18:41","startDateField":"5
/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseFiel
d":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016
12:00:00
AM","PropertyChanged":null},{"lfidField":"13365774","partidField":"PAN-VM-300-TP",
"featureField":"Threat Prevention","feature_descField":"Threat
Prevention","keyField":"NqaXoaFG+9qj0t9Vu7FBMizDArj+pmFaQEd6I2OqfBfAibXrvuoFKeXX/K
2yXtrl\n2qJhNq3kwXBDxn181z3nrUOsQd/eW68dyp4jb1MfAwEM8mlnCyLhDRM3EE+umS4b\ndZBRH5AQ
jPoaON7xZ46VMFovOR+asOUJXTptS/Eu1bLAI7PBp3+nm04dYTF9O50O\ndey1jmGoiBZ9wBkesvukg3dV
Z7gxppDvz14+wekYEJqPfM0NZyxsC5dnoxg9pciF\ncFelhnTYlma1lXrCqjJcFdniHRwO0RE9CIKWe0g2
HGo1uo2eq1XMxL9mE5t025im\nblMnhL06smrCdtXmb4jjtg==\n","auth_codeField":"","errmsgF
ield":null,"typeField":"SUB","regDateField":"2016-06-03T08:18:41","startDateField"
:"5/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseF
ield":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016
12:00:00 AM","PropertyChanged":null}
...<truncated>

The featureField value in the response indicates the type of key that follows in the keyField. Copy each key to a text file and save it with the .key extension. Because the key is in JSON format, it does not have newlines; make sure to convert it to newlines if needed for your parser. Make sure to name each key appropriately and save it to the /license folder of the bootstrap package. For example, include the auth code with the type of key to name it as I3306691_1pa-vm.key (for the capacity license key), I3306691_1threat.key (for the Threat Prevention license key), I3306691_1wildfire.key (for the WildFire subscription license key).
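The following Python helpers are an added example, not code from this guide or from Palo Alto Networks: they build the /activate POST request exactly as the guide specifies (apikey and version headers, URL-encoded form body, cpuid+uuid+authCode for initial activation or serialNumber for re-retrieval) and turn a response into correctly named .key files for the bootstrap /license folder. The sample response is constructed with fake key material; the file suffix for feature names other than the three the guide lists, and the "PA-VM" featureField for the capacity record, are assumptions.

```python
"""Client helpers for the Licensing API /activate call (added example).

Not Palo Alto Networks code. Follows the guide: POST to .../api/license/activate,
'apikey' and optional 'version' headers, URL-encoded form parameters, and a JSON
array of license records in which featureField names the key held in keyField.
"""
import json
import re
import tempfile
import urllib.parse
import urllib.request
from pathlib import Path

ACTIVATE_URL = "https://api.paloaltonetworks.com/api/license/activate"

# Suffixes the guide uses when naming keys for the bootstrap /license folder.
# Any other feature falls back to a sanitised featureField (assumption).
KEY_SUFFIXES = {"PA-VM": "pa-vm", "Threat Prevention": "threat", "WildFire": "wildfire"}


def build_activate_request(api_key, auth_code=None, cpuid=None, uuid=None,
                           serial_number=None, version="1"):
    """Build (but do not send) the POST request for /activate.

    Initial activation: cpuid + uuid + auth_code. Re-retrieval for an already
    activated firewall: cpuid + uuid, or serial_number alone.
    """
    if serial_number:
        params = {"serialNumber": serial_number}
    elif cpuid and uuid:
        params = {"cpuid": cpuid, "uuid": uuid}
        if auth_code:
            params["authCode"] = auth_code
    else:
        raise ValueError("need serial_number, or cpuid and uuid")
    body = urllib.parse.urlencode(params).encode()
    headers = {"apikey": api_key, "version": version,
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(ACTIVATE_URL, data=body, headers=headers, method="POST")


def key_file_name(auth_code, feature):
    """<authcode>_1<type>.key, e.g. I3306691_1threat.key for Threat Prevention."""
    suffix = KEY_SUFFIXES.get(feature) or re.sub(r"[^a-z0-9]+", "", feature.lower())
    return f"{auth_code}_1{suffix}.key"


def normalise_key(key_text):
    """Return the key as multi-line text ending in a newline.

    json.loads already turns the "\\n" escapes into real newlines; if the raw
    field text with literal backslash-n sequences was passed, convert those too.
    """
    text = key_text.replace("\\n", "\n")
    return text if text.endswith("\n") else text + "\n"


def activation_errors(records):
    """errmsgField values, so a partially failed activation is not silently saved."""
    return [r["errmsgField"] for r in records if r.get("errmsgField")]


def save_license_keys(response_text, auth_code, out_dir):
    """Parse an /activate response and write one .key file per license record.

    Returns the file names written, in response order.
    """
    records = json.loads(response_text)
    errors = activation_errors(records)
    if errors:
        raise ValueError(f"licensing server reported errors: {errors}")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for rec in records:
        name = key_file_name(auth_code, rec["featureField"])
        (out / name).write_text(normalise_key(rec["keyField"]))
        written.append(name)
    return written


# Constructed sample response: the guide's field names, fake shortened keys.
# The "PA-VM" capacity record is an assumption; the guide's sample shows only
# the Premium support and Threat Prevention records.
SAMPLE_RESPONSE = json.dumps([
    {"featureField": "Premium", "typeField": "SUP", "errmsgField": None,
     "keyField": "SAMPLE-SUP-KEY-LINE1\nSAMPLE-SUP-KEY-LINE2\n"},
    {"featureField": "Threat Prevention", "typeField": "SUB", "errmsgField": None,
     "keyField": "SAMPLE-TP-KEY-LINE1\nSAMPLE-TP-KEY-LINE2\n"},
    {"featureField": "PA-VM", "typeField": "VM", "errmsgField": None,
     "keyField": "SAMPLE-CAPACITY-KEY-LINE1\nSAMPLE-CAPACITY-KEY-LINE2\n"},
])


def demo(out_dir=None):
    """Write the sample keys (to a temp dir by default); return (names, threat key text)."""
    out_dir = out_dir or tempfile.mkdtemp()
    names = save_license_keys(SAMPLE_RESPONSE, "I7115398", out_dir)
    return names, (Path(out_dir) / names[1]).read_text()
```

Point `demo()` at the /license folder of a bootstrap package to see the resulting file set; install the pa-vm capacity key first, as the guide requires.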

Sample API request for retrieving previously activated licenses using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode serialNumber=007200006142 \
  https://api.paloaltonetworks.com/api/license/activate

Sample API response: the licensing server returns the same JSON array of license records as shown for initial license activation above.
Deactivate Licenses
URL: https://api.paloaltonetworks.com/api/license/deactivate
Parameters: encryptedToken
To deactivate the license(s) on a firewall that does not have direct internet access, you must generate the license token file locally on the firewall and then use this token file in the API request. For details on generating the license token file, see Deactivate VM or Deactivate a Feature License or Subscription Using the CLI.
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/deactivate?encryptedtoken@<token>
Sample API request for license deactivation using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode encryptedtoken@dact_lic.05022016.100036.tok \
  https://api.paloaltonetworks.com/api/license/deactivate
Sample API response (one record per deactivated license):
[{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
 {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
 {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
 {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
 {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
 {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null}]

Track License Usage
URL: https://api.paloaltonetworks.com/api/license/get
Parameters: authCode
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/get?authCode=<authcode>
Sample API request for tracking license usage using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode authcode=I9875031 \
  https://api.paloaltonetworks.com/api/license/get
Sample API response:
HTTP/1.1 200 OK
Date: Thu, 05 May 2016 20:07:16 GMT
Content-Length: 182

{"AuthCode":"I9875031","UsedCount":4,"TotalVMCount":10,"UsedDeviceDetails":[{"UUID":"420006BD-113D-081B-F500-2E7811BE80C9","CPUID":"D7060200FFFBAB1F","SerialNumber":"007200006142"}]}.....

Licensing API Error Codes

The HTTP error codes that the licensing server returns are as follows:
• 200 Success
• 400 Error
• 401 Invalid API Key
• 500 Server Error

Licenses for Cloud Security Service Providers (CSSPs)

The Palo Alto Networks CSSP partners program allows service providers to provide security as a service or as a hosted application to their end customers. The license offerings that Palo Alto Networks provides for authorized Cloud Security Service Provider (CSSP) partners are different from the offerings for enterprise users.
For CSSP partners, Palo Alto Networks supports a usage-based model for the VM-Series firewalls bundled with subscriptions and support. As a CSSP partner, you can combine a term-based capacity license for the VM-Series Models with a choice of subscription licenses for Threat Prevention, URL Filtering, AutoFocus, GlobalProtect, and WildFire, and support entitlements that provide access to technical support and software updates. For cost effectiveness, you can also opt for a high availability (HA) option if you plan on deploying the firewalls in an HA configuration.
• Get the Auth Codes for CSSP License Packages
• Register the VM-Series Firewall with a CSSP Auth Code
• Add End Customer Information for a Registered VM-Series Firewall

Get the Auth Codes for CSSP License Packages

To be a CSSP Partner, you have to enroll in the Palo Alto Networks CSSP partners program. For information on enrolling in the CSSP program, contact your Palo Alto Networks Channel Business Manager. If you are enrolled, the Palo Alto Networks Support portal provides tools that allow you to select a license package, track license usage, and apply license entitlements.
A license package is a combination of the following options:
• Usage term: The pay-per-use options are hourly, monthly, 1 year, and 3 years.
• VM-Series firewall model: The VM-100, VM-200, VM-300, and VM-1000-HV, which give you the model number and the capacities associated with each model.
• Subscription bundle: The three options are basic, bundle 1, and bundle 2. The basic option does not include any subscriptions; bundle 1 has the Threat Prevention license that includes IPS, AV, and malware prevention; bundle 2 has the Threat Prevention (includes IPS, AV, malware prevention), GlobalProtect, WildFire, and PAN-DB URL Filtering licenses.
• Level of support: Premium support or backline support.
• Redundant firewalls: The options are either high availability (HA) or without HA. This option is cost-effective if you plan to deploy a pair of redundant firewalls.
The offering PAN-VM-300-SP-PREM-BND1-YU, for example, is a one-year term package that includes the VM-300 with premium support and the subscription bundle 1. Each package supports up to a maximum of 10,000 instances of the VM-Series firewall.
After you select your license package, you receive an email with your auth code; the fulfillment process can take up to 48 hours.

Get the Auth Codes for the CSSP License Packages

Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.

Step 2 Select CSSP > Order History to view the list of auth codes registered to your support account.

As you deploy firewalls, you must register each instance of the firewall against an auth code.

Register the VM-Series Firewall with a CSSP Auth Code

To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. As a CSSP partner, you can choose from the following options to register a firewall:
• API: Use the Licensing API if you have a custom script or an orchestration service. With this option, the firewall does not need direct internet access.
• Bootstrap: Use this option to automatically configure the firewall and license it on first boot. See Bootstrap the VM-Series Firewall.
• Firewall web interface: You can Activate the License for the VM-Series Firewall (Standalone Version) using the firewall web interface. This workflow works for firewalls with or without internet access.
• Customer Support Portal: Use this option to manually register the firewall on the Palo Alto Networks Customer Support portal, as shown below.

Register the VM-Series Firewall on the Customer Support Portal for CSSPs

Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.

Step 2 Select CSSP > Order History to view the list of auth codes registered to your support account.

Step 3 Select CSSP > VM Provisioning Auth Codes, select an Authorization Code, and click Register VM.

Step 4 Enter the UUID and CPU ID of the VM instance and click Submit. The portal will generate a serial number for the firewall.

You can track the number of VM-Series firewalls that have been deployed and the number of licenses that are still available for use against each auth code. To view the total number of firewalls registered against a specific auth code, select CSSP > VM Provisioning Auth Codes, then select an Authorization Code and click Provisioned Devices.

Add End Customer Information for a Registered VM-Series Firewall

For the CSSP licenses, after you register the firewall, you can use the Palo Alto Networks Support portal to link the serial number of the VM-Series firewall with the customer for whom you provisioned the firewall.
• Add End Customer Information for a Registered VM-Series Firewall (Customer Support Portal)
• Add End Customer Information for a Registered VM-Series Firewall (API)

Add End Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Step 1 Log in to the Palo Alto Networks Customer Support website with your account credentials.

Step 2 Select CSSP > Provisioned Devices.

Step 3 Select the Serial Number and click Add End User Info.

Step 4 Enter the Account Information for the customer and click Submit to save the details.

After you add account information, you can find all firewalls registered to a customer. In Search Existing End User, enter the customer ID or customer name and click Search to find all firewalls provisioned for the customer.

Add End Customer Information for a Registered VM-Series Firewall (API)

The URL for accessing the API is https://api.paloaltonetworks.com/api/license/ReportEndUserInfo.
An API request must use the HTTP POST method, and you must include HTTP request headers that carry the API key and specify the content type as JSON. API responses are in JSON format.

Step 1 Get your Licensing API key.

Step 2 Use the ReportEndUserInfo API to add end user information for a VM-Series firewall that is registered to a CSSP.
URL: https://api.paloaltonetworks.com/api/license/ReportEndUserInfo
Headers:
• Content-Type: application/json
• apiKey: API Key
Parameters:
• SerialNumbers: Required, provide at least one valid firewall serial number
• CustomerAccountId: Required
• CompanyName: Required, end user company name
• EndUserContactEmail: Required, end user email address
• Address: Required, end user address
• Country: Required, 2-digit end user country code; currently US is the only valid value
• Region: Required, AWS region of the VM-Series firewall deployment
• City: Required, end user city name
• State: Required, 2-digit state code; currently CA is the only valid value
• PostalCode: Required, end user postal code
• DnBNumber: Data Universal Numbering System (DUNS) number
• Industry: End user industry type, such as networking or consultancy
• PhoneNumber: End user phone number
• WebSite: End user website URL
• CreatedBy: System or person submitting this information
Sample request to add end user information for a registered VM-Series firewall using Curl:
curl -X POST -H "Content-Type: application/json" \
  -H "apiKey:921d4450e988397138ca8a68vf2fc5d687870b3f11cb9439946a521dc4dc7cd8" \
  "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo?serialNumbers=0001A101234&CustomerAccountId=12345&CompanyName=ExampleInc&DnBNumber=123456789&Address=123 Main St&Country=US&Region=CA&City=Sunnydale&State=CA&PostalCode=12345&Industry=Medical&PhoneNumber=4081234567&WebSite=example.com&EndUserContactEmail=admin@example.com&CreatedBy=Jane Doe"
Sample API response:
{"Message": "End User Information Updated Successfully"}

If you receive an error, see Licensing API Error Codes.
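As an added example (not code from this guide or from Palo Alto Networks), the Python below builds the ReportEndUserInfo POST request the way the guide's curl sample does (apiKey and Content-Type: application/json headers, parameters in the query string) and first checks the payload against the parameter table above, so a request that the server would reject with a 400 never leaves the script. The required-field list and the US/CA-only values come from the table; comma-joining several serial numbers is an assumption, and the sample payload reuses the values from the guide's curl sample.

```python
"""Request builder and pre-flight validator for the CSSP ReportEndUserInfo call.

Added example, not Palo Alto Networks code. Follows the guide: HTTP POST to
.../api/license/ReportEndUserInfo, headers apiKey and Content-Type: application/json,
parameters carried in the query string as in the guide's curl sample.
"""
import urllib.parse
import urllib.request

REPORT_URL = "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo"

# From the guide's parameter table.
REQUIRED = ("SerialNumbers", "CustomerAccountId", "CompanyName", "EndUserContactEmail",
            "Address", "Country", "Region", "City", "State", "PostalCode")
OPTIONAL = ("DnBNumber", "Industry", "PhoneNumber", "WebSite", "CreatedBy")
# Values the guide says are currently the only accepted ones.
ALLOWED = {"Country": {"US"}, "State": {"CA"}}


def validate_end_user_info(info):
    """Return a list of problems; an empty list means the payload meets the guide's rules."""
    problems = []
    for field in REQUIRED:
        if not str(info.get(field, "")).strip():
            problems.append(f"{field} is required")
    serials = info.get("SerialNumbers") or []
    if isinstance(serials, str):
        serials = [s for s in serials.split(",") if s]
    if not serials:
        problems.append("SerialNumbers must list at least one firewall serial number")
    for field, allowed in ALLOWED.items():
        value = info.get(field)
        if value and value not in allowed:
            problems.append(f"{field} must be one of {sorted(allowed)}, got {value!r}")
    unknown = set(info) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        problems.append(f"unknown parameters: {sorted(unknown)}")
    return problems


def build_report_request(api_key, info):
    """Build (but do not send) the POST request; raise ValueError if the server would reject it."""
    problems = validate_end_user_info(info)
    if problems:
        raise ValueError("; ".join(problems))
    params = dict(info)
    if isinstance(params["SerialNumbers"], (list, tuple)):
        # Assumption: several serial numbers are sent comma-separated.
        params["SerialNumbers"] = ",".join(params["SerialNumbers"])
    url = REPORT_URL + "?" + urllib.parse.urlencode(params)
    headers = {"Content-Type": "application/json", "apiKey": api_key}
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


# Constructed payload using the values from the guide's curl sample.
SAMPLE_INFO = {
    "SerialNumbers": ["0001A101234"], "CustomerAccountId": "12345",
    "CompanyName": "ExampleInc", "EndUserContactEmail": "admin@example.com",
    "Address": "123 Main St", "Country": "US", "Region": "CA", "City": "Sunnydale",
    "State": "CA", "PostalCode": "12345", "DnBNumber": "123456789",
    "Industry": "Medical", "PhoneNumber": "4081234567", "WebSite": "example.com",
    "CreatedBy": "Jane Doe",
}
```

Call `build_report_request("<your API key>", SAMPLE_INFO)` and pass the result to `urllib.request.urlopen` to submit it; a 401 in the response means the apiKey header was rejected (see Licensing API Error Codes).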

Set Up a VM-Series Firewall on an ESXi Server

The VM-Series firewall is distributed using the Open Virtualization Alliance (OVA) format, which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi.
In order to deploy a VM-Series firewall you must be familiar with VMware and vSphere, including vSphere networking, ESXi host setup and configuration, and virtual machine guest deployment.
If you would like to automate the process of deploying a VM-Series firewall, you can create a gold standard template with the optimal configuration and policies, and use the vSphere API and the PAN-OS XML API to rapidly deploy new VM-Series firewalls in your network. For more information, see the article: VM-Series Data Center Automation.
See the following topics for information on:
• Supported Deployments on VMware vSphere Hypervisor (ESXi)
• VM-Series on ESXi System Requirements and Limitations
• Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)
• Troubleshoot ESXi Deployments
• Performance Tuning of the VM-Series for ESXi

Supported Deployments on VMware vSphere Hypervisor (ESXi)

You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the following options (for environments that are not using VMware NSX):
One VM-Series firewall per ESXi host: Every VM server on the ESXi host passes through the firewall before exiting the host for the physical network. VM servers attach to the firewall via virtual standard switches. The guest servers have no other network connectivity and therefore the firewall has visibility and control of all traffic leaving the ESXi host. One variation of this use case is to also require all traffic to flow through the firewall, including server-to-server (east-west) traffic on the same ESXi host.
One VM-Series firewall per virtual network: Deploy a VM-Series firewall for every virtual network. If you have designed your network such that one or more ESXi hosts has a group of virtual machines that belong to the internal network, a group that belongs to the external network, and some others to the DMZ, you can deploy a VM-Series firewall to safeguard the servers in each group. If a group or virtual network does not share a virtual switch or port group with any other virtual network, it is completely isolated from all other virtual networks within or across the host(s). Because there is no other physical or virtual path to any other network, the servers on each virtual network must use the firewall to talk to any other network. Therefore, the firewall has visibility and control of all traffic leaving the virtual (standard or distributed) switch attached to each virtual network.
Hybrid environment: Both physical and virtual hosts are used; the VM-Series firewall can be deployed in a traditional aggregation location in place of a physical firewall appliance to achieve the benefits of a common server platform for all devices and to unlink hardware and software upgrade dependencies.
Continue with VM-Series on ESXi System Requirements and Limitations and Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).

VM-Series on ESXi System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM-Series firewall, see Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).
Requirements
Limitations

Requirements

You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation (number of CPUs, memory, and disk space) on the ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
The host CPU must be an x86-based Intel or AMD CPU with virtualization extension.
VMware ESXi with vSphere 5.1, 5.5, 6.0, or 6.5 for VM-Series running PAN-OS 8.0. Note that the minimum supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-09.
See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Minimum of two network interfaces (vmNICs). One will be a dedicated vmNIC for the management interface and one for the data interface. You can then add up to eight more vmNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
The use of hypervisor assigned MAC address is enabled by default. vSphere assigns a unique vmNIC MAC address to each dataplane interface of the VM-Series firewall. If you disable the use of hypervisor assigned MAC addresses, the VM-Series firewall assigns each interface a MAC address from its own pool. Because this causes the MAC addresses on each interface to differ, you must enable promiscuous mode (see Step 2) on the port group of the virtual switch to which the dataplane interfaces of the firewall are attached to allow the firewall to receive frames. If neither promiscuous mode nor hypervisor assigned MAC address is enabled, the firewall will not receive any traffic. This is because vSphere will not forward frames to a virtual machine when the destination MAC address of the frame does not match the vmNIC MAC address.
Data Plane Development Kit (DPDK) is enabled by default on VM-Series firewalls on ESXi. For more information about DPDK, see Enable DPDK on ESXi.
To achieve the best performance out of the VM-Series firewall, you can make the following adjustments to the host before deploying the VM-Series firewall. See Performance Tuning of the VM-Series for ESXi for more information.
Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries.
Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
Enable multi-queue support for NICs. Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.

Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware's best practice recommendation when using snapshots.
If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Setup > Operations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.

Limitations

The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
Dedicated CPU cores are recommended.
High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address.
Up to 10 total ports can be configured; this is a VMware limitation. One port will be used for management traffic and up to 9 can be used for data traffic.
Only the vmxnet3 driver is supported.
Virtual systems are not supported.
vMotion of the VM-Series firewall is not supported. However, the VM-Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking.
VLAN trunking must be enabled on the ESXi vSwitch port groups that are connected to the interfaces (if configured in vwire mode) on the VM-Series firewall.
To use PCI devices with the VM-Series firewall on ESXi, memory mapped I/O (MMIO) must be below 4GB. You can disable MMIO above 4GB in your server's BIOS. This is an ESXi limitation.

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

To install a VM-Series firewall you must have access to the Open Virtualization Alliance format (OVA) template. Use the auth code you received in your order fulfillment email to register your VM-Series firewall and gain access to the OVA template. The OVA is downloaded as a zip archive that is expanded into three files: the .ovf extension is for the OVF descriptor file that contains all metadata about the package and its contents; the .mf extension is for the OVF manifest file that contains the SHA1 digests of individual files in the package; and the .vmdk extension is for the virtual disk image file that contains the virtualized version of the firewall.
Plan the Interfaces for the VM-Series for ESXi
Provision the VM-Series Firewall on an ESXi Server
Perform Initial Configuration on the VM-Series on ESXi
(Optional) Add Additional Disk Space to the VM-Series Firewall
Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Plan the Interfaces for the VM-Series for ESXi

By planning the mapping of VM-Series Firewall vNICs and interfaces, you can avoid reboots and configuration issues. The following table describes the default mapping between VMware vNICs and VM-Series interfaces when all 10 vNICs are enabled on ESXi.

VMware vNIC    VM-Series Interfaces
1              Ethernet1/0 (mgmt)
2              Ethernet1/1 (eth1)
3              Ethernet1/2 (eth2)
4              Ethernet1/3 (eth3)
5              Ethernet1/4 (eth4)
6              Ethernet1/5 (eth5)
7              Ethernet1/6 (eth6)
8              Ethernet1/7 (eth7)
9              Ethernet1/8 (eth8)
10             Ethernet1/9 (eth9)

The mapping on the VM-Series Firewall remains the same no matter which vNICs you add on ESXi. No matter which interfaces you activate on the firewall, they always take the next available vNIC on ESXi. In the following example, eth3 and eth4 on the VM-Series Firewall are paired to vNICs 2 and 3 on ESXi respectively. If you want to add two additional interfaces, you must activate vNICs 4 and 5; doing this requires you to power down the VM-Series firewall. If you activate eth1 and eth2 on the VM-Series Firewall, the interfaces will reorder themselves. This can result in a mapping mismatch and impact traffic.

To avoid issues like those described in the preceding example, you can do the following:
Activate all nine vNICs beyond the first when provisioning your ESXi host. Adding all nine vNICs as placeholders before powering on the VM-Series Firewall allows you to use any VM-Series interfaces regardless of order.
By activating the vNICs before powering on the VM-Series Firewall, adding additional interfaces in the future no longer requires a reboot. Because each vNIC on ESXi requires that you choose a network, you can create an empty port group as a network placeholder.
Do not remove VM-Series Firewall vNICs, to avoid mapping mismatches.

Provision the VM-Series Firewall on an ESXi Server

Use these instructions to deploy the VM-Series firewall on a (standalone) ESXi server. For deploying the VM-Series NSX edition firewall, see Set Up the VM-Series Firewall on VMware NSX.

Provision a VM-Series Firewall

Step 1  Download the OVA file.
Register your VM-Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support website: https://www.paloaltonetworks.com/support/tabs/overview.html.
The file contains the base installation. After the base installation is complete, you will need to download and install the latest PAN-OS version from the support portal. This will ensure that you have the latest fixes that were implemented since the base image was created. For instructions, see Upgrade the PAN-OS Software Version (Standalone Version).

Provision a VM-Series Firewall (Continued)

Step 2  Before deploying the OVA file, set up virtual standard switch(es) and virtual distributed switch(es) that you will need for the VM-Series firewall.
If you are deploying the VM-Series firewall with Layer 3 interfaces, your firewall will use Hypervisor Assigned MAC Addresses by default. If you choose to disable the use of hypervisor assigned MAC address, you must configure (set to Accept) any virtual switch attached to the VM-Series firewall to allow the following modes:
Promiscuous mode
MAC address changes
Forged transmits
If you are deploying the firewall with Layer 2, virtual wire, or tap interfaces, you must configure any virtual switch attached to the VM-Series firewall to allow (set to Accept) the modes listed above.
To configure a virtual standard switch to receive frames for the VM-Series firewall:
1. Configure a virtual standard switch from the vSphere Client by navigating to Home > Inventory > Hosts and Clusters.
2. Click the Configuration tab and under Hardware click Networking. For each VM-Series firewall attached virtual switch, click on Properties.
3. Highlight the virtual switch and click Edit. In the vSwitch properties, click the Security tab and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK. This change will propagate to all port groups on the virtual switch.
To configure a virtual distributed switch to receive frames for the VM-Series firewall:
1. Select Home > Inventory > Networking. Highlight the Distributed Port Group you want to edit and select the Summary tab.
2. Click Edit Settings and select Policies > Security and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK.

Provision a VM-Series Firewall (Continued)

Step 3  Deploy the OVA.
If you add additional interfaces (vmNICs) to the VM-Series firewall, a reboot is required because new interfaces are detected during the boot cycle. To avoid the need to reboot the firewall, make sure to add the interfaces at initial deployment or during a maintenance window so that you can reboot the firewall.
1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
2. From the vSphere client, select File > Deploy OVF Template.
3. Browse to the OVA file that you downloaded in Step 1, select the file and then click Next. Review the template's details window and then click Next again.
4. Name the VM-Series firewall instance and in the Inventory Location window, select a Data Center and Folder and click Next.
5. Select an ESXi host for the VM-Series firewall and click Next.
6. Select the datastore to use for the VM-Series firewall and click Next.
7. Leave the default settings for the datastore provisioning and click Next. The default is Thick Provision Lazy Zeroed.
Do not configure CPU affinity for the VM-Series firewall. The vCenter/ESXi server optimizes the CPU placement for the VM-Series and the firewall performs best when you do not modify the non-uniform memory access (NUMA) configuration.
8. Select the networks to use for the two initial vmNICs. The first vmNIC will be used for the management interface and the second vmNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
9. Review the details window, select the Power on after deployment check box and then click Next.
10. When the deployment is complete, click the Summary tab to review the current status. To view the progress of the installation, monitor the Recent Tasks list.

Perform Initial Configuration on the VM-Series on ESXi

Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on ESXi, refer to Bootstrap the VM-Series Firewall on ESXi. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.

Configure the Management Interface With a Static IP Address

Step 1  Gather the required information from your network administrator.
IP address for MGT port
Netmask
Default gateway
DNS server IP address

Step 2  Access the console of the VM-Series firewall.
1. Select the Console tab on the ESXi server for the VM-Series firewall, or right-click the VM-Series firewall and select Open Console.
2. Press enter to access the login screen.
3. Enter the default username/password (admin/admin) to log in.
4. Enter configure to switch to configuration mode.

Step 3  Configure the network access settings for the management interface.
Enter the following commands:
set deviceconfig system type static
set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.

Step 4  Commit your changes and exit the configuration mode.
Enter commit.
Enter exit.

Step 5  Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
admin@PA-200 > ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
After verifying DNS resolution, press Ctrl+C to stop the ping request.

2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall.

An unlicensed VM-Series firewall can process up to approximately 1230 concurrent sessions. Depending on the environment, the session limit can be reached very quickly. Therefore, apply the capacity auth code and retrieve a license before you begin testing the VM-Series firewall; otherwise, you might have unpredictable results if there is other traffic on the port group(s).

Add Additional Disk Space to the VM-Series Firewall

The VM-Series firewall requires a 40GB virtual disk, of which 17GB is used for logging. For larger deployments, to aggregate data from all next-generation firewalls and provide visibility across all the traffic on your network, use Panorama for centralized logging and reporting. In smaller deployments, where you do not use Panorama but require more log storage capacity, use the following procedure to add a new virtual disk that can support 40GB to 2TB of storage capacity for logs.

When configured to use a virtual disk, the virtual appliance does not use the default 17GB storage for logging. Therefore, if it loses connectivity to the virtual disk, logs could be lost during the failure interval.
To allow for redundancy, place the newly created virtual disk on a datastore that provides RAID redundancy. RAID 10 provides the best write performance for applications with high logging characteristics.

Add a Virtual Disk to the VM-Series Firewall

Step 1  Power off the VM-Series firewall.

Step 2  On the ESX(i) server, add the virtual disk to the firewall.
1. Select the VM-Series firewall on the ESX(i) server.
2. Click Edit Settings.
3. Click Add to launch the Add Hardware wizard, and select the following options when prompted:
a. Select Hard Disk for the hardware type.
b. Select Create a new virtual disk.
c. Select SCSI as the virtual disk type.
d. Select the Thick provisioning disk format.
e. In the location field, select the Store with the virtual machine option. The datastore does not have to reside on the ESX(i) server.
f. Verify that the settings look correct and click Finish to exit the wizard. The new disk is added to the list of devices for the virtual appliance.

Step 3  Power on the firewall.
When powered on, the virtual disk is initialized for first-time use. The time that the initialization process takes to complete varies by the size of the new virtual disk.
When the new virtual disk is initialized and ready, all logs from the existing disk will be moved over to the new virtual disk. Newly generated log entries will now be written to this new virtual disk. A system log entry that records the new disk is also generated.
If you reuse a virtual disk, that is, if the disk was previously used for storing PAN-OS logs, the logs from the existing disk will not be moved over to the virtual disk.

Step 4  Verify the size of the new virtual disk.
1. Select Device > Setup > Management.
2. In the Logging and Reporting Settings section, verify that the Log Storage capacity accurately displays the new disk capacity.

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

VMware Tools is a utility that improves the ability to manage the VM-Series firewall from vCenter server and vCloud Director. VMware Tools is bundled with the software image for the VM-Series firewall and all updates will be made available with a new ovf image; you cannot manually install or upgrade VMware Tools using the vCenter server or vCloud Director.

View the IP address(es) on the management interface and the software version on the firewall and Panorama.
In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and view the Summary tab for information on the IP address(es) assigned to the management interface and the software version currently installed.

View resource utilization metrics on hard disk, memory, and CPU. Use these metrics to enable alarms on the vCenter server.
In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and view the Monitor > Utilization tab for information on hard disk, memory, and CPU usage.

Gracefully shut down or restart the firewall and Panorama from the vCenter server.
In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and select the Actions > Power dropdown.

Create alarm definitions for events you want to be notified on, or for which you want to specify an automated action. Refer to the VMware documentation for details on creating alarm definitions.
In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and select Manage > Alarm Definitions to add a new trigger and specify an action when a threshold is met. For example, missing heartbeats for a specified duration, or when memory resource usage exceeds a threshold. The following screenshot shows you how to use notifications for heartbeat monitoring on the firewall or Panorama.

Troubleshoot ESXi Deployments

Many of the troubleshooting steps for the VM-Series firewall are very similar to the hardware versions of PAN-OS. When problems occur, you should check interface counters, system log files, and if necessary, use debug to create captures. For more details on PAN-OS troubleshooting, refer to the article on Packet Based Troubleshooting.
The following sections describe how to troubleshoot some common problems:
Basic Troubleshooting
Installation Issues
Licensing Issues
Connectivity Issues

Basic Troubleshooting

Recommendation for Network Troubleshooting Tools
It is useful to have a separate troubleshooting station to capture traffic or inject test packets in the virtualized environment. It can be helpful to build a fresh OS from scratch with common troubleshooting tools installed such as tcpdump, nmap, hping, traceroute, iperf, tcpedit, netcat, etc. This machine can then be powered down and converted to a template. Each time the tools are needed, the troubleshooting client (virtual machine) can be quickly deployed to the virtual switch(es) in question and used to isolate networking problems. When the testing is complete, the instance can simply be discarded and the template used again the next time it is required.

For performance related issues on the firewall, first check the Dashboard from the firewall web interface. To view alerts or create a tech support or stats dump file, navigate to Device > Support.
For information in the vSphere client, go to Home > Inventory > VMs and Templates, select the VM-Series firewall instance and click the Summary tab. Under Resources, check the statistics for consumed memory, CPU and storage. For resource history, click the Performance tab and monitor resource consumption over time.

Installation Issues

Issues with deploying the OVA
Why does the firewall boot into maintenance mode?
How do I modify the base image file for the VM-1000-HV license?

Issues with deploying the OVA

The VM-Series is delivered as a file in the Open Virtualization Alliance (OVA) format. The OVA image is downloaded as a zip archive that is expanded into three files. If you are having trouble deploying the OVA image, make sure the three files are unpacked and present and, if necessary, download and extract the OVA image again.
The ovf extension is for the OVF descriptor file that contains all metadata about the package and its contents.
The mf extension is for the OVF manifest file that contains the SHA1 digests of individual files in the package.
The vmdk extension is for the virtual disk image file.
The virtual disk in the OVA image is large for the VM-Series; this file is nearly 900MB and must be present on the computer running the vSphere client or must be accessible as a URL for the OVA image. Make sure the network connection is sufficient between the vSphere client computer and the target ESXi host. Any firewalls in the path will need to allow TCP ports 902 and 443 from the vSphere client to the ESXi host(s). There needs to be sufficient bandwidth and low latency on the connection, otherwise the OVA deployment can take hours or time out and fail.
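Because the .mf manifest lists the SHA1 digest of every file in the package, an unpacked OVA can be checked for completeness and tampering before it is deployed. The following Python script is an added example, not code from the guide: it parses the manifest, recomputes each digest, and reports mismatched, missing and unlisted files; the three-file package it runs on is constructed in a temporary directory with placeholder file names.

```python
"""Verify the SHA1 digests in an OVF manifest (.mf) against the unpacked files.

Added example, not from the Palo Alto Networks guide. It is exercised on a
constructed package written to a temporary directory; point check_package()
at a real unpacked OVA directory to use it on a downloaded image.
"""
import hashlib
import os
import re
import tempfile

# One manifest line looks like:  SHA1(PA-VM-ESX.ovf)= 9a0364b9e9...
MANIFEST_LINE = re.compile(
    r"^\s*(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return a list of (algorithm, file name, hex digest) tuples from .mf text.

    A malformed line raises ValueError rather than being skipped, because a
    silently skipped line would mean a file goes unchecked.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line %d: %r" % (lineno, line))
        entries.append((m.group("algo"), m.group("name"), m.group("digest").lower()))
    return entries


def file_digest(path, algo):
    """Stream the file through hashlib; the .vmdk is large, so never read it whole."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_package(directory):
    """Check every file listed in the package's single .mf file.

    Returns a dict mapping file name to "ok", "mismatch" or "missing"; files
    present in the directory but absent from the manifest are reported as
    "unlisted" so that an extra file dropped into the package is noticed.
    """
    mf_files = [n for n in os.listdir(directory) if n.endswith(".mf")]
    if len(mf_files) != 1:
        raise ValueError("expected exactly one .mf file, found %r" % mf_files)
    with open(os.path.join(directory, mf_files[0])) as f:
        entries = parse_manifest(f.read())

    results = {}
    for algo, name, expected in entries:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in os.listdir(directory):
        if name not in results and name != mf_files[0]:
            results[name] = "unlisted"
    return results


def build_sample_package(tamper=False):
    """Write a constructed three-file package (.ovf, .vmdk, .mf) to a temp dir.

    Returns the directory path. With tamper=True the .ovf is modified after the
    manifest was written, which is what an edited descriptor looks like.
    """
    d = tempfile.mkdtemp(prefix="ova-check-")
    files = {  # constructed placeholders, not real VM-Series image contents
        "PA-VM-ESX-example.ovf": b"<Envelope>constructed descriptor</Envelope>\n",
        "PA-VM-ESX-example-disk1.vmdk": b"KDMV" + b"\x00" * 4096,
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "PA-VM-ESX-example.mf"), "w") as f:
        for name in files:
            f.write("SHA1(%s)= %s\n" % (name, file_digest(os.path.join(d, name), "SHA1")))
    if tamper:
        with open(os.path.join(d, "PA-VM-ESX-example.ovf"), "ab") as f:
            f.write(b"<!-- edited after packaging -->\n")
    return d


if __name__ == "__main__":
    for tamper in (False, True):
        print(check_package(build_sample_package(tamper)))
```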

Why does the firewall boot into maintenance mode?

If you have purchased the VM-1000-HV license and are deploying the VM-Series firewall in standalone mode on a VMware ESXi server or on a Citrix SDX server, you must allocate the minimum memory required by your VM-Series model.
To fix this issue, you must either modify the base image file (see How do I modify the base image file for the VM-1000-HV license?) or edit the settings on the ESXi host or the vCenter server before you power on the VM-Series firewall.
Also, verify that the interface is VMXnet3; setting the interface type to any other format will cause the firewall to boot into maintenance mode.

How do I modify the base image file for the VM-1000-HV license?

If you have purchased the VM-1000-HV license and are deploying the VM-Series firewall in standalone mode on a VMware ESXi server or on a Citrix SDX server, use these instructions to modify the following attributes that are defined in the base image file (.ova or .xva) of the VM-Series firewall.
Important: Modifying values other than those listed hereunder will invalidate the base image file.

Modify the base image file (only if using the VM-1000-HV license in standalone mode)

Step 1  Open the base image file, for example 7.0.0, with a text editing tool such as notepad.

Step 2  Search for 4096 and change the memory allocated to 5120 (that is, 5GB) here:
<Item>
  <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
  <rasd:Description>Memory Size</rasd:Description>
  <rasd:ElementName>4096MB of memory</rasd:ElementName>
  <rasd:InstanceID>2</rasd:InstanceID>
  <rasd:ResourceType>4</rasd:ResourceType>
  <rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
</Item>
<Item>
  <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
  <rasd:Description>Memory Size</rasd:Description>
  <rasd:ElementName>5120MB of memory</rasd:ElementName>
  <rasd:InstanceID>2</rasd:InstanceID>
  <rasd:ResourceType>4</rasd:ResourceType>
  <rasd:VirtualQuantity>5120</rasd:VirtualQuantity>
</Item>
Step 3  Change the number of virtual CPU cores allotted from 2 to 4 or 8 as desired for your deployment:
<Item>
  <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
  <rasd:Description>Number of Virtual CPUs</rasd:Description>
  <rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
  <rasd:InstanceID>1</rasd:InstanceID>
  <rasd:ResourceType>3</rasd:ResourceType>
  <rasd:VirtualQuantity>2</rasd:VirtualQuantity>
  <vmw:CoresPerSocket ova:required="false">2</vmw:CoresPerSocket>
</Item>
<Item>
  <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
  <rasd:Description>Number of Virtual CPUs</rasd:Description>
  <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
  <rasd:InstanceID>1</rasd:InstanceID>
  <rasd:ResourceType>3</rasd:ResourceType>
  <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
  <vmw:CoresPerSocket ova:required="false">2</vmw:CoresPerSocket>
</Item>

Alternatively you can deploy the firewall and, before you power on the VM-Series firewall, edit the memory and virtual CPU allocation directly on the ESXi host or the vCenter server.
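The two edits in Step 2 and Step 3 can be applied by script instead of by hand, which avoids touching any other element of the descriptor. The following Python code is an added example, not part of the guide: it locates the memory and CPU Items by their CIM ResourceType (4 and 3), rewrites only VirtualQuantity and ElementName, and refuses to edit when the memory units are not MB or an Item is ambiguous. The descriptor fragment is constructed from the Items shown above; the rasd namespace URI is the one OVF descriptors use.

```python
"""Patch the memory and vCPU Items of an OVF descriptor with ElementTree.

Added example, not from the Palo Alto Networks guide. It applies the edits
the procedure above describes (memory 4096 -> 5120 MB, vCPUs 2 -> 4) to a
constructed descriptor fragment and leaves every other element untouched.
"""
import xml.etree.ElementTree as ET

RASD = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
NS = {"rasd": RASD}
# CIM ResourceType codes used in the OVF VirtualHardwareSection.
RESOURCE_PROCESSOR = "3"
RESOURCE_MEMORY = "4"

# Constructed fragment carrying the two Items shown in Step 2 and Step 3.
SAMPLE_OVF = """<VirtualHardwareSection xmlns:rasd="%s">
  <Item>
    <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
    <rasd:Description>Number of Virtual CPUs</rasd:Description>
    <rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
    <rasd:InstanceID>1</rasd:InstanceID>
    <rasd:ResourceType>3</rasd:ResourceType>
    <rasd:VirtualQuantity>2</rasd:VirtualQuantity>
  </Item>
  <Item>
    <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
    <rasd:Description>Memory Size</rasd:Description>
    <rasd:ElementName>4096MB of memory</rasd:ElementName>
    <rasd:InstanceID>2</rasd:InstanceID>
    <rasd:ResourceType>4</rasd:ResourceType>
    <rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
  </Item>
</VirtualHardwareSection>
""" % RASD


def _items_of_type(root, resource_type):
    """All Item elements (in any OVF namespace) whose rasd:ResourceType matches."""
    return [el for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Item"
            and el.findtext("rasd:ResourceType", namespaces=NS) == resource_type]


def set_resource(root, resource_type, quantity, element_name):
    """Set VirtualQuantity and ElementName on the single Item of resource_type.

    Exactly one matching Item is required: zero means this is not the
    descriptor we expect, more than one means the edit would be ambiguous.
    """
    items = _items_of_type(root, resource_type)
    if len(items) != 1:
        raise ValueError("expected one Item with ResourceType %s, found %d"
                         % (resource_type, len(items)))
    item = items[0]
    item.find("rasd:VirtualQuantity", NS).text = str(quantity)
    item.find("rasd:ElementName", NS).text = element_name
    return item


def patch_descriptor(ovf_text, memory_mb=5120, vcpus=4):
    """Return the descriptor text with the memory and vCPU Items rewritten.

    The memory AllocationUnits must be MB (byte * 2^20) so that a quantity
    given in MB is never written into a descriptor that counts in bytes.
    """
    ET.register_namespace("rasd", RASD)  # keep the rasd: prefix on output
    root = ET.fromstring(ovf_text)
    mem = _items_of_type(root, RESOURCE_MEMORY)
    if len(mem) == 1 and mem[0].findtext("rasd:AllocationUnits", namespaces=NS) != "byte * 2^20":
        raise ValueError("memory Item is not expressed in MB")
    set_resource(root, RESOURCE_MEMORY, memory_mb, "%dMB of memory" % memory_mb)
    set_resource(root, RESOURCE_PROCESSOR, vcpus, "%d virtual CPU(s)" % vcpus)
    return ET.tostring(root, encoding="unicode")


def read_resources(ovf_text):
    """Return (vcpus, memory_mb) as ints, for verifying a descriptor before/after."""
    root = ET.fromstring(ovf_text)
    cpu = _items_of_type(root, RESOURCE_PROCESSOR)[0]
    mem = _items_of_type(root, RESOURCE_MEMORY)[0]
    return (int(cpu.findtext("rasd:VirtualQuantity", namespaces=NS)),
            int(mem.findtext("rasd:VirtualQuantity", namespaces=NS)))


if __name__ == "__main__":
    print(patch_descriptor(SAMPLE_OVF))
```

Because the .mf manifest records the SHA1 digest of the .ovf, an edited descriptor no longer matches its manifest entry.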

Licensing Issues

Why am I unable to apply the support or feature license?
Why does my cloned VM-Series firewall not have a valid license?
Will moving the VM-Series firewall cause license invalidation?

Why am I unable to apply the support or feature license?

Have you applied the capacity auth code on the VM-Series firewall? Before you can activate the support or feature license, you must apply the capacity auth code so that the device can obtain a serial number. This serial number is required to activate the other licenses on the VM-Series firewall.

Why does my cloned VM-Series firewall not have a valid license?

VMware assigns a unique UUID to each virtual machine, including the VM-Series firewall. So, when a VM-Series firewall is cloned, a new UUID is assigned to it. Because the serial number and license for each instance of the VM-Series firewall is tied to the UUID, cloning a licensed VM-Series firewall will result in a new firewall with an invalid license. You will need a new auth code to activate the license on the newly deployed firewall. You must apply the capacity auth code and a new support license in order to obtain full functionality, support, and software upgrades on the VM-Series firewall.

Will moving the VM-Series firewall cause license invalidation?

If you are manually moving the VM-Series firewall from one host to another, be sure to select the option This guest was moved, to prevent license invalidation.

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

On the VM-Series firewall, check the traffic logs (Monitor > Logs). If the logs are empty, use the following CLI command to view the packets on the interfaces of the VM-Series firewall:
show counter global filter delta yes
Global counters:
Elapsed time since last sampling: 594.544 seconds

--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
In the vSphere environment, check for the following issues:
Check the port groups and confirm that the firewall and the virtual machine(s) are on the correct port group.
Make sure that the interfaces are mapped correctly.
Network adapter 1 = management
Network adapter 2 = Ethernet1/1
Network adapter 3 = Ethernet1/2
For each virtual machine, check the settings to verify the interface is mapped to the correct port group.
Verify that either promiscuous mode is enabled for each port group or for the entire switch, or that you have configured the firewall to use Hypervisor Assigned MAC Addresses.
Since the dataplane PAN-OS MAC addresses are different from the VMNIC MAC addresses assigned by vSphere, the port group (or the entire vSwitch) must be in promiscuous mode if the firewall is not enabled to use the hypervisor assigned MAC address.
Check the VLAN settings on vSphere.
The use of the VLAN setting for the vSphere port group serves two purposes: it determines which port groups share a layer 2 domain, and it determines whether the uplink ports are tagged (802.1Q).
Check the physical switch port settings.
If a VLAN ID is specified on a port group with uplink ports, then vSphere will use 802.1Q to tag outbound frames. The tag must match the configuration on the physical switch or the traffic will not pass.
Check the port statistics if using virtual distributed switches (vDS); standard switches do not provide any port statistics.

Performance Tuning of the VM-Series for ESXi

The VM-Series firewall for ESXi is a high performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall. For the best performance, ESXi 6.0.0.0 or later is recommended.
Install the NIC Driver on ESXi
Enable DPDK on ESXi
Enable SR-IOV on ESXi
Enable Multi-Queue Support for NICs on ESXi

Install the NIC Driver on ESXi

For the best performance, use SR-IOV with Intel 10GB network interfaces, which requires the ixgbe 4.4.1 driver to support multiple queues for each interface.

Verify the Driver Version

Step 1  Obtain a list of network interfaces on the ESXi host.
1. Log in to the ESXi host CLI.
2. Use the following command to return a list of network interfaces:
$ esxcli network nic list

VerifytheDriverVersion

Step2 Determinethedriverversionfora Youcanuseeitherethtooloresxclitodeterminethe


particularinterface. currentlyinstalleddriverversion.Thefollowingexampleuses
vmnic4andreturnsdriverversion3.21.6.
ethtool:$ ethtool -l <nic-name>
$ ethtool -I vmnic4
driver: ixgbe
version: 3.21.6iov
firmware-version: 0x80000389
bus-info: 0000:04:00.0
esxcli:$ esxcli network nic get -n <nic-name>
$ esxcli network nic get -n vmnic4
Advertised Auto Negotiation: true
Advertised Link Modes:
Auto Negotiation: true
Cable Type:
Current Message Level: 7
Driver Info:
Bus Info: 0000:04:00.0
Driver: ixgbe
Firmware Version: 0x80000389
Version: 3.21.6iov
Link Detected: false
Link Status: Down
Name: vmnic4
PHYAddress: 0
Pause Autonegotiate: true
Pause RX: true
Pause TX: true
Supported Ports: FIBRE
Supports Auto Negotiation: true
Supports Pause: true
Supports Wakeon: false
Transceiver: external
Wakeon: None

Step 3   Install the new driver.
         1. Download the 4.4.1 driver from the VMware website.
         2. Copy the file to the ESXi host datastore.
         3. Enable maintenance mode on the ESXi host.
         4. Use one of the following commands to install the new driver.
            $ esxcli software vib install -d <path to driver .zip file>
            $ esxcli software vib install -v <path to driver .vib file>

Enable DPDK on ESXi

Data Plane Development Kit (DPDK) enhances VM-Series performance by increasing network interface card (NIC) packet processing speed. On the VM-Series firewall, DPDK is enabled by default on ESXi. If you disable DPDK, the NIC uses packet mmap instead of DPDK. To take advantage of DPDK, you must use a NIC with one of the following drivers:

    All data interfaces must be using the same driver to support DPDK.

Supported Drivers

    Virtual Driver    VMXNET3

    Intel Driver      ixgbe, ixgbevf, i40e, i40evf

You can disable DPDK using the command set system setting dpdk-pkt-io off.

Enable SR-IOV on ESXi

Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. Enable SR-IOV by enabling virtual function devices on the SR-IOV NIC and then modifying the guest settings in vCenter.
SR-IOV on the VM-Series for ESXi requires one of the following Intel NIC drivers.

    Driver Filename       Version

    ixgbe/ixgbe.ko        4.2.0.4.1

    ixgbevf/ixgbevf.ko    2.14.2

    i40e/i40e.ko          1.3.49

    i40evf/i40evf.ko      1.2.25

Complete the following procedure to enable SR-IOV.

Enable SR-IOV on the Guest Machine

Step 1   Enable virtual function devices on the SR-IOV NIC.
         1. Log in to the ESXi host CLI.
         2. Use the following command:
            $ esxcli system module parameters set -m <nic_driver> -p max_vfs=<n>
            For example, for ixgbe, you can specify:
            $ esxcli system module parameters set -m ixgbe -p "max_vfs=8"
            Max VFs (max_vfs) is a comma-separated list, where each number corresponds to a separate port/NIC. If you have a multiport NIC or multiple NICs using the same driver, you must specify multiple max_vfs values, one for each port/NIC.

Step 2   Modify the guest settings in vCenter.
         1. Log in to vCenter and select your VM-Series firewall guest machine.
         2. Select Manage > Settings > VM Hardware and Edit the hardware settings.
         3. Select Virtual Hardware.
         4. Choose PCI Device from the New device drop-down and click Add.
         5. Edit the settings of the added PCI device, select the PCI ID corresponding to an available virtual function device.

Step 3   Reboot the ESXi host for your changes to take effect.

Enable Multi-Queue Support for NICs on ESXi

Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues. Modify the .vmx file or access Advanced Settings to enable multi-queue.

Enable Multi-Queue

Step 1   Enable multi-queue.
         1. Open the .vmx file.
         2. Add the following parameter:
            ethernetX.pnicFeatures = 4

Step 2   Enable receive side scaling (RSS).
         1. Log in to the CLI on the ESXi host.
         2. Execute the following command:
            $ vmkload_mod -u ixgbe
            $ vmkload_mod ixgbe RSS=4,4,4,4,4,4

Step 3   For the best performance, allocate additional CPU threads per ethernet/vSwitch device. This is limited by the amount of spare CPU resources available on the ESXi host.
         1. Open the .vmx file.
         2. Add the following parameter:
            ethernetX.ctxPerDev = 1
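The checks that the driver, DPDK and multi-queue procedures above ask you to make by hand (driver version per interface, one DPDK-capable driver shared by all data interfaces, and both .vmx multi-queue keys present on every vNIC) can be scripted for a host audit. The following Python is an added example, not code from the guide or from Palo Alto Networks; it generalizes the single-interface check in Step 2 to every data NIC. The esxcli output and the .vmx fragment it parses are constructed samples in the format shown above, and the version thresholds are the ones this section states.

```python
"""Audit ESXi NIC driver facts and .vmx settings against the guidance in this section.

Added example (not from the guide or from Palo Alto Networks): the sample outputs
below are constructed to mirror the format of `esxcli network nic get -n <nic>`
and of a .vmx file; they are not from a real host.
"""
import re
from typing import Dict, List, Tuple

# Drivers the guide lists as DPDK-capable on ESXi (VMXNET3 plus the Intel set).
DPDK_DRIVERS = {"vmxnet3", "ixgbe", "ixgbevf", "i40e", "i40evf"}

# Minimum driver versions from the guide: ixgbe 4.4.1 for multi-queue on Intel
# 10GB NICs; the other three from the SR-IOV driver table.
MIN_VERSIONS = {"ixgbe": "4.4.1", "ixgbevf": "2.14.2", "i40e": "1.3.49", "i40evf": "1.2.25"}

# Per-vNIC .vmx keys the multi-queue procedure adds, with the values it expects.
VMX_REQUIRED = {"pnicFeatures": "4", "ctxPerDev": "1"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.21.6iov' -> (3, 21, 6): keep the leading dotted numerals, drop suffixes."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions numerically, padding the shorter one with zeros."""
    a, b = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def parse_nic_get(output: str) -> Dict[str, str]:
    """Pull Name, Driver and Version out of `esxcli network nic get` style output."""
    info: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Name", "Driver", "Version"):
            info[key.strip().lower()] = value.strip()
    return info


def audit_nics(nic_outputs: Dict[str, str]) -> List[str]:
    """Findings for the data NICs: driver not DPDK-capable, version too old, mixed drivers."""
    findings: List[str] = []
    drivers = set()
    for nic, output in nic_outputs.items():
        info = parse_nic_get(output)
        driver, version = info.get("driver", ""), info.get("version", "")
        drivers.add(driver.lower())
        if driver.lower() not in DPDK_DRIVERS:
            findings.append(f"{nic}: driver '{driver}' is not in the DPDK-supported driver list")
        minimum = MIN_VERSIONS.get(driver.lower())
        if minimum and not version_at_least(version, minimum):
            findings.append(f"{nic}: {driver} {version} is below the required {minimum}")
    if len(drivers) > 1:
        findings.append("data interfaces use mixed drivers (" + ", ".join(sorted(drivers))
                        + "); DPDK needs all data interfaces on the same driver")
    return findings


def audit_vmx(vmx_text: str) -> List[str]:
    """Report each ethernetN device in a .vmx that lacks a multi-queue setting."""
    settings: Dict[str, str] = {}
    for line in vmx_text.splitlines():
        m = re.match(r'\s*([\w.]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2)
    devices = sorted({k.split(".")[0] for k in settings if re.match(r"ethernet\d+\.", k)})
    findings: List[str] = []
    for dev in devices:
        for key, want in VMX_REQUIRED.items():
            got = settings.get(f"{dev}.{key}")
            if got != want:
                findings.append(f'{dev}.{key} is {got!r}, expected "{want}"')
    return findings


# Constructed sample: vmnic4 still on ixgbe 3.21.6iov (as in Step 2), vmnic5 already on 4.4.1.
SAMPLE_NIC_GET = {
    "vmnic4": "   Driver Info:\n         Bus Info: 0000:04:00.0\n         Driver: ixgbe\n"
              "         Firmware Version: 0x80000389\n         Version: 3.21.6iov\n"
              "   Link Detected: false\n   Name: vmnic4\n",
    "vmnic5": "   Driver Info:\n         Bus Info: 0000:04:00.1\n         Driver: ixgbe\n"
              "         Firmware Version: 0x80000389\n         Version: 4.4.1\n"
              "   Link Detected: true\n   Name: vmnic5\n",
}

# Constructed .vmx fragment: ethernet1 is fully tuned, ethernet2 is missing ctxPerDev.
SAMPLE_VMX = (
    'ethernet1.virtualDev = "vmxnet3"\n'
    'ethernet1.pnicFeatures = "4"\n'
    'ethernet1.ctxPerDev = "1"\n'
    'ethernet2.virtualDev = "vmxnet3"\n'
    'ethernet2.pnicFeatures = "4"\n'
)

if __name__ == "__main__":
    for finding in audit_nics(SAMPLE_NIC_GET) + audit_vmx(SAMPLE_VMX):
        print(finding)
```

On a real host, feed audit_nics the output of `esxcli network nic get -n <nic>` for each data NIC (not the management NIC) and audit_vmx the firewall's .vmx; an empty findings list means the host matches this section's recommendations.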

Set Up the VM-Series Firewall on vCloud Air

The VM-Series firewall can be deployed in a virtual data center (vDC) on vCloud Air using the vCloud Air portal, from the vCloud Director portal or using the vCloud Air API.
    About the VM-Series Firewall on vCloud Air
    Deployments Supported on vCloud Air
    Deploy the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

You can deploy the VM-Series firewall in a virtual data center (vDC) on VMware vCloud Air using the vCloud Air portal or from the vCloud Director portal. To centrally manage all your physical and VM-Series firewalls, you can use an existing Panorama or deploy a new Panorama on premise or on vCloud Air.
The VM-Series firewall on vCloud Air requires the following:
    • ESXi version of the software image, an Open Virtualization Alliance (OVA) file, from the Palo Alto Networks Customer Support website. Currently, the vCloud Air Marketplace does not host the software image.
    • In order to efficiently deploy the VM-Series firewall, include the firewall software image in a vApp. A vApp is a container for preconfigured virtual appliances (virtual machines and operating system images) that is managed as a single object. For example, if your vApp includes a set of multi-tiered applications and the VM-Series firewall, each time you deploy the vApp, the VM-Series firewall automatically secures the web server and database server that get deployed with the vApp.
    • License and subscriptions purchased from a partner, reseller, or directly from Palo Alto Networks, in the Bring Your Own License (BYOL) model; the usage-based licensing for the VM-Series on vCloud Air is not available.
    • Due to the security restrictions imposed on vCloud Air, the VM-Series firewall on vCloud Air is best deployed with Layer 3 interfaces and the interfaces must be enabled to use the hypervisor assigned MAC address. If you do not enable hypervisor assigned MAC address, the VMware vSwitch cannot forward traffic to the dataplane interfaces on the VM-Series firewall because the vSwitch on vCloud Air does not support promiscuous mode or MAC forged transmits. The VM-Series firewall cannot be deployed with tap interfaces, Layer 2 interfaces, or virtual wire interfaces.
    • The VM-Series firewall on vCloud Air can be deployed in an active/passive high availability configuration. However, the VM-Series firewall on vCloud Air does not support VM Monitoring capabilities for virtual machines that are hosted on vCloud Air.
To learn all about vCloud Air, refer to the VMware vCloud Air documentation.

Deployments Supported on vCloud Air

To enable applications safely, block known and unknown threats, and to keep pace with changes in your environment, you can deploy the VM-Series firewall on vCloud Air with Layer 3 interfaces in the following ways:
    • Secure the virtual data center perimeter: Deploy the VM-Series firewall as a virtual machine that connects isolated and routed networks on vCloud Air. In this deployment the firewall secures all north-south traffic traversing the infrastructure on vCloud Air.
    • Set up a hybrid cloud: Extend your data center and private cloud into vCloud Air and use a VPN connection to enable communication between the corporate network and the data center. In this deployment, the VM-Series firewall uses IPSec to encrypt traffic and secure users accessing the cloud.
    • Secure traffic between application subnets in the vDC: To improve security, segment your network and isolate traffic by creating application tiers, and then deploy the VM-Series firewall to protect against lateral threats between subnets and application tiers.
The following illustration combines all three deployment scenarios and includes Panorama. Panorama streamlines policy updates, centralizes policy management, and provides centralized logging and reporting.

Deploy the VM-Series Firewall on vCloud Air

Use the instructions in this section to deploy your VM-Series firewall in an on-demand or dedicated vDC on vCloud Air. This procedure assumes that you have set up your vDC, including the gateways required to allow traffic in and out of the vDC, and the networks required for routing management traffic and data traffic through the vDC.

Deploy the VM-Series Firewall on vCloud Air

Step 1   Obtain the VM-Series OVA image from the Palo Alto Networks Customer Support website; the vCloud Air Marketplace does not host the software image currently.
         1. Go to: www.paloaltonetworks.com/support/tabs/overview.html.
         2. Filter by PAN-OS for VM-Series Base Images and download the OVA image. For example, PA-VM-ESX-8.0.0.ova.

Step 2   Extract the Open Virtualization Format (OVF) file from the OVA image and import the OVF file into your vCloud Air catalog.
         When extracting files from the OVA image, make sure to place all the files (.mf, .ovf, and .vmdk) within the same directory.
         For instructions to extract the OVF file from the OVA image, refer to the VMware documentation: http://www.vmware.com/go/ovf_guide#sthash.WUp55ZyE.dpuf
         When you import the OVF file, the software image for the VM-Series firewall is listed in My Organization's Catalogs.

Step 3   Choose your workflow.
         A vApp is a collection of templates for preconfigured virtual appliances that contain virtual machines, and operating system images.
         • If you want to create a new vDC and a new vApp that includes the VM-Series firewall, go to Step 4.
         • If you have already deployed a vDC and have a vApp and now want to add the VM-Series firewall to the vApp to secure traffic, go to Step 5.

Step 4   Create a vDC and a vApp that includes the VM-Series firewall.
         1. Log in to vCloud Air.
         2. Select VPC On Demand and select the location in which you want to deploy the VM-Series firewall.
         3. Select Virtual Data Centers and click + to add a new Virtual Data Center.
         4. Select the vDC, right-click and select Manage Catalogs in vCloud Director. You will be redirected to the vCloud Director web interface.
         5. Create a new vApp that contains one or more virtual machines including the VM-Series firewall:
            a. Select My Cloud > vApps, and click Build New vApp.
            b. Select Name and Location, and the Virtual Datacenter in which this vApp will run. By default, Leases for runtime and storage never expire and the vApp is not automatically stopped.
            c. Add Virtual Machines. To add the VM-Series firewall image from the Look in: drop-down, select My Organization's Catalog, select the image and click Add. Click Next.
            d. Configure Resources to specify the Storage Policies for the virtual machines when deployed. The VM-Series firewall uses the Standard option.
            e. Configure the Virtual Machines. Name each virtual machine and select the network to which you want it to connect. You must connect NIC 0 (for management access) to the default routed network; NIC 1 is used for data traffic. You can add additional NICs later.
            f. Verify the settings and click Finish.
            g. Continue to Step 6.

Step 5   Add the VM-Series Firewall into a vApp.
         1. Log in to vCloud Air.
         2. Select your existing Virtual Data Center from the left pane, right-click and select Manage Catalogs in vCloud Director. You will be redirected to the vCloud Director web interface.
         3. Select My Cloud > vApps and click the Name of the vApp in which to include the VM-Series firewall.
         4. Open the vApp (double-click on the name), select Virtual Machines and click to add a virtual machine.
            a. In the Look in: drop-down, choose My Organization's Catalog, select the VM-Series firewall image and click Add. Click Next.
            b. Click Next to skip Configure Resources. The VM-Series firewall uses the Standard option and you do not need to modify the Storage Policy.
            c. Enter a Name for the firewall and, for management access (NIC 0), select the default routed network and the IP Mode, Static or DHCP. You can configure NIC 1 and add additional NICs in Step 6. Click Next.
            d. Verify how this vApp connects to the vDC: Gateway Address and Network Mask for the virtual machines in this vApp.
            e. Verify that you have added the VM-Series firewall and click Finish.
            f. Continue to Step 6.

Step 6   Connect the data interface(s) of the VM-Series firewall to an isolated or a routed network, as required for your deployment.
         1. In vCloud Director, select My Cloud > vApps and select the vApp you just created or edited.
         2. Select Virtual Machines and select the VM-Series firewall. Then, right-click and select Properties.
         3. Select Hardware, scroll to the NICs section and select NIC 1.
         4. Attach the dataplane network interface to a vApp network or an organizational VDC network based on your connectivity needs for data traffic to the VM-Series firewall. To create a new network:
            a. In the Network drop-down, click Add Network.
            b. Select the Network Type and give it a name and click OK.
            c. Verify that the new network is attached to the interface.
         5. To add additional NICs to the firewall, click Add and repeat step 4 above. You can attach a maximum of seven dataplane interfaces to the VM-Series firewall.
         6. Verify that the management interface of the VM-Series firewall is attached to the default routed subnet on the vDC and at least one dataplane interface is connected to a routed or isolated network.
            a. Select My Cloud > vApps and double-click the Name of the vApp you just edited.
            b. Verify network connectivity in the vApp Diagram.

Step 7   (Optional) Edit the hardware resources allocated for the VM-Series firewall. Required only if you need to allot additional CPU, memory, or hard disk to the firewall.
         1. Select My Cloud > vApps and double-click the Name of the vApp you just deployed.
         2. Select Virtual Machine and click on the Name of the VM-Series firewall to access the Virtual Machine Properties.
         3. Add additional Hardware resources for the VM-Series firewall:
            • See VM-Series System Requirements for the minimum vCPU, memory, and disk requirements for your VM-Series model.
            • NICs: One management and up to seven dataplane interfaces.

Step 8   Power on the VM-Series firewall.

Step 9   Configure an IP address for the VM-Series firewall management interface.
         Perform Initial Configuration on the VM-Series on ESXi.
         The VM-Series firewall on vCloud Air supports VMware Tools, and you can Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air to view the management IP address of the VM-Series firewall.

Step 10  Define NAT rules on the vCloud Air Edge Gateway to enable Internet access for the VM-Series firewall.
         1. Select Virtual Data Centers > Gateways, select the gateway and double-click to add NAT Rules.
         2. Create two DNAT rules. One for allowing SSH access and one for HTTPS access to the management port's IP address on the VM-Series firewall.
         3. Create a SNAT rule for translating the internal source IP address for all traffic initiated from the management port on the VM-Series firewall to an external IP address.
         To send and receive traffic from the dataplane interfaces on the firewall, you must create additional DNAT and SNAT rules on the vCloud Air Edge Gateway.

Step 11  Log in to the web interface of the firewall.
         In this example, the URL for the web interface is https://107.189.85.254
         The NAT rule on the Edge Gateway translates the external IP address and port 107.189.85.254:443 to the private IP address and port 10.0.0.102:443.

Step 12  Add the auth code(s) to activate the licenses on the firewall.
         Activate the License.

Step 13  Configure the VM-Series firewall to use the hypervisor assigned MAC address.
         Hypervisor Assigned MAC Addresses

Step 14  Configure the dataplane interfaces as Layer 3 interfaces.
         1. Select Network > Interfaces > Ethernet.
         2. Click the link for ethernet 1/1 and configure as follows:
            • Interface Type: Layer3
            • Select the Config tab, assign the interface to the default router.
            • On the Config tab, select New Zone from the Security Zone drop-down. Define a new zone, for example untrust, and then click OK.
            • Select IPv4, assign a static IP address.
            • On Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, such as allow_ping, and select Ping from the Permitted Services list, then click OK.
            • To save the interface configuration, click OK.
         3. Repeat the process for each additional interface.
         4. Click Commit to save the changes.
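The Edge Gateway rules from Steps 10 and 11 decide exactly which management services are reachable from the Internet, so it is worth checking their effect before committing them. The following Python is an added example, not vCloud Air's API or rule syntax: a plain model of the three rules that can be evaluated offline. The external address 107.189.85.254 and management address 10.0.0.102 are the guide's example values; port 22 for SSH and the dataplane address 10.0.1.5 used in the checks are assumptions.

```python
"""Model the Edge Gateway NAT rules from Steps 10 and 11 and check what they expose.

Added example, not vCloud Air's own API or rule syntax. The external and
management addresses come from the guide's example; the SSH port (22) and the
dataplane address used in the checks are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EXTERNAL_IP = "107.189.85.254"  # Edge Gateway external address (from the guide)
MGMT_IP = "10.0.0.102"          # VM-Series management interface (from the guide)


@dataclass(frozen=True)
class DnatRule:
    original_ip: str        # external address the Internet connects to
    original_port: int
    translated_ip: str      # internal address the flow is delivered to
    translated_port: int


@dataclass(frozen=True)
class SnatRule:
    original_source: str    # internal address or network allowed out
    translated_ip: str      # external address it is presented as


# Step 10: two DNAT rules (SSH and HTTPS to the management address) ...
DNAT_RULES: List[DnatRule] = [
    DnatRule(EXTERNAL_IP, 22, MGMT_IP, 22),
    DnatRule(EXTERNAL_IP, 443, MGMT_IP, 443),
]
# ... and one SNAT rule covering traffic initiated from the management port only.
SNAT_RULES: List[SnatRule] = [SnatRule(MGMT_IP, EXTERNAL_IP)]


def inbound(dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Internal (ip, port) an inbound flow is delivered to, or None when no DNAT rule matches."""
    for rule in DNAT_RULES:
        if rule.original_ip == dst_ip and rule.original_port == dst_port:
            return rule.translated_ip, rule.translated_port
    return None


def outbound(src_ip: str) -> Optional[str]:
    """External source address an outbound flow leaves with, or None when no SNAT rule matches."""
    for rule in SNAT_RULES:
        if ip_address(src_ip) in ip_network(rule.original_source, strict=False):
            return rule.translated_ip
    return None


def exposed_services() -> List[Tuple[int, str, int]]:
    """(external port, internal ip, internal port) for everything the gateway forwards in."""
    return sorted((r.original_port, r.translated_ip, r.translated_port) for r in DNAT_RULES)


if __name__ == "__main__":
    print("exposed:", exposed_services())
    print("443 ->", inbound(EXTERNAL_IP, 443), " 80 ->", inbound(EXTERNAL_IP, 80))
    print("mgmt out as", outbound(MGMT_IP), " dataplane out as", outbound("10.0.1.5"))
```

The two results worth noting are that any port other than 22 and 443 on the external address is dropped rather than forwarded, and that a flow from a dataplane address (10.0.1.5 here) has no SNAT match at all, which is the reason the guide says additional DNAT and SNAT rules are needed for dataplane traffic.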

Set Up a VM-Series Firewall on the Citrix SDX Server

To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM-Series firewall on the Citrix SDX server. Deploying the VM-Series firewall in conjunction with the NetScaler VPX secures application delivery along with network security, availability, performance, and visibility.
    About the VM-Series Firewall on the SDX Server
    System Requirements and Limitations
    Supported Deployments: VM-Series Firewall on Citrix SDX
    Install the VM-Series Firewall on the SDX Server
    Secure North-South Traffic with the VM-Series Firewall
    Secure East-West Traffic with the VM-Series Firewall

About the VM-Series Firewall on the SDX Server

One or more instances of the VM-Series firewall can be deployed to secure east-west and/or north-south traffic on the network; virtual wire interfaces, Layer 2 interfaces, and Layer 3 interfaces are supported. To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.
Once deployed, the VM-Series firewall works harmoniously with the NetScaler VPX (if needed), which is a virtual NetScaler appliance deployed on the SDX server. The NetScaler VPX provides load balancing and traffic management functionality and is typically deployed in front of a server farm to facilitate efficient access to the servers. For a complete overview of NetScaler feature/functionality, refer to http://www.citrix.com/netscaler. When the VM-Series is paired to work with the NetScaler VPX, the complementary capabilities enhance your traffic management, load balancing, and application/network security needs.
This document assumes that you are familiar with the networking and configuration on the NetScaler VPX. In order to provide context for the terms used in this section, here is a brief refresher on the NetScaler-owned IP addresses that are referred to in this document:
    • NetScaler IP address (NSIP): The NSIP is the IP address for management and general system access to the NetScaler itself, and for HA communication.
    • Mapped IP address (MIP): A MIP is used for server-side connections. It is not the IP address of the NetScaler. In most cases, when the NetScaler receives a packet, it replaces the source IP address with a MIP before sending the packet to the server. With the servers abstracted from the clients, the NetScaler manages connections more efficiently.
    • Virtual server IP address (VIP): A VIP is the IP address associated with a vserver. It is the public IP address to which clients connect. A NetScaler managing a wide range of traffic may have many VIPs configured.
    • Subnet IP address (SNIP): When the NetScaler is attached to multiple subnets, SNIPs can be configured for use as MIPs providing access to those subnets. SNIPs may be bound to specific VLANs and interfaces.
For examples on deploying the VM-Series firewall and the NetScaler VPX together, see Supported Deployments: VM-Series Firewall on Citrix SDX.

System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall on the Citrix SDX server.
    Requirements
    Limitations

Requirements

You can deploy multiple instances of the VM-Series firewall on the Citrix SDX server. Because each instance of the firewall requires a minimum resource allocation (number of CPUs, memory and disk space) on the SDX server, make sure to conform to the specifications below to ensure optimal performance.

Requirement                 Details

SDX platforms               11500, 11515, 11520, 11530, 11540, 11542
                            13500, 14500, 16500, 18500, 20500
                            22040, 22060, 22080, 22100, 22120
                            24100, 24150
                            17550, 19550, 20550, 21550

SDX version                 10.1+
                            10.1 is not supported; a software version higher than 10.1 is required.

Citrix XenServer version    6.0.2 or later

Minimum System Resources    The host CPU must be an x86-based Intel or AMD CPU with virtualization extension.
                            Two network interfaces: one dedicated for management traffic and one for data traffic. For management traffic, you can use the 0/x interfaces on the management plane or the 10/x interfaces on the data plane. Assign additional network interfaces for data traffic, as required for your network topology.
                            See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.

    Plan and allocate the total number of data interfaces that you might require on the VM-Series firewall. This task is essential during initial deployment, because adding or removing interfaces to the VM-Series firewall after initial deployment will cause the data interfaces (Eth1/1 and Eth1/2) on the VM-Series firewall to remap to the adapters on the SDX server. Each data interface sequentially maps to the adapter with the lowest numerical value, and this remapping can cause a configuration mismatch on the firewall.

Limitations

The VM-Series firewall deployed on the Citrix SDX server has the following limitations:
    • Up to 24 total ports can be configured. One port will be used for management traffic and up to 23 can be used for data traffic.

    • Link aggregation is not supported.
For the supported deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.
To deploy the firewall, see Install the VM-Series Firewall on the SDX Server.

Supported Deployments: VM-Series Firewall on Citrix SDX

In the following scenarios, the VM-Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX.
    Scenario 1: Secure North-South Traffic
    Scenario 2: Secure East-West Traffic (VM-Series Firewall on Citrix SDX)

Scenario 1: Secure North-South Traffic

To secure north-south traffic using a VM-Series firewall on an SDX server, you have the following options:
    VM-Series Firewall Between the NetScaler VPX and the Servers
    VM-Series Firewall Before the NetScaler VPX

VM-Series Firewall Between the NetScaler VPX and the Servers

The perimeter firewall gates all traffic into the network. All traffic permitted into the network flows through the NetScaler VPX and then through the VM-Series firewall before the request is forwarded to the servers.

In this scenario, the VM-Series firewall secures north-south traffic and can be deployed using virtual wire, L2, or L3 interfaces.
    VM-Series Firewall with L3 Interfaces
    VM-Series Firewall with L2 or Virtual Wire Interfaces

VM-Series Firewall with L3 Interfaces

Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed.
Using an L3 interface allows you to make minimal changes to the SDX server/network configuration because the SNIP to reach the servers is removed from the NetScaler VPX and is configured on the VM-Series firewall. With this approach, only one data interface is used on the VM-Series firewall, hence only one zone can be defined. As a result, when defining the policy rules you must specify the source and destination IP address/subnets across which to enforce security rules. For details, see Deploy the VM-Series Firewall Using L3 Interfaces.

Topology After Adding the VM-Series Firewall with L3 Interfaces

In this example, the public IP address that the clients connect to (VIP on the NetScaler VPX) is 192.168.1.10. For providing access to the servers on subnet 192.168.2.x, the configuration on the VPX references the subnets (SNIP) 192.168.1.1 and 192.168.2.1. Based on your network configuration and default routes, the routing on servers might need to be changed.
When you set up the VM-Series firewall, you must add a data interface (for example eth1/1), and assign two IP addresses to the interface. One IP address must be on the same subnet as the VIP and the other must be on the same subnet as the servers. In this example, the IP addresses assigned to the data interface are 192.168.1.2 and 192.168.2.1. Because only one data interface is used on the VM-Series firewall, all traffic belongs to a single zone, and all intrazone traffic is implicitly allowed in policy. Therefore, when defining the policy rules you must specify the source and destination IP address/subnets across which to enforce security rules.
Even after you add the VM-Series firewall on the SDX server, the IP address that the clients continue to connect to is the VIP of the NetScaler VPX (192.168.1.10). However, to route all traffic through the firewall, on the NetScaler VPX you must define a route to the subnet 192.168.2.x. In this example, to access the servers this route must reference the IP address 192.168.1.2 assigned to the data interface on the VM-Series firewall. Now all traffic destined for the servers is routed from the NetScaler VPX to the firewall and then on to the servers. The return traffic uses the interface 192.168.2.1 on the VM-Series and uses the SNIP 192.168.1.1 as its next hop.

    For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, then the VM-Series firewall requires a default route that points to the SNIP 192.168.1.1, in this example. If a default NAT (mapped/SNIP) IP address is used, then you do not need to define a default route on the VM-Series firewall.
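The note above only makes sense once you trace where a server's reply is addressed in each mode. The following Python is an added example, not a PAN-OS or NetScaler feature: a longest-prefix-match lookup over the route tables this topology implies (VIP 192.168.1.10, SNIP 192.168.1.1, firewall data interface 192.168.1.2 and 192.168.2.1, servers on 192.168.2.x). The client address 203.0.113.7 and the interface names are constructed.

```python
"""Route lookup for the L3 topology above: why USIP needs a default route on the firewall.

Added example, not a PAN-OS or NetScaler feature. Addresses follow the guide's
example; the client address 203.0.113.7 and the interface names are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[str]   # None for a directly connected subnet
    interface: str


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst, or None if unroutable."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def firewall_table(default_via_snip: bool) -> List[Route]:
    """VM-Series routes: both subnets are connected on the single data interface."""
    table = [
        Route(ip_network("192.168.1.0/24"), None, "ethernet1/1"),
        Route(ip_network("192.168.2.0/24"), None, "ethernet1/1"),
    ]
    if default_via_snip:  # the static route toward the SNIP from the L3 procedure
        table.append(Route(ip_network("0.0.0.0/0"), "192.168.1.1", "ethernet1/1"))
    return table


# NetScaler VPX: the route to the server subnet must point at the firewall's 192.168.1.2.
VPX_TABLE: List[Route] = [
    Route(ip_network("192.168.1.0/24"), None, "vlan1"),
    Route(ip_network("192.168.2.0/24"), "192.168.1.2", "vlan1"),
]


def server_reply_next_hop(usip: bool, default_via_snip: bool,
                          client: str = "203.0.113.7") -> Optional[str]:
    """Where the firewall sends a server's reply: 'connected', a next-hop IP, or None (dropped).

    With USIP the server saw the real client address, so the reply is addressed to the
    client and leaves the two connected subnets. Without USIP the VPX substituted its
    SNIP/MIP as the source, so the reply goes to 192.168.1.1 on a connected subnet.
    """
    dst = client if usip else "192.168.1.1"
    route = lookup(firewall_table(default_via_snip), dst)
    if route is None:
        return None
    return route.next_hop or "connected"


if __name__ == "__main__":
    print("VPX -> server 192.168.2.50 via", lookup(VPX_TABLE, "192.168.2.50").next_hop)
    for usip, default in ((False, False), (True, False), (True, True)):
        print(f"usip={usip} default_route={default}:", server_reply_next_hop(usip, default))
```

With USIP off the reply is always routable because its destination is the SNIP on a connected subnet; with USIP on, the reply to the real client is dropped unless the default route toward 192.168.1.1 exists, which is exactly the condition the note states.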

For instructions, see Deploy the VM-Series Firewall Using L3 Interfaces.

VM-Series Firewall with L2 or Virtual Wire Interfaces

Deploying the VM-Series firewall using L2 interfaces or virtual wire interfaces requires reconfiguration on the NetScaler VPX to remove direct connection to the servers. The VM-Series firewall can then be cabled and configured to transparently intercept and enforce policy on traffic destined to the servers. In this approach two data interfaces are created on the firewall and each belongs to a distinct zone. The security policy is defined to allow traffic between the source and destination zones. For details, see Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces.

Topology After Adding the VM-Series Firewall with L2 or Virtual Wire Interfaces

VM-Series Firewall Before the NetScaler VPX

In this scenario, the perimeter firewall is replaced with the VM-Series firewall that can be deployed using L3, L2, or virtual wire interfaces. All traffic on your network is secured by the VM-Series firewall before the request reaches the NetScaler VPX and is forwarded to the servers. For details, see Deploy the VM-Series Firewall Before the NetScaler VPX.

Scenario 2: Secure East-West Traffic (VM-Series Firewall on Citrix SDX)

The VM-Series firewall is deployed along with two NetScaler VPX systems that service different server segments on your network or operate as termination points for SSL tunnels. In this scenario, the perimeter firewall secures incoming traffic. Then, the traffic destined to the DMZ servers flows to a NetScaler VPX that load balances the request. To add an extra layer of security to the internal network, all east-west traffic between the DMZ and the corporate network is routed through the VM-Series firewall. The firewall can enforce network security and validate access for that traffic. For details, see Secure East-West Traffic with the VM-Series Firewall.

Install the VM-Series Firewall on the SDX Server

A support account and a valid VM-Series license are required to obtain the .xva base image file that is required to install the VM-Series firewall on the SDX server. If you have not already registered the capacity auth code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After registration is completed, continue to the following tasks:
    Upload the Image to the SDX Server
    Provision the VM-Series Firewall on the SDX Server

Upload the Image to the SDX Server

To provision the VM-Series firewall, you need to obtain the .xva image file and upload it to the SDX server.

Upload the XVA Image to the SDX Server

Step 1   Download and extract the base image zip file to a local computer.
         1. Go to https://support.paloaltonetworks.com/ and download the VM-Series Citrix SDX Base Image zip file.
         2. Unzip the base image zip file, and extract the .xva file. This .xva file is required for installing the VM-Series firewall.

Step 2   Upload the image from the local computer onto the Citrix SDX server.
         1. Launch the web browser and log in to the SDX server.
         2. Select Configuration > Palo Alto VM-Series > Software Images.
         3. In the Action drop-down, select Upload... and Browse to the location of the saved .xva image file.
         4. Select the image and click Open.
         5. Upload the image to the SDX server.

Provision the VM-Series Firewall on the SDX Server

Provision the VM-Series Firewall on the SDX Server

Step 1   Access the SDX server.
         Launch the web browser and connect to the SDX server.

Step 2   Create the VM-Series firewall.
         1. Select Configuration > Palo Alto VM-Series > Instances.
         2. Click Add.
         3. Enter a name for the VM-Series firewall.
         4. Select the .xva image that you uploaded earlier. This image is required to provision the firewall.
         5. Allocate the memory, additional disk space, and the virtual CPUs for the VM-Series firewall. To verify resource allocation recommendations, see Requirements.
         6. Select the network interfaces:
            • Use the management interfaces 0/1 or 0/2 and assign an IP address, netmask, and gateway IP address.
              If needed, you can use a data interface on the SDX server for managing the firewall.
            • Select the data interfaces that will be used for handling traffic to and from the firewall.
              If you plan to deploy the interfaces as Layer 2 or virtual wire interfaces, select the Allow L2 Mode option so that the firewall can receive and forward packets for MAC addresses other than its own MAC address.
         7. Review the summary and click Finish to begin the installation process. It takes 5 to 8 minutes to provision the firewall. When completed, use the management IP address to launch the web interface of the firewall.

         Allocate the total number of data interfaces that you might require on the VM-Series firewall during initial deployment. Adding or removing interfaces to the VM-Series firewall after initial deployment will cause the data interfaces (Eth1/1 and Eth1/2) on the VM-Series firewall to remap to the adapters on the SDX server. Each data interface sequentially maps to the adapter with the lowest numerical value, and can therefore cause a configuration mismatch on the firewall.

Continue with Activate the License.

Secure North-South Traffic with the VM-Series Firewall

This section includes information on deploying the NetScaler VPX and the VM-Series firewall on the Citrix SDX server:
    Deploy the VM-Series Firewall Using L3 Interfaces
    Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
    Deploy the VM-Series Firewall Before the NetScaler VPX (Using Virtual Wire Interfaces)

Deploy the VM-Series Firewall Using L3 Interfaces

To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall as an L3 deployment; the VM-Series firewall is placed to secure traffic between the NetScaler VPX and the servers on your network.

Topology Before Adding the VM-Series Firewall

Topology After Adding the VM-Series Firewall

The following table includes the tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions refer to the PAN-OS Documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.

Set up the VM-Series Firewall to Process North-South Traffic Using L3 Interfaces

Step 1   Install the VM-Series Firewall on the SDX Server.
         When provisioning the VM-Series firewall on the SDX server, you must ensure that you select the data interface accurately so that the firewall can access the server(s).

Step 2   Configure the data interface on the firewall.
         1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog and Add the interface to the virtual router.
         2. (Required only if the USIP option is enabled on the NetScaler VPX) On the Static Routes tab on the virtual router, select the interface and add the NetScaler SNIP (192.168.1.1 in this example) as the Next Hop. The static route defined here will be used to route traffic from the firewall to the NetScaler VPX.
         3. Select Network > Interfaces > Ethernet and then select the interface you want to configure.
         4. Select the Interface Type. Although your choice here depends on your network topology, this example uses Layer3.
         5. On the Config tab, in the Virtual Router drop-down, select default.
         6. Select New Zone from the Security Zone drop-down. In the Zone dialog, define a Name for the new zone, for example default, and then click OK.
         7. Select the IPv4 or IPv6 tab, click Add in the IP section, and enter two IP addresses and network masks for the interface, one for each subnet that is being serviced. For example, 192.168.1.2 and 192.168.2.1.
         8. (Optional) To enable you to ping or SSH into the interface, select Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, select Ping and SSH and then click OK.
         9. To save the interface configuration, click OK.
         10. Click Commit to save your changes to the firewall.

Step 3: Create a basic policy to allow traffic between the NetScaler VPX and the web servers.
  In this example, because we have set up only one data interface, we specify the source and destination IP address to allow traffic between the NetScaler VPX and the servers.
  1. Select Policies > Security, and click Add.
  2. Give the rule a descriptive name in the General tab.
  3. In the Source tab, select Add in the Source Address section and select the New Address link.
  4. Create a new address object that specifies the SNIP on the NetScaler VPX. In this example, this IP address is the source for all requests to the servers.
  5. In the Destination tab, select Add in the Destination Address section and select the New Address link.
  6. Create a new address object that specifies the subnet of the web servers. In this example, this subnet hosts all the web servers that service the requests.
  7. In the Application tab, select web-browsing.
  8. In the Actions tab, complete these tasks:
     a. Set the Action Setting to Allow.
     b. Attach the default profiles for antivirus, anti-spyware, and vulnerability protection, under Profile Setting.
  9. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.
  10. Create another rule to deny all other traffic from any source and any destination IP address on the network. Because all intrazone traffic is allowed by default, in order to deny traffic other than web-browsing, you must create a deny rule that explicitly blocks all other traffic.

Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.


Deploy the VM-Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces

To secure north-south traffic, this scenario shows you how to deploy the VM-Series firewall in an L2 or a virtual wire deployment. The VM-Series firewall secures traffic destined to the servers. The request arrives at the VIP address of the NetScaler VPX and is processed by the VM-Series firewall before it reaches the servers. On the return path, the traffic is directed to the SNIP on the NetScaler VPX and is processed by the VM-Series firewall before it is sent back to the client.
For the topology before adding the VM-Series firewall, see Topology Before Adding the VM-Series Firewall.

Topology After Adding the VM-Series Firewall

The following table includes the basic configuration tasks you must perform to deploy the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.

Set up the VM-Series Firewall to Process North-South Traffic Using L2 or Virtual Wire Interfaces

Step 1: Install the VM-Series Firewall on the SDX Server.
  On the SDX server, make sure to enable Allow L2 Mode on each data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.

Step 2: Recable the server-side interface assigned to the NetScaler VPX.
  Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
  If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will now only require one port for handling client-side traffic.
  Therefore, before you configure the data interfaces on the VM-Series, you must remove the cable from the interface that connects the VPX to the server farm and attach it to the firewall so that all traffic to the server farm is processed by the firewall.


Step 3: Configure the data interfaces.
  This example shows the configuration for virtual wire interfaces.
  1. Launch the web interface of the firewall.
  2. Select Network > Interfaces > Ethernet.
  3. Click the link for an interface (for example ethernet1/1) and select the Interface Type as Layer2 or Virtual Wire.
     Virtual Wire Configuration
     Each virtual wire interface (ethernet1/1 and ethernet1/2) must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
     a. In the Virtual wire drop-down, click New Virtual Wire, define a Name and assign the two data interfaces (ethernet1/1 and ethernet1/2) to it, and then click OK. When configuring ethernet1/2, select this virtual wire.
     b. Select New Zone from the Security Zone drop-down, define a Name for the new zone, for example client, and then click OK.
     Layer 2 Configuration
     For each Layer 2 interface, you require a security zone. Select the Config tab and complete the following tasks:
     a. Select New Zone from the Security Zone drop-down, define a Name for the new zone, for example client, and then click OK.
  4. Repeat steps 2 and 3 above for the other interface.
  5. Click Commit to save changes to the firewall.

Step 4: Create a basic policy rule to allow traffic through the firewall.
  This example shows how to enable traffic between the NetScaler VPX and the web servers.
  1. Select Policies > Security, and click Add.
  2. Give the rule a descriptive name in the General tab.
  3. In the Source tab, set the Source Zone to the client-side zone you defined. In this example, select client.
  4. In the Destination tab, set the Destination Zone to the server-side zone you defined. In this example, select server.
  5. In the Application tab, click Add to select the applications to which you want to allow access.
  6. In the Actions tab, complete these tasks:
     a. Set the Action Setting to Allow.
     b. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under Profile Setting.
  7. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.

Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.


Deploy the VM-Series Firewall Before the NetScaler VPX

The following example shows how to deploy the VM-Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM-Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM-Series firewall using L2 or L3 interfaces, based on your specific needs.

Topology Before Adding the VM-Series Firewall

Topology After Adding the VM-Series Firewall

The following table includes the basic configuration tasks you must perform on the VM-Series firewall. For firewall configuration instructions, refer to the PAN-OS documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.


Set up the VM-Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces

Step 1: Install the VM-Series Firewall on the SDX Server.
  On the SDX server, make sure to enable Allow L2 Mode on the data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.

Step 2: Recable the client-side interface assigned to the NetScaler VPX.
  Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.
  If you have already deployed a NetScaler VPX and are now adding the VM-Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM-Series firewall, the NetScaler VPX will now only require one port that connects it to the server farm.
  Therefore, before you configure the data interfaces on the VM-Series, you must remove the cable from the interface that connects the VPX to the client-side traffic and attach it to the firewall so that all incoming traffic is processed by the firewall.

Step 3: Configure the data interfaces.
  1. Launch the web interface of the firewall.
  2. Select Network > Interfaces > Ethernet.
  3. Click the link for an interface, for example ethernet1/1, and select the Interface Type as Virtual Wire.
  4. Click the link for the other interface and select the Interface Type as Virtual Wire.
  5. Each virtual wire interface must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
     In the Virtual wire drop-down, click New Virtual Wire, define a Name and assign the two data interfaces (ethernet1/1 and ethernet1/2) to it, and then click OK. When configuring ethernet1/2, select this virtual wire.
     Select New Zone from the Security Zone drop-down, define a Name for the new zone, for example client, and then click OK.
  6. Repeat step 5 for the other interface.
  7. Click Commit to save changes to the firewall.

Step 4: Create a basic policy rule to allow traffic through the firewall.
  This example shows how to enable traffic between the NetScaler VPX and the web servers.
  1. Select Policies > Security, and click Add.
  2. Give the rule a descriptive name in the General tab.
  3. In the Source tab, set the Source Zone to the client-side zone you defined. In this example, select client.
  4. In the Destination tab, set the Destination Zone to the server-side zone you defined. In this example, select server.
  5. In the Application tab, click Add to select the applications to which you want to allow access.
  6. In the Actions tab, complete these tasks:
     a. Set the Action Setting to Allow.
     b. Attach the default profiles for antivirus, anti-spyware, vulnerability protection and URL filtering, under Profile Setting.
  7. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule will be logged.


Go back to Secure North-South Traffic with the VM-Series Firewall, or see Secure East-West Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.


Secure East-West Traffic with the VM-Series Firewall

The following example shows you how to deploy your VM-Series firewall to secure the application or database servers on your network. This scenario is relevant to you if you have two NetScaler VPX instances, where one instance authenticates users and terminates SSL connections and then load balances requests to the DMZ servers, and the other VPX instance load balances connections to the corporate servers that host the application and database servers on your network.

Topology Before Adding the VM-Series Firewall

The communication between the servers in the DMZ and the servers in the corporate data center is processed by both instances of the NetScaler VPX. For content that resides in the corporate data center, a new request is handed off to the other instance of the NetScaler VPX, which forwards the request to the appropriate server.
When the VM-Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
All incoming requests are authenticated and the SSL connection is terminated on the first instance of the NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the server to fetch the requested content. Note that the north-south traffic destined to the corporate data center or to the servers in the DMZ is handled by the edge firewall and not by the VM-Series firewall.
For example, when a user (source IP 1.1.1.1) requests content from a server on the DMZ, the destination IP is 20.5.5.1 (VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address, based on the protocol, with the internal server IP address, say 192.168.10.10. The return traffic from the server is sent back to the NetScaler VPX at 20.5.5.1 and sent to the user with IP address 1.1.1.1.
All requests between the DMZ servers and the corporate data center are processed by the VM-Series firewall. For content that resides in the corporate data center, the request is transparently processed (if deployed using L2 or virtual wire interfaces) or routed (using Layer 3 interfaces) by the VM-Series firewall.


It is then handed off to the second instance of the NetScaler VPX. This instance of the NetScaler VPX load balances the request across the servers in the corporate data center and services the request. The return traffic uses the same path as the incoming request.
For example, when a server on the DMZ (say 192.168.10.10) needs content from a server in the corporate data center (say 172.16.10.20), the destination IP address is 172.168.10.3 (the VIP on the second NetScaler). The request is sent to the VM-Series firewall at 192.168.10.2, where the firewall performs a policy lookup and routes the request to 172.168.10.3. The second NetScaler VPX replaces the destination IP address, based on protocol, with the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3, and the source IP address for the request is set as 172.168.10.3 and is routed to the VM-Series firewall at 172.168.10.2. On the VM-Series firewall, a policy lookup is again performed and the traffic is routed to the server in the DMZ (192.168.10.10).

In order to filter and report on user activity on your network, because all requests are initiated from the NetScaler VPX, you must enable HTTP Header insertion or the TCP Option for IP Insertion on the first instance of the NetScaler VPX.

Set up the VM-Series Firewall to Secure East-West Traffic

Step 1: Install the VM-Series Firewall on the SDX Server.
  If you plan to deploy the VM-Series firewall using virtual wire or L2 interfaces, make sure to enable L2 Mode on each data interface on the SDX server.

Step 2: Recable the interfaces assigned to the NetScaler VPX.
  Because the NetScaler VPX will reboot when recabled, evaluate whether you would like to perform this task during a maintenance window.

Step 3: Configure the data interfaces.
  Select Network > Interfaces and assign the interfaces as type Layer 3 (see Step 2), Layer 2 (see Step 3), or virtual wire (see Step 3).

Step 4: Create a security policy to allow application traffic between the DMZ and the corporate data center.
  Note that the implicit deny rule will deny all interzone traffic except what is explicitly allowed by security policy.
  Zone: DMZ to Corporate
  1. Click Add in the Policies > Security section.
  2. Give the rule a descriptive name in the General tab.
  3. In the Source tab, set the Source Zone to DMZ and the Source Address to 192.168.10.0/24.
  4. In the Destination tab, set the Destination Zone to Corporate and the Destination Address to 172.168.10.0/24.
  5. In the Application tab, select the applications that you want to allow. For example, Oracle.
  6. Set the Service to application-default.
  7. In the Actions tab, set the Action Setting to Allow.
  8. Leave all the other options at the default values.
  9. Click Commit to save your changes.
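The two policy steps in this chapter rely on opposite default behaviours: in the L3 north-south setup (Step 3 of that procedure) both the SNIP and the web servers sit in one zone, so anything not covered by the web-browsing rule is allowed by the intrazone default and an explicit deny rule is required; in the east-west setup above the DMZ and Corporate zones differ, so anything not covered by the Oracle rule is dropped by the interzone default. The following Python is an added example, not code from this guide or from Palo Alto Networks. It is a simplified first-match model of a security rulebase, uses the guide's addresses (192.68.1.1 as the SNIP, 192.168.10.0/24 and 172.168.10.0/24 for the east-west rule), and assumes a constructed web-server subnet 192.168.2.0/24 and the application names web-browsing, ssh, oracle and ms-ds-smb for the test flows.

```python
"""First-match evaluation of a simplified PAN-OS-style security rulebase.

Added example; it is not code from this guide or from Palo Alto Networks. It
models only what the two policy steps rely on: rules are evaluated top to
bottom, and a flow that matches no explicit rule falls through to the
predefined defaults, which allow traffic that stays inside one zone
(intrazone-default) and deny traffic that crosses zones (interzone-default).
Zones, addresses and flows are constructed from the guide's examples; the
web-server subnet 192.168.2.0/24 and the application names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    from_zone: str = ANY
    to_zone: str = ANY
    source: List[str] = field(default_factory=lambda: [ANY])       # IPs or CIDRs
    destination: List[str] = field(default_factory=lambda: [ANY])
    application: List[str] = field(default_factory=lambda: [ANY])


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str


def _addr_match(members: List[str], ip: str) -> bool:
    if ANY in members:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(m, strict=False) for m in members)


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.from_zone in (ANY, flow.src_zone)
            and rule.to_zone in (ANY, flow.dst_zone)
            and _addr_match(rule.source, flow.src_ip)
            and _addr_match(rule.destination, flow.dst_ip)
            and (ANY in rule.application or flow.app in rule.application))


def evaluate(rulebase: List[Rule], flow: Flow) -> str:
    """Return '<action> by <rule>' for the first rule that matches the flow,
    or the verdict of the predefined default rule when none does."""
    for rule in rulebase:
        if _matches(rule, flow):
            return f"{rule.action} by {rule.name}"
    if flow.src_zone == flow.dst_zone:
        return "allow by intrazone-default"
    return "deny by interzone-default"


# North-south L3 example: one data interface, so one zone ("default") on both
# sides. 192.68.1.1 is the SNIP used in the guide; the web subnet is assumed.
SNIP = "192.68.1.1"
WEB_SUBNET = "192.168.2.0/24"
ALLOW_WEB = Rule("allow-vpx-to-web", "allow", source=[SNIP],
                 destination=[WEB_SUBNET], application=["web-browsing"])
DENY_REST = Rule("deny-everything-else", "deny")

# East-west example: DMZ zone to Corporate zone, Oracle only.
DMZ_TO_CORP = Rule("dmz-to-corporate-oracle", "allow", from_zone="DMZ",
                   to_zone="Corporate", source=["192.168.10.0/24"],
                   destination=["172.168.10.0/24"], application=["oracle"])


def north_south_check() -> Dict[str, str]:
    web = Flow("default", "default", SNIP, "192.168.2.10", "web-browsing")
    ssh = Flow("default", "default", SNIP, "192.168.2.10", "ssh")
    return {
        "web, no deny rule": evaluate([ALLOW_WEB], web),
        "ssh, no deny rule": evaluate([ALLOW_WEB], ssh),       # slips through
        "ssh, with deny rule": evaluate([ALLOW_WEB, DENY_REST], ssh),
    }


def east_west_check() -> Dict[str, str]:
    oracle = Flow("DMZ", "Corporate", "192.168.10.10", "172.168.10.3", "oracle")
    smb = Flow("DMZ", "Corporate", "192.168.10.10", "172.168.10.3", "ms-ds-smb")
    return {
        "oracle": evaluate([DMZ_TO_CORP], oracle),
        "smb": evaluate([DMZ_TO_CORP], smb),                   # implicit deny
    }


if __name__ == "__main__":
    for label, verdict in {**north_south_check(), **east_west_check()}.items():
        print(f"{label:22s} -> {verdict}")
```

Running the block shows the single-zone ssh flow landing on intrazone-default (allowed) until the explicit deny rule is present, while the unlisted east-west flow is dropped by interzone-default with no extra rule. The model ignores service/port matching and the security profiles attached in the Actions tab; it is only meant to make the zone-default behaviour visible.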

For securing north-south traffic, see Secure North-South Traffic with the VM-Series Firewall.
For an overview of the deployments, see Supported Deployments: VM-Series Firewall on Citrix SDX.



Set Up the VM-Series Firewall on VMware NSX

The VM-Series firewall for VMware NSX is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all data center traffic, including intra-host virtual machine communications.
The following topics provide information about the VM-Series for NSX:
VM-Series for NSX Firewall Overview
VM-Series Firewall for NSX Deployment Checklist
Install the VMware NSX Plugin
Register the VM-Series Firewall as a Service on the NSX Manager
Create Steering Rules
Deploy the VM-Series Firewall
Steer Traffic from Guests that are not Running VMware Tools
Dynamically Quarantine Infected Guests
Use Case: Shared Compute Infrastructure and Shared Security Policies
Use Case: Shared Security Policies on Dedicated Compute Infrastructure
Dynamic Address Groups Information Relay from NSX Manager to Panorama


VM-Series for NSX Firewall Overview

NSX, VMware's Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on a cluster of ESXi servers. The term SDDC is a VMware term that refers to a data center where infrastructure compute resources, network and storage are virtualized using VMware NSX.
To keep pace with the changes in the agile SDDC, the VM-Series firewall for NSX simplifies the process of deploying a Palo Alto Networks next-generation firewall and continually enforcing security and compliance for the east-west traffic in the SDDC. For details on the VM-Series for NSX, see the following topics:
What are the Components of the VM-Series for NSX Solution?
How Do the Components in the VM-Series Firewall for NSX Solution Work Together?
What are the Benefits of the NSX VM-Series firewall for NSX Solution?
What is Multi-Tenant Support on the VM-Series Firewall for NSX?

What are the Components of the VM-Series for NSX Solution?

Table: VMware Components and Table: Palo Alto Networks Components show the components of this joint Palo Alto Networks and VMware solution. The following topics describe each component in more detail:
vCenter Server
NSX Manager
Panorama
VM-Series Firewall for NSX
Ports/Protocols used for Network Communication

Table: VMware Components

vCenter Server: The vCenter server is the centralized management tool for the vSphere suite.

NSX Manager: VMware's Networking and Security platform must be installed and registered with the vCenter server. The NSX Manager is required to deploy the VM-Series firewall on the ESXi hosts within an ESXi cluster.

ESXi Server: ESXi is a hypervisor that enables compute virtualization.

Table: Palo Alto Networks Components

PAN-OS: The VM-Series base image (PA-VM-NSX-8.0.zip) is used for deploying the VM-Series firewall for NSX with PAN-OS 8.0.
The minimum system requirement for deploying the VM-Series firewall for NSX on the ESXi server depends on your VM-Series model. See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.


Panorama: Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX Manager to deploy, license, and centrally administer configuration and policies on the VM-Series firewall for NSX.
Panorama must be running the same release version or a later version than the firewalls that it will manage.
Panorama must be able to connect to the NSX Manager, the vCenter server, the VM-Series firewalls and the Palo Alto Networks update server.
The resources required by Panorama depend on the mode Panorama will run in: Legacy or Panorama (recommended). New 8.0 Panorama installations run in Panorama mode, while a Panorama upgraded to 8.0 runs in Legacy mode. For more information about the modes and the requirements associated with each mode, see Set Up the Panorama Virtual Appliance.
In Panorama Mode, set the memory, number of CPUs, and storage based on the log storage capacity of Panorama:
  2 TB storage: 8 CPUs and 16 GB memory
  4 TB storage: 8 CPUs and 32 GB memory
  6 to 8 TB storage: 12 CPUs and 32 GB memory
  10 to 16 TB storage: 12 CPUs and 64 GB memory
  18 to 24 TB storage: 16 CPUs and 64 GB memory
  System Disk Space: 81 GB
  Log Storage Capacity: 2 TB to 24 TB
In Legacy Mode, set the memory and the number of cores based on the number of firewalls that Panorama will manage:
  1 to 10 firewalls: 4 cores and 4 GB memory
  11 to 50 firewalls: 8 cores and 8 GB memory
  51 to 1,000 firewalls: 8 cores and 16 GB memory
  System Disk Space: 52 GB
  Log Storage Capacity: 11 GB (default log storage on the system disk) to 8 TB (if you add a virtual logging disk)

VM-Series Firewall for NSX: The VM-100, VM-200, VM-300, VM-500, and VM-1000-HV support NSX.

Table: Versions Supported

vCenter Server: 5.5; 6.0 (recommended)

ESXi Server: 5.5; 6.0; 6.5a (requires Panorama VMware NSX Plugin 1.0.1)

NSX Manager: 6.1; 6.2; 6.3 (requires Panorama VMware NSX Plugin 1.0.1)


vCenter Server

The vCenter server is required to manage the NSX Manager and the ESXi hosts in your data center. This joint solution requires that the ESXi hosts be organized into one or more clusters on the vCenter server and be connected to a distributed virtual switch.
For information on clusters, distributed virtual switches, DRS, and the vCenter server, refer to your VMware documentation: http://www.vmware.com/support/vcenterserver.html.

NSX Manager

NSX is VMware's network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager. The NSX firewall is a logical firewall that allows you to attach network and security services to the virtual machines, and the Service Composer allows you to group virtual machines and create policy to redirect traffic to the VM-Series firewall (called the Palo Alto Networks NGFW service on the NSX Manager).

Panorama

Panorama is used to register the VM-Series firewall for NSX as the Palo Alto Networks NGFW service on the NSX Manager. Registering the Palo Alto Networks NGFW service on the NSX Manager allows the NSX Manager to deploy the VM-Series firewall for NSX on each ESXi host in the ESXi cluster.
Panorama serves as the central point of administration for the VM-Series firewalls running on NSX. When a new VM-Series firewall is deployed in NSX, it communicates with Panorama to obtain the license and receives its configuration/policies from Panorama. All configuration elements, policies, and dynamic address groups on the VM-Series firewalls can be centrally managed on Panorama using Device Groups and Templates. The REST-based XML API integration in this solution enables Panorama to synchronize with the NSX Manager and the VM-Series firewalls to allow the use of dynamic address groups and share context between the virtualized environment and security enforcement. For more information, see Policy Enforcement using Dynamic Address Groups.

VM-Series Firewall for NSX

The VM-Series firewall for NSX is the VM-Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process of installing the VM-Series firewall directly on the ESXi hypervisor, and allows the hypervisor to forward traffic to the VM-Series firewall without using the vSwitch configuration; it therefore requires no change to the virtual network topology.
The VM-Series firewall for NSX only supports virtual wire interfaces. On this firewall, ethernet 1/1 and ethernet 1/2 are bound together through a virtual wire and use the NetX dataplane API to communicate with the hypervisor. Layer 2 or Layer 3 interfaces are neither required nor supported on the VM-Series firewall for NSX, and therefore no switching or routing actions can be performed by the firewall. For enabling traffic separation in a multi-tenancy environment, you can create additional zones that internally map to a pair of virtual wire subinterfaces on the parent virtual wire interfaces, ethernet 1/1 and ethernet 1/2.


Ports/Protocols used for Network Communication

In order to enable the network communication required to deploy the VM-Series firewall for NSX, you must allow the use of the following protocols/ports and applications.
Panorama: To obtain software updates and dynamic updates, Panorama uses SSL to access updates.paloaltonetworks.com on TCP/443; this URL leverages the CDN infrastructure. If you need a single IP address, use staticupdates.paloaltonetworks.com. The App-ID for updates is paloalto-updates.
The NSX Manager and Panorama use SSL to communicate on TCP/443.
VM-Series Firewall for NSX: If you plan to use WildFire, the VM-Series firewalls must be able to access wildfire.paloaltonetworks.com on port 443. This is an SSL connection and the App-ID is paloalto-wildfire-cloud.
The management interface on the VM-Series firewall uses SSL to communicate with Panorama over TCP/3789.
vCenter Server: The vCenter Server must be able to reach the deployment web server that is hosting the VM-Series OVA. The port is TCP/80 by default, or App-ID web-browsing.

How Do the Components in the VM-Series Firewall for NSX Solution Work Together?

To meet the security challenges in the software-defined data center, the NSX Manager, ESXi servers and Panorama work together to automate the deployment of the VM-Series firewall.


1. Register the Palo Alto Networks NGFW service: The first step is to register the Palo Alto Networks NGFW as a service on the NSX Manager. The registration process uses the NetX management plane API to enable bi-directional communication between Panorama and the NSX Manager. Panorama is configured with the IP address and access credentials to initiate a connection and register the Palo Alto Networks NGFW service on the NSX Manager. The service definition includes the URL for accessing the VM-Series base image that is required to deploy the VM-Series firewall for NSX, the authorization code for retrieving the license, and the device group and template to which the VM-Series firewalls will belong. The NSX Manager uses this management plane connection to share updates on the changes in the virtual environment with Panorama.
2. Deploy the VM-Series automatically from NSX: The NSX Manager collects the VM-Series base image from the URL specified during registration and installs an instance of the VM-Series firewall on each ESXi host in the ESXi cluster. From a static management IP pool or a DHCP service (that you define on the NSX Manager), a management IP address is assigned to the VM-Series firewall and the Panorama IP address is provided to the firewall. When the firewall boots up, the NetX dataplane integration API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.


3. Establish communication between the VM-Series firewall and Panorama: The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall. The VM-Series firewall receives the license and reboots with a valid serial number.

If your Panorama is offline, which means that it does not have direct Internet access to retrieve the licenses and push them to the firewalls, you must manually license each firewall. When Panorama does not have Internet access (Offline), you must add the serial number of the firewall to Panorama so that it is registered as a managed device, so that you can push the appropriate template and device group settings from Panorama.

4. Install configuration/policy from Panorama to the VM-Series firewall: The VM-Series firewall reconnects with Panorama and provides its serial number. Panorama now adds the firewall to the device group and template that was defined in the service definition and pushes the configuration and policy rules to the firewall. The VM-Series firewall is now available as a security virtual machine that can be further configured to safely enable applications on the network.
5. Push traffic redirection rules to NSX Manager: On Panorama, create security groups and define network introspection rules that specify the guests from which traffic will be steered to the VM-Series firewall. See Integrated Policy Rules for details.

To ensure that traffic from the guests is steered to the VM-Series firewall, you must have VMware Tools installed on each guest. If VMware Tools is not installed, the NSX Manager does not know the IP address of the guest and therefore the traffic cannot be steered to the VM-Series firewall. For more information, see Steer Traffic from Guests that are not Running VMware Tools.

6. Receive real-time updates from NSX Manager: The NSX Manager sends real-time updates on the changes in the virtual environment to Panorama. These updates include information on the security groups and IP addresses of guests that are part of the security group from which traffic is redirected to the VM-Series firewall. See Integrated Policy Rules for details.
7. Use dynamic address groups in policy and push dynamic updates from Panorama to the VM-Series firewalls: On Panorama, use the real-time updates on security groups to create dynamic address groups, bind them to security policies and then push these policies to the VM-Series firewalls. Every VM-Series firewall in the device group will have the same set of policies and is now completely marshaled to secure the SDDC. See Policy Enforcement using Dynamic Address Groups for details.


Integrated Policy Rules

Panorama serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. The traffic steering rules are defined on Panorama and pushed to NSX Manager; these determine what traffic from which guests in the cluster is steered to the Palo Alto Networks NGFW service. Security enforcement rules are also defined on Panorama and pushed to the VM-Series firewalls for the traffic that is steered to the Palo Alto Networks NGFW service.
Steering Rules: The rules for directing traffic from the guests on each ESXi host are defined on Panorama and applied by NSX Manager as partner security services rules.
For traffic that needs to be inspected and secured by the VM-Series firewall, the steering rules created on Panorama allow you to redirect the traffic to the Palo Alto Networks NGFW service. This traffic is then steered to the VM-Series firewall and is first processed by the VM-Series firewall before it goes to the virtual switch.

Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the VM-Series firewall and can be sent to the virtual switch for onward processing.
Rules centrally managed on Panorama and applied by the VM-Series firewall: The next-generation firewall rules are applied by the VM-Series firewall. These rules are centrally defined and managed on Panorama using templates and device groups and pushed to the VM-Series firewalls. The VM-Series firewall then enforces security policy by matching on source or destination IP address; the use of dynamic address groups allows the firewall to populate the members of the groups in real time. The firewall then forwards the traffic to the filters on the NSX Firewall.
To understand how the NSX Manager and Panorama stay synchronized with the changes in the SDDC and ensure that the VM-Series firewall consistently enforces policy, see Policy Enforcement using Dynamic Address Groups.


Policy Enforcement using Dynamic Address Groups

Unlike the other versions of the VM-Series firewall, because both virtual wire interfaces (and subinterfaces) belong to the same zone, the VM-Series firewall for NSX uses dynamic address groups as the traffic segmentation mechanism. A security policy rule on the VM-Series firewall for NSX must have the same source and destination zone; therefore, to implement different treatment of traffic, you use dynamic address groups as source or destination objects in security policy rules.
Dynamic address groups offer a way to automate the process of referencing source and/or destination addresses within security policies, because IP addresses are constantly changing in a data center environment. Unlike static address objects that must be manually updated in the configuration and committed whenever there is an address change (addition, deletion, or move), dynamic address groups automatically adapt to changes.
Any dynamic address groups created in a device group belonging to the NSX configuration and configured with the match criterion _nsx_<dynamic address group name> trigger the creation of corresponding security groups on the NSX Manager. In an ESXi cluster with multiple customers or tenants, the ability to filter security groups for a service profile (zone on Panorama) on the NSX Manager allows you to enforce policy when you have overlapping IP addresses across different security groups in your virtual environment.
If, for example, you have a multi-tier architecture for web applications, on Panorama you create three dynamic address groups for the Web Front End servers, Application servers and the Database servers. When you commit these changes on Panorama, it triggers the creation of three corresponding security groups on NSX Manager.

On NSX Manager, you can then add guest VMs to the appropriate security groups. Then, in security policy you can use the dynamic address groups as source or destination objects, define the applications that are permitted to traverse these servers, and push the rules to the VM-Series firewalls.
Each time a guest is added or modified in the ESXi cluster or a security group is updated or created, the NSX Manager uses the PAN-OS REST-based XML API to update Panorama with the IP address and the security group to which the guest belongs. To trace the flow of information, see Dynamic Address Groups Information Relay from NSX Manager to Panorama.


Toensurethatthenameofeachsecuritygroupisunique,thevCenterserverassignsaManaged
ObjectReference(MOB)IDtothenameyoudefineforthesecuritygroup.Thesyntaxusedto
displaythenameofasecuritygrouponPanoramais
serviceprofileidspecified_namesecuritygroupnumber;forexample,
serviceprofile13WebFrontEndsecuritygroup47.

When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group and the service profile to which that guest belongs. Then, Panorama pushes these real-time updates to all the firewalls that are included in the device group and notifies the device groups in the service manager configuration on Panorama.

On each firewall, all policy rules that reference these dynamic address groups are updated at runtime. Because the firewall matches on the security group tag to determine the members of a dynamic address group, you do not need to modify or update the policy when you make changes in the virtual environment. The firewall matches the tags to find the current members of each dynamic address group and applies the security policy to the source/destination IP addresses that are included in the group.
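The tag-driven membership resolution described above, as an added example that is not code from this guide or from PAN-OS: a small Python model in which the (service-profile zone, IP address, security-group tag) updates that Panorama relays are the only thing that changes, while the pushed policy rules stay fixed. Zones, group names, IP addresses and App-IDs are constructed sample data; registrations are keyed per zone to show why overlapping IP addresses in different tenants do not collide.

```python
"""Simplified model of run-time dynamic address group (DAG) resolution on a
VM-Series firewall for NSX.

Added example, not code from the deployment guide or from PAN-OS. It models what
the text describes: Panorama relays (service-profile zone, IP address,
security-group tag) updates from NSX Manager, and the firewall matches the tags
to resolve DAG members at run time, so the policy rules never change when guests
are added, moved or removed. Zones, group names, IP addresses and App-IDs below
are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicAddressGroup:
    name: str
    match: str      # match criterion; "_nsx_<name>" makes it an NSX security group


@dataclass(frozen=True)
class SecurityRule:
    name: str
    zone: str                # service-profile zone (source and destination zone are identical)
    source: str              # DAG name
    destination: str         # DAG name
    applications: frozenset  # App-IDs permitted between the two tiers
    action: str              # "allow" or "deny"


class VmSeriesPolicyEngine:
    """Holds the pushed policy plus the tag registrations relayed by Panorama."""

    def __init__(self, dags, rules):
        self.dags = {d.name: d for d in dags}
        self.rules = list(rules)
        # (zone, ip) -> set of tags. Keyed per zone so that overlapping IP
        # addresses in different tenants or sub-tenants stay distinct.
        self._tags = defaultdict(set)

    def register(self, zone, ip, tag):
        """Panorama relays: the guest at `ip` in `zone` joined security group `tag`."""
        self._tags[(zone, ip)].add(tag)

    def unregister(self, zone, ip, tag=None):
        """The guest left one security group, or was removed entirely (tag=None)."""
        if tag is None:
            self._tags.pop((zone, ip), None)
        else:
            self._tags[(zone, ip)].discard(tag)

    def members(self, zone, dag_name):
        """Resolve the current members of a DAG within a zone from the tags."""
        criterion = self.dags[dag_name].match
        return {ip for (z, ip), tags in self._tags.items()
                if z == zone and criterion in tags}

    def evaluate(self, zone, src_ip, dst_ip, app):
        """First-match rule evaluation; anything not explicitly allowed is denied."""
        for rule in self.rules:
            if (rule.zone == zone
                    and src_ip in self.members(zone, rule.source)
                    and dst_ip in self.members(zone, rule.destination)
                    and app in rule.applications):
                return rule.action
        return "deny"


def build_demo_engine():
    """The three-tier web application from the text, in one tenant zone."""
    dags = [
        DynamicAddressGroup("WebFrontEnd", "_nsx_WebFrontEnd"),
        DynamicAddressGroup("Application", "_nsx_Application"),
        DynamicAddressGroup("Database", "_nsx_Database"),
    ]
    rules = [
        SecurityRule("web-to-app", "tenant-a", "WebFrontEnd", "Application",
                     frozenset({"ssl"}), "allow"),
        SecurityRule("app-to-db", "tenant-a", "Application", "Database",
                     frozenset({"mysql"}), "allow"),
    ]
    engine = VmSeriesPolicyEngine(dags, rules)
    # Constructed registrations, in the shape Panorama would relay from NSX Manager.
    engine.register("tenant-a", "10.1.1.10", "_nsx_WebFrontEnd")
    engine.register("tenant-a", "10.1.2.10", "_nsx_Application")
    engine.register("tenant-a", "10.1.3.10", "_nsx_Database")
    return engine


if __name__ == "__main__":
    fw = build_demo_engine()
    print(fw.evaluate("tenant-a", "10.1.1.10", "10.1.2.10", "ssl"))    # allow
    print(fw.evaluate("tenant-a", "10.1.1.10", "10.1.3.10", "mysql"))  # deny: web tier may not reach the DB
    # A new web server joins the cluster: only a tag update arrives, no rule is edited.
    fw.register("tenant-a", "10.1.1.11", "_nsx_WebFrontEnd")
    print(fw.evaluate("tenant-a", "10.1.1.11", "10.1.2.10", "ssl"))    # allow
```

The point to take from the model is the last three lines: the web tier gains a server and the policy decision for it is correct immediately, because membership is recomputed from tags at evaluation time rather than baked into the rules.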

What are the Benefits of the VM-Series Firewall for NSX Solution?

The VM-Series firewall for VMware NSX is focused on securing east-west communication in the software-defined data center. Deploying the firewall has the following benefits:

- Sturdier Centralized Management: The firewalls deployed using this solution are licensed and managed by Panorama, the Palo Alto Networks central management tool. Panorama serves as a single point of configuration for integration with NSX. It gives the NSX Manager the information it needs to steer/redirect traffic to the VM-Series firewall for inspection and enforcement. Using Panorama to manage both the perimeter and data center firewalls (the hardware-based and virtual firewalls) allows you to centralize policy management and maintain agility and consistency in policy enforcement throughout the network.

- Automated Deployment: The NSX Manager automates the process of delivering next-generation firewall security services and the VM-Series firewall allows for transparent security enforcement. When a new ESXi host is added to a cluster, a new VM-Series firewall is automatically deployed, provisioned and available for immediate policy enforcement without any manual intervention. The automated workflow allows you to keep pace with the virtual machine deployments in your data center. The hypervisor mode on the firewall removes the need to reconfigure the ports/vswitches/network topology; because each ESXi host has an instance of the firewall, the traffic does not need to traverse the network or be backhauled for inspection and consistent enforcement of policies.

- Ease in Administering Tenants in Shared and Dedicated Compute Infrastructure: This integration provides the flexibility in configuring the firewall to handle multiple zones for traffic segmentation, defining shared or specific policy sets for each tenant or sub-tenant, and includes support for overlapping IP addresses across tenants or sub-tenants. Whether you have a shared cluster and need to define tenant-specific policies and logically isolate traffic for each tenant (or sub-tenant), or you have a dedicated cluster for each tenant, this solution enables you to configure the firewall for your needs. And if you need a dedicated instance of the VM-Series firewall for each tenant in a cluster that hosts the workloads for multiple tenants, you can deploy multiple instances of the VM-Series firewall on each host in an ESXi cluster. For more information, see What is Multi-Tenant Support on the VM-Series Firewall for NSX?

- Tighter Integration Between Virtual Environment and Security Enforcement for Dynamic Security: Dynamic address groups maintain awareness of changes in the virtual machines/applications and ensure that security policy stays in tandem with the changes in the network. This awareness provides visibility and protection of applications in an agile environment.

In summary, this solution ensures that the dynamic nature of the virtual network is secured with minimal administrative overhead. You can successfully deploy applications with greater speed, efficiency, and security.

What is Multi-Tenant Support on the VM-Series Firewall for NSX?

Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant. A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub-tenant and redirect traffic to the appropriately configured VM-Series firewall. You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster.

Panorama and the VM-Series firewalls must be running PAN-OS 7.1 or greater to support multi-tenancy.

To deploy a multi-tenant solution, create one or more service definition(s) and service profile zone(s) on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template. This means that each instance of the VM-Series firewall that is deployed using a service definition has one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster.

A service profile zone within a Panorama template is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that the firewall can isolate traffic for a sub-tenant. Because a template supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants.

Panorama registers each service definition as a service definition on the NSX Manager and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. You can then use the steering rules defined on Panorama and applied to the NSX Manager to specify what traffic to redirect to the VM-Series firewall based on NSX security groups, and to which tenant or sub-tenant based on the service profile.

Based on your requirements, you can choose from the following multi-tenancy options:


- Shared cluster with shared VM-Series firewalls: Multiple tenants share the cluster and the VM-Series firewall. A single instance of the VM-Series firewall is deployed on each host in the cluster. In order to separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies.

- Dedicated cluster with dedicated VM-Series firewalls: A single tenant occupies the cluster, and a single instance of the VM-Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub-tenants that require traffic separation (one zone per sub-tenant) and a single policy set with zone-based rules to secure traffic for each sub-tenant. See Use Case: Shared Security Policies on Dedicated Compute Infrastructure.

- Shared cluster with dedicated VM-Series firewalls: Multiple tenants share the cluster and multiple instances of the VM-Series firewall are deployed on each host in a cluster so that each tenant can have a dedicated instance of the VM-Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant's needs, you will define two or more service definitions for the cluster.

When deploying multiple instances of the VM-Series firewall, you must ensure that each ESXi host has sufficient CPU, memory and hard disk resources to support the VM-Series firewalls and the other virtual machines that will be running on it.


VM-Series Firewall for NSX Deployment Checklist

To deploy the VM-Series firewall for NSX, use the following workflow:

Step 1: Set up the Components. To deploy the VM-Series firewall for NSX, set up the following components (see What are the Components of the VM-Series for NSX Solution?):

- Set up the vCenter server, install and register the NSX Manager with the vCenter server.
  If you have not already set up the virtual switch(es) and grouped the ESXi hosts into clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.

  Do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series firewall for NSX to discard packets.

- Upgrade Panorama to version 8.0. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. See Upgrade Panorama 7.1 to Panorama 8.0 for information about converting your 7.1 configuration formats to 8.0 configuration formats.
- Install the VMware NSX Plugin.
- Install a License Deactivation API Key. Deleting the Palo Alto Networks Service Deployment on NSX Manager automatically triggers license deactivation. A license deactivation API key is required to successfully deactivate the VM-Series license.
- Download and save the ovf template for the VM-Series firewall for NSX on a web server. The ovf template must match your VM-Series model. If you are using the VM-200, select the VM-100 ovf (PA-VM-NSX-8.0.0.vm100.ovf). If using the VM-1000-HV, select the VM-300 ovf (PA-VM-NSX-8.0.0.vm300.ovf).
  The NSX Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama.
  Give the ova file a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova, allows you to overwrite the ova each time a newer version becomes available.
- Register the capacity auth code for the VM-Series firewall for NSX with your support account on the Support Portal. For details, see Upgrade the VM-Series Firewall.

Step 2: Register. Configure Panorama to Register the VM-Series Firewall as a Service on the NSX Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager. The connection between Panorama and the NSX Manager is also required for licensing and configuring the firewall.
  If you had configured Panorama to register the VM-Series firewall as a service on the NSX Manager in an earlier version, see Changes to default behavior to learn about the changes upon upgrade to version 8.0.

Step 3: Deploy the Firewalls and Create Policies. On Panorama, create the service definition(s) that specify the configuration for the VM-Series firewall and create policies to redirect traffic to the VM-Series firewall. On the NSX Manager, install the Palo Alto NGFW service. See Deploy the VM-Series Firewall and Create Steering Rules.

- (On Panorama) Create the service definition.
  If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see Changes to default behavior.


- (On Panorama) Set up the dynamic address groups that map to security groups on NSX Manager. A security group assembles the specified guests/applications so that you can apply policy to the group.
- (On Panorama) Create the security policy rules to redirect traffic to the Palo Alto Networks service profile.
- (On the NSX Manager) Enable SpoofGuard and define rules to block non-IP protocols.
- (On the NSX Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall.
- (On the NSX Manager) Deploy the VM-Series firewall. The NSX Manager automatically deploys an instance of the VM-Series firewall on each ESXi host in the cluster.

  The NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools.

- (On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls.
  This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.

Step 4: Monitor and Maintain Network Security. Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama (the Application Command Center (ACC), logs, and the report generation capabilities) you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator's Guide for more information.

Step 5: Upgrade the software version. When upgrading the VM-Series firewalls for NSX, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN-OS Software Version (VM-Series for NSX).

  For upgrading the PAN-OS version on the firewall, do not modify the VM-Series OVA URL in Panorama > VMware Service Manager.

Do not use the VMware snapshots functionality on the VM-Series firewall for NSX. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware's best practice recommendation on using snapshots.
If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Set up > Operations). Using Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location.

If you need to reinstall or remove the VM-Series from your NSX deployment, see the How to Remove VM-Series Integration from VMware NSX knowledge base article.


Install the VMware NSX Plugin

To deploy the VM-Series for NSX solution, you must install the VMware NSX plugin on Panorama. If you are upgrading to PAN-OS 8.0 and already have integrated VMware NSX and the Palo Alto Networks VM-Series firewalls configured in your environment, the plugin will be installed automatically and your existing configuration is maintained. If you are configuring NSX integration for the first time, complete the following procedure to install the NSX plugin.

If another version of the plugin is currently installed, selecting Install removes it and installs the selected version.

Install the VMware NSX Plugin

Step 1  Download the VMware NSX plugin from the Palo Alto Networks Customer Support website.

Step 2  Select Panorama > Plugins.
  1. Select Upload.
  2. Select Browse and locate the plugin file on your management device.
  3. Select the version of the plugin and click Install in the Action column to install the plugin. Panorama will alert you when the installation is complete.
  When installing the plugin for the first time on Panoramas in an HA pair, install the plugin on the passive peer before the active peer. After installing the plugin on the passive peer, it will transition to a non-functional state. Installing the plugin on the active peer returns the passive peer to a functional state.

Step 3  If you are upgrading your version of the NSX plugin, complete a manual configuration sync.
  1. Select Panorama > VMware NSX > Service Managers.
  2. Select NSX Config-Sync in the Action column.
  3. Click Yes.
  4. When the sync is complete, click OK.


Register the VM-Series Firewall as a Service on the NSX Manager

You need to enable communication between Panorama and the NSX Manager and then register the VM-Series firewall as a service on the NSX Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager.
- Enable Communication Between the NSX Manager and Panorama
- Create Template(s) and Device Group(s) on Panorama
- Create the Service Definitions on Panorama

Enable Communication Between the NSX Manager and Panorama

To automate the provisioning of the VM-Series firewall for NSX, enable communication between the NSX Manager and Panorama. This is a one-time setup, and only needs to be modified if the IP address of the NSX Manager changes or if the capacity license for deploying the VM-Series firewall is exceeded.

Use Panorama to Register the VM-Series Firewall as a Service

Step 1  Log in to the Panorama web interface.
  Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).

Step 2  Set up access to the NSX Manager.
  1. Select Panorama > VMware NSX > Service Managers and click Add.
  2. Enter the Service Manager Name.
     On the NSX Manager, this name displays in the Service Manager column on Networking & Security > Service Definitions > Service Managers.
  3. (Optional) Add a Description that identifies the VM-Series firewall as a service.
  4. Enter the NSX Manager URL: the IP address or FQDN at which to access the NSX Manager.
  5. Enter the NSX Manager Login credentials (username and password), so that Panorama can authenticate to the NSX Manager.
     The ampersand (&) special character is not supported in the NSX Manager account password. If a password includes an ampersand, the connection between Panorama and NSX Manager fails.
  6. Click OK.

Step 3  Commit your changes to Panorama.
  Select Commit and Commit Type: Panorama.


Use Panorama to Register the VM-Series Firewall as a Service (Continued)

Step 4  Verify the connection status on Panorama.
  To view the connection status between Panorama and the NSX Manager:
  1. Select Panorama > VMware NSX > Service Managers.
  2. Verify the message in the Status column.
     When the connection is successful, the status displays as Registered. This indicates that Panorama and the NSX Manager are in sync and the VM-Series firewall is registered as a service on the NSX Manager.
     The unsuccessful status messages are:
     - Not connected: Unable to reach/establish a network connection to the NSX Manager.
     - Not authorized: The access credentials (username and/or password) are incorrect.
     - Not registered: The service, service manager, or service profile is unavailable or was deleted on the NSX Manager.
     - Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click the link for details on the reasons for failure. For example, NSX Manager may have a service definition with the same name as defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.
     - No service/No service profile: Indicates an incomplete configuration on the NSX Manager.
     If you make a change and need to manually sync, see (Optional) Synchronize the configuration between Panorama and the NSX Manager.


Use Panorama to Register the VM-Series Firewall as a Service (Continued)

Step 5  Verify that the firewall is registered as a service on the NSX Manager.
  1. On the vSphere web client, select Networking & Security > Service Definitions > Service Managers.
  2. Verify that Palo Alto Networks displays as a vendor in the list of services available for installation.

Create Template(s) and Device Group(s) on Panorama

To manage the VM-Series firewalls for NSX using Panorama, the firewalls must belong to a device group and a template. Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; the configuration is defined using the Objects and Policies tabs on Panorama. Use templates to configure the settings that are required for the VM-Series firewalls to operate on the network; the configuration is defined using the Device and Network tabs on Panorama. Each template containing zones used in your NSX configuration on Panorama must be associated with a service definition; at a minimum, you must create a zone within the template so that the NSX Manager can redirect traffic to the VM-Series firewall.

Each virtual wire zone belonging to the NSX-related template becomes available as a service profile on the Service Composer on the NSX Manager. When you create an NSX-related zone on Panorama, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, to isolate traffic for a tenant or sub-tenant. On the firewall, you can then Create Steering Rules to secure traffic that arrives on the virtual wire subinterface pair that maps to the zone.

If you are new to Panorama, refer to the Panorama Administrator's Guide for instructions on setting up Panorama.


Create a Device Group and a Template on Panorama

Step 1  Add a device group or a device group hierarchy.
  1. Select Panorama > Device Groups, and click Add. You can also create a device group hierarchy.
  2. Enter a unique Name and a Description to identify the device group.
  3. Click OK.
     After the firewalls are deployed and provisioned, they will display under Panorama > Managed Devices and will be listed in the device group.
  4. Click Commit and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

Step 2  Add a template or a template stack.
  1. Select Panorama > Templates, and click Add. You can also configure a template stack.
  2. Enter a unique Name and a Description to identify the template.
  3. Click OK.
  4. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

Step 3  Create the zone(s) for each template.
  Each zone is mapped to a service profile on NSX Manager. To qualify, a zone must be of the virtual wire type and in a template, or a member template of a template stack, associated with a service definition.
  For a single tenant deployment, create one zone. If you have a multi-tenant deployment, create a zone for each sub-tenant. You can add up to 32 zones in each template.
  1. Select Network > Zones.
  2. Select the correct template in the Template drop-down.
  3. Select Add and enter a zone Name.
  4. Set the interface Type to Virtual Wire.
  5. Click OK.
  6. Verify that the zones are attached to the correct template.
  7. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
     Panorama creates a corresponding service profile on NSX Manager for each qualified zone upon commit.

Create the Service Definitions on Panorama

A service definition specifies the configuration for the VM-Series firewalls installed on each host in an ESXi cluster. The service definition must include the device group, the license auth codes for deploying the VM-Series firewalls, and a template with one or more NSX service profile zones. Typically, you create a service definition for the VM-Series firewall in an ESXi cluster. If you have different ESXi clusters that have workloads that require the VM-Series firewall to handle traffic differently, you can create multiple service definitions on Panorama.

On a Panorama commit, each service definition is registered on the NSX Manager. On registration with the NSX Manager, the NetX API implementation makes each zone (defined within the template) available for redirecting traffic. When you deploy the VM-Series firewalls, you can select the profile name for the VM-Series firewall(s) to which you want to redirect traffic from the objects in NSX security groups. The appropriately configured firewall can then inspect the traffic and enforce policy for the virtual machines that belong to the NSX security groups.

Create the Service Definition on Panorama

Step 1  (Optional) Configure a Notify Group.
  Create a notify group by specifying device groups that should be notified of changes in the virtual environment. The firewalls included in the specified device groups receive a real-time update of security groups and IP addresses of guest VMs in them. The firewalls use this update to determine the most current list of members that constitute dynamic address groups referenced in policy.
  1. Select Panorama > VMware NSX > Notify Group and click Add.
  2. Give your Notify Group a descriptive Name.
  3. Select the boxes of all device groups that should be notified of changes to the virtual environment. If a device group does not have a check box available, it means that the device group is automatically included by virtue of the device group hierarchy.
  4. Click OK.

Step 2  Add a new service definition.
  You can create up to 32 service definitions on Panorama.
  1. Select Panorama > VMware NSX > Service Definitions.
  2. Select Add to create a new service definition. The maximum number of characters in a service definition name is 40.
     On the NSX Manager, this service definition name displays in the Services column on Networking & Security > Service Definitions > Services.
  3. (Optional) Add a Description that identifies the function or purpose for the VM-Series firewalls that will be deployed using this service definition.

Step 3  Assign a device group and a template for the service definition.
  Make sure to Create the zone(s) for each template.
  Because the firewalls deployed in this solution will be centrally administered from Panorama, you must specify the Device Group and the Template that the firewalls belong to. All the firewalls that are deployed using this service definition belong to the specified template and device group.
  1. Select the device group or device group hierarchy in the Device Group drop-down.
  2. Select the template or the template stack in the Template drop-down.
     You cannot reuse a template or a device group assigned to one service definition in another service definition.


Create the Service Definition on Panorama (Continued)

Step 4  Specify the location of the OVF file.
  Download the zip file, unzip it to extract and save the .ovf, .mf and .vmdk files to the same directory. These files are used to deploy each instance of the firewall.
  If needed, modify the security settings on the server so that you can download the file types. For example, on the IIS server modify the Mime Types configuration; on an Apache server edit the .htaccess file.
  In VM-Series OVF URL, add the location of the web server that hosts the ovf file. Both http and https are supported protocols. For example, enter https://acme.com/software/PA-VM-NSX.8.0.0.vm300.ovf
  Select the ovf file that matches the VM-Series model you plan to deploy. For the VM-200, use vm100.ovf. For the VM-1000-HV, use vm300.ovf.
  To deploy a multi-tenant solution, the ovf file must be PAN-OS 8.0.0 or a later version.
  You can use the same ovf version or different versions across service definitions. Using different ovf versions across service definitions allows you to vary the PAN-OS version on the VM-Series firewalls in different ESXi clusters.

Step 5  (Optional) Select a Notify Group.
  To create context awareness between the virtual and security environments so that policy is consistently applied to all traffic steered to the firewalls, select the device groups to notify when there are changes in the virtual environment.
  Select each device group for which you want to enable notifications in the Notify Device Groups drop-down. If a device group does not have a check box available, it means that the device group is automatically included by virtue of the device group hierarchy.
  The firewalls included in the specified device groups receive a real-time update of security groups and IP addresses. The firewalls use this update to determine the most current list of members that constitute dynamic address groups referenced in policy.

Step 6  Save the service definition and attach it to the service manager.
  1. Click OK.
  2. Select Panorama > VMware NSX > Service Manager and click the link of the service manager name.
  3. Under Service Definitions, click Add and select your service definition from the drop-down.
  4. Click OK.
  5. Select Commit and Commit Type: Panorama.
     Committing the changes triggers the process of registering each service definition as a security service on the NSX Manager.


Create the Service Definition on Panorama (Continued)

Step 7  Add the authorization code to license the firewalls.
  The auth code must be for the VM-Series model NSX bundle; for example, PAN-VM-300-PERP-BND-NSX.
  Verify that the order quantity/capacity is adequate to support the number of firewalls you need to deploy in your network.
  1. Select Panorama > Device Groups and choose the device group you associated with the service definition you just created.
  2. Under Dynamically Added Device Properties, add the authorization code you received with your order fulfillment email and select a PAN-OS software version from the SW Version drop-down.
     When a new firewall is deployed under NSX and added to the selected device group, the authorization code is applied and the firewall is upgraded to the selected version of PAN-OS.
     On the support portal, you can view the total number of firewalls that you are authorized to deploy and the ratio of the number of licenses that have been used to the total number of licenses enabled by your auth code.
  3. Synchronize the configuration between Panorama and the NSX Manager.
     a. Select Panorama > VMware NSX > Service Managers.
     b. Select NSX Config-Sync under the Actions column.
     c. Click Yes to confirm the sync.


Create the Service Definition on Panorama (Continued)

Step 8  Verify that the service definition and the NSX service profile that you defined on Panorama are registered on the NSX Manager.
  1. On the NSX Manager, to verify that the service definition is available, select Networking & Security > Service Definitions > Services. The service definition is listed as a Service on the NSX Manager.
  2. To verify that the zones are available on the NSX Manager:
     a. Select Networking and Security > Service Composer > Security Policies, and click Create Security Policy.
     b. Select Network Introspection Services, and click Add.
     c. In the Service Name drop-down, select a Palo Alto Networks service that you verified in the step above.
     d. In the Profile drop-down, verify that you can view all the zones you defined for that service definition on Panorama.


Create the Service Definition on Panorama (Continued)

Step 9  (Optional) Synchronize the configuration between Panorama and the NSX Manager.
  If you add or update the service definitions configured on Panorama, select NSX Config Sync in the Action column under Panorama > VMware NSX > Service Managers to synchronize the changes on the NSX Manager.
  This link is not available if you have any pending commits on Panorama.
  If the synchronization fails, view the details to know whether to fix the error on Panorama or on the NSX Manager. For example, if you delete a service definition on Panorama, but the service definition cannot be deleted from the NSX Manager because it is referenced in a rule on the NSX Manager, the synchronization will fail with an error message that indicates the reason for failure.


Create Steering Rules

The following topics describe how to create policies on Panorama to steer traffic to the VM-Series firewall. In order for the VM-Series firewall to secure the traffic, you must complete the following tasks:
- Set Up Dynamic Address Groups on Panorama
- Redirect Traffic to the VM-Series Firewall

Set Up Dynamic Address Groups on Panorama

A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. When you create a dynamic address group that meets the right criteria and commit your changes, a corresponding security group is created on the NSX Manager. Creating security groups is required to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.


Set up Dynamic Address Groups on Panorama

Step 1  Configure a dynamic address group for each security group required for your deployment.
  1. Select Objects > Address Groups.
  2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX service definition.
  3. Click Add and enter a Name and Description for the address group.
  4. Select Type as Dynamic.
  5. Define the match criteria. For the dynamic address group to become a security group in NSX Manager, the match criteria must have the prefix _nsx_ followed by the dynamic address group name. For example, _nsx_PAN_APP_NSX.
  6. Repeat this process for each security group you require.

Step 2  Verify that the corresponding security groups are created on the NSX Manager.
  1. Select Network and Security > Service Composer > Security Groups.
  2. Verify that your dynamic address groups appear as security groups on the Security Groups list. Each security group is prefixed with your service definition followed by an underscore and the dynamic address group name.


Redirect Traffic to the VM-Series Firewall

Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.

Create security policy rules in the associated device group. For each security rule select one zone in the associated template, make the source and destination zones identical, and select the dynamic address groups as the source and destination. Creating a qualifying security policy in Panorama results in the creation of a corresponding steering rule on NSX Manager upon commit in Panorama.
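A pre-commit check of the qualification criteria just listed (together with the _nsx_ match-criterion rule from Set Up Dynamic Address Groups on Panorama and the service-definition prefix that security groups get on NSX Manager), as an added example that is not code from this guide, Panorama or NSX Manager. It reports, for each security rule, why it would not become a steering rule, and builds the steering rules for those that qualify. The service definition, zones, address objects and rules are constructed sample data, and the field names are the example's own rather than Panorama's configuration schema.

```python
"""Pre-commit check of which Panorama security rules would become NSX steering rules.

Added example, not code from the deployment guide, Panorama or NSX Manager. It
encodes the qualification criteria stated in this section; the service definition,
zones, address objects and rules below are constructed sample data, and the field
names are this example's own, not Panorama's configuration schema.
"""
from dataclasses import dataclass

NSX_PREFIX = "_nsx_"


@dataclass(frozen=True)
class AddressObject:
    name: str
    kind: str           # "dynamic", "static", "ip-range" or "ip-netmask"
    match: str = ""     # match criterion (dynamic groups only)


@dataclass(frozen=True)
class ServiceDefinition:
    name: str
    device_group: str
    template_zones: dict    # zone name -> zone type, from the attached template


@dataclass(frozen=True)
class SecurityRule:
    name: str
    device_group: str
    rule_type: str          # "intrazone", "interzone" or "universal"
    source_zones: tuple
    destination_zones: tuple
    source_addresses: tuple
    destination_addresses: tuple


def is_nsx_dag(obj):
    """Becomes an NSX security group only when the match criterion is _nsx_ plus its own name."""
    return obj.kind == "dynamic" and obj.match == NSX_PREFIX + obj.name


def nsx_security_group_name(service_definition, dag_name):
    """Name shown on NSX Manager: service definition, underscore, group name."""
    return f"{service_definition}_{dag_name}"


def steering_rule_problems(rule, sd, objects):
    """Reasons the rule would not generate a steering rule; empty means it qualifies."""
    problems = []
    if rule.device_group != sd.device_group:
        problems.append("not in the device group attached to the service definition")
    if rule.rule_type != "intrazone":
        problems.append(f"rule type is {rule.rule_type}, not intrazone")
    zones = set(rule.source_zones) | set(rule.destination_zones)
    if len(zones) != 1:
        problems.append("source and destination must be one identical zone")
    elif sd.template_zones.get(rule.source_zones[0]) != "virtual-wire":
        problems.append(f"zone {rule.source_zones[0]} is not a virtual-wire zone of the template")
    for side, names in (("source", rule.source_addresses),
                        ("destination", rule.destination_addresses)):
        if not names:
            problems.append(f"{side} address is empty")
        for name in names:  # only _nsx_ dynamic groups; no static groups, ranges or netmasks
            obj = objects.get(name)
            if obj is None or not is_nsx_dag(obj):
                problems.append(f"{side} address {name} is not an _nsx_ dynamic address group")
    return problems


def generate_steering_rules(rules, sd, objects):
    """Mimic Auto-Generate Steering Rules: one steering rule per qualifying
    security rule, with the default NSX Traffic Direction of inout."""
    steering, rejected = {}, {}
    for rule in rules:
        problems = steering_rule_problems(rule, sd, objects)
        if problems:
            rejected[rule.name] = problems
            continue
        steering[rule.name] = {
            "service_profile": rule.source_zones[0],
            "source_groups": [nsx_security_group_name(sd.name, n) for n in rule.source_addresses],
            "destination_groups": [nsx_security_group_name(sd.name, n)
                                   for n in rule.destination_addresses],
            "direction": "inout",
        }
    return steering, rejected


def build_demo():
    """Constructed sample configuration: one qualifying rule and three rejected ones."""
    sd = ServiceDefinition("PAN-NGFW-Cluster1", "dg-nsx",
                           {"tenant-a": "virtual-wire", "mgmt": "layer3"})
    objects = {o.name: o for o in (
        AddressObject("Web", "dynamic", "_nsx_Web"),
        AddressObject("App", "dynamic", "_nsx_App"),
        AddressObject("Legacy", "dynamic", "legacy-tag"),   # wrong match criterion
        AddressObject("corp-net", "ip-netmask"),            # static object, never allowed
    )}
    z = ("tenant-a",)
    rules = [
        SecurityRule("web-to-app", "dg-nsx", "intrazone", z, z, ("Web",), ("App",)),
        SecurityRule("web-to-corp", "dg-nsx", "intrazone", z, z, ("Web",), ("corp-net",)),
        SecurityRule("universal-rule", "dg-nsx", "universal", z, z, ("Web",), ("App",)),
        SecurityRule("layer3-zone", "dg-nsx", "intrazone", ("mgmt",), ("mgmt",), ("Legacy",), ("App",)),
    ]
    return sd, objects, rules
```

Running `generate_steering_rules(*build_demo())` yields one steering rule (web-to-app, on service profile tenant-a, between PAN-NGFW-Cluster1_Web and PAN-NGFW-Cluster1_App) and three rejections, each with the reason a reviewer would otherwise have to find by hand after the commit.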

Define Steering Rules to Redirect Traffic to the VM-Series Firewall

Step 1  Create security policy.
  1. In Panorama, select Policies > Security > Pre Rules.
  2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX service definition.
  3. Click Add and enter a Name and Description for your security policy rule.
  4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
  5. In the Source tab, set the source zone to the zone you associated with your NSX configuration. Then select a dynamic address group (NSX security group) you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
  6. In the Destination tab, set the destination zone to the same zone selected on the Source tab. Then select a dynamic address group (NSX security group) you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
  7. Click OK.
  8. Repeat steps 1 through 7 for each steering rule you require.
  9. Commit your changes.

Step 2 Generate steering rules. Panorama generates a steering rule for each qualifying security policy rule.
1. Select Panorama > VMware NSX > Steering Rules.
2. Select Auto-Generate Steering Rules. Panorama will populate the list of steering rules based on qualified security policy rules in the device group attached in the service definition.
3. (Optional) Modify the NSX Traffic Direction and add NSX Services to a Steering Rule. By default, the NSX Traffic Direction is set to inout and no NSX Services are selected.
a. Select the autogenerated steering rule to be modified.
b. To change the traffic direction, select the direction from the NSX Traffic Direction dropdown.
c. Click Add under NSX Services and choose a service from the Services dropdown. Repeat this step to add additional services.
d. Click OK.
4. Commit your changes.

Step 3 Verify that the corresponding traffic steering rules were created on the NSX Manager.
1. Select Network and Security > Firewall > Configuration > Partner Security Services.
2. Confirm that the traffic steering rules you created on Panorama are listed.

Deploy the VM-Series Firewall

After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager.
Enable SpoofGuard
Define an IP Address Pool (Required only if the management interface is not configured for DHCP)
Prepare the ESXi Host for the VM-Series Firewall
Deploy the Palo Alto Networks NGFW Service
Apply Policies to the VM-Series Firewall
Enable Large Receive Offload

Support for vMotion of guest virtual machines in the vSphere/NSX Environment
When a guest VM is vMotioned from one host to another within a cluster, the target host NSX distributed firewall will steer all new sessions to the VM-Series firewall on the destination host. To ensure that all active (existing) sessions remain uninterrupted during and after the guest vMotion, the NSX Manager polls the VM-Series firewall for existing allowed sessions and then shares these sessions with the NSX distributed firewall on the destination host. All existing sessions that were allowed by the original VM-Series will be allowed by the NSX distributed firewall (filtering module) on the destination host without steering to the target host VM-Series firewall, to prevent session loss.
The VM-Series firewall runs as a service on each host of the cluster and therefore is never vMotioned.

Enable SpoofGuard

The NSX distributed firewall can only redirect traffic to the VM-Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non-IP L2 traffic, or IP traffic that does not match the IP addresses known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and will not be steered to the VM-Series firewall. Therefore, to ensure that all traffic is correctly filtered, you need to perform the following steps:
Enable SpoofGuard to prevent unknown IP traffic that might otherwise bypass the VM-Series firewall. When SpoofGuard is enabled, if the IP address of a virtual machine changes, traffic from the virtual machine will be blocked until you inspect and approve the change in IP address in the NSX SpoofGuard interface.
Configure the NSX firewall rules to block non-IP L2 traffic that cannot be steered to the VM-Series firewall.

vCenter uses VMware Tools to learn the IP address(es) of each guest. If VMware Tools is not installed on some of your guests, see Steer Traffic from Guests that are not Running VMware Tools.

Enable SpoofGuard and Block Non-IP L2 Traffic

Step 1 Enable SpoofGuard for the port group(s) containing the guests.
When enabled, for each network adapter, SpoofGuard inspects packets for the prescribed MAC and its corresponding IP address.
1. Select Networking and Security > SpoofGuard.
2. Click Add to create a new policy, and select the following options:
SpoofGuard: Enabled
Operation Mode: Automatically trust IP assignments on their first use.
Allow local address as valid address in this namespace.
Select Networks: Select the port groups to which the guests are connected.

Step 2 Select the IP protocols to allow.
1. Select Networking and Security > Firewall > Ethernet.
2. Add a rule that allows ARP, IPv4 and IPv6 traffic.
3. Add a rule that blocks everything else.

Define an IP Address Pool

You can configure the management interface on the VM-Series firewall to use an IP address from a static IP pool or to be a DHCP client.
If you opt to use an IP pool, which is a range of (static) IP addresses that are reserved for establishing management access to the VM-Series firewalls, when the NSX Manager deploys a new VM-Series firewall, the first available IP address from this range is assigned to the management interface of the firewall.

Define an IP Address Pool

Step 1 In the Networking & Security Inventory, select the NSX Manager, and double-click to open the configuration details of the NSX Manager.

Step 2 Select Manage > Grouping Objects > IP Pools.

Step 3 Click Add IP Pool and specify the network access details requested in the screen, including the range of static IP addresses that you want to use for the Palo Alto Networks NGFW.

Prepare the ESXi Host for the VM-Series Firewall

Before you deploy the VM-Series firewall, each host in the cluster must have the necessary NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager will install the components, the Ethernet Adapter Module (.eam) and the SDK, required to deploy the VM-Series firewall.

Prepare the ESXi Hosts for the VM-Series Firewall

Step 1 On the NSX Manager, select Networking and Security > Installation > Host Preparation.

Step 2 Click Install and verify that the installation status is successful.

As new ESXi hosts are added to a cluster, this process is automated and the necessary NSX components are automatically installed on each guest on the ESXi host.
Step 3 If the Installation Status is not ready or a warning displays on screen, click the Resolve link. To monitor the progress of the reinstallation attempt, click the More Tasks link and look for the successful completion of the following tasks:

Deploy the Palo Alto Networks NGFW Service

Use the following steps to automate the process of deploying an instance of the VM-Series firewall for NSX on each ESXi host in the specified cluster.

Deploy the Palo Alto Networks NGFW Service

Step 1 Select Networking and Security > Installation > Service Deployments.

Step 2 Click New Service Deployment (green plus icon), and select the service definition for the Palo Alto Networks next-generation firewall you want to deploy, Palo Alto Networks NGFW service in this example. Click Next.

Step 3 Select the Datacenter and the cluster(s) on which the service will be deployed. One instance of the firewall will be deployed on each host in the selected cluster(s).

Step 4 Select the datastore from which to allocate disk space for the firewall. Select one of the following options depending on your deployment:
If you have allocated shared storage for the cluster, select an available shared datastore.
If you have not allocated shared storage for the cluster, select the Specified-on-host option. Be sure to select the storage on each ESXi host in the cluster. Also select the network that will be used for the management traffic on the VM-Series firewall.

Step 5 Select the port group that provides management network traffic access to the firewall.

Step 6 Select the IP address pool assignment.
Use IP Pool (Define an IP Address Pool) from which to assign a management IP address for each firewall when it is being deployed.
Use DHCP on the management interface.
If you use an IP pool, on deployment, the display name for the VM-Series firewall on Panorama includes the hostname of the ESXi host. For example: PA-VM:10.5.1.120.
If you use DHCP, the display name for the VM-Series firewall does not include the name of the ESXi host.

Step 7 Review the configuration and click Finish.

Step 8 Verify that the NSX Manager reports the Installation Status as Successful. This process can take a while; click the More tasks link on vCenter to monitor the progress of the installation.

If the installation of VM-Series fails, the error message is displayed in the Installation Status column. You can also use the Tasks tab and the Log Browser on the NSX Manager to view the details for the failure, and refer to the VMware documentation for troubleshooting steps.

Step 9 Verify that the firewall is successfully deployed.
1. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
2. View the management IP address(es) and the PAN-OS version running on the firewall directly from vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.
With VMware Tools, you can view resource utilization metrics on hard disk, memory, and CPU, and use these metrics to enable alarms or actions on the vCenter server. The heartbeats allow you to verify that the firewall is live and trigger actions to ensure high availability. You can also perform a graceful shutdown and restart of the firewall using the power off function on vCenter.

Step 10 Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama.
1. Select Panorama > Managed Devices to verify that the firewalls are connected and synchronized.
If the firewall gets its IP address from an IP Pool, the Display Name for the firewall includes the hostname of the ESXi server on which it is deployed, for example PA-VM:ESX1.Sydney. If the firewall gets a DHCP-assigned IP address, the hostname of the ESXi server does not display.

2. Click Commit, and select Commit Type as Panorama.
A periodic Panorama commit is required to ensure that Panorama saves the device serial numbers to configuration. If you reboot Panorama without committing the changes, the managed devices will not connect back to Panorama; although the Device Group will display the list of devices, the devices will not display in Panorama > Managed Devices.

Step 11 Verify that the capacity license is applied and apply any additional licenses that you have purchased. At a minimum, you must activate the support license on each firewall.
When Panorama does not have internet access (Offline), you must manually license each firewall, and then add the serial number of the firewall to Panorama so that it is registered as a managed device and can receive the template and device group settings from Panorama.
1. Select Panorama > Device Deployment > Licenses to verify that the VM-Series capacity license is applied.

2. To apply additional licenses on the VM-Series firewalls:
Click Activate on Panorama > Device Deployment > Licenses.
Find or filter for the firewall, and in the Auth Code column, enter the authorization code for the license to activate. Only one authorization code can be entered at a time, for each firewall.

3. Click Activate, and verify that the result of the license activation was successful.

Step 12 (Optional) Upgrade the PAN-OS version on the VM-Series firewalls; see Upgrade the PAN-OS Software Version (VM-Series for NSX).

Step 13 Add guest VMs to the right security groups for traffic from those VMs to be redirected to the VM-Series firewall.
1. Log in to vCenter.
2. Select Networking & Security > Service Composer > Security Groups.
3. Highlight the security group to which you want to assign guest VMs and click the Edit Security Group icon.
4. Select Define dynamic membership and click the + icon.
5. Click Add.
6. Define the dynamic membership criteria that the guest VMs must meet to be part of the selected security group. The criteria you use depend on your network deployment. For example, you might choose to group VMs by an Entity such as Logical Switch or Distributed Port Group.

7. Click Finish.
8. Repeat this procedure for each security group that should have its traffic redirected to the VM-Series firewall.

Apply Policies to the VM-Series Firewall

Now that you have created the steering rules on Panorama and pushed them to the NSX Manager, you can use Panorama for centrally administering policies on the VM-Series firewalls.
To manage centralized policy, attach the dynamic address group as a source or destination address in security policy and push it to the firewalls; the firewalls can dynamically retrieve the IP addresses of the virtual machines that are included in each security group to enforce compliance for traffic that originates from or is destined to the virtual machines in the specified group.

Define Policy on Panorama

Step 1 Create security policy rules.
1. Select Policies > Security > Prerules.
2. Select the Device Group that you created for managing the VM-Series firewalls for NSX in Register the VM-Series Firewall as a Service on the NSX Manager.
3. Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the Web Front End servers and the Application servers.
4. Select the Source Zone and Destination Zone. The zone name must be the same in both columns.
5. For the Source Address and Destination Address, select or type in an address, address group or region. In this example, we select an address group, the Dynamic address group you created previously.

6. Select the Application to allow. In this example, we create an Application Group that includes a static group of specific applications that are grouped together.
a. Click Add and select New Application Group.
b. Click Add to select the application to include in the group. In this example, we select the following:
c. Click OK to create the application group.

7. Specify the action Allow or Deny for the traffic, and optionally attach the default security profiles for antivirus, anti-spyware, and vulnerability protection, under Profiles.
8. Repeat Steps 3 through 7 above to create the pertinent policy rules.
9. Click Commit, select Commit Type as Panorama. Click OK.

Step 2 Apply the policies to the VM-Series firewalls for NSX.
1. Click Commit, and select Commit Type Device Groups.
2. Select the device group, NSX Device Group in this example, and click OK.
3. Verify that the commit is successful.

Step 3 Validate that the members of the dynamic address group are populated on the VM-Series firewall.
1. From Panorama, switch device context to launch the web interface of a firewall to which you pushed policies.
2. On the VM-Series firewall, select Policies > Security, and select a rule.
3. Select the dropdown arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
4. Click the more link and verify that the list of registered IP addresses is displayed.
Policy will be enforced for all IP addresses that belong to this address group and are displayed here.

Step 4 (Optional) Use a template to push a base configuration for network and device configuration such as DNS server, NTP server, Syslog server, and login banner.
Refer to the Panorama Administrator's Guide for information on using templates.

Step 5 Create a Zone Protection profile and attach it to a zone.
A zone protection profile provides flood protection and has the ability to protect against port scanning, port sweeps and packet-based attacks. It allows you to secure intra-tier and inter-tier traffic between virtual machines within your datacenter and traffic from the Internet that is destined to the virtual machines (workloads) in your datacenter.
1. Select your Template.
2. Select Network > Network Profiles > Zone Protection to add and configure a new profile.
3. Select Network > Zones, click the default zone listed and select the profile in the Zone Protection Profile dropdown.

Step 6 Create a DoS Protection profile and attach it to a DoS Protection policy rule.
1. Select your Device Group.
2. Select Objects > Security Profiles > DoS Protection to add and configure a new profile.
A classified profile allows the creation of a threshold that applies to a single source IP. For example, you can configure a max session rate for an IP address that matched the policy, and then block that single IP address once the threshold is triggered.
An aggregate profile allows the creation of a max session rate for all packets matching the policy. The threshold applies to the new session rate for all IP addresses combined. Once the threshold is triggered it affects all traffic that matches the policy.
3. Create a new DoS Protection policy rule in Policy > DoS Protection, and attach the new profile to it.

Enable Large Receive Offload

Large receive offload (LRO) is a technique for increasing the inbound throughput on high-bandwidth network connections by decreasing CPU overhead. Without LRO, the firewall drops packets larger than the configured maximum transmission unit (MTU), which is a maximum of 9216 bytes when the firewall is enabled for jumbo frames. With LRO enabled, the firewall accepts packets up to 64 KB in size and does not drop packets larger than the configured MTU. Instead, it segments the larger packets into smaller chunks of 9000 bytes. For example, if VM1 sends a 64 KB packet to VM2, the packet is divided into eight segments.

LRO is disabled by default on new NSX deployments and on upgrade to 8.0. You can enable or disable LRO and view the LRO status through the CLI. Enabling LRO on the VM-Series firewall automatically enables jumbo frames. Additionally, LRO and TCP Segmentation Offload (TSO) must be enabled on the VMXNET3 network adapter on the VM-Series firewall host machine.

Enable LRO on the VM-Series for NSX

Step 1 Verify that large receive offload and TCP segmentation offload are enabled on the host.
For information about LRO and TSO on the host machine, see the VMware vSphere documentation.
1. Log in to vSphere and navigate to your host machine.
2. Select Manage > Settings > System > Advanced System Settings.
3. Locate the following parameters and verify that their value is set to 1. A 1 indicates that the parameter is enabled on the VMXNET3 adapter.
For LRO: Net.Vmxnet3HwLRO
For TSO: Net.UseHwTSO and Net.UseHwTSO6

Step 2 Enable LRO on the VM-Series firewall.
1. Access the firewall CLI.
2. Use the following command to enable LRO:
admin@PA-VM> set system setting lro enable
3. Reboot the firewall using the following command:
> request restart system
4. Verify that LRO is enabled with the following command:
admin@PA-VM> show system setting lro
Device LRO mode: on
Current device mtu size: 9192
You can disable LRO using the command set system setting lro disable.

Steer Traffic from Guests that are not Running VMware Tools

VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest running in the cluster. NSX Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If you do not have VMware Tools installed on each guest, the IP address(es) of the guest are unavailable to the NSX Manager and traffic cannot be steered to the VM-Series firewall.
The following steps allow you to manually provision guests without VMware Tools so that traffic from each of these guests can be managed by the VM-Series firewall.

Steer Traffic from Guests that are not Running VMware Tools

Step 1 Create an IP set that includes the guests that need to be secured by the VM-Series firewall. This IP set will be used as the source or destination object in an NSX distributed firewall rule in Step 4 below.
1. Select NSX Managers > Manage > Grouping Objects > IP Sets.
2. Click Add and enter the IP address of each guest that does not have VMware Tools installed and needs to be secured by the VM-Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are not valid.

Step 2 Verify that SpoofGuard is enabled. If not enabled, see Enable SpoofGuard.

Step 3 Manually approve the IP address(es) for each guest in SpoofGuard; this validates that the approved IP address is the accurate address for that network adapter. For a manually configured IP address, make sure to add the IP address to the IP set before approving it in SpoofGuard.
1. Select the new SpoofGuard policy you created earlier and View: Inactive Virtual NICs.
2. Select the guest, add the IP address in the Approved IP field, and Publish changes.
3. Review and approve all previously approved IP addresses too.

Step 4 Attach the IP sets to the Security Groups on NSX to enforce policy.
1. Select Networking and Security > Service Composer > Security Groups.
2. Select Select objects to include > IP Sets and add the IP set object to include.

Dynamically Quarantine Infected Guests

Threat and traffic logs in PAN-OS include the source or destination universally unique identifier (UUID) of guest VMs in your NSX deployment. This allows the VM-Series for NSX to support the tagging of guest VMs with NSX security tags. With the guest VM's UUID now included in the log events, the firewall, based on the filtered log events, can tag the affected guest VM via the NSX Manager API. This allows for automatic location of compromised VMs in the NSX environment. NSX can then put all associated UUIDs under policies to quarantine those VMs from the rest of the network.
Panorama includes predefined payload formats for threat and traffic logs in the HTTP Server Profile. These payload formats correspond to predefined security tags in NSX. When a guest VM is found in the threat or traffic logs, Panorama makes an API call to NSX Manager telling NSX Manager to tag the guest VM with the tag specified in the HTTP Server Profile. When the guest VM becomes tagged, NSX Manager dynamically moves the tagged guest VM into the quarantine security group, which places the guest VM into the quarantine dynamic address group.

Configure Panorama to Dynamically Quarantine Infected Guests

Step 1 Confirm that you have content update version 636 or later installed on Panorama.

Step 2 Create a dynamic address group to be your quarantine dynamic address group.

Step 3 Create an HTTP Server Profile to send API calls to NSX Manager.
1. Select Panorama > Server Profiles > HTTP and Add a new HTTP Server Profile.
2. Enter a descriptive Name.
3. Select Add to provide the details of NSX Manager.
4. Enter a Name for NSX Manager.
5. Enter the IP Address of NSX Manager.
6. Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443 respectively.
7. Select PUT under the HTTP Method column.
8. Enter the username and password for NSX Manager.

9. Select Payload Format and choose an NSX payload format from the Predefined Formats dropdown. This populates the URI Format, HTTP Headers, and Payload fields with the correct information to send the HTTP API call to NSX Manager. Additionally, the chosen format determines which security tag NSX Manager applies to infected guest VMs. In the example below, NSX Anti Virus Threat High is selected, which corresponds to the ANTI_VIRUS.VirusFound.threat=high security tag on NSX Manager.

Step 4 Define the match criteria for when Panorama will forward logs to the NSX Manager, and attach the HTTP server profile to use.
1. Select Panorama > Log Settings for Threat or Traffic logs.
2. Enter a descriptive name for the new log settings.
3. (Optional) Under Filter, you can add filters such as severity to narrow the logs that are forwarded to NSX Manager. If All Logs is selected, all threat or traffic logs that meet the criteria set in the HTTP Server profile are sent to NSX Manager.
4. Click Add under HTTP and select the HTTP Server Profile configured in Step 3.
5. Click OK.

Step 5 Configure an NSX server certificate for Panorama to forward logs to NSX Manager.
1. Select Panorama > Certificate Management > Certificates.
2. Create a root CA certificate with CN = IP address of Panorama.
3. Create a signed certificate with CN = IP address of NSX Manager.
4. Export the root CA certificate in PEM format without a private key.
5. Export the signed certificate in PEM format with a private key.

6. Using a tool such as OpenSSL, concatenate the exported certificates into a single PEM file for upload to NSX Manager. Use the following commands in OpenSSL to complete this step.
cat cert_NSX_Root_CA.crt cert_NSX_Signed1.pem > cert_NSX_cert_chain.pem
openssl pkcs12 -export -in cert_NSX_cert_chain.pem -out cert_NSX_cert.p12
7. Log in to NSX Manager and select Manage Appliance Settings > SSL Certificates > Upload PKCS#12 Keystore. Click Choose File, locate the .p12 file you created in the previous step, and click Import.

Step 6 Associate a security group with a security tag in vCenter.
1. Log in to vCenter.
2. Select Networking & Security > Service Composer > Security Groups.
3. Select the security group that is the counterpart of the quarantine dynamic address group you created previously and click Edit Security Group.

4. Select Define dynamic membership and click the + icon.
5. Click Add.
6. Set the criteria details to Security Tag Contains and then enter the NSX security tag that corresponds to the NSX payload format you chose in Step 3. Each of the predefined NSX payload formats corresponds to an NSX security tag. To view the NSX security tags in NSX, select Networking & Security > NSX Managers > NSX Manager IP > Manage > Security Tags.
In this example, NSX Anti Virus Threat High is used in the HTTP Server Profile, so ANTI_VIRUS.VirusFound.threat=high is the NSX Security Tag that is used here.
7. Click Finish.

Step 7 After the guest VM is cleared for removal from quarantine, manually remove the NSX security tag from the guest VM in NSX.
1. Log in to vCenter.
2. Select VMs and Templates and choose the quarantined guest.
3. Select Summary > Security Tags > Manage.
4. Uncheck the security tag used by the quarantine security group and click OK.
5. Refresh the page; the quarantine security group will no longer be listed under Summary > Security Group Membership.
Source and destination UUID fields in threat and traffic logs may be blank after a guest VM is removed from quarantine. This can occur when running NSX 6.2.3 or earlier, or if NSX steering rules do not use the inout direction. You can resolve this by upgrading NSX to 6.2.4, or by issuing an NSX Config sync under Panorama > VMware NSX > Service Manager and rebooting the PA-VM.

Use Case: Shared Compute Infrastructure and Shared Security Policies

This use case allows you to logically isolate traffic from two tenants that share an ESXi cluster and have a common set of security policies. In order to isolate traffic from each tenant you need to create a service definition with a template that includes two zones. Zone-based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants when it traverses the firewall. The firewall is able to distinguish traffic between tenant virtual machines based on the service profiles and security groups created on the NSX Manager, which are available as match criteria in Dynamic Address Groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant's virtual machines using zone-based policy rules (source and destination zones must be the same) and dynamic address groups.

VM-Series Firewall for NSX Per-Tenant Zone with Unified Security Policy on Shared Infrastructure

Step 1 Enable Communication Between the NSX Manager and Panorama.
This is a one-time task and is required if you have not enabled access between the NSX Manager and Panorama.

Step 2 Create Template(s) and Device Group(s) on Panorama.
1. Log in to the Panorama web interface.
2. Select Panorama > Templates to add a template. This use case has a template named NSXTemplate.
3. Select Panorama > Device Groups and add a device group. This use case has a device group named NSXDG.
4. Create two zones within the Template. To isolate traffic for each tenant, you need two zones in this use case.
a. Select Network > Zones.
b. Select the correct template in the Template dropdown.
c. Select Add and enter a zone Name. For example, Tenant1.
d. Set the interface Type to Virtual Wire.
e. Click OK.
f. Repeat the steps to add another zone, for example, Tenant2.
g. Verify that the zones are attached to the correct template.

Step 3 Create the Service Definitions on Panorama.
1. Select Panorama > VMware NSX > Service Definitions.
2. Select Add and fill in the details.
3. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

Step 4 Create Steering Rules.
1. Select Objects > Address Groups and Set Up Dynamic Address Groups on Panorama for each tenant's virtual machines. For example, this use case has two security groups per tenant: one security group for the web servers and the other security group for the application servers.
2. Select Policies > Security > Pre Rules to set up security policy rules for sending traffic to the VM-Series firewall.
3. Select Panorama > VMware NSX > Steering Rules and click Auto-Generate Steering Rules.
4. Commit your changes.

Step 5 Prepare the ESXi Host for the VM-Series Firewall.
The ESXi hosts in the cluster must have the necessary NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager will install the components, the Ethernet Adapter Module (.eam) and the SDK, required to deploy the VM-Series firewall.

Step 6 Deploy the Palo Alto Networks NGFW Service.
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), and select the service definition for the Palo Alto Networks next-generation firewall you want to deploy, Palo Alto Networks NGFW Test 1 in this example; make your selections, including the appropriate ESXi cluster to which you want to deploy the firewall, and click Finish.

3. Verify that the NSX Manager reports the Installation Status as Successful.
4. Verify that the VM-Series firewall is successfully deployed.
a. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
b. View the management IP address(es) and the PAN-OS version running on the firewall directly from vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.

Step 7 Apply Policies to the VM-Series Firewall.
1. Create Dynamic Address groups for each tenant on Panorama. The dynamic address group(s) match on the name of the security group(s) you defined on the NSX Manager.
a. On Panorama, select Objects > Address Groups.
b. Select the correct Device Group from the dropdown and click Add.
c. Add a Name for the address group, set Type as Dynamic, and Add Match Criteria. Verify that you select the correct tags for each tenant; the tag includes the service profile ID, the security group name and the security group ID. For example, for this use case there are four dynamic address groups:

2. On Panorama, create security policy rules, use the dynamic address groups as source or destination address objects in the security policy rules, and push them to the firewalls.
a. Select Policies > Security > Prerules and click Add.
b. Create rules for each tenant. This use case has the following policy rules:

3. Click Commit, and select Commit Type as Device Groups. Select the device group, NSXDG in this example, and click OK.

Step 8: Verify that traffic from each tenant is secured.

1. Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall:

show interface all
total configured hardware interfaces: 2
name                id    speed/duplex/state      mac address
--------------------------------------------------------------
ethernet1/1         16    auto/auto/up            d4:f4:be:c6:af:10
ethernet1/2         17    auto/auto/up            d4:f4:be:c6:af:11

aggregation groups: 0

total configured logical interfaces: 6

name                id    vsys  zone              forwarding
------------------- ----- ----  ----------------- -----------------
ethernet1/1         16    1                       vwire:ethernet1/2
ethernet1/1.3       4099  1     TENANT-1          vwire:ethernet1/2.3
ethernet1/1.4       4100  1     TENANT-2          vwire:ethernet1/2.4
ethernet1/2         17    1                       vwire:ethernet1/1
ethernet1/2.3       4355  1     TENANT-1          vwire:ethernet1/1.3
ethernet1/2.4       4356  1     TENANT-2          vwire:ethernet1/1.4

2. On the web interface of the VM-Series firewall, select Objects > Address Groups and verify that you can view the IP address for the members of each Dynamic Address Group. The following is an example of duplicate IP addresses in dynamic address groups across both tenants.

3. View the ACC and Monitor > Logs > Traffic. Filter on the zone name to ensure that traffic from the virtual machines for each tenant is secured.
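The per-tenant isolation in this use case rests on each virtual-wire subinterface pair sitting in one tenant zone and forwarding to each other, which is what the logical interface table in step 1 shows. The Python script below is an added example (not from the guide and not PAN-OS code) that parses that table from `show interface all` output and audits the pairing. The sample output is constructed to mirror the table above; the parser only recognises virtual-wire rows.

```python
"""Audit the logical-interface table of ``show interface all`` on a PAN-OS
virtual-wire deployment: every subinterface pair must forward to each other
and both ends must sit in the same (tenant) zone.

Added example, not from the guide.  SAMPLE_OUTPUT is constructed to match
the table shown in Step 8 of the use case."""
import re

SAMPLE_OUTPUT = """\
total configured logical interfaces: 6

name                id    vsys  zone              forwarding
------------------- ----- ----  ----------------- -----------------
ethernet1/1         16    1                       vwire:ethernet1/2
ethernet1/1.3       4099  1     TENANT-1          vwire:ethernet1/2.3
ethernet1/1.4       4100  1     TENANT-2          vwire:ethernet1/2.4
ethernet1/2         17    1                       vwire:ethernet1/1
ethernet1/2.3       4355  1     TENANT-1          vwire:ethernet1/1.3
ethernet1/2.4       4356  1     TENANT-2          vwire:ethernet1/1.4
"""

# name, numeric id, vsys, optional zone (parent interfaces have none), vwire peer
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<id>\d+)\s+(?P<vsys>\d+)\s+"
    r"(?:(?P<zone>\S+)\s+)?vwire:(?P<peer>\S+)\s*$"
)


def parse_logical_interfaces(text):
    """Return {name: {"id", "vsys", "zone", "peer"}} for every vwire row."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m["name"]] = {
                "id": int(m["id"]),
                "vsys": int(m["vsys"]),
                "zone": m["zone"],  # None for a parent interface
                "peer": m["peer"],
            }
    return table


def audit_vwire_zones(table):
    """Return a list of problem strings; an empty list means the layout is
    consistent (peers point back at each other and share a zone)."""
    problems = []
    for name, info in table.items():
        peer = table.get(info["peer"])
        if peer is None:
            problems.append(f"{name}: vwire peer {info['peer']} not found")
            continue
        if peer["peer"] != name:
            problems.append(f"{name}: peer {info['peer']} forwards to {peer['peer']}, not back")
        if info["zone"] != peer["zone"]:
            problems.append(f"{name}: zone {info['zone']} differs from peer zone {peer['zone']}")
    return problems


def tenants_by_zone(table):
    """Map each tenant zone to the sorted subinterfaces that carry it."""
    zones = {}
    for name, info in table.items():
        if info["zone"]:
            zones.setdefault(info["zone"], []).append(name)
    return {z: sorted(v) for z, v in zones.items()}


if __name__ == "__main__":
    parsed = parse_logical_interfaces(SAMPLE_OUTPUT)
    print(tenants_by_zone(parsed))
    print(audit_vwire_zones(parsed) or "vwire/zone layout consistent")
```

Run it against the output of `show interface all` captured from a firewall; any line in the audit list points at a subinterface whose peer or zone does not match the service profile zone you created on Panorama.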

Use Case: Shared Security Policies on Dedicated Compute Infrastructure

If you are a Managed Service Provider who needs to secure a large enterprise (tenant) with multiple departments (sub-tenants), and each tenant requires dedicated compute infrastructure and security policy rules, you need to create a service definition for each tenant.

In this use case, each tenant, BMW and Toyota, has a dedicated ESXi cluster, and each tenant has sub-tenants Dev, QA, and Prod whose workloads are deployed in the cluster. You need to define two service definitions so that the VM-Series firewalls for each tenant can have Security policies for their respective ESXi clusters. The service definition for each tenant includes multiple zones (with corresponding virtual wire subinterface pairs) for isolating traffic from each sub-tenant. Each zone is mapped to a service profile on the NSX Manager, which allows the firewall to distinguish traffic from the virtual machines for each sub-tenant and to enforce zone-based security policy rules within the common set of policy rules for the tenant. Zone-based policies in combination with Dynamic Address Groups also allow you to secure sub-tenants that may have overlapping networks, and hence duplicate IP addresses. To uniquely identify virtual machines assigned to each sub-tenant and successfully enforce policy, the NSX Manager provides the service profile and security group to which a virtual machine belongs as match criteria in dynamic address groups on Panorama. For more information, see Policy Enforcement using Dynamic Address Groups.

You can also configure role-based access control using access domains on Panorama. Access domains allow you to control administrative access to specific device groups (to manage policies and objects) and templates (to manage network and device settings), so that each tenant administrator can manage the configuration for their VM-Series firewalls. Role-based access also allows you to limit log visibility to the respective tenant only.

VM-Series Firewall for NSX: Per-Tenant Security Policy on Dedicated Infrastructure

Step 1: Enable Communication Between the NSX Manager and Panorama.

This is a one-time task and is required if you have not already enabled access between the NSX Manager and Panorama.

Step 2: Create Template(s) and Device Group(s) on Panorama.

1. Log in to the Panorama web interface.
2. Select Panorama > Templates to add templates. This use case has two templates named NSX-Template-TOYOTA and NSX-Template-BMW.
3. Select Panorama > Device Groups and add device groups. This use case has two device groups named NSX-DG-BMW and NSX-DG-TOYOTA.
4. Create NSX service profile zones within each template. To isolate traffic for each sub-tenant in this use case, you need three zones for each tenant.
   a. Select Network > Zones.
   b. Select the correct template in the Template drop-down.
   c. Select Add and enter a zone Name. For example, Tenant-1.
   d. Set the interface Type to Virtual Wire.
   e. Click OK.
   f. Repeat steps a to e to add the additional zones for each sub-tenant.
   g. Verify that the zones are attached to the correct template.
5. Repeat step 4 for the other template.

Step 3: Create the Service Definitions on Panorama.

1. Select Panorama > VMware NSX > Service Definitions.
2. Select Add. Fill in the details for the service definition for each tenant. In this example, the two service definitions are Palo Alto Networks-Toyota and Palo Alto Networks-BMW.
3. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

Step 4: Create Steering Rules.

1. Select Objects > Address Groups and Set Up Dynamic Address Groups on Panorama for each tenant's virtual machines. For example, this use case has two security groups per tenant: one security group for the web servers and the other security group for the application servers.
2. Select Policies > Security > Pre Rules to set up security policy rules for sending traffic to the VM-Series firewall.
3. Select Panorama > VMware NSX > Steering Rules and click Auto-Generate Steering Rules.
4. Commit your changes.

Step 5: Prepare the ESXi Host for the VM-Series Firewall.

The ESXi hosts in the cluster must have the necessary NSX components that allow the NSX firewall and the VM-Series firewall to work together. The NSX Manager will install the components, the Ethernet Adapter Module (.eam) and the SDK, required to deploy the VM-Series firewall.

Step 6: Deploy the Palo Alto Networks NGFW Service.

1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), and select the service definition for the Palo Alto Networks next-generation firewall you want to deploy, Palo Alto Networks NGFW Test 1 in this example; make your selections and click Finish.
3. Verify that the NSX Manager reports the Installation Status as Successful.
4. Verify that the VM-Series firewall is successfully deployed.
   a. On the vCenter server, select Hosts and Clusters to check that every host in each cluster has one instance of the firewall.
   b. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.


Step 7: Apply Policies to the VM-Series Firewall.

1. Create dynamic address groups for each sub-tenant on Panorama. The dynamic address group(s) match on the name of the security group(s) you defined on the NSX Manager.
   a. On Panorama, select Objects > Address Groups.
   b. Select a Device Group from the drop-down and click Add.
   c. Add a Name for the address group, set Type as Dynamic, and Add Match Criteria. For ease of managing these groups, use the same name for the dynamic address group as that of the security group on the NSX Manager.
   d. Create the dynamic address groups for the sub-tenants for the other tenant, BMW in this example.
2. On Panorama, create Security policies that use the dynamic address groups as source or destination address objects in security policy rules, and push them to the firewalls.
   a. Select Policies > Security > Pre Rules.
   b. Select a Device Group from the drop-down and click Add.
   c. Create rules for each sub-tenant. Make sure to keep the source and destination zone the same in a policy rule. To ensure that only the application that is running on the server is allowed, allow the service on the application-default port only. This use case has the following policy rules for the tenant Toyota:

3. Select the other Device Group from the drop-down and create the Security policies for each sub-tenant for the other tenant, BMW in this example.
4. Click Commit, and select Commit Type as Device Groups. Select the device groups, NSX-DG-BMW and NSX-DG-TOYOTA in this example, and click OK. The commit pushes the Security policies to the firewalls that belong to each device group, and they can then enforce policy on the traffic redirected by the NSX Manager.
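The two constraints stated in step 2c (source and destination zone the same in a rule, and service limited to application-default) are easy to get wrong across six sub-tenant rule sets, and a rule that references a misspelled dynamic address group silently matches nothing. The Python linter below is an added example (not from the guide and not Panorama code) that checks a set of pre-rules against those constraints before you commit. The rule dicts are a simplified stand-in for a Panorama pre-rule, and the zone, group and rule names are constructed for the Dev/QA/Prod layout of this use case.

```python
"""Lint per-sub-tenant security pre-rules against the constraints this
procedure states: same source and destination zone, application-default
service on allow rules, and address objects that are defined dynamic
address groups.  Added example; not from the guide or Panorama."""

# Dynamic address groups created in step 1, named after the NSX security
# groups (constructed names for the Dev/QA/Prod sub-tenants of one tenant).
DYNAMIC_ADDRESS_GROUPS = {
    "Dev-Web", "Dev-App", "QA-Web", "QA-App", "Prod-Web", "Prod-App",
}

# Constructed pre-rules in a simplified dict form (one zone per sub-tenant).
SAMPLE_RULES = [
    {"name": "dev-web-to-app", "from": "Dev", "to": "Dev",
     "source": ["Dev-Web"], "destination": ["Dev-App"],
     "application": ["mysql"], "service": "application-default", "action": "allow"},
    {"name": "qa-web-to-app", "from": "QA", "to": "Prod",        # crosses sub-tenants
     "source": ["QA-Web"], "destination": ["Prod-App"],
     "application": ["mysql"], "service": "application-default", "action": "allow"},
    {"name": "prod-web-any-port", "from": "Prod", "to": "Prod",  # service too broad
     "source": ["Prod-Web"], "destination": ["Prod-App"],
     "application": ["web-browsing"], "service": "any", "action": "allow"},
    {"name": "prod-typo", "from": "Prod", "to": "Prod",          # unknown group
     "source": ["Prod-Web"], "destination": ["Prod-DB"],
     "application": ["mysql"], "service": "application-default", "action": "allow"},
]


def lint_rule(rule, known_groups=DYNAMIC_ADDRESS_GROUPS):
    """Return the list of findings for one rule (empty list when clean)."""
    findings = []
    if rule["from"] != rule["to"]:
        findings.append("zones differ: rule would pass traffic between sub-tenants")
    if rule["action"] == "allow" and rule["service"] != "application-default":
        findings.append("service is not application-default")
    for side in ("source", "destination"):
        for obj in rule[side]:
            if obj != "any" and obj not in known_groups:
                findings.append(f"{side} {obj!r} is not a defined dynamic address group")
    return findings


def lint_rules(rules, known_groups=DYNAMIC_ADDRESS_GROUPS):
    """Return {rule name: findings} for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule, known_groups)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_rules(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Only the first rule passes; the other three each trip one constraint. In practice you would build the rule list from a Panorama configuration export rather than by hand.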

Step 8: Verify that traffic from each tenant is secured.

1. On Panorama, go to Monitor > Logs > Traffic and Monitor > Logs > Threat to view the Traffic logs and Threat logs. Select the device group for a tenant and sort on the Zone name for full visibility into traffic from each sub-tenant.
2. On Panorama, use the ACC for visibility into traffic patterns and actionable information on threats. Use the widgets and filters to interact with the data on the ACC.
3. On the VM-Series firewall, select Objects > Address Groups to view the IP address for the members of each Dynamic Address Group.

Step 9: (Optional) Enable role-based access for tenant administrators to manage the configuration and policies for the VM-Series firewalls.

1. Create an access domain. An access domain allows you to restrict admin access to a specific device group and template. In this example, you create two access domains and restrict access to the device group and template for the respective tenant.
2. Configure an admin role of the Device Group and Template role type and allow the administrator to manage the access domain. The administrator can only manage the firewalls that belong to the access domain.
3. Create an administrative account and associate the access domain and admin role with the account.

Dynamic Address Groups: Information Relay from NSX Manager to Panorama

To enforce security policies in a VM-Series and NSX integrated data center, Panorama must be able to obtain information on the changes in the virtual landscape. As new virtual machines are deployed, changed, or deleted, the NSX Manager informs Panorama of IP addresses added to or removed from security groups on the NSX Manager. Panorama in turn pushes this information to the VM-Series firewalls. Dynamic address groups referenced in firewall policies match against this information to determine the members that belong to the group. This process allows the firewall to enforce context-aware security policy, which secures traffic to and from these virtual machines. For details on dynamic address groups, see Policy Enforcement using Dynamic Address Groups.

The following diagram illustrates how the information is relayed from the NSX Manager to Panorama.

To understand this process, let's trace the information update sent from the NSX Manager to Panorama when a new server is added to a security group. Use the elements highlighted within the output in each phase of this example to troubleshoot where the process failed.

Information Relay from the NSX Manager to Panorama

Step 1: To view the updates in real time, log in to the Panorama CLI.

Log in to the Command Line Interface on Panorama.

Step 2: Verify that the request from the NSX Manager is routed to the web server on Panorama.

To check the web server log on Panorama during an NSX Security Group update, use the following command:

admin@Panorama> tail follow yes webserver-log cmsaccess.log
127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "POST /unauth/php/RestApiAuthenticator.php HTTP/1.1" 200 433
127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "PUT /api/index.php?client=wget&file-name=dummy&type=vmware/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset HTTP/1.0" 200 446

If your output does not include the elements above, check for routing issues. Ping Panorama from the NSX Manager and check for ACLs or other network security devices that might be blocking the communication between the NSX Manager and Panorama.

Step 3: Verify that the request is parsed by the PHP daemon on Panorama.

1. Enable debug using the following URL: https://<Panorama_IP>/php/utils/debug.php
2. From the CLI, enter the following command to view the logs generated by the PHP server:

admin@Panorama> tail follow yes mp-log php.debug.log
[2014/12/03 14:24:11]
<request cmd="op" cookie="0604879067249569" refresh="no">
<operations xml="yes">
<show>
<cli>
...
<request>
<partner>
<vmware-service-manager>
<update>
<method>PUT</method>
<type>update</type>
<username>_vsm_admin</username>
<password>4006474760514053</password>
<url>/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset</url>
<data><![CDATA[<containerSet><container><id>securitygroup-10</id><name>WebServers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>]]></data>
</update>
</vmware-service-manager>
</partner>
</request>
</operations>
</request>

Step 4: The information is processed by the management server on Panorama.

1. Enable debugging on the management server using the following command:
admin@Panorama> debug management-server on debug
2. Enter the following command to view the logs generated by the configd log:
admin@Panorama> tail follow yes mp-log configd.log
3. In the output, check that the update was relayed from the PHP daemon to the management server daemon.

2014-12-03 14:24:11.143 -0800 debug: pan_job_progress_monitor(pan_job_mgr.c:3694): job-monitor: updated 0 jobs

2014-12-03 14:24:11.641 -0800 debug: recursive_add_params(pan_op_ctxt.c:158): > 'url'='/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset'
2014-12-03 14:24:11.641 -0800 debug: recursive_add_params(pan_op_ctxt.c:158): > 'data'='<containerSet><container><id>securitygroup-10</id><name>WebServers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>'
2014-12-03 14:24:11.641 -0800 Received vshield update: PUT /vmware/2.0/si/serviceprofile/serviceprofile-1/containerset
Received dynamic address update from VSM:
<request cmd='op' cookie='0604879067249569' client="xmlapi"><operations xml='yes'><request>
<partner>
<vmware-service-manager>
<update>
<method>PUT</method>
<type>update</type>
<username>_vsm_admin</username>
<password>4006474760514053</password>
<url>/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset</url><data><![CDATA[<containerSet><container><id>securitygroup-10</id><name>WebServers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>]]>
</data>
</update>

4. Look for the list of IP addresses and security group tags:

2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:10.3.4.185
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:15.0.0.202
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: DomainControllers-securitygroup-16
2014-12-03 14:24:11.647 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:15.0.0.201
2014-12-03 14:24:11.648 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SQLServers-securitygroup-11
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServers-securitygroup-13
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip:10.3.4.187
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServers-securitygroup-13
...

5. Finally, verify that the update was relayed from the management server daemon to the managed firewalls.

Send to device: 007900002079 [UNREG:0; REG:2] with dynamic address update: <request cmd='op' cookie='0604879067249569' target
.
<register>
<entry ip="15.0.0.203">
<tag>
<member>WebServers-securitygroup-10</member>
</tag>
</entry>
<entry ip="10.3.4.186">
<tag>
<member>WebServers-securitygroup-10</member>
</tag>
</entry>
</register>
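The trace above shows the same update at three points: the containerSet PUT body (Step 3), the per-IP tag list the management server builds (Step 4), and the `<register>` delta sent to the firewall (Step 5), which registers only the two addresses that were new in revision 8. The Python script below is an added example (not from the guide and not Panorama code) that reproduces that transformation on a constructed copy of the PUT body, so you can predict what `[UNREG:n; REG:m]` a given update should produce. The tag format `<security group name>-<security group id>` is read off the debug output above and is an assumption about the relay, not something the guide states explicitly.

```python
"""Follow one NSX security-group update through the relay traced in this
section: parse the containerSet body of the PUT, derive the tag per IP, and
compute the register/unregister delta that reaches the firewall.

Added example; not from the guide.  CONTAINERSET_PUT is constructed to match
the body in the debug log.  Tag format name-id is assumed from that log."""
import xml.etree.ElementTree as ET

CONTAINERSET_PUT = """<containerSet><container><id>securitygroup-10</id>
<name>WebServers</name><description></description><revision>8</revision>
<type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address>
<address>15.0.0.203</address><address>15.0.0.202</address></container>
</containerSet>"""


def parse_containerset(xml_text):
    """Return [(tag, revision, {ip, ...}), ...], one tuple per IP container."""
    root = ET.fromstring(xml_text)
    result = []
    for c in root.findall("container"):
        if c.findtext("type") != "IP":
            continue  # only IP containers become dynamic address group members
        tag = f"{c.findtext('name')}-{c.findtext('id')}"  # assumed tag format
        ips = {a.text.strip() for a in c.findall("address") if a.text}
        result.append((tag, int(c.findtext("revision")), ips))
    return result


def registration_delta(previous, current):
    """previous/current: {tag: set of ips} for the old and new revision.
    Returns (register, unregister), each {ip: set of tags}, which is the
    shape the firewall receives in <register>/<unregister>."""
    register, unregister = {}, {}
    for tag in set(previous) | set(current):
        old, new = previous.get(tag, set()), current.get(tag, set())
        for ip in new - old:
            register.setdefault(ip, set()).add(tag)
        for ip in old - new:
            unregister.setdefault(ip, set()).add(tag)
    return register, unregister


def render_register_xml(register):
    """Build the <register> block as it appears in the 'Send to device' line."""
    reg = ET.Element("register")
    for ip in sorted(register):
        entry = ET.SubElement(reg, "entry", ip=ip)
        tags = ET.SubElement(entry, "tag")
        for t in sorted(register[ip]):
            ET.SubElement(tags, "member").text = t
    return ET.tostring(reg, encoding="unicode")


if __name__ == "__main__":
    parsed = parse_containerset(CONTAINERSET_PUT)
    # Constructed state of the previous revision: two of the four addresses
    # were already registered, so only the other two should be sent.
    previous = {"WebServers-securitygroup-10": {"10.3.4.185", "15.0.0.202"}}
    current = {tag: ips for tag, _, ips in parsed}
    reg, unreg = registration_delta(previous, current)
    print(f"[UNREG:{len(unreg)}; REG:{len(reg)}]")
    print(render_register_xml(reg))
```

With the constructed previous state, the delta registers 10.3.4.186 and 15.0.0.203 and unregisters nothing, matching the `[UNREG:0; REG:2]` line in Step 5. If a firewall's dynamic address group is missing a member, comparing its `<register>` output against this delta tells you whether the gap appeared before or after the management server.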

Set Up the VM-Series Firewall on AWS

The VM-Series firewall can be deployed in the public Amazon Web Services (AWS) cloud and AWS GovCloud. It can then be configured to secure access to the applications that are deployed on EC2 instances and placed into a Virtual Private Cloud (VPC) on AWS.

- About the VM-Series Firewall on AWS
- Deployments Supported on AWS
- Deploy the VM-Series Firewall on AWS
- High Availability for VM-Series Firewall on AWS
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
- Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS
- Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS
- Auto Scale VM-Series Firewalls with the Amazon ELB
- List of Attributes Monitored on the AWS VPC

About the VM-Series Firewall on AWS

The Amazon Web Service (AWS) is a public cloud service that enables you to run your applications on a shared infrastructure managed by Amazon. These applications can be deployed on scalable computing capacity, or EC2 instances, in different AWS regions and accessed by users over the internet.

For networking consistency and ease of management of EC2 instances, Amazon offers the Virtual Private Cloud (VPC). A VPC is apportioned from the AWS public cloud, and is assigned a CIDR block from the private network space (RFC 1918). Within a VPC, you can carve public/private subnets for your needs and deploy the applications on EC2 instances within those subnets. To then enable access to the applications within the VPC, you can deploy the VM-Series firewall on an EC2 instance. The VM-Series firewall can then be configured to secure traffic to and from the EC2 instances within the VPC.

The VM-Series firewall is available in both the public AWS cloud and on AWS GovCloud. The VM-Series firewall in public AWS supports the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) model, the usage-based licensing model that you can avail of from the AWS Marketplace. Because the AWS GovCloud does not have a Marketplace, the VM-Series firewall is available in the Bring Your Own License (BYOL) option on AWS GovCloud; the usage-based (hourly or annual) options are not available on AWS GovCloud. For licensing details, see VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.

- VM-Series Firewall on AWS GovCloud
- AWS Terminology
- Management Interface Mapping for Use with Amazon ELB

VM-Series Firewall on AWS GovCloud

AWS GovCloud is an isolated AWS region that meets the regulatory and compliance requirements of US government agencies and customers.

To secure your workloads that contain all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data in the AWS GovCloud (US) Region, the VM-Series firewall provides the same robust security features as in the standard AWS public cloud. The only difference is how you obtain the AMI on AWS GovCloud to Deploy the VM-Series Firewall on AWS. Because the AWS GovCloud does not have a Marketplace, the VM-Series firewall is available in the Bring Your Own License (BYOL) option on AWS GovCloud; the usage-based (hourly or annual) options are not available on AWS GovCloud.

AWS Terminology

This document assumes that you are familiar with the networking and configuration of the AWS VPC. To provide context for the terms used in this section, here is a brief refresher on the AWS terms (some definitions are taken directly from the AWS glossary) that are referred to in this document:

Term: EC2 (Elastic Compute Cloud)
A web service that enables you to launch and manage Linux/UNIX and Windows server instances in Amazon's data centers.

Term: AMI (Amazon Machine Image)
An AMI provides the information required to launch an instance, which is a virtual server in the cloud. The VM-Series AMI is an encrypted machine image that includes the operating system required to instantiate the VM-Series firewall on an EC2 instance.

Term: ELB (Elastic Load Balancing)
ELB is an Amazon web service that helps you improve the availability and scalability of your applications by routing traffic across multiple Elastic Compute Cloud (EC2) instances. ELB detects unhealthy EC2 instances and reroutes traffic to healthy instances until the unhealthy instances are restored. ELB can send traffic only to the primary interface of the next-hop load-balanced EC2 instance. So, to use ELB with a VM-Series firewall on AWS, the firewall must be able to use the primary interface for dataplane traffic.

Term: ENI (Elastic Network Interface)
An additional network interface that can be attached to an EC2 instance. ENIs can include a primary private IP address, one or more secondary private IP addresses, a public IP address, an elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag.

Term: IP address types for EC2 instances
An EC2 instance can have different types of IP addresses.
- Public IP address: An IP address that can be routed across the internet.
- Private IP address: An IP address in the private IP address range as defined in RFC 1918. You can choose to manually assign an IP address or to auto-assign an IP address within the range in the CIDR block for the subnet in which you launch the EC2 instance. If you are manually assigning an IP address, Amazon reserves the first four (4) IP addresses and the last one (1) IP address in every subnet for IP networking purposes.
- Elastic IP address (EIP): A static IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not with a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change.
An instance in a public subnet can have a Private IP address, a Public IP address, and an Elastic IP address (EIP); an instance in a private subnet will have a private IP address and optionally an EIP.

Term: Instance type
Amazon-defined specifications that stipulate the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU-intensive or memory-intensive applications, and so on.

Term: VPC (Virtual Private Cloud)
An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.

Term: IGW (Internet gateway provided by Amazon)
Connects a network to the internet. You can route traffic for IP addresses outside your VPC to the internet gateway.

Term: IAM Role (Identity and Access Management)
Required for enabling High Availability for the VM-Series firewall on AWS. The IAM role defines the API actions and resources the application can use after assuming the role. On failover, the IAM Role allows the VM-Series firewall to securely make API requests to switch the dataplane interfaces from the active peer to the passive peer. An IAM role is also required for VM Monitoring. See List of Attributes Monitored on the AWS VPC.

Term: Subnets
A segment of the IP address range of a VPC to which EC2 instances can be attached. EC2 instances are grouped into subnets based on your security and operational needs. There are two types of subnets:
- Private subnet: The EC2 instances in this subnet cannot be reached from the internet.
- Public subnet: The internet gateway is attached to the public subnet, and the EC2 instances in this subnet can be reached from the internet.

Term: Security groups
A security group is attached to an ENI and it specifies the list of protocols, ports, and IP address ranges that are allowed to establish inbound/outbound connections on the interface. In the AWS VPC, security groups and network ACLs control inbound and outbound traffic; security groups regulate access to the EC2 instance, while network ACLs regulate access to the subnet. Because you are deploying the VM-Series firewall, set more permissive rules in your security groups and network ACLs and allow the firewall to safely enable applications in the VPC.

Term: Route tables
A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. A subnet can be associated with only one route table.

Term: Key pair
A set of security credentials you use to prove your identity electronically. The key pair consists of a private key and a public key. At the time of launching the VM-Series firewall, you must generate a key pair or select an existing key pair for the VM-Series firewall. The private key is required to access the firewall in maintenance mode.

Term: CloudWatch
Amazon CloudWatch is a monitoring service that allows you to collect and track metrics for the VM-Series firewalls on AWS. When enabled, the firewalls use AWS APIs to publish native PAN-OS metrics to CloudWatch.

Management Interface Mapping for Use with Amazon ELB

By default, the elastic network interface (ENI) eth0 maps to the MGT interface on the firewall and ENI eth1 maps to ethernet1/1 on the firewall. Because the ELB can send traffic only to the primary interface of the next-hop load-balanced EC2 instance, the VM-Series firewall must be able to use the primary interface for dataplane traffic.

The firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB (for a topology diagram, see VM-Series with ELB):

- The VM-Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
- The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.

At present, for use cases that require an ELB sandwich-type deployment to scale out firewalls and application-layer EC2 instances, swapping the management interface will not allow you to seamlessly deploy the ELB solution. The ability to swap the management interface only partially solves the integration with ELB.

To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the ENIs within the firewall such that ENI eth0 maps to ethernet1/1 and ENI eth1 maps to the MGT interface on the firewall, as shown below.

Swapping how the interfaces are mapped allows ELB to distribute and route traffic to healthy instances of the VM-Series firewall located in the same or different Availability Zones on AWS for increased capacity and fault tolerance.

To swap the interfaces, you have the following options:
- At launch: When you launch the firewall, you can either enter the mgmt-interface-swap=enable command in the User data field on the AWS management console (see Launch the VM-Series Firewall on AWS) or CLI, or you can include the new mgmt-interface-swap operational command in the bootstrap configuration.
- After launch: After you launch the firewall, Use the VM-Series Firewall CLI to Swap the Management Interface (set system setting mgmt-interface-swap enable yes operational command) on the firewall.

Pick one method to consistently specify the interface swap setting (in the bootstrap configuration, from the CLI on the firewall, or using the Amazon EC2 User data field on the AWS console) to prevent unpredictable behavior on the firewall.

Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.

Swap the management interface before you configure the firewall or define policy rules. If you have already configured the VM-Series firewall, check whether any IP address changes for eth0 and eth1 impact policy rules.
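Two things go wrong in practice after a swap: the operator loses management access because the security group on eth1 was written for dataplane traffic, or the swap setting is given in one place but not the one the firewall reads. The Python script below is an added example (not from the guide and not Palo Alto Networks or AWS code) that derives the ENI-to-interface mapping from a User data value and then checks that the security group attached to whichever ENI becomes MGT admits HTTPS and SSH from the administrators' network. Security-group rules are given in the IpPermissions shape that the EC2 DescribeSecurityGroups API returns; the user data, ENIs, rules and admin network are constructed.

```python
"""Check management reachability after an AWS management-interface swap.

Added example; not from the guide.  Security-group rules use the
IpPermissions structure of EC2 DescribeSecurityGroups, but all values
below (user data, ENIs, rules, admin CIDR) are constructed."""
import ipaddress

# Constructed User data as typed into the EC2 launch wizard.
SAMPLE_USER_DATA = "mgmt-interface-swap=enable\n"

# Constructed security groups, keyed by the ENI they are attached to.
SAMPLE_SG = {
    "eth0": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],        # ELB-facing ENI
    "eth1": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],       # HTTPS only, no SSH
}


def parse_user_data(user_data):
    """Parse key=value lines from the EC2 User data field."""
    out = {}
    for line in user_data.splitlines():
        line = line.strip()
        if line and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def interface_mapping(user_data):
    """Default: eth0 -> MGT, eth1 -> ethernet1/1.  With
    mgmt-interface-swap=enable the two are exchanged."""
    swap = parse_user_data(user_data).get("mgmt-interface-swap", "").lower() == "enable"
    if swap:
        return {"eth0": "ethernet1/1", "eth1": "MGT"}
    return {"eth0": "MGT", "eth1": "ethernet1/1"}


def allows_tcp_port(ip_permissions, port, from_cidr):
    """True if some inbound rule admits TCP `port` from a range covering from_cidr."""
    src = ipaddress.ip_network(from_cidr)
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):  # "-1" is AWS shorthand for all protocols
            continue
        if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.version == src.version and src.subnet_of(net):
                return True
    return False


def check_management_access(user_data, eni_security_groups, admin_cidr):
    """Return (eni that ends up as MGT, list of missing ports among 443 and 22)."""
    mapping = interface_mapping(user_data)
    mgmt_eni = next(eni for eni, iface in mapping.items() if iface == "MGT")
    perms = eni_security_groups[mgmt_eni]
    missing = [p for p in (443, 22) if not allows_tcp_port(perms, p, admin_cidr)]
    return mgmt_eni, missing


if __name__ == "__main__":
    eni, missing = check_management_access(SAMPLE_USER_DATA, SAMPLE_SG, "10.10.0.0/24")
    print(f"management ENI after swap: {eni}; ports not admitted: {missing}")
```

With the constructed data the swap makes eth1 the management interface, and its security group admits HTTPS but not SSH from 10.10.0.0/24, which is exactly the gap the note above tells you to close before relying on the new management address. Feed the function real `describe_security_groups` output for the two ENIs to run the same check against a live instance.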

Deployments Supported on AWS

The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud (VPC). Because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces.

- Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS Virtual Private Cloud.
If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and safely enable applications for users who access these applications over the internet. For example, the following diagram shows the VM-Series firewall deployed in the Edge subnet to which the internet gateway is attached. The application(s) are deployed in the private subnet, which does not have direct access to the internet.
When users need to access the applications in the private subnet, the firewall receives the request and directs it to the appropriate application, after verifying security policy and performing Destination NAT. On the return path, the firewall receives the traffic, applies security policy and uses Source NAT to deliver the content to the user. See Use Case: Secure the EC2 Instances in the AWS Cloud.

VM-Series for EC2 Instances

- Deploy the VM-Series firewall for VPN access between the corporate network and the EC2 instances within the AWS Virtual Private Cloud.
To connect your corporate network with the applications deployed in the AWS Cloud, you can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel allows users on your network to securely access the applications in the cloud.
For centralized management, consistent enforcement of policy across your entire network, and for centralized logging and reporting, you can also deploy Panorama in your corporate network. If you need to set up VPN access to multiple VPCs, using Panorama allows you to group the firewalls by region and administer them with ease.

VM-Series for VPN Access

- Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based on the request, the gateway either sets up a VPN connection to the corporate network or routes the request to the internet.
To enforce security compliance for users on mobile devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security Manager ensures that mobile devices are managed and configured with the device settings and account information for use with corporate applications and networks.

In each of the use cases above, you can deploy the VM-Series firewall in an active/passive high availability (HA) pair. For information on setting up the VM-Series firewall in HA, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.

- Deploy the VM-Series firewall with the Amazon Elastic Load Balancing (ELB) service, whereby the firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB:
  - The VM-Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
  - The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.
If you want to Auto Scale VM-Series Firewalls with the Amazon ELB, use the CloudFormation Template available in the GitHub repository to deploy the VM-Series in an ELB sandwich topology with an internet-facing classic ELB and either an internal classic load balancer or an internal application load balancer (internal ELB).

VM-Series with ELB

- You cannot configure the firewall to send and receive dataplane traffic on eth0 when the firewall
  is in front of ELB. The VM-Series firewall must be placed behind the Amazon ELB.
- You can either Use the VM-Series Firewall CLI to Swap the Management Interface or enable it on
  bootstrap. For details, see Management Interface Mapping for Use with Amazon ELB.
- If you want to deploy a load balancer sandwich topology, see Auto Scale VM-Series Firewalls with
  the Amazon ELB.


Deploy the VM-Series Firewall on AWS

- Obtain the AMI
- Review System Requirements and Limitations for VM-Series on AWS
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall

The VM-Series firewall has been optimized and expanded to deliver improved performance and expanded
capacities, which necessitates a change in the number of cores and memory allocated to the EC2 instance. For
the new resource footprint, you need to match the appropriate instance sizes available on AWS before you
upgrade your VM-Series firewalls on AWS running PAN-OS 7.1 or earlier versions. For details, refer to
Upgrading the VM-Series with PAN-OS 8.0 on AWS.

Obtain the AMI

Because the AWS GovCloud does not have a Marketplace, the process of obtaining the AMI is different in
the public AWS cloud and in the AWS GovCloud.
- AMI in the Public AWS Cloud
- AMI on AWS GovCloud

AMI in the Public AWS Cloud

The AMI for the VM-Series firewall is available in the AWS Marketplace for both the Bring Your Own License
(BYOL) and the Usage-based pricing options.


For purchasing licenses with the BYOL option, contact your Palo Alto Networks sales engineer or reseller.

AMI on AWS GovCloud

The Bring Your Own License (BYOL) model of the VM-Series firewall is available as a shared AMI on AWS
GovCloud.
With a GovCloud account you can find the AMI for the VM-Series firewall on the EC2 console (Instances >
Launch Instance > Community AMIs) using the AMI ID (ami-4add672b) or by searching for Palo Alto Networks.
Alternatively, you can also use the link to directly launch the AMI in your GovCloud account. Make sure to
review the supported EC2 instance types before you launch the firewall. For details, see Launch the
VM-Series Firewall on AWS.


Review System Requirements and Limitations for VM-Series on AWS

Requirement: EC2 instance types
Details: The EC2 instance type you select must meet the VM-Series System Requirements for
the VM-Series firewall model. If you deploy the VM-Series firewall on an EC2 instance type that
does not meet these requirements, the firewall will boot into maintenance mode.
Note: To support VM Monitoring and high availability on AWS, the VM-Series firewall must be able
to directly reach the AWS API service endpoints without any proxy servers between the firewall
management interface and the AWS API endpoints (such as ec2.us-west-2.amazonaws.com).

Requirement: Amazon Elastic Block Storage (EBS)
Details: The VM-Series firewall must use the Amazon Elastic Block Storage (EBS) volume for
storage. EBS optimization provides an optimized configuration stack and additional, dedicated
capacity for Amazon EBS I/O.

Requirement: Networking
Details: Because AWS only supports Layer 3 networking capabilities, the VM-Series firewall can
only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and
subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.

Requirement: Interfaces
Details: Support for a total of eight interfaces is available: one management interface and a
maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does
not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot
the firewall.
Note: Your EC2 instance type selection determines the total number of ENIs you can enable. For
example, the c3.8xlarge supports eight (8) ENIs.

Requirement: Support entitlement and Licenses
Details: For the Bring Your Own License model, a support account and a valid VM-Series license
are required to obtain the Amazon Machine Image (AMI) file, which is required to install the
VM-Series firewall in the AWS VPC. The licenses required for the VM-Series firewall (capacity
license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc.)
must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact
your sales representative. See VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
For the usage-based licensing model, hourly and annual pricing bundles can be purchased and billed
directly to AWS. You must, however, register your support entitlement with Palo Alto Networks. For
details, see Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).

Planning Worksheet for the VM-Series in the AWS VPC

For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy
within each subnet. Before you begin, use the following table to collate the network information required to
deploy and insert the VM-Series firewall into the traffic flow in the VPC:


Configuration Item    Value

VPC CIDR:

Security Groups:

Subnet (public) CIDR:

Subnet (private) CIDR:

Subnet (public) Route Table:

Subnet (private) Route Table:

Security Groups:
- Rules for Management Access to the firewall (eth0/0)
- Rules for access to the dataplane interfaces of the firewall
- Rules for access to the interfaces assigned to the application servers

VM-Series firewall behind ELB

EC2 Instance 1 (VM-Series firewall):
- Subnet:
- Instance type:
- Mgmt interface IP:
- Mgmt interface EIP:
- Dataplane interface eth1/1
  Private IP:
  EIP (if required):
  Security Group:
- Dataplane interface eth1/2
  Private IP:
  EIP (if required):
  Security Group:
Note: An EIP is only required for the dataplane interface that is attached to the public subnet.

EC2 Instance 2 (Application to be secured):
- Subnet:
- Instance type:
- Mgmt interface IP:
- Default gateway:
- Dataplane interface 1
  Private IP:
Note: Repeat this set of values for additional application(s) being deployed.

Requirements for HA:
If you are deploying the VM-Series firewalls in a high availability (active/passive) configuration,
you must ensure the following:
- Create an IAM role and assign the role to the VM-Series firewall when you are deploying the
  instance. See IAM Roles for HA.
- Deploy the HA peers in the same AWS availability zone.
- The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces
  and one management interface.
- The passive firewall in the HA pair must have one ENI for management, and one ENI that functions
  as dataplane interface; you will configure the dataplane interface as an HA2 interface.
  Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On
  failover, the dataplane interfaces from the previously active firewall are moved (detached and
  then attached) to the now active (previously passive) firewall.

Launch the VM-Series Firewall on AWS

If you have not already registered the capacity auth code that you received with the order fulfillment email
with your support account, see Register the VM-Series Firewall. After registering, deploy the VM-Series
firewall by launching it in the AWS VPC as follows:

Launch the VM-Series Firewall in the AWS VPC

Step 1: Access the AWS Console.
  Log in to the AWS console and select the EC2 Dashboard.


Step 2: Set up the VPC for your network needs.
  Whether you launch the VM-Series firewall in an existing VPC or you create a new VPC, the VM-Series
  firewall must be able to receive traffic from the EC2 instances and perform inbound and outbound
  communication between the VPC and the internet. Refer to the AWS VPC documentation for instructions
  on creating a VPC and setting it up for access. For an example with a complete workflow, see Use
  Case: Secure the EC2 Instances in the AWS Cloud.
  1. Create a new VPC or use an existing VPC. Refer to the AWS Getting Started documentation.
  2. Verify that the network and security components are defined suitably.
     - Enable communication to the internet. The default VPC includes an internet gateway, and if
       you install the VM-Series firewall in the default subnet it has access to the internet.
     - Create subnets. Subnets are segments of the IP address range assigned to the VPC in which
       you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so
       that it can be configured to access the internet.
     - Create security groups as needed to manage inbound and outbound traffic from the EC2
       instances/subnets.
     - Add routes to the route table for a private subnet to ensure that traffic can be routed
       across subnets and security groups in the VPC, as applicable.
  3. If you want to deploy a pair of VM-Series firewalls in HA, you must define IAM Roles for HA
     before you can Configure Active/Passive HA on AWS.
  4. (Optional) If you are using bootstrapping to perform the configuration of your VM-Series
     firewall, refer to Bootstrap the VM-Series Firewall in AWS. For more information about
     bootstrapping, see Bootstrap the VM-Series Firewall.


Step 3: Launch the VM-Series firewall.
  Note: Although you can add additional network interfaces (ENIs) to the VM-Series firewall when you
  launch, AWS releases the auto-assigned Public IP address for the management interface when you
  restart the firewall. Hence, to ensure connectivity to the management interface you must assign an
  Elastic IP address for the management interface before attaching additional interfaces to the
  firewall.
  Note: If you want to conserve EIP addresses, you can assign one EIP address to the eth 1/1
  interface and use this interface for both management traffic and data traffic. To restrict
  services permitted on the interface or limit IP addresses that can log in the eth 1/1 interface,
  attach a management profile to the interface.
  1. On the EC2 Dashboard, click Launch Instance.
  2. Select the VM-Series AMI. To get the AMI, see Obtain the AMI.
  3. Launch the VM-Series firewall on an EC2 instance.
     a. Choose the EC2 instance type for allocating the resources required for the firewall, and
        click Next. See VM-Series System Requirements for resource requirements.
     b. Select the VPC.
     c. Select the public subnet to which the VM-Series management interface will attach.
     d. Select Automatically assign a public IP address. This allows you to obtain a publicly
        accessible IP address for the management interface of the VM-Series firewall.
        You can later attach an Elastic IP address to the management interface; unlike the public
        IP address that is disassociated from the firewall when the instance is terminated, the
        Elastic IP address provides persistence and can be reattached to a new (or replacement)
        instance of the VM-Series firewall without the need to reconfigure the IP address wherever
        you might have referenced it.
     e. Select Launch as an EBS-optimized instance.
     f. Add another network interface for deployments with ELB so that you can swap the management
        and data interfaces on the firewall. Swapping interfaces requires a minimum of two ENIs
        (eth0 and eth1).
        - Expand the Network Interfaces section and click Add Device to add another network
          interface.
          Make sure that your VPC has more than one subnet so that you can add additional ENIs at
          launch.
          If you launch the firewall with only one ENI:
          - The interface swap command will cause the firewall to boot into maintenance mode.
          - You must reboot the firewall when you add the second ENI.
        - Expand the Advanced Details section and in the User data field enter
          mgmt-interface-swap=enable as text to perform the interface swap during launch.
     g. Accept the default Storage settings.

     h. (Optional) Tagging. Add one or more tags to create your own metadata to identify and group
        the VM-Series firewall. For example, add a Name tag with a Value that helps you remember
        that the ENI interfaces have been swapped on this VM-Series firewall.
     i. Select an existing Security Group or create a new one. This security group is for
        restricting access to the management interface of the firewall. At a minimum consider
        enabling https and ssh access for the management interface.
     j. If prompted, select an appropriate SSD option for your setup.
     k. Select Review and Launch. Review that your selections are accurate and click Launch.
     l. Select an existing key pair or create a new one, and acknowledge the key disclaimer.
        Note: This key pair is required for first-time access to the firewall. It is also required
        to access the firewall in maintenance mode.
     m. Download and save the private key to a safe location; the file extension is .pem. You
        cannot regenerate this key, if lost.
     It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2
     Dashboard. When the process completes, the VM-Series firewall displays on the Instances page
     of the EC2 Dashboard.

Step 4: Configure a new administrative password for the firewall.
  On the VM-Series firewall CLI, you must configure a unique administrative password before you can
  access the web interface of the firewall. To log in to the CLI, you require the private key that
  you used to launch the firewall.
  1. Use the public IP address to SSH into the Command Line Interface (CLI) of the VM-Series
     firewall. You will need the private key that you used or created in Step 3-l to access the CLI.
     If you added an additional ENI to support deployments with ELB, you must first create and
     assign an Elastic IP address to the ENI to access the CLI; see Step 6.
     If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See
     https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
  2. Enter the following command to log in to the firewall:
     ssh -i <private_key.pem> admin@<public-ip_address>
  3. Configure a new password, using the following command and follow the on-screen prompts:
     configure
     set mgt-config users admin password
  4. If you have a BYOL that needs to be activated, set the DNS server IP address so that the
     firewall can access the Palo Alto Networks licensing server. Enter the following command to
     set the DNS server IP address:
     set deviceconfig system dns-setting servers primary <ip_address>
  5. Commit your changes with the command:
     commit
  6. Terminate the SSH session.


Step 5: Shut down the VM-Series firewall.
  1. On the EC2 Dashboard, select Instances.
  2. From the list, select the VM-Series firewall and click Actions > Stop.

Step 6: Create and assign an Elastic IP address (EIP) to the ENI used for management access to the
firewall and reboot the VM-Series firewall.
  1. Select Elastic IPs and click Allocate New Address.
  2. Select EC2-VPC and click Yes, Allocate.
  3. Select the newly allocated EIP and click Associate Address.
  4. Select the Network Interface and the Private IP address associated with the management
     interface and click Yes, Associate.

Step 7: Create virtual network interface(s) and attach the interface(s) to the VM-Series firewall.
  The virtual network interfaces are called Elastic Network Interfaces (ENIs) on AWS, and serve as
  the dataplane network interfaces on the firewall. These interfaces are used for handling data
  traffic to/from the firewall. You will need at least two ENIs that allow inbound and outbound
  traffic to/from the firewall. You can add up to seven ENIs to handle data traffic on the
  VM-Series firewall; check your EC2 instance type to verify the maximum number supported on it.
  1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
  2. Enter a descriptive name for the interface.
  3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet.
     You can only attach an ENI to an instance in the same subnet.
  4. Enter the Private IP address to assign to the interface or select Auto-assign to
     automatically assign an IP address within the available IP addresses in the selected subnet.
  5. Select the Security group to control access to the dataplane network interface.
  6. Click Yes, Create.
  7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click
     Attach.
  8. Select the Instance ID of the VM-Series firewall, and click Attach.
  9. Repeat the steps above for creating and attaching at least one more ENI to the firewall.


Step 8: (Not required for the Usage-based licensing model) Activate the licenses on the VM-Series
firewall.
  Note: This task is not performed on the AWS management console. Access to the Palo Alto Networks
  support portal and the web interface of the VM-Series firewall is required for license activation.
  See Activate the License.

Step 9: Disable Source/Destination check on every firewall dataplane network interface(s).
  Disabling this option allows the interface to handle network traffic that is not destined to the
  IP address assigned to the network interface.
  1. On the EC2 Dashboard, select the network interface, for example eth1/1, in the Network
     Interfaces tab.
  2. In the Action drop-down, select Change Source/Dest. Check.
  3. Click Disabled and Save your changes.
  4. Repeat Steps 1-3 for each firewall dataplane interface.


Step 10: Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
  For an example configuration, see Step 14 through Step 17 in Use Case: Secure the EC2 Instances
  in the AWS Cloud.
  Note: On the application servers within the VPC, define the dataplane network interface of the
  firewall as the default gateway.
  1. Using a secure connection (https) from your web browser, log in using the EIP address and
     password you assigned during initial configuration (https://<Elastic_IP address>). You will
     see a certificate warning; that is okay. Continue to the web page.
  2. Select Network > Interfaces > Ethernet.
  3. Click the link for ethernet 1/1 and configure as follows:
     - Interface Type: Layer3
     - On the Config tab, assign the interface to the default router.
     - On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new
       zone, for example VM_Series_untrust, and then click OK.
     - On the IPv4 tab, select either Static or DHCP Client.
       If using the Static option, click Add in the IP section, and enter the IP address and
       network mask for the interface, for example 10.0.0.10/24. Make sure that the IP address
       matches the ENI IP address that you assigned earlier.
       If using DHCP, select DHCP Client; the private IP address that you assigned to the ENI in
       the AWS management console will be automatically acquired.
  4. Click the link for ethernet 1/2 and configure as follows:
     - Interface Type: Layer3
     - Security Zone: VM_Series_trust
     - IP address: Select the Static or DHCP Client radio button. For static, click Add in the IP
       section, and enter the IP address and network mask for the interface. Make sure that the IP
       address matches the attached ENI IP address that you assigned earlier.
  5. Click Commit. Verify that the link state for the interfaces is up.
     Note: For DHCP, clear the Automatically create default route to default gateway provided by
     server check box. For an interface that is attached to the private subnet in the VPC,
     disabling this option ensures that traffic handled by this interface does not flow directly
     to the internet gateway on the VPC.


Step 11: Create NAT rules to allow inbound and outbound traffic from the servers deployed within the
VPC.
  1. Select Policies > NAT on the web interface of the firewall.
  2. Create a NAT rule to allow traffic from the dataplane network interface on the firewall to
     the web server interface in the VPC.
  3. Create a NAT rule to allow outbound access for traffic from the web server to the internet.

Step 12: Create security policies to allow/deny traffic to/from the servers deployed within the VPC.
  1. Select Policies > Security on the web interface of the firewall.
  2. Click Add, and specify the zones, applications and logging options that you would like to
     execute to restrict and audit traffic traversing through the network.

Step 13: Commit the changes on the firewall.
  1. Click Commit.

Step 14: Verify that the VM-Series firewall is securing traffic and that the NAT rules are in
effect.
  1. Select Monitor > Logs > Traffic on the web interface of the firewall.
  2. View the logs to make sure that the applications traversing the network match the security
     policies you implemented.

Use the VM-Series Firewall CLI to Swap the Management Interface

If you did not swap the management interface (MGT) with the dataplane interface (ethernet 1/1) when
deploying the firewall, you can use the CLI to enable the firewall to receive dataplane traffic on the primary
interface after launching the firewall.

Management Interface Swap Using the VM-Series Firewall CLI

Step 1: Complete Steps 1 through 7 in Launch the VM-Series Firewall on AWS.
Before you proceed, verify that the firewall has a minimum of two ENIs (eth0 and eth1). If you launch
the firewall with only one ENI, the interface swap command will cause the firewall to boot into
maintenance mode.

Step 2: On the EC2 Dashboard, view the IP address of the eth1 interface and verify that the AWS Security
Group rules allow connections (HTTPS and SSH) to the new management interface (eth1).

Step 3: Log in to the VM-Series firewall CLI and enter the following command:
set system setting mgmt-interface-swap enable yes

Step 4: Confirm that you want to swap the interface and use the eth1 dataplane interface as the management
interface.

Step 5: Reboot the firewall for the swap to take effect. Use the following command:
request restart system

Step 6: Verify that the interfaces have been swapped. Use the following command:
debug show vm-series interfaces all
Phoenix_interface Base-OS_port Base-OS_MAC PCI-ID Driver
mgt(interface-swap) eth0 0e:53:96:91:ef:29 0000:00:04.0 ixgbevf
Ethernet1/1 eth1 0e:4d:84:5f:7f:4d 0000:00:03.0 ixgbevf
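The verification in Step 6 can be scripted against the same command output. The following Python is an added example (not from the guide or from Palo Alto Networks): it parses the `debug show vm-series interfaces all` table, reports whether the management row carries the (interface-swap) marker, and returns the MAC of the ENI that now serves management so you can match it against the ENI shown in the EC2 console before opening the security group for it (Step 2). The swapped sample is the output printed above; the unswapped sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Output as printed in the guide for a firewall whose interfaces were swapped.
SWAPPED_OUTPUT = """\
Phoenix_interface Base-OS_port Base-OS_MAC PCI-ID Driver
mgt(interface-swap) eth0 0e:53:96:91:ef:29 0000:00:04.0 ixgbevf
Ethernet1/1 eth1 0e:4d:84:5f:7f:4d 0000:00:03.0 ixgbevf
"""

# Constructed sample (not from the guide): the mgt row lacks the
# (interface-swap) marker, so the swap did not take effect.
UNSWAPPED_OUTPUT = """\
Phoenix_interface Base-OS_port Base-OS_MAC PCI-ID Driver
mgt eth0 0e:53:96:91:ef:29 0000:00:03.0 ixgbevf
Ethernet1/1 eth1 0e:4d:84:5f:7f:4d 0000:00:04.0 ixgbevf
"""

HEADER = ("Phoenix_interface", "Base-OS_port", "Base-OS_MAC", "PCI-ID", "Driver")
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


@dataclass(frozen=True)
class InterfaceRow:
    phoenix_interface: str  # PAN-OS name: "mgt", "mgt(interface-swap)", "Ethernet1/1", ...
    base_os_port: str       # port name in the firewall's base OS, e.g. "eth0"
    mac: str                # MAC of the ENI backing this interface
    pci_id: str             # PCI address of the virtual NIC
    driver: str             # NIC driver


def parse_interfaces(output: str) -> List[InterfaceRow]:
    """Parse the whitespace-separated table; reject anything that is not this command's output."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines or tuple(lines[0].split()) != HEADER:
        raise ValueError("not `debug show vm-series interfaces all` output (header mismatch)")
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(HEADER):
            raise ValueError(f"malformed row: {ln!r}")
        if not MAC_RE.match(fields[2]):
            raise ValueError(f"bad MAC address in row: {ln!r}")
        rows.append(InterfaceRow(*fields))
    return rows


def _mgt_row(rows: List[InterfaceRow]) -> InterfaceRow:
    for row in rows:
        if row.phoenix_interface.split("(")[0] == "mgt":
            return row
    raise ValueError("no management interface row found")


def interface_swap_active(output: str) -> bool:
    """True only when the management row carries the (interface-swap) marker."""
    return _mgt_row(parse_interfaces(output)).phoenix_interface == "mgt(interface-swap)"


def management_mac(output: str) -> str:
    """MAC of the ENI that now carries management traffic (lower-cased for comparison)."""
    return _mgt_row(parse_interfaces(output)).mac.lower()


def mac_to_interface(output: str) -> Dict[str, str]:
    """Map each ENI MAC to the PAN-OS interface name it backs."""
    return {row.mac.lower(): row.phoenix_interface for row in parse_interfaces(output)}


if __name__ == "__main__":
    print("swap active:", interface_swap_active(SWAPPED_OUTPUT))
    print("management ENI MAC:", management_mac(SWAPPED_OUTPUT))
```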


Enable CloudWatch Monitoring on the VM-Series Firewall

The VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch, which you can use
to monitor the firewalls. These metrics allow you to assess performance and usage patterns that you can use
to take action for launching or terminating instances of the VM-Series firewalls.
The firewalls use AWS APIs to publish the metric to a namespace on AWS at a specified time interval. The
namespace is the location to which CloudWatch collects and aggregates the selected metric for all instances
configured to use the namespace. You can then monitor the metric in CloudWatch or create auto scaling
policies to trigger alarms and take an action to manually deploy a new instance of the firewall when the
monitored metric reaches a threshold value. Refer to the AWS CloudWatch and Auto Scaling Groups (ASG)
documentation on best practices for setting the alarm conditions for a scale out or scale in action.
The VM-Series firewall can publish any of the following PAN-OS metrics to CloudWatch:

Metric: Dataplane CPU Utilization (%)
Description: Monitors the dataplane CPU usage to measure the traffic load on the firewall.

Metric: Dataplane Packet Buffer Utilization (%)
Description: Monitors the dataplane buffer usage to measure buffer utilization. If you have a sudden
burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not
deplete the dataplane buffer and cause dropped packets.

Metric: Session Utilization (%)
Description: Monitors the sessions that are currently active for TCP, UDP, ICMP and SSL and the
packet rate, new connection establish rate, and throughput on the firewall to determine session
utilization.

Metric: SSL Proxy Utilization (%)
Description: Monitors the percentage of SSL forward proxy sessions with clients for SSL/TLS
decryption.

Metric: GlobalProtect Gateway Tunnel Utilization (%)
Description: Monitors the active GlobalProtect tunnels set up on a gateway to measure tunnel
utilization. Use this metric if the VM-Series firewall is deployed as a VPN gateway on AWS to secure
remote users.

Metric: Device Status
Description: Monitors the overall health state of the device.

Metric: Total Active Sessions
Description: Monitors the total number of sessions that are active on the firewall. An active
session is a session that is on the firewall's flow lookup table for which packets will be
inspected and forwarded, as required by policy.

Metric: GlobalProtect Gateway Active Tunnels
Description: Monitors the number of active GlobalProtect sessions on a firewall deployed as a
GlobalProtect gateway. Use this metric if the VM-Series firewall is deployed as a VPN gateway on
AWS to secure remote users; check the datasheet for the maximum number of active tunnels supported
for your firewall model.


Enable CloudWatch Monitoring on the VM-Series Firewall

Step 1: Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user
role that you use to deploy the VM-Series firewall on AWS.
  Whether you launch a new instance of the VM-Series firewall or upgrade an existing VM-Series
  firewall on AWS to PAN-OS 8.0, the IAM role associated with your instance must have permissions
  to publish metrics to CloudWatch.
  1. On the AWS console, select IAM.
  2. Edit the IAM role to grant the following permissions:

Step 2: Enable CloudWatch on the VM-Series firewall on AWS.
  1. Log in to the web interface on the VM-Series firewall.
  2. Select Device > Operations > AWS CloudWatch.
  3. Select Enable CloudWatch Monitoring.
  4. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace
     cannot begin with AWS.
  5. Set the Update Interval to a value between 1-60 minutes. This is the frequency at which the
     firewall publishes the metrics to CloudWatch. The default is 5 minutes.
  6. Commit the changes.
  Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for
  PAN-OS metrics.

Step 3: Verify that you can see the metrics on CloudWatch.
  1. On the AWS console, select CloudWatch > Metrics, to view CloudWatch metrics by category.
  2. From the Custom Metrics drop-down, select the namespace.
  3. Verify that you can see PAN-OS metrics in the viewing list.


Step 4: Configure alarms and action for PAN-OS metrics on CloudWatch.
  Refer to the AWS documentation:
  http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
  A VM-Series firewall with bootstrap configuration will take about 7-9 minutes to be available
  for service. So, here are some examples on how to set alarms that trigger auto scaling for the
  VM-Series firewall:
  - If you have deployed 2 instances of the VM-Series firewalls as GlobalProtect Gateways that
    secure remote users, use the GlobalProtect Gateway Active Tunnels metric. You can configure
    an alarm so that when the number of active tunnels is greater than 300 for 15 minutes, 2 new
    instances of the VM-Series firewall are deployed, bootstrapped and configured to serve as
    GlobalProtect Gateways.
  - If you are using the firewall to secure your workloads in AWS, use the Session Utilization
    metric to scale in or scale out the firewall based on resource usage. You can configure an
    alarm for when the session utilization metric is greater than 60% for 15 minutes, to deploy
    one instance of the VM-Series firewall. And conversely, if Session Utilization is less than
    50% for 30 minutes, terminate an instance of the VM-Series firewall.
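To see how those thresholds translate into alarm behaviour, the following Python model is an added example (not from the guide or from Palo Alto Networks): it evaluates the three alarms described above over a series of metric samples published at the default 5-minute Update Interval, and holds off a second scale-out while a newly launched firewall is still inside its 7-9 minute bootstrap window. The metric samples are constructed.

```python
from dataclasses import dataclass
from math import ceil
from typing import List, Optional

PERIOD_MINUTES = 5      # the firewall's default CloudWatch Update Interval
BOOTSTRAP_MINUTES = 9   # upper end of the 7-9 minutes a bootstrapped firewall needs


@dataclass(frozen=True)
class AlarmRule:
    metric: str
    comparison: str         # "gt" or "lt"
    threshold: float
    duration_minutes: int   # how long the breach must persist, e.g. 15
    action: str             # scaling action to take when the alarm fires

    @property
    def evaluation_periods(self) -> int:
        # CloudWatch fires after this many consecutive breaching datapoints.
        return max(1, self.duration_minutes // PERIOD_MINUTES)

    def breached(self, value: float) -> bool:
        return value > self.threshold if self.comparison == "gt" else value < self.threshold


# The alarms the guide describes.
GP_TUNNELS_SCALE_OUT = AlarmRule("GlobalProtectGatewayActiveTunnels", "gt", 300, 15, "scale_out:2")
SESSION_SCALE_OUT = AlarmRule("SessionUtilization", "gt", 60, 15, "scale_out:1")
SESSION_SCALE_IN = AlarmRule("SessionUtilization", "lt", 50, 30, "scale_in:1")


def alarm_state(rule: AlarmRule, samples: List[float]) -> bool:
    """True (ALARM) when the most recent `evaluation_periods` samples all breach."""
    n = rule.evaluation_periods
    if len(samples) < n:
        return False        # INSUFFICIENT_DATA: never act on a partial window
    return all(rule.breached(v) for v in samples[-n:])


def scaling_decision(session_util: List[float],
                     periods_since_scale_out: Optional[int] = None) -> Optional[str]:
    """Decide scale out / in for workload firewalls from the Session Utilization alarms.

    A firewall launched by a previous scale-out only absorbs load once its bootstrap
    completes, so a further scale-out inside that window would over-provision.
    """
    cooldown_periods = ceil(BOOTSTRAP_MINUTES / PERIOD_MINUTES)  # 9 min -> 2 periods
    if alarm_state(SESSION_SCALE_OUT, session_util):
        if periods_since_scale_out is not None and periods_since_scale_out < cooldown_periods:
            return None
        return SESSION_SCALE_OUT.action
    if alarm_state(SESSION_SCALE_IN, session_util):
        return SESSION_SCALE_IN.action
    return None


if __name__ == "__main__":
    # Constructed samples, one per 5-minute period, oldest first.
    print(alarm_state(GP_TUNNELS_SCALE_OUT, [250, 320, 310, 305]))  # True
    print(scaling_decision([45, 40, 42, 44, 48, 30]))                # scale_in:1
```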


High Availability for VM-Series Firewall on AWS

The VM-Series firewall on AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load
Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
- Overview of HA on AWS
- IAM Roles for HA
- HA Links
- Heartbeat Polling and Hello Messages
- Device Priority and Preemption
- HA Timers
- Configure Active/Passive HA on AWS

Overview of HA on AWS

To ensure redundancy, you can deploy the VM-Series firewalls on AWS in an active/passive high availability
(HA) configuration. The active peer continuously synchronizes its configuration and session information with
the identically configured passive peer. A heartbeat connection between the two devices ensures failover if
the active device goes down. When the passive peer detects this failure it becomes active and triggers API
calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself. The
failover time can vary from 20 seconds to over a minute depending on the responsiveness from the AWS
infrastructure.


IAM Roles for HA

AWS requires that all API requests must be cryptographically signed using credentials issued by them. In
order to enable API permissions for the VM-Series firewalls that will be deployed as an HA pair, you must
create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service.
The role must be attached to the VM-Series firewalls at launch. The policy gives the IAM role permissions
for initiating API actions for detaching and attaching network interfaces from the active peer in an HA pair
to the passive peer when a failover is triggered.
For detailed instructions on creating policy, refer to the AWS documentation on Creating Customer
Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services
can assume the role, defining which API actions and resources the application can use upon assuming the
role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which is configured in the AWS console, must have permissions for the following actions
and resources (at a minimum):
- AttachNetworkInterface: For permission to attach an ENI to an instance.
- DescribeNetworkInterface: For fetching the ENI parameters in order to attach an interface to the
  instance.
- DetachNetworkInterface: For permission to detach the ENI from the EC2 instance.
- DescribeInstances: For permission to obtain information on the EC2 instances in the VPC.
- Wildcard (*): In the Amazon Resource Name (ARN) field use the * as a wildcard.
The following screenshot shows the access management settings for the IAM role described above:
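The policy behind that screenshot can also be produced and checked in code. The following Python is an added example (not from the guide or from Palo Alto Networks): it emits a least-privilege policy document containing only the four actions listed above, using the IAM action names (the guide's DescribeNetworkInterface is ec2:DescribeNetworkInterfaces in IAM), and audits an existing policy document for missing actions and for wildcard grants such as ec2:* that give the HA role far more than it needs to move ENIs. Since the role cannot be assigned to a running instance, this is worth running before launch. The sample policies are constructed.

```python
import fnmatch
import json
from typing import Any, Dict, List, Set

# The actions the guide requires, as IAM names them.
REQUIRED_ACTIONS: Set[str] = {
    "ec2:AttachNetworkInterface",
    "ec2:DetachNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeInstances",
}


def ha_failover_policy() -> Dict[str, Any]:
    """Least-privilege policy document for the HA role: only the ENI move actions.
    Resource is '*' as the guide states (the EC2 Describe* calls do not accept a narrower ARN)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VMSeriesHAMoveENIs",
                "Effect": "Allow",
                "Action": sorted(REQUIRED_ACTIONS),
                "Resource": "*",
            }
        ],
    }


def policy_json() -> str:
    """The document as you would paste it into the IAM console's JSON editor."""
    return json.dumps(ha_failover_policy(), indent=2)


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action: str, pattern: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy: Dict[str, Any]) -> Dict[str, List[str]]:
    """Report required actions that no Allow statement grants, and wildcard grants that
    exceed them. Deny statements are not evaluated here: a Deny elsewhere on the role could
    still block a call, so review those separately."""
    allow_patterns: Set[str] = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") == "Allow":
            allow_patterns.update(_as_list(statement.get("Action")))
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_matches(a, p) for p in allow_patterns))
    overbroad = sorted(p for p in allow_patterns if "*" in p or "?" in p)
    return {"missing": missing, "overbroad": overbroad}


# Constructed examples of what an audit might find on an existing role.
TOO_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:AttachNetworkInterface",
                              "ec2:DescribeNetworkInterfaces",
                              "ec2:DescribeInstances"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print(policy_json())
    print(audit_policy(TOO_BROAD_POLICY))    # over-broad: ec2:*
    print(audit_policy(INCOMPLETE_POLICY))   # missing: ec2:DetachNetworkInterface
```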


HA Links

The devices in an HA pair use HA links to synchronize data and maintain state information. On AWS, the
VM-Series firewall uses the following ports:
- Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and
  management plane sync for routing and User-ID information. This link is also used to synchronize
  configuration changes on either the active or passive device with its peer.
  The Management port is used for HA1. TCP port 28769 and 28260 for clear text communication; port 28
  for encrypted communication (SSH over TCP).
- Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations
  and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except
  for the HA2 keep-alive); it flows from the active device to the passive device.
  Ethernet 1/1 must be assigned as the HA2 link. The HA data link can be configured to use either IP
  (protocol number 99) or UDP (port 29281) as the transport.
The VM-Series on AWS does not support backup links for HA1 or HA2.

Heartbeat Polling and Hello Messages

The firewalls use hello messages and heartbeats to verify that the peer device is responsive and operational.
Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the
device. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping
to establish that the devices are connected and responsive. For details on the HA timers that trigger a
failover, see HA Timers. (The HA timers for the VM-Series firewall are the same as that of the PA-5000 Series
firewalls).

Device Priority and Preemption

The devices in an HA pair can be assigned a device priority value to indicate a preference for which device
should assume the active role and manage traffic upon failover. If you need to use a specific device in the
HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and
assign a device priority value for each device. The device with the lower numerical value, and therefore
higher priority, is designated as active and manages all traffic on the network. The other device is in a passive
state, and synchronizes configuration and state information with the active device so that it is ready to
transition to an active state should a failure occur.
By default, preemption is disabled on the firewalls and must be enabled on both devices. When enabled, the
preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active
after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

HA Timers

High availability (HA) timers are used to detect a firewall failure and trigger a failover. To reduce the
complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive, and
Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to
enable a speedier HA deployment.
Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover
timer settings. The Advanced profile allows you to customize the timer values to suit your network
requirements.

HA Timer on the VM-Series on AWS        Default values for Recommended/Aggressive profiles
Promotion hold time                     2000/500 ms
Hello interval                          8000/8000 ms
Heartbeat interval                      2000/1000 ms
Max number of flaps                     3/3
Preemption hold time                    1/1 min
Monitor fail hold up time               0/0 ms
Additional master hold up time          500/500 ms


ConfigureActive/PassiveHAonAWS

ConfigureActive/PassiveHAonAWS

Step 1   Make sure that you have followed the prerequisites.
For deploying a pair of VM-Series firewalls in HA in the AWS cloud, you must ensure the following:
- Select the IAM role you created when launching the VM-Series firewall on an EC2 instance; you cannot assign the role to an instance that is already running. See IAM Roles for HA.
  For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
- The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface.
- The passive firewall in the HA pair must have one ENI for management, and one ENI that functions as a dataplane interface; you will configure the dataplane interface as an HA2 interface.
  Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved: detached and then attached to the now active (previously passive) firewall.
- The HA peers must be deployed in the same AWS availability zone.

Step 2   Launch the VM-Series Firewall on AWS.
IMPORTANT: If you are using the PAN-OS 8.0 AMI to deploy the VM-Series firewall on AWS, you must upgrade to 8.0.1 before you configure HA.
1. Select Device > Software, and click Check Now for latest updates.
2. Download PAN-OS 8.0.1 (or later) version and Install the update.
3. After the installation successfully completes, reboot using one of the following methods:
   a. If you are prompted to reboot, click Yes.
   b. If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device (Device Operations section).

Step 3   Enable HA.
1. Select Device > High Availability > General, and edit the Setup section.
2. Select Enable HA.


Step 4   Configure ethernet1/1 as an HA interface. This interface must be used for HA2 communication.
1. Select Network > Interfaces.
2. Confirm that the link state is up on ethernet1/1.
3. Click the link for ethernet1/1 and set the Interface Type to HA.

Step 5   Set up the Control Link (HA1) to use the management port.
1. Select Device > High Availability > General, and edit the Control Link (HA1) section.
2. (Optional) Select Encryption Enabled, for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
   a. Select Device > Certificate Management > Certificates.
   b. Select Export HA key. Save the HA key to a network location that the peer device can access.
   c. On the peer device, navigate to Device > Certificate Management > Certificates, and select Import HA key to browse to the location that you saved the key and import it into the peer device.


Step 6   Set up the Data Link (HA2) to use ethernet1/1.
1. Select Device > High Availability > General, edit the Data Link (HA2) section.
2. Select Port ethernet1/1.
3. Enter the IP address for ethernet1/1. This IP address must be the same as the one assigned to the ENI on the EC2 Dashboard.
4. Enter the Netmask.
5. Enter a Gateway IP address if the HA1 interfaces are on separate subnets.
6. Select IP or UDP for Transport. Use IP if you need Layer 3 transport (IP protocol number 99). Use UDP if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).
7. (Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs.
   You can configure the HA2 keep-alive option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keepalive messages.


Step 7   Set the device priority and enable preemption. Use this setting if you want to make sure that a specific device is the preferred active device. For information, see Device Priority and Preemption.
1. Select Device > High Availability > General and edit the Election Settings section.
2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the device that you want to assign a higher priority to.
   If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active device.
3. Select Preemptive. You must enable preemptive on both the active and the passive device.
4. Modify the failover timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.

Step 8   (Optional) Modify the wait time before a failover is triggered.
1. Select Device > High Availability > General and edit the Active/Passive Settings.
2. Modify the Monitor fail hold up time to a value between 1-60 minutes; default is 1 minute. This is the time interval during which the firewall will remain active following a link failure. Use this setting to avoid an HA failover triggered by the occasional flapping of neighboring devices.

Step 9   Configure the IP address of the HA peer.
1. Select Device > High Availability > General, and edit the Setup section.
2. Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0), which is also the HA1 link on the other firewall.
3. Set the Group ID number between 1 and 63. Although this value is not used on the VM-Series firewall on AWS, you cannot leave the field blank.

Step 10   Configure the other peer.
Repeat Step 3 to Step 9 on the HA peer.

Step 11   After you finish configuring both devices, verify that the devices are paired in active/passive HA.
1. Access the Dashboard on both devices, and view the High Availability widget.
2. On the active device, click the Sync to peer link.
3. Confirm that the devices are paired and synced, as shown below:


On the passive device: The state of the local device should display passive and the configuration is synchronized.
On the active device: The state of the local device should display active and the configuration is synchronized.

Step 12   Verify that failover occurs properly.
1. Shut down the active HA peer.
   a. On the EC2 Dashboard, select Instances.
   b. From the list, select the VM-Series firewall and click Actions > Stop.
2. Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.
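Before running the Step 12 failover test, it is worth checking the Step 1 prerequisites mechanically and knowing which ENIs are expected to move. The following is an added example, not code from this guide or from the firewall: it takes hand-built instance descriptions (instance and ENI ids are placeholders) and reports prerequisite violations and the detach/attach actions a failover implies. The mgmt/ha2/data role labels are this example's own, and it assumes, following Steps 4 and 6, that ethernet1/1 is the HA2 ENI on both peers and that only the remaining dataplane ENIs are moved.

```python
"""Check the guide's HA prerequisites for a VM-Series pair on AWS and plan the
ENI moves a failover performs. Instance descriptions are constructed for the
example; the 'role' labels (mgmt/ha2/data) are this example's own."""

# Constructed sample: a pair that satisfies the prerequisites. ENI ids and
# instance ids are placeholders, not values from the guide.
ACTIVE = {
    "id": "i-active-placeholder", "az": "us-west-2a", "iam_role": "vmseries-ha-role",
    "enis": [{"id": "eni-mgmt-a", "device_index": 0, "role": "mgmt"},
             {"id": "eni-ha2-a", "device_index": 1, "role": "ha2"},      # ethernet1/1
             {"id": "eni-data-a2", "device_index": 2, "role": "data"}],  # ethernet1/2
}
PASSIVE = {
    "id": "i-passive-placeholder", "az": "us-west-2a", "iam_role": "vmseries-ha-role",
    "enis": [{"id": "eni-mgmt-p", "device_index": 0, "role": "mgmt"},
             {"id": "eni-ha2-p", "device_index": 1, "role": "ha2"}],     # ethernet1/1
}


def check_ha_prerequisites(active, passive):
    """Return a list of findings; an empty list means the pair meets the prerequisites."""
    findings = []
    if active["az"] != passive["az"]:
        findings.append("peers must be in the same availability zone")
    for label, inst in (("active", active), ("passive", passive)):
        if not inst.get("iam_role"):
            findings.append(f"{label}: IAM role must be attached at launch")
    roles_active = [e["role"] for e in active["enis"]]
    if len(active["enis"]) < 3 or "mgmt" not in roles_active \
            or "ha2" not in roles_active or "data" not in roles_active:
        findings.append("active: needs at least three ENIs: management, HA2 and a dataplane ENI")
    if sorted(e["role"] for e in passive["enis"]) != ["ha2", "mgmt"]:
        findings.append("passive: exactly one management ENI and one HA2 ENI; "
                        "no additional dataplane ENIs")
    return findings


def plan_failover(active, passive):
    """Detach/attach actions that move the dataplane ENIs to the new active peer.

    Management and HA2 ENIs stay where they are. Assumption: moved ENIs are
    attached after the new active peer's existing device indexes.
    """
    next_index = max(e["device_index"] for e in passive["enis"]) + 1
    plan = []
    for eni in sorted(active["enis"], key=lambda e: e["device_index"]):
        if eni["role"] != "data":
            continue
        plan.append({"eni": eni["id"], "detach_from": active["id"],
                     "attach_to": passive["id"], "device_index": next_index})
        next_index += 1
    return plan
```

After a real failover, comparing the ENI attachments on the EC2 Dashboard against the output of `plan_failover` is a quick way to confirm that every expected interface moved and that nothing else did.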

Use Case: Secure the EC2 Instances in the AWS Cloud

In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: 10.0.0.0/24 and 10.0.1.0/24. The VM-Series firewall will be launched in the 10.0.0.0/24 subnet to which the internet gateway is attached. The 10.0.1.0/24 subnet is a private subnet that will host the EC2 instances that need to be secured by the VM-Series firewall; any server on this private subnet uses NAT for a routable IP address (which is an Elastic IP address) to access the internet. Use the Planning Worksheet for the VM-Series in the AWS VPC to plan the design within your VPC; recording the subnet ranges, network interfaces and the associated IP addresses for the EC2 instances, and security groups, will make the setup process easier and more efficient.

The following image depicts the logical flow of traffic to/from the web server to the internet. Traffic to/from the web server is sent to the data interface of the VM-Series firewall that is attached to the private subnet. The firewall applies policy and processes incoming/outgoing traffic from/to the internet gateway of the VPC. The image also shows the security groups to which the data interfaces are attached.

Deploy the VM-Series Firewall on AWS as a Cloud Gateway

Step 1   Create a new VPC with a public subnet (or select an existing VPC).
1. Log in to the AWS console and select the VPC Dashboard.
2. Verify that you've selected the correct geographic area (AWS region). The VPC will be deployed in the currently selected region.
3. Select Start VPC Wizard, and select VPC with a Single Public Subnet.
   In this example, the IP CIDR block for the VPC is 10.0.0.0/16, the VPC name is CloudDC, the public subnet is 10.0.0.0/24, and the subnet name is CloudDC Public subnet. You will create a private subnet after creating the VPC.
4. Click Create VPC.


Step 2   Create a private subnet.
Select Subnets, and click Create a Subnet. Fill in the information.
In this example, the Name tag for the subnet is Web/DB Server Subnet, it is created in the Cloud Datacenter VPC and is assigned a CIDR block of 10.0.1.0/24.

Step 3   Create a new route table for each subnet.
Although a main route table is automatically created on the VPC, we recommend creating new route tables instead of modifying the default route table. To direct outbound traffic from each subnet, you will add routes to the route table associated with each subnet, later in this workflow.
1. Select Route Tables > Create Route Table.
2. Add a Name, for example CloudDC public subnet RT, select the VPC you created in Step 1, and click Yes, Create.
3. Select the route table, click Subnet Associations and select the public subnet.
4. Select Create Route Table.
5. Add a Name, for example CloudDC private subnet RT, select the VPC you created in Step 1, and click Yes, Create.
6. Select the route table, click Subnet Associations and select the private subnet.


Step 4   Create Security Groups to restrict inbound/outbound internet access to the EC2 instances in the VPC.
By default, AWS disallows communication between interfaces that do not belong to the same security group.
Select Security Groups and click the Create Security Group button.
In this example, we create three security groups with the following rules for inbound access:
- CloudDC-Management, which specifies the protocols and source IP addresses that can connect to the management interface of the VM-Series firewall. At a minimum you need SSH and HTTPS. In this example, we enable SSH, ICMP, HTTP, and HTTPS on the network interfaces that are attached to this security group.
  The management interface (eth0/0) of the VM-Series firewall will be assigned to CloudDC-Management sg.
- PublicServer-CloudDC, which specifies the source IP addresses that can connect over HTTP, FTP, SSH within the VPC. This group allows traffic from the external network to the firewall.
  The dataplane interface eth1/1 of the VM-Series firewall will be assigned to PublicServer-CloudDC.
- PrivateServer-CloudDC, which has very limited access. It only allows other EC2 instances on the same subnet to communicate with each other, and with the VM-Series firewall.
  The dataplane interface eth1/2 of the VM-Series firewall and the application in the private subnet will be attached to this security group.
The following screenshot shows the security groups for this use case.

Step 5   Deploy the VM-Series firewall.
Only the primary network interface that will serve as the management interface will be attached and configured for the firewall during the initial launch. The network interfaces required for handling data traffic will be added in Step 6.
See Step 3 in Launch the VM-Series Firewall on AWS.
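Security groups are allow-lists evaluated per interface, so it is useful to see how the three groups of Step 4 decide individual connection attempts, and in particular why an instance in the public subnet cannot reach a private server even though both are in the same VPC. The following is an added example, not AWS code or code from this guide: the group names are the ones above, but the rule contents are constructed (the guide does not list exact rules), the admin source range 203.0.113.0/24 is a placeholder, and the 0.0.0.0/0 sources on the public-server group are an assumption used to illustrate the audit helper.

```python
"""Evaluate inbound security-group rules the way AWS does (allow-list, any
matching rule permits, otherwise deny). The three groups are the ones in this
use case; the rule contents are constructed assumptions, and the admin source
range 203.0.113.0/24 is a placeholder."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int  # -1 when the rule carries no port range
    to_port: int
    source: str     # a CIDR, or "sg:<group name>" to reference another group


SECURITY_GROUPS = {
    # Management interface (eth0/0): SSH, ICMP, HTTP, HTTPS from the admin range.
    "CloudDC-Management": [Rule("tcp", 22, 22, "203.0.113.0/24"),
                           Rule("icmp", -1, -1, "203.0.113.0/24"),
                           Rule("tcp", 80, 80, "203.0.113.0/24"),
                           Rule("tcp", 443, 443, "203.0.113.0/24")],
    # Untrust dataplane interface (eth1/1): HTTP, FTP, SSH from the outside.
    "PublicServer-CloudDC": [Rule("tcp", 80, 80, "0.0.0.0/0"),
                             Rule("tcp", 21, 21, "0.0.0.0/0"),
                             Rule("tcp", 22, 22, "0.0.0.0/0")],
    # Trust dataplane interface (eth1/2) and the private servers: same subnet only.
    "PrivateServer-CloudDC": [Rule("-1", -1, -1, "10.0.1.0/24")],
}


def inbound_allowed(group, src_ip, protocol, port=None, src_groups=()):
    """True if any inbound rule of `group` matches the connection attempt."""
    for r in SECURITY_GROUPS[group]:
        if r.protocol not in ("-1", protocol):
            continue
        if r.from_port != -1 and not (r.from_port <= port <= r.to_port):
            continue
        if r.source.startswith("sg:"):
            if r.source[3:] in src_groups:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source):
            return True
    return False


def world_reachable_ports(groups=SECURITY_GROUPS):
    """Audit helper: (group, port) pairs reachable from 0.0.0.0/0 other than
    HTTP/HTTPS, which a reviewer would want narrowed to known source ranges."""
    flagged = []
    for name, rules in groups.items():
        for r in rules:
            if r.source == "0.0.0.0/0" and r.from_port not in (80, 443):
                flagged.append((name, r.from_port))
    return flagged
```

With these rules the firewall's trust interface (10.0.1.10) can reach a private server, while its untrust interface (10.0.0.10) cannot, which is exactly the separation the private group is meant to enforce; `world_reachable_ports` flags the FTP and SSH rules that this constructed public group leaves open to any source.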


Step 6   Create and attach virtual network interface(s), referred to as Elastic Network Interfaces (ENIs), to the VM-Series firewall. These ENIs are used for handling data traffic to/from the firewall.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
4. Enter the Private IP address that you want to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
5. Select the Security group to control access to the network interface.
6. Click Yes, Create.
   In this example, we create two interfaces with the following configuration:
   For Eth1/1 (VM-Series Untrust)
     Subnet: 10.0.0.0/24
     Private IP: 10.0.0.10
     Security group: PublicServer-CloudDC
   For Eth1/2 (VM-Series Trust)
     Subnet: 10.0.1.0/24
     Private IP: 10.0.1.10
     Security group: PrivateServer-CloudDC
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat steps 7 and 8 to attach the other network interface.


Step 7   Create an Elastic IP address and attach it to the firewall dataplane network interface that requires direct internet access.
In this example, VM-Series_Untrust is assigned an EIP. The EIP associated with the interface is the publicly accessible IP address for the web server in the private subnet.
1. Select Elastic IPs and click Allocate New Address.
2. Select EC2-VPC and click Yes, Allocate.
3. Select the newly allocated EIP and click Associate Address.
4. Select the Network Interface and the Private IP address associated with the interface and click Yes, Associate.
In this example, the configuration is:

Step 8   Disable Source/Destination check on each network interface attached to the VM-Series firewall. Disabling this attribute allows the interface to handle network traffic that is not destined to its IP address.
1. Select the network interface in the Network Interfaces tab.
2. In the Action drop-down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat steps 1-3 for additional network interfaces, firewall 1/2 in this example.

Step 9   In the route table associated with the public subnet (from Step 3), add a default route to the internet gateway for the VPC.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the public subnet.
2. Select the route table, select Routes and click Edit.
3. Add a route to forward packets from this subnet to the internet gateway. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use the internet gateway attached to the VPC.


Step 10   In the route table associated with the private subnet, add a default route to send traffic to the VM-Series firewall. Adding this route enables the forwarding of traffic from the EC2 instances in this private subnet to the VM-Series firewall.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the private subnet.
2. Select the route table, select Routes and click Edit.
3. Add a route to forward packets from this subnet to the VM-Series firewall network interface that resides on the same subnet. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use eni-abf355f2 (ethernet1/2, which is CloudDC VM-Series Trust) on the VM-Series firewall.
   For each web or database server deployed on an EC2 instance in the private subnet, you must define a default route to the IP address of the VM-Series firewall so that the firewall is the default gateway for the server.
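The addressing of Steps 1, 2 and 6 together with the two route tables of Steps 9 and 10 form a plan that is easy to get subtly wrong (an interface placed in the wrong subnet, a default route pointing at an ENI in another subnet). The following is an added example, not code from this guide or from AWS: it validates the use case's layout with the standard library `ipaddress` module and resolves, by longest-prefix match, where each subnet's default route sends a packet. The addresses are the ones used in this use case; the route targets are labels of this example's own, and the two-hop trace assumes the firewall forwards internet-bound traffic out of its untrust interface after the Step 15 source NAT.

```python
"""Validate the use case's VPC layout and resolve where each subnet's default
route sends traffic. The addresses are the ones used in this use case; the
checks and the route lookup are this example's own code."""
import ipaddress

VPC = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {"public": ipaddress.ip_network("10.0.0.0/24"),
           "private": ipaddress.ip_network("10.0.1.0/24")}
# Interfaces from Step 6 and the web server address used in Step 15.
ENIS = {"eth1/1 untrust": ("public", "10.0.0.10"),
        "eth1/2 trust": ("private", "10.0.1.10"),
        "web server": ("private", "10.0.1.62")}
# Route tables from Steps 9 and 10 (AWS adds the 'local' route itself).
ROUTE_TABLES = {
    "public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "eni:eth1/2 trust")],
}


def validate_plan(vpc=VPC, subnets=SUBNETS, enis=ENIS):
    """Return planning errors: subnets outside the VPC, overlapping subnets,
    or interface addresses outside the subnet they are declared in."""
    errors = []
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            errors.append(f"subnet {name} {net} is not inside VPC {vpc}")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                errors.append(f"subnets {a} and {b} overlap")
    for label, (subnet_name, ip) in enis.items():
        if ipaddress.ip_address(ip) not in subnets[subnet_name]:
            errors.append(f"{label} address {ip} is not in subnet {subnet_name}")
    return errors


def lookup_route(table, dst_ip):
    """Longest-prefix match over one route table, as the VPC router does."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace_outbound(src_subnet, dst_ip, tables=ROUTE_TABLES):
    """Hops a packet from src_subnet takes to dst_ip. A packet handed to the
    firewall's trust ENI leaves via its untrust ENI in the public subnet, so
    the public route table is consulted next (assumed: after Step 15's NAT)."""
    hops = [lookup_route(tables[src_subnet], dst_ip)]
    if hops[0] and hops[0].startswith("eni:"):
        hops.append(lookup_route(tables["public"], dst_ip))
    return hops
```

`trace_outbound("private", "93.184.216.34")` returns the firewall's trust ENI and then the internet gateway, while a destination inside 10.0.0.0/16 stays on the `local` route; a private server that bypasses the firewall would show up here as a path that never passes through the ENI.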

Perform Step 11 through Step 16 on the VM-Series firewall.

Step 11   Configure a new administrative password for the firewall.
An SSH tool such as PuTTY is required to access the CLI on the firewall and change the default administrative password. You cannot access the web interface until you SSH and change the default password.
1. Use the public IP address you configured on the firewall to SSH into the Command Line Interface (CLI) of the VM-Series firewall.
   You will need the private key that you used or created in Launch the VM-Series firewall, Step 3k, to access the CLI.
2. Enter the following command to log in to the firewall:
   ssh -i <private_key_name> admin@<public-ip_address>
3. Configure a new password, using the following commands and follow the on-screen prompts:
   set password
   configure
   commit
4. Terminate the SSH session.

Step 12   Access the web interface of the VM-Series firewall.
Open a web browser and enter the EIP of the management interface. For example: https://54.183.85.163

Step 13   Activate the licenses on the VM-Series firewall. This step is only required for the BYOL license; the usage-based licenses are automatically activated.
See Activate the License.


Step 14   On the VM-Series firewall, configure the dataplane network interfaces on the firewall as Layer 3 interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet 1/1 and configure as follows:
   - Interface Type: Layer3
   - Select the Config tab, assign the interface to the default router.
   - On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust, and then click OK.
   - Select IPv4, select DHCP Client; the private IP address that you assigned to the network interface in the AWS management console will be acquired automatically.
   - On the Advanced > Other Info tab, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, such as allow_ping, and select Ping from the Permitted Services list, then click OK.
   - To save the interface configuration, click OK.
3. Click the link for ethernet 1/2 and configure as follows:
   - Interface Type: Layer3
   - Select the Config tab, assign the interface to the default router.
   - On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust, and then click OK.
   - Select IPv4, select DHCP Client.
   - On the IPv4 tab, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the IGW on the VPC.
   - On the Advanced > Other Info tab, expand the Management Profile drop-down, and select the allow_ping profile you created earlier.
   - Click OK to save the interface configuration.
4. Click Commit to save the changes. Verify that the Link state for the interface is up. If the link state is not up, reboot the firewall.


Step 15   On the VM-Series firewall, create Destination NAT and Source NAT rules to allow inbound/outbound traffic to/from the applications deployed within the VPC.
1. Select Policies > NAT.
2. Create a Destination NAT rule that steers traffic from the firewall to the web server.
   a. Click Add, and enter a name for the rule. For example, NAT2WebServer.
   b. In the Original Packet tab, make the following selections:
      - Source Zone: untrust (where the traffic originates)
      - Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated.)
      - Source Address: Any
      - Destination Address: 10.0.0.10
      In the Translated Packet tab, select the Destination Address Translation check box and set the Translated Address to 10.0.1.62, which is the private IP address of the web server.
   c. Click OK.
3. Create a Source NAT rule to allow outbound traffic from the web server to the internet.
   a. Click Add, and enter a name for the rule. For example, NAT2External.
   b. In the Original Packet tab, make the following selections:
      - Source Zone: trust (where the traffic originates)
      - Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated.)
      - Source Address: Any
      - Destination Address: Any
   c. In the Translated Packet tab, make the following selections in the Source Address Translation section:
      - Translation Type: Dynamic IP and Port
      - Address Type: Translated Address
      - Translated Address: 10.0.0.10 (the firewall dataplane interface in the untrust zone.)


   d. Click OK.
4. Click Commit to save the NAT policies.
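The two NAT rules of Step 15 are matched on the original (pre-NAT) zones and addresses, which is why the destination NAT rule's Destination Zone is untrust even though the web server sits in trust. The following is an added example, not firewall code or code from this guide: it replays both rules against constructed packets and reports the post-NAT destination zone that security policy will later see. The rule contents and addresses are the ones from this step; the zone-by-subnet lookup assumes the Step 14 zone assignment (10.0.0.0/24 untrust, 10.0.1.0/24 trust, everything else untrust), and the port pool is a deterministic stand-in for the firewall's dynamic IP-and-port allocation.

```python
"""Evaluate the two NAT rules from Step 15 against sample packets. NAT rules
are matched on the pre-NAT zones and addresses, and the firewall then
determines the post-NAT destination zone for security policy. The rule table
and addresses are from this step; the evaluation code is this example's own."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port: int = 40000


@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: str
    dst_zone: str
    src_addr: str                   # "any" or an address
    dst_addr: str
    dnat_to: Optional[str] = None   # destination address translation
    snat_to: Optional[str] = None   # dynamic IP and port source translation


NAT_POLICY = [
    NatRule("NAT2WebServer", "untrust", "untrust", "any", "10.0.0.10", dnat_to="10.0.1.62"),
    NatRule("NAT2External", "trust", "untrust", "any", "any", snat_to="10.0.0.10"),
]

# Zone assignment from Step 14 (assumed mapping by subnet).
ZONES = {"untrust": ipaddress.ip_network("10.0.0.0/24"),
         "trust": ipaddress.ip_network("10.0.1.0/24")}


def zone_for(ip):
    """Zone of the interface that would forward to ip; outside the VPC is untrust."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "untrust"


class PortPool:
    """Deterministic stand-in for dynamic IP-and-port source port allocation."""
    def __init__(self, start=1024):
        self.next = start

    def allocate(self):
        port, self.next = self.next, self.next + 1
        return port


def _match(rule_value, actual):
    return rule_value == "any" or rule_value == actual


def apply_nat(pkt, policy=NAT_POLICY, ports=None):
    """Return (rule name or None, translated packet, post-NAT destination zone)."""
    ports = ports or PortPool()
    src_zone, dst_zone = zone_for(pkt.src_ip), zone_for(pkt.dst_ip)
    for rule in policy:          # first match wins, as on the firewall
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and _match(rule.src_addr, pkt.src_ip)
                and _match(rule.dst_addr, pkt.dst_ip)):
            out = pkt
            if rule.dnat_to:
                out = replace(out, dst_ip=rule.dnat_to)
            if rule.snat_to:
                out = replace(out, src_ip=rule.snat_to, src_port=ports.allocate())
            return rule.name, out, zone_for(out.dst_ip)
    return None, pkt, dst_zone
```

For an inbound connection to 10.0.0.10 the result is the NAT2WebServer rule, a destination of 10.0.1.62 and a post-NAT zone of trust, which is the Destination Zone the Step 16 inbound rule must use; a connection between two private hosts matches neither rule and is left untranslated.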

Step 16   On the VM-Series firewall, create security policies to manage traffic.
1. Select Policies > Security.
   In this example, we have four rules. A rule that allows management access to the firewall traffic, a rule to allow inbound traffic to the web server, a third rule to allow internet access to the web server, and in the last rule we modify the predefined interzone default rule to log all traffic that is denied.
2. Create a rule to allow management access to the firewall.
   a. Click Add and enter a Name for the rule. Verify that the Rule Type is universal.
   b. In the Source tab, add untrust as the Source Zone.
   c. In the Destination tab, add trust as the Destination Zone.
   d. In the Applications tab, Add ping and ssh.
   e. In the Actions tab, set the Action to Allow.
   f. Click OK.
3. Create a rule to allow inbound traffic to the web server.
   a. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
   b. In the Source tab, add untrust as the Source Zone.
   c. In the Destination tab, add trust as the Destination Zone.
   d. In the Applications tab, Add web-browsing.
   e. In the Service/URL Category tab, verify that the service is set to application-default.
   f. In the Actions tab, set the Action to Allow.
   g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
   h. Click OK.


   Instead of entering a static IP address for the web server, use a dynamic address group. Dynamic address groups allow you to create policy that automatically adapts to changes so that you do not need to update the policy when you launch additional web servers in the subnet. For details, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
4. Create a rule to allow internet access to the web server.
   a. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
   b. In the Source tab, add trust as the Source Zone.
   c. In the Source Address section of the Source tab, add 10.0.1.62, the IP address of the web server.
   d. In the Destination tab, add untrust as the Destination Zone.
   e. In the Service/URL Category tab, verify that the service is set to application-default.
   f. In the Actions tab, set the Action to Allow.
   g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
   h. Click OK.
5. Edit the interzone default rule to log all traffic that is denied. This predefined interzone rule is evaluated when no other rule is explicitly defined to match traffic across different zones.
   a. Select the interzone-default rule and click Override.
   b. In the Actions tab, select Log at session end.
   c. Click OK.
6. Review the complete set of security rules defined on the firewall.
7. Click Commit to save the policies.


Step 17   Verify that the VM-Series firewall is securing traffic.
1. Launch a web browser and enter the IP address for the web server.
2. Log in to the web interface of the VM-Series firewall and verify that you can see the traffic logs for the sessions at Monitor > Logs > Traffic.
   Traffic inbound to the web server (arrives at EC2 instance in the AWS VPC):
   Traffic outbound from the web server (EC2 instance in the AWS VPC):

You have successfully deployed the VM-Series firewall as a cloud gateway!
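The Step 17 traffic log is easier to interpret with a clear picture of how the Step 16 rules are ordered and why some sessions land on interzone-default. The following is an added example, not firewall code or code from this guide: a first-match evaluator for the four rules above, including the application-default service check (an application seen on a non-standard port does not match a rule set to application-default) and the overridden interzone-default rule that logs at session end. The rule names, the session samples and the small application-to-port table are constructed for the example; the zones, addresses and applications are the ones configured in Step 16, and the destination zone of each session is the post-NAT zone.

```python
"""Evaluate the Step 16 security policy against sample sessions, including the
application-default service check and the overridden interzone-default rule.
The rules mirror this step; the evaluator and session data are this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str     # post-NAT destination zone
    src_ip: str
    app: str
    protocol: str
    port: int


@dataclass
class SecRule:
    name: str
    src_zone: Optional[str]     # None = any
    dst_zone: Optional[str]
    src_addrs: Optional[set]    # None = any
    apps: Optional[set]
    service: str                # "application-default" or "any"
    action: str
    log_end: bool = True
    kind: str = "universal"     # "intrazone" / "interzone" for the predefined rules


# Standard ports for the App-IDs used in this step (a small assumed subset).
APP_DEFAULT = {"web-browsing": ("tcp", 80), "ssh": ("tcp", 22), "ping": ("icmp", 0)}

POLICY = [
    SecRule("allow-mgmt", "untrust", "trust", None, {"ping", "ssh"}, "application-default", "allow"),
    SecRule("allow-inbound-web", "untrust", "trust", None, {"web-browsing"}, "application-default", "allow"),
    SecRule("allow-outbound-web", "trust", "untrust", {"10.0.1.62"}, None, "application-default", "allow"),
    # Predefined rules evaluated last; interzone-default is overridden to log at session end.
    SecRule("intrazone-default", None, None, None, None, "any", "allow", log_end=False, kind="intrazone"),
    SecRule("interzone-default", None, None, None, None, "any", "deny", log_end=True, kind="interzone"),
]


def _zones_match(rule, s):
    if rule.kind == "intrazone":
        return s.src_zone == s.dst_zone
    if rule.kind == "interzone":
        return s.src_zone != s.dst_zone
    return rule.src_zone in (None, s.src_zone) and rule.dst_zone in (None, s.dst_zone)


def evaluate(session, policy=POLICY, log=None):
    """First matching rule wins; returns (rule name, action) and appends to log."""
    for rule in policy:
        if not _zones_match(rule, session):
            continue
        if rule.src_addrs is not None and session.src_ip not in rule.src_addrs:
            continue
        if rule.apps is not None and session.app not in rule.apps:
            continue
        if rule.service == "application-default" and \
                APP_DEFAULT.get(session.app) != (session.protocol, session.port):
            continue   # app on a non-standard port does not match this rule
        if rule.log_end and log is not None:
            log.append(f"{rule.name} {rule.action} {session.src_ip} "
                       f"{session.app} {session.protocol}/{session.port}")
        return rule.name, rule.action
    return None, "deny"
```

Web browsing to the server on tcp/80 is allowed by the inbound rule, the same application on tcp/8080 falls through to interzone-default and produces a deny log entry, and an outbound session from a private host other than 10.0.1.62 is denied the same way, which is the case the dynamic address group of the next use case is meant to cover.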

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

In a dynamic environment such as the AWS VPC where you launch new EC2 instances on demand, the administrative overhead in managing security policy can be cumbersome. Using Dynamic Address Groups in security policy allows for agility and prevents disruption in services or gaps in protection.
In this example, we illustrate how you can monitor the VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and then security policy is applied for the group. The security policy in this example allows internet access to all members of the group.
This workflow in the following section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.

Use Dynamic Address Groups in Policy

Step 1   Configure the firewall to monitor the VPC.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
   a. A Name to identify the VPC that you want to monitor. For example, VPC-CloudDC.
   b. Set the Type to AWS VPC.
   c. In Source, enter the URI for the VPC. The syntax is ec2.<your_region>.amazonaws.com
   d. Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following:
      - Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
      - Secret Access Key: Enter the password and confirm your entry.
   e. (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
   f. Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
   g. Click OK, and Commit the changes.
   h. Verify that the connection Status displays as connected.


Step 2   Tag the EC2 instances in the VPC.
For a list of tags that the VM-Series firewall can monitor, see List of Attributes Monitored on the AWS VPC.
A tag is a name-value pair. You can tag the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI.
In this example, we use the EC2 Dashboard to add the tag:

Step 3   Create a dynamic address group on the firewall.
View the tutorial to see a big picture view of the feature.
1. Select Object > Address Groups.
2. Click Add and enter a Name and a Description for the address group.
3. Select Type as Dynamic.
4. Define the match criteria.
   a. Click Add Match Criteria, and select the And operator.
   b. Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
5. Click OK.
6. Click Commit.


Step 4   Use the dynamic address group in a security policy.
To create a rule to allow internet access to any web server that belongs to the dynamic address group called ExternalServerAccess:
1. Select Policies > Security.
2. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
3. In the Source tab, add trust as the Source Zone.
4. In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created.
5. In the Destination tab, add untrust as the Destination Zone.
6. In the Service/URL Category tab, verify that the service is set to application-default.
7. In the Actions tab, set the Action to Allow.
8. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
9. Click OK.
10. Click Commit.

Step 5   Verify that members of the dynamic address group are populated on the firewall.
Policy will be enforced for all IP addresses that belong to this address group, and they are displayed here.
1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria is accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.
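The mechanism behind Steps 1 to 5 is a poll that turns each instance's tags and subnet into attributes, evaluates the group's match criteria against them, and registers the matching addresses, so that policy follows instances without a commit. The following is an added example, not firewall code or code from this guide: it simulates two consecutive polls over constructed instance snapshots (instance and subnet ids are placeholders) with the Step 3 criteria, tag ExternalAcc essAllowed AND the private subnet, and shows the membership change. The attribute-string format used here is this example's own and does not reproduce the firewall's actual attribute syntax; which tag value to match on is an assumption.

```python
"""Simulate the VM Information Source poll and the dynamic address group match
from Steps 1 to 5: the firewall collects attributes per EC2 instance, evaluates
the group's match criteria, and registers the IP addresses that match. The
instance snapshots and attribute-string format are constructed for this example
(the firewall's actual attribute syntax is not reproduced here)."""

PRIVATE_SUBNET = "subnet-private-placeholder"
PUBLIC_SUBNET = "subnet-public-placeholder"

# Snapshot as it might come back from a poll; ids are placeholders.
SNAPSHOT_T0 = [
    {"id": "i-web1", "state": "running", "subnet_id": PRIVATE_SUBNET,
     "private_ip": "10.0.1.62", "tags": {"Name": "web1", "ExternalAccessAllowed": "yes"}},
    {"id": "i-db1", "state": "running", "subnet_id": PRIVATE_SUBNET,
     "private_ip": "10.0.1.70", "tags": {"Name": "db1"}},
    {"id": "i-bastion", "state": "running", "subnet_id": PUBLIC_SUBNET,
     "private_ip": "10.0.0.50", "tags": {"ExternalAccessAllowed": "yes"}},
]
# A later poll: a second tagged web server was launched, a third one is stopped.
SNAPSHOT_T1 = SNAPSHOT_T0 + [
    {"id": "i-web2", "state": "running", "subnet_id": PRIVATE_SUBNET,
     "private_ip": "10.0.1.63", "tags": {"ExternalAccessAllowed": "yes"}},
    {"id": "i-web3", "state": "stopped", "subnet_id": PRIVATE_SUBNET,
     "private_ip": "10.0.1.64", "tags": {"ExternalAccessAllowed": "yes"}},
]

# Match criteria for the group: tag AND private subnet, as configured in Step 3.
EXTERNAL_SERVER_ACCESS = ("and", ["tag.ExternalAccessAllowed.yes",
                                  f"subnet-id.{PRIVATE_SUBNET}"])


def instance_attributes(inst):
    """Attribute strings registered for one instance (constructed format)."""
    attrs = {f"subnet-id.{inst['subnet_id']}"}
    for key, value in inst["tags"].items():
        attrs.add(f"tag.{key}.{value}")
    return attrs


def matches(criteria, attrs):
    """Evaluate a nested ('and'|'or', [terms]) expression over attribute strings."""
    op, terms = criteria
    results = [matches(t, attrs) if isinstance(t, tuple) else t in attrs for t in terms]
    return all(results) if op == "and" else any(results)


def registered_members(snapshot, criteria):
    """IP addresses the dynamic address group would contain after this poll.
    Only running instances have an address to register."""
    return sorted(inst["private_ip"] for inst in snapshot
                  if inst["state"] == "running"
                  and matches(criteria, instance_attributes(inst)))


def membership_delta(before, after, criteria):
    """IPs added and removed between two polls, without any policy change."""
    old = set(registered_members(before, criteria))
    new = set(registered_members(after, criteria))
    return sorted(new - old), sorted(old - new)
```

The tagged instance in the public subnet never joins the group because the And operator requires both attributes, which is the point of combining the tag with the subnet ID in Step 3: a tag alone can be attached to any instance, while the subnet condition pins membership to the segment the policy was written for.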

Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS

The AWS infrastructure and services provide an architecture that can scale and grow with your business. In addition to performance and application availability demands, your business requires assured security and application enablement. In order to reduce the attack surface for threats and to ensure that your business-critical servers, applications, and data are secure, you require the Palo Alto Networks VM-Series firewall. Together, AWS and the VM-Series firewall deliver operational efficiency with increased agility and optimal security.
- Solution Overview: Secure Highly Available Internet-Facing Applications
- Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS

Solution Overview: Secure Highly Available Internet-Facing Applications

In this use case, we show you how to secure highly available two-tier applications in Amazon Web Services (AWS) that are accessed by users over the internet. This setup is one specific example that uses WordPress and MySQL as the 2-tier applications. It includes a relational database service, a DNS-based global load balancing web service, Citrix NetScaler load balancers, and several VM-Series firewalls to secure north-south and east-west traffic flows to the applications in the Amazon Virtual Private Cloud (VPC). For high availability, the VPC spans two Availability Zones (AZs) on AWS. There are many other applications and architectures that Palo Alto Networks firewalls can secure; this use case is just one option.


The following table lists the elements required to deploy the solution for highly available internet-facing applications on AWS.

Solution Elements | Solution Components | Description
Internet-Facing Applications | Amazon Elastic Compute Cloud (EC2) Instances | Web applications that are accessed by users over the internet. These applications are typically deployed in a multi-tier architecture on EC2 instances in an AWS VPC. AWS provides the infrastructure for ensuring uptime, scalability, and performance to meet your business needs.
Load Balancers | Examples include: Citrix NetScaler VPX, F5 Networks BIG-IP Local Traffic Manager (LTM), and NGINX Plus | The load balancer monitors the availability of servers, the database service, and the firewalls to ensure a seamless failover when an instance fails. This use case shows how to use the Citrix NetScaler VPX for deploying a highly available web application, but you can use a different load balancer.


Firewalls | VM-Series | Multiple instances of the VM-Series firewall are deployed to secure all your applications and database servers. The firewalls secure each subnet and restrict access in a way that matches the business and technical requirements of your multi-tier architecture. This segmentation provides multiple layers of defense to ensure that business-critical services and data are always safe.
Global Server Load Balancing (GSLB) Service | Amazon Route 53 | Amazon Route 53 is a DNS-based GSLB web service that provides DNS and multi-Availability Zone (AZ)/VPC redundancy. Route 53 allows you to create and manage DNS records, connect user requests to an infrastructure, such as your web servers and load balancers running on AWS, and perform health checks to monitor the health of your servers and route traffic appropriately.
Database Service | Amazon Relational Database Service (RDS) | The Amazon RDS is tightly integrated with other Amazon Web Services. Amazon RDS offers a selection of engines for your database instances.

See Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS for the configuration details.

Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS

Use these high-level tasks to deploy the components listed in the Solution Overview: Secure Highly Available Internet-Facing Applications.
- Set Up the VPC
  Create the VPC and add the subnets, security groups, internet gateway, and a route table. You will also create Elastic Network Interfaces (ENIs) and allocate Elastic IP Addresses for some instances in the VPC. Duplicate this setup in another Availability Zone for redundancy.
- Deploy the VM-Series Firewalls in the VPC
  Deploy and configure four VM-Series firewalls in each Availability Zone: a pair of firewalls to secure the web farm, one to secure the RDS, and one firewall for outbound access from the VPC. The firewall that regulates outbound access to the internet also secures all the management traffic to and from the firewalls, servers, and services in the VPC. This use case focuses primarily on how to set up the firewalls for securing your internet-facing multi-tiered application(s). It also briefly covers the process of deploying and configuring the NetScaler VPX to load balance traffic across the VM-Series firewalls.
- Deploy the Web Farm in the VPC
- Set Up the Amazon Relational Database Service (RDS)
- Configure the Citrix NetScaler VPX
- Verify Traffic Enforcement
- Set up Amazon Route 53

PaloAltoNetworks,Inc. VMSeries8.0DeploymentGuide 225


Set Up the VPC

Setting up the VPC requires you to, at a minimum, create the VPC, add the subnets, create the security groups, deploy EC2 instances, and attach ENIs with private IP addresses. To allow external access to the servers in the VPC, you also require an internet gateway and an Elastic IP address for each EC2 instance that needs access to the internet. For this use case, the VPC setup is as follows:

Set Up the VPC

Step 1  Create the VPC and add the subnets.
        In this example, we create four subnets within the 192.168.0.0/16 VPC as follows:
        - 192.168.0.0/24 (Public: for external access and management)
        - 192.168.1.0/24 (Firewall: for connecting the firewalls)
        - 192.168.2.0/24 (Web: for connecting to the web farm)
        - 192.168.3.0/24 (DB: for connecting to the database server)


Step 2  Set up the other basic components in the VPC.
        - Set up the internet gateway for incoming and outgoing traffic to/from the VPC and attach the internet gateway to the VPC.
        - Set up the security groups. These groups are a basic form of security based on IP addresses, ports, and protocols. Security groups do not provide next-generation features like App-ID or threat protection, but they are part of a complementary solution that helps secure the VPC.
          This example has six security groups that control access to the subnets within the VPC:
          - PANOS-MGMT: Attach to the management interface of each VM-Series firewall. The inbound access rules for this security group allow SSH and HTTPS traffic. Restrict the sources of these rules to the addresses your administrators connect from rather than 0.0.0.0/0.
          - PANOS-Dataplane: Attach to the dataplane interfaces of each VM-Series firewall. The inbound access rules for this security group allow all traffic; the firewall itself enforces policy on what arrives here.
          - Webserver: Attach to the interfaces of each web server. The inbound access rules for this security group allow all traffic that is sourced from the PANOS-Dataplane security group. Ensure that the web server security group allows access only to destinations that are in the same subnet. Because the only permitted source is the firewall dataplane group, a web server cannot be reached except through a firewall; any later rule that adds a CIDR source to this group opens a path around the firewalls.
          - NetScaler-MGMT: Attach to the management interface of the Citrix NetScaler load balancer. The inbound access rules for this security group allow SSH and HTTPS traffic.
          - NetScaler-Loadbalancing: Attach to the other interfaces on the Citrix NetScaler load balancer that are used to load balance traffic to the web farm. The inbound access rules for this security group allow all traffic.
          - Amazon-RDS-SG: Attach to the interfaces on the Relational Database Service. The inbound access rules for this security group allow traffic on port 3306.
          For instructions, refer to the AWS documentation.
        - Allocate Elastic IP addresses. For details on assigning Elastic IP addresses, refer to the AWS documentation.
          AWS has a default maximum number of Elastic IP addresses; if your specific architecture requires more than the default, you can request more Elastic IP addresses through AWS.
          This example uses seven Elastic IP addresses. See Allocate and associate Elastic IP Addresses for the firewall and the NetScaler VPX.
        - Set up the route tables:
          - Rename the main router with a descriptive name (this route table is automatically created when you create the VPC) and attach the internet gateway to this route table.
          - Add a new route table. This route table is required for routing traffic from the web servers to the VM-Series firewall; it alleviates the need to create a default route on each web server as you horizontally scale out your web farm.

Step 3  Create the subnets, security groups, and routes in the other Availability Zone.
        Repeat Step 1 and Step 2 for the second Availability Zone.

For the complete workflow, see Deploy the Solution Components for Highly Available Internet-Facing Applications on AWS.

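The security-group intent in Step 2 is easy to get wrong later, when someone adds a CIDR source to the Webserver group or opens port 3306 to the world. The following check is an added example, not code from the guide or from Palo Alto Networks; it audits groups with the six names above against that intent. The input has the shape of `aws ec2 describe-security-groups` output (GroupId, GroupName, IpPermissions), and SAMPLE_GROUPS is constructed for the example with two deliberate deviations so that the audit has something to find.

```python
"""Added example (not from the guide): audit the six security groups of this
design against the intent stated in Step 2.  SAMPLE_GROUPS stands in for the
JSON that `aws ec2 describe-security-groups` would return."""
from ipaddress import ip_network

MGMT_PORTS = {("tcp", 22), ("tcp", 443)}

# Inbound (protocol, port) pairs each group may admit; None means the design
# intentionally admits all traffic.
INTENT = {
    "PANOS-MGMT": MGMT_PORTS,
    "PANOS-Dataplane": None,          # the firewall enforces policy itself
    "Webserver": None,                # all traffic, but only from the firewalls
    "NetScaler-MGMT": MGMT_PORTS,
    "NetScaler-Loadbalancing": None,
    "Amazon-RDS-SG": {("tcp", 3306)},
}
# Groups whose only acceptable inbound source is another security group.
GROUP_SOURCED = {"Webserver": "PANOS-Dataplane"}


def _within(perm, allowed):
    """True if one IpPermissions entry stays inside the allowed (proto, port) set."""
    proto = perm.get("IpProtocol")
    if proto == "-1" or perm.get("FromPort") is None:
        return False                  # all protocols, or a protocol without ports
    return all((proto, p) in allowed
               for p in range(perm["FromPort"], perm["ToPort"] + 1))


def audit_security_groups(groups):
    """Return (group name, finding) pairs for every deviation from the design."""
    names = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        name = g["GroupName"]
        if name not in INTENT:
            findings.append((name, "unknown-group"))
            continue
        allowed = INTENT[name]
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            srcs = [names.get(p["GroupId"], p["GroupId"])
                    for p in perm.get("UserIdGroupPairs", [])]
            if allowed is not None and not _within(perm, allowed):
                findings.append((name, "ports-beyond-design"))
            if name in GROUP_SOURCED and (
                    cidrs or any(s != GROUP_SOURCED[name] for s in srcs)):
                findings.append((name, "source-not-firewall"))
            if allowed is not None and any(
                    ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                findings.append((name, "open-to-internet"))
    for missing in sorted(INTENT.keys() - {g["GroupName"] for g in groups}):
        findings.append((missing, "missing-group"))
    return findings


# Constructed sample in describe-security-groups shape (203.0.113.0/24 is a
# documentation range standing in for the administrators' addresses).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "PANOS-MGMT", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0002", "GroupName": "PANOS-Dataplane", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0003", "GroupName": "Webserver", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0002"}]},
        # Drift: SSH opened from the whole VPC, which bypasses the firewalls.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0004", "GroupName": "NetScaler-MGMT", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0005", "GroupName": "NetScaler-Loadbalancing", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0006", "GroupName": "Amazon-RDS-SG", "IpPermissions": [
        # Drift: MySQL reachable from anywhere instead of from inside the VPC.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for group, finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group}: {finding}")
```

Run it against the real output of `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<your VPC>` after both Availability Zones are built; the `missing-group` finding is what tells you the second zone was not finished.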
Deploy the VM-Series Firewalls in the VPC

You must deploy the firewalls, license the firewalls as appropriate, configure the network interfaces, and create policies that limit application and data traffic flows as appropriate for each server and application.

In this use case, each Availability Zone has four VM-Series firewalls:
- Mgmt-FW: A firewall that secures inbound and outbound traffic necessary for managing and updating the infrastructure. It secures all inbound and outbound management traffic to and from the EC2 instances and services in the VPC, including database engine updates, SSH and HTTPS access to the EC2 instances and services, and SNMP. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the VM-Series Firewall for Securing Outbound Access from the VPC.
- AZ1-FW1 and AZ1-FW2: A pair of firewalls that manage traffic from the NetScaler VPX to the web farm. In the event that a firewall fails, the load balancer uses service monitors to detect the failure and redirect traffic through the other firewall. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the Firewalls that Secure the Web Farm.
- AZ1-DB: A firewall to segment the web farm from the Relational Database Service (RDS). This architecture allows you to add a layer of security, isolate the database service, and limit the exposure of front-end servers to risks and threats. See Launch the VM-Series Firewalls and the NetScaler VPX and Configure the Firewall that Secures the RDS.

Launch the VM-Series Firewalls and the NetScaler VPX

On the AWS management console, launch the firewalls, launch the load balancer, and edit the route tables you added when you created the VPC.


Launch the VM-Series Firewalls

Step 1  Launch the firewalls and perform initial configuration.
        1. Launch the firewalls. See Deploy the VM-Series Firewall on AWS for system requirements and step-by-step instructions for launching the firewall and performing initial configuration. For this use case, you deploy four VM-Series firewalls in each AZ.
           The IP address assigned to the management interface (eth0) of each firewall is as follows:
           - Mgmt-FW: 192.168.0.10
           - AZ1-FW1: 192.168.0.11
           - AZ1-FW2: 192.168.0.12
           - AZ1-DB: 192.168.0.13
        2. Establish an SSH connection to the IP address assigned to the management interface and perform initial configuration on the command line interface (CLI) of the VM-Series firewall.
        3. Create and attach two ENIs to each firewall; these interfaces will serve as the dataplane interfaces on each firewall. Connect each ENI to the appropriate subnet and security group.
           - Mgmt-FW: The dataplane interface IP addresses are 192.168.2.254 (to web farm) and 192.168.0.254 (external connectivity for internet access).
           - AZ1-FW1: The dataplane interface IP addresses are 192.168.1.11 (to NetScaler) and 192.168.2.11 (to web farm).
           - AZ1-FW2: The dataplane interface IP addresses are 192.168.1.12 (to NetScaler) and 192.168.2.12 (to web farm).
           - AZ1-DB: The dataplane interface IP addresses are 192.168.2.13 (to web farm) and 192.168.3.13 (to RDS).

Step 2  Launch the NetScaler VPX. Refer to the Citrix NetScaler documentation for instructions.
        1. Choose the Amazon Machine Image (AMI) from the AWS Marketplace and launch the NetScaler VPX. In this example, the NetScaler IP address used for management access is 192.168.0.14.
           To log in to the NetScaler management console, you must assign an Elastic IP address to the management interface.
        2. Attach two ENIs to the NetScaler VPX. Later in this example (Configure the Citrix NetScaler VPX), the interface IP addresses are configured as:
           - 192.168.0.50: Virtual IP address that will be used for external access
           - 192.168.1.50: Subnet IP address that will be used for connecting to the web farm within the VPC

Step 3  Allocate and associate Elastic IP addresses for the firewall and the NetScaler VPX.
        Assign Elastic IP addresses to the interfaces that provide access from the internet. In this example, the Elastic IP addresses are as follows:
        - One EIP address maps to the management interface of each of the four VM-Series firewalls.
          With the exception of the VM-Series firewall that secures management access, the Elastic IP address that maps to the management interface of each VM-Series firewall will be used for out-of-band management.
        - One EIP address maps to the public-facing interface on the VM-Series firewall that manages outbound access from the VPC.
        - Two EIP addresses map to the NetScaler VPX: one is associated with the NetScaler IP address and the other is bound to the Virtual IP address.

Step 4  Edit the route tables.
        1. Add a new route table, if you did not add one when setting up the VPC.
        2. Add a new route that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM-Series firewall (Mgmt-FW).
        3. Create and attach the internet gateway to the main router on the VPC to allow outbound internet access from the VPC.
Configure the VM-Series Firewall for Securing Outbound Access from the VPC

The Mgmt-FW in this use case is the VM-Series firewall that secures inbound management traffic, such as infrastructure updates that include DNS and apt-get updates for all web servers. This firewall is also the default gateway for all outbound traffic from the web farm to the internet.

Configure the VM-Series Firewall that Secures Outbound Access

Step 1  Launch the firewalls and perform initial configuration.

Step 2  Allocate and assign Elastic IP addresses.
        This use case requires one Elastic IP address for the management interface of the VM-Series firewall and one for the dataplane interface that allows internet access from the VPC. See Step 3 in Launch the VM-Series Firewalls.

Step 3  Log in to the web interface of the VM-Series firewall using the Elastic IP address assigned to the management interface.

Step 4  Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
        1. Configure a DHCP client on each interface and create and attach security zones to each interface.
        2. When configuring the interface that is connected to the web farm (ethernet1/2 in this use case), clear the check box to Automatically create default route to default gateway provided by server. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC. The firewall should end up with a single default route, learned on ethernet1/1, toward the internet gateway.

Step 5  Create service objects and a service group.
        A service object allows you to specify the port number that an application can use if you plan to use a non-default port for an application. You use these objects in NAT policy (Step 7) so that the firewall can perform port translation to route traffic properly.
        1. Select Objects > Services and Add the service objects to enable TCP access to the web servers on ports 10000, 10001, 10002, and 10003.
        2. Combine these service objects into a service group. Select Objects > Service Groups and Add a service group named Webserver_Services and Add Web1, Web2, Web3, and Web4 to the group.

Step 6  Define security policy for sanctioned applications.
        For example, allow SSH for inbound management and allow application and DNS updates to the web servers in the VPC. Because this use case employs non-default ports for SSH access, change the Service for SSH Management from application-default to Webserver_Services (the service group created in the last step) to define the ports that provide access to the web servers.

Step 7  Define NAT policy rules. These rules ensure that the firewall performs IP address and port translation and secures all inbound and outbound traffic on the web server farm.
        1. Create NAT rules for permitting inbound access to each web server. You need to enable destination translation to the service objects you defined earlier for each web server.
        2. Create an outbound NAT rule that allows internet access for the web servers in the VPC. This rule allows the firewall to translate the source IP address to the public-facing interface on the management firewall. The AWS internet gateway then translates the private IP address to the Elastic IP address associated with the interface for routing the traffic to the internet.
        See Port Translation for Service Objects for details on how the firewall performs IP address and port translation to properly route traffic.

Step 8  To ensure that traffic is routed properly to the firewall, perform the following tasks on the AWS management console:
        1. Create a route table for the web farm subnet and add a new route that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM-Series firewall (Mgmt-FW). See Step 4 in Launch the VM-Series Firewalls.
        2. Disable source and destination checks on the dataplane network interface(s) assigned to the firewall. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the interface; with the check enabled, AWS drops every packet the firewall forwards on behalf of another host. Select the network interface in the Network Interfaces tab on the EC2 Dashboard, for example the ENI that the firewall uses as ethernet1/1, and in the Action drop-down, select Change Source/Dest. Check. Click Disabled and Save your changes.
Configure the Firewalls that Secure the Web Farm

Use these instructions to configure the redundant pair of VM-Series firewalls that secure the web servers within an Availability Zone.
For a topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

Configure the VM-Series Firewalls that Secure the Web Farm

Step 1  Launch the firewalls and perform initial configuration.

Step 2  Allocate and assign Elastic IP addresses.
        This use case requires one Elastic IP address for the management interface of each VM-Series firewall. See Step 3 in Launch the VM-Series Firewalls.

Step 3  Log in to the web interface of the VM-Series firewall using the EIP address assigned to the management interface.

Step 4  Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
        1. Configure a DHCP client on each interface and create and attach security zones to each interface.
        2. Clear the check box to Automatically create default route to default gateway provided by server so that the firewall does not install the DHCP-provided default route on the web-farm interface. Outbound internet traffic from the web servers must go through Mgmt-FW, not through this pair.

Step 5  Create a security policy rule to allow the sanctioned applications. Because we use the WordPress application in this example, the policy rule allows the web-browsing and blog-posting applications for WordPress.

Step 6  Create a NAT policy rule to ensure symmetric routing of traffic when the NetScaler VPX load balances traffic across the two (or more) firewalls that are protecting the web servers. The rule translates the source address of each request the firewall forwards to the web farm so that the web server's response is routed back through the firewall that delivered the request. This keeps the request and response traffic for a web server on the same firewall; without it, a response can take the other firewall and be dropped as an unknown session.


Configure the Firewall that Secures the RDS

This task helps you set up the VM-Series firewall that secures the database service on AWS. For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

Configure the VM-Series Firewall that Secures the RDS

Step 1  Launch the firewalls and perform initial configuration.

Step 2  Allocate and assign Elastic IP addresses for the management interface of the VM-Series firewall. See Step 3 in Launch the VM-Series Firewalls.

Step 3  Log in to the web interface of the VM-Series firewall using the Elastic IP address assigned to the management interface.

Step 4  Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
        1. Configure a DHCP client on each interface and create and attach security zones to each interface.
        2. Clear the check box to Automatically create default route to default gateway provided by server to ensure that the RDS does not use the default route provided by the firewall to directly access the internet.

Step 5  Create the security policy rule that allows traffic to pass from the web servers to the database server. In this example the database engine is MySQL, so the rule needs only the mysql application on port 3306; do not allow anything broader from the web subnet into the database segment.

Step 6  Create a source NAT policy rule that translates the source address of web-server-to-database traffic to the ethernet1/2 interface (192.168.3.13) on the firewall.
        You cannot configure routing on the Amazon RDS. Without the translation, the database would send its replies to the web subnet through the VPC router, bypassing the firewall; with the source address translated to 192.168.3.13, every reply is addressed to the firewall and the session stays symmetric.


Deploy the Web Farm in the VPC

This workflow shows you how to deploy the web server and configure the WordPress application. These instructions are included solely for the purpose of taking you through the implementation in this use case. For concepts and details on deploying WordPress, refer to the WordPress documentation.
For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

Deploy the Web Farm in the VPC

Step 1  Launch the web server in the VPC.
        1. Launch an Ubuntu instance (version 14.04) in the Webserver subnet.
        2. Add an ENI and assign an IP address (for example, 192.168.2.50).
        3. Log in to the web server through the VM-Series firewall configured for management access. The port is the service object that Mgmt-FW translates to port 22 on this server:
           ssh -i keypair.pem -p 10000 ubuntu@52.8.208.92

Step 2  Configure the web server for access.
        1. Create and edit the eth0.cfg file:
           sudo vi /etc/network/interfaces.d/eth0.cfg
        2. Configure the file with a static network setting to direct database traffic to the VM-Series firewall that secures the database service. The following settings are the same for each web server:
           # The primary network interface
           auto eth0
           iface eth0 inet dhcp
           # static route for the database segment via the AZ1-DB firewall (192.168.2.13)
           up route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.2.13 dev eth0
        3. Reboot to restart the networking on the web server:
           sudo reboot now

Step 3  Connect the web server to the database service.
        1. Establish an SSH connection to the server after the reboot.
        2. (One-time task, only when you deploy the first web server) Configure the database Endpoint name. This is the DNS name and port for your DB instance and is displayed on the RDS instance.
        3. Connect to the database. For example:
           mysql -u awsuser -h myrdbinstances.cdfujxufuwlc.us-west-2.rds.amazonaws.com -p
        4. Create the database and add WordPress users and permissions. For example:
           CREATE DATABASE Ignite;
           CREATE USER 'student'@'%' IDENTIFIED BY 'paloalto';
           GRANT ALL PRIVILEGES ON Ignite.* TO 'student'@'%';
           FLUSH PRIVILEGES;
           exit
           The user name and password here are example values. In a real deployment use a strong password, and because the AZ1-DB firewall source-translates web-server connections to 192.168.3.13, restrict the account's host part to that address instead of '%'.

Step 4  Install and configure WordPress.
        1. Install updates, Apache, and WordPress on each server:
           sudo apt-get update
           sudo apt-get install apache2
           sudo apt-get install wordpress
        2. Create the WordPress path in Apache:
           sudo ln -s /usr/share/wordpress /var/www/html/wordpress
        3. Create a WordPress configuration file and add a user name and password for a new user. For example:
           sudo gzip -d /usr/share/doc/wordpress/examples/setup-mysql.gz
           sudo bash /usr/share/doc/wordpress/examples/setup-mysql -n Ignite -u student -t myrdbinstances.cdfujxufuwlc.us-west-2.rds.amazonaws.com 192.168.2.50
        4. Move the existing WordPress configuration file to a file that will match the domain name:
           sudo mv /etc/wordpress/config-192.168.2.50.php /etc/wordpress/config-wordpress.ignite-aws-demo.com.php
           If you see the error "config-<Route53>.php file is inaccessible" when verifying access to the WordPress application, confirm that the file owner is www-data and that the spelling and syntax are accurate.
Set Up the Amazon Relational Database Service (RDS)

This section shows how to set up the database service for this use case. These instructions are included solely for the purpose of taking you through the implementation of this specific use case. For setup and conceptual information on the service, refer to the Amazon Relational Database Service documentation.
For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

Set Up the Relational Database Service

Step 1  In the VPC Dashboard, make sure there are two database subnets. If not, create a second one (a minimum of two subnets is required for the RDS).

Step 2  In the RDS Dashboard, create a DB Subnet Group that includes both subnets.

Step 3  Launch the Create DB wizard. This example uses the following options:
        - DB Engine: MySQL
        - Multi-AZ Deployment: Yes
        - DB Instance class and Advanced Settings: based on your deployment needs

Step 4  Verify that the RDS is running.
Configure the Citrix NetScaler VPX

This section shows you how to set up the NetScaler VPX load balancer for this use case. These instructions are included solely for the purpose of taking you through the implementation in this use case. For setup and conceptual information on the NetScaler VPX, refer to the Citrix documentation.
For the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

Configure the Citrix NetScaler VPX

Step 1  Launch the NetScaler VPX and assign an Elastic IP address.
        1. Launch the NetScaler VPX.
        2. Allocate and associate Elastic IP addresses for the firewall and the NetScaler VPX.

Step 2  Configure the Virtual IP and the Subnet IP on the NetScaler VPX.
        1. On the NetScaler management console, select Configuration > System > Network > IPs.
        2. Add the Virtual IP and the Subnet IP addresses.

Step 3  Add static routes to direct traffic to the web servers. Make sure to add routes for the web servers in both Availability Zones.
        Add the routes in Configuration > System > Network > Routes. In this example, we add routes that send traffic for web1 and web2 through ethernet1/1 (192.168.1.11) on AZ1-FW1 and traffic for web3 and web4 through ethernet1/1 (192.168.1.12) on AZ1-FW2.

Step 4  Create a service for each web server. Add the web services in Configuration > Traffic Management > Load Balancing > Services.

Step 5  Configure the virtual server. The Virtual server IP address is the only IP address that is exposed to users who connect to the web server from the internet.
        1. Add a Virtual Server IP address in Configuration > Traffic Management > Load Balancing > Virtual Servers.
        2. Bind the web services you created in Step 4 to this virtual server.
        3. Edit the settings for the virtual server to enable IP address persistence. IP address persistence is required for the application to authenticate properly. Based on your preference, select Cookie-based or Source-IP-based persistence.

Step 6  Test your configuration. Verify that you can log in to the web server.
        The WordPress application in this use case would be accessible at http://igniteawsdemo.com/wordpress.
Set up Amazon Route 53

Use Amazon Route 53 as the DNS service for your registered domain names.
For an overview of the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

Set up Route 53

Step 1  Create a hosted zone(s) for a domain(s). Refer to the AWS documentation on Creating a Public Hosted Zone.

Step 2  Add the resource record sets to route traffic to the domain(s). To create a resource record set in your hosted zone, refer to Working with Resource Record Sets.
        In this example, the record set resolves the desired domain to the Elastic IP address on the NetScaler VPX that fronts the web servers in the VPC. It is a Type A (IPv4 address) record whose value is the Elastic IP address assigned to the VIP (192.168.0.50) on the NetScaler VPX.
        In a redundant configuration, configure the domain to resolve to every Elastic IP address associated with a VIP on the NetScaler VPX.
        The Citrix NetScaler can host multiple applications on one IP address with Content Switching enabled.

Step 3  Create a health check and associate it with a record set. Use Route 53 health checks to validate that the application is available for a given Availability Zone. If Route 53 detects a failure, such as an Availability Zone failure, NetScaler VPX failure, or failure of the web servers, it stops serving the associated Elastic IP address via DNS resolution until the health check is successful. Failover is only as fast as the record's TTL allows, because resolvers cache the answer, so use a short TTL on these records.
Verify Traffic Enforcement

Access the WordPress server and monitor the logs on the VM-Series firewalls to verify that policy is being enforced for your multi-tiered applications on AWS.

Verify Traffic Enforcement

Step 1  On the web interface of the VM-Series firewall, select Monitor > Logs > Traffic. On the Mgmt-FW firewall, the Traffic log shows that management traffic (SSH) and infrastructure traffic (application updates) to the web servers are secured; check that every allowed session matches one of the rules you created and that the NAT columns show the expected translation.

Step 2  Check the session browser (Monitor > Session Browser) on the firewall for sessions that are still in progress. By default, a traffic log is generated only after a session terminates, so long-lived sessions, such as the web servers' database connections through the VM-Series firewall that is securing the RDS, appear here before they appear in the Traffic log.

For the overview of the topology and solution details, see Use Case: Deploy the VM-Series Firewalls to Secure Highly Available Internet-Facing Applications on AWS and Solution Overview: Secure Highly Available Internet-Facing Applications.

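Reading the Traffic log by eye does not scale past a few sessions. The following audit is an added example, not code from the guide or from Palo Alto Networks; it checks allowed sessions against the flows this design sanctions, using the subnets from Set Up the VPC and the post-NAT destination the way the Traffic log reports it. SAMPLE_LOG is constructed for the example from the columns you see under Monitor > Logs > Traffic (in practice, load the CSV export of that log), and the SANCTIONED table is an assumption about the rules created in the steps above; adjust it to your own rulebase.

```python
"""Added example (not from the guide): check Traffic log entries against the
flows this design sanctions.  SAMPLE_LOG is constructed; the application
names are the App-IDs the guide refers to (ssh, dns, mysql, web-browsing,
blog-posting, apt-get)."""
from ipaddress import ip_address, ip_network

SEGMENTS = {                         # the subnets from Set Up the VPC, Step 1
    "public": ip_network("192.168.0.0/24"),
    "lb": ip_network("192.168.1.0/24"),
    "web": ip_network("192.168.2.0/24"),
    "db": ip_network("192.168.3.0/24"),
}

# (application, destination port) pairs allowed for each (from, to) segment.
# Assumed for this example; make it match your own rulebase.
SANCTIONED = {
    ("internet", "web"): {("ssh", 22)},                   # Mgmt-FW, after destination NAT
    ("web", "internet"): {("dns", 53), ("apt-get", 80)},  # Mgmt-FW, outbound updates
    ("lb", "web"): {("web-browsing", 80), ("blog-posting", 80)},  # AZ1-FW1 / AZ1-FW2
    ("web", "db"): {("mysql", 3306)},                     # AZ1-DB
}


def segment(ip):
    """Name the VPC subnet an address belongs to; anything else is the internet."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def audit_traffic(records):
    """Return (session id, reason) for each allowed session the design does not
    sanction.  Denied sessions are the policy working and are not reported."""
    findings = []
    for r in records:
        if r["action"] != "allow":
            continue
        # Judge the flow by where the firewall delivered it: an inbound SSH
        # session is logged as 192.168.0.254:10001 pre-NAT and 192.168.2.51:22
        # post-NAT, and the latter is the flow the design describes.
        dst = r.get("natdst") or r["dst"]
        dport = r.get("natdport") or r["dport"]
        flow = (segment(r["src"]), segment(dst))
        allowed = SANCTIONED.get(flow)
        if allowed is None:
            findings.append((r["sessionid"], f"no sanctioned flow {flow[0]}->{flow[1]}"))
        elif (r["app"], dport) not in allowed:
            findings.append((r["sessionid"],
                             f"{r['app']}/{dport} not sanctioned {flow[0]}->{flow[1]}"))
    return findings


# Constructed sample entries (203.0.113.x and 198.51.100.x are documentation
# addresses).  Sessions 3 and 7 are the ones that should worry you.
SAMPLE_LOG = [
    {"sessionid": 1, "src": "203.0.113.7", "dst": "192.168.0.254", "dport": 10001,
     "natdst": "192.168.2.51", "natdport": 22, "app": "ssh", "action": "allow"},
    {"sessionid": 2, "src": "192.168.2.50", "dst": "192.168.3.20", "dport": 3306,
     "app": "mysql", "action": "allow"},
    {"sessionid": 3, "src": "192.168.2.50", "dst": "192.168.3.20", "dport": 22,
     "app": "ssh", "action": "allow"},           # web server SSH into the DB segment
    {"sessionid": 4, "src": "192.168.2.51", "dst": "198.51.100.20", "dport": 80,
     "app": "apt-get", "action": "allow"},
    {"sessionid": 5, "src": "192.168.2.51", "dst": "198.51.100.20", "dport": 443,
     "app": "ssl", "action": "deny"},            # blocked, as intended
    {"sessionid": 6, "src": "192.168.1.50", "dst": "192.168.2.50", "dport": 80,
     "app": "web-browsing", "action": "allow"},
    {"sessionid": 7, "src": "192.168.3.20", "dst": "198.51.100.9", "dport": 443,
     "app": "ssl", "action": "allow"},           # DB segment reaching the internet
]

if __name__ == "__main__":
    for sid, why in audit_traffic(SAMPLE_LOG):
        print(f"session {sid}: {why}")
```

Session 3 is the kind of finding the AZ1-DB rule in Step 5 of Configure the Firewall that Secures the RDS exists to prevent; session 7 would mean a path from the database segment to the internet that the design never defined.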
Port Translation for Service Objects

This table shows how the firewall performs IP address and port translation for routing traffic to the web farm when you have configured service objects with NAT policy in Step 5 and Step 7 of Configure the VM-Series Firewall for Securing Outbound Access from the VPC.

Server   Private IP:Port     Private IP:Translated Port   Public IP:Port
Web1     192.168.2.50:22     192.168.2.50:10000           52.8.66.226:10000
Web2     192.168.2.51:22     192.168.2.51:10001           52.8.66.226:10001
Web3     192.168.2.52:22     192.168.2.52:10002           52.8.66.226:10002
Web4     192.168.2.53:22     192.168.2.53:10003           52.8.66.226:10003

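The table above and Step 7 of Configure the VM-Series Firewall for Securing Outbound Access from the VPC describe two translation stages stacked on top of each other: the AWS internet gateway rewrites 1:1 between the Elastic IP and the private address of Mgmt-FW's public-facing ENI, and Mgmt-FW's NAT policy then maps each non-default port to one web server on port 22 (inbound) and rewrites the source of web-farm traffic to its own public-facing interface (outbound). The following model is an added example, not code from the guide or from Palo Alto Networks; it uses the addresses from the table, and the client and update-server addresses in the sample are constructed documentation addresses.

```python
"""Added example (not from the guide): the two translation stages an inbound
SSH session and an outbound update request cross in the Mgmt-FW design."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EIP = "52.8.66.226"              # Elastic IP associated with Mgmt-FW's public ENI
FW_PUBLIC_IF = "192.168.0.254"   # that ENI's private address (Mgmt-FW ethernet1/1)
WEB_SUBNET = ip_network("192.168.2.0/24")
SSH_PORT = 22

# Service objects Web1..Web4 and the server each destination-NAT rule selects.
SERVICE_PORTS = {"Web1": 10000, "Web2": 10001, "Web3": 10002, "Web4": 10003}
DNAT_TARGET = {"Web1": "192.168.2.50", "Web2": "192.168.2.51",
               "Web3": "192.168.2.52", "Web4": "192.168.2.53"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def igw_inbound(pkt):
    """Internet gateway: EIP -> private ENI address; ports are untouched."""
    return replace(pkt, dst=FW_PUBLIC_IF) if pkt.dst == EIP else None


def fw_inbound_dnat(pkt):
    """Mgmt-FW: a destination port that matches a service object selects the web
    server and is rewritten to 22.  Any other port matches no NAT rule and no
    security rule (the SSH rule's service is Webserver_Services), so it is dropped."""
    if pkt.dst != FW_PUBLIC_IF:
        return None
    for name, port in SERVICE_PORTS.items():
        if pkt.dport == port:
            return replace(pkt, dst=DNAT_TARGET[name], dport=SSH_PORT)
    return None


def inbound_path(pkt):
    """Packet as the web server receives it, or None if a stage dropped it."""
    inner = igw_inbound(pkt)
    return fw_inbound_dnat(inner) if inner else None


def inbound_reply(pkt):
    """Reverse both stages for the server's reply: server:22 -> EIP:service port."""
    for name, target in DNAT_TARGET.items():
        if pkt.src == target and pkt.sport == SSH_PORT:
            return replace(pkt, src=EIP, sport=SERVICE_PORTS[name])
    return None


def fw_outbound_snat(pkt):
    """Mgmt-FW: web farm -> internet; the source becomes the public-facing interface."""
    if ip_address(pkt.src) not in WEB_SUBNET:
        return None                  # only the web farm is permitted outbound here
    return replace(pkt, src=FW_PUBLIC_IF)


def igw_outbound(pkt):
    """Internet gateway: private ENI address -> EIP on the way out."""
    return replace(pkt, src=EIP) if pkt.src == FW_PUBLIC_IF else None


def outbound_path(pkt):
    """Packet as the internet sees it, or None if it is not permitted."""
    inner = fw_outbound_snat(pkt)
    return igw_outbound(inner) if inner else None


if __name__ == "__main__":
    # Constructed sample: an administrator at 203.0.113.7 opens SSH to Web2,
    # and Web1 fetches an update from 198.51.100.20.
    print("web server sees:", inbound_path(Packet("203.0.113.7", 40000, EIP, 10001)))
    print("administrator sees reply from:",
          inbound_reply(Packet("192.168.2.51", 22, "203.0.113.7", 40000)))
    print("internet sees:", outbound_path(Packet("192.168.2.50", 51000, "198.51.100.20", 80)))
```

The reply path is the part worth checking against your own rulebase: the web server answers from port 22 to the administrator, and only because Mgmt-FW holds the session does that answer leave the VPC as EIP:10001. A second firewall in the path, or a route on the web server that bypasses Mgmt-FW, breaks the session even though every individual rule looks correct.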

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure and ensuring bandwidth and uptime requirements in multiple locations around the globe while staying within your budget.
The VM-Series firewall on AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall in the AWS cloud, you can quickly and easily deploy GlobalProtect gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources.
To minimize latency, select AWS regions that are closest to your users, deploy the VM-Series firewalls on EC2 instances, and configure the firewalls as GlobalProtect gateways. With this solution, the GlobalProtect gateways in the AWS cloud enforce security policy for internet traffic so there is no need to backhaul that traffic to the corporate network. Additionally, for access to resources on the corporate network, the VM-Series firewalls on AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices, such as smartphones and tablets, are safe for use on your network, use a Mobile Device Manager to configure and manage mobile devices.

Components of the GlobalProtect Infrastructure

To block risky applications and protect mobile users from malware, you must set up the GlobalProtect infrastructure, which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app. Additionally, for access to corporate resources, you must set up an IPSec VPN connection between the VM-Series firewalls on AWS and the firewall in the corporate headquarters using LSVPN (a hub and spoke VPN deployment).

- The GlobalProtect agent/app is installed on each end-user system that is allowed to access corporate applications and resources. The agent first connects to the portal to obtain information on the gateways and then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection between the end-user system and the gateway ensures data privacy.
- The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure. Every end-user system receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In this use case, the GlobalProtect portal is a hardware-based firewall that is deployed in the corporate headquarters.
- The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications, users, content, device, and device state. In this use case, the VM-Series firewalls on AWS function as the GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats, and, if policy allows, sends the request to the internet or to the corporate network over the IPSec tunnel (to the LSVPN gateway).
- For LSVPN, you must configure the GlobalProtect portal, the GlobalProtect gateway for LSVPN (hub), and the GlobalProtect satellites (spokes).
  In this use case, the hardware-based firewall in the corporate office is deployed as the GlobalProtect portal and the LSVPN gateway. The VM-Series firewalls on AWS are configured to function as GlobalProtect satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that terminates on the gateway. When a mobile user requests an application or resource that resides on the corporate network, the VM-Series firewall routes the request over the IPSec tunnel.

Deploy GlobalProtect Gateways on AWS

To secure mobile users, in addition to deploying and configuring the GlobalProtect gateways on AWS, you need to set up the other components required for this integrated solution. The following table includes the recommended workflow:

Deploy GlobalProtect on AWS

- Deploy the VM-Series firewall(s) on AWS. See Deploy the VM-Series Firewall on AWS.
- Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway.
  - Configure the GlobalProtect portal.
  - Configure the GlobalProtect portal for LSVPN.
  - Configure the portal to authenticate LSVPN satellites.
  - Configure the GlobalProtect gateway for LSVPN.

DeployGlobalProtectonAWS(Continued)

Set up a template on Panorama for configuring the VM-Series firewalls on AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls on AWS.
    Create template(s) on Panorama. Then use the following links to define the configuration in the templates:
    Configure the firewall as a GlobalProtect gateway.
    Prepare the satellite to join the LSVPN.

Create device groups on Panorama to define the network access policies and internet access rules and apply them to the firewalls on AWS.
    See Create device groups.

Apply the templates and the device groups to the VM-Series firewalls on AWS, and verify that the firewalls are configured properly.

Deploy the GlobalProtect client software.
    Every end-user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway. See Deploy the GlobalProtect client software.


Auto Scale VM-Series Firewalls with the Amazon ELB

Palo Alto Networks delivers CloudFormation Templates for deploying an auto scaling tier of VM-Series firewalls using several AWS services such as Lambda, auto scaling groups, Elastic Load Balancing (ELB), S3, SNS, and CloudWatch, and the VM-Series automation capabilities including the PAN-OS API and bootstrapping. The templates (the latest are vpc-classic-v1.2.template and vpc-alb-v1.2.template) allow you to leverage the AWS scalability features designed to manage sudden surges in demand for application workload resources by simultaneously scaling the VM-Series firewalls with changing workloads.
The templates deploy the VM-Series in an ELB sandwich topology with an internet-facing classic ELB and either an internal classic load balancer or an internal application load balancer (internal ELB). The internet-facing ELB is accessible from the internet and distributes traffic that enters the VPC across a pool of VM-Series firewalls. The firewalls then redirect traffic using NAT policy to the internal ELB. The internal ELB, which is only accessible inside the VPC, distributes traffic to an auto scaling tier of web servers. The API integration with AWS CloudWatch allows the CloudWatch service to monitor the health and resource load on the EC2 instances (VM-Series firewalls and web servers) and then use that information to trigger a scale-in or scale-out event in the respective Auto Scaling Group (ASG).

What Components Does the VM-Series Auto Scaling Template for AWS Deploy?
How Does the VM-Series Auto Scaling Template for AWS Enable Dynamic Scaling?
Plan the VM-Series Auto Scaling Template for AWS
Launch the VM-Series Auto Scaling Template for AWS
Customize the Bootstrap.xml File


NAT Policy Rule and Address Objects in the Auto Scaling Template
Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)
Modify Administrative Account and Update Stack
Troubleshoot the VM-Series Auto Scaling Template for AWS

What Components Does the VM-Series Auto Scaling Template for AWS Deploy?

The VM-Series Auto Scaling template for AWS provides two deployment options. The first option offers the flexibility to deploy a complete AWS environment along with the auto scaling tier of VM-Series firewalls in one streamlined workflow. The second option allows you to deploy only the auto scaling tier of VM-Series firewalls into your existing AWS deployment.

This VM-Series Auto Scaling template does not deploy Panorama, and Panorama is optional in this solution. If you want to use Panorama to manage the VM-Series firewalls that the solution deploys, you can either use an M-Series appliance inside your corporate network, or a Panorama virtual appliance on a VMware ESXi server inside your corporate network or in vCloud Air; you cannot deploy Panorama on AWS.

The VM-Series Auto Scaling template includes the following building blocks that make these options possible:


Building Block    Description

VPC template
    The VPC templates automate the process of deploying a VPC with two or three Availability Zones (AZs). The template deploys an external ELB, a web server farm and an internal ELB that load balances traffic to the web server farm. In addition to the subnets, route tables, and security groups required for routing traffic across these AZs, it also creates the Auto Scaling Group (ASG) for the web server farm and an AWS NAT gateway, if you opt for one.
    Depending on your preference for the internal ELB, you can choose from these two templates:
    - vpc-classic-v<number>.template: Use this template if you want to use a classic ELB for load balancing traffic to the internal web server farm.
    - vpc-alb-v<number>.template: Use this template if you prefer an application ELB for load balancing traffic to the internal web server farm.
    Both templates deploy the classic ELB for internet-facing traffic.

Firewall template
    The VPC template invokes the firewall.template to launch the VM-Series firewall. If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and want to only deploy the VM-Series firewall at scale, you can use the firewall.template instead of the vpc.template.
    The firewall.template creates an initial ASG with a single VM-Series firewall to secure the web servers in each AZ, adds the ENIs for the trust and management interfaces, and triggers the bootstrap process including registration with Panorama. To enable auto scaling of the VM-Series firewalls, this template leverages PAN-OS metrics from the VM-Series firewall and publishes data on your preferred metric to AWS CloudWatch.
    You can select one of the following PAN-OS metrics: active sessions, dataplane CPU utilization, or dataplane buffer utilization.

Lambda functions
    AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In this template, AWS Lambda monitors the custom PAN-OS metrics and the internal ELB to enable dynamic scaling of the VM-Series firewalls. The Lambda functions add or remove elastic network interfaces (ENIs) when the firewall is launched or terminated, collect and publish CloudWatch metrics so that you can define auto scaling policy using CloudWatch alarms, delete all the associated resources when an instance is terminated or the stack is deleted, and remove the firewall as a managed device on Panorama. The Lambda functions also monitor the VIP addresses on the internal ELB so that they can add or remove an ASG for the VM-Series firewalls, maintaining a 1:1 ratio between internal ELB VIPs and VM-Series firewall ASGs.


Bootstrap files
    This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic from the ELB.
    The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). For details see Management Interface Mapping for Use with Amazon ELB.
    The bootstrap.xml file contains a NAT policy rule to properly route traffic in this auto scaling ELB environment.
    In order to perform NAT, the firewall requires a single IP address in the NAT policy rule; the firewall cannot use an FQDN or round-robin NAT to multiple IP addresses. But to enable auto scaling, the AWS ELB publishes an FQDN as a virtual IP address (VIP) rather than publishing an IP address, and as the internal ELB scales, the FQDN automatically resolves to multiple IP addresses (one per AZ). The NAT policy rule included in the bootstrap.xml file resolves this conflict.
    The bootstrap.xml file references an address object within the NAT policy rule. When the firewall boots up, a Lambda function adds the IP address of the internal ELB into the address object so that the NAT policy resolves to the correct IP address for the internal ELB, and can route traffic to and from the external ELB and the internal ELB in this solution.
    The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

To deploy the solution, see Launch the VM-Series Auto Scaling Template for AWS.
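The following Python example is added here to illustrate the NAT rule and address object mechanism the table describes; it is not the bootstrap.xml or the Lambda code from the aws-elb-autoscaling repository. The config fragment, the object name int-elb-vip, the rule name elb-sandwich-nat, the placeholder address, and the helper that picks the VIP in the firewall's own AZ are all constructed assumptions for this illustration.

```python
"""Added illustration of the NAT rule / address object mechanism: the NAT
rule translates to an address object, and a boot-time step writes the
internal ELB's IP into that object. Not the bootstrap.xml or Lambda code
from the aws-elb-autoscaling repository; all names below are constructed."""

import ipaddress
import xml.etree.ElementTree as ET

VSYS = "./devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# Minimal constructed stand-in for the relevant part of bootstrap.xml. The
# object ships with a placeholder IP that is replaced when the firewall boots.
BOOTSTRAP_XML = """<config version="8.0.0">
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="int-elb-vip"><ip-netmask>1.1.1.1</ip-netmask></entry>
  </address>
  <rulebase><nat><rules>
   <entry name="elb-sandwich-nat">
    <from><member>untrust</member></from>
    <to><member>untrust</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <service>any</service>
    <destination-translation>
     <translated-address>int-elb-vip</translated-address>
    </destination-translation>
   </entry>
  </rules></nat></rulebase>
 </entry></vsys></entry></devices>
</config>"""


def _vsys(root):
    vsys = root.find(VSYS)
    if vsys is None:
        raise ValueError("vsys1 not found in config")
    return vsys


def pick_vip_for_az(resolved_ips, trust_subnet):
    """The internal ELB FQDN resolves to one IP per AZ but the NAT rule needs
    a single IP. Assumed approach: use the VIP that lies in the same AZ
    subnet as this firewall's trust interface; anything else is an error."""
    net = ipaddress.ip_network(trust_subnet)
    matches = [ip for ip in resolved_ips if ipaddress.ip_address(ip) in net]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one VIP inside {trust_subnet}, got {matches}")
    return matches[0]


def set_internal_elb_ip(xml_text, object_name, ip):
    """What the Lambda function does at boot: write the internal ELB IP into
    the address object the NAT rule references. Returns the new XML text."""
    ipaddress.ip_address(ip)                 # must be one host address, not a CIDR or FQDN
    root = ET.fromstring(xml_text)
    obj = _vsys(root).find(f"./address/entry[@name='{object_name}']")
    if obj is None:
        raise ValueError(f"address object {object_name!r} missing from bootstrap.xml")
    for child in list(obj):                  # drop any fqdn/ip-range/placeholder form
        obj.remove(child)
    ET.SubElement(obj, "ip-netmask").text = f"{ip}/32"
    return ET.tostring(root, encoding="unicode")


def nat_target(xml_text, rule_name):
    """Follow the NAT rule's translated-address through the address object
    and return the single IP the firewall will actually translate to."""
    root = ET.fromstring(xml_text)
    vsys = _vsys(root)
    rule = vsys.find(f"./rulebase/nat/rules/entry[@name='{rule_name}']")
    if rule is None:
        raise ValueError(f"NAT rule {rule_name!r} not found")
    ref = rule.findtext("./destination-translation/translated-address")
    obj = vsys.find(f"./address/entry[@name='{ref}']")
    if obj is None:
        raise ValueError(f"NAT rule references unknown address object {ref!r}")
    value = obj.findtext("ip-netmask")
    if value is None:
        raise ValueError(f"address object {ref!r} must be an ip-netmask, not an FQDN or range")
    net = ipaddress.ip_network(value, strict=False)
    if net.num_addresses != 1:
        raise ValueError(f"NAT needs a single IP; {ref!r} is {value}")
    return str(net.network_address)


if __name__ == "__main__":
    # Constructed: the internal ELB FQDN resolved to one VIP per AZ; this
    # firewall's trust subnet is the second AZ's default block.
    vip = pick_vip_for_az(["192.168.2.25", "192.168.12.25", "192.168.22.25"], "192.168.12.0/24")
    updated = set_internal_elb_ip(BOOTSTRAP_XML, "int-elb-vip", vip)
    print(nat_target(BOOTSTRAP_XML, "elb-sandwich-nat"))   # placeholder 1.1.1.1 before boot
    print(nat_target(updated, "elb-sandwich-nat"))         # 192.168.12.25 after the Lambda step
```

The check in nat_target is the one worth keeping around: if someone edits a production bootstrap.xml and turns the object into an FQDN object or a range, the rule still commits but no longer satisfies the single-IP requirement the table states.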

How Does the VM-Series Auto Scaling Template for AWS Enable Dynamic Scaling?

The VM-Series firewalls scale in and scale out based on PAN-OS metrics and on application traffic.
- PAN-OS metric-based scaling: The VM-Series firewalls scale based on custom PAN-OS metrics that trigger alarms and policies to dynamically deploy or terminate instances to increase or decrease capacity in the VM-Series firewall ASG. To monitor traffic load on the VM-Series firewalls, you can configure alarms based on the following custom PAN-OS metrics: the number of active sessions on the firewall, dataplane CPU utilization, or dataplane buffer utilization. The VM-Series Auto Scaling template uses an AWS Lambda function to publish the metrics to AWS CloudWatch at a one-minute frequency. When a metric that is being monitored reaches a configured threshold for the defined time interval, CloudWatch triggers an alarm and initiates an auto scaling event.
- Application traffic-based scaling: The VM-Series firewalls scale based on the internal ELB, which scales in response to the demands of the application traffic in the web server ASG. There is a 1:1 ratio between the number of internal ELB Virtual IP addresses and the number of ASGs for the VM-Series firewalls. So, when the Lambda function in the VM-Series Auto Scaling template detects the addition or the deletion of an internal ELB VIP address, an ASG for the VM-Series firewall is added or deleted in response to the change. And the IP address of the firewall is added or removed from the external ELB pool so that the external ELB can distribute traffic across all the available firewalls in the ASG.


The VM-Series firewalls within an ASG are identical in configuration. Each firewall is bootstrapped and configured with a NAT policy rule that directs all traffic to the IP address of the internal ELB.
Similarly, when traffic volume is reduced and an internal ELB VIP address is deleted, the Lambda function deletes the ASG and the VM-Series firewalls associated with the ASG. The IP address of the firewall is also removed from the external ELB pool.
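As an added illustration of the two mechanisms above (example code, not the Lambda code from the Palo Alto Networks repository), the following Python shows a threshold evaluator for the custom PAN-OS metrics and the reconciliation that keeps one VM-Series ASG per internal ELB VIP. The function names, the sample metric series, the VIPs, ASG names and instance IDs are constructed; the assumption that every one-minute datapoint in the scaling period must meet the threshold is made here and is not stated by the page.

```python
"""Added example of the two scaling mechanisms described above: alarms on
the custom PAN-OS metrics, and the 1:1 mapping between internal ELB VIPs
and VM-Series ASGs. Illustration only, not the Lambda code from the
Palo Alto Networks aws-elb-autoscaling repository; all data is constructed."""

PUBLISH_INTERVAL = 60                                  # metrics are published once a minute
SCALING_PERIODS = (60, 300, 900, 3600, 21600, 84600)   # scaling-period choices listed in this section


def alarm_state(samples, high, low, scaling_period):
    """Evaluate one-minute datapoints against a scale-out threshold `high`
    and a scale-in threshold `low`. Assumption (not stated on the page): the
    alarm fires only when every datapoint in the most recent scaling period
    meets the condition. Returns 'scale-out', 'scale-in' or 'ok'."""
    if scaling_period not in SCALING_PERIODS:
        raise ValueError(f"scaling period must be one of {SCALING_PERIODS}")
    if not 0 <= low < high:
        raise ValueError("thresholds must satisfy 0 <= low < high")
    n = scaling_period // PUBLISH_INTERVAL
    if len(samples) < n:
        return "ok"                    # not enough data yet for a full period
    window = samples[-n:]
    if all(v >= high for v in window):
        return "scale-out"
    if all(v <= low for v in window):
        return "scale-in"
    return "ok"


def reconcile_firewall_asgs(internal_elb_vips, firewall_asgs):
    """Keep one VM-Series ASG per internal ELB VIP. `firewall_asgs` maps the
    VIP an ASG was created for to the ASG name. Returns
    (VIPs that need a new ASG, ASG names whose VIP has disappeared)."""
    vips = set(internal_elb_vips)
    create = sorted(vips - set(firewall_asgs))
    delete = sorted(name for vip, name in firewall_asgs.items() if vip not in vips)
    return create, delete


def external_elb_pool(asg_instances, asgs_to_delete):
    """The firewalls the internet-facing ELB should balance across once the
    ASGs in `asgs_to_delete` are gone. `asg_instances` maps ASG name to the
    firewall instance IDs in that ASG."""
    gone = set(asgs_to_delete)
    return sorted(i for asg, members in asg_instances.items() if asg not in gone for i in members)


if __name__ == "__main__":
    # Constructed: 20 minutes of active-session counts on one firewall
    sessions = [20000] * 5 + [61000] * 15
    print(alarm_state(sessions, high=60000, low=10000, scaling_period=900))    # scale-out
    print(alarm_state(sessions, high=60000, low=10000, scaling_period=21600))  # ok: needs 360 points
    vips = ["192.168.2.10", "192.168.12.10", "192.168.22.10"]   # internal ELB now spans 3 AZs
    asgs = {"192.168.2.10": "fw-asg-a", "192.168.12.10": "fw-asg-b", "192.168.99.9": "fw-asg-old"}
    print(reconcile_firewall_asgs(vips, asgs))         # (['192.168.22.10'], ['fw-asg-old'])
    members = {"fw-asg-a": ["i-0a1"], "fw-asg-b": ["i-0b1", "i-0b2"], "fw-asg-old": ["i-0c1"]}
    print(external_elb_pool(members, ["fw-asg-old"]))  # ['i-0a1', 'i-0b1', 'i-0b2']
```

The point of the scale-in branch is the one operators trip over: a low threshold that is too close to the high one makes an ASG oscillate, because the session count on the surviving firewalls rises as soon as one is terminated.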

Plan the VM-Series Auto Scaling Template for AWS

The GitHub repository provides VM-Series Auto Scaling template version 1.1 and version 1.2. Version 1.2 is the latest and it provides the mechanism to update the PAN-OS version of the auto scaling tier of VM-Series firewalls and other resources using the stack update capability for AWS CloudFormation templates. To accommodate your business needs, it also allows you to choose and switch across three licensing options: BYOL, PAYG bundle 1 and PAYG bundle 2. VM-Series Auto Scaling template version 1.1 provides support for PAYG bundle 2 only.
In order to launch the solution successfully, review this checklist before you begin.
- VM-Series Auto Scaling Template for AWS Version 1.2
- VM-Series Auto Scaling Template for AWS Version 1.1

VM-Series Auto Scaling Template for AWS Version 1.2

The items in this checklist are actions and choices you must make for implementing this solution.


Planning Checklist for Version 1.2

Verify the requirements for deploying the VM-Series Auto Scaling template.
    The solution requires AWS Lambda and Signature versions 2 or 4 for PAN-OS 8.0; PAN-OS 7.1 requires signature version 2.
    Look up the list of supported regions and the AMI IDs.

Assign the appropriate permissions for the IAM user role.
    The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iam-policy.json file to successfully launch this solution. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.

Create a Support Account on the Palo Alto Networks Support portal.
    With VM-Series Auto Scaling template version 1.2, you can opt for the BYOL or PAYG (bundle 1 or bundle 2) licenses.
    - For BYOL, you must register the auth code to your Palo Alto Networks support account prior to launching the VM-Series Auto Scaling template.
    - For PAYG, you must register the VM-Series firewalls to activate your support entitlement.

(For PAYG) Review and accept the End User License Agreement (EULA). Required if you are launching a VM-Series firewall in an AWS account for the first time.
    In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The VM-Series Auto Scaling template will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
    For example, search for VM-Series Next Generation Firewall Bundle 2.
    Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
    You can now close the browser.


Download the Templates, AWS Lambda code, and the bootstrap files. Do not mix and match files across VM-Series Auto Scaling template versions.
    Get the files from the following GitHub repository at: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2
    Templates and Lambda code:
    - panw-aws.zip
    - firewall.template
    - vpc-classic-v1.2.template or vpc-alb-v1.2.template (you need only one)
      The vpc-classic-v1.2.template includes support for two classic ELBs; the vpc-alb-v1.2.template includes support for a classic ELB and an internal application ELB.
      Use the vpc-alb template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
      Use the vpc-classic template if you want to deploy two classic ELBs; one for load balancing traffic to the internal web servers and another for internet-facing traffic.
    The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case, but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
    Bootstrap files:
    - init-cfg.txt
    - bootstrap.xml
    The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

Customize the bootstrap.xml file for your production environment.
    To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. The default username and password is pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.


Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
    Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
    If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air.
    To successfully register the firewalls with Panorama, you must collect the following details:
    - API key for Panorama. So that AWS Lambda can make API requests to Panorama, you must provide an API key when you launch the VM-Series Auto Scaling template. As a best practice, in a production deployment, you should create a separate administrative account just for the API call and generate an associated API key.
    - Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
    - VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The vm-auth-key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
    - Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.

Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
    To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.
    The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the VM-Series Auto Scaling template across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.
    If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per region for each account. This estimate is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.

Get started
    Launch the VM-Series Auto Scaling Template for AWS (v1.2)
    Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)


VM-Series Auto Scaling Template for AWS Version 1.1

The items in this checklist are actions and choices you must make for implementing this solution.

Planning Checklist for Version 1.1

Verify the requirements for deploying the VM-Series Auto Scaling template version 1.1.
    The solution requires AWS Lambda and Signature version 2, and is supported in the following regions: US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney).

Assign the appropriate permissions for the IAM user role.
    The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iam-policy.json file to successfully launch the solution. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.

Create a Support Account on the Palo Alto Networks Support portal.
    All the VM-Series firewalls deployed by VM-Series Auto Scaling template version 1.1 support the usage-based (PAYG bundle 2) licenses. Version 1.1 does not support the BYOL option.
    You must register the VM-Series firewalls to activate your support entitlement.

Review and accept the End User License Agreement (EULA). Required if you are launching a VM-Series firewall on AWS for the first time. The VM-Series Auto Scaling template will fail to deploy if you have not accepted the EULA.
    In the AWS Marketplace, search for Palo Alto Networks, and select VM-Series Next Generation Firewall Bundle 2.
    Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
    You can now close the browser.


Download the Templates, AWS Lambda code, and the bootstrap files.
    Get the files from the following GitHub repository at: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.1
    Templates and Lambda code:
    - panw-aws.zip
    - firewall.template
    - vpc-classic-v1.1.template or vpc-alb-v1.1.template (you need only one)
      The vpc-classic-v1.1.template includes support for two classic ELBs; the vpc-alb-v1.1.template includes support for a classic ELB and an internal application ELB.
      Use the vpc-alb template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
      Use the vpc-classic template if you want to deploy two classic ELBs; one for load balancing traffic to the internal web servers and another for internet-facing traffic.
    The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case, but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
    Bootstrap files:
    - init-cfg.txt
    - bootstrap.xml
    The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

Customize the bootstrap.xml file for your production environment.
    To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.


Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
    Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
    If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air.
    And, if you use Panorama, you need the following information so that the firewalls can register with Panorama:
    - API key for an administrative user account on Panorama. AWS Lambda uses this key to make API requests to Panorama. By default, the VM-Series Auto Scaling template uses an API key with username and password admin/admin. For better security, create an administrative account on Panorama and generate a new API key for the account. You must enter this key when you launch the VM-Series Auto Scaling template.
    - Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
    - VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The vm-auth-key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
    - Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.

Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
    To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.
    The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the VM-Series Auto Scaling template across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.
    If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per region for each account. This estimate is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.

Get started
    Launch the VM-Series Auto Scaling Template for AWS (v1.1)


Launch the VM-Series Auto Scaling Template for AWS

Pick the workflow for the VM-Series Auto Scaling template version you are deploying.
- Launch the VM-Series Auto Scaling Template for AWS (v1.2)
- Launch the VM-Series Auto Scaling Template for AWS (v1.1)
If you have deployed the template v1.2 and want to update resources, see Stack Update with VM-Series Auto Scaling Template for AWS (v1.2).

Launch the VM-Series Auto Scaling Template for AWS (v1.2)

Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.2.template or the vpc-alb-v1.2.template.

If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and you only need to deploy the VM-Series firewall at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.

Launch the Template Version 1.2

Step 1: Plan the VM-Series Auto Scaling Template for AWS.
    Make sure that you have completed the following tasks:
    - (For PAYG only) Reviewed and accepted the EULA for the PAYG bundle you plan to use.
    - (For BYOL only) Obtained the auth code. You will need to enter this auth code in the /license folder of the bootstrap package. For details, see Prepare the Bootstrap Package.
    - Downloaded the files required to launch the VM-Series Auto Scaling template from the GitHub repository.


Step 2: (Optional) Modify the init-cfg.txt file.
    For more information on the bootstrapping process see Bootstrap the VM-Series Firewall; for details on the init-cfg.txt file, see Create the init-cfg.txt File.
    If you're using Panorama to manage the firewalls, complete the following tasks:
    1. Generate the vm-auth-key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
    2. Open the init-cfg.txt file with a text editor, such as Notepad. Make sure that you do not alter the format, as this will cause a failure in deploying the VM-Series Auto Scaling template.
       Add the following information as name-value pairs:
       - IP addresses for the primary Panorama and optionally a secondary Panorama. Enter:
         panorama-server=
         panorama-server-2=
       - Specify the template and the device group to which you want to assign the firewall. Enter:
         tplname=
         dgname=
       - VM auth key. Enter:
         vm-auth-key=
    3. Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet1/1) on the VM-Series firewall on AWS. For example, the file must include the following name-value pairs; the op-command-modes line is the interface swap command that must remain in the file:
       op-command-modes=mgmt-interface-swap
       vm-auth-key=755036225328715
       panorama-server=10.5.107.20
       panorama-server-2=10.5.107.21
       tplname=FINANCE_TG4
       dgname=finance_dg
       The vm-auth-key and Panorama IP addresses above are example values. You need to enter the values that match your setup.
    4. Save and close the file.

Step 3: (For BYOL only) Add the license auth code in the /license folder of the bootstrap package.
    For more information on the bootstrapping process see Prepare the Bootstrap Package.
    1. Create a new .txt file with a text editor, such as Notepad.
    2. Add the auth code for your BYOL licenses. The auth code must support the number of firewalls that may be required for your deployment. You must use an auth code bundle instead of individual auth codes so that the firewall can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.

Step 4: Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file.
    Required for using the VM-Series Auto Scaling template in a production environment.
    The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch; see Customize the Bootstrap.xml File.


Step 5: Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template.
    Make sure to create the S3 buckets in the same region in which you plan to deploy the template.
    The VM-Series Auto Scaling template requires one S3 bucket for the VM-Series bootstrap files, and another S3 bucket for the AWS Lambda functions and the nested firewall.template.
    1. Create a new S3 bucket for the bootstrap files.
       a. Sign in to the AWS Management Console and open the S3 console.
       b. Click Create Bucket.
       c. Enter a Bucket Name and a Region, and click Create. The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
    2. Upload the bootstrap files to the S3 bucket.
       a. Click the name of the bucket and then click Create folder.
       b. Create the following folder structure for bootstrapping.
       c. Click the link to open the config folder.
       d. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and bootstrap.xml file, and click Open.
       e. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and the bootstrap.xml.
       f. (For BYOL only) Click the link to open the license folder and upload the txt file with the auth code required for licensing the VM-Series firewalls.


    3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
       a. Click the bucket name.
       b. Click Add Files to select the panw-aws.zip file and the firewall.template, and click Open.
       c. Click Start Upload to add the files to the S3 bucket.
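A pre-flight check for Steps 2 and 5, added here as an example (not a Palo Alto Networks tool): it parses init-cfg.txt as strict name=value pairs, confirms the mgmt-interface-swap command and the Panorama keys are present, and confirms the bootstrap bucket holds the standard four bootstrap folders with nothing but init-cfg.txt and bootstrap.xml under config/. The sample file reuses the example values from Step 2; the bucket's object-key list, the four-folder layout (taken from the standard PAN-OS bootstrap package, since the folder screenshot is not reproduced here) and the license file name authcodes.txt are constructed assumptions.

```python
"""Added pre-flight check for the bootstrap package (Steps 2 and 5). Not a
Palo Alto Networks tool; the sample init-cfg.txt reuses the Step 2 example
values and the bucket key list is constructed."""

import ipaddress

# Standard PAN-OS bootstrap package layout (assumed; the S3 folder figure
# from this section is not reproduced here).
REQUIRED_FOLDERS = ("config/", "content/", "license/", "software/")
CONFIG_FILES = {"init-cfg.txt", "bootstrap.xml"}      # Step 5.2e: nothing else in config/
PANORAMA_KEYS = ("panorama-server", "vm-auth-key", "tplname", "dgname")

SAMPLE_INIT_CFG = """op-command-modes=mgmt-interface-swap
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
"""

# Constructed object keys of a bootstrap bucket; folder markers end in '/'.
SAMPLE_BUCKET_KEYS = [
    "config/", "config/init-cfg.txt", "config/bootstrap.xml",
    "content/", "license/", "license/authcodes.txt", "software/",
]


def parse_init_cfg(text):
    """Parse init-cfg.txt into a dict. Every non-empty line must be a single
    name=value pair; the page warns that a format slip makes the template
    deployment fail, so anything else is rejected here."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or " " in key:
            raise ValueError(f"init-cfg.txt line {lineno}: expected name=value, got {raw!r}")
        if key in cfg:
            raise ValueError(f"init-cfg.txt line {lineno}: duplicate key {key}")
        cfg[key] = value
    return cfg


def check_init_cfg(cfg, use_panorama=True):
    """Return a list of problems with a parsed init-cfg.txt (empty means OK)."""
    problems = []
    modes = [m.strip() for m in cfg.get("op-command-modes", "").split(",")]
    if "mgmt-interface-swap" not in modes:
        problems.append("op-command-modes must include mgmt-interface-swap "
                        "(the firewall must receive ELB traffic on eth0)")
    if use_panorama:
        for key in PANORAMA_KEYS:
            if not cfg.get(key):
                problems.append(f"{key} is required to register with Panorama")
        for key in ("panorama-server", "panorama-server-2"):
            if cfg.get(key):                      # the secondary Panorama is optional
                try:
                    ipaddress.ip_address(cfg[key])
                except ValueError:
                    problems.append(f"{key} must be an IP address, got {cfg[key]!r}")
    return problems


def check_bucket_layout(keys, byol=False):
    """Return a list of problems with the bootstrap bucket's object keys."""
    problems = []
    keyset = set(keys)
    for folder in REQUIRED_FOLDERS:
        if not any(k.startswith(folder) for k in keyset):
            problems.append(f"missing folder {folder}")
    config_objs = {k[len("config/"):] for k in keyset if k.startswith("config/")} - {""}
    if config_objs != CONFIG_FILES:
        problems.append(f"config/ must hold exactly {sorted(CONFIG_FILES)}, found {sorted(config_objs)}")
    if byol and not any(k.startswith("license/") and k.endswith(".txt") for k in keyset):
        problems.append("BYOL: license/ needs the .txt file with the auth code bundle (Step 3)")
    return problems


if __name__ == "__main__":
    print(check_init_cfg(parse_init_cfg(SAMPLE_INIT_CFG)))          # []
    print(check_bucket_layout(SAMPLE_BUCKET_KEYS, byol=True))       # []
    print(check_bucket_layout(SAMPLE_BUCKET_KEYS + ["config/notes.txt"]))
```

Run it against the files before uploading: a bootstrap failure here surfaces later only as a firewall you cannot log in to and ELB health checks that never pass (Step 9).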

Step 6: Select the VM-Series Auto Scaling template to launch.
    1. In the AWS Management Console, select CloudFormation > Create Stack.
    2. Select Upload a template to Amazon S3, choose the vpc-classic-v1.2.template or the vpc-alb-v1.2.template that you downloaded previously, and click Open and Next.
    3. Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed using this VM-Series Auto Scaling template. Using a longer stack name results in a failure to successfully deploy the template.


Step 7: Configure the parameters for the VPC.
    4. Enter the parameters for the VPC Configuration as follows:
       a. Enter a VPC Name and a VPC CIDR. The default CIDR is 192.168.0.0/16.
       b. Enter the IP address blocks for the management, untrust and trust subnets for the VM-Series firewalls in each Availability Zone. By default three subnets are allocated across three AZs. The default blocks for the management subnets are 192.168.0.0/24, 192.168.10.0/24 and 192.168.20.0/24; untrust subnets are 192.168.1.0/24, 192.168.11.0/24 and 192.168.21.0/24; and trust subnets are 192.168.2.0/24, 192.168.12.0/24 and 192.168.22.0/24.
       c. For Do you want to create a NAT Gateway in each AZ, enter Yes if you want the VM-Series Auto Scaling template to deploy an AWS NAT gateway. Enter No if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface for each VM-Series firewall, the AWS NAT gateway is required for the firewalls to access the Palo Alto Networks Update servers and Panorama, and to publish metrics to CloudWatch.
       d. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, 192.168.103.0/24.
       e. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24, 192.168.203.0/24.
       f. Select whether the uptime needs for your setup require the VPC to span two or three Availability Zones in Number of Availability Zones for deployment.
       g. Select your AZ preference from the Select list of Availability Zones dropdown. Make sure to select two or three based on the number of AZs you selected above.


Step8 Selectyourpreferencesforthe 1. SelecttheEC2instancesizefortheVMSeriesfirewall.


VMSeriesfirewalls. 2. LookuptheAMIIDfortheVMSeriesfirewallandenterit.
MakesurethattheAMIIDmatchestheAWSregion,PANOS
versionandtheBYOLorPAYGlicensingoptionyouhave
optedtouse.
3. CopyandpastethelicensedeactivationAPIkeyforyour
account.Thiskeyisrequiredtosuccessfullydeactivate
licensesonyourfirewallswhenascaleineventoccurs.Toget
thiskey:
a. LogintotheCustomerSupportPortal.
b. FromtheGo Todropdown,selectLicense API.
c. CopytheAPIkey.
4. SelecttheEC2Key pair(fromthedropdown)forlaunching
thefirewall.Tologintothefirewallorthewebservers,you
mustprovidethenameofthiskeypairandtheprivatekey
associatedwithit.
5. Ifyouwanttorestrictaccesstothefirewall,specifytheIP
addressblockorIPaddressesthatcanSSHintothefirewall.
VerifyyourIPaddressbeforeconfiguringitontheVMSeries
AutoScalingtemplatetomakesurethatyoudonotlock
yourselfout.

Step9 SpecifythenameoftheAmazonS3 1. EnterthenameoftheS3bucketthatcontainsthebootstrap


buckets. files.
Ifthebootstrapbucketisnotsetupproperlyorifyouenter
thebucketnameincorrectly,thebootstrapprocesswillfail
andyouwillnotbeabletologintothefirewall;ELBhealth
checkswillalsofail.
2. EnterthenameoftheS3bucketthatcontainsthe
firewall.templateandtheLambdacodethatyouextracted
fromthezipfile.

Step 10  Specify the keys for enabling API access to the firewall and Panorama.
  1. Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
  2. Enter the API key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.

Step 11  Specify the name for the ELBs.
  The ELB name must be 12 characters or less. If the name is longer than 12 characters, the VM-Series Auto Scaling template will fail to deploy.
  1. Enter the name for the internet-facing (or external) classic ELB.
  2. Enter the name for the internal classic or application ELB.


Step 12  Configure the metric to monitor and define the thresholds for auto scaling.
  The custom PAN-OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM-Series firewalls based on the thresholds you define.
  1. Select one scaling metric:
     - Active Sessions (number): Monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
     - Dataplane CPU Utilization (%): Monitors the dataplane CPU usage to measure the traffic load on the firewall.
     - Dataplane Buffer Utilization (%): Monitors the dataplane buffer usage. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and cause dropped packets.
  2. Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values for the scaling period: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
  3. Enter the maximum number of VM-Series firewalls in an ASG.
  4. Enter the minimum number of VM-Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM-Series firewall.
  5. Enter the thresholds for a scaling event. This input can be a number or a percentage, based on the scaling metric you selected above.
     For active sessions, as a best practice, set this value at a maximum of 51,200 (80% of 64,000) to allow scale-out events to complete with a fully functioning firewall. Assess the traffic patterns for your application, and determine whether you need to set a more conservative threshold.
     For dataplane buffer utilization, set the value at a maximum of 40% so that the firewall can optimally handle a burst in traffic.
     Bootstrapping a PAN-OS firewall can take 10 to 15 minutes. Make sure to set some buffer in your scale thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scale group.

Step 13  Select the EC2 instance type for the web servers.
  Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate hugely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM-Series firewalls.

Step 14  (Optional) Apply tags to identify the resources associated with the VM-Series Auto Scaling template.
  Add a name-value pair to identify and categorize the resources in this stack.


Step 15  Review the template settings and launch the template.
  1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
  2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
  3. On successful deployment the status updates to CREATE_COMPLETE.
     In each AZ, the VM-Series Auto Scaling template will launch an ASG that includes one VM-Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.

Step 16  Verify that the template has launched all required resources.
  To modify or update the resources for this VM-Series Auto Scaling template, see Stack Update with VM-Series Auto Scaling Template for AWS (v1.2).
  1. On the EC2 Dashboard, select Load Balancers.
  2. Get the DNS name for the external ELB, and enter it into a web browser. For example:
     http://public-elb-123456789.us-east-1.elb.amazonaws.com/
     The web page will display to indicate that you have successfully launched the CloudFormation template.
  3. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ you have one ASG for the VM-Series firewalls with the minimum number of firewalls you specified in the template, and the web server ASG.
     If you selected three AZs and the AWS NAT gateway, the VM-Series firewall ASG name displays this information as az3-n; the details are appended to the stack name, for example:
     VMAutoCFT-az3-n-EB4Y7D3DMJ6E_ASG_LC_192-168-2-6
  4. Log in to the VM-Series firewall.
     It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic.
     Use the EIP address, if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
  5. Select Monitor > Logs > Traffic on the web interface of the firewall to view logs.

When you are finished with testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient, as the VM-Series Auto Scaling template might automatically deploy new ASGs.
If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM-Series firewalls to shut down gracefully, and Panorama can remove the firewalls from the list of managed devices.

Launch the VM-Series Auto Scaling Template for AWS (v1.1)

Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.1.template or the vpc-alb-v1.1.template.

If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and you only need to deploy the VM-Series firewall at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.

Launch the Template (Version 1.1)

Step 1  Plan the VM-Series Auto Scaling Template for AWS.
  Make sure that you have completed the following tasks:
  - Reviewed and accepted the EULA.
  - Downloaded the files required to launch the VM-Series Auto Scaling template from the GitHub repository.

Step 2  (Optional) Modify the init-cfg.txt file.
  For more information on the bootstrapping process see Bootstrap the VM-Series Firewall; for details on the init-cfg.txt file, see Create the init-cfg.txt File.
  If you're using Panorama to manage the firewalls, complete the following tasks:
  1. Generate the VM auth key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
  2. Open the init-cfg.txt file with a text editor, such as Notepad.
  3. Add the following information as name-value pairs:
     - IP addresses for the primary Panorama and optionally a secondary Panorama. Enter:
       panorama-server=
       panorama-server-2=
     - The template and the device group to which you want to assign the firewall. Enter:
       tplname=
       dgname=
     - The VM auth key. Enter:
       vm-auth-key=
  4. Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet1/1) on the VM-Series firewall on AWS. For example, the file must include name-value pairs such as the following:
       op-command-modes=mgmt-interface-swap
       vm-auth-key=755036225328715
       panorama-server=10.5.107.20
       panorama-server-2=10.5.107.21
       tplname=FINANCE_TG4
       dgname=finance_dg
     The VM auth key and Panorama IP addresses above are example values. You need to enter the values that match your setup.
  5. Save and close the file.

Step 3  Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file.
  Required for using the VM-Series Auto Scaling template in a production environment.
  The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch; see Customize the Bootstrap.xml File.


Step 4  Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template.
  Make sure to create the S3 buckets in the same region in which you plan to deploy the template.
  The VM-Series Auto Scaling template requires one S3 bucket for the VM-Series bootstrap files, and another S3 bucket for the AWS Lambda functions and the nested firewall.template.
  1. Create a new S3 bucket for the bootstrap files.
     a. Sign in to the AWS Management Console and open the S3 console.
     b. Click Create Bucket.
     c. Enter a Bucket Name and a Region, and click Create. The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
  2. Upload the bootstrap files to the S3 bucket.
     a. Click the name of the bucket and then click Create folder.
     b. Create the following folder structure for bootstrapping.

     c. Click the link to open the config folder.
     d. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and the bootstrap.xml file, and click Open.
     e. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.
  3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
     a. Click the bucket name.
     b. Click Add Files to select the panw-aws.zip file and the firewall.template, and click Open.
     c. Click Start Upload to add the files to the S3 bucket.


Step 5  Select the VM-Series Auto Scaling template that you want to launch.
  1. In the AWS Management Console, select CloudFormation > Create Stack.
  2. Select Upload a template to Amazon S3, choose the vpc-classic-v1.template or the vpc-alb-v1.template that you downloaded previously, and click Open and Next.
  3. Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed.

Step 6  Configure the parameters for the VPC.
  4. Enter the parameters for the VPC Configuration as follows:
     a. Enter a VPC Name and a VPC CIDR. The default CIDR is 192.168.0.0/16.
     b. Enter the IP address blocks for the management, untrust and trust subnets for the VM-Series firewalls in each Availability Zone. By default three subnets are allocated across three AZs. The default blocks for the management subnets are 192.168.0.0/24, 192.168.10.0/24 and 192.168.20.0/24; the untrust subnets are 192.168.1.0/24, 192.168.11.0/24 and 192.168.21.0/24; and the trust subnets are 192.168.2.0/24, 192.168.12.0/24 and 192.168.22.0/24.
     c. For Do you want to create a NAT Gateway in each AZ, enter Yes if you want the VM-Series Auto Scaling template to deploy an AWS NAT gateway. Enter No if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface for each VM-Series firewall, the AWS NAT gateway is required for the firewalls to access the Palo Alto Networks Update servers and Panorama, and to publish metrics to CloudWatch.
     d. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, 192.168.103.0/24.
     e. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24, 192.168.203.0/24.
     f. Select whether the uptime needs for your setup require the VPC to span two or three Availability Zones in Number of Availability Zones for deployment.
     g. Select your AZ preference from the Select list of Availability Zones drop-down. Make sure to select two or three based on the number of AZs you selected above.


Step 7  Select your preferences for the VM-Series firewalls.
  1. Select the EC2 instance size for the VM-Series firewall.
  2. Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewall or the web servers, you must provide the name of this key pair and the private key associated with it.
  3. If you want to restrict access to the firewall, specify the IP address block or IP addresses that can SSH into the firewall. Verify your IP address before configuring it on the VM-Series Auto Scaling template to make sure that you do not lock yourself out.

Step 8  Specify the name of the Amazon S3 buckets.
  1. Enter the name of the S3 bucket that contains the bootstrap files.
     If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process will fail and you will not be able to log in to the firewall; ELB health checks will also fail.
  2. Enter the name of the S3 bucket that contains the firewall.template and the Lambda code that you extracted from the zip file.

Step 9  Specify the keys for enabling API access to the firewall and Panorama.
  1. Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
  2. Enter the API key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.

Step 10  Specify the name for the ELBs.
  The ELB name must be 12 characters or less. If the name is longer than 12 characters, the VM-Series Auto Scaling template will fail to deploy.
  1. Enter the name for the internet-facing (or external) classic ELB.
  2. Enter the name for the internal classic or application ELB.


Step 11  Configure the metric to monitor and define the thresholds for auto scaling.
  The custom PAN-OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM-Series firewalls based on the thresholds you define.
  1. Select one scaling metric:
     - Active Sessions (number): Monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
     - Dataplane CPU Utilization (%): Monitors the dataplane CPU usage to measure the traffic load on the firewall.
     - Dataplane Buffer Utilization (%): Monitors the dataplane buffer usage. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and cause dropped packets.
  2. Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values for the scaling period: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
  3. Enter the maximum number of VM-Series firewalls in an ASG.
  4. Enter the minimum number of VM-Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM-Series firewall.
  5. Enter the thresholds for a scaling event. This input can be a number or a percentage, based on the scaling metric you selected above.
     For active sessions, as a best practice, set this value at a maximum of 51,200 (80% of 64,000) to allow scale-out events to complete with a fully functioning firewall. Assess the traffic patterns for your application, and determine whether you need to set a more conservative threshold.
     For dataplane buffer utilization, set the value at a maximum of 40% so that the firewall can optimally handle a burst in traffic.
     Bootstrapping a PAN-OS firewall can take 10 to 15 minutes. Make sure to set some buffer in your scale thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scale group.

Step 12  Select the EC2 instance type for the web servers.
  Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate hugely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM-Series firewalls.

Step 13  (Optional) Apply tags to identify the resources associated with the VM-Series Auto Scaling template.
  Add a name-value pair to identify and categorize the resources in this stack.


Step 14  Review the template settings and launch the template.
  1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
  2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
  3. On successful deployment the status updates to CREATE_COMPLETE.
     In each AZ, the VM-Series Auto Scaling template will launch an ASG that includes one VM-Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.

Step 15  Verify that the template has launched all required resources.
  1. On the EC2 Dashboard, select Load Balancers.
  2. Get the DNS name for the external ELB, and enter it into a web browser. For example:
     http://public-elb-123456789.us-east-1.elb.amazonaws.com/
     The web page will display to indicate that you have successfully launched the CloudFormation template.
  3. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ you have one ASG for the VM-Series firewalls with the minimum number of firewalls you specified in the template, and the web server ASG.
     If you selected three AZs and the AWS NAT gateway, the VM-Series firewall ASG name displays this information as az3-n; the details are appended to the stack name, for example:
     VMAutoCFT-az3-n-EB4Y7D3DMJ6E_ASG_LC_192-168-2-6
  4. Log in to the VM-Series firewall.
     It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic.
     Use the EIP address, if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
  5. Select Monitor > Logs > Traffic on the web interface of the firewall to view logs.

When you are finished with testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient, as the VM-Series Auto Scaling template might automatically deploy new ASGs.
If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM-Series firewalls to shut down gracefully, and Panorama can remove the firewalls from the list of managed devices.
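The limits the launch workflows above state for the template inputs (stack name of 10 characters or less, ELB names of 12 characters or less, the allowed scaling periods, at least one firewall per ASG, thresholds with headroom for the bootstrap time) and the init-cfg.txt requirement from Step 2, collected into a pre-flight check you can run before you click Create. This is an added example, not code from the guide or the GitHub repository; the TemplateParams field names, the metric identifiers and the check_init_cfg helper are this example's own.

```python
"""Pre-flight checks for the VM-Series Auto Scaling template inputs.

Added example; not code from the Palo Alto Networks guide or its GitHub
repository.  It encodes the limits the guide states for the CloudFormation
parameters (stack name of 10 characters or less, ELB names of 12 or less, the
allowed scaling periods, at least one firewall per ASG, thresholds that leave
headroom for the 10 to 15 minute bootstrap) and the init-cfg.txt requirement
that the mgmt-interface-swap command is present, so a mistake is caught before
CloudFormation rolls the whole stack back.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_STACK_NAME = 10         # guide: Step 5 and the "Stack name is longer than 10 characters" error
MAX_ELB_NAME = 12           # guide: Specify the name for the ELBs
SCALING_PERIODS = {60, 300, 900, 3600, 21600, 84600}   # seconds, as listed in the guide
MAX_SESSIONS = 64_000       # session limit with NAT in this solution
SESSION_CEILING = MAX_SESSIONS * 80 // 100   # 51,200: recommended maximum threshold
BUFFER_CEILING = 40         # percent: recommended maximum for dataplane buffer utilization
METRICS = {"ActiveSessions", "DataplaneCPUUtilization", "DataplaneBufferUtilization"}


@dataclass
class TemplateParams:
    """The template inputs this check covers; the field names are this example's own."""
    stack_name: str
    external_elb_name: str
    internal_elb_name: str
    scaling_metric: str
    scaling_period: int
    min_firewalls: int
    max_firewalls: int
    threshold: float
    ssh_allowed_cidrs: List[str] = field(default_factory=list)
    admin_source_ip: Optional[str] = None   # your own address, to catch a lock-out


def validate(p: TemplateParams) -> List[str]:
    """Return the problems found; an empty list means the inputs pass every check."""
    problems = []
    if not 1 <= len(p.stack_name) <= MAX_STACK_NAME:
        problems.append(f"stack name {p.stack_name!r} must be 1-{MAX_STACK_NAME} characters")
    for label, name in (("external", p.external_elb_name), ("internal", p.internal_elb_name)):
        if not 1 <= len(name) <= MAX_ELB_NAME:
            problems.append(f"{label} ELB name {name!r} must be 1-{MAX_ELB_NAME} characters")
    if p.scaling_metric not in METRICS:
        problems.append(f"unknown scaling metric {p.scaling_metric!r}")
    if p.scaling_period not in SCALING_PERIODS:
        problems.append(f"scaling period {p.scaling_period} is not one of {sorted(SCALING_PERIODS)}")
    if p.min_firewalls < 1:
        problems.append("minimum firewalls per ASG must be at least 1")
    if p.max_firewalls < max(p.min_firewalls, 1):
        problems.append("maximum firewalls per ASG must be at least the minimum")
    # Headroom: a new firewall needs 10 to 15 minutes to bootstrap, so the guide caps
    # the session threshold at 80% of 64,000 and buffer utilization at 40%.
    if p.scaling_metric == "ActiveSessions" and not 0 < p.threshold <= SESSION_CEILING:
        problems.append(f"active-session threshold {p.threshold} exceeds the {SESSION_CEILING} ceiling")
    elif p.scaling_metric == "DataplaneBufferUtilization" and not 0 < p.threshold <= BUFFER_CEILING:
        problems.append(f"buffer threshold {p.threshold}% exceeds the {BUFFER_CEILING}% ceiling")
    elif p.scaling_metric == "DataplaneCPUUtilization" and not 0 < p.threshold < 100:
        problems.append(f"CPU threshold {p.threshold}% must be between 0 and 100")
    # SSH allow-list: reject malformed blocks, flag a /0 that restricts nothing, and
    # confirm the operator's own address sits inside one of the blocks.
    networks = []
    for cidr in p.ssh_allowed_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"SSH allow-list entry {cidr!r} is not a valid address block")
            continue
        if net.prefixlen == 0:
            problems.append(f"SSH allow-list entry {cidr} does not restrict access at all")
        networks.append(net)
    if p.admin_source_ip and networks:
        me = ipaddress.ip_address(p.admin_source_ip)
        if not any(me in net for net in networks):
            problems.append(f"{p.admin_source_ip} is outside the SSH allow-list; you would lock yourself out")
    return problems


def check_init_cfg(text: str) -> List[str]:
    """Check the name=value pairs of init-cfg.txt for the items the guide calls out."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip()] = value.strip()
    problems = []
    # op-command-modes may carry several comma-separated modes; the swap must be one of them.
    if "mgmt-interface-swap" not in pairs.get("op-command-modes", "").split(","):
        problems.append("op-command-modes=mgmt-interface-swap is missing; mgmt and ethernet1/1 will not be swapped")
    if "panorama-server" in pairs:
        for key in ("vm-auth-key", "tplname", "dgname"):
            if not pairs.get(key):
                problems.append(f"{key} is required when panorama-server is set")
    return problems
```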

Customize the Bootstrap.xml File

The bootstrap.xml file provided in the GitHub repository uses a default username and password for the firewall administrator. Before deploying the VM-Series Auto Scaling template in a production environment, at a minimum, you must create a unique username and password for the administrative account on the VM-Series firewall. Optionally, you can fully configure the firewall with zones, policy rules and security profiles and export a golden configuration snapshot. You can then use this configuration snapshot as the bootstrap.xml file for your production environment.
You have two ways to customize the bootstrap.xml file for use in a production environment:
- Option 1: Launch a VM-Series firewall on AWS using the bootstrap files provided in the GitHub repository, modify the firewall configuration and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template. See Use the GitHub Bootstrap Files as Seed.
- Option 2: Launch a new VM-Series firewall on AWS without using the bootstrap files, add a NAT policy rule to ensure that the VM-Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template. See Create a new Bootstrap File from Scratch.

If you have deployed the template and now need to change the credentials for the administrative user or add a new admin user and update the template stack, see Modify Administrative Account and Update Stack.

Use the GitHub Bootstrap Files as Seed

Launch a VM-Series firewall on AWS from the AWS Marketplace using the bootstrap files provided in the GitHub repository, modify the firewall configuration for your production environment and export the configuration to create a new bootstrap.xml file that you can now use for the VM-Series Auto Scaling template.

Option 1: Customize the Bootstrap.xml File

1. To launch the firewall, see Bootstrap the VM-Series Firewall in AWS.
2. Add an elastic network interface (ENI) and associate an elastic IP address (EIP) to it, so that you can access the web interface on the VM-Series firewall. See Launch the VM-Series Firewall on AWS for details.
3. Use the EIP address to log in to the firewall web interface with admin as the username and password.
4. Add a secure password for the admin user account (Device > Local User Database > Users).
5. (Optional) Configure the firewall for securing your production environment.
6. Select Policies > NAT to verify the firewall has the NAT policy rule required for the VM-Series Auto Scaling template. The NAT policy rule is included in the bootstrap.xml file, and is required to avoid blackholing traffic. The NAT policy rule routes traffic to the internal ELB and ensures symmetric return of the traffic from the web servers.
7. Commit the changes on the firewall.
8. Generate a new API key for the administrator account. Copy this new key to a new file. You will need to enter this API key when you launch the VM-Series Auto Scaling template; the AWS services use the API key to deploy the firewall and to publish metrics for auto scaling.


9. Export the configuration file and save it as bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
10. Open the bootstrap.xml file with a text editing tool and delete the management interface configuration.
11. (Required if you exported a PAN-OS 8.0 configuration) Ensure that the setting to validate the Palo Alto Networks servers is disabled. Look for <server-verification>no</server-verification>. If the check is yes, change it to no.
12. Save the file. You can now proceed with Launch the VM-Series Auto Scaling Template for AWS.

Create a new Bootstrap File from Scratch

Launch a new VM-Series firewall on AWS using PAN-OS 8.0 without using the bootstrap files, add a NAT policy rule to ensure that the VM-Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template.

Option 2: Customize the Bootstrap.xml File

1. Deploy the VM-Series Firewall on AWS (no bootstrapping required) and use the public IP address to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need to configure a new administrative password for the firewall.
2. Log in to the firewall web interface.
3. (Optional) Configure the firewall. You can configure the dataplane interfaces, zones and policy rules. Commit the changes on the firewall.
4. Export the configuration file and name it bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
5. Download the bootstrap.xml file from the GitHub repository, open it with a text editing tool, and copy lines 406 to 435 and 445 to 454. These lines define the NAT policy rule and the address objects required for the VM-Series Auto Scaling template. If you want to copy and paste the NAT policy rule and address objects, see NAT Policy Rule and Address Objects in the Auto Scaling Template.

6. Use a text editing tool to open the configuration file you exported earlier.
   a. Search for </security> and paste lines 406 to 435 after </security>.
   b. Search for </import> and paste lines 445 to 454 after </import>.
7. Delete the management interface configuration.
   a. Search for </service> and delete the ip-address, netmask and default-gateway that follow.
   b. Search for </type> and delete the ip-address, netmask, default-gateway, and public-key that follow.
8. Save the file. You can now proceed with Launch the VM-Series Auto Scaling Template for AWS.

NAT Policy Rule and Address Objects in the Auto Scaling Template

To Customize the Bootstrap.xml File for deploying the VM-Series Auto Scaling Template for AWS in your production environment, you must copy the following NAT policy rule and address objects into your configuration file. You can find the NAT rule and address objects in the bootstrap.xml file in the GitHub repository.

NAT Policy Rule

278 VMSeries8.0DeploymentGuide PaloAltoNetworks,Inc.


SetUptheVMSeriesFirewallonAWS AutoScaleVMSeriesFirewallswiththeAmazonELB

<nat>
  <rules>
    <entry name="nat-for-asg">
      <to>
        <member>Untrust</member>
      </to>
      <from>
        <member>any</member>
      </from>
      <source>
        <member>any</member>
      </source>
      <destination>
        <member>AWS-NAT-UNTRUST</member>
      </destination>
      <service>any</service>
      <to-interface>ethernet1/1</to-interface>
      <destination-translation>
        <translated-address>AWS-NAT-ILB</translated-address>
      </destination-translation>
      <source-translation>
        <dynamic-ip-and-port>
          <interface-address>
            <interface>ethernet1/2</interface>
          </interface-address>
        </dynamic-ip-and-port>
      </source-translation>
    </entry>
  </rules>
</nat>

NAT Policy Address Objects

<address>
  <entry name="AWS-NAT-ILB">
    <ip-netmask>192.168.12.223</ip-netmask>
    <description>ILB-IP-address</description>
  </entry>
  <entry name="AWS-NAT-UNTRUST">
    <ip-netmask>192.168.11.115</ip-netmask>
    <description>UNTRUST-IP-address</description>
  </entry>
</address>
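The hand edits that Option 1 (steps 10 and 11) and Option 2 (steps 6 and 7) describe, applied by a script using the NAT rule and address objects above, so the result is the same on every export and can be checked before it is uploaded. This is an added example, not code from the guide or its GitHub repository; SAMPLE_SNAPSHOT is a constructed, abbreviated stand-in for an exported configuration, and the element paths it assumes (deviceconfig/system, vsys/entry/rulebase, vsys/entry/import) are this example's own.

```python
"""Automate the bootstrap.xml edits from "Customize the Bootstrap.xml File".

Added example, not code from the Palo Alto Networks guide or its GitHub repository. It
removes the management addressing after </service> or </type> inside <system>, forces
<server-verification> to "no", and inserts the nat-for-asg rule after </security> and the
address objects after </import>. SAMPLE_SNAPSHOT is a constructed stand-in (paths assumed).
"""
import xml.etree.ElementTree as ET
# The NAT rule and address objects as printed in the guide (whitespace compacted).
NAT_RULE_XML = """<nat><rules><entry name="nat-for-asg">
  <to><member>Untrust</member></to><from><member>any</member></from>
  <source><member>any</member></source><destination><member>AWS-NAT-UNTRUST</member></destination>
  <service>any</service><to-interface>ethernet1/1</to-interface>
  <destination-translation><translated-address>AWS-NAT-ILB</translated-address></destination-translation>
  <source-translation><dynamic-ip-and-port><interface-address><interface>ethernet1/2</interface>
  </interface-address></dynamic-ip-and-port></source-translation>
</entry></rules></nat>"""
ADDRESS_XML = """<address>
  <entry name="AWS-NAT-ILB"><ip-netmask>192.168.12.223</ip-netmask><description>ILB-IP-address</description></entry>
  <entry name="AWS-NAT-UNTRUST"><ip-netmask>192.168.11.115</ip-netmask><description>UNTRUST-IP-address</description></entry>
</address>"""

# Constructed stand-in for an exported snapshot; a real export is thousands of lines.
SAMPLE_SNAPSHOT = """<config version="8.0.0"><devices><entry name="localhost.localdomain">
<deviceconfig><system>
  <type><static/></type><service><disable-telnet>yes</disable-telnet></service>
  <ip-address>10.0.0.5</ip-address><netmask>255.255.255.0</netmask>
  <default-gateway>10.0.0.1</default-gateway><public-key>PLACEHOLDER-KEY</public-key>
  <server-verification>yes</server-verification>
</system></deviceconfig>
<vsys><entry name="vsys1">
  <rulebase><security><rules/></security></rulebase>
  <import><network><interface><member>ethernet1/1</member></interface></network></import>
</entry></vsys></entry></devices></config>"""

MGMT_TAGS = {"ip-address", "netmask", "default-gateway", "public-key"}


def strip_management_addressing(root: ET.Element) -> int:
    """Option 2, step 7: inside each <system>, delete the addressing elements that
    follow </service> or </type>.  Returns the number of elements removed."""
    removed = 0
    for system in list(root.iter("system")):
        children = list(system)
        anchors = [i for i, c in enumerate(children) if c.tag in ("service", "type")]
        for child in children[min(anchors) + 1:] if anchors else []:
            if child.tag in MGMT_TAGS:
                system.remove(child)
                removed += 1
    return removed


def disable_server_verification(root: ET.Element) -> int:
    """Option 1, step 11: a PAN-OS 8.0 export must carry <server-verification>no</server-verification>."""
    changed = 0
    for el in root.iter("server-verification"):
        if (el.text or "").strip() != "no":
            el.text = "no"
            changed += 1
    return changed


def insert_after(root: ET.Element, anchor_tag: str, new_element: ET.Element) -> bool:
    """Place new_element right after the first <anchor_tag>, mirroring the guide's
    'search for </tag> and paste after it' instruction."""
    for parent in root.iter():
        for idx, child in enumerate(list(parent)):
            if child.tag == anchor_tag:
                parent.insert(idx + 1, new_element)
                return True
    return False


def customize_bootstrap(snapshot_xml: str) -> str:
    """Return the customized bootstrap.xml text.  Safe to run twice: the NAT rule and
    the address objects are added only when they are not already present."""
    root = ET.fromstring(snapshot_xml)
    strip_management_addressing(root)
    disable_server_verification(root)
    if root.find(".//rulebase/nat") is None:
        if not insert_after(root, "security", ET.fromstring(NAT_RULE_XML)):
            raise ValueError("no <security> rulebase found; cannot place the NAT rule")
    if root.find(".//address/entry[@name='AWS-NAT-ILB']") is None:
        if not insert_after(root, "import", ET.fromstring(ADDRESS_XML)):
            raise ValueError("no <import> section found; cannot place the address objects")
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text: str) -> dict:
    """The facts worth checking in the result before uploading it to the S3 config folder."""
    root = ET.fromstring(xml_text)
    system = root.find(".//deviceconfig/system")
    return {
        "mgmt_left": sorted(c.tag for c in system if c.tag in MGMT_TAGS),
        "server_verification": root.findtext(".//server-verification"),
        "rulebase_order": [c.tag for c in root.find(".//rulebase")],
        "vsys_order": [c.tag for c in root.find(".//vsys/entry")],
        "addresses": sorted(e.get("name") for e in root.findall(".//address/entry")),
    }
```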

Stack Update with VM-Series Auto Scaling Template for AWS (v1.2)

A stack update allows you to modify the resources that the VM-Series Auto Scaling template deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters:
- PAN-OS version: Deploy new VM-Series firewalls with a different PAN-OS version.

- License: Switch from BYOL to PAYG and vice versa, or switch from one PAYG bundle to another.
- Other stack resources: Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the instance type and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall.
When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the AMI ID, the instance type and the key pair for your auto scaling group. To modify these parameters, you must update the stack and then replace the existing auto scaling group with a new auto scaling group that uses the updated stack parameters to create the launch configuration and deploy new instances with these new parameters; existing instances continue to run with the configuration that they were originally launched with. This phased rollout allows you to verify the updates in one AZ at a time and then complete the changes across the other AZs without disruption. For critical applications, perform a stack update during a maintenance window.
You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.

Stack Update with VM-Series Auto Scaling Template v1.2

Step 1  In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.


Step 2  Modify the resources that you want to update.
  - PAN-OS version: To modify the PAN-OS version, look up the AMI ID for the version you want to use and enter the ID. If you are upgrading to PAN-OS 8.0, make sure to select an instance type that meets the VM-Series System Requirements.
  - License option: Switch from BYOL to PAYG or across PAYG bundles 1 and 2.
    If you're switching to BYOL, make sure to include the auth code in the bootstrap package (see Step 3 and Step 5).
    If you're switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM-Series firewall.
  - Other stack resources: You can modify the AMI ID, the instance type, the security group or the key pair for the stack resources, or the API key associated with the administrative user account on the firewall.
    If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, then in order to update that stack and deploy new firewalls with the updated API key you need to follow the workflow in Modify Administrative Account and Update Stack.

Step 3  Acknowledge the notifications, review the changes, and click Update to initiate the stack update.

Step 4  On the EC2 dashboard, select Auto Scaling Groups and pick an AZ in which to delete the ASG.
  Deleting an ASG allows you to replace the existing ASGs (one at a time) with a new ASG that uses the new parameters.


Step 5  Delete the launch configuration.

Step 6  Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG.
  Test the new ASG thoroughly and ensure it is properly handling traffic. As a best practice, wait one hour before continuing to the next ASG.

Step 7  Repeat Step 4 through Step 6 to replace the ASGs in the remaining AZs.

Modify Administrative Account and Update Stack

If you have already deployed the template and now want to change the password for the administrative account or create a new administrative user account on the VM-Series firewall, you must generate a new API key and update the template stack with the new API key for the administrative user account. In addition, to ensure that new firewall instances are configured with the updated administrative user account, you need to export the firewall configuration and rename it to bootstrap.xml, then upload it to the S3 bootstrap folder that the VM-Series Auto Scaling template uses.

Step 1  Log in to the web interface of the firewall and change the credentials for an existing administrative user or create a new account.

Step 2  Generate the API key.

Step 3  Export the current running configuration and rename it to bootstrap.xml.

Step 4  Upload this bootstrap.xml file to the S3 bootstrap folder.

Step 5  Update the API key in the stack to ensure that newly launched firewalls will have the updated administrator account. See Stack Update with VM-Series Auto Scaling Template for AWS (v1.2) for details.

Troubleshoot the VM-Series Auto Scaling Template for AWS

When deploying the VM-Series Auto Scaling template, if the template stack is unable to provision the resources specified in the template, the process automatically rolls back and deletes the resources that were successfully created. Because an initial error can trigger a cascade of additional errors, you need to review the logs to locate the first failure event.

Deployment Issues

Error: Inadequate number of Elastic IP addresses (EIPs)
AWS Lambda requires an EIP address to successfully launch the firewall.
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the template that failed to deploy and view the list of Events.
3. Look through the failure events for "maximum number of addresses has been reached".

Error: Stack name is longer than 10 characters.
The VM-Series Auto Scaling template deployment fails if the stack name is longer than 10 characters.
1. On the AWS Management Console, select CloudWatch > Logs.
2. In the Log Groups list, select the name of the Log Stream for the template that failed to deploy so that you can find the error.
3. Filter for ERROR events and look for "stack name more than 10 characters long".

Error: The instance size does not meet the minimum system requirements for the VM-Series firewall model.
The VM-Series Auto Scaling template deployment fails if the instance size you selected does not match the VM-Series System Requirements.

Error: Unable to log in to the firewall
The reasons you cannot log in to the firewall can be:
- The firewall is not configured properly because the bootstrap process failed.
- You chose the NAT gateway option to conserve the use of EIP addresses, so the firewall does not have a publicly accessible IP address. If you are not using Panorama to manage the firewall, then to access the CLI or web interface on the firewall on the private IP address assigned by AWS, you must deploy a bastion host or jump server on the same subnet as the firewall and assign a public IP address to the jump server. Then log in to the jump server and connect to the firewall.
- You edited the bootstrap.xml file and the NAT policy is missing or incorrect.
1. To troubleshoot, first check that the template references the correct S3 bucket with the bootstrap files:
   a. On the EC2 Dashboard, select Instances.
   b. Select the firewall instance, and click Actions > View/Change User Data.
   c. Verify the name for the S3 bucket that contains the bootstrap files.
   d. Verify that you created the S3 bucket at the root level, directly under All Buckets. If you nest the S3 bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files. See Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template.
   e. Verify that the S3 bucket is in the same region in which you are deploying the VM-Series Auto Scaling template.
2. Check if the internet-facing ELB is in service. If bootstrapping fails, the VM-Series firewall for load balancing traffic will be out of service.
   a. Select EC2 > Load Balancers.
   b. Select the internet-facing (or external) classic ELB to verify that the VM-Series firewall instances are in service.
   The following screenshot shows that the VM-Series firewalls are not in service.


3. If the VM-Series firewalls are in service, check that the NAT policy was successfully committed.
   If you edited the bootstrap.xml file and deleted or modified the NAT policy rules, the firewall may have a misconfiguration that prevents traffic from being properly routed to the firewall.


Error: AWS Lambda is not supported in the region in which you are deploying the VM-Series Auto Scaling template.
To find the error:
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the template that failed to deploy and view the list of Events. The error is "Resource is not supported in this region".

Error: Failure to successfully create a resource with a message such as:
   Embedded stack arn:aws:cloudformation:<AWS region>:290198859335:stack/<name of your stack> was not successfully created: The following resource(s) failed to create: [ResourceName].

To find the errors:
1. On the AWS Management Console, select CloudWatch.
2. Click on Logs and then select Lambda function on the right. You'll see one or more log streams.
3. Search for [ERROR] and [CRITICAL].
The following example shows that the ELB specified was not found:

Error: Failure to launch the VM-Series Auto Scaling template because of a missing required parameter or not specifying the AWS Availability Zones for the template.
To find the error:
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the template that failed to deploy. A generic template validation error displays.


Error: Failure to launch the VM-Series Auto Scaling template because you did not accept the End User License Agreement (EULA) for the PAYG VM-Series Firewall Bundle you are deploying.
1. On the EC2 Dashboard, select Auto Scaling Groups.
2. Check the details on the failure to launch the firewalls in the ASG. The error indicates that you must accept the terms for deploying the VM-Series firewalls.


List of Attributes Monitored on the AWS VPC

You can monitor up to a total of 32 attributes: 14 predefined and 18 user-defined as key-value pairs. The following attributes (or tag names) are available as match criteria for dynamic address groups.

Attribute                                  Format

Architecture                               Architecture.<Architecture string>
Guest OS                                   GuestOS.<guest OS name>
Image ID                                   ImageId.<ImageId string>
Instance ID                                InstanceId.<InstanceId string>
Instance State                             InstanceState.<instance state>
Instance Type                              InstanceType.<instance type>
Key Name                                   KeyName.<KeyName string>
Placement Tenancy, Group Name,             Placement.Tenancy.<string>
Availability Zone                          Placement.GroupName.<string>
                                           Placement.AvailabilityZone.<string>
Private DNS Name                           PrivateDnsName.<Private DNS Name>
Public DNS Name                            PublicDnsName.<Public DNS Name>
Subnet ID                                  SubnetID.<subnet ID string>
Tag (key, value)                           awstag.<key>.<value>
                                           Maximum of 18 of these tags are supported per instance.
VPC ID                                     VpcId.<VpcId string>

IAM Permissions Required for Monitoring the AWS VPC

In order to enable VM Monitoring, the user's AWS login credentials tied to the AWS Access Key and Secret Access Key must have permissions for the attributes listed above. These privileges allow the firewall to initiate API calls for monitoring the virtual machines in the AWS VPC.
The IAM policy associated with the user must either have global read-only access such as AmazonEC2ReadOnlyAccess, or must include individual permissions for all of the monitored attributes. The following IAM policy example lists the permissions for initiating the API actions for monitoring the resources in the AWS VPC:
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "ec2:DescribeAvailabilityZones",
           "ec2:DescribeImages",
           "ec2:DescribeInstances",
           "ec2:DescribeInstanceStatus",
           "ec2:DescribeKeyPairs",
           "ec2:DescribePlacementGroups",
           "ec2:DescribeRegions",
           "ec2:DescribeSubnets",
           "ec2:DescribeTags",
           "ec2:DescribeVpcs"
         ],
         "Resource": [
           "*"
         ]
       }
     ]
   }
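As an added example (not from the guide), the following Python script checks that a policy document covers the Describe actions listed above and flags Allow statements that grant more than read-only EC2 access; the policies fed to it are constructed for illustration.

```python
"""Audit an IAM policy document for VM-Series VM Monitoring on AWS.

Added example, not from the deployment guide. REQUIRED_ACTIONS is the list
printed in the guide's sample policy; the policy documents below are
constructed for illustration.
"""
import fnmatch

# The ec2:Describe* calls the firewall makes when monitoring the VPC.
REQUIRED_ACTIONS = [
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeKeyPairs",
    "ec2:DescribePlacementGroups",
    "ec2:DescribeRegions",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVpcs",
]

# Constructed: the guide's policy. EC2 Describe* calls do not support
# resource-level permissions, so Resource has to be "*".
GUIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": ["*"]}],
}

# Constructed: also satisfies the firewall, but hands the monitoring key
# far more than it needs (instance start/stop, security-group edits, ...).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalize."""
    return value if isinstance(value, list) else [value]


def allow_patterns(policy):
    """Return the Action patterns of all Allow statements (Deny is ignored here)."""
    patterns = set()
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") == "Allow":
            patterns.update(_as_list(statement.get("Action", [])))
    return patterns


def action_matches(action, pattern):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return (missing, overbroad).

    missing   - required Describe actions that no Allow pattern covers;
                with any of these absent, VM Monitoring calls will fail.
    overbroad - Allow patterns reaching beyond read-only EC2 calls
                (anything that is not a Describe/Get/List action), which the
                monitoring credentials never need.
    """
    patterns = allow_patterns(policy)
    missing = [a for a in REQUIRED_ACTIONS
               if not any(action_matches(a, p) for p in patterns)]
    read_only_prefixes = ("describe", "get", "list")
    overbroad = sorted(
        p for p in patterns
        if ":" not in p  # a bare "*" grants every service
        or not p.split(":", 1)[1].lower().startswith(read_only_prefixes)
    )
    return missing, overbroad


if __name__ == "__main__":
    for name, policy in (("guide", GUIDE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        missing, overbroad = audit_policy(policy)
        print("%-10s missing=%s overbroad=%s" % (name, missing, overbroad))
```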



Set Up the VM-Series Firewall on KVM

Kernel-based Virtual Machine (KVM) is an open-source virtualization module for servers running Linux distributions. The VM-Series firewall can be deployed on a Linux server that is running the KVM hypervisor.
This guide assumes that you have an existing IT infrastructure that uses Linux and have the foundation for using Linux/Linux tools. The instructions only pertain to deploying the VM-Series firewall on KVM.
• VM-Series on KVM Requirements and Prerequisites
• Supported Deployments on KVM
• Install the VM-Series Firewall on KVM
• Performance Tuning of the VM-Series for KVM


VM-Series on KVM Requirements and Prerequisites

• System Requirements
• Options for Attaching the VM-Series on the Network
• Prerequisites for VM-Series on KVM

System Requirements

Requirements                 Description

Hardware Resources           See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.

Software Versions            Ubuntu:
                             • 14.04 LTS (QEMU-KVM 2.0.0 and libvirt 1.2.2)
                             • 16.04 LTS (QEMU-KVM 2.5.0; libvirt 1.3.1; Open vSwitch 2.5.0)
                             CentOS/Red Hat Enterprise Linux: 7.2 (QEMU-KVM 1.5.3 and libvirt 2.0.0)
                             Open vSwitch: 2.3.1 and later

Network Interfaces:          The VM-Series on KVM supports a total of 25 interfaces: 1 management interface and a maximum of 24 network interfaces for data traffic.
Network Interface Cards      VM-Series deployed on KVM supports software-based virtual switches such as the Linux bridge or the Open vSwitch bridge, and direct connectivity to PCI passthrough or an SR-IOV capable adapter.
and Software Bridges         On the Linux bridge and OVS, the e1000 and virtio drivers are supported; the default driver rtl8139 is not supported.
                             For PCI passthrough/SR-IOV support, the VM-Series firewall has been tested for the following network cards:
                             • Intel 82576 based 1G NIC: SR-IOV support on all supported Linux distributions; PCI passthrough support on all except Ubuntu 12.04 LTS.
                             • Intel 82599 based 10G NIC: SR-IOV support on all supported Linux distributions; PCI passthrough support on all except Ubuntu 12.04 LTS.
                             • Broadcom 57112 and 578xx based 10G NIC: SR-IOV support on all supported Linux distributions; no PCI passthrough support.
                             Drivers: igb; ixgbe; bnx2x
                             Drivers: igbvf; ixgbevf; bnx2x
                             SR-IOV capable interfaces assigned to the VM-Series firewall must be configured as Layer 3 interfaces or as HA interfaces.

Data Plane Development       DPDK is enabled by default on VM-Series firewalls on KVM. For the VM-Series to take advantage of DPDK, you must configure Open vSwitch and DPDK on the host.
Kit (DPDK) Support           You must use a NIC with one of the following drivers:
                             • Virtual Driver: virtio
                             • NIC Drivers: ixgbe, ixgbevf, i40e, i40evf
                             SR-IOV capable interfaces assigned to the VM-Series firewall must be configured as Layer 3 interfaces or as HA interfaces.


Options for Attaching the VM-Series on the Network

• With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host. For external connectivity, data traffic uses the physical interface to which the bridge is attached.
• With PCI passthrough, data traffic is passed directly between the guest and the physical interface to which it is attached. When the interface is attached to a guest, it is not available to the host or to other guests on the host.
• With SR-IOV, data traffic is passed directly between the guest and the virtual function to which it is attached.

Prerequisites for VM-Series on KVM

Before you install the VM-Series firewall on the Linux server, review the following sections:
• Prepare the Linux Server
• Prepare to Deploy the VM-Series Firewall

Prepare the Linux Server

• Check the Linux distribution version. For a list of supported versions, see System Requirements.
• Verify that you have installed and configured KVM tools and packages that are required for creating and managing virtual machines, such as Libvirt.


• If you want to use a SCSI disk controller to access the disk to which the VM-Series firewall stores data, you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions, see Enable the Use of a SCSI Controller.
  KVM on Ubuntu 12.04 does not support the virtio-scsi controller.

• Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM-Series firewall and for connectivity to an external server or the Internet. The VM-Series firewall can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or an SR-IOV capable network card.
  - Make sure that the link state for all interfaces you plan to use is up; sometimes you have to manually bring them up.
  - Verify the PCI ID of all the interfaces. To view the list, use the command:
       virsh nodedev-list --tree
  - If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive traffic to/from the firewall. If not, create bridge(s) and verify that they are up before you begin installing the firewall.
  - If using PCI passthrough or SR-IOV, verify that the virtualization extensions (VT-d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
  - If using PCI passthrough, ensure that the VM-Series firewall has exclusive access to the interface(s) that you plan to attach to it.
    To allow exclusive access, you must manually detach the interface(s) from the Linux server; refer to the documentation provided by your network card vendor for instructions.
    To manually detach the interface(s) from the server, use the command:
       virsh nodedev-detach <pci id of interface>
    For example: pci_0000_07_10_0
    In some cases, in /etc/libvirt/qemu.conf, you may have to uncomment relaxed_acs_check = 1.
  - If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions.
    To enable virtual functions, you need to:
    1. Create a new file in this location: /etc/modprobe.d/
    2. Modify the file using the vi editor to make the functions persistent: vim /etc/modprobe.d/igb.conf
    3. Enable the number of virtual functions required: options igb max_vfs=4
    After you save the changes and reboot the Linux server, each interface (or physical function) in this example will have 4 virtual functions.
    Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported and for instructions to enable it.
• Configure the host for maximum VM-Series performance. Refer to Performance Tuning of the VM-Series for KVM for information about configuring each option.
  - Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries. Open vSwitch is required to use DPDK with the VM-Series firewall.
  - Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
  - Enable multi-queue support for NICs. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.


  - Isolate CPU resources in a NUMA node. You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node.

Prepare to Deploy the VM-Series Firewall

• Purchase the VM-Series model and register the authorization code on the Palo Alto Networks Customer Support website. See Create a Support Account and Register the VM-Series Firewall.
• Obtain the qcow2 image and save it on the Linux server. As a best practice, copy the image to the folder /var/lib/libvirt/qemu/images.
  If you plan to deploy more than one instance of the VM-Series firewall, make the required number of copies of the image. Because each instance of the VM-Series firewall maintains a link with the .qcow2 image that was used to deploy the firewall, to prevent any data corruption issues ensure that each image is independent and is used by a single instance of the firewall.


Supported Deployments on KVM

You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances of the VM-Series firewall on a Linux host. The VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. If you plan on using SR-IOV capable interfaces on the VM-Series firewall, you can only configure the interfaces as Layer 3 interfaces.
• Secure Traffic on a Single Host
• Secure Traffic Across Linux Hosts

Secure Traffic on a Single Host

To secure east-west traffic across guests on a Linux server, the VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces, where the firewall and the other guests on the server are connected using Linux bridges. In this deployment, all traffic between the web servers and the database servers is routed through the firewall; traffic across the database servers only or across the web servers only is processed by the bridge and is not routed through the firewall.

Secure Traffic Across Linux Hosts

To secure your workloads, more than one instance of the VM-Series firewall can be deployed on a Linux host. If, for example, you want to isolate traffic for separate departments or customers, you can use VLAN tags to logically isolate network traffic and route it to the appropriate VM-Series firewall. In the following example, one Linux host hosts the VM-Series firewalls for two customers, Customer A and Customer B, and the workload for Customer B is spread across two servers. In order to isolate traffic and direct it to the VM-Series firewall configured for each customer, VLANs are used.

In another variation of this deployment, a pair of VM-Series firewalls is deployed in a high availability setup. The VM-Series firewalls in the following illustration are deployed on a Linux server with SR-IOV capable adapters. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. Each virtual function attached to the VM-Series firewall is configured as a Layer 3 interface. The active peer in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.


Install the VM-Series Firewall on KVM

The libvirt API that is used to manage KVM includes a host of tools that allow you to create and manage virtual machines. To install the VM-Series firewall on KVM you can use any of the following methods:
• Manually create the XML definition of the VM-Series firewall, then use virsh to import the definition. Virsh is the most powerful tool that allows for full administration of the virtual machine.
• Use virt-install to create the definition for the VM-Series firewall and install it.
• Use the desktop user interface called virt-manager; virt-manager provides a convenient wizard to help you through the installation process.
The following procedure uses virt-manager to install the VM-Series firewall on a server running KVM on RHEL; the instructions for using virsh or virt-install are not included in this document.
If you are deploying several VM-Series firewalls and want to automate the initial configuration on the firewall, see Use an ISO File to Deploy the VM-Series Firewall.


Install the VM-Series on KVM

Step 1  Install the VM-Series firewall.
   1. On the Virt-manager, select Create a new virtual machine.
   2. Add a descriptive Name for the VM-Series firewall.
   3. Select Import existing disk image, browse to the image, and set the OS Type: Linux and Version: Red Hat Enterprise Linux 6. If you prefer, you can leave the OS Type and Version as Generic.
   4. Set the Memory to the minimum memory based on the VM-Series System Requirements of your VM-Series model.
   5. Set CPU to the minimum CPUs based on the VM-Series System Requirements of your VM-Series model.
   6. Select Customize configuration before install.
   7. Under Advanced options, select the bridge for the management interface, and accept the default settings.
   8. To modify disk settings:
      a. Select Disk, expand Advanced options and select Storage format qcow2; Disk Bus Virtio or IDE, based on your setup.
         If you want to use a SCSI disk bus, see Enable the Use of a SCSI Controller.
      b. Expand Performance options, and set Cache mode to writethrough. This setting improves installation time and execution speed on the VM-Series firewall.
   9. To add network adapters for the data interfaces:
      a. Select Add Hardware > Network if you are using a software bridge such as the Linux bridge or the Open vSwitch.
         For Host Device, enter the name of the bridge or select it from the drop-down list.
         To specify the driver, set Device Model to e1000 or virtio. These are the only supported virtual interface types.
      b. Select Add Hardware > PCI Host Device for PCI passthrough or an SR-IOV capable device.
         In the Host Device list, select the interface on the card or the virtual function.
      c. Click Apply or Finish.
   10. Click Begin Installation.
   11. Wait 5-7 minutes for the installation to complete.
   By default, the XML template for the VM-Series firewall is created and stored at /etc/libvirt/qemu.

Step 2  (Optional) Bootstrap the VM-Series firewall.
   If you are using bootstrapping to perform the configuration of your VM-Series firewall on KVM, refer to Bootstrap the VM-Series Firewall on KVM. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.

Step 3  Configure the network access settings for the management interface.
   1. Open a connection to the console.
   2. Log in to the firewall with username/password: admin/admin.
   3. Enter configuration mode with the following command:
         configure
   4. Use the following command to configure the management interface:
         set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
      where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.

Step 4  Verify which ports on the host are mapped to the interfaces on the VM-Series firewall. In order to verify the order of interfaces on the Linux host, see Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall.
   To make sure that traffic is handled by the correct interface, use the following command to identify which ports on the host are mapped to the ports on the VM-Series firewall.
      admin@PAN-VM> debug show vm-series interfaces all
      Phoenix_interface  BaseOS_port  BaseOS_MAC         PCI-ID
      mgt                eth0         52:54:00:d7:91:52  0000:00:03.0
      Ethernet1/1        eth1         52:54:00:fe:8c:80  0000:00:06.0
      Ethernet1/2        eth2         0e:c6:6b:b4:72:06  0000:00:07.0
      Ethernet1/3        eth3         06:1b:a5:7e:a5:78  0000:00:08.0
      Ethernet1/4        eth4         26:a9:26:54:27:a1  0000:00:09.0
      Ethernet1/5        eth5         52:54:00:f4:62:13  0000:00:10.0

Step 5  Access the web interface of the VM-Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications that you want to secure.
   Refer to the PAN-OS Administrator's Guide.


Enable the Use of a SCSI Controller

If you want the VM-Series firewall to use the disk bus type SCSI to access the virtual disk, use the following instructions to attach the virtio-scsi controller to the firewall and then enable the use of the virtio-scsi controller.

KVM on Ubuntu 12.04 does not support the virtio-scsi controller; the virtio-scsi controller can only be enabled on the VM-Series firewall running on RHEL or CentOS.
This process requires virsh because Virt-manager does not support the virtio-scsi controller.

Enable the VM-Series Firewall to use a SCSI Controller

Step 1  Create an XML file for the SCSI controller. In this example, it is called virt-scsi.xml.
   [root@localhost ~]# cat /root/virt-scsi.xml
   <controller type='scsi' index='0' model='virtio-scsi'>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
   </controller>
   Make sure that the slot used for the virtio-scsi controller does not conflict with another device.

Step 2  Associate this controller with the XML template of the VM-Series firewall.
   [root@localhost ~]# virsh attach-device --config <VM-Series_name> /root/virt-scsi.xml
   Device attached successfully

Step 3  Enable the firewall to use the SCSI controller.
   [root@localhost ~]# virsh attach-disk <VM-Series_name> /var/lib/libvirt/images/PA-VM-6.1.0-c73.qcow2 sda --cache none --persistent
   Disk attached successfully

Step 4  Edit the XML template of the VM-Series firewall. In the XML template, you must change the target disk and the disk bus used by the firewall.
   By default, the XML template is stored at /etc/libvirt/qemu.
   <disk type='file' device='disk'>
     <driver name='qemu' type='qcow2' cache='writeback'/>
     <source file='/var/lib/libvirt/images/PA-VM-7.0.0-c73.qcow2'/>
     <target dev='sda' bus='scsi'/>
     <address type='drive' controller='0' bus='0' target='0' unit='0'/>
   </disk>

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Regardless of whether you use virtual interfaces (Linux/OVS bridge) or PCI devices (PCI passthrough or SR-IOV capable adapter) for connectivity to the VM-Series firewall, the VM-Series firewall treats the interface as a PCI device. The assignment of an interface on the VM-Series firewall is based on PCI ID, which is a value that combines the bus, device or slot, and function of the interface. The interfaces are ordered starting at the lowest PCI ID, which means that the management interface (eth0) of the firewall is assigned to the interface with the lowest PCI ID.


Let's say you assign four interfaces to the VM-Series firewall: three virtual interfaces of type virtio and e1000, and the fourth is a PCI device. To view the PCI ID for each interface, enter the command virsh dumpxml $domain on the Linux host, where $domain is the name of the VM-Series firewall, to view the list of interfaces attached to the VM-Series firewall. In the output, check for the following networking configuration:

   <interface type='bridge'>
     <mac address='52:54:00:d7:91:52'/>
     <source bridge='mgmt-br'/>
     <model type='virtio'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>

   <interface type='bridge'>
     <mac address='52:54:00:f4:62:13'/>
     <source bridge='br8'/>
     <model type='e1000'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
   </interface>

   <interface type='bridge'>
     <mac address='52:54:00:fe:8c:80'/>
     <source bridge='br8'/>
     <model type='e1000'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
   </interface>

   <hostdev mode='subsystem' type='pci' managed='yes'>
     <source>
       <address domain='0x0000' bus='0x08' slot='0x10' function='0x1'/>
     </source>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
   </hostdev>

In this case, the PCI ID of each interface is as follows:
• First virtual interface PCI ID is 00:03:00
• Second virtual interface PCI ID is 00:10:00
• Third virtual interface PCI ID is 00:06:00
• Fourth interface PCI ID is 00:07:00
Therefore, on the VM-Series firewall, the interface with PCI ID of 00:03:00 is assigned as eth0 (management interface), the interface with PCI ID 00:06:00 is assigned as eth1 (ethernet1/1), the interface with PCI ID 00:07:00 is eth2 (ethernet1/2) and the interface with PCI ID 00:10:00 is eth3 (ethernet1/3).
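The ordering rule above can be applied mechanically to a virsh dumpxml result, which is useful before committing security policy to interface names. The following Python script is an added example, not part of the guide; DOMAIN_XML is constructed from the four device snippets shown, and the function names are the example's own.

```python
"""Work out the eth0..ethN order the VM-Series firewall gives its interfaces
by sorting a libvirt domain definition on guest PCI ID (bus, slot, function).

Added example, not from the deployment guide. DOMAIN_XML is constructed from
the <interface> and <hostdev> snippets in the guide; for a live guest, pass
the output of `virsh dumpxml <name>` to interface_order() instead.
"""
import xml.etree.ElementTree as ET

DOMAIN_XML = """<domain type='kvm'>
  <name>constructed-example</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:d7:91:52'/>
      <source bridge='mgmt-br'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:f4:62:13'/>
      <source bridge='br8'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:fe:8c:80'/>
      <source bridge='br8'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x08' slot='0x10' function='0x1'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </hostdev>
  </devices>
</domain>
"""


def _pci_tuple(addr):
    """(bus, slot, function) as integers from an <address> element's hex attributes."""
    return tuple(int(addr.get(key), 16) for key in ("bus", "slot", "function"))


def _describe(dev):
    """Where the guest NIC comes from: MAC, bridge and model for a virtual NIC,
    the host-side PCI address for a passed-through or SR-IOV device."""
    if dev.tag == "interface":
        return "%s on %s (%s)" % (dev.find("mac").get("address"),
                                  dev.find("source").get("bridge"),
                                  dev.find("model").get("type"))
    host = dev.find("source/address")
    return "host PCI %s:%02x:%02x.%x" % ((host.get("domain")[2:],) + _pci_tuple(host))


def interface_order(domain_xml):
    """Return [(pci_id, origin, firewall_name), ...] sorted as the firewall
    enumerates them: lowest guest PCI ID becomes eth0 (management), the next
    eth1 (ethernet1/1), and so on.

    Only the device's own <address type='pci'> counts. A <hostdev>'s
    <source><address> is the host slot the VF lives in and plays no part in
    the guest-side ordering."""
    root = ET.fromstring(domain_xml)
    devices = (root.findall("./devices/interface")
               + root.findall("./devices/hostdev[@type='pci']"))
    rows = []
    for dev in devices:
        addr = dev.find("address[@type='pci']")  # direct child only
        if addr is None:
            continue  # no explicit guest address yet; libvirt assigns one on define
        rows.append((_pci_tuple(addr), _describe(dev)))
    rows.sort()
    result = []
    for index, (pci, origin) in enumerate(rows):
        pci_id = "%02x:%02x:%02x" % pci  # bus:slot:function, as the guide writes it
        name = "eth0 (management)" if index == 0 else "eth%d (ethernet1/%d)" % (index, index)
        result.append((pci_id, origin, name))
    return result


if __name__ == "__main__":
    for pci_id, origin, name in interface_order(DOMAIN_XML):
        print("%-9s %-20s %s" % (pci_id, name, origin))
```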

Use an ISO File to Deploy the VM-Series Firewall

If you want to pass a script to the VM-Series firewall at boot time, you can mount a CD-ROM with an ISO file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters for the management port of the firewall. The VM-Series firewall on first boot checks for the bootstrap-networkconfig.xml file, and uses the values defined in it.


If a single error is encountered in parsing the bootstrap file, the VM-Series firewall will reject all the configuration in this file and boot with default values.

Create a Bootable ISO File

Step 1  Create the XML file and define it as a virtual machine instance.
   For a sample file, see Sample XML file for the VM-Series Firewall. In this example, the VM-Series firewall is called PAN_Firewall_DC1.
   For example:
      user-PowerEdge-R510:~/kvm_script$ sudo vi /etc/libvirt/qemu/PAN_Firewall_DC1.xml
      user-PowerEdge-R510:~/kvm_script$ sudo virsh define /etc/libvirt/qemu/PAN_Firewall_DC1.xml
      Domain PAN_Firewall_DC1_bootstp defined from /etc/libvirt/qemu/PAN_Firewall_DC1.xml

      user-PowerEdge-R510:~/kvm_script$ sudo virsh -q attach-interface PAN_Firewall_DC1_bootstp bridge br1 --model=virtio --persistent

      user-PowerEdge-R510:~/kvm_script$ virsh list --all
       Id    Name                           State
      ----------------------------------------------------
       -     PAN_Firewall_DC1_bootstp       shut off

Step 2  Create the bootstrap XML file.
   You can define the initial configuration parameters in this file and name it bootstrap-networkconfig. If you do not want to include a parameter, for example panorama-server-secondary, delete the entire line from the file. If you leave the IP address field empty, the file will not be parsed successfully.
   Use the following example as a template for the bootstrap-networkconfig file. The bootstrap-networkconfig file can include the following parameters only:
      <vm-initcfg>
        <hostname>VM_ABC_Company</hostname>
        <ip-address>10.5.132.162</ip-address>
        <netmask>255.255.254.0</netmask>
        <default-gateway>10.5.132.1</default-gateway>
        <dns-primary>10.44.2.10</dns-primary>
        <dns-secondary>8.8.8.8</dns-secondary>
        <panorama-server-primary>10.5.133.4</panorama-server-primary>
        <panorama-server-secondary>10.5.133.5</panorama-server-secondary>
      </vm-initcfg>

Step 3  Create the ISO file. In this example, we use mkisofs.
   Save the ISO file in the images directory (/var/lib/libvirt/images) or the qemu directory (/etc/libvirt/qemu) to ensure that the firewall has read access to the ISO file.
   For example:
      # mkisofs -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot -o <iso-filename> bootstrap-networkconfig.xml


Step 4  Attach the ISO file to the CD-ROM.
   For example:
      # virsh -q attach-disk <vm-name> <iso-filename> sdc --type cdrom --mode readonly --persistent
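Because one parse error discards the whole file, it pays to check bootstrap-networkconfig.xml on the host before running mkisofs. The following Python validator is an added example, not part of the guide; ALLOWED is the element list from Step 2, and both sample documents are constructed (the first copied from the guide's template).

```python
"""Pre-flight check of a bootstrap-networkconfig.xml before burning the ISO.

The firewall discards the entire file on a single parse error and boots with
defaults, so an empty element, a misspelled tag or a malformed address is
better caught on the host than after a reboot.

Added example, not from the deployment guide. ALLOWED is the element list the
guide gives for <vm-initcfg>; both documents below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

ALLOWED = (
    "hostname", "ip-address", "netmask", "default-gateway",
    "dns-primary", "dns-secondary",
    "panorama-server-primary", "panorama-server-secondary",
)
# Every allowed element except hostname carries an IPv4 address or mask.
ADDRESS_FIELDS = frozenset(ALLOWED) - {"hostname"}

# Constructed: the guide's template, which should pass.
GOOD_CONFIG = """<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.5.132.1</default-gateway>
<dns-primary>10.44.2.10</dns-primary>
<dns-secondary>8.8.8.8</dns-secondary>
<panorama-server-primary>10.5.133.4</panorama-server-primary>
<panorama-server-secondary>10.5.133.5</panorama-server-secondary>
</vm-initcfg>
"""

# Constructed: an empty field (the mistake the guide warns about), a typo'd
# tag, and a duplicated element.
BAD_CONFIG = """<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address></ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.5.132.1</default-gateway>
<dns-primay>10.44.2.10</dns-primay>
<panorama-server-secondary>10.5.133.5</panorama-server-secondary>
<panorama-server-secondary>10.5.133.6</panorama-server-secondary>
</vm-initcfg>
"""


def validate_bootstrap(xml_text):
    """Return a list of problems; an empty list means the file should parse.

    Mirrors the firewall's all-or-nothing rule: every problem is reported,
    and any one of them is enough to reject the file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    problems = []
    if root.tag != "vm-initcfg":
        problems.append("root element must be <vm-initcfg>, found <%s>" % root.tag)
    seen = set()
    for element in root:
        tag = element.tag
        if tag not in ALLOWED:
            problems.append("<%s> is not a supported parameter" % tag)
            continue
        if tag in seen:
            problems.append("<%s> appears more than once" % tag)
        seen.add(tag)
        value = (element.text or "").strip()
        if not value:
            # The guide's rule: a blank field breaks parsing; remove the line instead.
            problems.append("<%s> is empty; delete the line rather than leaving it blank" % tag)
            continue
        if tag in ADDRESS_FIELDS:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append("<%s> is not an IPv4 address: %r" % (tag, value))
    return problems


def is_acceptable(xml_text):
    """True when the file has no problems and can go into the ISO."""
    return not validate_bootstrap(xml_text)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_bootstrap(doc) or "OK")
```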

Sample XML file for the VM-Series Firewall

   <?xml version="1.0"?>
   <domain type="kvm">
     <name>PAN_Firewall_DC1</name>
     <memory>4194304</memory>
     <currentMemory>4194304</currentMemory>
     <vcpu placement="static">2</vcpu>
     <os>
       <type arch="x86_64">hvm</type>
       <boot dev="hd"/>
     </os>
     <features>
       <acpi/>
       <apic/>
       <pae/>
     </features>
     <clock offset="utc"/>
     <on_poweroff>destroy</on_poweroff>
     <on_reboot>restart</on_reboot>
     <on_crash>restart</on_crash>
     <devices>
       <emulator>/usr/libexec/qemu-kvm</emulator>
       <disk type="file" device="disk">
         <driver type="qcow2" name="qemu"/>
         <source file="/var/lib/libvirt/images/panos-kvm.qcow2"/>
         <target dev="vda" bus="virtio"/>
       </disk>
       <controller type="usb" index="0"/>
       <controller type="ide" index="0"/>
       <controller type="scsi" index="0"/>
       <serial type="pty">
         <source path="/dev/pts/1"/>
         <target port="0"/>
         <alias name="serial0"/>
       </serial>
       <console type="pty" tty="/dev/pts/1">
         <source path="/dev/pts/1"/>
         <target type="serial" port="0"/>
         <alias name="serial0"/>
       </console>
       <input type="mouse" bus="ps2"/>
       <graphics type="vnc" port="5900" autoport="yes"/>
     </devices>
   </domain>

To modify the number of vCPUs assigned on the VM-Series firewall, change the value 2 to 4 or 8 vCPUs in this line of the sample XML file:
   <vcpu placement="static">2</vcpu>


Performance Tuning of the VM-Series for KVM

The VM-Series firewall for KVM is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall.
By default, KVM uses a Linux bridge for VM networking. However, the best performance in a virtual environment is realized with dedicated I/O interfaces (PCI passthrough or SR-IOV). If a virtual switch is required, use a performance-optimized virtual switch (such as Open vSwitch with DPDK).
• Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS
• Enable Open vSwitch on KVM
• Integrate Open vSwitch with DPDK
• Enable SR-IOV on KVM
• Enable Multi-Queue Support for NICs on KVM
• Isolate CPU Resources in a NUMA Node on KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

For ease of installation, Ubuntu 16.04.1 LTS is recommended for use as the KVM hypervisor platform.

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Step 1  Install KVM and OVS.
   1. Log in to the Ubuntu CLI.
   2. Execute the following commands:
      $ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils
      $ sudo apt-get install openvswitch-switch

Step 2  Check and compare the versions of relevant packages.
   Execute the following commands:
      $ virsh --version
      1.3.1
      $ libvirtd --version
      libvirtd (libvirt) 1.3.1
      $ /usr/bin/qemu-system-x86_64 --version
      QEMU emulator version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.6), Copyright (c) 2003-2008 Fabrice Bellard
      $ ovs-vsctl --version
      ovs-vsctl (Open vSwitch) 2.5.0
      Compiled Mar 10 2016 14:16:49
      DB Schema 7.12.1

Enable Open vSwitch on KVM

Enable OVS by modifying the guest XML definition network settings.


Enable OVS

Step 1  Modify the guest XML definition as follows.
   [...]
   <interface type='bridge'>
     <mac address='52:54:00:fb:00:01'/>
     <source bridge='ovsbr0'/>
     <virtualport type='openvswitch'/>
     <model type='virtio'/>
     <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
   </interface>
   [...]

Integrate Open vSwitch with DPDK

To integrate Open vSwitch (OVS) with DPDK, you must install the required components and then configure OVS. DPDK is enabled by default on the VM-Series firewall for KVM.
• Install QEMU, DPDK, and OVS on Ubuntu
• Configure OVS and DPDK on the Host
• Edit the VM-Series Firewall Configuration File

Install QEMU, DPDK, and OVS on Ubuntu

Before you can enable DPDK on OVS, you must install QEMU 2.5.0, DPDK 2.2.0, and OVS 2.5.1. Complete the following procedures to install the components.

Build and Install OVS-DPDK on Ubuntu 16.04

Step 1  Log in to the KVM host CLI.

Step 2  Install QEMU 2.5.0 by executing the following commands:
   apt-get install build-essential gcc pkg-config glib-2.0 libglib2.0-dev libsdl1.2-dev libaio-dev libcap-dev libattr1-dev libpixman-1-dev
   apt-get build-dep qemu
   apt-get install qemu-kvm libvirt-bin
   wget http://wiki.qemu.org/download/qemu-2.5.0.tar.bz2
   tar xjvf qemu-2.5.0.tar.bz2
   cd qemu-2.5.0
   ./configure
   make
   make install


Step 3  Install DPDK 2.2.0.
   1. Execute the following commands:
      wget http://dpdk.org/browse/dpdk/snapshot/dpdk-2.2.0.tar.gz
      tar xzvf dpdk-2.2.0.tar.gz
      cd dpdk-2.2.0
      vi config/common_linuxapp
   2. Change CONFIG_RTE_APP_TEST=y to CONFIG_RTE_APP_TEST=n
   3. Change CONFIG_RTE_BUILD_COMBINE_LIBS=n to CONFIG_RTE_BUILD_COMBINE_LIBS=y
   4. Execute the following command:
      vi GNUmakefile
   5. Change ROOTDIRS-y := lib drivers app to ROOTDIRS-y := lib drivers
   6. Execute the following command:
      make install T=x86_64-native-linuxapp-gcc

Step 4  Install OVS 2.5.1 by executing the following commands:
   wget http://openvswitch.org/releases/openvswitch-2.5.1.tar.gz
   tar xzvf openvswitch-2.5.1.tar.gz
   cd openvswitch-2.5.1
   ./configure --with-dpdk=/root/dpdk-2.2.0/x86_64-native-linuxapp-gcc/
   make
   make install

Configure OVS and DPDK on the Host

After installing the necessary components to support OVS and DPDK, you must configure the host to use OVS and DPDK.

Configure OVS and DPDK on the Host

Step 1 Log in to the KVM host CLI.

Step 2 If you are replacing or reconfiguring an existing OVS-DPDK setup, execute the following command to reset any previous configuration. Repeat the command for each interface.
rm /usr/local/var/run/openvswitch/<interface-name>

Step 3 Configure the initial hugepages for OVS (16384 pages of 2 MiB, that is, 32 GiB).
echo 16384 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

Step 4 Mount hugepages for QEMU:
mkdir /dev/hugepages
mkdir /dev/hugepages/libvirt
mkdir /dev/hugepages/libvirt/qemu
mount -t hugetlbfs hugetlbfs /dev/hugepages/libvirt/qemu

Step 5 Use the following command to kill any currently running OVS daemons.
killall ovsdb-server ovs-vswitchd

Step 6 Create directories for the OVS daemon.
mkdir -p /usr/local/etc/openvswitch
mkdir -p /usr/local/var/run/openvswitch


Step 7 Remove stale vhost-user sockets and the old configuration database.
rm -f /var/run/openvswitch/vhost-user*
rm -f /usr/local/etc/openvswitch/conf.db

Step 8 Initialize the configuration database.
ovsdb-tool create /usr/local/etc/openvswitch/conf.db \
/usr/local/share/openvswitch/vswitch.ovsschema

Step 9 Start the OVSDB server.
ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
--remote=db:Open_vSwitch,Open_vSwitch,manager_options \
--private-key=db:Open_vSwitch,SSL,private_key \
--certificate=db:Open_vSwitch,SSL,certificate \
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
--pidfile --detach

Step 10 Initialize OVS.
ovs-vsctl --no-wait init

Step 11 Export the path of the database socket so that the remaining commands can reach the server started in Step 9.
export DB_SOCK=/usr/local/var/run/openvswitch/db.sock

Step 12 Install the igb_uio module (network device driver) for DPDK.
cd ~/dpdk-2.2.0/x86_64-native-linuxapp-gcc/kmod
modprobe uio
insmod igb_uio.ko
cd ~/dpdk-2.2.0/tools/

Step 13 Enable DPDK on the data interfaces, using the PCI ID or the interface name. Binding an interface to igb_uio detaches it from the kernel network stack, so do not bind the interface that carries your management session to the host.
./dpdk_nic_bind.py --bind=igb_uio <your first data interface>
./dpdk_nic_bind.py --bind=igb_uio <your second data interface>

Step 14 Start the OVS daemon in DPDK mode. The -c option is a core mask for ovs-vswitchd: -c 0x1 runs the daemon on one core, -c 0x3 on two cores. The second command raises the hugepage pool to 50000 pages of 2 MiB.
ovs-vswitchd --dpdk -c 0x3 -n 4 -- unix:$DB_SOCK --pidfile --detach
echo 50000 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

Step 15 Create the OVS bridges and attach the DPDK ports to them.
ovs-vsctl add-br ovs-br0 -- set bridge ovs-br0 datapath_type=netdev
ovs-vsctl add-port ovs-br0 dpdk0 -- set Interface dpdk0 type=dpdk
ovs-vsctl add-br ovs-br1 -- set bridge ovs-br1 datapath_type=netdev
ovs-vsctl add-port ovs-br1 dpdk1 -- set Interface dpdk1 type=dpdk

Step 16 Create DPDK vhost-user ports for OVS.
ovs-vsctl add-port ovs-br0 vhost-user1 -- set Interface vhost-user1 type=dpdkvhostuser
ovs-vsctl add-port ovs-br1 vhost-user2 -- set Interface vhost-user2 type=dpdkvhostuser

Step 17 Set the number of hardware queues of the NIC used by the host.
ovs-vsctl set Open_vSwitch . other_config:n-dpdk-rxqs=8
ovs-vsctl set Open_vSwitch . other_config:n-dpdk-txqs=8

Step 18 Set the CPU mask used for the OVS PMD threads.
ovs-vsctl set Open_vSwitch . other_config:pmd-cpu-mask=0xffff


Step 19 Set the permissions on the DPDK vhost-user sockets and the hugepage mount so that the QEMU process can open them. The example below uses 777 (read, write, and execute for everyone), which also lets any other local process on the host connect to these sockets; on a shared host, prefer making them owned by the user and group QEMU runs as and using 770 or 660 instead.
chmod 777 /usr/local/var/run/openvswitch/vhost-user1
chmod 777 /usr/local/var/run/openvswitch/vhost-user2
chmod 777 /dev/hugepages/libvirt/qemu

Edit the VM-Series Firewall Configuration File

Edit the VM-Series firewall XML configuration file to support OVS and DPDK. You can edit the XML configuration file before or after deploying the VM-Series firewall. If you do this after deploying the firewall, be sure to shut down the firewall before making any changes. The values below are examples; your values for each parameter will vary based on your VM-Series model.


Edit the VM Configuration File

Step 1 Log in to the KVM host CLI.
Step 2 Edit the XML configuration file of your VM-Series firewall.
1. Open the XML config file using virsh edit <your-vm-series-name>.
2. Set the memory backing to hugepages. Ensure that you provide enough memory to support the VM-Series firewall model you are deploying on the host. See VM-Series System Requirements for more information.
<memory unit='KiB'>12582912</memory>
<currentMemory unit='KiB'>6291456</currentMemory>
<memoryBacking>
<hugepages/>
</memoryBacking>
3. Set the CPU mode for the VM.
<cpu mode='host-model'>
4. Enable memory sharing between the VM and the host. The <numa> element is a child of the <cpu> element.
<numa>
<cell id='0' cpus='0,2,4,6' memory='6291456' unit='KiB' memAccess='shared'/>
<cell id='1' cpus='1,3,5,7' memory='6291456' unit='KiB' memAccess='shared'/>
</numa>
5. Set the DPDK vhost-user ports as the VM-Series firewall's network interfaces. Additionally, set the number of virtio virtual queues provided to the VM-Series firewall by the host.
<interface type='vhostuser'>
<mac address='52:54:00:36:83:70'/>
<source type='unix' path='/usr/local/var/run/openvswitch/vhost-user1' mode='client'/>
<model type='virtio'/>
<driver name='vhost' queues='8'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</interface>
<interface type='vhostuser'>
<mac address='52:54:00:30:d7:94'/>
<source type='unix' path='/usr/local/var/run/openvswitch/vhost-user2' mode='client'/>
<model type='virtio'/>
<driver name='vhost' queues='8'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</interface>
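The edits above (hugepage memory backing, shared-memory NUMA cells, vhost-user interfaces with multi-queue virtio) are easy to get wrong by hand, for instance by misspelling the queues attribute or by placing <numa> outside <cpu>. The following Python script is an added example and is not Palo Alto Networks code: it generates those fragments from the guest's memory size and vCPU count and computes how many 2 MiB hugepages the guest needs. The socket paths and MAC addresses are the ones used above; the function names and the round-robin assignment of vCPUs to cells are assumptions.

```python
"""Generate the libvirt domain XML fragments that the procedure above
edits by hand: hugepage memory backing, NUMA cells with shared memory,
and vhost-user interfaces with multi-queue virtio.

Added example, not Palo Alto Networks code. Socket paths and MAC
addresses are the guide's; function names and the round-robin
vCPU-to-cell assignment are assumptions.
"""
import xml.etree.ElementTree as ET

HUGEPAGE_KIB = 2048  # the hugepages-2048kB pool sized in Steps 3 and 14


def hugepages_needed(memory_kib: int) -> int:
    """Number of 2 MiB hugepages required to back memory_kib of guest RAM."""
    return -(-memory_kib // HUGEPAGE_KIB)  # ceiling division


def numa_cells(vcpus: int, memory_kib: int, cells: int = 2) -> ET.Element:
    """<numa> element (a child of <cpu> in libvirt): vCPUs are dealt
    round-robin to cells, matching the even/odd host layout above, memory
    is split evenly, and memAccess='shared' is what vhost-user needs."""
    if memory_kib % cells:
        raise ValueError("guest memory must split evenly across NUMA cells")
    numa = ET.Element("numa")
    for cell_id in range(cells):
        cpu_list = ",".join(str(c) for c in range(cell_id, vcpus, cells))
        ET.SubElement(numa, "cell", id=str(cell_id), cpus=cpu_list,
                      memory=str(memory_kib // cells), unit="KiB",
                      memAccess="shared")
    return numa


def vhostuser_interface(mac: str, socket_path: str, slot: int,
                        queues: int) -> ET.Element:
    """<interface type='vhostuser'> that connects as a client to one OVS
    dpdkvhostuser socket and exposes a virtio NIC with `queues` queues."""
    iface = ET.Element("interface", type="vhostuser")
    ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "source", type="unix", path=socket_path,
                  mode="client")
    ET.SubElement(iface, "model", type="virtio")
    ET.SubElement(iface, "driver", name="vhost", queues=str(queues))
    ET.SubElement(iface, "address", type="pci", domain="0x0000", bus="0x00",
                  slot=f"0x{slot:02x}", function="0x0")
    return iface


def build_fragments(memory_kib: int, vcpus: int, ports: list,
                    queues: int) -> str:
    """All fragments, in the order the guide lists them. `ports` is a list
    of (mac, socket_path); PCI slots start at 0x04 as in the guide."""
    parts = [
        f"<memory unit='KiB'>{memory_kib}</memory>",
        f"<currentMemory unit='KiB'>{memory_kib}</currentMemory>",
        "<memoryBacking><hugepages/></memoryBacking>",
        "<cpu mode='host-model'>",
        ET.tostring(numa_cells(vcpus, memory_kib), encoding="unicode"),
        "</cpu>",
    ]
    for slot, (mac, path) in enumerate(ports, start=4):
        parts.append(ET.tostring(vhostuser_interface(mac, path, slot, queues),
                                 encoding="unicode"))
    return "\n".join(parts)


if __name__ == "__main__":
    ports = [("52:54:00:36:83:70", "/usr/local/var/run/openvswitch/vhost-user1"),
             ("52:54:00:30:d7:94", "/usr/local/var/run/openvswitch/vhost-user2")]
    print(build_fragments(12582912, 8, ports, 8))
    print("hugepages needed:", hugepages_needed(12582912))
```

Paste the printed fragments into the domain XML opened with virsh edit, and make sure the host's nr_hugepages (Steps 3 and 14) is at least the value printed for the guest plus what OVS itself reserves.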

Enable SR-IOV on KVM

Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. To enable SR-IOV on a KVM guest, define a pool of virtual function (VF) devices associated with a physical NIC and automatically assign VF devices from the pool to PCI IDs.
SR-IOV on the VM-Series for KVM requires one of the following Intel NIC drivers.

Driver Filename        Version
ixgbe/ixgbe.ko         4.2.0.4.1
ixgbevf/ixgbevf.ko     2.14.2
i40e/i40e.ko           1.3.49
i40evf/i40evf.ko       1.2.25

Complete the following procedure to enable SR-IOV.

Enable SR-IOV

Step 1 Define a network for a pool of VFs.
1. Generate an XML file with text similar to the following example. Change the value of pf dev to the ethdev corresponding to your SR-IOV device's physical function.
<network>
<name>passthrough</name>
<forward mode='hostdev' managed='yes'>
<pf dev='eth3'/>
</forward>
</network>
2. Save the XML file.
3. Execute the following commands:
$ virsh net-define <path to network XML file>
$ virsh net-autostart passthrough
$ virsh net-start passthrough

Step 2 After defining and starting the network, modify the guest XML definition to specify the network. When the guest starts, a VF is automatically assigned to the guest.
<interface type='network'>
<source network='passthrough'/>
</interface>

Enable Multi-Queue Support for NICs on KVM

Modify the guest XML definition to enable multi-queue virtio-net. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.

Enable Multi-Queue Support

Step 1 Modify the guest XML definition. Insert a value from 1 to 256 for N to specify the number of queues. For the best results, match the number of queues with the number of dataplane cores configured on the VM.
<interface type='network'>
<source network='default'/>
<model type='virtio'/>
<driver name='vhost' queues='N'/>
</interface>

Isolate CPU Resources in a NUMA Node on KVM

You can improve performance of the VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. On KVM, you can view the NUMA topology with virsh. The following example is from a two-node NUMA system:


Isolate CPU Resources in a NUMA Node

Step 1 View the NUMA topology. In the example below, there are two NUMA nodes (sockets), each with a four-core CPU with hyperthreading enabled. All the even-numbered CPU IDs belong to one node and all the odd-numbered CPU IDs belong to the other node. The siblings attribute lists the two hardware threads that share one physical core.
% virsh capabilities
[...]
<topology>
<cells num='2'>
<cell id='0'>
<memory unit='KiB'>33027228</memory>
<pages unit='KiB' size='4'>8256807</pages>
<pages unit='KiB' size='2048'>0</pages>
<distances>
<sibling id='0' value='10'/>
<sibling id='1' value='20'/>
</distances>
<cpus num='8'>
<cpu id='0' socket_id='1' core_id='0' siblings='0,8'/>
<cpu id='2' socket_id='1' core_id='1' siblings='2,10'/>
<cpu id='4' socket_id='1' core_id='2' siblings='4,12'/>
<cpu id='6' socket_id='1' core_id='3' siblings='6,14'/>
<cpu id='8' socket_id='1' core_id='0' siblings='0,8'/>
<cpu id='10' socket_id='1' core_id='1' siblings='2,10'/>
<cpu id='12' socket_id='1' core_id='2' siblings='4,12'/>
<cpu id='14' socket_id='1' core_id='3' siblings='6,14'/>
</cpus>
</cell>
<cell id='1'>
<memory unit='KiB'>32933812</memory>
<pages unit='KiB' size='4'>8233453</pages>
<pages unit='KiB' size='2048'>0</pages>
<distances>
<sibling id='0' value='20'/>
<sibling id='1' value='10'/>
</distances>
<cpus num='8'>
<cpu id='1' socket_id='0' core_id='0' siblings='1,9'/>
<cpu id='3' socket_id='0' core_id='1' siblings='3,11'/>
<cpu id='5' socket_id='0' core_id='2' siblings='5,13'/>
<cpu id='7' socket_id='0' core_id='3' siblings='7,15'/>
<cpu id='9' socket_id='0' core_id='0' siblings='1,9'/>
<cpu id='11' socket_id='0' core_id='1' siblings='3,11'/>
<cpu id='13' socket_id='0' core_id='2' siblings='5,13'/>
<cpu id='15' socket_id='0' core_id='3' siblings='7,15'/>
</cpus>
</cell>
</cells>


Step 2 Pin vCPUs in a KVM guest to specific physical CPUs by using the cpuset attribute in the guest XML definition. In this example, all 8 vCPUs are pinned to physical CPUs in the first NUMA node. If you do not wish to explicitly pin the vCPUs, you can omit the cputune block, in which case all vCPUs will be confined to the range of CPUs specified in cpuset but will not be explicitly mapped one-to-one.
<vcpu cpuset='0,2,4,6,8,10,12,14'>8</vcpu>
<cputune>
<vcpupin vcpu='0' cpuset='0'/>
<vcpupin vcpu='1' cpuset='2'/>
<vcpupin vcpu='2' cpuset='4'/>
<vcpupin vcpu='3' cpuset='6'/>
<vcpupin vcpu='4' cpuset='8'/>
<vcpupin vcpu='5' cpuset='10'/>
<vcpupin vcpu='6' cpuset='12'/>
<vcpupin vcpu='7' cpuset='14'/>
</cputune>
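To produce the pinning block above from the virsh capabilities output without copying CPU IDs by hand, the following Python script (an added example, not Palo Alto Networks code) parses the <topology> element, groups host CPUs by NUMA cell, and emits the <vcpu cpuset> and <cputune> fragments. SAMPLE_TOPOLOGY is the guide's two-node host reduced to its <cpu> elements; the helper names are assumptions. It also offers a one-thread-per-physical-core selection based on the siblings attribute, which the guide's example does not use (its 8 vCPUs occupy four physical cores and their hyperthread siblings).

```python
"""Parse the <topology> block of `virsh capabilities` and emit the
<vcpu cpuset> / <cputune> pinning for one NUMA node.

Added example, not Palo Alto Networks code. SAMPLE_TOPOLOGY is the
guide's two-node host reduced to its <cpu> elements; helper names are
assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the <topology> element from the virsh capabilities
# output shown in Step 1, with memory/pages/distances elements omitted.
SAMPLE_TOPOLOGY = """<topology><cells num='2'>
<cell id='0'><cpus num='8'>
<cpu id='0' socket_id='1' core_id='0' siblings='0,8'/>
<cpu id='2' socket_id='1' core_id='1' siblings='2,10'/>
<cpu id='4' socket_id='1' core_id='2' siblings='4,12'/>
<cpu id='6' socket_id='1' core_id='3' siblings='6,14'/>
<cpu id='8' socket_id='1' core_id='0' siblings='0,8'/>
<cpu id='10' socket_id='1' core_id='1' siblings='2,10'/>
<cpu id='12' socket_id='1' core_id='2' siblings='4,12'/>
<cpu id='14' socket_id='1' core_id='3' siblings='6,14'/>
</cpus></cell>
<cell id='1'><cpus num='8'>
<cpu id='1' socket_id='0' core_id='0' siblings='1,9'/>
<cpu id='3' socket_id='0' core_id='1' siblings='3,11'/>
<cpu id='5' socket_id='0' core_id='2' siblings='5,13'/>
<cpu id='7' socket_id='0' core_id='3' siblings='7,15'/>
<cpu id='9' socket_id='0' core_id='0' siblings='1,9'/>
<cpu id='11' socket_id='0' core_id='1' siblings='3,11'/>
<cpu id='13' socket_id='0' core_id='2' siblings='5,13'/>
<cpu id='15' socket_id='0' core_id='3' siblings='7,15'/>
</cpus></cell>
</cells></topology>"""


def cpus_by_cell(topology_xml: str) -> dict:
    """NUMA cell id -> sorted host CPU ids in that cell (threads included)."""
    root = ET.fromstring(topology_xml)
    return {int(cell.get("id")): sorted(int(c.get("id")) for c in cell.iter("cpu"))
            for cell in root.iter("cell")}


def physical_cores_only(topology_xml: str, cell_id: int) -> list:
    """One CPU id per physical core in cell_id (lowest id of each siblings
    group), for guests that must not share a core between two vCPUs."""
    root = ET.fromstring(topology_xml)
    chosen = set()
    for cell in root.iter("cell"):
        if int(cell.get("id")) == cell_id:
            for cpu in cell.iter("cpu"):
                chosen.add(min(int(s) for s in cpu.get("siblings").split(",")))
    return sorted(chosen)


def pinning_xml(vcpus: int, host_cpus: list) -> str:
    """<vcpu cpuset> restricted to host_cpus plus an explicit <cputune>
    that maps vCPU i to host_cpus[i]."""
    if vcpus > len(host_cpus):
        raise ValueError(f"{vcpus} vCPUs but only {len(host_cpus)} host CPUs selected")
    cpuset = ",".join(str(c) for c in host_cpus)
    lines = [f"<vcpu cpuset='{cpuset}'>{vcpus}</vcpu>", "<cputune>"]
    lines += [f"  <vcpupin vcpu='{i}' cpuset='{host_cpus[i]}'/>" for i in range(vcpus)]
    lines.append("</cputune>")
    return "\n".join(lines)


def pin_to_node(topology_xml: str, cell_id: int, vcpus: int,
                use_threads: bool = True) -> str:
    """Pinning for `vcpus` vCPUs confined to NUMA cell `cell_id`."""
    cpus = (cpus_by_cell(topology_xml)[cell_id] if use_threads
            else physical_cores_only(topology_xml, cell_id))
    return pinning_xml(vcpus, cpus)


if __name__ == "__main__":
    print(pin_to_node(SAMPLE_TOPOLOGY, 0, 8))
```

On a real host, feed the output of virsh capabilities (or just its <topology> element) to pin_to_node instead of SAMPLE_TOPOLOGY; asking for more vCPUs than the selected node can supply raises an error rather than silently spilling onto the other node.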



Set Up the VM-Series Firewall on Hyper-V

The VM-Series firewall can be deployed on a server running Microsoft Hyper-V. Hyper-V is packaged as a standalone hypervisor, called Hyper-V Server 2012 R2, or as an add-on/role for Windows Server 2012 R2.
Supported Deployments on Hyper-V
System Requirements on Hyper-V
Install the VM-Series Firewall on Hyper-V


Supported Deployments on Hyper-V

You can deploy one or more instances of the VM-Series on hosts running Hyper-V. Where you place the VM-Series firewall depends on your network topology. The VM-Series supports tap, virtual wire, Layer 2, and Layer 3 interface deployments.
Secure Traffic on a Single Hyper-V Host
Secure Traffic Across Multiple Hyper-V Hosts

Secure Traffic on a Single Hyper-V Host

The VM-Series firewall is deployed on a single Hyper-V host along with other guest VMs. In the example below, the VM-Series firewall has Layer 3 interfaces, and the VM-Series and the other guest VMs are connected by Hyper-V vSwitches. All traffic between the web servers and database servers is routed through the firewall. Traffic among the database servers only, or among the web servers only, is processed by the external vSwitch and is not routed through the firewall.

Secure Traffic Across Multiple Hyper-V Hosts

You can deploy your VM-Series firewall to secure the traffic of multiple Hyper-V hosts. In the example below, the VM-Series is deployed in Layer 2 mode protecting traffic to and from the guest VMs. A single VM-Series firewall protects traffic between four guest VMs spread across two Hyper-V hosts. VLAN tagging is used to logically isolate traffic and direct it to the firewall. Additionally, management traffic is decoupled from all other traffic by placing it on its own external vSwitch.


System Requirements on Hyper-V

The VM-Series requires a minimum resource allocation on the Hyper-V host, so make sure to conform to the requirements listed below to ensure optimal performance.
The host CPU must be a 64-bit x86-based Intel or AMD CPU with virtualization extensions.
See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Minimum of two network adapters. The VM-Series firewall supports synthetic network adapters, which provide better performance than emulated network adapters. Hyper-V supports up to eight synthetic network adapters.
Windows Server 2012 R2 with the Hyper-V role add-on. The Hyper-V role add-on for Windows Server 2012 R2 can be managed through Hyper-V Manager or PowerShell.
Hyper-V Server 2012 R2. Hyper-V Server 2012 R2 does not have a native graphical user interface; all configuration is done through PowerShell. However, Hyper-V Server 2012 R2 can be managed using Hyper-V Manager running on a remote machine.
The VM-Series does not support Legacy Network Adapter or SR-IOV/PCI Passthrough.

Linux Integration Services

Linux Integration Services (LIS) is a package of drivers and services that enhance the performance of Linux-based virtual machines on Hyper-V. The VM-Series firewall supports the following services to improve the integration between the host and the virtual machine:
Graceful Shutdown: Allows you to perform a graceful shutdown of the VM-Series firewall from the Hyper-V management interface without having to log in to the guest.
Heartbeat to Hyper-V Manager: Provides heartbeat monitoring of the running status of guest VMs from the Hyper-V management interface.
Firewall Management IP Address Visibility: Allows you to use Hyper-V Manager to view the IP address assigned to the management interface on the firewall.


Install the VM-Series Firewall on Hyper-V

Use the instructions in this section to deploy your VM-Series firewall on a Hyper-V host. A Palo Alto Networks support account and a valid VM-Series license are required to download the VHDX image file and install the VM-Series on the Hyper-V host. If you have not already registered the capacity auth code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After completing the registration, continue to the following tasks:
Before You Begin
Performance Tuning of the VM-Series Firewall on Hyper-V
Provision the VM-Series Firewall on a Hyper-V Host with Hyper-V Manager
Provision the VM-Series Firewall on a Hyper-V Host with PowerShell
Perform Initial Configuration on the VM-Series Firewall

Before You Begin

Before installing and configuring your VM-Series firewall, consider the following items and keep them in mind when completing your configuration.

Virtual Switch Types

Before installing the VM-Series, you must create the vSwitches required for providing external connectivity for management access and for routing traffic to and from the virtual machines that the firewall will secure. Hyper-V allows you to create three types of vSwitches:
External vSwitch: binds to a physical network adapter and provides the vSwitch access to a physical network.
Internal vSwitch: passes traffic between the virtual machines and the Hyper-V host. This type of vSwitch does not provide connectivity to a physical network connection.
Private vSwitch: passes traffic between the virtual machines on the Hyper-V host only.
An external vSwitch is required for management of the VM-Series firewall. Other vSwitches connected to the VM-Series firewall can be of any type and will depend on your network topology.

MAC Address Spoofing

If you are deploying the VM-Series firewall with interfaces enabled in Layer 3 mode, make sure to enable use of hypervisor-assigned MAC addresses so that the hypervisor and the firewall can properly handle packets. Alternatively, use the Hyper-V Manager to enable MAC address spoofing on the virtual network adapter for each dataplane interface on the firewall. For more information, see Hypervisor Assigned MAC Addresses.


If you are deploying the VM-Series firewall with interfaces enabled in Layer 2 mode or virtual wire mode, you must enable MAC address spoofing on the virtual network adapter in Hyper-V for each dataplane interface on the firewall. This setting is required to ensure that packets sent by the VM-Series are not dropped by the virtual network adapter if the source MAC address does not match the outgoing interface MAC address.

Performance Tuning of the VM-Series Firewall on Hyper-V

The VM-Series firewall for Hyper-V is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall.
Disable Virtual Machine Queues
Isolate CPU Resources in a NUMA Node

Disable Virtual Machine Queues

Palo Alto Networks recommends disabling virtual machine queues (VMQ) for all NICs on the Hyper-V host. This option is prone to misconfiguration and can cause reduced network performance when enabled.

Disable VMQ

Step 1 Log in to Hyper-V Manager and select your VM.

Step 2 Select Settings > Hardware > Network Adapter > Hardware Acceleration.

Step 3 Under Virtual machine queue, uncheck Enable virtual machine queue.

Step 4 Click Apply to save your changes and OK to exit the VM settings.

Isolate CPU Resources in a NUMA Node

You can improve performance of the VM-Series for Hyper-V by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. You can view the NUMA settings of your VM in Hyper-V Manager by selecting Settings > Hardware > Processor > NUMA.

Provision the VM-Series Firewall on a Hyper-V Host with Hyper-V Manager

Use these instructions to deploy the VM-Series firewall on Hyper-V using Hyper-V Manager.


Install the VM-Series Firewall on Hyper-V

Step 1 Download the VHDX file.
Register your VM-Series firewall and obtain the VHDX file.
1. Go to https://www.paloaltonetworks.com/support.
2. Filter by PAN-OS for VM-Series Base Images and download the VHDX file. For example, PA-VM-HPV-7.1.0.vhdx.

Step 2 Set up any vSwitch(es) that you will need.
To create a vSwitch:
1. From Hyper-V Manager, select the host and select Action > Virtual Switch Manager to open the Virtual Switch Manager window.
2. Under Create virtual switch, select the type of vSwitch (external, internal, or private) to create and click Create Virtual Switch.

Step 3 Install the firewall.
1. In Hyper-V Manager, select the host and select Action > New > Virtual Machine. Configure the following settings in the New Virtual Machine Wizard:
a. Choose a Name and Location for the VM-Series firewall. The VM-Series firewall stores the VHDX file at the specified location.
b. Choose Generation 1. This is the default option and the only version supported.
c. For Startup Memory, assign the memory based on the VM-Series System Requirements of your VM-Series model. Do not enable dynamic memory; the VM-Series firewall requires static memory allocation.
d. Configure Networking. Select an external vSwitch to connect the management interface on the firewall.
e. To connect the Virtual Hard Disk, select Use an existing virtual hard disk and browse to the VHDX file you downloaded earlier.
f. Review the summary and click Finish.
2. Assign virtual CPUs to the firewall.
a. Select the VM you created and navigate to Action > Settings.
b. Select Processor and enter the minimum number of CPUs based on the VM-Series System Requirements of your VM-Series model.
c. Click OK.

Step 4 Connect at least one network adapter for the dataplane interface on the firewall.
1. Select Settings > Hardware > Add Hardware and select the Hardware type for your network adapter. Legacy Network Adapter and SR-IOV are not supported; if selected, the VM-Series firewall will boot into maintenance mode.
2. Click OK.

Step 5 (Optional) Enable MAC address spoofing on Hyper-V if you are not using Layer 3 with hypervisor-assigned MAC addresses.
1. Double-click the dataplane virtual network adapter and click Advanced Settings.
2. Select the Enable MAC address spoofing check box and click Apply.


Step 6 Power on the firewall.
Select the firewall from the list of Virtual Machines and navigate to Action > Start to power on the firewall.

Provision the VM-Series Firewall on a Hyper-V Host with PowerShell

Use these instructions to deploy the VM-Series firewall on Hyper-V using PowerShell.

Install the VM-Series Firewall on Hyper-V

Step 1 Download the VHDX file.
Register your VM-Series firewall and obtain the VHDX file.
1. Go to https://www.paloaltonetworks.com/support.
2. Filter by PAN-OS for VM-Series Base Images and download the VHDX file. For example, PA-VM-HPV-7.1.0.vhdx.

Step 2 Set up any vSwitch(es) that you will need.
Create a vSwitch by using the following command. Give the vSwitch a name and choose the switch type. (An external vSwitch is bound to a physical adapter with -NetAdapterName <adapter-name> instead of -SwitchType.)
> New-VMSwitch -Name <"switch-name"> -SwitchType <switch-type>

Step 3 Install the VM-Series firewall.
1. Create the new virtual machine and set the memory based on the VM-Series System Requirements of your VM-Series model.
> New-VM -Name <vm-name> -MemoryStartupBytes 4GB -VHDPath <file-path-to-vhdx>
2. Set the processor count based on the VM-Series System Requirements of your VM-Series model.
> Set-VMProcessor -VMName <vm-name> -Count 2

Step 4 Connect at least one network adapter for the management interface on the firewall.
Connect the default network adapter created during VM creation to the management vSwitch.
> Connect-VMNetworkAdapter -VMName <vm-name> -Name <"network-adapter-name"> -SwitchName <"management-vswitch">

Step 5 (Optional) Enable MAC address spoofing on Hyper-V if you are not using Layer 3 with hypervisor-assigned MAC addresses.
> Set-VMNetworkAdapter -VMName <vm-name> -Name <"network-adapter-name"> -MacAddressSpoofing On

Step 6 Power on the firewall. For example:
> Start-VM -VMName <vm-name>


Perform Initial Configuration on the VM-Series Firewall

Use these instructions to perform the initial configuration of your VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM-Series firewall on Hyper-V, refer to Bootstrap the VM-Series Firewall on Hyper-V. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.

Configure the Management Interface

Step 1 Gather the required information from your network administrator.
Management port IP address
Netmask
Default gateway
DNS server IP address

Step 2 Access the console of the VM-Series firewall.
1. In Hyper-V Manager, select the VM-Series firewall and click Connect from the Actions list.
2. Log in to the firewall with the default username and password: admin/admin. Change this default password before the management interface is reachable from anything other than the console.
3. Enter configuration mode using the following command:
configure

Step 3 Configure the network access settings for the management interface. Enter the following commands:
set deviceconfig system type static
set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.

Step 4 Commit your changes and exit configuration mode.
1. Enter commit.
2. Enter exit.


Step 5 Verify that you can view the management interface IP address from Hyper-V Manager.
1. Select the VM-Series firewall from the list of Virtual Machines.
2. Select Networking. The first network adapter that displays in the list is used for management access to the firewall; subsequent adapters in the list are used as the dataplane interfaces on the firewall.

Step 6 Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and that the response includes the IP address for the Update server; the Update server does not respond to a ping request, so the replies below are expected.
admin@PA-200 > ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
After verifying DNS resolution, press Ctrl+C to stop the ping request.

2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks Update server:
request support check
If you have connectivity, the Update server will respond with the support status for your firewall.


Step 7 (Optional) Verify that your VM-Series jumbo frame configuration does not exceed the maximum MTU supported on Hyper-V.
The VM-Series has a default MTU size of 9216 bytes when jumbo frames are enabled. However, the maximum MTU size supported by the physical network adapter on the Hyper-V host is 9000 or 9014 bytes depending on the network adapter capabilities. To verify the configured MTU on Hyper-V:
1. In Windows Server 2012 R2, open the Control Panel and navigate to Network and Internet > Network and Sharing Center > View network status and tasks.
2. Click a network adapter or virtual switch in the list.
3. Click Properties.
4. Click Configure.
5. On the Advanced tab, select Jumbo Packet from the list.
6. Select 9000 or 9014 bytes from the Value drop-down menu.
7. Click OK.
If you have enabled jumbo frames on Hyper-V, Enable Jumbo Frames on the VM-Series Firewall and set the MTU size to match that configured on the Hyper-V host.

Step 8 Access the web interface of the VM-Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications you want to secure.
Refer to the PAN-OS Administrator's Guide.



Set up the VM-Series Firewall on Azure

The VM-Series firewall on Azure brings the security features of the Palo Alto Networks next-generation firewall as a virtual machine in the Azure public cloud and the Azure Government Cloud Marketplace. Microsoft Azure allows you to deploy the firewall to secure your workloads within the virtual network in the cloud, so that you can deploy a public cloud solution or you can extend the on-premises IT infrastructure to create a hybrid solution.
About the VM-Series Firewall on Azure
Deployments Supported on Azure
Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
Use the ARM Template to Deploy the VM-Series Firewall
Deploy the VM-Series and Azure Application Gateway Template


About the VM-Series Firewall on Azure

The VM-Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the VM-Series firewall on both the standard Azure public cloud and on Azure Government environments. The VM-Series firewall on Azure supports both the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) option (usage-based licensing). For the Azure Government Marketplace, the VM-Series firewall is available in the BYOL option only. To deploy the VM-Series on Azure Government, use the BYOL workflow outlined in Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template).
For licensing details, see License Types (VM-Series Firewalls), and refer to the list of supported Azure regions in which you can deploy the VM-Series firewall.

Azure DoD is a special region that offers a higher level of security classification than Azure Government. The VM-Series firewall is not supported in Azure DoD regions.

Azure Networking and VM-Series
VM-Series Firewall Templates on Azure
Minimum System Requirements for the VM-Series on Azure

Azure Networking and VM-Series

The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM-Series firewall, you must create user-defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.

On Azure, UDRs are for traffic leaving a subnet only. You cannot create user-defined routes to specify how traffic comes into a subnet from the Internet or to route traffic to virtual machines within a subnet.
For documentation on Microsoft Azure, refer to https://azure.microsoft.com/en-us/documentation/.

The solution templates for deploying the VM-Series firewall that are available in the Azure Marketplace have three network interfaces. Because the VNet infrastructure does not require virtual machines to have a network interface in each subnet, three network interfaces are sufficient for most deployments. If you want to customize the template, use the ARM templates that are available in the GitHub repository.
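As an added example of the UDR described above (not Palo Alto Networks code), the following Python script builds the Microsoft.Network/routeTables resource that sends traffic leaving a web subnet to a DB subnet through the firewall as a VirtualAppliance next hop. It rejects two mistakes the paragraph warns about: a next hop that is not the firewall's trust interface, and a route whose destination lies inside the source subnet, which Azure would never apply because UDRs govern only traffic leaving a subnet. The VNet and trust-subnet prefixes are the solution-template defaults from the guide; the web/DB subnet prefixes, the firewall trust IP, the resource names and the apiVersion are assumptions.

```python
"""Build the Azure user-defined route (UDR) table that steers traffic
leaving one subnet through the VM-Series firewall.

Added example, not Palo Alto Networks code. VNet and trust subnet
prefixes are the solution-template defaults in the guide; web/DB
prefixes, the firewall trust IP, resource names and apiVersion are
assumptions.
"""
import ipaddress

VNET = ipaddress.ip_network("192.168.0.0/16")
TRUST_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # firewall trust NIC lives here


def build_route_table(name: str, src_subnet: str, routes: list,
                      fw_trust_ip: str) -> dict:
    """Return a Microsoft.Network/routeTables ARM resource to associate
    with src_subnet. `routes` is a list of (route_name, destination_prefix);
    every destination is sent to the firewall as a VirtualAppliance hop."""
    src = ipaddress.ip_network(src_subnet)
    next_hop = ipaddress.ip_address(fw_trust_ip)
    if not src.subnet_of(VNET):
        raise ValueError(f"{src} is not inside the VNet {VNET}")
    if next_hop not in TRUST_SUBNET:
        raise ValueError(f"next hop {next_hop} is not on the trust subnet {TRUST_SUBNET}")
    entries = []
    for route_name, prefix in routes:
        dst = ipaddress.ip_network(prefix)
        # UDRs act only on traffic leaving the subnet: a destination inside
        # the source subnet is never matched, so reject it instead of
        # silently shipping a route that does nothing.
        if dst.subnet_of(src):
            raise ValueError(f"{dst} lies inside source subnet {src}; "
                             "intra-subnet traffic cannot be routed by a UDR")
        entries.append({
            "name": route_name,
            "properties": {
                "addressPrefix": str(dst),
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": str(next_hop),
            },
        })
    return {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": "2016-09-01",  # assumption: any API version with routeTables works
        "name": name,
        "location": "[resourceGroup().location]",
        "properties": {"routes": entries},
    }


if __name__ == "__main__":
    import json
    # Assumed web and DB subnets inside the template's 192.168.0.0/16 VNet
    # and an assumed firewall trust NIC address of 192.168.2.4.
    table = build_route_table("web-to-db", "192.168.10.0/24",
                              [("to-db", "192.168.20.0/24"),
                               ("default", "0.0.0.0/0")],
                              "192.168.2.4")
    print(json.dumps(table, indent=2))
```

Associate the resulting route table with the web subnet; the 0.0.0.0/0 entry additionally sends the web tier's Internet-bound traffic through the firewall, which the check allows because that destination is not inside the source subnet. Return traffic from the DB subnet needs its own route table, since each UDR only affects packets leaving the subnet it is attached to.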


VM-Series Firewall Templates on Azure

You can deploy the VM-Series firewall on Azure using templates. Palo Alto Networks provides two kinds of templates:
Solution Templates in the Azure Marketplace: The solution templates that are available in the Azure Marketplace allow you to deploy the VM-Series firewall using the Azure portal. You can use an existing resource group and storage account (or create them new) to deploy the VM-Series firewall with the following default settings:
VNet CIDR 192.168.0.0/16; you can customize the CIDR to a different private IP address range.
Three subnets: 192.168.0.0/24 (management), 192.168.1.0/24 (untrust), 192.168.2.0/24 (trust).
Three network interfaces, one in each subnet. If you customize the VNet CIDR, the subnet ranges map to your changes.
To use the solution template, see Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template).
ARM Templates in the GitHub Repository: In addition to Marketplace-based deployments, Palo Alto Networks provides Azure Resource Manager templates in the GitHub repository to simplify the process of deploying the VM-Series firewall on Azure.
Use the ARM Template to Deploy the VM-Series Firewall: The basic ARM template includes two JSON files (a Template file and a Parameters file) to help you deploy and provision all the resources within the VNet in a single, coordinated operation. These templates are provided under an as-is, best-effort support policy.
If you want to use the Azure CLI to locate all the images available from Palo Alto Networks, you need the following details to complete the image list command (show vm image list):
Publisher: paloaltonetworks
Offer: vmseries1
SKU: byol, bundle1, bundle2
Version: 8.0.0, 7.1.1 or latest

Deploy the VM-Series and Azure Application Gateway Template: Supports a scale-out security architecture that protects your Internet-facing web applications using two VM-Series firewalls between a pair of (external and internal) Azure load balancers. See VM-Series and Azure Application Gateway.

Minimum System Requirements for the VM-Series on Azure

You must deploy the VM-Series firewall in the Azure Resource Manager (ARM) mode only; the classic mode (Service Management-based deployments) is not supported. The VM-Series firewall on Azure must meet the following requirements:
Azure VMs of the following types: Standard_A4, Standard_D3, Standard_D3_v2, Standard_D4, Standard_D4_v2, Standard_D5_v2, Standard_DS5_v2.
For the memory, disk and CPU cores required to deploy the VM-Series firewall, see VM-Series System Requirements.
You can add additional disk space of 60 GB to 8 TB for logging purposes. The VM-Series firewall does not utilize the temporary disk that Azure provides.
Up to three network interfaces (NICs). A primary interface is required for management access and up to two interfaces for data traffic.


OnAzure,becauseavirtualmachinedoesnotrequireanetworkinterfaceineachsubnet,youcansetup
theVMSeriesfirewallwithjustthreenetworkinterfaces.Tocreatezonebasedpolicyrulesonthe
firewall,inadditiontothemanagementinterface,youneedatleasttwodataplaneinterfacessothatyou
canassignonedataplaneinterfacetothetrustzone,andtheotherdataplaneinterfacetotheuntrust
zone.
BecausetheAzureVNetisaLayer3network,theVMSeriesfirewallonAzuresupportsLayer3
interfacesonly.
VMSeriesonAzuredoesnotsupportthetraditionalactive/passivehighavailabilitywithsession
synchronization,asitisnotagoodfitforcloudarchitectures.Instead,forbothsmallandlargedeployments,
useascaleoutarchitectureusingcloudnativeloadbalancerssuchastheAzureApplicationGatewayor
AzureLoadBalancer.Fordetails,seeDeploytheVMSeriesandAzureApplicationGatewayTemplate.
NativeVMMonitoringcapabilitiesforvirtualmachinesthatarehostedonAzureisalsonotavailable.

Deployments Supported on Azure

Use the VM-Series firewall on Azure to secure your network users in the following scenarios:
Hybrid and VNet-to-VNet: The VM-Series firewall on Azure allows you to securely extend your physical data center/private cloud into Azure using IPSec and ExpressRoute. To improve your data center security, if you have segmented your network and deployed your workloads in separate VNets, you can secure traffic flowing between VNets with an IPSec tunnel and application whitelisting policies.
Inter-Subnet: The VM-Series firewall can front your servers in a VNet and protect against lateral threats for inter-subnet traffic between applications in a multi-tier architecture.
Gateway: The VM-Series firewall serves as the VNet gateway to protect Internet-facing deployments in the Azure Virtual Network (VNet). The VM-Series firewall secures traffic destined to the servers in the VNet and it also protects against lateral threats for inter-subnet traffic between applications in a multi-tier architecture.
GlobalProtect: Use the Azure infrastructure to quickly and easily deploy the VM-Series firewall as GlobalProtect and extend your gateway security policy to remote users and devices, regardless of location.
You can continue with Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) and configure the firewall and Azure for your deployment needs, or you can learn about the VM-Series Firewall Templates on Azure that you can use to deploy the firewall. For information on bootstrapping, see Bootstrap the VM-Series Firewall in Azure.

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

The following instructions show you how to deploy the solution template for the VM-Series firewall that is available in the Azure public or Government Cloud Marketplace. To use the customizable ARM templates available in the GitHub repository, see Use the ARM Template to Deploy the VM-Series Firewall.

Deploy the VM-Series Firewall on Azure

Step 1  Set up an Azure account.
    1. Create a Microsoft account.
    2. Log in to the Azure portal (https://portal.azure.com) using your Microsoft account credentials.
       If you are using a trial subscription, you may need to open a support request (Help + Support > New Support Request) to increase the quota of allocated VM cores.

Step 2  Find the VM-Series solution template in the Azure Marketplace.
    1. Select Azure Marketplace > Virtual Machines.
    2. Search for Palo Alto Networks. The offerings for the VM-Series firewall display. For the differences in the BYOL and PAYG models, see VM-Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
    3. Select an offering and click Create.

Step 3  Deploy the firewall.
    1. Configure basic settings for the firewall.
       a. Enter a Username for the firewall administrator.
       b. Enter a Password or copy and paste an SSH public key for securing administrative access to the firewall.
       c. Select your Azure Subscription.
       d. Create a new resource group for holding all the resources associated with the VM-Series firewall for this deployment.
          From the Azure Marketplace, you can deploy the VM-Series firewall into a new Resource Group, or an existing Resource Group that is empty. To deploy the firewall into an existing resource group that has other resources, use the ARM template in the GitHub Repository or your own custom ARM template. Ensure that the existing resources match the parameter values you provide in the ARM template.
       e. Select the Azure Location. This is the region in which you are deploying the firewall.
    2. Configure storage and networking.
       a. Select an existing storage account or create a new one.
       b. Select an existing VNet or create a new one, and enter the IP address space for the VNet. By default the CIDR is 10.0.0.0/16.
       c. Configure the subnets for the network interfaces. If you use an existing VNet, you must have defined three subnets, one each for the management, trust and untrust interfaces. If you create a new VNet, verify or change the prefixes for each subnet. The default subnets are 10.0.0.0/24 for the management subnet, 10.0.1.0/24 for the untrust subnet, and 10.0.2.0/24 for the trust subnet.
       d. Enter the source IP address or IP range (include CIDR) that can access the VNet. Network Security Group: inbound source IP allows you to restrict inbound access to the Azure VNet.
    3. Define management access to the firewall.
       a. Use the default variable (new PublicIP) to assign a Public IP address to the management interface (eth0) of the firewall.
       b. Enter a prefix to access the firewall using a DNS name. You must combine the prefix you enter with the suffix displayed on screen, for example <yourname>.centralus.cloudapp.azure.com, to access the web interface of the firewall.
       c. Enter a display name to identify the VM-Series firewall within the resource group.
       d. To select the PAN-OS version, use the VM-Series Version dropdown. The latest is the most recent release, which is 8.0.0 currently.
       e. Select the Azure virtual machine tier and size to meet your needs. See Minimum System Requirements for the VM-Series on Azure.
    4. Review the summary, accept the terms of use and privacy policy, and click Create to deploy the firewall.
    5. Verify that you have successfully deployed the VM-Series firewall.
       a. Select Dashboard > Resource Groups, select the resource group.
       b. Select All Settings > Deployments > Deployment History for detailed status.

Step 4  Attach a public IP address for the untrust interface of the VM-Series firewall.
    1. On the Azure portal, select the network interface for which you want to add a public IP address. For example the eth1 interface.
    2. Select IP Configurations > Add and for Public IP address, select Enabled. Create a new public IP address or select one that you have available.
    3. Verify that you can view the secondary IP address associated with the interface.

    When you attach a secondary IP address to a network interface, the VM-Series firewall does not automatically acquire the private IP address assigned to the interface. You will need to manually configure the private IP address using the VM-Series firewall web interface. See Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    Each interface on the VM-Series firewall on Azure can have one dynamic (default) or static private IP address, and multiple public IP addresses (static or dynamic) associated with it. The maximum number of public IP addresses you can assign to an interface is based on your Azure subscription. When you create a new public IP address you get one from the block of IP addresses Microsoft owns, so you can't choose a specific one.

Step 5  Log in to the web interface of the firewall.
    1. On the Azure portal, in All Resources, select the VM-Series firewall and view the full DNS name for the firewall.
    2. Using a secure connection (https) from your web browser, log in to the DNS name for the firewall.
    3. Enter the username/password you defined in the parameters file. You will see a certificate warning; that is okay. Continue to the web page.

Step 6  Activate the licenses on the VM-Series firewall.
    For the BYOL version
    1. Create a Support Account.
    2. Register the VM-Series Firewall (with auth code).
    3. On the firewall web interface, select Device > Licenses and select Activate feature using authentication code.
    4. Enter the capacity auth code that you registered on the support portal. The firewall will connect to the update server (updates.paloaltonetworks.com), and download the license and reboot automatically.
    5. Log back in to the web interface and confirm the following on the Dashboard:
       A valid serial number displays in Serial #.
       If the term Unknown displays, it means the device is not licensed. To view traffic logs on the firewall, you must install a valid capacity license.
       The VM Mode displays as Microsoft Azure.

    For the PAYG version
    1. Create a Support Account.
    2. Register the Usage-Based Model of the VM-Series Firewall in AWS and Azure (no auth code).

Step 7  Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    If you are hosting multiple websites or services with different IP addresses and SSL certificates on a single server, you might need to configure more than one IP address on the VM-Series firewall interfaces.
    With the support for multiple public IP addresses for the firewall interfaces, the NAT VM is no longer required. If you have an existing deployment that uses the NAT VM, reassign the public IP address from the NAT VM to the untrust interface on the firewall, and then delete the NAT VM, the UDR, and subnet.

    1. Select Network > Interfaces > Ethernet.
    2. Click the link for ethernet 1/1 and configure as follows:
       Interface Type: Layer3 (default).
       On the Config tab, assign the interface to the default router.
       On the Config tab, expand the Security Zone dropdown and select New Zone. Define a new zone called UnTrust, and then click OK.
       On the IPv4 tab, select DHCP Client if you plan to assign only one IP address on the interface. The private IP address assigned in the ARM template will be automatically acquired. If you plan to assign more than one IP address, select Static and manually enter the primary and secondary IP addresses assigned to the interface on the Azure portal.
       Clear the Automatically create default route to default gateway provided by server checkbox. Disabling this option ensures that traffic handled by this interface does not flow directly to the default gateway in the VNet.
    3. Click the link for ethernet 1/2 and configure as follows:
       Set Interface Type to Layer3 (default).
       Security Zone: Trust
       IP address: Select DHCP Client or Static.
       Clear the Automatically create default route to default gateway provided by server checkbox. Disabling this option ensures that traffic handled by this interface does not flow directly to the default gateway in the VNet.
    4. Click Commit. Verify that the link state for the interfaces is up.

Step 8  Configure the firewall for your specific deployment.
    Gateway: Deploy a 3rd party load balancer in front of the UnTrust zone.
    Hybrid and Inter-VNet: Deploy an Azure VPN Gateway or a NAT virtual machine in front of the UnTrust zone.
    Inter-Subnet: On the VM-Series firewall, add an intrazone security policy rule to allow traffic based on the subnets attached to the Trust interface.
    GlobalProtect: Deploy a NAT virtual machine in front of the UnTrust zone.

Step 9  Direct traffic to the VM-Series firewall.
    1. To ensure that the VM-Series firewall secures all traffic within the Azure resource group, configure static routes on the firewall.
    2. Configure UDRs to direct all traffic through the interfaces on the VM-Series firewall. Refer to the Azure documentation on UDRs for details.
       The UDRs on the internal subnets must send all traffic through the Trust interface. The UDRs on the UnTrust side direct all traffic from the Internet through the UnTrust interface on the VM-Series firewall. The traffic from the Internet may be coming from an Azure Application Gateway or Azure Load Balancer, or through the Azure VPN Gateway in case of a hybrid deployment that connects your on-premises network with the Azure cloud.

Use the ARM Template to Deploy the VM-Series Firewall

In addition to Marketplace-based deployments, Palo Alto Networks provides a GitHub repository which hosts sample ARM templates that you can download and customize for your needs. ARM templates are JSON files that describe the resources required for individual resources such as network interfaces, a complete virtual machine or even an entire application stack with multiple virtual machines.
To simplify the deployment of all the required resources, the template includes two JSON files:
Template File: The azureDeploy.json is the main resources file that deploys all the components within the resource group.
Parameters File: The azureDeploy.parameters.json is the file that includes the parameters required to successfully deploy the VM-Series firewall in the VNet. It includes details such as the virtual machine tier and size, username and password for the firewall, and the name of the storage container for the firewall. You can customize this file for your Azure VNet deployment.
To help you deploy the firewall as a gateway for Internet-facing applications, the template provisions the VM-Series firewall, a database server, a web server and a virtual machine that performs NAT so that the VM-Series firewall can receive data traffic from the Internet. The NAT virtual machine fronts the firewall and receives data traffic on its public IP address, which it then routes to the firewall. The VNet uses the private non-routable IP address space 192.168.0.0/16. You can modify the template to use 172.16.0.0/12, or 10.0.0.0/8.
The ARM template also provides the necessary user-defined rules and IP forwarding flags to enable the VM-Series firewall to secure the Azure resource group. For the five subnets (Trust, Untrust, Web, DB, and NAT) included in the template, you have five route tables, one for each subnet with user-defined rules for routing traffic to the VM-Series firewall and the NAT virtual machine.
ARM templates are for advanced users. Palo Alto Networks provides the ARM template under an as-is, best-effort, support policy.
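The per-subnet route tables and IP forwarding flag described above (and the UDR placement in Step 9 of the Marketplace procedure) as an added Python example; it is not part of the guide or of the Palo Alto Networks templates. The Web, DB and NAT subnet prefixes, the trust-side address 192.168.2.4 and the Microsoft.Network apiVersion are assumptions; 192.168.1.4 is the untrust address the guide uses in its own example. The check function flags a next hop that sits in the wrong firewall subnet, the mistake that silently bypasses the firewall.

```python
"""Generate the Azure route tables (UDRs) that send subnet traffic through the
VM-Series firewall, as described in Step 9 and in the ARM template overview.

Added example, not from the deployment guide or the Palo Alto Networks templates.
The Web/DB/NAT subnet prefixes, the trust-side address 192.168.2.4 and the
apiVersion are constructed; 192.168.1.4 is the untrust address the guide uses.
"""
import ipaddress
import json

API_VERSION = "2017-06-01"  # Microsoft.Network apiVersion (assumed for this example)


def udr(name, prefix, next_hop_ip):
    """One user-defined route: deliver `prefix` to the firewall as a VirtualAppliance."""
    return {"name": name,
            "properties": {"addressPrefix": prefix,
                           "nextHopType": "VirtualAppliance",
                           "nextHopIpAddress": next_hop_ip}}


def route_table(name, location, routes):
    """ARM Microsoft.Network/routeTables resource holding `routes`."""
    return {"type": "Microsoft.Network/routeTables", "apiVersion": API_VERSION,
            "name": name, "location": location, "properties": {"routes": routes}}


def build_route_tables(inside, untrust_side, fw_trust_ip, fw_untrust_ip, location="centralus"):
    """One route table per subnet, keyed by subnet name.

    inside:       protected subnets (Web, DB). Their default route and the routes to the
                  other protected subnets point at the firewall's Trust interface, so
                  north-south and east-west traffic are both inspected.
    untrust_side: subnets in front of the firewall (NAT VM). Routes to each protected
                  subnet point at the firewall's Untrust interface.
    """
    tables = {}
    for name in inside:
        routes = [udr("default-via-fw", "0.0.0.0/0", fw_trust_ip)]
        for other, prefix in inside.items():
            if other != name:
                routes.append(udr(f"to-{other}-via-fw", prefix, fw_trust_ip))
        tables[name] = route_table(f"rt-{name}", location, routes)
    for name in untrust_side:
        routes = [udr(f"to-{inner}-via-fw", prefix, fw_untrust_ip)
                  for inner, prefix in inside.items()]
        tables[name] = route_table(f"rt-{name}", location, routes)
    return tables


def nic(name, subnet_id, private_ip, ip_forwarding):
    """ARM NIC resource. The two dataplane NICs need enableIPForwarding, otherwise Azure
    drops packets whose destination is not the NIC's own address; the mgmt NIC does not."""
    return {"type": "Microsoft.Network/networkInterfaces", "apiVersion": API_VERSION,
            "name": name,
            "properties": {"enableIPForwarding": ip_forwarding,
                           "ipConfigurations": [{"name": "ipconfig1", "properties": {
                               "privateIPAllocationMethod": "Static",
                               "privateIPAddress": private_ip,
                               "subnet": {"id": subnet_id}}}]}}


def check_route_tables(tables, inside, trust_subnet, untrust_subnet):
    """Sanity check before deploying: every route must be a VirtualAppliance route whose
    next hop lies in the firewall subnet on the correct side (Trust for protected subnets,
    Untrust for subnets in front of the firewall). A wrong next hop either bypasses the
    firewall or blackholes the subnet. Returns a list of findings; empty means OK."""
    trust, untrust = ipaddress.ip_network(trust_subnet), ipaddress.ip_network(untrust_subnet)
    findings = []
    for subnet, table in tables.items():
        expected = trust if subnet in inside else untrust
        for route in table["properties"]["routes"]:
            props = route["properties"]
            if props["nextHopType"] != "VirtualAppliance":
                findings.append(f"{subnet}/{route['name']}: not a VirtualAppliance route")
            elif ipaddress.ip_address(props["nextHopIpAddress"]) not in expected:
                findings.append(f"{subnet}/{route['name']}: next hop "
                                f"{props['nextHopIpAddress']} is not in {expected}")
    return findings


# Constructed topology for the five-subnet layout of the ARM template
INSIDE = {"Web": "192.168.3.0/24", "DB": "192.168.4.0/24"}  # assumed prefixes
UNTRUST_SIDE = {"NAT": "192.168.5.0/24"}                     # assumed prefix
FW_TRUST_IP, FW_UNTRUST_IP = "192.168.2.4", "192.168.1.4"

if __name__ == "__main__":
    tables = build_route_tables(INSIDE, UNTRUST_SIDE, FW_TRUST_IP, FW_UNTRUST_IP)
    print(json.dumps(list(tables.values()), indent=2))
    print("findings:", check_route_tables(tables, INSIDE, "192.168.2.0/24", "192.168.1.0/24"))
```

The emitted resources can be pasted into the resources array of a template such as azureDeploy.json, with each route table then associated to its subnet.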

Deploying VM-Series Firewall using the ARM Template

Use the ARM Template to Deploy the VM-Series Firewall

Step 1  Download the ARM template from the GitHub repository.
    Download and save the files to a local client: https://github.com/PaloAltoNetworks/azure

Step 2  Create a Resource Group on Azure.
    1. Log in to the Azure CLI using the command: azure login
       If you need help, refer to the Azure documentation on installing the CLI.
    2. Switch to Resource Manager mode using the command: azure config mode arm
    3. Create a resource group.

Step 3  Deploy the ARM template.
    1. Open the Parameters File with a text editor and modify the values for your deployment.
    2. Deploy the template in the resource group you created:
       azure group create -v -n <YourResourceGroupName> -l <YourAzureLocation> -d <GiveASmallDeploymentLabel> -f azureDeploy.json -e azureDeploy.parameters.json
    3. Check the progress/status of the deployment from the Azure CLI:
       azure group deployment show "<YourResourceGroupName>" <YourDeploymentLabel>
       When the template is successfully deployed the ProvisioningState is Running.
       If the ProvisioningState is Failed, you must check for errors on the Azure portal at Resource Group > Events. Filter for only events in the last one hour, select the most recent events, and drill down to find the errors.
    4. Verify that you have successfully deployed the VM-Series firewall.
       a. Select Dashboard > Resource Groups, select the resource group.
       b. Select All Settings > Deployments > Deployment History for detailed status.

The address space within the VNet uses the prefix 192.168, which is defined in the ARM template.

Step 4  Configure the firewall as a VNet gateway to protect your Internet-facing deployment.
    1. Log in to the management interface IP address on the firewall.
    2. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
    3. Add static rules to the virtual router on the firewall. To route traffic through the firewall in this example, you need three static routes on the firewall (Network > Virtual Routers, select the router and click Static Routes):
       a. Route all outbound traffic through the UnTrust zone, ethernet1/1, to the Azure router at 192.168.1.1.
       b. Route all inbound traffic destined to the web server subnet through the Trust zone, ethernet1/2, to the Azure router at 192.168.2.1.
       c. Route all inbound traffic destined to the database server subnet through the Trust zone, ethernet1/2, to the Azure router at 192.168.2.1.
    4. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall. You also need security policy rules to allow appropriate traffic from the web server subnet to the database server subnet and vice versa.
    5. Add NAT policies (Policies > NAT).
       a. Add a Destination NAT rule to send all traffic that the NAT virtual machine forwards to the eth1/1 interface on the VM-Series firewall on Azure to the web server IP address.
       b. Add a Source NAT rule to translate the IP address for all traffic from the eth1/2 interface to the eth1/1 interface to the IP address of the eth1/1 interface, 192.168.1.4 in this example.
    6. Commit the changes on the firewall.
    7. Verify that the VM-Series firewall is securing traffic (Monitor > Logs > Traffic).

Deploy the VM-Series and Azure Application Gateway Template

The VM-Series and Azure Application Gateway template is a starter kit that you can use to deploy VM-Series firewalls to secure web workloads for internet-facing deployments on Microsoft Azure.
This template deploys two VM-Series firewalls between a pair of (external and internal) Azure load balancers. The external load balancer is an Azure Application Gateway, which is an HTTP (Layer 7) load balancer that also serves as the internet-facing gateway, which receives traffic and distributes it through the VM-Series firewall on to the internal load balancer. The internal load balancer is an Azure Load Balancer (Layer 4) that fronts a pair of web servers. The template supports the BYOL and the Azure Marketplace versions of the VM-Series firewall.
As demand on your web workloads increases and you increase capacity for the web server tier, you can manually deploy additional VM-Series firewalls to secure your web server tier.

VM-Series and Azure Application Gateway Template
Start Using the VM-Series & Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

The VM-Series and Azure Application Gateway template launches an Azure Application Gateway (Layer 7 load balancer) and an Azure (Layer 4) load balancer. Nested between the Application gateway and the load balancer are a pair of VM-Series firewalls in an Availability Set, and a pair of sample web servers running Apache2 on Ubuntu in another Availability Set. The Availability Sets provide protection from planned and unplanned outages. The following topology diagram shows the resources that the template deploys:

You can use a new or an existing storage account and resource group in which to deploy all the resources for this solution within an Azure location. It does not provide default values for the resource group name and storage account name; you must enter a name for them. While you can create a new or use an existing VNet, the template creates a default VNet named vnetFW with the CIDR block 192.168.0.0/16, and allocates five subnets (192.168.1.0/24 to 192.168.5.0/24) for deploying the Azure Application Gateway, the VM-Series firewalls, the Azure load balancer and the web servers. Each VM-Series firewall is deployed with three network interfaces: ethernet0/1 in Mgmt subnet (192.168.0.0/24), ethernet1/1 in Untrust subnet (192.168.1.0/24), and ethernet1/2 in Trust subnet (192.168.2.0/24).
The template creates a Network Security Group (NSG) that allows inbound traffic from any source IP address on ports 80, 443, and 22. It also deploys the pair of VM-Series firewalls and the web server pair in their respective Availability Sets to ensure that at least one instance of each is available during a planned or unplanned maintenance window. Each Availability Set is configured to use three fault domains and five update domains.
The Azure Application Gateway acts as a reverse proxy service, which terminates a client connection and forwards the requests to backend web servers. The Azure Application Gateway is set up with an HTTP listener and uses a default health probe to test that the VM-Series firewall IP address (for ethernet1/1) is healthy and can receive traffic.

The template does not provide an auto-scaling solution; you must plan your capacity needs and then deploy additional resources to Adapt the Template for your deployment.

The VM-Series firewalls are not configured to receive and secure web traffic destined to the web servers. Therefore, at a minimum, you must configure the firewall with a static route to send traffic from the VM-Series firewalls to the default router, configure a destination NAT policy to send traffic back to the IP address of the load balancer, and configure Security policy rules. The NAT policy rule is also required for the firewall to send responses back to the health probes from the HTTP listener on the Azure Application Gateway. To assist you with a basic firewall configuration, the GitHub repository includes a sample configuration file called appgwsample.xml that you can use to get started.

Start Using the VM-Series & Azure Application Gateway Template

The VM-Series & Azure Application Gateway template launches all the resources you need to deploy and secure your web workloads for Internet-facing deployments on Microsoft Azure. This section provides details on how to deploy the template, configure the firewalls to route and secure traffic destined to the web servers, and extend the capabilities and resources that this template provides to accommodate your deployment needs.
Deploy the Template to Azure
VM-Series and Azure Application Gateway Template Parameters
Sample Configuration File
Adapt the Template

Deploy the Template to Azure

Use the following instructions to deploy the template to Azure.

Deploy the Template to Azure

Step 1  Deploy the template.
    1. Access the template from https://github.com/PaloAltoNetworks/azureapplicationgateway
    2. Click Deploy to Azure.
    3. Fill in the details for deploying the template. See VM-Series and Azure Application Gateway Template Parameters for a description and the default values, if any, for each parameter.
       At a minimum, you have to pick the Azure Subscription, Resource Group, Location, Storage Account Name, and a Username/password or SSH Key for the administrative account on the VM-Series firewalls.
    4. Click Purchase to accept the terms and conditions and deploy the resources.
       If you have validation errors, click to view the details and fix your errors.
    5. On the Azure portal, verify that you have successfully deployed the template resources, including the VM-Series firewalls.
       a. Select Dashboard > Resource Groups, select the resource group.
       b. Select Overview to review all the resources that have been deployed. The deployment status should display Succeeded.
       c. Note the Public IP address or the DNS name assigned to eth0-VM-Series0 and eth0-VM-Series1 to access the management interface of the VM-Series firewalls.

Step 2  Log in to the firewalls.
    1. Using a secure connection (https) from your web browser, log in to the IP address for eth0-VM-Series0 or the DNS name for the firewall.
    2. Enter the username/password you defined in the parameters file. You will see a certificate warning; that is okay. Continue to the web page.

Step 3  Configure the VM-Series firewall.
    You can either configure the firewall manually or import the Sample Configuration File provided in the GitHub repository and customize it for your security needs.
    To configure the firewall manually, you must do the following at a minimum:
    1. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
    2. Add a static rule to the virtual router on the firewall. This static rule specifies the firewall's untrust interface IP address as the next hop address for any traffic destined for ethernet1/1 (Network > Virtual Routers, select the router and click Static Routes).
    3. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall.
    4. Add NAT policies (Policies > NAT). You must create destination NAT and source NAT rules on the firewall to send traffic to the web servers and back out to the client who initiated the request.
       The destination NAT rule is for all traffic that arrives on the firewall's untrust interface. This rule is required to translate the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and on to the backend web servers.
       The source NAT rule is for all traffic from the backend web server and destined to the untrust interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall.
    5. Commit your changes.

    To import the sample configuration file:
    1. Download and save the Sample Configuration File to your local client.
    2. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the sample configuration file that you have saved locally, and click OK.
    3. Click Load named configuration snapshot, select the Name of the sample configuration file you just imported, and click OK.
    4. Change the IP address of the address objects and the static route to match the IP address from the CIDR block you used. Update address objects to use the private IP addresses for eth1-VM-Series0 and eth1-VM-Series1.
    5. Important! Create a new admin user account. Select Device > Administrators and Add a new account.
    6. Modify the Hostname in the General Settings widget in Device > Setup > Management.
    7. Commit your changes, and log out. The commit overwrites the running configuration with the sample configuration file and the updates you just made. On commit, the hostname and the administrator user account that you specified when deploying the template are overwritten. You will now need to log in using the new admin user account and password.
    8. Log in to the firewall using the credentials you created, and delete the pandemo admin account that was imported from the sample configuration file.

Step 4  Log in and configure the other instance of the VM-Series firewall.
    See Configure the VM-Series firewall.

Step 5  Verify that you have configured the firewalls properly.
    From your web browser, use http to access the IP address or DNS name for the app gateway. You should be able to view the default Apache2 Ubuntu web page.
    If you have used the sample configuration file, log in to the firewall and view the Traffic logs generated on session start in Monitor > Logs > Traffic.

VM-Series and Azure Application Gateway Template Parameters

The following table lists the required and optional parameters and the default values, if any.

Parameter    Description

Resource group
    Create new or use existing (no default).
Subscription
    The type of Azure subscription you will use to cover the cost of the resources deployed with the template.
Location
    Select the Azure location to which you want to deploy the template (no default).

Network Security Group
Network Security Group Name
    The network security group limits the source IP addresses from which the VM-Series firewalls and web servers can be accessed.
    Default: nsgmgmt
Network Security Group Inbound Src IP
    The source IP addresses that can log in to the management port of the VMs deployed by the template.
    The default value 0.0.0.0/0 means you can log in to the firewall management port from any IP address.

Storage Account
Storage Account Name
    Create new or enter the name of an existing Storage Account (no default). The name must be globally unique.
Storage Account Type
    Choose between standard and premium storage and your data replication needs for local redundancy, geo-redundancy, and read-access geo-redundancy.
    The default option is Locally Redundant Storage (LRS). The other options are Standard GRS, Premium LRS, and Standard RAGRS.

VNet
Virtual Network
    Create new or enter the name of an existing VNet.
    The default name for the VNet is vnetFW.
Virtual Network Address Prefix
    192.168.0.0/16

Azure Application Gateway
App Gateway Name
    myAppGw
App Gateway DNS Name
    Enter a globally unique DNS name for the Azure Application Gateway.
App Gateway Subnet Name and Prefix
    Default name is AppGWSubnet and the subnet prefix is 192.168.3.0/24.

Azure Load Balancer and Web Servers
Internal Load Balancer Name
    myPrivateLB
Internal Load Balancer Subnet Name and Prefix
    Default name is backendSubnet and the subnet prefix is 192.168.4.0/24.
Backend Vm Size
    The default size is Standard tier D1 Azure VM. Use the dropdown in the template to view the other Azure VM options available for the backend web servers.

Firewalls
Firewall Model
    Choose from BYOL or PAYG (bundle1 or bundle2; each bundle includes the VM-300 and a set of subscriptions).
Firewall Vm Name and Size
    The default name for the firewall is VM-Series, and the default size is Standard tier D3 Azure VM.
    Use the dropdown in the template to view the other Azure VM options available for the VM-Series firewalls.
Mgmt Subnet Name and Prefix
    The management subnet for the VM-Series firewalls and the web servers deployed in this solution.
    Default name is Mgmt and the subnet prefix is 192.168.0.0/24.
Mgmt Public IP Address Name
    Enter a hostname to access the management interface on each firewall. The names must be globally unique.
Trusted Subnet Name and Prefix
    The subnet to which eth1/1 on the VM-Series firewall is connected; this subnet connects the VM-Series firewall to the Azure Application gateway. The firewall receives web traffic destined to the web servers on eth1/1.
    Default name is Trust and the subnet prefix is 192.168.2.0/24.
Untrusted Subnet Name
    The subnet to which eth1/2 on the VM-Series firewall is connected. The firewall receives return and outbound web traffic on this interface.
    Default name is Untrust and the subnet prefix is 192.168.1.0/24. The name must be globally unique.
Username
    Enter the username for the administrative account on the VM-Series firewalls and the web servers.
Authentication Type
    You must either enter a password for authentication or use an SSH public key (no default).
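A pre-deployment check of template parameter values against the Minimum System Requirements (supported VM sizes, NIC count, log disk range) and the parameter table above (subnets inside the VNet prefix and disjoint, the 0.0.0.0/0 management source default, password or SSH key). This is an added Python example, not part of the guide or of the Palo Alto Networks templates; the JSON key names it reads are assumed and must be mapped to the names in your parameters file.

```python
"""Pre-deployment checks on the parameter values used by the VM-Series on Azure
templates, against the Minimum System Requirements and the parameter table.

Added example, not part of the deployment guide or the Palo Alto Networks
templates. The parameter keys (firewallVmSize, networkSecurityGroupInboundSrcIP,
virtualNetworkAddressPrefix, subnets, dataplaneInterfaces, logDiskSizeGB,
adminPassword, sshPublicKey) are assumed spellings modelled on the parameter
table; map them to the names used in your azureDeploy.parameters.json.
"""
import ipaddress

# Azure VM sizes listed under Minimum System Requirements for the VM-Series on Azure
SUPPORTED_VM_SIZES = {"Standard_A4", "Standard_D3", "Standard_D3_v2", "Standard_D4",
                      "Standard_D4_v2", "Standard_D5_v2", "Standard_DS5_v2"}
MAX_NICS = 3                                     # one management + up to two dataplane
LOG_DISK_GB = (60, 8 * 1024)                     # optional log disk: 60 GB to 8 TB
REQUIRED_SUBNETS = {"Mgmt", "Untrust", "Trust"}  # one subnet per firewall interface


def check_parameters(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    size = params.get("firewallVmSize")
    if size not in SUPPORTED_VM_SIZES:
        findings.append(f"firewallVmSize {size!r} is not a supported VM-Series size")

    # Management exposure: the template default 0.0.0.0/0 lets any internet host reach
    # the management port, so require an administrator source range instead.
    src = params.get("networkSecurityGroupInboundSrcIP", "0.0.0.0/0")
    if ipaddress.ip_network(src, strict=False).prefixlen == 0:
        findings.append("networkSecurityGroupInboundSrcIP admits any source; "
                        "restrict management access to known admin ranges")

    # Subnets: every required subnet defined, inside the VNet prefix, and disjoint.
    vnet = ipaddress.ip_network(params["virtualNetworkAddressPrefix"])
    subnets = {name: ipaddress.ip_network(prefix)
               for name, prefix in params.get("subnets", {}).items()}
    for missing in sorted(REQUIRED_SUBNETS - set(subnets)):
        findings.append(f"subnet {missing} is not defined")
    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            findings.append(f"subnet {name} {net} is outside the VNet {vnet}")
    names = sorted(subnets)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if subnets[first].overlaps(subnets[second]):
                findings.append(f"subnets {first} and {second} overlap")

    # Interface count: the VM-Series on Azure takes at most three NICs.
    nics = 1 + len(params.get("dataplaneInterfaces", []))
    if nics > MAX_NICS:
        findings.append(f"{nics} NICs requested; the VM-Series on Azure supports {MAX_NICS}")

    # Optional log disk must stay within the supported range.
    disk = params.get("logDiskSizeGB")
    if disk is not None and not LOG_DISK_GB[0] <= disk <= LOG_DISK_GB[1]:
        findings.append(f"logDiskSizeGB {disk} is outside {LOG_DISK_GB[0]}-{LOG_DISK_GB[1]} GB")

    # Administrator credential: a password or an SSH public key, exactly one of them.
    has_pw, has_key = bool(params.get("adminPassword")), bool(params.get("sshPublicKey"))
    if has_pw == has_key:
        findings.append("supply either adminPassword or sshPublicKey, not both or neither")

    return findings


# Constructed parameter set using the Application Gateway template's default prefixes
GOOD_PARAMS = {
    "firewallVmSize": "Standard_D3",
    "networkSecurityGroupInboundSrcIP": "203.0.113.0/24",  # constructed admin range
    "virtualNetworkAddressPrefix": "192.168.0.0/16",
    "subnets": {"Mgmt": "192.168.0.0/24", "Untrust": "192.168.1.0/24",
                "Trust": "192.168.2.0/24", "AppGWSubnet": "192.168.3.0/24",
                "backendSubnet": "192.168.4.0/24"},
    "dataplaneInterfaces": ["ethernet1/1", "ethernet1/2"],
    "logDiskSizeGB": 100,
    "sshPublicKey": "ssh-rsa AAAA... (placeholder)",
}

if __name__ == "__main__":
    for finding in check_parameters(GOOD_PARAMS) or ["no findings"]:
        print(finding)
```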

Sample Configuration File

To help you get started, the GitHub repository contains a sample configuration file named appgwsample.xml that includes the following rules/objects:
Address objects: Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you will need to modify to match the IP addresses in your setup. You need to modify these address objects to use the private IP addresses assigned to eth1-VM-Series0 and eth1-VM-Series1 on the Azure portal.
Static route: The default virtual router on the firewall has a static route to 192.168.1.1, and this IP address is accurate if you use the default template values. If you have changed the Untrust subnet CIDR, you'll need to update the IP address to match your setup. All traffic coming from the backend web servers, destined for the application gateway, uses this IP address as the next hop for delivering packets to the untrust interface on the firewall.
NAT Policy Rule: The NAT policy rule enables destination NAT and source NAT.
    The destination NAT rule is for all traffic that arrives on the firewall's untrust interface (ethernet1/2), which is the firewall-untrust-IP address object. This rule translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and thus to the backend web servers.
    The source NAT rule is for all traffic from the backend web server and destined to the untrust network interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall (ethernet1/2).
Security Policy Rule: Two Security policy rules are defined in the sample configuration file. The first rule allows all inbound web-browsing traffic and generates a log at the start of a session on the firewall. The second rule blocks all other traffic and generates a log at the start and end of a session on the firewall. You can use these logs to monitor all traffic to the web servers in this deployment.
Administrative User Credentials: The sample configuration file includes a username and password for logging in to the firewall, which is set to pandemo/demopassword. After you import the sample configuration, you must either change the password and set it to a strong, custom password or create a new administrator account and delete the pandemo account.

Adapt the Template

As your needs evolve, you can scope your capacity needs and extend the template for your deployment scenario. Here are some ways you can build on the starter template to meet your planned capacity needs:
Deploy additional VM-Series firewalls behind the Azure Application Gateway. You can manually install more VM-Series firewalls into the same Availability Set or launch a new Availability Set and manually deploy additional VM-Series firewalls.
Configure the VM-Series firewalls beyond the basic configuration provided in the sample configuration file in the GitHub repository.
Enable HTTPS load balancing (SSL offload) on the Azure Application Gateway. Refer to the Azure documentation for details.
Add or replace the sample web servers included with the template.

Set Up the VM-Series Firewall on OpenStack

The VM-Series firewall for OpenStack allows you to deploy the VM-Series firewall in your OpenStack
environment to provide secure application delivery along with network security, performance and visibility.
This solution deploys the VM-Series firewall on a KVM/Ubuntu hypervisor in a Mirantis OpenStack
environment that uses Contrail for virtualized networking functions.
• VM-Series Firewall for OpenStack
• VM-Series Firewall on OpenStack Deployment Checklist
• Install the VM-Series Firewall in OpenStack

VM-Series Firewall for OpenStack

The VM-Series firewall for OpenStack allows you to deploy the VM-Series firewall on the KVM hypervisor
running on a compute node in your OpenStack environment. This solution uses Heat Orchestration
Templates and bootstrapping to deploy the VM-Series firewall and a Linux server. The VM-Series firewall
protects the deployed Linux server by inspecting the traffic going in and out of the server. The sample
bootstrap files allow the VM-Series firewall to boot with a basic configuration for handling traffic.
• Components of the VM-Series for OpenStack Solution
• Orchestration with the Heat Template

Components of the VM-Series for OpenStack Solution

The following components are required for deploying the VM-Series firewall in an OpenStack environment.

Component                Description

Software                 Hypervisor: KVM/Ubuntu 14.04
                         Networking: Contrail 3.0.2
                         OpenStack Distro: Mirantis 8.0 (Liberty)
                         Orchestration: OpenStack Heat Templates (version 2015-10-15 or higher)
                         VM-Series for KVM: PAN-OS 8.0 or later

VM-Series Hardware       See VM-Series System Requirements for the minimum hardware requirements for
Resources                your VM-Series model.
                         In OpenStack, flavors define the CPU, memory, and storage capacity of a compute
                         instance. When setting up your Heat template, choose the compute flavor that meets
                         or exceeds the hardware requirements for the VM-Series model.

Fuel Master              Fuel is a web-UI-driven deployment and management tool for OpenStack.

OpenStack Controller     This node runs most of the shared OpenStack services, such as the API and scheduling.
                         Additionally, the Horizon UI runs on this node.

OpenStack Compute        The compute node contains the virtual machines, including the VM-Series firewall, in
                         the OpenStack deployment. The compute node that houses the VM-Series must
                         meet the following criteria:
                         • Instance type OS::Nova::Server
                         • Allows configuration of at least three interfaces
                         • Accepts the VM-Series qcow2 image
                         • Accepts the compute flavor parameter
                         • Runs on a bare-metal server, because the VM-Series firewall does not support
                           nested virtualization

Contrail Controller      The Contrail controller node is a software-defined networking controller used for
                         management, control, and analytics for the virtualized network. It provides routing
                         information to the compute and gateway nodes.

Contrail Gateway         The Contrail gateway node provides IP connectivity to external networks from virtual
                         networks. MPLS-over-GRE tunnels from the virtual machines terminate at the
                         gateway node, where packets are decapsulated and sent to their destinations on IP
                         networks.

Heat Orchestration       Palo Alto Networks provides a sample Heat template for deploying the VM-Series
Template Files           firewall. This template is made up of a main template (pan_basic_gw.yaml) and an
                         environment template (pan_basic_gw_env.yaml). These files instantiate one
                         VM-Series instance with one management interface and two data interfaces. The
                         management interface attaches to the management network named in the
                         environment file; one data interface attaches to the untrust network and the
                         other data interface connects to the trust network.
                         Additionally, the template instantiates a Linux server with one interface. The
                         interface of the server attaches to the private (trust) network created by the template.

VM-Series Firewall       The VM-Series firewall bootstrap files consist of an init-cfg.txt file, a bootstrap.xml file,
Bootstrap Files          and VM-Series auth codes. Along with the Heat template files, Palo Alto Networks
                         provides sample init-cfg.txt and bootstrap.xml files. You must provide your own
                         auth codes to license your VM-Series firewall and activate any subscriptions. See
                         Bootstrap the VM-Series Firewall for more information about VM-Series bootstrap
                         files.

Orchestration with the Heat Template

The Heat template package includes the following four files to help you launch the VM-Series firewall on KVM in
OpenStack. All four files are required to deploy the VM-Series firewall and Linux server.
• pan_basic_gw.yaml: Defines the resources created to support the VM-Series firewall and Linux server
  on the compute node, such as interfaces and IP addresses.
• pan_basic_gw_env.yaml: Defines the environment that the VM-Series firewall and Linux server exist in.
  Many parameters in the pan_basic_gw.yaml file reference the parameters defined in this file, such as
  the flavor for the VM-Series and the Linux server.
• init-cfg.txt: Includes the operational command to enable DHCP on the firewall management interface.
• bootstrap.xml: Provides the basic configuration for the VM-Series firewall. The bootstrap.xml file configures
  the data interfaces and IP addresses. These values must match the corresponding values in the
  pan_basic_gw.yaml file; if you change a fixed IP address in the template, change it in bootstrap.xml too.
  Additionally, the bootstrap.xml file includes a NAT rule called untrust2trust. This rule translates traffic
  arriving at the untrust port of the VM-Series firewall to the trust port of the server.
These Heat template files and the bootstrap files combine to create two virtual machines, the VM-Series
firewall and the Linux server, in the network configuration described by the resource table that follows.

The table below describes the resources that the pan_basic_gw.yaml template file creates and provides the
default value, if applicable.

Resource                        Description

pan_fw_instance                 VM-Series firewall with a management interface and two data interfaces.

server_instance                 A Linux server with a single interface.

pan_trust_net                   A connection to the internal network to which the trust interface of the firewall and
                                the trust interface of the server are attached.

pan_trust_subnet                Subnet attached to the trust interface on the firewall (pan_trust_net); it has a CIDR
                                value of 192.168.100.0/24.

pan_untrust_net                 Untrust network to which the untrust port of the firewall is attached.

pan_untrust_subnet              Subnet attached to the untrust interface of the firewall (pan_untrust_net); it has a
                                CIDR value of 192.168.200.0/24.

allow_ssh_https_icmp_secgroup   Security group that allows TCP on ports 22 and 443 and ICMP traffic. Traffic for any
                                other service is dropped by the security group before it reaches the firewall, so widen
                                it only for services you intend the firewall to inspect.

pan_untrust_port                The untrust port of the VM-Series firewall, deployed in Layer 3 mode. The Heat
                                template provides a default IP address of 192.168.200.10 to this port.
                                If you change this IP address in the Heat template, you must change the IP address in
                                the bootstrap.xml file.

pan_untrust_floating_ip         A floating IP address assigned from the public_network.

pan_untrust_floating_ip_assoc   Associates the pan_untrust_floating_ip with the pan_untrust_port.

pan_trust_port                  The trust port of the VM-Series firewall, in Layer 3 mode.

server_trust_port               The trust port of the Linux server, in Layer 3 mode. The Heat template provides a default
                                IP address of 192.168.100.10 to this port.
                                If you change this IP address in the Heat template, you must change the IP address in
                                the bootstrap.xml file.

The pan_basic_gw.yaml file references the pan_basic_gw_env.yaml file for many of the values needed to create
the resources that deploy the VM-Series firewall and Linux server. The Heat template environment file
contains the following parameters.

Parameter                Description

mgmt_network             The VM-Series firewall management interface attaches to the network specified in
                         this parameter. The template does not create the management network; you must
                         create it before deploying the Heat templates. The default value is mgmt_ext_net.

public_network           Addresses that the OpenStack cluster and the virtual machines in the cluster use to
                         communicate with the external or public network. The public network provides
                         virtual IP addresses for public endpoints, which are used to connect to OpenStack
                         service APIs. The template does not create the public network; you must create it
                         before deploying the Heat templates. The default value is public_net.

pan_image                This parameter specifies the VM-Series base image used by the Heat template when
                         deploying the VM-Series firewall. The default value in the sample file is pa-vm-7.1.4;
                         set it to the name you gave the uploaded image (pa-vm-8.0.0 in this guide).

pan_flavor               This parameter defines the hardware resources allocated to the VM-Series firewall.
                         The default value is m1.medium. This value meets the System Requirements
                         described in the Set Up the VM-Series Firewall on KVM chapter.

server_image             This parameter tells the Heat template which image to use for the Linux server. The
                         default value is Ubuntu-14.04.

server_flavor            This parameter defines the hardware resources allocated to the Linux server. The
                         default value is m1.small.

server_key               The name of the OpenStack key pair used for SSH access to the Linux server. The default
                         value is server_key. The key pair must already exist in your project; to use a different
                         one, enter its name in the environment file.

VM-Series Firewall on OpenStack Deployment Checklist

To deploy the VM-Series firewall in OpenStack, use the following workflow:
Step 1: Set up your OpenStack environment.
If you have not already set up these components, see the OpenStack and Contrail documentation for
instructions on setting up the OpenStack environment. This document does not take you through the
process of setting up a complete OpenStack environment.
• Deploy the required nodes (see Components of the VM-Series for OpenStack Solution for more
  information).
• Create a public network. The default value in the Heat template is public_net. If you use a different
  name, change the default value in the pan_basic_gw_env.yaml file.
• Create a management network. The default value in the Heat template is mgmt_ext_net. If you use
  a different name, change the default value in the pan_basic_gw_env.yaml file.
Step 2: Install the VM-Series Firewall in OpenStack.
• Download the template files.
• (Optional) Edit the default values in the template files to match your network.
• Download the VM-Series base image for KVM (PA-VM-KVM-8.0.0.qcow2) from the Customer
  Support Portal.
• Download Ubuntu 14.04, used for the Linux server.
• Upload the files to your OpenStack controller node.
• Deploy the VM-Series firewall and Linux server.
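The checklist above leaves three things to be lined up by hand before the stack is created: the image names in pan_basic_gw_env.yaml must match images you uploaded, the management and public networks must already exist because the template does not create them, and the data-interface addresses in bootstrap.xml must match the fixed IPs pan_basic_gw.yaml assigns. The following pre-flight script is an added example and not code from this guide or from Palo Alto Networks. It assumes the environment file is the flat parameters: mapping shown later in Step 7 (so it is parsed without a YAML library), that inventories come from openstack image list -f json and openstack network list -f json, and that ethernet1/1 is the untrust port because it is the second NIC listed in pan_fw_instance. The sample environment file, inventories and bootstrap.xml below are constructed for the example, and the trust-side address 192.168.100.1/24 is invented.

```python
"""Pre-flight checks for the pan_basic_gw Heat deployment (added example)."""
import json
import subprocess
import xml.etree.ElementTree as ET

# Constructed samples; names follow the guide's Step 7 environment file.
SAMPLE_ENV = """parameters:
  mgmt_network: mgmt_ext_net
  public_network: public_net
  pan_image: pa-vm-8.0.0
  pan_flavor: m1.medium
  server_image: Ubuntu-14.04
  server_flavor: m1.small
  server_key: server_key
"""
SAMPLE_IMAGES = json.dumps([  # shape of 'openstack image list -f json'
    {"ID": "img-1", "Name": "pa-vm-8.0.0", "Status": "active"},
    {"ID": "img-2", "Name": "Ubuntu-14.04", "Status": "active"},
])
SAMPLE_NETWORKS = json.dumps([  # shape of 'openstack network list -f json'
    {"ID": "net-1", "Name": "mgmt_ext_net", "Subnets": ["sub-1"]},
    {"ID": "net-2", "Name": "public_net", "Subnets": ["sub-2"]},
])
SAMPLE_BOOTSTRAP = """<config version="8.0.0">
  <devices><entry name="localhost.localdomain"><network><interface><ethernet>
    <entry name="ethernet1/1"><layer3><ip><entry name="192.168.200.10/24"/></ip></layer3></entry>
    <entry name="ethernet1/2"><layer3><ip><entry name="192.168.100.1/24"/></ip></layer3></entry>
  </ethernet></interface></network></entry></devices>
</config>"""
# Fixed IP from the resource table: pan_untrust_port defaults to 192.168.200.10.
# ethernet1/1 = untrust is an assumption based on NIC order in pan_fw_instance.
EXPECTED_IPS = {"ethernet1/1": "192.168.200.10/24"}


def parse_env_file(text):
    """Read the flat 'parameters:' mapping of pan_basic_gw_env.yaml."""
    params, in_params = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level key such as 'parameters:'
            in_params = line.strip() == "parameters:"
            continue
        if in_params and ":" in line:
            key, value = line.strip().split(":", 1)
            params[key.strip()] = value.strip().strip("'\"")
    return params


def names_in(openstack_json):
    """'openstack image|network list -f json' yields a list of {"Name": ...}."""
    return {item["Name"] for item in json.loads(openstack_json)}


def openstack_names(kind):
    """Live inventory; needs a sourced openrc and the openstack client."""
    out = subprocess.run(["openstack", kind, "list", "-f", "json"],
                         check=True, capture_output=True, text=True).stdout
    return names_in(out)


def bootstrap_interface_ips(xml_text):
    """ethernet1/N -> [address/prefix, ...] from a PAN-OS bootstrap.xml."""
    root = ET.fromstring(xml_text)
    path = "./devices/entry/network/interface/ethernet/entry"
    return {eth.get("name"): [ip.get("name") for ip in eth.findall("./layer3/ip/entry")]
            for eth in root.findall(path)}


def preflight(env, image_names, network_names, bootstrap_xml, expected_ips):
    """Return a list of mismatches; an empty list means the stack is safe to create."""
    problems = []
    for key in ("pan_image", "server_image"):
        if env.get(key) not in image_names:
            problems.append(f"{key}={env.get(key)!r} is not an uploaded image name")
    for key in ("mgmt_network", "public_network"):
        if env.get(key) not in network_names:
            problems.append(f"{key}={env.get(key)!r} does not exist; the template will not create it")
    actual = bootstrap_interface_ips(bootstrap_xml)
    for iface, ip in expected_ips.items():
        if ip not in actual.get(iface, []):
            problems.append(f"bootstrap.xml {iface} has {actual.get(iface)}; template assigns {ip}")
    return problems


if __name__ == "__main__":
    env = parse_env_file(SAMPLE_ENV)
    print(preflight(env, names_in(SAMPLE_IMAGES), names_in(SAMPLE_NETWORKS),
                    SAMPLE_BOOTSTRAP, EXPECTED_IPS) or "preflight OK")
    # Live use, after 'source openrc':
    # preflight(parse_env_file(open("pan_basic_gw_env.yaml").read()),
    #           openstack_names("image"), openstack_names("network"),
    #           open("bootstrap.xml").read(), EXPECTED_IPS)
```

Run it from the controller with openrc sourced; a stale pan_image such as pa-vm-7.1.4 or a missing mgmt_ext_net shows up here instead of as a CREATE_FAILED stack, and an untrust address that was changed in one file but not the other is caught before the firewall boots with an interface the template never wired.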

Install the VM-Series Firewall in OpenStack

Complete the following steps to prepare the Heat templates, bootstrap files, and software images needed to
deploy the VM-Series firewall in OpenStack. After preparing the files, deploy the VM-Series firewall and
Linux server.

Step 1: Download the Heat template and bootstrap files. Download the Heat template package from the GitHub
repository.

Step 2: Download the VM-Series base image.
1. Log in to the Palo Alto Networks Customer Support Portal.
2. Select Software Updates and choose PAN-OS for VM-Series KVM Base Images from the Filter By drop-down.
3. Download PA-VM-KVM-8.0.0.qcow2.

Step 3: Download Ubuntu 14.04 and upload the image to the OpenStack controller. The Heat template needs an
Ubuntu image for launching the Linux server.
1. Download Ubuntu 14.04.
2. Log in to the Horizon UI.
3. Select Project > Compute > Images > Create Image.
4. Name the image Ubuntu-14.04 to match the parameter in the pan_basic_gw_env.yaml file.
5. Set Image Source to Image File.
6. Click Choose File and navigate to your Ubuntu image file.
7. Set the Format to match the file format of your Ubuntu image.
8. Click Create Image.

Step 4: Upload the VM-Series for KVM base image to the OpenStack controller.
1. Log in to the Horizon UI.
2. Select Project > Compute > Images > Create Image.
3. Name the image pa-vm-8.0.0.
4. Set Image Source to Image File.
5. Click Choose File and navigate to your VM-Series image file.
6. Set the Format to QCOW2 - QEMU Emulator.
7. Click Create Image.

Step 5: Upload the bootstrap files. You can upload the init-cfg.txt, bootstrap.xml, and your VM-Series
auth codes to your OpenStack controller or to a web server that the OpenStack controller can access. The
heat client resolves the get_file references when you create the stack, so the files only need to be reachable
at that point. Because they carry your auth codes and, in bootstrap.xml, administrator credentials, do not
leave them on an unauthenticated web server any longer than the deployment needs.

Step 6: Edit the pan_basic_gw.yaml template to point to the bootstrap files and auth codes. Under personality,
specify the file path or web server address for the location of your files. Keep one line active for each file and
comment out the alternative you are not using; the sample below uses local paths and leaves the web server
variants commented out.
    pan_fw_instance:
      type: OS::Nova::Server
      properties:
        image: { get_param: pan_image }
        flavor: { get_param: pan_flavor }
        networks:
          - network: { get_param: mgmt_network }
          - port: { get_resource: pan_untrust_port }
          - port: { get_resource: pan_trust_port }
        user_data_format: RAW
        config_drive: true
        personality:
          /config/init-cfg.txt: { get_file: "/opt/pan_bs/init-cfg.txt" }
          # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" }
          /config/bootstrap.xml: { get_file: "/opt/pan_bs/bootstrap.xml" }
          # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" }
          /license/authcodes: { get_file: "/opt/pan_bs/authcodes" }
          # /license/authcodes: { get_file: "http://web_server_name_ip/pan_bs/authcodes" }

Step 7: Edit the pan_basic_gw_env.yaml template environment file to suit your environment. Make sure that the
management and public network values match those that you created in your OpenStack environment. Set
pan_image to match the name you assigned to the VM-Series base image file. You can also change your
server key here.
    root@node-2:~# cat basic_gateway/pan_basic_gw_env.yaml
    parameters:
      mgmt_network: mgmt_ext_net
      public_network: public_net
      pan_image: pa-vm-8.0.0
      pan_flavor: m1.medium
      server_image: Ubuntu-14.04
      server_flavor: m1.small
      server_key: server_key

Step 8: Deploy the Heat template.
1. Execute the command source openrc to load your OpenStack credentials into the shell.
2. Execute the command heat stack-create <stack-name> -f <template> -e ./<env-template>
   (with the newer unified client: openstack stack create -t <template> -e <env-template> <stack-name>).

Step 9: Verify that your VM-Series firewall is deployed successfully. You can use the following commands to check
the creation status of the stack.
• Check the stack status with heat stack-list; the stack should reach CREATE_COMPLETE.
• View a detailed list of events that occurred during stack creation with heat event-list <stack-name>.
• View details about your stack with heat stack-show <stack-name>.

Step 10: Verify that the VM-Series firewall is bidirectionally inspecting traffic accessing the Linux server.
1. From an external network, execute the command ssh -i <server-key-file> <user>@<pan_untrust_floating_ip>.
   The floating IP is associated with the firewall's untrust port, so the session reaches the Linux server only
   through the untrust2trust NAT rule in bootstrap.xml.
2. Log in to the firewall and select Monitor > Logs > Traffic to view the ssh session.

Bootstrap the VM-Series Firewall

Bootstrapping allows you to create a repeatable and streamlined process of deploying new VM-Series
firewalls on your network because it allows you to create a package with the model configuration for your
network and then use that package to deploy VM-Series firewalls anywhere. You can bootstrap the
VM-Series firewall off an external device (such as a virtual disk, a virtual CD-ROM or an AWS S3 bucket) to
complete the process of configuring and licensing the VM-Series firewall. You can either bootstrap the
firewall with a basic initial configuration and licenses so that the firewall can register with Panorama and then
retrieve its full configuration from Panorama, or you can bootstrap the complete configuration so that the
firewall is fully configured on boot-up.
• VM-Series Firewall Bootstrap Workflow
• Bootstrap Package
• Prepare the Licenses for Bootstrapping
• Prepare the Bootstrap Package
• Bootstrap the VM-Series Firewall on ESXi
• Bootstrap the VM-Series Firewall on Hyper-V
• Bootstrap the VM-Series Firewall on KVM
• Bootstrap the VM-Series Firewall in AWS
• Bootstrap the VM-Series Firewall in Azure
• Verify Bootstrap Completion
• Bootstrap Errors

VM-Series Firewall Bootstrap Workflow

After you familiarize yourself with the Bootstrap Package and assess whether you will want to fully configure
the firewall or use Panorama to manage the bootstrapped firewall, use the following workflow to bootstrap
your VM-Series firewall.

Bootstrap a VM-Series Firewall

For security reasons, you can only bootstrap a firewall when it is in factory default state. If you want to
bootstrap a VM-Series firewall that has been previously configured, Reset the Firewall to Factory Default
Settings.

• Generate the VM Auth Key on Panorama, if you want to use Panorama to manage the VM-Series
  firewalls being bootstrapped. You must include this key in the basic configuration (init-cfg.txt) file
  when you prepare the bootstrap package.
• Prepare the Licenses for Bootstrapping.
• Create the init-cfg.txt File and, optionally, Create the bootstrap.xml File if you are not using Panorama to
  manage the firewall configuration.
• Prepare the Bootstrap Package.
• Place the bootstrap package in the format required by your hypervisor and bootstrap the VM-Series firewall:
  - Bootstrap the VM-Series Firewall on ESXi
  - Bootstrap the VM-Series Firewall on Hyper-V
  - Bootstrap the VM-Series Firewall on KVM
  - Bootstrap the VM-Series Firewall in AWS
  - Bootstrap the VM-Series Firewall in Azure
• Verify Bootstrap Completion.

Bootstrap Package

The bootstrap process is initiated only on first boot, when the firewall is in a factory default state. When you
attach the virtual disk, virtual CD-ROM, or AWS S3 bucket to the firewall, the firewall scans for a bootstrap
package and, if one exists, the firewall uses the settings defined in the bootstrap package. If you have
included a Panorama server IP address in the file, the firewall connects with Panorama. If the firewall has
Internet connectivity, it contacts the licensing server to update the UUID and obtain the license keys and
subscriptions. The firewall is then added as an asset in the Palo Alto Networks Support Portal. If the firewall
does not have Internet connectivity, it either uses the license keys you included in the bootstrap package or
it connects to Panorama, which retrieves the appropriate licenses and deploys them to the managed
firewalls.
The bootstrap package that you create must include the following four folders, even if empty:
• /config folder: Contains the configuration files. The folder can hold two files: init-cfg.txt and
  bootstrap.xml. For details, see Bootstrap Configuration Files.

  If you intend to pre-register VM-Series firewalls with Panorama with bootstrapping, you must generate a VM auth key
  on Panorama and include the generated key in the init-cfg file. See Generate the VM Auth Key on Panorama.

• /license folder: Contains the license keys or auth codes for the licenses and subscriptions that you
  intend to activate on the firewalls. If the firewall does not have Internet connectivity, you must either
  manually obtain the license keys from the Palo Alto Networks Support portal or use the Licensing API to
  obtain the keys, and then save each key in this folder. For details, see Prepare the Licenses for
  Bootstrapping.

  You must include an auth code bundle instead of individual auth codes so that the firewall or orchestration service can
  simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the
  firewall will retrieve only the license key for the first auth code included in the file.

• /software folder: Contains the software images required to upgrade a newly provisioned VM-Series
  firewall to the desired PAN-OS version for your network. You must include all intermediate software
  versions between the Open Virtualization Format (OVF) version and the final PAN-OS software version
  to which you want to upgrade the VM-Series firewall.
• /content folder: Contains the application and threat updates, WildFire updates, and the BrightCloud
  URL filtering database for the valid subscriptions on the VM-Series firewall. You must include the
  minimum content versions required for the desired PAN-OS version; without the minimum required
  content version associated with the PAN-OS version, the VM-Series firewall cannot complete the
  software upgrade.
Because the package carries your auth codes, the Panorama VM auth key and, if you include bootstrap.xml,
administrator credentials, restrict access to the disk image, ISO or bucket that holds it as you would the
firewall itself.
The file type used to deliver the bootstrap package to the VM-Series firewall varies based on your
hypervisor. Use the table below to determine the file type your hypervisor supports.

External Device for Bootstrapping   ESXi   KVM   Hyper-V   AWS   Azure   KVM in OpenStack
(Bootstrap Package Format)

CD-ROM (ISO image)                  Yes    Yes   Yes
Virtual Hard Disk (vhd)                          Yes
S3 Bucket (ISO image)                                      Yes
config-drive                                                              Yes
Block Storage Device                Yes    Yes                   Yes

Bootstrap Configuration Files

The bootstrap package must include the basic configuration contained in the init-cfg.txt file in the /config
folder; the complete configuration (contained in the bootstrap.xml file in the /config folder) is optional. When
you include both files in the bootstrap package, the firewall merges the configurations of those files and, if
any configuration settings overlap between the two files, the firewall uses the setting defined in the
init-cfg.txt file.
• Basic Configuration: The init-cfg.txt file is a text file that contains basic initial configuration information.
  You can name this file generically as init-cfg.txt, or you can prepend the UUID or serial number of each
  firewall to the file name to be more specific (for example: 0008C100105-init-cfg.txt). This file must
  include basic information for configuring the management interface on the firewall, such as the IP address
  type (static or DHCP), IP address (IPv4 only or both IPv4 and IPv6), netmask, and default gateway. The
  DNS server IP address, Panorama IP address, and device group and template parameters are optional.
  When the firewall boots, it searches for a text file that matches its UUID or serial number and, if none is
  found, it searches using the generic file name. For a sample file, see Create the init-cfg.txt File.
  For the VM-Series firewalls that you want to manage using Panorama, you must generate a VM auth key
  on Panorama and include the key in the init-cfg.txt file. For more information, see Generate the VM Auth
  Key on Panorama.
• Complete Configuration: The bootstrap.xml file allows you to fully configure the firewall. The
  bootstrap.xml file is optional and is only required if you are not using Panorama for centrally managing
  your firewall. You can either define this manually or export the running configuration from an existing
  firewall and save the file as bootstrap.xml. If you include the bootstrap.xml file, make sure to export the
  XML file from a firewall of the same platform or hypervisor. If you provide the init-cfg.txt file and the
  bootstrap.xml file, the firewall merges the files into a running configuration as part of the bootstrap
  process and, if any settings overlap, the firewall will use the setting from the basic configuration file. See
  Create the bootstrap.xml File.

Generate the VM Auth Key on Panorama

If you want to use Panorama to manage the VM-Series firewalls that you are bootstrapping, you must
generate a VM auth key on Panorama and include the key in the basic configuration (init-cfg.txt) file. The VM
auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. So, to manage the
firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic
configuration file, as well as the license auth codes in the /license folder of the bootstrap package. The
firewall can then provide the IP address, serial number, and the VM auth key in its initial connection request
to Panorama so that Panorama can verify the validity of the VM auth key and add the firewall as a managed
device. If you provide a device group and template in the basic configuration file, Panorama will assign the
firewall to the appropriate device group and template so that you can centrally configure and administer the
firewall using Panorama.
The lifetime of the key can vary between 1 hour and 8760 hours (1 year). After the specified time, the key
expires and Panorama will not register VM-Series firewalls without a valid auth key in this connection
request. Choose the shortest lifetime that covers your deployment window: any device presenting a valid key
can register itself with your Panorama, so handle the key like a credential.

Generate the VM Auth Key on Panorama

Step 1: Log in to the Panorama CLI or access the API.
• In the CLI, use the following operational command:
    request bootstrap vm-auth-key generate lifetime <1-8760>
  For example, to generate a key that is valid for 24 hours, enter the following:
    request bootstrap vm-auth-key generate lifetime 24
    VM auth key 755036225328715 generated. Expires at: 2015/12/29 12:03:52
• In the API, use the following URL, authenticated with your API key (for example by appending &key=<api-key>):
    https://Panorama_IP_address/api/?type=op&cmd=<request><bootstrap><vm-auth-key><generate>
    <lifetime><number-of-hours></lifetime></generate></vm-auth-key></bootstrap></request>
  where the lifetime is the number of hours for which the VM auth key is valid.

Step 2: Verify the validity term of the VM auth key(s) you generated on Panorama. Make sure that the validity term
allows enough time for the firewall(s)

 to register with Panorama.
    https://Panorama_IP_address/api/?type=op&cmd=<request><bootstrap><vm-auth-key><show>
    </show></vm-auth-key></bootstrap></request>

Step 3: Add the generated VM auth key to the basic configuration (init-cfg.txt) file. See Create the init-cfg.txt File.
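The three steps above can be scripted against the XML API so the key is generated, its remaining validity is checked against the window in which the firewalls will boot, and the resulting init-cfg.txt line is produced without hand-copying. The script below is an added example and not code from this guide or from Palo Alto Networks. The op-command XML, the 1-8760 hour range and the CLI message format come from the guide; the HTTP plumbing, the key= query parameter, and the shape of SAMPLE_RESPONSE (a constructed response that wraps the guide's CLI message in <response><result>) are this example's assumptions, and panorama.example.net is a placeholder host.

```python
"""Generate a Panorama VM auth key over the XML API (added example)."""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MIN_LIFETIME_HOURS, MAX_LIFETIME_HOURS = 1, 8760  # range stated in the guide

# Constructed sample of the response parse_generate_response() expects; the
# key and timestamp are the ones printed in the guide's CLI example.
SAMPLE_RESPONSE = (
    '<response status="success"><result>'
    "VM auth key 755036225328715 generated. Expires at: 2015/12/29 12:03:52"
    "</result></response>"
)


def valid_lifetime(hours):
    """True when the requested lifetime is inside the range Panorama accepts."""
    return MIN_LIFETIME_HOURS <= hours <= MAX_LIFETIME_HOURS


def op_url(panorama_host, api_key, cmd):
    """Build a type=op XML API URL. urlencode() escapes the angle brackets in
    cmd so the XML survives transport, and adds the API key as key=."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    return f"https://{panorama_host}/api/?{query}"


def build_generate_url(panorama_host, api_key, lifetime_hours):
    """URL equivalent of 'request bootstrap vm-auth-key generate lifetime N'."""
    if not valid_lifetime(lifetime_hours):
        raise ValueError(f"lifetime must be {MIN_LIFETIME_HOURS}-{MAX_LIFETIME_HOURS} hours")
    cmd = ("<request><bootstrap><vm-auth-key><generate>"
           f"<lifetime>{lifetime_hours}</lifetime>"
           "</generate></vm-auth-key></bootstrap></request>")
    return op_url(panorama_host, api_key, cmd)


def build_show_url(panorama_host, api_key):
    """URL equivalent of 'request bootstrap vm-auth-key show' (Step 2)."""
    cmd = "<request><bootstrap><vm-auth-key><show></show></vm-auth-key></bootstrap></request>"
    return op_url(panorama_host, api_key, cmd)


def parse_generate_response(body):
    """Return (key, expiry datetime) from the generate response, or raise."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        raise RuntimeError(f"Panorama returned an error: {body}")
    text = " ".join(root.itertext())
    match = re.search(r"VM auth key (\d+) generated\. Expires at: (\S+ \S+)", text)
    if not match:
        raise RuntimeError(f"unexpected response text: {text!r}")
    return match.group(1), datetime.strptime(match.group(2), "%Y/%m/%d %H:%M:%S")


def usable_for(expires, now, registration_hours):
    """Step 2 check: hours of margin left after the firewalls' registration
    window closes; a negative value means the key expires too early."""
    margin = expires - (now + timedelta(hours=registration_hours))
    return margin.total_seconds() / 3600


def init_cfg_line(key):
    """The init-cfg.txt line for Step 3; no spaces around '=' because the
    guide warns that spaces break parsing on the firewall."""
    return f"vm-auth-key={key}"


def call(url):
    """Perform the request. Certificate verification stays on (urllib's
    default); install Panorama's CA rather than disabling it, since the
    API key travels in the URL."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline walk-through on the constructed response; use call(url) live.
    url = build_generate_url("panorama.example.net", "<api-key>", 24)
    key, expires = parse_generate_response(SAMPLE_RESPONSE)
    print(url)
    print(init_cfg_line(key), "expires", expires)
    print("margin hours:", usable_for(expires, datetime(2015, 12, 28, 12, 0), 4))
```

The API key is a long-lived credential and the URL containing it will appear in proxy and web-server logs; generate the key from a host whose shell history and logs you control, and use the show URL afterwards to confirm the expiry you recorded.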

Create the init-cfg.txt File

Step 1: Create a new text file. Use a text editor such as Notepad, EditPad, or another plain-text editor to create
a text file.

Step 2: Add the basic network configuration for the management interface on the firewall.
If any of the required parameters are missing in the file, the firewall exits the bootstrap process and
boots up using the default IP address, 192.168.1.1. You can view the system log on the firewall to detect
the reason for the bootstrap failure. For errors, see Bootstrap Errors.
• There are no spaces between the key and value in each field. Do not add spaces, as they could cause failures
  during parsing on the mgmtsrvr side.
• To configure the management interface with a static IP address, you must specify the IP address, type of
  address, default gateway, and netmask. An IPv4 address is required; an IPv6 address is optional. For syntax,
  see Sample init-cfg.txt file (Static IP Address).
• To configure the management interface as a DHCP client, you must specify only the type of address. If you
  enable the DHCP client on the management interface, the firewall ignores the IP address, default gateway,
  netmask, IPv6 address, and IPv6 default gateway values defined in the file. For syntax, see Sample
  init-cfg.txt file (DHCP Client).
  When you enable DHCP on the management interface, the firewall takes the DHCP-assigned IP address and is
  accessible over the network. You can view the DHCP-assigned IP address on the General Information widget
  on the Dashboard or with the CLI command show system info. However, the default static management IP
  address 192.168.1.1 is retained in the running configuration (show config running) on the firewall. This
  static IP address ensures that you can always restore connectivity to your firewall in the event you lose
  DHCP access to the firewall.

Step 3: Add the VM auth key to register a VM-Series firewall with Panorama. To add a VM-Series firewall on
Panorama, you must add the VM auth key that you generated on Panorama to the basic configuration
(init-cfg.txt) file. For details on generating a key, see Generate the VM Auth Key on Panorama.

Step 4: Add details for accessing Panorama.
• Add IP addresses for the primary and secondary Panorama servers.
• Specify the template and the device group to which you want to assign the firewall.

Step 5: (Optional) Include additional parameters for the firewall.
• Add IP addresses for the primary and secondary DNS servers.
• Add the hostname for the firewall.
• Enable either jumbo frames or multiple virtual systems (or both).
• Enable swapping of the management interface (mgmt) and the dataplane interface (ethernet1/1) on the
  VM-Series firewall in AWS. For more information on changing the management interface, see Management
  Interface Mapping for Use with Amazon ELB.

The following table describes the fields in the init-cfg.txt file. The type, ip-address, default-gateway, and
netmask fields are required.

Fields in the init-cfg.txt File

Field                         Description

type=                         Type of management IP address: static or dhcp-client. This field is required.

ip-address=                   IPv4 address. This field is ignored if the type is dhcp-client. If the type is static, an IPv4
                              address is required; the ipv6-address field is optional and can be included.
                              You cannot specify the management IP address and netmask configuration for the
                              VM-Series firewall in AWS and Azure. If defined, the firewall ignores the values you
                              specify.

default-gateway=              IPv4 default gateway for the management interface. This field is ignored if the type
                              is dhcp-client. If the type is static and ip-address is used, this field is required.

netmask=                      IPv4 netmask. This field is ignored if the type is dhcp-client. If the type is static and
                              ip-address is used, this field is required.

ipv6-address=                 (Optional) IPv6 address and /prefix length of the management interface. This field is
                              ignored if the type is dhcp-client. If the type is static, this field can be specified along
                              with the ip-address field, which is required.

ipv6-default-gateway=         IPv6 default gateway for the management interface. This field is ignored if the type
                              is dhcp-client. If the type is static and ipv6-address is used, this field is required.

hostname=                     Hostname for the firewall.

panorama-server=              IPv4 or IPv6 address of the primary Panorama server. This field is not required but
                              recommended for centrally managing your firewalls.

panorama-server-2=            IPv4 or IPv6 address of the secondary Panorama server. This field is not required but
                              recommended.

tplname=                      Panorama template name. If you add a Panorama server IP address, as a best practice
                              create a template on Panorama and enter the template name in this field so that you
                              can centrally manage and push configuration settings to the firewall.

dgname=                       Panorama device group name. If you add a Panorama server IP address, as a best
                              practice create a device group on Panorama and enter the device group name in this
                              field so that you can group the firewalls logically and push policy rules to the firewall.

dns-primary=                  IPv4 or IPv6 address of the primary DNS server.

dns-secondary=                IPv4 or IPv6 address of the secondary DNS server.

vm-auth-key=                  Virtual machine authentication key. (This field is ignored when bootstrapping
                              hardware firewalls.)

op-command-modes=             The following values are allowed: multi-vsys, jumbo-frame, mgmt-interface-swap. If
                              you enter multiple values, use a space or a comma to separate the entries.
                              • multi-vsys (for hardware-based firewalls only): Enables multiple virtual systems.
                              • jumbo-frame: Sets the default MTU size for all Layer 3 interfaces to 9192 bytes.
                              • mgmt-interface-swap (for the VM-Series firewall in AWS only): Allows you to swap
                                the management interface (MGT) with the dataplane interface (ethernet1/1)
                                when deploying the firewall. For details, see Management Interface Mapping for
                                Use with Amazon ELB.

dhcp-send-hostname=           yes or no. If yes, the firewall sends its hostname to the DHCP server. This field is
                              relevant only if type is dhcp-client.

dhcp-send-client-id=          yes or no. If yes, the firewall sends its client ID to the DHCP server. This field is
                              relevant only if type is dhcp-client.

dhcp-accept-server-hostname=  yes or no. If yes, the firewall accepts its hostname from the DHCP server. This field
                              is relevant only if type is dhcp-client.

dhcp-accept-server-domain=    yes or no. If yes, the firewall accepts its DNS domain from the DHCP server. This
                              field is relevant only if type is dhcp-client.

The following sample basic configuration (init-cfg.txt) files show all the parameters that are supported in the
file. The required parameters are type, ip-address, default-gateway and netmask for a static address, and
type alone for a DHCP client.

Sample init-cfg.txt file (Static IP Address)
    type=static
    ip-address=10.5.107.19
    default-gateway=10.5.107.1
    netmask=255.255.255.0
    ipv6-address=2001:400:f00::1/64
    ipv6-default-gateway=2001:400:f00::2*
    hostname=Ca-FW-DC1
    vm-auth-key=755036225328715
    panorama-server=10.5.107.20
    panorama-server-2=10.5.107.21
    tplname=FINANCE_TG4
    dgname=finance_dg
    dns-primary=10.5.6.6
    dns-secondary=10.5.6.7
    op-command-modes=jumbo-frame, mgmt-interface-swap**
    dhcp-send-hostname=no
    dhcp-send-client-id=no
    dhcp-accept-server-hostname=no
    dhcp-accept-server-domain=no

Sample init-cfg.txt file (DHCP Client)
    type=dhcp-client
    ip-address=
    default-gateway=
    netmask=
    ipv6-address=
    ipv6-default-gateway=
    hostname=Ca-FW-DC1
    vm-auth-key=755036225328715
    panorama-server=10.5.107.20
    panorama-server-2=10.5.107.21
    tplname=FINANCE_TG4
    dgname=finance_dg
    dns-primary=10.5.6.6
    dns-secondary=10.5.6.7
    op-command-modes=jumbo-frame, mgmt-interface-swap**
    dhcp-send-hostname=yes
    dhcp-send-client-id=yes
    dhcp-accept-server-hostname=yes
    dhcp-accept-server-domain=yes

You cannot specify the management IP address and netmask configuration for the VM-Series firewall in AWS. If
defined, the firewall ignores the values you specify because AWS uses a back-end metadata file to assign the
management IP address and netmask.
* The IPv6 default gateway is required if you include an IPv6 address.
** The mgmt-interface-swap operational command pertains only to a VM-Series firewall in AWS.
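A mistake in init-cfg.txt is only reported on the firewall's console after it has already fallen back to 192.168.1.1, so the rules from the Bootstrap Package section (four folders, one auth code bundle rather than a list of codes) and from the field table above (no spaces around =, required fields per type, the IPv6 gateway rule, the allowed op-command-modes values, and the serial- or UUID-prefixed file name lookup) are worth checking before the package is attached. The script below is an added example and not code from this guide or from Palo Alto Networks; the rules it enforces are taken from the guide, while the validation logic and the constructed sample package it writes to a temporary directory are this example's own.

```python
"""Validate a VM-Series bootstrap package before it is attached (added example)."""
import os
import re
import tempfile

REQUIRED_FOLDERS = ("config", "license", "software", "content")
KNOWN_FIELDS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}
OP_COMMAND_MODES = {"multi-vsys", "jumbo-frame", "mgmt-interface-swap"}


def parse_init_cfg(text):
    """Return {key: value}. Whitespace next to '=' is rejected because the guide
    says it breaks parsing on the firewall; unknown keys are rejected too."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if "=" not in raw:
            raise ValueError(f"line {lineno}: expected key=value")
        key, value = raw.split("=", 1)
        if key != key.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: no spaces allowed around '='")
        if key not in KNOWN_FIELDS:
            raise ValueError(f"line {lineno}: unknown field {key!r}")
        fields[key] = value
    return fields


def validate_init_cfg(fields):
    """Apply the guide's required-field rules; return a list of problems."""
    problems = []
    kind = fields.get("type")
    if kind not in ("static", "dhcp-client"):
        problems.append("type must be 'static' or 'dhcp-client'")
    if kind == "static":
        for key in ("ip-address", "default-gateway", "netmask"):
            if not fields.get(key):
                problems.append(f"{key} is required when type=static")
        if fields.get("ipv6-address") and not fields.get("ipv6-default-gateway"):
            problems.append("ipv6-default-gateway is required with ipv6-address")
    if fields.get("panorama-server") and not fields.get("vm-auth-key"):
        problems.append("vm-auth-key is required to register with Panorama")
    for mode in filter(None, re.split(r"[ ,]+", fields.get("op-command-modes", ""))):
        if mode not in OP_COMMAND_MODES:
            problems.append(f"unknown op-command-modes value {mode!r}")
    return problems


def pick_init_cfg(names, serial=None, uuid=None):
    """Lookup order the firewall uses: a <serial>- or <UUID>-prefixed file
    first, then the generic init-cfg.txt; None if neither is present."""
    for prefix in (serial, uuid):
        if prefix and f"{prefix}-init-cfg.txt" in names:
            return f"{prefix}-init-cfg.txt"
    return "init-cfg.txt" if "init-cfg.txt" in names else None


def check_package(root, serial=None, uuid=None):
    """Check a bootstrap package directory tree; return a list of problems."""
    problems = [f"missing folder /{f}" for f in REQUIRED_FOLDERS
                if not os.path.isdir(os.path.join(root, f))]
    config = os.path.join(root, "config")
    chosen = pick_init_cfg(os.listdir(config), serial, uuid) if os.path.isdir(config) else None
    if chosen is None:
        problems.append("/config has no init-cfg.txt for this firewall")
    else:
        with open(os.path.join(config, chosen)) as fh:
            try:
                problems += validate_init_cfg(parse_init_cfg(fh.read()))
            except ValueError as exc:
                problems.append(f"{chosen}: {exc}")
    authcodes = os.path.join(root, "license", "authcodes")
    if os.path.isfile(authcodes):
        with open(authcodes) as fh:
            codes = [line.strip() for line in fh if line.strip()]
        if len(codes) > 1:  # the firewall honours only the first code
            problems.append(f"authcodes lists {len(codes)} codes; only the first "
                            "is used, put a single auth code bundle in the file")
    return problems


# Constructed sample init-cfg.txt (values from the guide's static sample).
SAMPLE_INIT_CFG = """type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
hostname=Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
op-command-modes=jumbo-frame
"""


def build_sample_package(init_cfg=SAMPLE_INIT_CFG, authcodes="BUNDLE-CODE\n"):
    """Write the four folders plus config/init-cfg.txt and license/authcodes
    into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="pan_bootstrap_")
    for folder in REQUIRED_FOLDERS:
        os.makedirs(os.path.join(root, folder))
    with open(os.path.join(root, "config", "init-cfg.txt"), "w") as fh:
        fh.write(init_cfg)
    with open(os.path.join(root, "license", "authcodes"), "w") as fh:
        fh.write(authcodes)
    return root


if __name__ == "__main__":
    print("good package:", check_package(build_sample_package()) or "OK")
    broken = build_sample_package(SAMPLE_INIT_CFG.replace("netmask=", "netmask = "),
                                  "CODE-ONE\nCODE-TWO\n")
    print("bad package:", check_package(broken))
```

Point check_package at the directory you are about to turn into an ISO, virtual disk or bucket, passing the firewall's serial or UUID if you use prefixed file names, and fix every reported line before attaching the package; the firewall gives you one attempt per factory-default boot.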

Create the bootstrap.xml File

Use these instructions to create the optional bootstrap.xml file.

Create the bootstrap.xml File

Step 1  Export a configuration from a firewall.
    1. Select Device > Setup > Operations.
    2. Select the configuration file you want to export.
       To export the running configuration, in the Configuration Management section, Export named
       configuration snapshot and select running-config.xml from the drop-down.
       To export a previous version of a firewall configuration, in the Configuration Management section,
       Export configuration version and select the appropriate configuration version in the drop-down.

Step 2  Rename the configuration file as bootstrap.xml.
    1. Rename the file as bootstrap.xml. For the bootstrap process to be successful, the filename must be an
       exact (case-sensitive) match.
    2. Save the bootstrap.xml file in the same location as the init-cfg.txt file.

Prepare the Licenses for Bootstrapping

To license the firewall during the bootstrapping process, you must purchase the auth codes and register the
licenses and subscriptions on the Palo Alto Networks Support portal before you begin bootstrapping.
For the VM-Series firewalls running BYOL (not applicable for usage-based licensing, PAYG), you must have
an auth code bundle that includes the capacity auth code, support subscription, and any other subscriptions
you require. The process of preparing the licenses for bootstrapping depends on whether the firewall has
internet access when bootstrapping:
- Direct Internet access: The firewall is connected directly to the Internet.
- Indirect Internet access: The firewall is managed by Panorama, which has direct Internet access and the
  ability to fetch the license keys on behalf of the firewall.
- No Internet access: The firewall uses an orchestration service or a custom script to fetch the license keys
  on behalf of the firewall.

Prepare the Licenses for Bootstrapping

For VM-Series firewalls with Internet access.
    Enter the auth code in the /license folder when you Prepare the Bootstrap Package.

For VM-Series firewalls with indirect Internet access.
    1. Register the auth code on the Palo Alto Networks Support portal.
       a. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register
          device using Serial Number or Authorization Code.
       b. Follow the steps to Register the VM-Series Firewall.
       c. Click Submit.
    2. Activate the auth codes on the Palo Alto Networks Support portal to generate license keys.
       a. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
       b. For each S/N, click the Action link.
       c. Select the Activate Auth-Code button.
       d. Enter the Authorization code, click Agree, and Submit.
       e. Download the license keys and save them to a local folder.
       f. Continue to Prepare the Bootstrap Package; you must add the license keys that you downloaded to
          the /license folder in the bootstrap package.

For a custom script or an orchestration service that can access the Internet on behalf of firewalls.
    The script or service must fetch the CPU ID and the UUID from the hypervisor on which the firewall is
    deployed and access the Palo Alto Networks Support portal with CPU ID, UUID, API key and the auth code
    to obtain the required keys. See Licensing API.

Prepare the Bootstrap Package

Use the following procedure to prepare the bootstrap package.

Prepare the Bootstrap Package

Step 1  Create the top-level directory structure for the bootstrap package.
    On your local client or laptop, create the following folders:
        /config
        /license
        /software
        /content
    You can leave a folder empty, but you must have all four folders.

Step 2  Add content within each folder.
    For an overview of the process, see Bootstrap Package. For details on the files in the /config folder, see
    Bootstrap Configuration Files.

    /config
        0008C100105-init-cfg.txt
        0008C100107-init-cfg.txt
        bootstrap.xml

    /content
        panupv2-all-contents-488-2590
        panup-all-antivirus-1494-1969
        panup-all-wildfire-54746-61460

    /software
        PanOS_vm-7.1.1
        PanOS_vm-7.1.4

    /license
        If you save the keys to this folder, you can use a file naming convention that works for you, but keep
        the .key extension in the filename.
        0001A100105-authcodes
        0001A100110-url3.key
        0001A100110-threats.key
        0001A100110-url3-wildfire.key
        Use an auth code bundle instead of individual auth codes so that the firewall or orchestration service
        can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes
        instead of a bundle, the firewall will retrieve only the license key for the first auth code included in
        the file.

Step 3  Create the bootstrap package.
    For VM-Series firewalls, create the image in the appropriate format for your hypervisor.
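Before the tree is turned into an ISO or copied to a bootstrap disk, it is worth checking it mechanically. The following Python script is an added example, not Palo Alto Networks code: it builds the four-folder layout from the listing above in a temporary directory and reports the mistakes the text warns about (missing folders, license files without the .key extension, an authcodes file that lists several individual auth codes instead of one bundle). The requirement that /config holds an init-cfg.txt and the placeholder file contents are assumptions of the example.

```python
"""Check a bootstrap package tree before it is written to an ISO or bootstrap disk.

Added example, not Palo Alto Networks code. Rules taken from this guide: all
four folders /config, /license, /software and /content must exist (they may be
empty); license key files keep the .key extension; an authcodes file should
hold one auth code bundle, because only the first auth code in the file is
used. Requiring at least one init-cfg.txt in /config and reporting stray
files as warnings are this example's own choices.
"""
from __future__ import annotations

import os
import tempfile

REQUIRED_FOLDERS = ("config", "license", "software", "content")


def check_bootstrap_package(root: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for the package rooted at `root`."""
    errors: list[str] = []
    warnings: list[str] = []
    for folder in REQUIRED_FOLDERS:
        if not os.path.isdir(os.path.join(root, folder)):
            errors.append(f"missing folder /{folder}")
    if errors:  # nothing else is meaningful without the full tree
        return errors, warnings

    config_files = sorted(os.listdir(os.path.join(root, "config")))
    if not any(name.endswith("init-cfg.txt") for name in config_files):
        errors.append("/config holds no init-cfg.txt or <serial>-init-cfg.txt")
    for name in config_files:
        if not (name.endswith("init-cfg.txt") or name == "bootstrap.xml"):
            warnings.append(f"/config/{name} is neither an init-cfg.txt nor bootstrap.xml")

    license_dir = os.path.join(root, "license")
    for name in sorted(os.listdir(license_dir)):
        if name.endswith("authcodes"):
            with open(os.path.join(license_dir, name), encoding="utf-8") as fh:
                codes = [ln.strip() for ln in fh if ln.strip()]
            if len(codes) > 1:
                warnings.append(f"/license/{name} lists {len(codes)} auth codes but only the "
                                "first is used; use an auth code bundle instead")
        elif not name.endswith(".key"):
            warnings.append(f"/license/{name} lacks the .key extension that license key files keep")
    return errors, warnings


def write_file(root: str, relative_path: str, content: str) -> str:
    """Create a file (and its folder) inside the package; returns its path."""
    path = os.path.join(root, *relative_path.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def build_sample_package(root: str, authcodes: str = "PLACEHOLDER-AUTHCODE-BUNDLE\n") -> str:
    """Lay out a constructed package mirroring the guide's example listing."""
    for folder in REQUIRED_FOLDERS:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
    write_file(root, "config/0008C100105-init-cfg.txt", "type=dhcp-client\nhostname=Ca-FW-DC1\n")
    write_file(root, "config/bootstrap.xml", "<config></config>\n")
    write_file(root, "license/0001A100105-authcodes", authcodes)
    write_file(root, "license/0001A100110-threats.key", "placeholder license key\n")
    return root


def new_package_root() -> str:
    """Fresh temporary directory to build a package in."""
    return tempfile.mkdtemp(prefix="vm-bootstrap-")


if __name__ == "__main__":
    root = build_sample_package(new_package_root())
    print(check_bootstrap_package(root))
```

Point check_bootstrap_package at the directory you are about to image; an empty errors list means the four-folder contract is met, and each warning names the file the firewall would otherwise process differently from what you intended.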

Bootstrap the VM-Series Firewall on ESXi

You can bootstrap the VM-Series firewall using an ISO image or a virtual hard disk.
- Bootstrap the VM-Series Firewall on ESXi with an ISO
- Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on ESXi with an ISO

Use these instructions to bootstrap the VM-Series firewall on an ESXi server using an ISO.

Bootstrap the VM-Series Firewall in ESXi

Step 1  Create an ISO image and upload it to a Virtual Machine File System (VMFS) datastore or to a Network
        File System (NFS) volume.
    1. Prepare the Bootstrap Package.
    2. Create an ISO image. The tool you use to create the image varies based on your client operating system.
    3. Upload the ISO image to a VMFS datastore or to an NFS volume that is accessible to the ESX/ESXi host.

Step 2  Deploy the firewall.
    1. Provision the VM-Series Firewall on an ESXi Server.
       By default, the firewall is deployed with two network interfaces: one for management traffic and one for
       data traffic. Make sure that the first ethernet interface on the firewall, which is its management
       interface, is connected to the virtual switch port group assigned for device management.
    2. Do not power on the firewall.

Step 3  Attach the bootstrap image to the firewall.
    1. Select the VM-Series firewall from the Inventory list.
    2. Click Edit Settings and select Virtual Hardware.
    3. Select Datastore iso file in the CD DVD drive drop-down, and browse for the ISO image.
    4. Power on the firewall. The firewall will begin with the bootstrapping process, which will take several
       minutes. The status messages on the success or failure of the process will display on the console.
    5. Verify Bootstrap Completion.

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Use these instructions to bootstrap the VM-Series firewall on an ESXi server using a block storage device.

Virtual Hard Disk Bootstrapping in ESXi

Step 1  Create the bootstrap package and the virtual hard disk.
    1. Create the bootstrap package.
    2. Deploy a Linux virtual machine.
    3. On the Linux machine, Prepare the Bootstrap Package. You can leave the folder empty, but you must have
       all four folders.
    4. Attach a new data disk less than 39 GB to the Linux virtual machine.
    5. Partition the disk and format the file system as ext3.
    6. Make a directory for the new file system and mount the disk to the Linux virtual machine.
    7. Copy the contents of your bootstrap package to the disk.
    8. Unmount the disk.
    9. Detach the disk from the Linux virtual machine. Take note of the Disk File describing the bootstrap disk
       you created; it shows the datastore name and path to the disk. Additionally, do not check the Delete
       Files From Datastore check box; doing so deletes the disk.

Step 2  Deploy the firewall.
    1. Provision the VM-Series Firewall on an ESXi Server.
    2. Do not power on the firewall.

Step 3  Attach the bootstrap package to the firewall.
    1. Select the VM-Series firewall from the Inventory list.
    2. Click Edit Settings and select Virtual Hardware.
    3. From the New Device drop-down, select Existing Hard Disk. Select the bootstrap disk according to the
       datastore and path noted previously.
    4. Power on the firewall. The firewall will begin with the bootstrapping process, which will take several
       minutes. The status messages on the success or failure of the process will display on the console.
    5. Verify Bootstrap Completion.

Bootstrap the VM-Series Firewall on Hyper-V

You can bootstrap the VM-Series firewall using an ISO image or a virtual hard disk.
- Bootstrap the VM-Series Firewall on Hyper-V with an ISO
- Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Use these instructions to bootstrap the VM-Series firewall on a Hyper-V server with an ISO.

Bootstrap the VM-Series Firewall in Hyper-V

Step 1  Create an ISO image.
    1. Prepare the Bootstrap Package.
    2. Create an ISO image. The tool you use to create the image varies based on your client operating system.
    3. Upload the ISO image to a location accessible to the Hyper-V host.

Step 2  Deploy the firewall.
    1. Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager.
       By default, the firewall is deployed with two network interfaces: one for management traffic and one for
       data traffic. Make sure that the first ethernet interface on the firewall, which is its management
       interface, is connected to the vSwitch assigned for device management.
    2. Do not power on the firewall.

Step 3  Attach the bootstrap image to the firewall.
    1. In Hyper-V Manager, select the VM-Series firewall from the Virtual Machines list.
    2. Click Settings > Hardware > IDE Controller > DVD Drive.
    3. Under Media, click the Image file radio button.
    4. Click Browse and select your uploaded ISO image.
    5. Click Apply and OK to exit the virtual machine settings.
    6. Power on the firewall. The firewall will begin with the bootstrapping process, which will take several
       minutes. The status messages on the success or failure of the process will display on the console.
    7. Verify Bootstrap Completion.

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Use these instructions to bootstrap the VM-Series firewall on a Hyper-V server with a block storage device.

Virtual Hard Disk Bootstrapping in Hyper-V

Step 1  Create the bootstrap package and the virtual hard disk.
    1. Deploy a Linux virtual machine.
    2. On the Linux machine, Prepare the Bootstrap Package. You can leave the folder empty, but you must have
       all four folders.
    3. Attach a new data disk less than 39 GB to the Linux virtual machine.
       a. Power off the Linux virtual machine.
       b. In Hyper-V, select the Linux virtual machine from the Virtual Machines list.
       c. Select Settings > Hardware > IDE Controller.
       d. Select Hard Drive and click Add.
       e. Select Virtual Hard Disk and click New.
       f. Follow the on-screen instructions to create a new VHD. Note the name and path of the new VHD.
       g. Click Apply then OK to exit the virtual machine settings.
       h. Power on the Linux virtual machine.
    4. Connect to the CLI of the Linux virtual machine.
    5. Partition the disk and format the file system as ext3.
    6. Make a directory for the new file system and mount the disk to the Linux virtual machine.
    7. Copy the contents of your bootstrap package to the disk.
    8. Unmount the disk.
    9. Detach the disk from the Linux virtual machine.
       a. Power off the Linux virtual machine.
       b. Select the Linux virtual machine from the Virtual Machines list.
       c. Select Settings > Hardware > IDE Controller.
       d. Select the VHD you created.
       e. Click Remove. This detaches the VHD but does not delete it.

Step 2  Deploy the firewall.
    1. Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager.
    2. Do not power on the firewall.

Step 3  Attach the bootstrap disk image to the firewall.
    1. Select the firewall from the Virtual Machines list.
    2. Select Settings > Hardware > IDE Controller.
    3. Select Hard Drive and click Add.
    4. Select Virtual Hard Disk and click Browse.
    5. Browse to the bootstrap VHD you created, select it, and click Open.
    6. Click Apply and OK to exit the Virtual Machine settings.
    7. Power on the firewall. The firewall will begin with the bootstrapping process, which will take several
       minutes. The status messages on the success or failure of the process will display on the console.
    8. Verify Bootstrap Completion.

Bootstrap the VM-Series Firewall on KVM

You can bootstrap the VM-Series firewall on KVM using an ISO image or a virtual hard disk. Additionally, you
can bootstrap the VM-Series firewall on KVM in an OpenStack environment using a config drive.
- Bootstrap the VM-Series Firewall on KVM with an ISO
- Bootstrap the VM-Series Firewall on KVM With a Block Storage Device
- Bootstrap the VM-Series Firewall on KVM in OpenStack

Bootstrap the VM-Series Firewall on KVM with an ISO

Use these instructions to bootstrap the VM-Series firewall on a KVM server using an ISO.

Bootstrap the VM-Series Firewall in KVM

Step 1  Create an ISO image.
    1. Prepare the Bootstrap Package.
    2. Create an ISO image. The tool you use to create the image varies based on your client operating system.
    3. Upload the ISO image to a location accessible to the KVM host.

Step 2  Deploy the firewall.
    1. Install the VM-Series Firewall on KVM.
       By default, the firewall is deployed with two network interfaces: one for management traffic and one for
       data traffic. Make sure that the first ethernet interface on the firewall, which is its management
       interface, is connected to the virtual switch port group assigned for device management.
    2. Do not power on the firewall.

Step 3  Attach the bootstrap image to the firewall.
    1. In virt-manager, double-click on the VM-Series firewall to open the console.
    2. View the VM hardware details by navigating to View > Details.
    3. Open the Add New Virtual Hardware menu by clicking Add Hardware.
    4. Change the device type to IDE CDROM.
    5. Click the Select managed or other existing storage radio button and click Browse. Locate the ISO image
       you created and click Choose Volume.
    6. Click Finish to exit the Add New Virtual Hardware menu.
    7. Power on the firewall by navigating to Virtual Machine > Run. The firewall will begin with the
       bootstrapping process, which will take several minutes. The status messages on the success or failure of
       the process will display on the console.
    8. Verify Bootstrap Completion.

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Use these instructions to bootstrap the VM-Series firewall on a KVM server with a block storage device.

Virtual Hard Disk Bootstrapping in KVM

Step 1  Create the bootstrap package and the virtual hard disk.
    1. Create the bootstrap package.
    2. Create a new disk image less than 39 GB in size, then partition the disk and format the file system as
       ext3. The tools used to complete this process vary based on your client operating system.
    3. Mount the disk image file and copy the prepared bootstrap package to the disk image file.
    4. Copy the contents of your bootstrap package to the disk.
    5. Unmount the disk image.
    6. Upload the disk image file to a location accessible to the KVM host.

Step 2  Deploy the firewall.
    1. Install the VM-Series Firewall on KVM.
    2. Do not power on the firewall.

Step 3  Attach the bootstrap disk image to the firewall.
    1. In virt-manager, double-click on the VM-Series firewall to open the console.
    2. View the VM hardware details by selecting View > Details.
    3. Open the Add New Virtual Hardware menu by clicking Add Hardware.
    4. Select Storage and then select Select or create custom storage.
    5. Click the Manage button to open the Choose Storage Volume dialog, and select the disk image file that
       you previously created.
    6. Click Choose Volume.
    7. Ensure that the device type is Disk Device and do not change the Bus Type.
    8. Click Finish.
    9. Power on the firewall. The firewall will begin with the bootstrapping process, which will take several
       minutes. The status messages on the success or failure of the process will display on the console.
    10. Verify Bootstrap Completion.

Bootstrap the VM-Series Firewall on KVM in OpenStack

You can bootstrap the KVM edition of the VM-Series firewall in an OpenStack environment with:
- Red Hat OpenStack Platform 5 or OpenStack Platform 7 running on Red Hat Enterprise Linux 7.2, or
  Mirantis 7.0 running on Ubuntu 14.04.
- Support for OpenStack CLI only; the UI is not supported.

- Minimum PAN-OS version is PAN-OS 7.1.4.
- ISO 9660 or VFAT configuration drive formats.

The KVM edition of the VM-Series firewall in an OpenStack environment reads the bootstrap package from
a config drive that attaches to the instance when it boots. The config drive is limited to a maximum size of
64 MB. Therefore, only /config and /license of the Bootstrap Package can have content; /software and
/content must remain empty.
PAN-OS supports two methods for passing the bootstrap package to the config drive:
- file: passes the bootstrap package as clear-text files
- user-data: passes the bootstrap package in a compressed tarball (.tgz file)

To use the user-data method, ensure that your version of OpenStack Platform 5 (Icehouse-based) has been
patched with a fix for this Icehouse issue. Without the patch, use of a tarball with the user-data method causes
the nova boot command to fail.

You can use both methods concurrently in deployments where some files in the bootstrap package are static
across all VM-Series instances while other files are unique to each firewall. If you include files using both
methods, the compute node unpacks the tarball first and any files passed by the --file command overwrite
duplicate files from the tarball.

Bootstrap the VM-Series Firewall on KVM in OpenStack

Step 1  Place the bootstrap package in your OpenStack environment.
    1. Prepare the Bootstrap Package.
    2. Access the OpenStack CLI.
    3. Save the bootstrap package and PAN-OS image in a location accessible by the OpenStack controller node.
    4. If using the --user-data method to pass the bootstrap package to the config drive, you can use the
       following command to create the tarball:
       tar -cvzf <file-name>.tgz config/ license software content

Step 2  Retrieve the network UUID(s).
    To attach a NIC to the VM-Series firewall instance with the --nic net-id= argument, you need the network
    UUID. You can retrieve the network UUID through the OpenStack CLI by using the following command:
    neutron net-list
Step 3  Deploy the firewall.
    There are three methods for populating a config drive with the bootstrap package and attaching it to the
    host VM. Complete the command sequence of your choice on the OpenStack controller node. See Nova Boot
    Command Arguments for descriptions of the arguments required for bootstrapping.

    user-data
        nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor>
            --user-data <tgz location and filename> --security-groups <security-group>
            --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id>
            <vm-series name>

    file
        nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor>
            --file /license/authcodes=<source-path> --file /config/init-cfg.txt=<source-path>
            --security-groups <security-group>
            --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id>
            <vm-series name>

    user-data and file
        nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor>
            --file /config/init-cfg.txt=<source-path> --user-data <tgz location and filename>
            --security-groups <security-group>
            --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id>
            <vm-series name>

Step 4  Verify Bootstrap Completion.

The nova boot command and the following arguments are required to Bootstrap the VM-Series Firewall on
KVM in OpenStack.

Arguments            Description

nova boot
    Used to boot a new compute instance.

--config-drive true
    Enables the config drive.

--image
    Specifies the PAN-OS image file. Only the image name is required. This base image file is required to
    launch the VM-Series firewall. You can view a list of images available in your OpenStack environment with
    the following command:
    nova image-list
--flavor
    The VM instance type. Ensure that you select a flavor that provides the hardware resources required for
    your VM-Series firewall. You can view a list of available flavors and their hardware resources with the
    following command:
    nova flavor-list
    See VM-Series on KVM Requirements and Prerequisites for minimum hardware resources required by the KVM
    VM-Series firewall.

--user-data
    Used to pass the tarball containing the bootstrap package to the config drive.

--file
    Used to pass the init-cfg.txt file and license file as clear-text files to the config drive. For the
    bootstrap process to succeed, you must include the /config/init-cfg.txt= argument and either the
    /license/license.key or /license/authcodes argument. Optionally, bootstrap.xml files are also supported.
    --file /config/init-cfg.txt=
    --file /config/bootstrap.xml=
    --file /license/license.key=
    --file /license/authcodes=
    The Server Personality defines the maximum number of files that can be passed using the --file command.
    Use the nova absolute-limits command to view the limit. In the example below, the Personality limit is
    five. Therefore, the maximum number of files is limited to five.
    nova absolute-limits
    +--------------------+-------+--------+
    | Name               | Used  | Max    |
    +--------------------+-------+--------+
    | Cores              | 18    | 240    |
    | FloatingIps        | 0     | 10     |
    | ImageMeta          | -     | 128    |
    | Instances          | 12    | 1000   |
    | Keypairs           | -     | 100    |
    | Personality        | -     | 5      |
    | Personality Size   | -     | 65536  |
    | RAM                | 32256 | 393216 |
    | SecurityGroupRules | -     | 20     |
    | SecurityGroups     | 1     | 10     |
    | Server Meta        | -     | 128    |
    | ServerGroupMembers | -     | 10     |
    | ServerGroups       | 0     | 10     |
    +--------------------+-------+--------+
    Exceeding this limit generates an error message. If you need to pass more files than this limit allows,
    use the user-data method or the combined user-data and file method.

--nic net-id=<network UUID>
    Creates a NIC on the VM-Series firewall with the specified UUID. You should create at least two NICs: one
    for a management port and one for a data port.

--security-groups
    You can provide a comma-separated list of security groups to provide access to the VM-Series firewall. If
    you do not specify a security group, the VM is placed in the default security group.
Bootstrap the VM-Series Firewall in AWS

To perform bootstrapping, you must be familiar with AWS S3 and IAM permissions required for completing
this process. For detailed instructions on creating policy, refer to the AWS documentation on Creating
Customer Managed Policies.
The management interface of the VM-Series firewall must be able to access the S3 bucket to complete
bootstrapping. You can either assign a public IP address or an elastic IP address to the management interface
so that the S3 bucket can be accessed over the Internet. Or, create an AWS VPC endpoint in the same region
as the S3 bucket, if you prefer to create a private connection between your VPC and the S3 bucket and do
not want to enable internet access on the firewall management interface. For more information, refer to the
AWS documentation on setting up VPC endpoints.

Bootstrap the firewall in AWS

Step 1  On the AWS console, create an Amazon Simple Storage Service (S3) bucket at the root level. The S3
        bucket in this example, vmseries-aws-bucket, is at the All Buckets root folder level. Bootstrap will
        fail if you nest the folder because you cannot specify a path to the location of the bootstrap files.

Step 2  Create an IAM role with inline policy to enable read access to the S3 bucket [ListBucket, GetObject].
        For detailed instructions on creating an IAM role, defining which accounts or AWS services can
        assume the role, defining which API actions and resources the application can use upon assuming the
        role, refer to the AWS documentation on IAM Roles for Amazon EC2. When launching the VM-Series
        firewall, you must attach this role to enable access to the S3 bucket and the objects included in the
        bucket for bootstrapping successfully.
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": ["s3:ListBucket"],
              "Resource": ["arn:aws:s3:::<bucketname>"]
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject"
              ],
              "Resource": ["arn:aws:s3:::<bucketname>/*"]
            }
          ]
        }

Step 3  Create the folders within the S3 bucket.
        Create the top-level directory structure for the bootstrap package. Create the structure directly in
        this S3 bucket.
        Add content within each folder. You can leave a folder empty, but you must have all four folders.
        If you have enabled logging in Amazon S3, a Logs folder is automatically created in the S3 bucket. The
        Logs folder helps troubleshoot issues with access to the S3 bucket.

Step 4  Launch the VM-Series Firewall on AWS. When launching the firewall as an EC2 instance, attach the
        IAM role you created in Step 2 and in the user data field (Advanced section), specify the following S3
        key value:
        vmseries-bootstrap-aws-s3bucket=<bucketname>

Step 5  Verify Bootstrap Completion.
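The role policy in Step 2 and the user data key in Step 4 have to agree on the same bucket, and the firewall needs nothing beyond s3:ListBucket on the bucket and s3:GetObject on its objects. The following Python script is an added example, not Palo Alto Networks or AWS code: it reads the bucket name out of the user data line, then reviews a policy document and reports grants that are missing for that bucket and grants that go beyond it (wildcard actions, other buckets). The constructed policy and bucket name are assumptions of the example.

```python
"""Review the IAM policy attached to a VM-Series EC2 instance for S3 bootstrap
against the bucket named in the instance user data.

Added example, not Palo Alto Networks or AWS code. From this guide: the
firewall needs s3:ListBucket on the bucket and s3:GetObject on its objects,
and the user data carries vmseries-bootstrap-aws-s3bucket=<bucketname>.
Treating any other action, wildcard action or resource outside that bucket
as excessive is this example's least-privilege rule, not a requirement the
guide states.
"""
from __future__ import annotations

import json

REQUIRED = {
    "s3:ListBucket": "arn:aws:s3:::{bucket}",
    "s3:GetObject": "arn:aws:s3:::{bucket}/*",
}

# Constructed user data and policy modelled on the guide's examples.
SAMPLE_USER_DATA = "vmseries-bootstrap-aws-s3bucket=vmseries-aws-bucket"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::vmseries-aws-bucket"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::vmseries-aws-bucket/*"]},
    ],
})


def bucket_from_user_data(user_data: str) -> str:
    """Extract the bucket name from the vmseries-bootstrap-aws-s3bucket= line."""
    for line in user_data.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "vmseries-bootstrap-aws-s3bucket" and value:
            return value
    raise ValueError("user data does not set vmseries-bootstrap-aws-s3bucket")


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise it."""
    return value if isinstance(value, list) else [value]


def review_bootstrap_policy(policy_json: str, user_data: str) -> tuple[list[str], list[str]]:
    """Return (missing, excessive) grants relative to the bucket in user data."""
    bucket = bucket_from_user_data(user_data)
    wanted = {action: arn.format(bucket=bucket) for action, arn in REQUIRED.items()}
    granted: set[tuple[str, str]] = set()
    excessive: list[str] = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if action in wanted and resource == wanted[action]:
                    granted.add((action, resource))
                else:
                    excessive.append(f"{action} on {resource}")
    missing = [f"{a} on {r}" for a, r in wanted.items() if (a, r) not in granted]
    return missing, excessive


if __name__ == "__main__":
    print(review_bootstrap_policy(SAMPLE_POLICY, SAMPLE_USER_DATA))
```

Run it with the inline policy document of the role and the exact user data string you enter in the Advanced section; both lists empty means the role grants exactly the read access Step 2 describes and nothing else.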

Bootstrap the VM-Series Firewall in Azure

To perform bootstrapping, you must be familiar with the process of creating a VHD and must know about
storage accounts and containers in Azure, and how to attach the VHD to a virtual machine.

Bootstrap the firewall in Azure

Step 1  Create the VHD. Use the Azure documentation for the commands required to complete the process
        of creating a VHD.
    1. On the Azure portal, de a Linux virtual machine.
    2. On the Linux virtual machine, Add a data disk between 1 and 39 GB in size. Make sure to save the
       disk to the same storage account that you will use for the VM-Series firewall.
    3. Connect to the console or CLI of the Linux virtual machine.
    4. Partition the disk and format the file system as ext3.
    5. Create the top-level directory structure for the bootstrap package and Add content within each
       folder. You can leave a folder empty, but you must have all four folders.
    6. Copy the contents of the bootstrap package you created above to the disk.
    7. Unmount the disk.
    8. Detach the disk from the Azure portal. The disk is stored as a page blob.
Step 2  Customize the ARM template to point to the VHD so that the firewall can access the disk on first
        boot. For example, you need to add the following object in the virtualMachine resource in the
        Template file:
        "storageProfile": {
          "imageReference": {
            "publisher": "[parameters('imagePublisher')]",
            "offer": "[parameters('imageOffer')]",
            "sku": "[parameters('imageSku')]",
            "version": "latest"
          },
          "dataDisks": [
            {
              "name": "datadisk1",
              "diskSizeGB": "[parameters('BootstrapUriSizeGB')]",
              "lun": 0,
              "vhd": {
                "uri": "[parameters('BootstrapUri')]"
              },
              "caching": "ReadOnly",
              "createOption": "Attach"
            }
          ],
          "osDisk": {
            "name": "osdisk",
            "vhd": {
              "uri": "[concat('http://',
                parameters('storageAccountName'), '.blob.core.windows.net/vhds/',
                parameters('vmName'), '-', parameters('imageOffer'), '-',
                parameters('imageSku'), '.vhd')]"
            },
            "caching": "ReadWrite",
            "createOption": "FromImage"
          }
        },

Step 3  Verify Bootstrap Completion.

Verify Bootstrap Completion

You can see basic status logs on the console during the bootstrap and you can verify that the process is
complete.

Verify Bootstrap Completion

Step 1  If you included panorama-server, tplname, and dgname in your init-cfg.txt file, check Panorama
        managed devices, device group, and template name.

Step 2  Verify the general system settings and configuration. Access the web interface and select Dashboard >
        Widgets > System or use the CLI operational commands show system info and show config running.

Step 3  Verify the license installation. Select Device > Licenses or use the CLI operational command request
        license info.

Step 4  If you have Panorama configured, manage the content versions and software versions from Panorama. If
        you do not have Panorama configured, use the web interface to manage content versions and software
        versions.
Bootstrap Errors

If you receive an error message during the bootstrapping process, refer to the following table for details.

Error message (Severity)
    Reasons

Boot image error (high)
    No external device was detected with the bootstrap package.
    Or
    A critical error happened while booting from the image on the external device.
    The bootstrap process was aborted.

No bootstrap config file on external device (high)
    The external device did not have the bootstrap configuration file.

Bad or no parameters for mandatory networking information in the bootstrap config file (high)
    The networking parameters required for bootstrapping were either incorrect or missing. The error message
    lists the value (IP address, netmask, default gateway) that caused the bootstrap failure.

Failed to install license key for file <license key filename> (high)
    The license key could not be applied. This error indicates that the license key used was invalid. The
    output includes the name of the license key that could not be applied.

Failed to install license key using authcode <authcode> (high)
    The license auth code could not be applied. This error indicates that the license auth code used was
    invalid. The output includes the name of the auth code that could not be applied.

Failed content update commits (high)
    The content updates were not successfully applied.

USB media prepared successfully using given bundle (informational)
    The bootstrap image has been successfully compiled on the USB flash device.
    <username>: Successfully prepared the USB using bundle <bundle name>

Successful bootstrap (informational)
    The firewall was successfully provisioned with the bootstrap configuration file. The output includes the
    license keys installed and the file name of the bootstrap configuration. On the VM-Series firewalls only,
    the PAN-OS version and content update version are also displayed.

Read about the Bootstrap Package and how to Prepare the Bootstrap Package.
