Palo Alto VM-100 User manual

Palo Alto Networks®
VM-Series Deployment Guide
PAN-OS 6.1
Copyright © 2007-2015 Palo Alto Networks
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/
About this Guide
This guide describes how to set up and license the VM-Series firewall; it is
intended for administrators who want to deploy the VM-Series firewall.
For more information, refer to the following sources:
• PAN-OS Administrator's Guide: for instructions on configuring the features on the firewall.
• https://paloaltonetworks.com/documentation: for access to the knowledge base, complete documentation
set, discussion forums, and videos.
• https://support.paloaltonetworks.com: for contacting support, for information on the support programs,
or to manage your account or devices.
For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2015 Palo Alto Networks Inc. All rights reserved.
Palo Alto Networks, and PAN-OS are registered trademarks of Palo Alto
Networks, Inc.
Revision Date: November 16, 2015
About the VM-Series Firewall
The Palo Alto Networks VM-Series firewall is the virtualized form of the Palo Alto Networks next-generation
firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east-west
and north-south traffic.
• VM-Series Models
• VM-Series Deployments
• License and Upgrade the VM-Series Firewall
VM-Series Models
The VM-Series firewall is available in four models—VM-100, VM-200, VM-300, and VM-1000-HV.
All four models can be deployed as guest virtual machines on VMware ESXi, Citrix NetScaler SDX, Amazon
Web Services, and KVM; on VMware NSX, only the VM-1000-HV is supported. The software package (.xva
or .ovf file) that is used to deploy the VM-Series firewall is common across all models. The VM-Series model is
driven by license; when you apply the license on the VM-Series firewall, the model number and the associated
capacities are implemented on the firewall.
Each model can be purchased as an Individual or an Enterprise version. The Individual version is in multiples
of 1. The orderable SKU, for example PA-VM-300, includes an auth-code to license one instance of the
VM-Series firewall. The Enterprise version is available in multiples of 25. For example, the orderable SKU
PAN-VM-100-ENT has a single auth-code that allows you to register 25 instances of the VM-100.
Each model of the VM-Series firewall is licensed for a maximum capacity. Capacity is defined in terms of the
number of sessions, rules, security zones, address objects, IPSec VPN tunnels and SSL VPN tunnels that the
VM-Series firewall is optimized to handle. When purchasing a license, make sure to purchase the correct model
for your network requirements. The following table depicts some of the capacity differences by model:
Model       Sessions  Security Rules  Dynamic IP Addresses  Security Zones  IPSec VPN Tunnels  SSL VPN Tunnels
VM-100      50000     250             1000                  10              25                 25
VM-200      100000    2000            1000                  20              500                200
VM-300      250000    5000            1000                  40              2000               500
VM-1000-HV  250000    10000           100000                40              2000               500
For information on the platforms on which you can deploy the VM-Series firewall, see VM-Series Deployments.
For general information, see About the VM-Series Firewall.
VM-Series Deployments
The VM-Series firewall can be deployed on the following platforms:
VM-Series for VMware vSphere Hypervisor (ESXi)
VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on VMware ESXi; ideal
for cloud or networks where a virtual form factor is required.
For details, see Set Up a VM-Series Firewall on an ESXi Server.
VM-Series for VMware NSX
The VM-1000-HV is deployed as a network introspection service with VMware NSX and Panorama. This
deployment is ideal for east-west traffic inspection, and it can also secure north-south traffic.
For details, see Set Up a VM-Series NSX Edition Firewall.
VM-Series for Citrix SDX
VM-100, VM-200, VM-300, or VM-1000-HV is deployed as a guest virtual machine on Citrix NetScaler SDX;
consolidates ADC and security services for multi-tenant and Citrix XenApp/XenDesktop deployments.
For details, see Set Up a VM-Series Firewall on the Citrix SDX Server.
VM-Series for Amazon Web Services (AWS)
VM-100, VM-200, VM-300, or VM-1000-HV can be deployed on EC2 instances in the AWS Cloud.
For details, see Set Up the VM-Series Firewall in AWS.
VM-Series for Kernel Virtualization Module (KVM)
VM-100, VM-200, VM-300, or VM-1000-HV can be deployed on a Linux server that is running the KVM
hypervisor. For details, see Set Up the VM-Series Firewall on KVM.
Here is a brief look at some of the requirements for deploying the VM-Series firewall:
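Deployment: VM-Series for VMware vSphere Hypervisor (ESXi) (without VMware NSX)
  Hypervisor Versions Supported: 5.0, 5.1, and 5.5
  Base Image Required from the Palo Alto Networks Support Portal: PAN-OS for VM-Series Base Images.
  For example, the downloadable image name reads as: PA-VM-6.1.0.zip
  Relevant Capacity Licenses: VM-100, VM-200, VM-300, VM-1000-HV
Deployment: VM-Series for VMware NSX, vSphere with VMware NSX and Panorama
  Hypervisor Versions Supported: 5.5
  Base Image Required from the Palo Alto Networks Support Portal: PAN-OS for VM-Series NSX Base Images.
  For example, the downloadable image name reads as: PA-VM-NSX-6.0.0.zip
  Relevant Capacity Licenses: VM-1000-HV
Deployment: VM-Series for Citrix SDX
  Hypervisor Versions Supported: SDX version 10.1+; XenServer version 6.0.2 or later
  Base Image Required from the Palo Alto Networks Support Portal: PAN-OS for VM-Series SDX Base Images.
  For example, the downloadable image name reads as: PA-VM-SDX-6.1.0.zip
  Relevant Capacity Licenses: VM-100, VM-200, VM-300, VM-1000-HV
Deployment: VM-Series for AWS
  Hypervisor Versions Supported: N/A
  Base Image Required from the Palo Alto Networks Support Portal: N/A
  Relevant Capacity Licenses: VM-100, VM-200, VM-300, VM-1000-HV
Deployment: VM-Series for KVM
  Hypervisor Versions Supported: KVM on the following Linux distributions:
  • Ubuntu: 12.04 LTS
  • CentOS/RedHat Enterprise Linux: 6.5
  Base Image Required from the Palo Alto Networks Support Portal: PAN-OS for VM-Series KVM Base Images.
  For example, the downloadable image name reads as: PA-VM-6.1.0.qcow2
  Relevant Capacity Licenses: VM-100, VM-200, VM-300, VM-1000-HV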
License and Upgrade the VM-Series Firewall
When you purchase a VM-Series firewall, you receive a set of authorization codes over email. Typically the email
includes authorization code(s) to license the VM-Series model you purchased (VM-100, VM-200, VM-300,
VM-1000-HV), support entitlement that provides access to software/content updates (for example,
PAN-SVC-PREM-VM-100 SKU auth-code), and any additional subscriptions such as Threat Prevention, URL
Filtering, GlobalProtect, or WildFire. In the case of the VMware integrated NSX solution, the email contains a
single authorization code that bundles the capacity license for one or more instances of the VM-1000-HV
model, the support entitlement, and one or more subscription licenses.
To use the authorization code(s), you must register the code to the support account on the Palo Alto Networks
support portal. If you have an existing support account, you can access the VM-Series Authentication Code link
on the support portal to manage your VM-Series firewall licenses and download the software.
If you do not have an existing support account, you must provide your sales order number or customer ID, and
the capacity auth-code to register and create an account on the support portal. After your account is verified
and the registration is complete, you will be able to log in and download the software package required to install
the VM-Series firewall. For details on activating the license for your deployment, refer to the relevant section in
Activate the License.
To license your VM-Series firewall, see the following sections:
• Create a Support Account
• Register the VM-Series Firewall
• Activate the License
• Upgrade the PAN-OS Software Version (Standalone Version)
• Upgrade the PAN-OS Software Version (NSX Edition)
• Upgrade the VM-Series Model
For instructions on installing your VM-Series firewall, see VM-Series Deployments.
Create a Support Account
A support account is required to manage your VM-Series firewall licenses and to download the software package
required to install the VM-Series firewall. If you have an existing support account, continue with Register the
VM-Series Firewall.
If you have an evaluation copy of the VM-Series firewall and would like to convert it to a fully
licensed (purchased) copy, clone your VM-Series firewall and use the instructions to register and
license the purchased copy of your VM-Series firewall. For instructions, see Upgrade the
VM-Series Model.
Create a Support Account
1. Log in to https://support.paloaltonetworks.com.
2. Click Register and fill in the details in the user registration form. You must use the capacity auth-code and the sales
order number or customer ID to register and create an account on the support portal.
3. Submit the form. You will receive an email with a link to activate the user account; complete the steps to activate the
account.
After your account is verified and the registration is complete, you will be able to log in and download the software
package required to install the VM-Series firewall.
Register the VM-Series Firewall
Use the instructions in this section to register your capacity auth-code with your support account.
1. Log in to https://support.paloaltonetworks.com with your account credentials.
2. Select Assets and click Add VM-Series Auth-Codes.
3. In the Add VM-Series Auth-Code field, enter the capacity auth-code you received by email, and click the checkmark
on the far right to save your input. The page will display the list of auth-codes registered to your support account.
You can track the number of VM-Series firewalls that have been deployed and the number of licenses that are still
available for use against each auth-code. When all the available licenses are used, the auth-code does not display on
the VM-Series Auth-Codes page. To view all the assets that are deployed, select Assets > Devices.
Activate the License
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and
completed initial configuration. For instructions to deploy the VM-Series firewall, see VM-Series Deployments.
Until you activate the license on the VM-Series firewall, the firewall does not have a serial number, the MAC
addresses of the dataplane interfaces are not unique, and only a minimal number of sessions are supported.
Because the MAC addresses are not unique until the firewall is licensed, to prevent issues caused by overlapping
MAC addresses, make sure that you do not have multiple, unlicensed VM-Series firewalls.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to
generate a unique serial number for the VM-Series firewall. The capacity auth-code in conjunction with the serial
number is used to validate your entitlement.
After you license a VM-Series firewall, if you delete and redeploy the VM-Series firewall on the same host
(typically occurs only in a lab environment), use a unique name when redeploying the firewall. Using a unique
name ensures that the UUID assigned to the firewall is not the same as that assigned to the deleted instance of
the firewall. A unique UUID is required to complete the licensing process without any problems.
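The two constraints above (no more than one unlicensed firewall at a time, and a unique UUID for every instance) can be checked across saved "show system info" output before a license is activated. This is an added example, not part of the Palo Alto Networks guide; the captures are constructed, and the field names serial, vm-uuid and vm-cpuid are assumptions about the command's "key: value" output.

```python
from collections import defaultdict

# Constructed captures keyed by an inventory label (not real devices).
# Assumed field names: serial, vm-uuid, vm-cpuid.
# "fw-lab-02-old" stands for the saved record of a deleted instance that was
# redeployed under the same name ("fw-lab-02-new") on the same host.
CAPTURES = {
    "fw-prod-01": """
hostname: fw-prod-01
serial: 007000000001
vm-uuid: 420A0001-0000-0000-0000-000000000001
vm-cpuid: CPUID-EXAMPLE-A
time: Mon Nov 16 10:00:00 2015
""",
    "fw-lab-02-old": """
hostname: fw-lab-02
serial: 007000000002
vm-uuid: 420A0002-0000-0000-0000-000000000002
vm-cpuid: CPUID-EXAMPLE-B
""",
    "fw-lab-02-new": """
hostname: fw-lab-02
serial: unknown
vm-uuid: 420a0002-0000-0000-0000-000000000002
vm-cpuid: CPUID-EXAMPLE-B
""",
    "fw-lab-03": """
hostname: fw-lab-03
serial: unknown
vm-uuid: 420A0003-0000-0000-0000-000000000003
vm-cpuid: CPUID-EXAMPLE-B
""",
}


def parse_system_info(text):
    """Turn 'key: value' lines into a dict, splitting on the first colon only."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip().lower()] = value.strip()
    return info


def is_unlicensed(info):
    """An unlicensed VM-Series firewall has no serial number (shown as unknown)."""
    return info.get("serial", "").lower() in ("", "unknown")


def audit(captures):
    """Report unlicensed firewalls and instances sharing a UUID and CPU ID."""
    parsed = {name: parse_system_info(text) for name, text in captures.items()}
    unlicensed = sorted(n for n, i in parsed.items() if is_unlicensed(i))

    # The licensing server derives the serial number from UUID + CPU ID, so two
    # records with the same pair cannot both be licensed as distinct firewalls.
    by_identity = defaultdict(list)
    for name, info in parsed.items():
        uuid = info.get("vm-uuid", "").upper()
        cpuid = info.get("vm-cpuid", "").upper()
        if uuid and cpuid:  # skip captures that lack either field
            by_identity[(uuid, cpuid)].append(name)
    duplicates = sorted(sorted(v) for v in by_identity.values() if len(v) > 1)

    return {
        "unlicensed": unlicensed,
        # More than one unlicensed firewall means overlapping dataplane MACs.
        "mac_overlap_risk": len(unlicensed) > 1,
        "duplicate_identity": duplicates,
    }


if __name__ == "__main__":
    for finding, value in audit(CAPTURES).items():
        print(f"{finding}: {value}")
```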
• Activate the License for the VM-Series Firewall (Standalone Version)
• Activate the License for the VM-Series NSX Edition Firewall
Activate the License for the VM-Series Firewall (Standalone Version)
To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and
completed initial configuration.
Activate the License
• If your VM-Series firewall has direct Internet access.
To activate the license, the firewall must be configured with an IP address, netmask, default gateway, and
DNS server IP address.
1. Select Device > Licenses and select the Activate feature using authentication code link.
2. Enter the capacity auth-code that you registered on the support portal. The firewall will connect to the
update server (updates.paloaltonetworks.com), and download the license and reboot automatically.
3. Log back in to the web interface and confirm that the Dashboard displays a valid serial number. If the term
Unknown displays, it means the device is not licensed.
4. On Device > Licenses, verify that the PA-VM license is added to the device.
• If your VM-Series firewall does not have Internet access.
1. Select Device > Licenses and click the Activate Feature using Auth Code link.
2. Click Download Authorization File, and download the authorizationfile.txt on the client machine.
3. Copy the authorizationfile.txt to a computer that has access to the Internet and log in to the support portal.
Click the My VM-Series Auth-Codes link, select the applicable auth-code from the list, and click the Register
VM link.
4. On the Register Virtual Machine tab, upload the authorization file. This will complete the registration
process and the serial number of your VM-Series firewall will be attached to your account records.
5. Navigate to Assets > My Devices, search for the VM-Series device just registered, and click the PA-VM
link. This will download the VM-Series license key to the client machine.
6. Copy the license key to the machine that can access the web interface of the VM-Series firewall and navigate
to Device > Licenses.
7. Click the Manually Upload License link and enter the license key. When the capacity license is activated on
the firewall, a reboot occurs.
8. Log in to the device and confirm that the Dashboard displays a valid serial number and that the PA-VM
license displays in the Device > Licenses tab.
Activate the License for the VM-Series NSX Edition Firewall
Panorama serves as the central point of administration for the VM-Series NSX edition firewalls and the license
activation process is automated. When a new VM-Series NSX edition firewall is deployed, it communicates with
Panorama to obtain the license. Therefore, you need to make sure that Panorama has internet access and can
connect to the Palo Alto Networks update server to retrieve the licenses. For an overview of the components
and requirements for deploying the VM-Series NSX edition firewall, see VM-Series NSX Edition Firewall
Overview.
For this integrated solution, the auth-code (for example, PAN-VM-1000-HV-SUB-BND-NSX2) includes
licenses for threat prevention, URL filtering and WildFire subscriptions and premium support for the requested
period.
In order to activate the license, you must have completed the following tasks:
• Registered the auth-code to the support account. If you don't register the auth-code, the licensing server
will fail to create a license.
• Configured the VMware Service Manager and entered this auth-code on Panorama. On Panorama, select
VMware Service Manager to add the Authorization Code.
In order to activate the licenses, complete the following tasks:
• Verify that the VM-Series firewalls that you just deployed display as Managed Devices and are connected to
Panorama.
• Select Panorama > Device Deployment > Licenses and click Refresh. Select the VM-Series firewalls for which
to retrieve subscription licenses and click OK.
Panorama will apply the licenses to each firewall that has been deployed with the matching auth-code.
If you have purchased an evaluation auth-code, you can license up to 5 VM-Series firewalls with
the VM-1000-HV capacity license for a period of 30 or 60 days. Because this solution allows you
to deploy one VM-Series firewall per ESXi host, the ESXi cluster can include a maximum of 5
ESXi hosts when using an evaluation license.
Upgrade the PAN-OS Software Version (Standalone Version)
Now that the VM-Series firewall has network connectivity and the base PAN-OS software is installed, consider
upgrading to the latest version of PAN-OS. Use the following instructions for firewalls that are not deployed in
a high availability (HA) configuration. For firewalls deployed in HA, refer to the PAN-OS 6.1 New Features
Guide.
Upgrade PAN-OS Version (Standalone Version)
1. From the web interface, navigate to Device > Licenses and make sure you have the correct VM-Series firewall
license and that the license is activated.
On the VM-Series firewall standalone version, navigate to Device > Support and make sure that you have
activated the support license.
2. (Required for a firewall that is in production) Save a backup of the current configuration file.
a. Select Device > Setup > Operations and click Export named configuration snapshot.
b. Select the XML file that contains your running configuration (for example, running-config.xml) and click
OK to export the configuration file.
c. Save the exported file to a location external to the firewall. You can use this backup to restore the
configuration if you have problems with the upgrade.
3. Check the Release Notes to verify the Content Release version required for the PAN-OS version. The
firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
a. Select Device > Dynamic Updates.
b. Check the Applications and Threats or Applications section to determine what update is currently
running.
c. If the firewall is not running the required update or later, click Check Now to retrieve a list of available
updates.
d. Locate the desired update and click Download.
e. After the download completes, click Install.
4. Upgrade the PAN-OS version on the VM-Series firewall.
a. Select Device > Software.
b. Click Refresh to view the latest software release and also review the Release Notes to view a description
of the changes in a release and to view the migration path to install the software.
c. Click Download to retrieve the software then click Install.
Upgrade the PAN-OS Software Version (NSX Edition)
For the VM-Series Firewall NSX edition, use Panorama to upgrade the software version on the firewalls.
Upgrade VM-Series NSX Edition Firewalls Using Panorama
Step 1 Save a backup of the current configuration file on each managed firewall that you plan to upgrade.
Although the firewall will automatically create a backup of the configuration, it is a best practice to create a
backup prior to upgrade and store it externally.
1. Select Device > Setup > Operations and click Export Panorama and devices config bundle. This option is
used to manually generate and export the latest version of the configuration backup of Panorama and of each
managed device.
2. Save the exported file to a location external to the firewall. You can use this backup to restore the
configuration if you have problems with the upgrade.
Step 2 Check the Release Notes to verify the Content Release version required for the PAN-OS version.
The firewalls you plan to upgrade must be running the Content Release version required for the PAN-OS version.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check
for the latest updates. The link in the Action column indicates whether an update is available. If a version is
available, the Download link displays.
3. Click Download to download a selected version. After successful download, the link in the Action column
changes from Download to Install.
4. Click Install and select the devices on which you want to install the update. When the installation completes,
a check mark displays in the Currently Installed column.
Step 3 Deploy software updates to selected firewalls.
If your firewalls are configured in HA, make sure to clear the Group HA Peers check box and upgrade one HA
peer at a time.
1. Select Panorama > Device Deployment > Software.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check
for the latest updates. The link in the Action column indicates whether an update is available.
3. Review the File Name and click Download. Verify that the software versions that you download match the
firewall models deployed on your network. After successful download, the link in the Action column changes
from Download to Install.
4. Click Install and select the devices on which you want to install the software version.
5. Select Reboot device after install, and click OK.
6. If you have devices configured in HA, clear the Group HA Peers check box and upgrade one HA peer at a time.
Step 4 Verify the software and Content Release version running on each managed device.
1. Select Panorama > Managed Devices.
2. Locate the device(s) and review the content and software versions on the table.
Upgrade the VM-Series Model
The licensing process for the VM-Series firewall uses the UUID and the CPU ID to generate a unique serial
number for each VM-Series firewall. Hence, when you generate a license, the license is mapped to a specific
instance of the VM-Series firewall and cannot be modified.
In order to apply a new capacity license to a firewall that has been previously licensed, you need to clone the
existing (fully configured) VM-Series firewall. During the cloning process, the firewall is assigned a unique
UUID, and you can therefore apply a new license to the cloned instance of the firewall.
Use the instructions in this section if you are:
• Migrating from an evaluation license to a production license.
• Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM-200 to
the VM-1000-HV license.
Migrate the License on the VM-Series Firewall
Step 1 Power off the VM-Series firewall.
Step 2 Clone the VM-Series firewall.
If you are manually cloning, when prompted indicate that you are copying and not moving the firewall.
Step 3 Power on the new instance of the VM-Series firewall.
1. Launch the serial console of the firewall on the vSphere/SDX web interface and enter the following command:
    show system info
2. Verify that:
• the serial number is unknown
• the firewall has no licenses
• the configuration is intact
Step 4 Register the new auth-code on the support portal.
See Register the VM-Series Firewall.
Step 5 Apply the new license.
See Activate the License.
After you successfully license the new firewall, delete the previous instance of the firewall to prevent conflict
in configuration or IP address assignments.