
VM Series Evaluation Quickstart Guide

Uploaded by

Heera Singh

Quickstart Guide

VM-Series Evaluation

July, 2021
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com

Table of Contents

Introducing the VM-Series Evaluation
VM-Series Models and Resources
Deployment and Set Up
Deploy and Set Up Your VM-Series NGFW on ESXi
Deploy and Set Up Your VM-Series NGFW on KVM
Initial Configuration
Application and Threat Visibility (Tap Interface)
Getting Support
Useful Links

© 2021 Palo Alto Networks, Inc. All rights reserved. 2


Introducing the VM-Series Evaluation

The VM-Series evaluation version provides an easy way to try and experience
the best-in-class security provided by a Palo Alto Networks software firewall.
The evaluation is based on PAN-OS version 10.0.4 and is pre-licensed for Next
Generation Firewall, Threat Prevention and the WildFire® cloud-based threat
analysis service, the industry’s most advanced analysis and prevention engine
for highly evasive zero-day exploits and malware. You can also configure URL
filtering and deploy DNS protection. GlobalProtect and SD-WAN are also
available as optional features. The evaluation version lets you try these
security features for a period of 30 days.



VM-Series Models and Resources

The following VM-Series models are supported for evaluation.


Model    CPU   Memory (GB)
VM-100   2     6.5
VM-300   4     9
VM-500   8     16
VM-700   16    56

The VM-Series evaluation image does not include Panorama licensing. If a licensed
Panorama is available, the VM-Series evaluation instances can be managed with
Panorama.

You can familiarize yourself with the different interface deployment models
supported on VM-Series firewalls (link).

Deployment and Set Up

This evaluation is supported on ESXi and KVM. Follow the links below for system
requirements for deploying on these hypervisors.

VM-Series for VMware vSphere Hypervisor (ESXi)

VM-Series for KVM



Deploy and Set Up Your VM-Series NGFW on ESXi

The first step in deploying VM-Series on VMware ESXi is to plan the interfaces. We
recommend starting with a minimum of 3 interfaces: one for management and
one each for the trust and untrust interfaces. Consider how interfaces map to vNICs
before deployment; the best practice is to create placeholders for the
10 interfaces that VM-Series supports, to avoid reordering when new interfaces are
added. You can find more details on interface mappings here.


Before you start the installation, set up the virtual standard switch(es) or virtual
distributed switch(es) that you need for VM-Series. You will also need to decide if you
want to deploy in Layer 2 mode or Layer 3 mode.

The following recommendations are for setting up in either mode.


L2 mode instructions
L3 mode instructions

To familiarize yourself with deployment architectures, please refer to the Architecture
Guide and Deployment Guide.

You will start the deployment with the evaluation OVA image.

From the VMware vCenter or vSphere Client, create a new virtual machine and
choose ‘deploy from ovf or ova file.’ Name your VM-Series firewall and upload the
evaluation image.



Select the appropriate datastore and then select the network mapping for the first
interface.

Click Finish to start deployment.

Once deployment completes, before you ‘power on’ the VM, use ‘Edit settings’ to
allocate the desired number of CPUs to the VM. Memory should be assigned as per
the table above. At this stage you can add additional disk space. Add the desired
number of network adaptors and map them to the standard/distributed
vswitches.



Power on the VM.



Deploy and Set Up Your VM-Series NGFW on KVM

VM-Series can be deployed on a Linux server that is running the KVM hypervisor. The
deployment supports up to 25 interfaces and supports software-based virtual
switches such as the Linux bridge, the Open vSwitch bridge, and direct connectivity
to PCI passthrough or an SR-IOV capable adapter.

As you plan the interfaces, follow our System Requirements for supported
configurations and options for attaching VM-Series to your network.

Next, prepare your Linux environment, which includes verifying the Linux distribution
and networking infrastructure. VM-Series can connect using a Linux bridge,
Open vSwitch, PCI passthrough, or an SR-IOV capable network card. Follow the
instructions here to set up the desired options for your environment. Whether you
are going to secure traffic within a single host or across multiple hosts, you will
choose one of these supported deployment models.

When deploying VM-Series on KVM, you will use the qcow image.

To install VM-Series on KVM, you can use any of the following methods.
● virt-manager—Deploy VM-Series using the virt-manager virtual machine
manager. Virt-manager provides a convenient wizard to help you through the
installation process.
● virsh—Deploy VM-Series using the KVM command line. Create an XML file that
defines the virtual machine instance and a bootstrap XML file that defines the
initial configuration settings of the firewall. Then install the firewall by
mounting an ISO image as a CD-ROM.
● virt-install—Another option is to use the KVM command line to create the
definition for the VM-Series firewall and install it.

Detailed instructions on deploying on KVM via these methods can be found here.



Initial Configuration

Once the deployment of VM-Series is complete, configure the management
interface. By default, DHCP will be enabled on the management interface. If DHCP
service is not available in the network mapped to the management interface,
configure IP, gateway and DNS settings via the console.

The default login will be: admin/admin


Enter ‘configure’ to switch to configuration mode.

Use these commands to configure the management interface.

set deviceconfig system type static

set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>

commit

Once the Management IP address is configured, use https://<ip address> from your
browser to launch the UI.



For the evaluation, CPUID will start with ESXEVL/KVMEVL.

To track the validity of the evaluation image, use the CLI command: show system info

Next, ensure that VM-Series can reach the Palo Alto update server. Navigate to
Device > Dynamic Updates and ensure that the latest packages are downloaded and
installed.

Application and Threat Visibility (Tap Interface)

While vWire, Layer 2, or Layer 3 modes let you secure your traffic, the fastest way
to get visibility into what applications are running on your network, without having
to make any changes to your network design, is to use tap mode. In addition, when
in tap mode, the firewall can also identify threats on your network.

Tap mode deployment allows you to passively monitor traffic flows across a network
by way of a switch SPAN or mirror port. The SPAN or mirror port permits the copying
of traffic from other ports on the switch. By dedicating an interface on the firewall as
a tap mode interface and connecting it with a switch SPAN port, the switch SPAN
port provides the firewall with the mirrored traffic. This provides application visibility
within the network without being in the flow of network traffic.

To configure your environment for this, start by identifying the interface that
is connected to the virtual switch that is receiving the mirrored traffic.

To configure a zone, navigate to Network > Zones and use the ‘+’ button to create a
new zone and name the zone.

To set the interface to tap mode, navigate to Network > Interfaces. Select the interface
that will receive the mirrored traffic and set the zone.



Next, configure the security policy. Navigate to Policies > Security and use ‘+’ to
create a new policy. Name the policy and set both the source zone and the destination
zone to the zone you just created. Source address, destination address, and application
can be anything you choose. Set the action to ‘Allow’ and enable ‘Log at Session End’.

Click OK to commit the changes.

Navigate to Monitor > Traffic and you will see traffic logs.
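
The tap-mode steps above, expressed as PAN-OS configuration-mode commands. This is
an added example, not part of the original guide. The interface ethernet1/2, the zone
name tap-zone and the rule name tap-visibility are assumptions; substitute the
interface that receives the mirrored traffic.

```panos
# Added example; ethernet1/2, tap-zone and tap-visibility are assumed names.
configure

# Put the interface that receives the SPAN/mirror traffic into tap mode.
set network interface ethernet ethernet1/2 tap

# Create a tap-type zone and bind the tap interface to it.
set zone tap-zone network tap ethernet1/2

# One rule with the tap zone as both source and destination.
# The firewall only receives copies of packets in tap mode, so 'allow'
# here governs what is logged, not what is forwarded.
set rulebase security rules tap-visibility from tap-zone to tap-zone
set rulebase security rules tap-visibility source any destination any
set rulebase security rules tap-visibility application any service any
set rulebase security rules tap-visibility action allow log-end yes

# Activate the candidate configuration.
commit
```

Lines beginning with # are annotations; enter only the command lines at the firewall
prompt.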



You can run the traffic for a while and start generating reports to gain insights into
applications in your traffic as well as threats detected.



Getting Support
Useful Links

● VM-Series Firewall Hypervisor Support
● PAN-OS Admin Guide: Configuring Interfaces
● Troubleshoot ESXi Deployments
● Performance Tuning of the VM-Series for ESXi
● Performance Tuning of the VM-Series for KVM
● Live Community
● Contact Sales
