VM-Series Deployment Guide

Set Up the VM-Series Firewall in AWS
Version 7.0
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide describes how to set up and license the VM-Series firewall; it is intended for administrators who want to
deploy the VM-Series firewall.
For more information, refer to the following sources:

For information on the additional capabilities of and instructions for configuring the features on your firewall,
refer to https://www.paloaltonetworks.com/documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS 7.0 release notes, go to
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2007–2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: May 25, 2016
Set Up the VM-Series Firewall on KVM
Kernel-based Virtual Machine (KVM) is an open-source virtualization module for servers running Linux
distributions. The VM-Series firewall can be deployed on a Linux server that is running the KVM hypervisor.
This guide assumes that you have an existing IT infrastructure that uses Linux and have the foundation for
using Linux/Linux tools. The instructions only pertain to deploying the VM-Series firewall on KVM.

VM-Series on KVM— Requirements and Prerequisites

Supported Deployments on KVM

Install the VM-Series Firewall on KVM
VM-Series on KVM— Requirements and Prerequisites

System Requirements

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM
System Requirements
Requirements
Description
Hardware Resources
• vCPU: 2, 4, 8
• Memory: 4 GB; 5 GB for the VM-1000-HV
• Disk: 40 GB
• Disk types supported: Virtio and SCSI for best performance; IDE
• Disk-controllers: virtio, virt-scsi, IDE
• Intel-VT or AMD-V chipset that supports hardware-assisted virtualization
Software Versions
The VM-Series on KVM requires:
• Ubuntu 12.04 LTS (QEMU-KVM 1.0 and libvirt 0.9.8)
• CentOS/RedHat Enterprise Linux 6.5 (QEMU-KVM 0.12 and libvirt 0.10)
• Open vSwitch: 1.9.3, 2.3.1 with bridge compatibility mode
Starting with PAN-OS 7.0.4, the VM-Series on KVM also supports:
• Ubuntu 14.04 LTS (QEMU-KVM 2.0.0 and libvirt 1.2.2)
• CentOS/RedHat Enterprise Linux 7.0 (QEMU-KVM 1.5.3 and libvirt 1.2.8)
Open vSwitch with bridge compatibility mode is not required for Ubuntu 14.04 LTS
or CentOS/RedHat Enterprise Linux 7.0.
Network Interfaces—Network Interface Cards and Software Bridges
The VM-Series on KVM supports a total of 25 interfaces— 1 management interface
and a maximum of 24 network interfaces for data traffic.
VM-Series deployed on KVM supports software-based virtual switches such as the
Linux bridge or the Open vSwitch bridge, and direct connectivity to PCI passthrough
or an SR-IOV capable adapter.
• On the Linux bridge and OVS, the e1000 and virtio drivers are supported; the
default driver rtl8139 is not supported.
• For PCI passthrough/SR-IOV support, the VM-Series firewall has been tested for
the following network cards:
– Intel 82576 based 1G NIC: SR-IOV support on all supported Linux
distributions; PCI-passthrough support on all except Ubuntu 12.04 LTS.
– Intel 82599 based 10G NIC: SR-IOV support on all supported Linux
distributions; PCI-passthrough support on all except Ubuntu 12.04 LTS.
– Broadcom 57112 and 578xx based 10G NIC: SR-IOV support on all
supported Linux distributions; No PCI-passthrough support.
• Drivers: igb; ixgbe; bnx2x
• Drivers: igbvf; ixgbevf; bnx2x
SR-IOV capable interfaces assigned to the VM-Series firewall must be
configured as Layer 3 interfaces or as HA interfaces.
Options for Attaching the VM-Series on the Network
With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host.
For external connectivity, data traffic uses the physical interface to which the bridge is attached.
With PCI passthrough, data traffic is passed directly between the guest and the physical interface to
which it is attached. When the interface is attached to a guest, it is not available to the host or to other
guests on the host.
With SR-IOV, data traffic is passed directly between the guest and the virtual function to which it is
attached.
Prerequisites for VM-Series on KVM
Before you install the VM-Series firewall on the Linux server, review the following sections:

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall
Prepare the Linux Server
• Check the Linux distribution version. For a list of supported versions, see System Requirements.
• Verify that you have installed and configured KVM tools and packages that are required for creating and
managing virtual machines, such as Libvirt.
• If you want to use a SCSI disk controller to access the disk to which the VM-Series firewall stores data,
you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the
XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions,
see Enable the Use of a SCSI Controller.
KVM on Ubuntu 12.04 does not support the virtio-scsi controller.
• Verify that you have set up the networking infrastructure for steering traffic between the guests and
the VM-Series firewall and for connectivity to an external server or the Internet. The VM-Series firewall
can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or SR-IOV capable network card.
– Make sure that the link state for all interfaces you plan to use is up; sometimes you have to
manually bring them up.
– Verify the PCI ID of all the interfaces. To view the list, use the command: virsh nodedev-list --tree
– If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive
traffic to/from the firewall. If not, create bridge(s) and verify that they are up before you begin
installing the firewall.
– If using PCI-passthrough or SR-IOV, verify that the virtualization extensions (VT-d/IOMMU) are
enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in
/etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
– If using PCI-passthrough, ensure that the VM-Series firewall has exclusive access to the interface(s)
that you plan to attach to it.
To allow exclusive access, you must manually detach the interface(s) from the Linux server; refer to
the documentation provided by your network card vendor for instructions.
To manually detach the interface(s) from the server, use the command:
virsh nodedev-detach <pci id of interface>
For example, pci_0000_07_10_0
In some cases, in /etc/libvirt/qemu.conf, you may have to uncomment relaxed_acs_check = 1.
– If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to
use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into
multiple virtual functions. A guest can be mapped to one or more virtual functions.
To enable virtual functions, you need to:
1. Create a new file in this location: /etc/modprobe.d/
2. Modify the file using the vi editor to make the functions persistent: vim /etc/modprobe.d/igb.conf
3. Enable the number of virtual functions required: options igb max_vfs=4
After you save the changes and reboot the Linux server, each interface (or physical function) in this
example will have 4 virtual functions.
Refer to the documentation provided by your network vendor for details on the actual number of
virtual functions supported and for instructions to enable it.
Prepare to Deploy the VM-Series Firewall
• Purchase the VM-Series model and register the authorization code on the Palo Alto Networks support
portal. See Create a Support Account and Register the VM-Series Firewall.
• Obtain the qcow2 image and save it on the Linux server. As a best practice, copy the image to the folder:
/var/lib/libvirt/qemu/images.
If you plan to deploy more than one instance of the VM-Series firewall, make the required number of
copies of the image. Because each instance of the VM-Series firewall maintains a link with the .qcow2
image that was used to deploy the firewall, to prevent any data corruption issues, ensure that each image
is independent and is used by a single instance of the firewall.
Supported Deployments on KVM
You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances
of the VM-Series firewalls on a Linux host. The VM-Series firewall can be deployed with virtual wire, Layer
2, or Layer 3 interfaces. If you plan on using SR-IOV capable interfaces on the VM-Series firewall, you can
only configure the interfaces as Layer 3 interfaces.

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts
Secure Traffic on a Single Host
To secure east west traffic across guests on a Linux server, the VM-Series firewall can be deployed with
virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces,
where the firewall and the other guests on the server are connected using Linux bridges. In this deployment,
all traffic between the web servers and the database servers is routed through the firewall; traffic across the
database servers only or across the web servers only is processed by the bridge and is not routed through
the firewall.
Secure Traffic Across Linux hosts
To secure your workloads, more than one instance of the VM-Series firewalls can be deployed on a Linux
host. If, for example, you want to isolate traffic for separate departments or customers, you can use VLAN
tags
to logically isolate network traffic and route it to the appropriate VM-Series firewall. In the following
example, one Linux host hosts the VM-Series firewalls for two customers, Customer A and Customer B, and
the workload for Customer B is spread across two servers. In order to isolate traffic and direct it to the
VM-Series firewall configured for each customer, VLANs are used.
In another variation of this deployment, a pair of VM-Series firewalls are deployed in a high availability set
up. The VM-Series firewalls in the following illustration are deployed on a Linux server with SR-IOV capable
adapters. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions.
Each virtual function attached to the VM-Series firewall is configured as a Layer 3 interface. The active peer
in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.
Install the VM-Series Firewall on KVM
The libvirt API that is used to manage KVM includes a host of tools that allow you to create and manage
virtual machines. To install the VM-Series firewall on KVM you can use any of the following methods:



• Manually create the XML definition of the VM-Series firewall, then use virsh to import the definition.
Virsh is the most powerful tool that allows for full administration of the virtual machine.
• Use virt-install to create the definition for the VM-Series firewall and install it.
• Use the desktop user interface called virt-manager; virt-manager provides a convenient wizard to help
you through the installation process.
The following procedure uses virt-manager to install the VM-Series firewall on a server running KVM on
RHEL; the instructions for using virsh or virt-install are not included in this document.
If you are deploying several VM-Series firewalls and want to automate the initial configuration on the
firewall, see Use an ISO File to Deploy the VM-Series Firewall.
Install the VM-Series on KVM
Step 1: Install the VM-Series firewall.
1. On the Virt-manager, select Create a new virtual machine.
2. Add a descriptive Name for the VM-Series firewall.
3. Select Import existing disk image, browse to the image, and set the OS Type: Linux and Version: Red Hat
Enterprise Linux 6. If you prefer, you can leave the OS Type and Version as Generic.
4. Set the Memory to 4096 MB; or 5120 MB, if you have purchased the VM-1000-HV license.
5. Set CPU to 2, 4, or 8.
6. Select Customize configuration before install.
7. Under Advanced options, select the bridge for the management interface, and accept the default settings.
8. To modify disk settings:
a. Select Disk, expand Advanced options and select Storage format—qcow2; Disk Bus—Virtio or IDE, based on
your set up.
If you want to use a SCSI disk bus, see Enable the Use of a SCSI Controller.
b. Expand Performance options, and set Cache mode to writethrough. This setting improves installation
time and execution speed on the VM-Series firewall.
9. To add network adapters for the data interfaces:
a. Select Add Hardware > Network if you are using a software bridge such as the Linux bridge or the
Open vSwitch.
• For Host Device, enter the name of the bridge or select it from the drop down list.
• To specify the driver, set Device Model to e1000 or virtio. These are the only supported virtual
interface types.
b. Select Add Hardware > PCI Host Device for PCI-passthrough or an SR-IOV capable device.
• In the Host Device list, select the interface on the card or the virtual function.
c. Click Apply or Finish.
10. Click Begin Installation.
11. Wait 5-7 minutes for the installation to complete.
By default, the XML template for the VM-Series firewall is created and stored at /etc/libvirt/qemu.
Step 2: Configure the network access settings for the management interface.
1. Open a connection to the console.
2. Log into the firewall with username/password: admin/admin.
3. Enter configuration mode with the following command:
configure
4. Use the following command to configure the management interface:
set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the
subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of
the DNS server.
Step 3: Verify which ports on the host are mapped to the interfaces on the VM-Series firewall. In order to
verify the order of interfaces on the Linux host, see Verify PCI-ID for Ordering of Network Interfaces on
the VM-Series Firewall.
To make sure that traffic is handled by the correct interface, use the following command to identify which
ports on the host are mapped to the ports on the VM-Series firewall.
admin@PAN-VM> debug show vm-series interfaces all
Phoenix_interface  Base-OS_port  Base-OS_MAC        PCI-ID
mgt                eth0          52:54:00:d7:91:52  0000:00:03.0
Ethernet1/1        eth1          52:54:00:fe:8c:80  0000:00:06.0
Ethernet1/2        eth2          0e:c6:6b:b4:72:06  0000:00:07.0
Ethernet1/3        eth3          06:1b:a5:7e:a5:78  0000:00:08.0
Ethernet1/4        eth4          26:a9:26:54:27:a1  0000:00:09.0
Ethernet1/5        eth5          52:54:00:f4:62:13  0000:00:10.0
Step 4: Access the web interface of the VM-Series firewall and configure the interfaces and define security
rules and NAT rules to safely enable the applications that you want to secure.
Refer to the PAN-OS Administrator’s Guide.
Enable the Use of a SCSI Controller
If you want the VM-Series firewall to use the disk bus type SCSI to access the virtual disk, use the following
instructions to attach the virtio scsi controller to the firewall and then enable the use of the virtio-scsi
controller.
KVM on Ubuntu 12.04 does not support the virtio-scsi controller; the virtio-scsi controller can
only be enabled on the VM-Series firewall running on RHEL or CentOS.
This process requires virsh because Virt manager does not support the virtio-scsi controller.
Enable the VM-Series Firewall to use a SCSI Controller
1. Create an XML file for the SCSI controller. In this example, it is called virt-scsi.xml.
[root@localhost ~]# cat /root/virt-scsi.xml
<controller type='scsi' index='0' model='virtio-scsi'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
</controller>
Make sure that the slot used for the virtio-scsi controller does not conflict with another device.
2. Associate this controller with the XML template of the VM-Series firewall.
[root@localhost ~]# virsh attach-device --config <VM-Series_name> /root/virt-scsi.xml
Device attached successfully
3. Enable the firewall to use the SCSI controller.
[root@localhost ~]# virsh attach-disk <VM-Series_name> /var/lib/libvirt/images/PA-VM-6.1.0-c73.qcow2 sda --cache none --persistent
Disk attached successfully
4. Edit the XML template of the VM-Series firewall. In the XML template, you must change the target disk and the
disk bus used by the firewall.
By default, the XML template is stored at /etc/libvirt/qemu.
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' cache='writeback'/>
<source file='/var/lib/libvirt/images/PA-VM-7.0.0-c73.qcow2'/>
<target dev='sda' bus='scsi'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
Regardless of whether you use virtual interfaces (Linux/OVS bridge) or PCI devices (PCI-passthrough or
SR-IOV capable adapter) for connectivity to the VM-Series firewall, the VM-Series firewall treats the
interface as a PCI device. The assignment of an interface on the VM-Series firewall is based on the PCI-ID,
which is a value that combines the bus, device or slot, and function of the interface. The interfaces are ordered
starting at the lowest PCI-ID, which means that the management interface (eth0) of the firewall is assigned
to the interface with the lowest PCI-ID.
Let's say you assign four interfaces to the VM-Series firewall: three virtual interfaces of type virtio and e1000,
and a fourth that is a PCI device. To view the PCI-ID for each interface, enter the command virsh dumpxml
$domain <name of the VM-Series firewall> on the Linux host to view the list of interfaces attached to the
VM-Series firewall. In the output, check for the following networking configuration:
<interface type='bridge'>
<mac address='52:54:00:d7:91:52'/>
<source bridge='mgmt-br'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='bridge'>
<mac address='52:54:00:f4:62:13'/>
<source bridge='br8'/>
<model type='e1000'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
</interface>
<interface type='bridge'>
<mac address='52:54:00:fe:8c:80'/>
<source bridge='br8'/>
<model type='e1000'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
<hostdev mode='subsystem' type='pci' managed='yes'>
<source>
<address domain='0x0000' bus='0x08' slot='0x10' function='0x1'/>
</source>
<address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</hostdev>
In this case, the PCI-ID of each interface is as follows:

First virtual interface PCI-ID is 00:03:00

Second virtual interface PCI-ID is 00:10:00

Third virtual interface PCI-ID is 00:06:00

Fourth interface PCI-ID is 00:07:00
Therefore, on the VM-Series firewall, the interface with PCI-ID of 00:03:00 is assigned as eth0 (management
interface), the interface with PCI-ID 00:06:00 is assigned as eth1 (ethernet1/1), the interface with PCI-ID
00:07:00 is eth2 (ethernet1/2) and the interface with PCI-ID 00:10:00 is eth3 (ethernet1/3).
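The ordering rule above can be checked before first boot, so that a zone or policy is not bound to the wrong port. The following Python sketch is an added example, not part of the original guide or any Palo Alto Networks tooling; it assumes every <interface> and every PCI <hostdev> in the domain XML is a firewall NIC, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed input: the four devices from the dumpxml excerpt above, wrapped
# in a minimal <domain><devices> element so that the fragment parses.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'><devices>
  <interface type='bridge'>
    <mac address='52:54:00:d7:91:52'/><source bridge='mgmt-br'/>
    <model type='virtio'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
  </interface>
  <interface type='bridge'>
    <mac address='52:54:00:f4:62:13'/><source bridge='br8'/>
    <model type='e1000'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
  </interface>
  <interface type='bridge'>
    <mac address='52:54:00:fe:8c:80'/><source bridge='br8'/>
    <model type='e1000'/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
  </interface>
  <hostdev mode='subsystem' type='pci' managed='yes'>
    <source>
      <address domain='0x0000' bus='0x08' slot='0x10' function='0x1'/>
    </source>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
  </hostdev>
</devices></domain>
"""


def _pci(addr):
    """Parse a libvirt <address> element into (domain, bus, slot, function)."""
    return tuple(int(addr.get(k, "0"), 16)
                 for k in ("domain", "bus", "slot", "function"))


def _backing(dev):
    """Describe what the device is connected to on the Linux host."""
    if dev.tag == "interface":
        src, model = dev.find("source"), dev.find("model")
        return "bridge %s (%s)" % (
            src.get("bridge") if src is not None else "?",
            model.get("type") if model is not None else "?")
    return "host PCI %04x:%02x:%02x.%x" % _pci(dev.find("source/address"))


def firewall_interface_order(domain_xml):
    """Return the guest NICs in the order the firewall enumerates them."""
    devices = ET.fromstring(domain_xml).find("devices")
    nics = []
    for dev in devices:
        is_nic = dev.tag == "interface" or (
            dev.tag == "hostdev" and dev.get("type") == "pci")
        if not is_nic:
            continue
        # Direct child only: inside <hostdev>, <source><address> is the
        # host-side address and must not be used for ordering.
        guest = dev.find("address")
        if guest is None or guest.get("type") != "pci":
            raise ValueError("%s has no guest PCI address yet" % dev.tag)
        nics.append((_pci(guest), _backing(dev)))
    keys = [key for key, _ in nics]
    if len(set(keys)) != len(keys):
        raise ValueError("two devices share one guest PCI address")
    result = []
    # Slots are hexadecimal, so 0x10 sorts after 0x07; compare as integers.
    for i, (key, backing) in enumerate(sorted(nics)):
        result.append({
            "port": "eth%d" % i,
            "firewall": "management" if i == 0 else "ethernet1/%d" % i,
            "pci_id": "%02x:%02x:%02x" % key[1:],
            "backing": backing,
        })
    return result


if __name__ == "__main__":
    for row in firewall_interface_order(SAMPLE_DOMAIN_XML):
        print("{port:5} {firewall:12} {pci_id:9} {backing}".format(**row))
```

The mapping is computed from the guest-side addresses only, which is why the SR-IOV virtual function at host address 0000:08:10.1 lands on ethernet1/2 ahead of the e1000 bridge port in slot 0x10.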
Use an ISO File to Deploy the VM-Series Firewall
If you want to pass a script to the VM-Series firewall at boot time, you can mount a CD-ROM with an ISO
file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters
for the management port of the firewall. The VM-Series firewall on first boot checks for the
bootstrap-networkconfig.xml file, and uses the values defined in it.
If a single error is encountered in parsing the bootstrap file, the VM-Series firewall will reject all the configuration in this
file and boot with default values.
Create a Bootable ISO File
Step 1: Create the XML file and define it as a virtual machine instance.
For a sample file, see Sample XML file for the VM-Series Firewall.
In this example, the VM-Series firewall is called PAN_Firewall_DC1.
For example:
user-PowerEdge-R510:~/kvm_script$ sudo vi /etc/libvirt/qemu/PAN_Firewall_DC1.xml
user-PowerEdge-R510:~/kvm_script$ sudo virsh define /etc/libvirt/qemu/PAN_Firewall_DC1.xml
Domain PAN_Firewall_DC1_bootstp defined from /etc/libvirt/qemu/PAN_Firewall_DC1.xml
user-PowerEdge-R510:~/kvm_script$ sudo virsh -q attach-interface PAN_Firewall_DC1_bootstp bridge br1 --model=virtio --persistent
user-PowerEdge-R510:~/kvm_script$ virsh list --all
Id    Name                        State
--------------------------------------------
      PAN_Firewall_DC1_bootstp    shut off
Step 2: Create the bootstrap XML file.
You can define the initial configuration parameters in this file and name it bootstrap-networkconfig.
If you do not want to include a parameter, for example panorama-server-secondary, delete the entire line
from the file. If you leave the IP address field empty, the file will not be parsed successfully.
Use the following example as a template for the bootstrap-networkconfig file. The bootstrap-networkconfig
file can include the following parameters only:
<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.5.132.1</default-gateway>
<dns-primary>10.44.2.10</dns-primary>
<dns-secondary>8.8.8.8</dns-secondary>
<panorama-server-primary>10.5.133.4</panorama-server-primary>
<panorama-server-secondary>10.5.133.5</panorama-server-secondary>
</vm-initcfg>
Step 3: Create the ISO file. In this example, we use mkisofs.
Save the ISO file in the images directory (/var/lib/libvirt/images) or the qemu directory
(/etc/libvirt/qemu) to ensure that the firewall has read access to the ISO file.
For example:
# mkisofs -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot -o <iso-filename> bootstrap-networkconfig.xml
Step 4: Attach the ISO file to the CD-ROM.
For example:
# virsh -q attach-disk <vm-name> <iso-filename> sdc --type cdrom --mode readonly --persistent
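Because one parse error makes the firewall discard the whole bootstrap file and boot with default values, it is worth checking the file before building the ISO. The following Python pre-flight check is an added example, not part of the original guide or the firewall's own parser; it applies the rules stated above (only the listed parameters, no empty fields) and additionally assumes, as the template suggests, that address fields hold IPv4 literals and that the netmask is contiguous.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The only parameters the guide lists for the bootstrap-networkconfig file.
ALLOWED = ("hostname", "ip-address", "netmask", "default-gateway",
           "dns-primary", "dns-secondary",
           "panorama-server-primary", "panorama-server-secondary")
ADDRESS_FIELDS = set(ALLOWED) - {"hostname", "netmask"}

# The guide's template values.
GOOD = """<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.5.132.1</default-gateway>
<dns-primary>10.44.2.10</dns-primary>
<dns-secondary>8.8.8.8</dns-secondary>
<panorama-server-primary>10.5.133.4</panorama-server-primary>
<panorama-server-secondary>10.5.133.5</panorama-server-secondary>
</vm-initcfg>"""

# Constructed bad input: a non-contiguous netmask, an emptied field, and a
# parameter that is not in the supported list.
BAD = """<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.0.255.0</netmask>
<panorama-server-primary>10.5.133.4</panorama-server-primary>
<panorama-server-secondary></panorama-server-secondary>
<ntp-server>10.5.133.9</ntp-server>
</vm-initcfg>"""


def _is_netmask(text):
    """True for a dotted-quad mask whose one-bits are contiguous from the left."""
    mask = int(ipaddress.IPv4Address(text))
    inverted = ~mask & 0xFFFFFFFF
    return mask != 0 and (inverted & (inverted + 1)) == 0


def validate_bootstrap(xml_text):
    """Return a list of problems; an empty list means none were found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "vm-initcfg":
        return ["root element is <%s>, expected <vm-initcfg>" % root.tag]
    problems, seen = [], set()
    for el in root:
        name, value = el.tag, (el.text or "").strip()
        if name not in ALLOWED:
            problems.append("<%s>: unsupported parameter" % name)
            continue
        if name in seen:
            problems.append("<%s>: appears more than once" % name)
        seen.add(name)
        if not value:
            problems.append(
                "<%s>: empty value, delete the whole line instead" % name)
            continue
        try:
            if name in ADDRESS_FIELDS:
                ipaddress.IPv4Address(value)   # assumption: IPv4 literals only
            elif name == "netmask" and not _is_netmask(value):
                raise ValueError("non-contiguous mask")
        except ValueError:
            problems.append("<%s>: %r is not a valid IPv4 %s" % (
                name, value, "netmask" if name == "netmask" else "address"))
    return problems


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_bootstrap(text) or "ok")
```

Run it against bootstrap-networkconfig.xml before the mkisofs step; a file that fails here would leave the firewall on its default settings after first boot.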
Sample XML file for the VM-Series Firewall
<?xml version="1.0"?>
<domain type="kvm">
<name>PAN_Firewall_DC1</name>
<memory>4194304</memory>
<currentMemory>4194304</currentMemory>
<vcpu placement="static">2</vcpu>
<os>
<type arch="x86_64">hvm</type>
<boot dev="hd"/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<clock offset="utc"/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/libexec/qemu-kvm</emulator>
<disk type="file" device="disk">
<driver type="qcow2" name="qemu"/>
<source file="/var/lib/libvirt/images/panos-kvm.qcow2"/>
<target dev="vda" bus="virtio"/>
</disk>
<controller type="usb" index="0"/>
<controller type="ide" index="0"/>
<controller type="scsi" index="0"/>
<serial type="pty">
<source path="/dev/pts/1"/>
<target port="0"/>
<alias name="serial0"/>
</serial>
<console type="pty" tty="/dev/pts/1">
<source path="/dev/pts/1"/>
<target type="serial" port="0"/>
<alias name="serial0"/>
</console>
<input type="mouse" bus="ps2"/>
<graphics type="vnc" port="5900" autoport="yes"/>
</devices>
</domain>
To modify the number of vCPUs assigned on the VM-Series firewall, change the value 2 to 4 or 8 vCPUs in this line of the
sample XML file:
<vcpu placement="static">2</vcpu>