Palo Alto Networks VNFs Specifications
Licensing
Bring Your Own License (BYOL) products require a valid license. You are responsible for purchasing and managing your own licenses from Palo Alto Networks. To purchase a software license, contact your Palo Alto Networks sales representative or partners.
Support
Palo Alto Networks support is available for BYOL licenses. Contact your Palo Alto Networks sales representative or partner to purchase a license and support contract.
Palo Alto Networks – VM-Series Firewall
- For a technical overview, see the VM-Series Spec Sheet.
- For documentation, see VM-Series Documentation.
- PAN-OS 10.1 Release Notes.
Specification | Small | Medium | Large | Extra-Large |
---|---|---|---|---|
CPU | 2 Cores | 4 Cores | 8 Cores | 16 Cores |
Memory | 8 GB | 16 GB | 48 GB | 56 GB |
Software Package | VM-100 | VM-100, VM-300 | VM-100, VM-300, VM-500 | VM-100, VM-300, VM-500, VM-700 |
Virtual Data Interfaces Supported (Default/Max) | 10 / 10 | 10 / 19 | ||
System Reserved Interfaces | Management | |||
Available License Type | BYOL | |||
Access Methods | SSH, Web Console | |||
Image Version | See Available Image Versions | |||
Restricted CLI Commands | None | |||
Deployment Options | Single, Redundant, Cluster |
Creating a Palo Alto Networks – VM-Series Firewall
If you are using the Panorama application to manage your device(s), you will need to enter the Panorama IP Address and Authentication Key during device creation.
Panorama support is only offered for versions 10.1.12 and above.
Cluster Setup Configuration After Device Provisioning
Network Edge provisions Cluster devices differently depending on the connectivity option. Read this section carefully to understand the steps required to configure the primary and secondary devices as Cluster nodes.
Both Connectivity options (With or Without Equinix Public IP Address) come with links between the primary and secondary node after the initial device provisioning. Those links are used for heartbeat communication and are required for Cluster deployment.
The following table summarizes configuration details based on connectivity type.
Configuration | With Equinix Public IP Address | Without Equinix Public IP Address |
---|---|---|
Internal HA Connection | By default, GigabitEthernet 8 and 9 are automatically configured for the HA connection. You cannot change this configuration. There is no need to connect the primary and secondary devices using a device link. | Select any two interfaces for heartbeat communication. The interface number must match between the primary and secondary devices. For example, if GigabitEthernet 5 is configured on the primary node, GigabitEthernet 5 must also be configured on the secondary node for the first HA connection. You need to allocate two interfaces per node for HA connections. |
Internal HA Configuration | By default, all configuration required to form a Cluster between the two devices is provisioned during the device provisioning phase. You are not required to apply any additional configuration for clustering. | You are required to configure cluster settings on the two interfaces (links) described above. Sample configurations can be found in the section below. |
Cluster Configuration required for Connectivity Option Without Equinix Public IP Address
If you select the connectivity option Without Equinix Public IP Address, you are responsible for configuring two interfaces on each node to form a cluster between the primary and secondary nodes. The following is a sample configuration using the Command Line Interface (CLI).
Sample configuration for Primary Node |
---|
set deviceconfig high-availability interface ha1 port ethernet1/<HA1_Interface> |
set deviceconfig high-availability interface ha1 ip-address <Primary_HA1_IP> |
set deviceconfig high-availability interface ha1 netmask |
Sample configuration for Secondary Node |
---|
set deviceconfig high-availability interface ha1 port ethernet1/<HA1_Interface> |
set deviceconfig high-availability interface ha1 ip-address <Secondary_HA1_IP> |
set deviceconfig high-availability interface ha1 netmask |
For a sample configuration using the Graphical User Interface (GUI) of the management software, see Configure HA Cluster in the Palo Alto documentation.
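As an added example (not from the original page, Equinix or Palo Alto Networks), the Python check below parses the HA interface `set` lines in the form shown above for both nodes and reports violations of the rules in this section: two HA links per node and matching interface numbers on each link. The `ha2` lines, the addresses, the helper names and the same-subnet check (which assumes a direct link between the nodes) are assumptions made for illustration.

```python
import ipaddress
import re

HA_LINE = re.compile(r"^set deviceconfig high-availability interface (\S+) "
                     r"(port|ip-address|netmask)\s+(\S+)$")
FIELDS = ("port", "ip-address", "netmask")

def parse_ha(config_text):
    """Return {link: {field: value}}; a line with no value is skipped."""
    links = {}
    for line in config_text.splitlines():
        m = HA_LINE.match(line.strip())
        if m:
            links.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return links

def check_pair(primary_text, secondary_text, required_links=2):
    """Return a list of problems; an empty list means the pair is consistent."""
    pri, sec = parse_ha(primary_text), parse_ha(secondary_text)
    problems = []
    for name, node in (("primary", pri), ("secondary", sec)):
        if len(node) < required_links:  # two interfaces per node are required
            problems.append(f"{name}: {len(node)} HA link(s), need {required_links}")
    for link in sorted(set(pri) | set(sec)):
        a, b = pri.get(link, {}), sec.get(link, {})
        missing = [f for f in FIELDS if f not in a or f not in b]
        if missing:
            problems.append(f"{link}: missing {', '.join(missing)}")
            continue
        if a["port"] != b["port"]:  # interface number must match on both nodes
            problems.append(f"{link}: port mismatch {a['port']} vs {b['port']}")
        if a["ip-address"] == b["ip-address"]:
            problems.append(f"{link}: both nodes use {a['ip-address']}")
        nets = {ipaddress.ip_interface(f"{n['ip-address']}/{n['netmask']}").network
                for n in (a, b)}
        if len(nets) != 1:  # assumption: direct link, so both ends share a subnet
            problems.append(f"{link}: peers are in different subnets")
    return problems

def node_config(ha1_port, ha1_ip, ha2_port, ha2_ip, mask="255.255.255.252"):
    """Build constructed sample input; the ha2 lines assume the ha1 shape."""
    pre = "set deviceconfig high-availability interface"
    links = (("ha1", ha1_port, ha1_ip), ("ha2", ha2_port, ha2_ip))
    return "\n".join(f"{pre} {link} {key} {value}" for link, port, ip in links
                     for key, value in zip(FIELDS, (f"ethernet1/{port}", ip, mask)))

PRIMARY = node_config(5, "192.0.2.1", 6, "192.0.2.5")
BAD_SECONDARY = node_config(5, "192.0.2.2", 7, "192.0.2.5")  # wrong port, reused IP
print("\n".join(check_pair(PRIMARY, BAD_SECONDARY)))
```

Running the check against the exported `set` lines of both nodes before committing catches a mismatched heartbeat interface while the pair can still be corrected from the console.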
License Registration for Cluster Devices
The following section describes cluster deployment scenarios Without Equinix Public IP Address.
Scenario 1: Manage Firewall from Colocation (Offline License Registration) | |
---|---|
Requirement | Management interface accessible only from the network connected to colocation space; offline license registration |
Deployment Flow | 1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal. 2. Log in to primary and secondary VNF consoles with your user name and password. 3. Create a virtual connection from the VNF to colocation on the first interface (management interface). 4. Assign an IP address to the management interface on both VNFs. 5. Confirm IP reachability from devices in the colocation space. 6. Access the VNF using SSH from a device in the colocation space. 7. Identify the CPU ID and UUID for the VNF. 8. Access the Palo Alto Networks Customer Support Portal (License portal) and generate two identical licenses for the VNFs. 9. Apply the offline mode license to both VNFs. 10. (Optional) You can manage the VNF from Panorama management software configured in the colocation space. 11. Create the virtual connections to the Cloud Service Providers (CSPs) from the remaining interfaces. 12. Continue to use offline device management for software updates. |
Scenario 2: Manage Firewall from an NSP Network (Online License Registration) | |
---|---|
Requirement | Management interface accessible from the NSP Virtual Connection or BYOC connected interface; online license registration |
Deployment Flow | 1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal. 2. Log in to primary and secondary VNF consoles with your user name and password. 3. Create a virtual connection from the VNF to the NSP on the first interface (management interface). 4. Assign an IP address to the management interface on both VNFs. 5. Confirm IP reachability from devices in the NSP network. 6. Access the VNF using SSH from a device in the NSP network. 7. Access the Palo Alto Networks Customer Support Portal (License portal) and generate a license and auth code for this VNF. 8. Apply the identical Auth Code to both VNFs. 9. (Optional) You can manage the VNF from Panorama management software configured in the NSP network. 10. Create virtual connections to CSPs from the remaining interfaces. |
Palo Alto Networks Prisma SD-WAN
Specification | Small | Medium | Large |
---|---|---|---|
CPU | 2 Cores | 4 Cores | 8 Cores |
Memory | 8 GB | 8 GB | 32 GB |
Software Package | Virtual ION (3103v) | Virtual ION (3103v), Virtual ION (3104v) | Virtual ION (3103v), Virtual ION (3104v), Virtual ION (7108v) |
Virtual Data Interfaces Supported | 10 / 10 | ||
System Reserved Interfaces | Controller, Port 1 (WAN1), Port 2 (WAN2) | ||
Available License Type | BYOL | ||
Access Methods | SSH, Prime Orchestrator | ||
Image Version | See Available Image Versions | ||
Vendor Throughput Information | Prisma SD-WAN Instant-On Network (ION) Device Specifications | ||
Vendor Product Specs | https://www.paloaltonetworks.com/sase/sd-wan.html |
Creating Palo Alto Networks Prisma SD-WAN Devices
When creating your device, you will need to specify:
- License Key – Enter your license key.
- License Secret – Enter your secret license phrase.
SD-WAN devices can be launched using Network Edge APIs. For more information, see Network Edge API – Launch SD-WAN Device.