VM-Series Firewall Flex VCPU License Support

This document discusses the steps to prepare a Flexible vCPU License in the Palo Alto Networks portal and use the license for VNF provisioning on the Equinix Fabric portal.

Network Edge customers can leverage and bring their own Palo Alto Networks VM-Series Firewall license (BYOL) to provision virtual network functions (VNFs). Network Edge supports both traditional Fixed and Flexible vCPU licensing models.

Support of Flexible vCPU License for Palo Alto Networks VM-Series VNF

When provisioning a VM-Series NGFW with the BYOL option, the user is required to provide a license token during the device creation workflow in the Equinix Fabric portal. A license token is also called an Auth Code (an 8- or 9-digit alphanumeric code). For more information about VM-Series license types, see the Palo Alto Networks documentation.

Generating an Auth Code

Follow the steps below to generate the Auth Code by creating a deployment profile in the Palo Alto Networks Customer Support Portal. The deployment profile defines the number of NGFWs and feature sets that can be allocated and activated based on the credit you provide. This document assumes that you already have access to the Palo Alto Networks Customer Support Portal and have activated your credit. For more information about deployment profile creation, see the Palo Alto Networks documentation.

  1. Create a deployment profile. In the customer support portal, go to Assets > Software NGFW Credits. In the NGFW Credits panel, click Create Deployment Profile.

  2. Select VM-Series and then select the Flexible vCPUs option.

  3. Provide a profile name, the number of Firewalls planned to be deployed using this profile, and the planned vCPU per Firewall. Allocate enough Firewalls and vCPU for the VNF you are about to create in the Equinix Fabric portal. For instance, if you are creating a cluster device with 4 cores as the resource option, a minimum of 2 Firewalls and 8 vCPU need to be allocated in the deployment profile. For more information, see the Self-Configured VNF specification page.

  4. Customize your subscription by choosing your use case or by selecting specific security features you need to enable and finish the deployment profile creation.

  5. A new AUTH CODE will be generated based on your input. This AUTH CODE is an 8- or 9-digit alphanumeric code. Use this code when creating your VNF. The steps required in the Palo Alto Customer Support Portal are completed in this step.

Important: To provision a Network Edge Palo Alto Networks VM-Series VNF, you only need the AUTH CODE. You DO NOT NEED to register the firewall with UUID, CPUID, number of vCPUs, and memory information.

Creating VM-Series Firewall VNF using an Auth Code

Use a generated Auth Code to provision a Palo Alto VM-Series NGFW VNF.

  1. Sign in to the Equinix Fabric portal and click Create Virtual Device.

  2. Select Palo Alto Networks VM-Series from the marketplace selection.

  3. Select the deployment type. For VM-Series NGFW, single deployment, redundant deployment (Active – Active), and Cluster deployment (Active – Standby) options are available. For more information about deployment types, see Architecting Resiliency.

  4. Select the metro locations where you would like to deploy your Palo Alto VM-Series NGFW and select your billing account for this deployment.

  5. In the Device Management section, select Self-Configured. This option provides full access to the VNF features and functions the customer needs for typical firewall deployment.

  6. In the Licensing section, enter the Auth Code in the License File (BYOL) field. When creating redundant or cluster deployment types, use the Auth Code associated with your deployment profile. For instance, if you allocate enough firewalls and vCPU cores in the same deployment profile, use the same Auth Code for both devices of the redundant or cluster deployment. If your deployment profile does not have enough firewalls or vCPU cores allocated, then you can use different Auth Codes generated with separate deployment profiles.

  7. In the Device Resources section, select the resource type that fits your deployment profile's CPU allocation. For instance, if your deployment profile allocates only 8 vCPU cores and you try to select the 16 Cores/56 GB Memory allocation, the Auth Code registration fails. In this case, your available resource options will be 2 cores, 4 cores, or 8 cores.

  8. Select a Software Package based on your selected device resource.

  9. In the Software Version section, select 10.1.3 or above. The Flexible vCPU license is only supported on PAN-OS 10.0.4 and above. If PAN-OS 9.x.x is selected, your Auth Code registration will fail.

  10. Enter the device details:

    • Device Name – Used to identify the device in the Equinix Fabric portal.

    • Host Name Prefix – Used as the hostname in the VNF device.

  11. In the interface section, you can deploy additional interfaces only if you select 4 Cores or greater in the Device Resource section.

  12. In the Device Status Notification section, provide email address(es) for anyone managing this VNF.

    Tip: Provide multiple email addresses in case of state change, maintenance, or any other notification purpose.

  13. In the Add Users section, provide a username for SSH and Web-Console access. For the Self-Deployment option, you also need to provide SSH Public Keys for secure device access. For information about generating your SSH Public Keys, see Network Edge Device Access.

  14. The Diverse Compute from an Existing Single Device section allows you to select a compute plane for your VNF in case you want to increase high availability. If you have a specific VNF already deployed in a specific metro location, you can deploy this NGFW VNF to the same or a different metro location. If you are deploying in the same metro location where an existing VNF exists, then this option allows you to deploy in a different compute plane in the same metro location.

  15. The Access Control List Template(s) section allows you to control access to the WAN interface. For more information, see Primary Interface Access Control List.

  16. The Additional Internet Bandwidth section allows you to add more bandwidth on top of the 15 Mbps connection that automatically comes with all VNFs. Additional bandwidth has additional fees.

  17. Select your Term Length.

  18. In the Terms and Conditions section, click Review and Accept Order Terms to review your terms and conditions.

  19. Once the terms are accepted, click Create Edge Device.
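
The constraints in steps 6, 7 and 9 can be checked before the order is placed. The following is an added example, not Equinix or Palo Alto Networks code. It assumes that one Auth Code covers every device in the deployment, that redundant and cluster deployments each create two devices, and that the profile's vCPU figure is the total across its firewalls, as in the cluster example above; the function names and the sample Auth Code are made up.

```python
import re

# Rules taken from the steps above; all names here are this example's own.
AUTH_CODE_RE = re.compile(r"[A-Za-z0-9]{8,9}")  # 8- or 9-character alphanumeric
MIN_FLEX_PANOS = (10, 0, 4)                     # Flexible vCPU needs PAN-OS 10.0.4+
# Assumption: redundant and cluster deployments each create two devices.
DEVICES = {"single": 1, "redundant": 2, "cluster": 2}


def panos_tuple(version):
    """Turn '10.1.3' or '10.1.3-h1' into (10, 1, 3); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(p) for p in m.groups()) if m else None


def preflight(auth_code, deployment, cores, panos, profile_firewalls, profile_vcpus):
    """Return the problems that would make Auth Code registration fail."""
    problems = []
    if not AUTH_CODE_RE.fullmatch(auth_code):
        problems.append("auth code is not 8 or 9 alphanumeric characters")
    devices = DEVICES.get(deployment)
    if devices is None:
        problems.append(f"unknown deployment type {deployment!r}")
        return problems
    if profile_firewalls < devices:
        problems.append(f"profile has {profile_firewalls} firewall(s), {devices} needed")
    needed = devices * cores  # every device consumes its own vCPU allocation
    if profile_vcpus < needed:
        problems.append(f"profile has {profile_vcpus} vCPU, {needed} needed")
    version = panos_tuple(panos)
    if version is None or version < MIN_FLEX_PANOS:
        problems.append(f"PAN-OS {panos} is below 10.0.4")
    return problems


if __name__ == "__main__":
    # Constructed inputs; "D1234567" is a placeholder, not a real Auth Code.
    print(preflight("D1234567", "cluster", 4, "10.1.3", 2, 8))
    print(preflight("D1234567", "single", 16, "9.1.13", 1, 8))
```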

Verifying Auth Code and License Registration

Once you complete your device creation, your Network Edge VNF will be instantiated with the appropriate AUTH CODE. A serial number is generated and registered to the Palo Alto Networks Customer Support Portal automatically. You can validate the registration by comparing “Show System Info” CLI output and the serial number displayed in the Software NGFW Devices on the Palo Alto Customer Support Portal. Note that the UUID used in the Equinix Fabric portal Device Details page and the UUID maintained in the PAN-OS are different.

Troubleshooting Auth Code Related Issues

This section outlines some common Auth Code related errors and how to resolve them.

If an invalid Auth Code is entered during the VNF creation workflow, the Equinix Fabric portal proceeds with this code and completes the device provisioning process. Depending on the deployment type, you will observe a different provisioning status.

The following table summarizes potential root causes of Auth Code issues and the actions to take next.

Possible Root Cause: Auth Code is not valid

Provisioning State (Single or Redundant Device): Provisioning status shows Provisioned. However, your serial number will not be generated and registered to the Palo Alto Customer Support Portal. To validate, use the web console in Device Details > Tools to access your CLI console and check your serial number using

show system info

If an invalid Auth Code is used, the serial number value will be unknown.

Next Steps: Use CLI command from the SSH or Web Console and issue

request license fetch auth-code <your_auth_code>

to manually trigger the Auth Code registration process. Once you provide a valid Auth Code, you will see VM Device License Installed message in the CLI console.

Possible Root Causes:

  1. Auth Codes for both primary and secondary devices are not valid.

  2. Auth Codes for either primary or secondary devices are not valid.

Provisioning State (Cluster Device): Device Provisioning Status shows License Error on both cluster devices, and License Status shows Registration Failed.

Next Steps: Use CLI command from the SSH or Web Console and issue

request license fetch auth-code <your_auth_code>

to manually trigger the Auth Code registration process. Once you provide a valid Auth Code, you will see VM Device License Installed message in the CLI console.

You will see an Update the license file via the console to proceed message. Select the acknowledgment statement and click Confirm to bring both VNF instances to a Provisioned state.

Possible Root Cause: Auth Codes for both devices are valid, but there are no adequate credits available for both cluster devices to be deployed.

Provisioning State (Cluster Device): Device Provisioning Status shows License Error on both cluster devices, and License Status shows Registration Failed.

Next Steps: Log in to the Palo Alto Networks Customer Support Portal and verify that the Auth Code has adequate credits to deploy two VM series firewalls.

The following screen is displayed when an invalid Auth Code is used in the cluster deployment.

Flexible vCPU License Supported PAN-OS Version

When creating a VNF in the Equinix Fabric portal, it is important to select PAN-OS version 10.0.4 or above (currently 10.1.3 is supported, and the customer may upgrade PAN-OS with the self-configured device type). If the VNF is provisioned with PAN-OS 9.x.x, then your license registration process fails, and your serial number will be unknown. Also, when you manually request a license using the CLI, you will see the error message below:

Server Error : Failed to install license. Memory or vcpu is required for FLEX deployment profile to be applied on the device

Make sure that your provisioning device PAN-OS version is 10.0.4 or above when using Flexible vCPU license.
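
The checks described under Verifying Auth Code and License Registration and in the troubleshooting notes above can be scripted against captured CLI text. The following is an added example, not Equinix or Palo Alto Networks code. The function names, the result labels and the sample output are constructed for illustration; the matched strings are the ones quoted on this page.

```python
def parse_system_info(text):
    """Parse the 'key: value' lines of `show system info` output into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip():
            info[key.strip().lower()] = value.strip()
    return info


def registration_state(system_info_text, portal_serial=None):
    """Classify registration from the CLI serial and, if given, the portal's serial."""
    serial = parse_system_info(system_info_text).get("serial", "unknown")
    if not serial or serial.lower() == "unknown":
        return "unregistered"        # Auth Code registration did not complete
    if portal_serial is not None and serial != portal_serial.strip():
        return "serial-mismatch"     # device and Support Portal disagree
    return "registered"


def fetch_result(cli_output):
    """Classify the reply to `request license fetch auth-code <your_auth_code>`."""
    if "VM Device License Installed" in cli_output:
        return "installed"
    if "required for FLEX deployment profile" in cli_output:
        return "panos-too-old"       # the PAN-OS 9.x.x error quoted above
    return "other-error"


# Constructed sample output; hostname, address and serial are placeholders.
SAMPLE_UNLICENSED = """\
hostname: ne-vmseries-01
ip-address: 192.0.2.10
time: Mon Jan  8 10:15:02 2024
serial: unknown
sw-version: 9.1.13
vm-license: none
"""
SAMPLE_LICENSED = (SAMPLE_UNLICENSED
                   .replace("serial: unknown", "serial: 007000000000001")
                   .replace("sw-version: 9.1.13", "sw-version: 10.1.3"))

if __name__ == "__main__":
    print(registration_state(SAMPLE_UNLICENSED))
    print(registration_state(SAMPLE_LICENSED, "007000000000001"))
```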

Deactivating your Palo Alto Networks VM-Series VNF

If you are de-provisioning (deleting) a VNF, make sure that you de-activate your license from the VNF. The Network Edge Self-Configured device type is fully managed by you after the first provisioning. Therefore, you may need to configure your PAN-OS to support the API key to interact with the Palo Alto Networks Customer Support Portal for de-activation.

You can manually de-activate your license. For more information, see Palo Alto Networks documentation.