
Palo Alto Networks VNFs Specifications

Licensing

Bring Your Own License (BYOL) products require a valid license. You are responsible for purchasing and managing your own licenses from Palo Alto Networks. To purchase a software license, contact your Palo Alto Networks sales representative or partners.

Support

Palo Alto Networks support is available for BYOL licenses. Contact your Palo Alto Networks sales representative or partner to purchase a license and support contract.

Palo Alto Networks – VM-Series Firewall

| | Small | Medium | Large | Extra-Large |
|---|---|---|---|---|
| CPU | 2 Cores | 4 Cores | 8 Cores | 16 Cores |
| Memory | 8 GB | 16 GB | 48 GB | 56 GB |
| Software Package | VM-100 | VM-100, VM-300 | VM-100, VM-300, VM-500 | VM-100, VM-300, VM-500, VM-700 |

  • Virtual Data Interfaces Supported (Default/Max): 10 / 10, 10 / 19
  • System Reserved Interfaces: Management
  • Available License Type: BYOL
  • Access Methods: SSH, Web Console
  • Image Version: See Available Image Versions
  • Restricted CLI Commands: None
  • Deployment Options: Single, Redundant, Cluster

Deployment Types

There are three deployment types available for VM-Series Firewall.

| Deployment Type | Description |
|---|---|
| Single | Provision a single device that operates as a standalone device. Another single device can be paired with the existing single device (requires the same resource configuration) to form local redundancy (redundancy in a single metro) or geo-redundancy (each device operates in a different metro). For more information, see Creating a VM-Series Firewall. |
| Redundant | Provision two firewall devices. Each device operates individually, and you are responsible for configuring them in an Active-Active fashion. You have the option of deploying the devices in two different metros (recommended) to achieve a distributed architecture, or keeping both devices in the same metro. |
| Cluster | Provision two firewall devices with Active-Standby redundancy in a single metro. (No geo-redundancy option available.) For more information, see Creating a Clustered VM-Series Firewall. |

VM-Series Firewall Flex VCPU License Support

Network Edge supports both Fixed and Flexible vCPU licensing models. A Flexible vCPU license requires a specific version of PAN-OS. You will need an Auth Code (8 or 9 digit alphanumeric code) when creating a VM-Series Firewall VNF.

When provisioning a VM-Series NGFW with the BYOL option, you are required to provide a license token during the device creation workflow in the Equinix Fabric portal. A license token is also called an Auth Code (an 8 or 9 digit alphanumeric code). For more information about VM-Series license types, see the Palo Alto Networks documentation.

Generating an Auth Code

Generate the Auth Code by creating a deployment profile in the Palo Alto Networks Customer Support Portal. The deployment profile defines the number of NGFWs and the feature sets that can be allocated and activated based on the credit you provide. This document assumes that you already have access to the Palo Alto Networks Customer Support Portal and have activated your credit. For more information about deployment profile creation, see the Palo Alto Networks documentation.

Important

To provision a Network Edge Palo Alto Networks VM-Series VNF, you only need the AUTH CODE. You DO NOT NEED to register the firewall with UUID, CPUID, number of vCPUs, and memory information.

Using the Auth Code

When you are creating your device, enter the Auth Code in the License File (BYOL) field. When creating redundant or cluster deployment types, use the Auth Code associated with your deployment profile. For instance, if you allocate enough firewalls and vCPU cores in the same deployment profile, use the same Auth Code for both redundant or cluster devices. If your deployment profile does not have enough firewalls or vCPU cores allocated, you can use different Auth Codes generated with separate deployment profiles.

In the Device Resources section, select the resource type that fits your deployment profile's CPU allocation. For instance, if your deployment profile allocates only 8 vCPU cores and you try to select the 16 Cores/56 GB Memory allocation, the Auth Code registration fails. In this case, your available resource options are 2 cores, 4 cores, or 8 cores.

In the Software Version section, select 10.1.3 or above. The Flexible vCPU license is only supported on PAN-OS 10.0.4 and above. If PAN-OS 9.x.x is selected, your Auth Code registration will fail, and your serial number will be unknown. Also, when you manually request a license using the CLI, you will see the error message: Server Error : Failed to install license. Memory or vcpu is required for FLEX deployment profile to be applied on the device

Make sure that the PAN-OS version of the device you are provisioning is 10.0.4 or above when using a Flexible vCPU license.

Once you complete your device creation, your Network Edge VNF will be instantiated with the appropriate AUTH CODE. A serial number is generated and registered to the Palo Alto Networks Customer Support Portal automatically. You can validate the registration by comparing the show system info CLI output with the serial number displayed under Software NGFW Devices on the Palo Alto Networks Customer Support Portal. Note that the UUID shown on the Equinix Fabric portal Device Details page and the UUID maintained in PAN-OS are different.

Troubleshooting Auth Code Issues

Even if an invalid Auth Code is entered during the VNF creation workflow, the portal proceeds with this code and completes the device provisioning process. Depending on the deployment type, you will observe a different provisioning status.

The following table summarizes potential root causes of Auth Code issues and the actions to take next.

| Possible Root Causes | Provisioning State | Next Steps |
|---|---|---|
| Auth Code is not valid | Single or Redundant Device - Provisioning status shows Provisioned. However, your serial number will not be generated and registered to the Palo Alto Customer Support Portal. To validate, use the web console in Device Details > Tools to access your CLI console and check your serial number using show system info. If an invalid Auth Code is used, the serial number value will be unknown. | Use CLI command request license fetch auth-code <your_auth_code> from the SSH or Web Console to manually trigger the Auth Code registration process. Once you provide a valid Auth Code, you will see VM Device License Installed message in the CLI console. |
| Auth Codes for both primary and secondary devices are not valid. Auth Codes for either primary or secondary devices are not valid. | Cluster Device - Device Provisioning Status shows License Error on both cluster devices, and License Status shows Registration Failed. | Use CLI command request license fetch auth-code <your_auth_code> from the SSH or Web Console to manually trigger the Auth Code registration process. Once you provide a valid Auth Code, you will see a VM Device License Installed message in the CLI console. You will see an Update the license file via the console to proceed message. Select the acknowledgment statement and click Confirm to bring both VNF instances to a Provisioned state. |
| Auth Codes for both devices are valid, but there are no adequate credits available for both cluster devices to be deployed. | Cluster Device - Device Provisioning Status shows License Error on both cluster devices, and License Status shows Registration Failed. | Log in to the Palo Alto Networks Customer Support Portal and verify that the Auth Code has adequate credits to deploy two VM series firewalls. |
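
The checks described above (serial number unknown, PAN-OS below 10.0.4, selected cores above the deployment profile allocation) can be scripted against saved CLI output. This is an added example, not Equinix or Palo Alto Networks code; the function names are hypothetical and the sample `show system info` text is constructed.

```python
import re

MIN_FLEX_VERSION = (10, 0, 4)  # page: Flexible vCPU licensing needs PAN-OS 10.0.4+

# Constructed samples shaped like `show system info` output; all values are made up.
SAMPLE_FAILED = "hostname: ne-fw-01\nsw-version: 9.1.13\nserial: unknown\n"
SAMPLE_OK = "hostname: ne-fw-02\nsw-version: 10.1.3\nserial: 007000000000001\n"

def parse_system_info(text):
    """Turn 'key: value' lines into a dict; lines without a colon are ignored."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info

def parse_version(sw_version):
    """'10.1.3-h1' -> (10, 1, 3); None when no x.y.z prefix is present."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", sw_version or "")
    return tuple(int(part) for part in match.groups()) if match else None

def triage(text, selected_cores, profile_vcpus):
    """Return findings for one device; an empty list means nothing to fix."""
    info = parse_system_info(text)
    findings = []
    version = parse_version(info.get("sw-version"))
    if version is None:
        findings.append("sw-version missing or unparseable")
    elif version < MIN_FLEX_VERSION:
        findings.append("PAN-OS %s is below 10.0.4: a Flexible vCPU Auth Code "
                        "will not register" % info["sw-version"])
    if selected_cores > profile_vcpus:
        findings.append("selected %d cores exceeds the %d vCPUs allocated in the "
                        "deployment profile" % (selected_cores, profile_vcpus))
    if info.get("serial", "unknown").lower() == "unknown":
        findings.append("serial is unknown: run request license fetch "
                        "auth-code <your_auth_code> with a valid Auth Code")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FAILED, selected_cores=16, profile_vcpus=8):
        print(finding)
```
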

Deactivating your Palo Alto Networks VM-Series VNF

If you are de-provisioning (deleting) a VNF, make sure that you de-activate your license from the VNF. The Network Edge Self-Configured device type is fully managed by you after the first provisioning. Therefore, you may need to configure your PAN-OS to support the API key to interact with the Palo Alto Networks Customer Support Portal for de-activation.

You can manually de-activate your license. For more information, see Palo Alto Networks documentation.

Palo Alto Networks Prisma SD-WAN

| | Small | Medium | Large |
|---|---|---|---|
| CPU | 2 Cores | 4 Cores | 8 Cores |
| Memory | 8 GB | 8 GB | 32 GB |
| Software Package | Virtual ION (3103v) | Virtual ION (3103v), Virtual ION (3104v) | Virtual ION (3103v), Virtual ION (3104v), Virtual ION (7108v) |

  • Virtual Data Interfaces Supported: 10 / 10
  • System Reserved Interfaces: Controller, Port 1 (WAN1), Port 2 (WAN2)
  • Available License Type: BYOL
  • Access Methods: SSH, Prime Orchestrator
  • Image Version: See Available Image Versions
  • Vendor Throughput Information: Prisma SD-WAN Instant-On Network (ION) Device Specifications
  • Vendor Product Specs: https://www.paloaltonetworks.com/sase/sd-wan.html

Creating Palo Alto Networks Prisma SD-WAN Devices

When creating your device, you will need to specify:

  • License Key – Enter your license key.
  • License Secret – Enter your secret license phrase.

Tip

SD-WAN devices can be launched using Network Edge APIs. For more information, see Network Edge API – Launch SD-WAN Device