VM LICENSING |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Register the VM-Series Firewall for PAYG or BYOL license type | Troubleshoot License Activation Issues |
Activate the License for the VM-Series Firewall (Standalone Version) | License Error: "Failed to Install Licenses. Unexpected Error Occurred." |
Activate the License for the VM-Series Firewall for VMware NSX | VM-Series HA Error on Web UI: "VM License mismatches with peer" |
Switch Between the BYOL and the PAYG Licenses | No Logging in Unlicensed VM-Series Firewall |
How to switch between ELA to BYOL license type or vice-versa | Unable to Activate Support on Panorama |
Manage VM-Series ELA License Tokens | Failed to install License Key during PA-VM bootstrap |
Renew VM-Series Firewall License Bundles | Application and Threat version downloads and installs, but never actually updates |
Deactivate the License(s) | VM firewall loses session capacity after reboot |
Upgrade the VM-Series Model | Stop or Deallocate Marketplace Pay-As-You-Go VM |
How to Activate Trial Licenses | DotW: Deactivating and Showing Licenses (CLI Commands) |
VM-Series for AWS and Azure Licensing Considerations | “authcodes” file not found during bootstrap |
Migration from Evaluation license to Production license | Getting Invalid API Key for Dynamic Updates and Software Updates |
| If a Panorama VM fails to boot up due to an error that requires to perform factory default, how to retrieve the license using the same serial number? |
PA-VM deleted without deactivating license |
What Happens When Licenses Expire on the Palo Alto Networks Firewall? |
Unable to license VM-50 instance |
Device management capacity reached after upgrading Panorama to 8.1 |
“Invalid Auth Code” prompted when registering new PA-VM |
Error "Failed to install licenses. Model incompatible: feature model is PRA while the device model is PRA" |
Case Studies for VM-Series License |
Back to Top |
VM-SERIES ON AWS |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Deploy a VM-Series Firewall from AWS Marketplace | AWS ALB health check fails for VM-Series Firewall |
Switch Management Interface with Dataplane interface for use with AWS ELB | Dataplane Interface on VM-Series Firewall not getting DHCP IP address |
Setup and Configure AWS and VM Firewall to secure EC2 instances in AWS cloud | Traffic is not received on VM-Series firewall deployed in AWS |
Configure Active/Passive HA on AWS for VM-Series Firewalls | Bootstrapping failing for PA-VM deployment in AWS |
Mandatory IAM Permissions for HA on AWS | VM-Series Firewall fails to fetch license during bootstrap in AWS |
Port Numbers to be allowed for HA links functionality in AWS Security Groups | VM-Series Firewall does not get configuration from "init-cfg.txt" during bootstrap in AWS |
IAM Permissions Required for AWS VPC Monitoring to fetch Dynamic Address Groups | No Internet Connectivity on newly Active VM Firewall causes ENIs to not move from old Active VM Firewall after failover in AWS |
Configure VM Information Source on Firewall to fetch EC2 instance IP addresses for Dynamic Address Group and use in policy | Missing IAM role on VM Firewall Instance resulting in AWS HA failure |
Bootstrap the VM firewall in AWS | Failure to resolve DNS on newly Active VM Firewall causes ENIs to not move from Old Active VM Firewall after failover in AWS |
How to modify instance type of an existing VM-Series Firewall | Missing IKE ID settings results in Phase-1 negotiation failure of tunnel terminating on VM-Series Firewall in AWS |
How to Configure Secondary IP addresses on VM-Series Firewall NICs | IKE Phase 1 negotiation failure due to timeout on VM-Series Firewall in AWS |
Setup Cloud Watch Monitoring for VM-Series Firewalls in AWS | Interfaces Used for Accessing External Services on VM-Series Firewalls |
Setup Auto Scaling in AWS for VM-Series Firewalls (Version 2.0) | Supported Attributes monitored by Palo Alto Firewall /Panorama for AWS VPC under VM Information Sources and AWS plugin monitoring |
Setup Auto Scaling in AWS for VM-Series Firewalls (Version 2.1) | How to get AMI ID for VM-Series Firewall on AWS |
Enable DPDK on AWS VM-Series Firewalls for performance tuning | Metrics Published to AWS Cloudwatch for monitoring VM-Series Firewall deployed in AWS |
Enable Jumbo Frames on VM-Series Firewalls | How to Upgrade plugin on AWS VM-Series Firewalls |
How to attach a Secondary Logging disk on VM-Series Firewalls in AWS | Troubleshooting AWS Auto Scaling setup/configuration Failures |
Github Repository for deploying Auto Scaling setup for VM-Series Firewalls | Unable to reach specific destination/subnet through VM-Series Firewall within AWS |
Github Repository for deploying AWS Transit VPC setup with VM-Series Firewall | Unidirectional traffic seen on the VM-Series Firewall in AWS |
Comparison of performance for AWS VM-Series firewalls for different VM capacity license | Dynamic Address Group (DAG) learnt from AWS VPC are not populated with IP’s on VM-Series Firewall |
AWS Instance Type vs Capacity License mapping for VM-Series Firewalls | Case Studies for VM-Series on AWS |
Set Up the AWS Plugin for VM Monitoring on Panorama | |
Deploy a Panorama from AWS Marketplace |
Back to Top |
VM-SERIES ON AZURE |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Minimum System Requirements for VM-Series Firewall in Azure | VM-Series Firewall fails to fetch license during bootstrap in Azure |
Azure Instance Size vs Capacity License mapping for VM-Series Firewalls | VM-Series Firewall fails to bootstrap in Azure due to DNS issues |
Deploy VM-Series Firewall from Azure Marketplace | VM-Series Firewall fails to bootstrap in Azure due to no Internet Access |
Bootstrap VM-Series Firewall in Azure | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with HTTP Error Code: 403 (Forbidden) |
Deploy VM-Series Firewall using Azure CLI | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover due to DNS resolution issues |
How to rebuild VM-Series Firewall in Azure | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with HTTP Error Code : 404 (Not Found) |
Deploy VM-Series Firewall in Azure stack | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with Error " Put Request Failed: 429" |
How to enable accelerated networking for VM-Series Firewall Interfaces in Azure | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with Error "Failed to get Azure Access Token" |
Github Template for deploying VM-Series Firewall in an existing Resource Group for HA configuration in Azure | VM-Series Firewall NIC status in Azure is "Failed" after HA failover |
How to configure Active/Passive High Availability for VM-Series Firewalls in Azure | Missing IKE ID settings results in Phase-1 negotiation failure of tunnel terminating on VM-Series Firewall in Azure |
Ports required to be allowed in Network Security Groups in Azure for HA links communication | IKE Phase 1 negotiation failure due to timeout on VM-Series Firewall in Azure |
Github template for deploying VM-Series Firewall in an Availability Set | VM-Series Firewall in Azure boots up in Maintenance mode upon new deployment due to length of password |
Github Templates to setup Azure Auto-Scaling setup in Azure for VM-Series Firewall | Health Probe Fails from Azure Load Balancer to VM-Series Firewalls |
Setup/Configure Auto-Scaling of VM-Series Firewalls in Azure | What attributes are monitored through VIS or Panorama for Azure |
Enable Application Insights on VM-Series Firewall in Azure | Unable to reach specific destination/subnet through VM-Series Firewall within Azure |
Comparison of performance for Azure VM-Series firewalls for different VM capacity license | Unidirectional Traffic seen on VM-Series Firewall in Azure |
Panorama Azure Plugin for monitoring | Integration of VM-Series Firewall with Azure Security Center is not working |
Deploy the VM-Series Firewall and Azure Application Gateway Template | Enabling Serial Console to access VM-Series Firewall in Azure stuck in Maintenance mode |
Permissions required by the Service Principal in Azure for HA, Application Insights and Auto Scaling | Latency/Packet Drop on VM-Series Firewall with global counters 'pkt_tp_status_def' and 'pkt_sent_dev_err' |
Deploy a Panorama from Azure Marketplace | How to downgrade PAN-OS in Azure Or can not login after downgrade |
| Azure disk backup not supported |
Case Studies for VM-Series on Azure |
Back to Top |
VM-SERIES for VMware |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Set Up the VM-Series Firewall on VMware NSX-V | Troubleshooting VMware NSX/ESXi Deployment |
Set Up the VM-Series Firewall on VMware NSX-T (North-South) | Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama |
Set Up the VM-Series Firewall on NSX-T (East-West) | Network Adapter Issues When Moving Panorama VM Between VMware ESXi Hosts |
Set Up a VM-Series Firewall on an ESXi Server | Missing Registered-IP under the Dynamic Address Group on NSX PA-VM |
How to add a New Host to Your NSX-V Deployment | Failed to Create Dynamic Address Group in Panorama VMware NSX Setup |
How to Migrate NSX-V Operations-Centric Configuration to Security-Centric Configuration | VM-Series Firewall or Panorama Crashed from Multiple Sources of System Clock |
Extend Security Policy from NSX-V to NSX-T | Troubleshoot why Traffic is not hitting VM-Series Firewall in NSX |
Use vMotion to Move the VM-Series Firewall Between Hosts in NSX-T | Panorama VM inaccessible via GUI or SSH |
VM-Series on ESXi System Limitations | How to Configure Interfaces for VM-Series to Work in L3 without Promiscuous Mode |
Upgrade the PAN-OS Software Version - VM-Series for NSX-V | Security Groups not populated in NSX-V |
Bootstrap the VM-Series Firewall on ESXi | NSX-V: Service Deployment Failure |
MAC addresses on HA Active/Passive Pair in VM-Series Interfaces | NSX-V: Unable to populate the registered-ip under DAG |
Add Additional Disk Space to the VM-Series Firewall | NSX-V: Steering rules are not generated on Panorama |
Configure the Panorama Plugin for VMware vCenter | Security Groups are not created in NSX-V with Security Centric deployment |
Is it possible to take Quiesced Snapshot on a Panorama VM Instance? | NSX-V: Traffic not hitting VM-Series Firewall |
Upgrading Panorama VM System disk | Other common issues for NSX-V, NSX-T, ESXi |
VNF tuning guidance for VM-Series deployments in ESXI | |
Support for VMware tools on PA-VM platforms and Panorama VM |
Back to Top |
VM-SERIES ON GCP |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Set Up the VM-Series Firewall on Google Cloud Platform | GCP VM Information Source fails with error 'GCE-ERROR: gce-unauthorised : Insufficient Permission' |
Bootstrap the VM-Series Firewall on Google Cloud Platform | Bootstrapping failing with validation error 'public-key is invalid' |
VM Monitoring with the Google Cloud Platform Plugin | VM serial number issue after upgrading from 8.1 to 9.0.x |
Enable VM Monitoring to Track VM Changes on GCP | VM-Info Sources GCP dynamic groups not populating correctly |
Can we add additional network interfaces in GCP? | Health Checks to Palo Alto VM Instance is Failing |
How to achieve HA with VM-series in GCP | Interface eth0 MTU change is not persistent in GCP |
Define service route using dataplane interface with DHCP | Other Common issues for VM-series on GCP |
API access needed by PA-VM's deployed in GCP to operate properly | |
Permissions for Google Cloud Registry (GCR) |
VM-Series on GCP Deployment Resources |
Install Panorama on GCP |
Back to Top |
VM-SERIES ON KVM |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Set Up the VM-Series Firewall on KVM | PA-VM deployed on KVM keeps rebooting and ends up in maintenance mode |
Set Up the VM-Series Firewall on OpenStack | High Host CPU usage observed for VM-Series on KVM |
Supported Deployments on KVM | |
CLI Configuration: Setting up a VM-Series Gateway on a CentOS 6 |
Bootstrap the VM-Series Firewall on KVM with an ISO |
Bootstrap the VM-Series Firewall on KVM in OpenStack |
Performance Tuning of the VM-Series for KVM |
Enable SR-IOV on KVM |
Enable VLAN Access Mode with SR-IOV |
Back to Top |
VM-SERIES ON OCI |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Set up the VM-Series Firewall on Oracle Cloud Infrastructure | VM-Series Firewall in OCI intermittently stops processing traffic |
Configure Active/Passive HA on OCI | Throughput issues when traversing through Firewall in OCI |
Deploy the VM-Series Firewall on OCI Using the Terraform Template | Firewall is not accessible after deployment in OCI |
Upload the VM-Series Image to OCI | IPsec passthrough traffic routed through PA-VM via OCI (DRG) does not traverse as expected |
| Unable to create console access to the firewall in OCI |
PA-VM deployed in OCI is unable to reach out to the Internet |
OCI: Health status of PA-VM deployed behind the public load balancer shows “Unknown/Critical” |
IPsec phase-2 with OCI stays down |
Back to Top |
VM-SERIES ON ALIBABA |
---|
CONFIGURATION | TROUBLESHOOTING |
---|
Deploy the VM-series Firewall on Alibaba Cloud | Palo Alto Networks | IPsec tunnel between on-prem PA Firewall and Alibaba Cloud does not come up due to phase-1 negotiation failure |
Prepare to Deploy the VM-Series Firewall on Alibaba Cloud | Unable to assign static IP to dataplane interfaces in Alibaba Cloud |
Deploy the VM-Series Firewall on Alibaba Cloud | Alibaba Cloud: Upon attaching ENI, the interface on firewall remains down |
Configure Load Balancing on Alibaba Cloud | Hosts behind the firewall in Alibaba Cloud are unable to reach the Internet |
| Alibaba Cloud: Health status of PA-VM deployed behind the public load balancer shows “Abnormal” |
Back to Top |
Supportability & Compatibility Matrix | Reference Architectures |
---|
VM-Series System Requirements | Reference architecture for AWS - Deployment Resources |
License Types - VM-Series Firewalls | Reference architecture for Azure - Deployment Resources |
VM-Series Models | Reference architecture for GCP - Deployment Resources |
VM-Series Product comparison | Reference architectures for Cisco ACI - Deployment Resources |
Hypervisor Compatibility | Reference architectures for NSX-T - Deployment Resources |
SR-IOV and DPDK Drivers on VM-Series Firewalls | Reference architectures for ESXi - Deployment Resources |
Partner Interoperability for VM-Series Firewalls | |
Panorama Compatibility |
Setup Prerequisites for the Panorama Virtual Appliance |
Plugin Compatibility |
VM-Series Performance and Capacity on Public Clouds |
Throughput across IPsec tunnel is limited to 600 Mbps |
VM-Series in High Availability |
VM-Series Deployments Supported |
Custom PAN-OS Metrics Published for Monitoring |
Palo Alto Networks Certified Integrations |