| VM LICENSING |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Register the VM-Series Firewall for PAYG or BYOL license type | Troubleshoot License Activation Issues |
| Activate the License for the VM-Series Firewall (Standalone Version) | License Error: "Failed to Install Licenses. Unexpected Error Occurred." |
| Activate the License for the VM-Series Firewall for VMware NSX | VM-Series HA Error on Web UI: "VM License mismatches with peer" |
| Switch Between the BYOL and the PAYG Licenses | No Logging in Unlicensed VM-Series Firewall |
| How to switch between ELA to BYOL license type or vice-versa | Unable to Activate Support on Panorama |
| Manage VM-Series ELA License Tokens | Failed to install License Key during PA-VM bootstrap |
| Renew VM-Series Firewall License Bundles | Application and Threat version downloads and installs, but never actually updates |
| Deactivate the License(s) | VM firewall loses session capacity after reboot |
| Upgrade the VM-Series Model | Stop or Deallocate Marketplace Pay-As-You-Go VM |
| How to Activate Trial Licenses | DotW: Deactivating and Showing Licenses (CLI Commands) |
| VM-Series for AWS and Azure Licensing Considerations | “authcodes” file not found during bootstrap |
| Migration from Evaluation license to Production license | Getting Invalid API Key for Dynamic Updates and Software Updates |
| | If a Panorama VM fails to boot up due to an error that requires to perform factory default, how to retrieve the license using the same serial number? |
| PA-VM deleted without deactivating license |
| What Happens When Licenses Expire on the Palo Alto Networks Firewall? |
| Unable to license VM-50 instance |
| Device management capacity reached after upgrading Panorama to 8.1 |
| “Invalid Auth Code” prompted when registering new PA-VM |
| Error "Failed to install licenses. Model incompatible: feature model is PRA while the device model is PRA" |
| Case Studies for VM-Series License |
| Back to Top |
| VM-SERIES ON AWS |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Deploy a VM-Series Firewall from AWS Marketplace | AWS ALB health check fails for VM-Series Firewall |
| Switch Management Interface with Dataplane interface for use with AWS ELB | Dataplane Interface on VM-Series Firewall not getting DHCP IP address |
| Setup and Configure AWS and VM Firewall to secure EC2 instances in AWS cloud | Traffic is not received on VM-Series firewall deployed in AWS |
| Configure Active/Passive HA on AWS for VM-Series Firewalls | Bootstrapping failing for PA-VM deployment in AWS |
| Mandatory IAM Permissions for HA on AWS | VM-Series Firewall fails to fetch license during bootstrap in AWS |
| Port Numbers to be allowed for HA links functionality in AWS Security Groups | VM-Series Firewall does not get configuration from "init-cfg.txt" during bootstrap in AWS |
| IAM Permissions Required for AWS VPC Monitoring to fetch Dynamic Address Groups | No Internet Connectivity on newly Active VM Firewall causes ENIs to not move from old Active VM Firewall after failover in AWS |
| Configure VM Information Source on Firewall to fetch EC2 instance IP addresses for Dynamic Address Group and use in policy | Missing IAM role on VM Firewall Instance resulting in AWS HA failure |
| Bootstrap the VM firewall in AWS | Failure to resolve DNS on newly Active VM Firewall causes ENIs to not move from Old Active VM Firewall after failover in AWS |
| How to modify instance type of an existing VM-Series Firewall | Missing IKE ID settings results in Phase-1 negotiation failure of tunnel terminating on VM-Series Firewall in AWS |
| How to Configure Secondary IP addresses on VM-Series Firewall NICs | IKE Phase 1 negotiation failure due to timeout on VM-Series Firewall in AWS |
| Setup Cloud Watch Monitoring for VM-Series Firewalls in AWS | Interfaces Used for Accessing External Services on VM-Series Firewalls |
| Setup Auto Scaling in AWS for VM-Series Firewalls (Version 2.0) | Supported Attributes monitored by Palo Alto Firewall /Panorama for AWS VPC under VM Information Sources and AWS plugin monitoring |
| Setup Auto Scaling in AWS for VM-Series Firewalls (Version 2.1) | How to get AMI ID for VM-Series Firewall on AWS |
| Enable DPDK on AWS VM-Series Firewalls for performance tuning | Metrics Published to AWS Cloudwatch for monitoring VM-Series Firewall deployed in AWS |
| Enable Jumbo Frames on VM-Series Firewalls | How to Upgrade plugin on AWS VM-Series Firewalls |
| How to attach a Secondary Logging disk on VM-Series Firewalls in AWS | Troubleshooting AWS Auto Scaling setup/configuration Failures |
| Github Repository for deploying Auto Scaling setup for VM-Series Firewalls | Unable to reach specific destination/subnet through VM-Series Firewall within AWS |
| Github Repository for deploying AWS Transit VPC setup with VM-Series Firewall | Unidirectional traffic seen on the VM-Series Firewall in AWS |
| Comparison of performance for AWS VM-Series firewalls for different VM capacity license | Dynamic Address Group (DAG) learnt from AWS VPC are not populated with IP’s on VM-Series Firewall |
| AWS Instance Type vs Capacity License mapping for VM-Series Firewalls | Case Studies for VM-Series on AWS |
| Set Up the AWS Plugin for VM Monitoring on Panorama | |
| Deploy a Panorama from AWS Marketplace |
| Back to Top |
| VM-SERIES ON AZURE |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Minimum System Requirements for VM-Series Firewall in Azure | VM-Series Firewall fails to fetch license during bootstrap in Azure |
| Azure Instance Size vs Capacity License mapping for VM-Series Firewalls | VM-Series Firewall fails to bootstrap in Azure due to DNS issues |
| Deploy VM-Series Firewall from Azure Marketplace | VM-Series Firewall fails to bootstrap in Azure due to no Internet Access |
| Bootstrap VM-Series Firewall in Azure | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with HTTP Error Code: 403 (Forbidden) |
| Deploy VM-Series Firewall using Azure CLI | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover due to DNS resolution issues |
| How to rebuild VM-Series Firewall in Azure | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with HTTP Error Code : 404 (Not Found) |
| Deploy VM-Series Firewall in Azure stack | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with Error " Put Request Failed: 429" |
| How to enable accelerated networking for VM-Series Firewall Interfaces in Azure | Secondary IP(s) fails to move to new Active VM-Series Firewall upon HA failover with Error "Failed to get Azure Access Token" |
| Github Template for deploying VM-Series Firewall in an existing Resource Group for HA configuration in Azure | VM-Series Firewall NIC status in Azure is "Failed" after HA failover |
| How to configure Active/Passive High Availability for VM-Series Firewalls in Azure | Missing IKE ID settings results in Phase-1 negotiation failure of tunnel terminating on VM-Series Firewall in Azure |
| Ports required to be allowed in Network Security Groups in Azure for HA links communication | IKE Phase 1 negotiation failure due to timeout on VM-Series Firewall in Azure |
| Github template for deploying VM-Series Firewall in an Availability Set | VM-Series Firewall in Azure boots up in Maintenance mode upon new deployment due to length of password |
| Github Templates to setup Azure Auto-Scaling setup in Azure for VM-Series Firewall | Health Probe Fails from Azure Load Balancer to VM-Series Firewalls |
| Setup/Configure Auto-Scaling of VM-Series Firewalls in Azure | What attributes are monitored through VIS or Panorama for Azure |
| Enable Application Insights on VM-Series Firewall in Azure | Unable to reach specific destination/subnet through VM-Series Firewall within Azure |
| Comparison of performance for Azure VM-Series firewalls for different VM capacity license | Unidirectional Traffic seen on VM-Series Firewall in Azure |
| Panorama Azure Plugin for monitoring | Integration of VM-Series Firewall with Azure Security Center is not working |
| Deploy the VM-Series Firewall and Azure Application Gateway Template | Enabling Serial Console to access VM-Series Firewall in Azure stuck in Maintenance mode |
| Permissions required by the Service Principal in Azure for HA, Application Insights and Auto Scaling | Latency/Packet Drop on VM-Series Firewall with global counters 'pkt_tp_status_def' and 'pkt_sent_dev_err' |
| Deploy a Panorama from Azure Marketplace | How to downgrade PAN-OS in Azure Or can not login after downgrade |
| | Azure disk backup not supported |
| Case Studies for VM-Series on Azure |
| Back to Top |
| VM-SERIES for VMware |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Set Up the VM-Series Firewall on VMware NSX-V | Troubleshooting VMware NSX/ESXi Deployment |
| Set Up the VM-Series Firewall on VMware NSX-T (North-South) | Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama |
| Set Up the VM-Series Firewall on NSX-T (East-West) | Network Adapter Issues When Moving Panorama VM Between VMware ESXi Hosts |
| Set Up a VM-Series Firewall on an ESXi Server | Missing Registered-IP under the Dynamic Address Group on NSX PA-VM |
| How to add a New Host to Your NSX-V Deployment | Failed to Create Dynamic Address Group in Panorama VMware NSX Setup |
| How to Migrate NSX-V Operations-Centric Configuration to Security-Centric Configuration | VM-Series Firewall or Panorama Crashed from Multiple Sources of System Clock |
| Extend Security Policy from NSX-V to NSX-T | Troubleshoot why Traffic is not hitting VM-Series Firewall in NSX |
| Use vMotion to Move the VM-Series Firewall Between Hosts in NSX-T | Panorama VM inaccessible via GUI or SSH |
| VM-Series on ESXi System Limitations | How to Configure Interfaces for VM-Series to Work in L3 without Promiscuous Mode |
| Upgrade the PAN-OS Software Version - VM-Series for NSX-V | Security Groups not populated in NSX-V |
| Bootstrap the VM-Series Firewall on ESXi | NSX-V: Service Deployment Failure |
| MAC addresses on HA Active/Passive Pair in VM-Series Interfaces | NSX-V: Unable to populate the registered-ip under DAG |
| Add Additional Disk Space to the VM-Series Firewall | NSX-V: Steering rules are not generated on Panorama |
| Configure the Panorama Plugin for VMware vCenter | Security Groups are not created in NSX-V with Security Centric deployment |
| Is it possible to take Quiesced Snapshot on a Panorama VM Instance? | NSX-V: Traffic not hitting VM-Series Firewall |
| Upgrading Panorama VM System disk | Other common issues for NSX-V, NSX-T, ESXi |
| VNF tuning guidance for VM-Series deployments in ESXI | |
| Support for VMware tools on PA-VM platforms and Panorama VM |
| Back to Top |
| VM-SERIES ON GCP |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Set Up the VM-Series Firewall on Google Cloud Platform | GCP VM Information Source fails with error 'GCE-ERROR: gce-unauthorised : Insufficient Permission' |
| Bootstrap the VM-Series Firewall on Google Cloud Platform | Bootstrapping failing with validation error 'public-key is invalid' |
| VM Monitoring with the Google Cloud Platform Plugin | VM serial number issue after upgrading from 8.1 to 9.0.x |
| Enable VM Monitoring to Track VM Changes on GCP | VM-Info Sources GCP dynamic groups not populating correctly |
| Can we add additional network interfaces in GCP? | Health Checks to Palo Alto VM Instance is Failing |
| How to achieve HA with VM-series in GCP | Interface eth0 MTU change is not persistent in GCP |
| Define service route using dataplane interface with DHCP | Other Common issues for VM-series on GCP |
| API access needed by PA-VM's deployed in GCP to operate properly | |
| Permissions for Google Cloud Registry (GCR) |
| VM-Series on GCP Deployment Resources |
| Install Panorama on GCP |
| Back to Top |
| VM-SERIES ON KVM |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Set Up the VM-Series Firewall on KVM | PA-VM deployed on KVM keeps rebooting and ends up in maintenance mode |
| Set Up the VM-Series Firewall on OpenStack | High Host CPU usage observed for VM-Series on KVM |
| Supported Deployments on KVM | |
| CLI Configuration: Setting up a VM-Series Gateway on a CentOS 6 |
| Bootstrap the VM-Series Firewall on KVM with an ISO |
| Bootstrap the VM-Series Firewall on KVM in OpenStack |
| Performance Tuning of the VM-Series for KVM |
| Enable SR-IOV on KVM |
| Enable VLAN Access Mode with SR-IOV |
| Back to Top |
| VM-SERIES ON OCI |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Set up the VM-Series Firewall on Oracle Cloud Infrastructure | VM-Series Firewall in OCI intermittently stops processing traffic |
| Configure Active/Passive HA on OCI | Throughput issues when traversing through Firewall in OCI |
| Deploy the VM-Series Firewall on OCI Using the Terraform Template | Firewall is not accessible after deployment in OCI |
| Upload the VM-Series Image to OCI | IPsec passthrough traffic routed through PA-VM via OCI (DRG) does not traverse as expected |
| | Unable to create console access to the firewall in OCI |
| PA-VM deployed in OCI is unable to reach out to the Internet |
| OCI: Health status of PA-VM deployed behind the public load balancer shows “Unknown/Critical” |
| IPsec phase-2 with OCI stays down |
| Back to Top |
| VM-SERIES ON ALIBABA |
|---|
| CONFIGURATION | TROUBLESHOOTING |
|---|
| Deploy the VM-series Firewall on Alibaba Cloud | Palo Alto Networks | IPsec tunnel between on-prem PA Firewall and Alibaba Cloud does not come up due to phase-1 negotiation failure |
| Prepare to Deploy the VM-Series Firewall on Alibaba Cloud | Unable to assign static IP to dataplane interfaces in Alibaba Cloud |
| Deploy the VM-Series Firewall on Alibaba Cloud | Alibaba Cloud: Upon attaching ENI, the interface on firewall remains down |
| Configure Load Balancing on Alibaba Cloud | Hosts behind the firewall in Alibaba Cloud are unable to reach the Internet |
| | Alibaba Cloud: Health status of PA-VM deployed behind the public load balancer shows “Abnormal” |
| Back to Top |
| Supportability & Compatibility Matrix | Reference Architectures |
|---|
| VM-Series System Requirements | Reference architecture for AWS - Deployment Resources |
| License Types - VM-Series Firewalls | Reference architecture for Azure - Deployment Resources |
| VM-Series Models | Reference architecture for GCP - Deployment Resources |
| VM-Series Product comparison | Reference architectures for Cisco ACI - Deployment Resources |
| Hypervisor Compatibility | Reference architectures for NSX-T - Deployment Resources |
| SR-IOV and DPDK Drivers on VM-Series Firewalls | Reference architectures for ESXi - Deployment Resources |
| Partner Interoperability for VM-Series Firewalls | |
| Panorama Compatibility |
| Setup Prerequisites for the Panorama Virtual Appliance |
| Plugin Compatibility |
| VM-Series Performance and Capacity on Public Clouds |
| Throughput across IPsec tunnel is limited to 600 Mbps |
| VM-Series in High Availability |
| VM-Series Deployments Supported |
| Custom PAN-OS Metrics Published for Monitoring |
| Palo Alto Networks Certified Integrations |