Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:vmseries:vm_licensing [2021/11/18 12:16] – bstafford
+++ paloaltonetworks:vmseries:vm_licensing [2021/11/18 12:26] (current) – removed bstafford
@@ Line 1: / Line 1: @@
-====== Palo Alto Networks VM Firewalls ======
-===== Cloning =====
-When cloning a lab VM firewall to use on another machine, edit the VMware VMX config file to use ''uuid.action = "keep"''. When you boot the VM, click "I moved it".
-===== VM Flex Licencing =====
-[[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/migrate-to-a-flexible-vm-series-license.html|Useful Page on VM-FLEX migration]].
-You can migrate a VM-100 firewall to VM-FLEX licencing while still keeping it a VM-100.
-I had a VM-100 on PAN-OS 9.1.11. I found I had to de-register the VM, reboot it, apply the FLEX VM-100 auth code, reboot and that was it. I could then add/remove subscriptions, etc. I noticed that after upgrading to 10.1.3 there were issues with refreshing the licences but I don't know if that was due to some other lab stuff (I increased the CPU count to 4 when it was only licenced for 2). I'll need to recheck.
-When you "Upgrade capacity", to change a VM-100 to a VM-FLEX-2, the firewall rebooted and was automatically moved from one FLEX profile (VM-100) to the other (FLEX) in the support portal.
-The VM Capacity Tier is based on RAM. From PAN-OS 10.0.4, CPU will control throughput while RAM controls limits like sessions, addres objects, etc. [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/maximum-limits-based-on-memory.html|See here]].
-  * 4.5 GB (VM-50-lite ish)
-  * 5.5 GB (VM-50 ish)
-  * 6.5 GB (VM-100 ish)
-  * 9 GB (VM-300 ish)
-  * 16 GB (VM-500 ish)
-  * 56 GB (VM-700 ish)
-===== VM System Requirements =====
- [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/vm-series-models/vm-series-system-requirements.html|System requirements are here]].
-===== VM Core Assignment =====
-Assign cores [[https://docs-new.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/customize-data-plane-cores.html|here]].
-<code>show plugins vm_series dp-cores</code>
-<code>request plugins vm_series dp-cores 14</code>
-===== Legacy - Activate VM =====
-Request the license for the VM. In my case, I got an evaluation licence that includes Threat Prevention, URL Filtering (PAN-DB) and WildFire. I was sent an Authorisation Code that is in the following format ''V1234567''.
-I've noticed that, for renewing evaluation VMs, it can be cleaner to create a band new VM, license it and then migration the configuration from the old VM to the new one.
-  - Log into the [[https://support.paloaltonetworks.com|support portal]].
-  - Go to ''Assets->VM-Series Auth-Codes'' and add VM-Series Auth-Code.
-  - If you have a Panorama auth code and serial number, go to ''Assets->Devices'' and register the serial number as a new sevice and then apply the auth code to it
-  - Log into the [[https://support.paloaltonetworks.com|Palo Alto Networks support portal]].
-  - Click the ''Software Updates'' in the row of tabs.
-  - You should now see a list of downloads. The size of the list depends on the access your account has.
-  - Search for ''PA-VM-ESX-10.1.3''
-  - Click the appropriate link and download the OVA file.
-  - In VMware, deploy the OVA as a new machine.
-  - Boot the VM and configure the management interface with an IP, default gateway and DNS.
-  - Go to ''Device->Licenses'' and click ''Activate support using authorisation code'' and use the VM auth code you were given. The VM will reboot. On the support portal under ''Assets->Devices'', the VM serial number will appear. Under ''Assets->VM-Series Auth-Codes'', the VM auth code will now show you are using 1/X (where X is the numeber of VMs you are licences for).
-  - For the Panorama VM, you will need to add the serial number under '' Panorama->Setup->General->Management''. Then go to ''Panorama->Licenses'' and click ''Activate support using authorisation code'' and use the VM auth code you were given.
-===== Apply API Key =====
-Retrieve the license deactivation API key from the Customer Support Portal.
-  - Log in to the Customer Support Portal.
-  - Uner Assets > API Key Management, select Licensing API.
-  - Copy the API key (each customer has one API key that covers all their firewalls).
-  - SSH to the CLI of a Palo VM and run the following command <code>request license api-key set key <key></code>
-===== Deactivate Licence =====
-To [[
-https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/license-the-vm-series-firewall/deactivate-the-licenses.html|deactivate a licence]] from the GUI you need to enable 'verify update server' and install an API key.
-The Verify Update Server Identity option under Device > Setup > Services is enabled by default. Before deactivating an VM-Series firewall, verify that this option is enabled.
-You can deactivate using the "Deactivate VM" link under Device > Licences.
-===== Upgrade VM Capacity =====
-In my case, I had VM-50 that I wanted to make VM-100. We purchased VM-100 licence and got that set in the support portal. Once the VM Auth code section showed the VM auth code as a VM-100 instead of VM-50, we could still see the deployed VM as a VM-50.
-We then logged in, set the API key (see above) and the clicked Device->Licence->Upgrade VM Capacity. The firewall restarted and was then a VM-100.
-===== Trial VM =====
-A trial VM will not produce traffic/threat logs but it will pass traffic (with a limited number of concurrent sessions ~1K). If you activate a trail Auth code, when the trial period is up, GlobalProtect client and Software sections of the GUI will go blank and say "Operation Failed: An active license is required for this feature". You can still download App updates and manually upload and install PAN-OS though.