====== Palo Alto Networks VM Firewalls ======

===== Cloning =====

When cloning a lab VM firewall to use on another machine, edit the VMware VMX config file to use ''uuid.action = "keep"''. When you boot the VM, click "I moved it".

===== VM Credit SKU =====

  * PAN-SOFTWARE-NGFW-CR
  * PAN-SOFTWARE-NGFW-LAB
  * PAN-SOFTWARE-NGFW-NFR

===== VM Flex Licensing =====

Data gathered Nov 2021. [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/migrate-to-a-flexible-vm-series-license.html|Useful Page on VM-FLEX migration]].

You can migrate a VM-100 firewall to VM-FLEX licensing while still keeping it a VM-100.

I had a VM-100 on PAN-OS 9.1.11. I found I had to de-register the VM, reboot it, apply the FLEX VM-100 auth code, reboot, and that was it. I could then add/remove subscriptions, etc. I noticed that after upgrading to 10.1.3 there were issues with refreshing the licences, but I don't know if that was due to some other lab stuff (I increased the CPU count to 4 when it was only licensed for 2). I'll need to recheck.

When you "Upgrade capacity" to change a VM-100 to a VM-FLEX-2, the firewall rebooted and was automatically moved from one FLEX profile (VM-100) to the other (FLEX) in the support portal.

I also had a PAN-OS 10.1.3 VM that I licensed directly as VM-100.

The VM Capacity Tier is based on RAM. From PAN-OS 10.0.4, CPU controls throughput while RAM controls limits like sessions, address objects, etc. [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/maximum-limits-based-on-memory.html|See here]].

  * 4.5 GB (VM-50-lite ish)
  * 5.5 GB (VM-50 ish)
  * 6.5 GB (VM-100 ish)
  * 9 GB (VM-300 ish)
  * 16 GB (VM-500 ish)
  * 56 GB (VM-700 ish)

For the old model of VM licensing (e.g. VM-100), if you assign more vCPUs than those officially supported by the license, any additional vCPUs are assigned to the management plane.
^ Licence ^ Total vCPUs ^ Mgmt vCPU ^ Data vCPU ^
| VM-50 and VM-100 | 2 | 1 | 1 |
| VM-300 | 4 | 2 | 2 |
| VM-500 | 8 | 2 | 6 |
| VM-700 | 16 | 14 | 12 |

For operation, the VM-50 firewall requires a minimum of 32 GB of hard drive space. However, because the VM-Series base image is common to all models, you must allocate 60 GB of hard drive space until you license the VM-50.

To achieve the best performance, all of the needed cores should be available on a single CPU socket.

In 10.1.X, 9 GB might be insufficient for a VM-300 depending upon the feature set or combination of feature sets used on the firewall. If you experience memory resource related issues, increase memory to 11 GB to accommodate the additional memory requirements of some of the features or combination of features. Alternately, you can enable ZRAM on the VM-Series firewall to improve memory usage. The documentation for enabling ZRAM is [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/about-the-vm-series-firewall/enable-zram-on-the-vm-series-firewall.html|here]].

  - ''grep pattern "KiB Mem :" mp-log mp-monitor.log''
  - Convert the total memory reported above from KB to MB. For example: ''9202656 / 1024 = 8987 MB''
  - ''debug software kernelcfg zram-swap enable''
  - ''debug software kernelcfg zram-swap modify host-mem-threshold <total memory in MB from step 2>''
  - Reboot
  - Verify with ''debug software kernelcfg zram-swap show config''

===== VM System Requirements =====

[[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/vm-series-models/vm-series-system-requirements.html|System requirements are here]].

For VM-FLEX firewalls, the amount of RAM you give the VM determines the "Memory Profile". Depending on what memory profile you have, [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw.html|the firewall will assign]] the available CPUs in different ways between MGMT and Dataplane.
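As an added example (not code from this page's author or from Palo Alto Networks), the Python below does the arithmetic behind the ZRAM procedure and the RAM-to-capacity-tier list above in one place: it pulls the total memory out of ''KiB Mem :'' lines in the ''top'' format that mp-monitor.log snapshots use, refuses to guess if successive snapshots disagree (a resize or reboot in the log window), converts the figure to the MB value for ''host-mem-threshold'' (9202656 KiB gives 8987, matching the page's own calculation), and reports which tier a given RAM allocation lands in together with the 9 GB / 11 GB VM-300 caveat. The log excerpt is constructed, and the exact layout of mp-monitor.log, the function names and the "headroom" check are assumptions.

```python
"""Added example (not Palo Alto Networks code): ZRAM threshold and memory tier
arithmetic for a VM-Series firewall, driven by mp-monitor.log style output."""
import re
from typing import Optional

# Constructed sample of mp-monitor.log content (layout assumed, values invented).
SAMPLE_MP_MONITOR_LOG = """\
top - 10:01:02 up 3 days,  2:15,  0 users,  load average: 0.45, 0.40, 0.38
Tasks: 250 total,   1 running, 249 sleeping,   0 stopped,   0 zombie
KiB Mem :  9202656 total,   412344 free,  6120320 used,  2669992 buff/cache
KiB Swap:        0 total,        0 free,        0 used.  2234560 avail Mem
top - 10:02:02 up 3 days,  2:16,  0 users,  load average: 0.50, 0.41, 0.38
KiB Mem :  9202656 total,   398120 free,  6134544 used,  2669992 buff/cache
"""

# Same text the page greps for; capture the 'total' figure in KiB.
KIB_MEM_RE = re.compile(r"^KiB Mem\s*:\s*(\d+)\s+total", re.MULTILINE)

# RAM breakpoints from this page (GB allocated -> roughly equivalent legacy model).
MEMORY_TIERS = [
    (4.5, "VM-50-lite"),
    (5.5, "VM-50"),
    (6.5, "VM-100"),
    (9.0, "VM-300"),
    (16.0, "VM-500"),
    (56.0, "VM-700"),
]


def total_kib(log_text: str) -> int:
    """Total host memory in KiB from the 'KiB Mem :' lines.

    Every snapshot should report the same total; a mismatch means the log spans
    a resize or reboot, so refuse to guess which value is current."""
    totals = {int(m.group(1)) for m in KIB_MEM_RE.finditer(log_text)}
    if not totals:
        raise ValueError("no 'KiB Mem :' line found in log")
    if len(totals) > 1:
        raise ValueError(f"inconsistent memory totals in log: {sorted(totals)}")
    return totals.pop()


def zram_threshold_mb(kib: int) -> int:
    """KiB -> MB for host-mem-threshold, rounded as on the page (9202656 -> 8987)."""
    return round(kib / 1024)


def memory_tier(ram_gb: float) -> Optional[str]:
    """Highest tier whose RAM breakpoint the allocation meets; None below 4.5 GB."""
    tier = None
    for breakpoint_gb, model in MEMORY_TIERS:
        if ram_gb >= breakpoint_gb:
            tier = model
    return tier


def zram_plan(log_text: str, allocated_ram_gb: float) -> dict:
    """Summarise the value to feed the ZRAM commands and the tier the VM sits in.

    vm300_headroom_ok encodes the page's caveat that 9 GB may be too little for
    a VM-300 profile under some feature combinations (11 GB suggested)."""
    kib = total_kib(log_text)
    tier = memory_tier(allocated_ram_gb)
    return {
        "reported_kib": kib,
        "host_mem_threshold_mb": zram_threshold_mb(kib),
        "tier": tier,
        "vm300_headroom_ok": not (tier == "VM-300" and allocated_ram_gb < 11),
    }


if __name__ == "__main__":
    plan = zram_plan(SAMPLE_MP_MONITOR_LOG, allocated_ram_gb=9)
    for key, value in plan.items():
        print(f"{key}: {value}")
    # The CLI line you would then type on the firewall (value computed above).
    print("debug software kernelcfg zram-swap modify host-mem-threshold "
          f"{plan['host_mem_threshold_mb']}")
```

Paste the contents of the ''grep'' output into ''SAMPLE_MP_MONITOR_LOG'' (or read the file you copied off the firewall) and pass the RAM you actually gave the VM in VMware as ''allocated_ram_gb''; the reported KiB total will be a little below the allocation because the guest kernel reserves some memory, which is why the tier is taken from the allocation rather than from the log.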
  * [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-aws-performance-and-capacity.html|AWS VM Firewall Performance and Capacity]]
  * [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-azure-performance-and-capacity.html|Azure VM Firewall Performance and Capacity]]
  * [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-google-performance-and-capacity.html|GCP VM Firewall Performance and Capacity]]
  * [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-oracle-performance-and-capacity.html|Oracle VM Firewall Performance and Capacity]]
  * [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-aws-models-and-instances.html|AWS Underlying VM Instances]]
  * [[https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-azure-models-and-vms.html|Azure Underlying VM Instances]]

===== VM Core Assignment =====

The procedure for assigning data plane cores is [[https://docs-new.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/customize-data-plane-cores.html|here]].

<code>
show plugins vm_series dp-cores
request plugins vm_series dp-cores 14
</code>

===== Legacy - Activate VM =====

Request the license for the VM. In my case, I got an evaluation licence that includes Threat Prevention, URL Filtering (PAN-DB) and WildFire. I was sent an Authorisation Code in the following format: ''V1234567''.

I've noticed that, for renewing evaluation VMs, it can be cleaner to create a brand new VM, license it and then migrate the configuration from the old VM to the new one.

  - Log into the [[https://support.paloaltonetworks.com|support portal]].
  - Go to ''Assets->VM-Series Auth-Codes'' and add the VM-Series Auth-Code.
  - If you have a Panorama auth code and serial number, go to ''Assets->Devices'', register the serial number as a new device and then apply the auth code to it.

  - Log into the [[https://support.paloaltonetworks.com|Palo Alto Networks support portal]].
  - Click ''Software Updates'' in the row of tabs.
  - You should now see a list of downloads. The size of the list depends on the access your account has.
  - Search for ''PA-VM-ESX-10.1.3''.
  - Click the appropriate link and download the OVA file.
  - In VMware, deploy the OVA as a new machine.
  - Boot the VM and configure the management interface with an IP, default gateway and DNS.
  - Go to ''Device->Licenses'', click ''Activate support using authorisation code'' and use the VM auth code you were given. The VM will reboot. On the support portal under ''Assets->Devices'', the VM serial number will appear. Under ''Assets->VM-Series Auth-Codes'', the VM auth code will now show you are using 1/X (where X is the number of VMs you are licensed for).
  - For the Panorama VM, you will need to add the serial number under ''Panorama->Setup->General->Management''. Then go to ''Panorama->Licenses'', click ''Activate support using authorisation code'' and use the VM auth code you were given.

===== Apply API Key =====

Retrieve the license deactivation API key from the Customer Support Portal.

  - Log in to the Customer Support Portal.
  - Under ''Assets > API Key Management'', select ''Licensing API''.
  - Copy the API key (each customer has one API key that covers all their firewalls).
  - SSH to the CLI of a Palo VM and run the following command:

<code>
request license api-key set key <API key copied from the portal>
</code>

===== Deactivate Licence =====

To [[https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/license-the-vm-series-firewall/deactivate-the-licenses.html|deactivate a licence]] from the GUI you need to enable 'verify update server' and install an API key. The Verify Update Server Identity option under ''Device > Setup > Services'' is enabled by default. Before deactivating a VM-Series firewall, verify that this option is enabled. You can deactivate using the "Deactivate VM" link under ''Device > Licences''.

===== Upgrade VM Capacity =====

In my case, I had a VM-50 that I wanted to make a VM-100. We purchased a VM-100 licence and got that set in the support portal. Once the VM Auth code section showed the VM auth code as a VM-100 instead of VM-50, we could still see the deployed VM as a VM-50. We then logged in, set the API key (see above) and then clicked ''Device->Licence->Upgrade VM Capacity''. The firewall restarted and was then a VM-100.

===== Trial VM =====

A trial VM will not produce traffic/threat logs but it will pass traffic (with a limited number of concurrent sessions, ~1K).

If you activate a trial Auth code, when the trial period is up the GlobalProtect client and Software sections of the GUI will go blank and say "Operation Failed: An active license is required for this feature". You can still download App updates and manually upload and install PAN-OS though.

===== Credits =====

**Warning** Be aware that the subscription costs get cheaper when you buy more than three subscriptions. I can't (yet) figure out the formula.
^ vCPU ^ Model ^ Cost/CPU ^ CPU ^ Panorama ^ Log Collector ^ TP ^ WF ^ DNS ^ GP ^ SD-WAN ^ URL ^ Adv URL ^ DLP ^
| 2 | VM-50 | 4.025 | 8.05 | 0.81 | 0.81 | 1.4 | 1.4 | 1.4 | 1.4 | 1.4 | 1.4 | 2.1 | 2.8 |
| 2 | VM-100 | 4.025 | 8.05 | 0.81 | 0.81 | 1.4 | 1.4 | 1.4 | 1.4 | 1.4 | 1.4 | 2.1 | 2.8 |
| 4 | VM-300 | 4.025 | 16.1 | 1.61 | 1.61 | 2.8 | 2.8 | 2.8 | 2.8 | 2.8 | 2.8 | 4.2 | 5.6 |
| 8 | VM-500 | 5.4625 | 43.7 | 4.37 | 4.37 | 7.6 | 7.6 | 7.6 | 7.6 | 7.6 | 7.6 | 11.4 | 15.2 |
| 16 | VM-700 | 5.75 | 92 | 9.2 | 9.2 | 16 | 16 | 16 | 16 | 16 | 16 | 24 | 32 |

CPU credit cost only, by vCPU count:

^ vCPU ^ Cost/CPU ^ CPU ^
| 2 | 4.025 | 8.05 |
| 3 | 4.026666667 | 12.08 |
| 4 | 4.025 | 16.1 |
| 5 | 5.462 | 27.31 |
| 6 | 5.463333333 | 32.78 |
| 7 | 5.462857143 | 38.24 |
| 8 | 5.4625 | 43.7 |
| 9 | 5.75 | 51.75 |
| 10 | 5.75 | 57.5 |
| 11 | 5.75 | 63.25 |
| 12 | 5.75 | 69 |
| 13 | 5.75 | 74.75 |
| 14 | 5.75 | 80.5 |
| 15 | 5.75 | 86.25 |
| 16 | 5.75 | 92 |
| 17 | 5.75 | 97.75 |
| 18 | 5.75 | 103.5 |
| 19 | 5.75 | 109.25 |
| 20 | 5.75 | 115 |
| 21 | 5.75 | 120.75 |
| 22 | 5.75 | 126.5 |
| 23 | 5.75 | 132.25 |
| 24 | 5.75 | 138 |