Palo Alto Networks VM Firewalls
Cloning
When cloning a lab VM firewall to use on another machine, edit the VMware VMX config file to use uuid.action = "keep". When you boot the VM, click “I moved it”.
Legacy - Activate VM
Request the license for the VM. In my case, I got an evaluation licence that includes Threat Prevention, URL Filtering (PAN-DB) and WildFire. I was sent an Authorisation Code that is in the following format V1234567.
I've noticed that, for renewing evaluation VMs, it can be cleaner to create a brand new VM, license it and then migrate the configuration from the old VM to the new one.
- Log into the support portal.
- Go to Assets→VM-Series Auth-Codes and add VM-Series Auth-Code.
- If you have a Panorama auth code and serial number, go to Assets→Devices and register the serial number as a new device and then apply the auth code to it.
- Log into the Palo Alto Networks support portal.
- Click Software Updates in the row of tabs.
- You should now see a list of downloads. The size of the list depends on the access your account has.
- Search for PA-VM-ESX-10.1.3
- Click the appropriate link and download the OVA file.
- In VMware, deploy the OVA as a new machine.
- Boot the VM and configure the management interface with an IP, default gateway and DNS.
- Go to Device→Licenses and click Activate support using authorisation code and use the VM auth code you were given. The VM will reboot. On the support portal under Assets→Devices, the VM serial number will appear. Under Assets→VM-Series Auth-Codes, the VM auth code will now show you are using 1/X (where X is the number of VMs you are licensed for).
- For the Panorama VM, you will need to add the serial number under Panorama→Setup→General→Management. Then go to Panorama→Licenses and click Activate support using authorisation code and use the VM auth code you were given.
Apply API Key
Retrieve the license deactivation API key from the Customer Support Portal.
- Log in to the Customer Support Portal.
- Under Assets > API Key Management, select Licensing API.
- Copy the API key (each customer has one API key that covers all their firewalls).
- SSH to the CLI of a Palo VM and run the following command
request license api-key set key <key>
Deactivate Licence
To deactivate a licence from the GUI you need to enable 'verify update server' and install an API key.
The Verify Update Server Identity option under Device > Setup > Services is enabled by default. Before deactivating a VM-Series firewall, verify that this option is enabled.
You can deactivate using the “Deactivate VM” link under Device > Licences.
Upgrade VM Capacity
In my case, I had a VM-50 that I wanted to make a VM-100. We purchased a VM-100 licence and got that set in the support portal. Once the VM Auth code section showed the VM auth code as a VM-100 instead of VM-50, we could still see the deployed VM as a VM-50.
We then logged in, set the API key (see above) and then clicked Device→Licence→Upgrade VM Capacity. The firewall restarted and was then a VM-100.
Trial VM
A trial VM will not produce traffic/threat logs but it will pass traffic (with a limited number of concurrent sessions ~1K). If you activate a trial Auth code, when the trial period is up, the GlobalProtect client and Software sections of the GUI will go blank and say “Operation Failed: An active license is required for this feature”. You can still download App updates and manually upload and install PAN-OS though.
