Migrate to a Flexible VM-Series License
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
- Enable ZRAM on the VM-Series Firewall
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
- Install a License API Key
- Use Panorama-Based Software Firewall License Management
-
- Maximum Limits Based on Memory
- Activate Credits
- Create a Deployment Profile
- Manage a Deployment Profile
- Register the VM-Series Firewall (Software NGFW Credits)
- Provision Panorama
- Migrate Panorama to a FW-Flex License
- Transfer Credits
- Renew Your Software NGFW Credit License
- Deactivate License (Software NGFW Credits)
- Create and Apply a Subscription-Only Auth Code
- Migrate to a Flexible VM-Series License
- What Happens When Licenses Expire?
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
-
-
- VM-Series Firewall for NSX-V Deployment Checklist
- Install the VMware NSX Plugin
- Apply Security Policies to the VM-Series Firewall
- Steer Traffic from Guests that are not Running VMware Tools
- Dynamically Quarantine Infected Guests
- Migrate Operations-Centric Configuration to Security-Centric Configuration
- Add a New Host to Your NSX-V Deployment
- Use Case: Shared Compute Infrastructure and Shared Security Policies
- Use Case: Shared Security Policies on Dedicated Compute Infrastructure
- Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Create Dynamic Address Groups
- Create Dynamic Address Group Membership Criteria
- Generate Steering Policy
- Generate Steering Rules
- Delete a Service Definition from Panorama
- Migrate from VM-Series on NSX-T Operation to Security Centric Deployment
- Extend Security Policy from NSX-V to NSX-T
- Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T
- Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
-
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
-
- What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
- How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?
- Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)
- Customize the Firewall Template Before Launch (v2.0 and v2.1)
- Launch the VM-Series Auto Scaling Template for AWS (v2.0)
- SQS Messaging Between the Application Template and Firewall Template
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
- Modify Administrative Account and Update Stack (v2.0)
-
- Launch the Firewall Template (v2.1)
- Launch the Application Template (v2.1)
- Create a Custom Amazon Machine Image (v2.1)
- VM-Series Auto Scaling Template Cleanup (v2.1)
- SQS Messaging Between the Application Template and Firewall Template (v2.1)
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)
- Modify Administrative Account (v2.1)
- Change Scaling Parameters and CloudWatch Metrics (v2.1)
-
-
- Enable the Use of a SCSI Controller
- Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Create a Custom VM-Series Image for Azure
- Deploy the VM-Series Firewall on Azure Stack
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
End-of-Life (EoL)
Migrate to a Flexible VM-Series License
Migrate from a model-based license to flexible Software
Next Generation firewall credits.
You can migrate your VM-Series firewall perpetual
or ELA license to a flexible VM-Series firewall license (funded
using Software NGFW credits). You can switch the license on an individual
firewall or on multiple firewalls simultaneously from Panorama.
If
the license you want to switch is for a VM-Series firewall with
and ELA or perpetual license, you must choose Fixed Models and
use the same VM-Series model and number of vCPUs when you create the SW NGFW
deployment profile for the flexible license. For example,
if you are currently using a VM-100 with 2 vCPUs, when you create
the deployment profile, select Fixed Models, select VM-100,
and specify 2 vCPUs. As long as the capacity is the same, you can
add new services.
Complete one of the following procedures
to migrate your licenses.
- Firewall
can access the CSP—Migrate a license on a standalone firewallThis process does not disrupt traffic moving through the firewall.
- Log in to the VM-Series firewall web interface.
- Verify the Palo Alto Networks update server configuration.
- Select DeviceSetupServices.
- Confirm that Update Server is set to updates.paloaltonetworks.com.
- Confirm that Verify Update Server Identity is selected.
- Log in to the CSP and Create a Deployment Profile. If the license
you want to migrate is for a VM-Series firewall with an ELA or perpetual
license, you must choose Fixed Models and
use the same VM-Series model and number of vCPUs when you create the SW NGFW
deployment profile for the flexible license. You will use the auth code from this profile. An auth code for a flexible firewall license begins with the letter D, as shown below.
- Select DeviceLicenses. If the current VM-Series model and the VM-Series model you are migrating to are different, select the Upgrade VM Capacity link.If the VM-Series model is the same before and after migration, select the Activate feature using authorization code link.
- Enter the VM-Series authorization code from the new deployment profile.
- Click OK to confirm the license upgrade.The firewall contacts the Palo Alto Networks update server and consumes the tokens required for your firewall based on the VM-Series model.
- (Optional) Verify the migration.
- Select DeviceLicenses.
- Repeat this process for each VM-Series firewall in your deployment.
- Firewall
cannot access the CSP—Migrate a license on an offline firewall
- If necessary, install the license API key on your VM-Series firewall.
- Use the CLI to use manual mode to deactivate the fixed-model license.
- deactivate-vm.html#ideebc09fc-8135-45a0-9c61-51f52a0e9124 using the manual procedure, and log in to the CSP and use the token file to deactivate the VM.
- In the CSP, Create a Deployment Profile with the same VM-Series model, number of vCPUs, and security subscriptions as the old fixed model license. You will use the auth code from this profile.
- Select the new profile and click the vertical ellipsis
and select Register Firewall.
- Enter the VM and firewall information and select Submit. This associates the firewall with the profile and its authcode and assigns a serial number.
- Click View Devices to see associated devices in Software NGFW Devices.
- In the License column, download the license keys to a location from which you can safely transfer the files to the host machine.
- On the firewall select DeviceLicenses.License keys must be installed through the web interface. The firewall does not support license key installation through SCP or FTP.
- Click Manually Upload License and enter the license keys.
- Confirm that the Dashboard displays a valid serial number and that the PA-VM license displays in the DeviceLicenses tab.
- (optional) Verify the migration.
- Panorama
can access the CSP—Migrate licenses on Panorama managed firewalls.
- Before you begin, ensure that you install a License API key on the firewall.
- Log in to the Panorama web interface.
- Verify the Palo Alto Networks update server configuration
for the firewalls.
- Select DeviceSetupServices.
- Confirm that Update Server is set to updates.paloaltonetworks.com.
- Confirm that Verify Update Server Identity is selected.
- Create a Deployment Profile for the new license if you have not done so already. This profile is required to generate the new authorization code for the migrated Panorama.
- Retrieve the VM-Series authorization code. A firewall authorization code for a flexible license begins with the letter D, as shown below.
- Apply the new authorization code.
- Select PanoramaDevice DeploymentLicenses and Activate.
- Enter your VM-Series authorization code.
- Use the filters to select the managed firewalls to be licensed.
- Enter your authorization code in the Auth Code column for each firewall.
- Activate to confirm the license upgrade. Panorama contacts the Palo Alto Networks update server and consumes the tokens required for your firewalls based on the VM-Series model, vCPUs, and services you have chosen.
- (optional) Verify the migration.
- Panorama
cannot access the CSP—Migrate licenses on offline Panorama managed
firewalls
- Before you begin, ensure that you install a License API key on the firewall.
- deactivate-vm.html#idb85de4c1-8e91-4180-9b78-bd9f3aa67425 using the manual procedure, and log in to the CSP and use the token file to deactivate the VM.
- In the CSP, Create a Deployment Profile with the same VM-Series model, number of vCPUs, security subscriptions, and Panorama as the fixed model license. You will use the auth code from this profile.
- Select the new profile and click the vertical ellipsis
and select Register Firewall.
- Enter the VM and firewall information and select Submit. This associates the firewall with the profile and its authcode and assigns a serial number.
- Click View Devices to see associated devices in Software NGFW Devices.
- In the License column, download the license keys to a location from which you can safely transfer the files to the host machine.
- Apply the new authorization code.
- Select PanoramaDevice DeploymentLicenses and click Activate.
- Use the filters to select the managed firewalls to be licensed.
- Enter your authorization code from your deployment profile in the Auth Code column for each firewall.
- Click Activate to confirm the license upgrade. Panorama contacts the Palo Alto Networks update server and consumes the tokens required for your firewalls based on the VM-Series model, vCPUs, and services you have chosen.
- (optional) Verify the migration.
- Verify
the migration
- Check the license expiration date to verify the license updated successfully.
- Verify that all subscriptions enabled in your deployment profile are applied to your device.
- On the CSP, verify the expected number of credits allocated and credits consumed against your credit pool match.
- On the CSP, verify that the associated tokens or quantity of licenses have been returned to your previous auth code.