Performance Tuning of the VM-Series for ESXi

Learn how to tune your ESXi setup for the best performance.
Where Can I Use This?
  • ESXi Server
What Do I Need?
  • VM-Series Firewall License (BYOL)
  • Panorama
  • VM-Series plugin
  • Panorama plugin for ESXi
The VM-Series firewall for ESXi is a high-performance appliance, but the hypervisor may need tuning before the firewall reaches its full throughput. This section describes best practices and recommendations for getting the best performance out of the VM-Series firewall. ESXi 6.0 or later is recommended.

Install the NIC Driver on ESXi

For the best performance, use SR-IOV with Intel 10 GbE network interfaces, which requires the ixgbe 4.4.1 driver so that each interface supports multiple queues.
  1. Obtain a list of network interfaces on the ESXi host.
    1. Log in to the ESXi host CLI.
    2. Use the following command to return a list of network interfaces:
      $ esxcli network nic list
  2. Determine the driver version for a particular interface.
    You can use either ethtool or esxcli to determine the currently installed driver version. The following example queries vNIC4 and returns driver version 3.21.6, which is older than the required 4.4.1.
    • ethtool—ethtool -i <nic-name>
      $ ethtool -i vNIC4 
      driver: ixgbe 
      version: 3.21.6iov 
      firmware-version: 0x80000389  
      bus-info: 0000:04:00.0 
    • esxcli—esxcli network nic get -n <nic-name>
      $ esxcli network nic get -n vNIC4 
         Advertised Auto Negotiation: true 
         Advertised Link Modes:  
         Auto Negotiation: true 
         Cable Type:  
         Current Message Level: 7 
         Driver Info:  
               Bus Info: 0000:04:00.0 
               Driver: ixgbe 
               Firmware Version: 0x80000389 
               Version: 3.21.6iov 
         Link Detected: false 
         Link Status: Down  
         Name: vNIC4 
         PHYAddress: 0 
         Pause Autonegotiate: true 
         Pause RX: true 
         Pause TX: true 
         Supported Ports: FIBRE 
         Supports Auto Negotiation: true 
         Supports Pause: true 
         Supports Wakeon: false 
         Transceiver: external 
         Wakeon: None 
  3. Install the new driver.
    1. Download the ixgbe 4.4.1 driver from the VMware website. Extract the contents to a local directory and find the .zip or .vib files for your driver.
    2. Create a new folder in your ESXi host datastore.
    3. Copy the local .zip or .vib file you extracted to the new folder in your ESXi host datastore.
    4. Enable maintenance mode on the ESXi host.
    5. Use one of the following commands to install the new driver, using -d for .zip files, or -v for .vib files.
      • $ esxcli software vib install -d <path to driver .zip file>
      • $ esxcli software vib install -v <path to driver .vib file>
      Specify the absolute path to the .zip or .vib file. For example:
      $ esxcli software vib install -d  "/vmfs/volumes/Datastore/DirectoryName/DriverName.zip"
    6. Verify the VIB installation.
      $ esxcli software vib list
    7. Reboot the ESXi host.
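The procedure above is easy to get wrong by hand: a version string such as 3.21.6iov does not compare correctly as text, and the check has to be repeated for every NIC. The following script is an added example, not code from the original page or from Palo Alto Networks. It parses the esxcli output shown above into a driver name and a numeric version, compares it against the 4.4.1 minimum, and wraps the install steps. The function names are this example's own, the sample esxcli output is constructed to mirror the layout shown on the page, and check_all_nics assumes the default two-line header that esxcli network nic list prints before its table rows.

```shell
#!/bin/sh
# Added example, not from the original page: check whether an ESXi host's
# ixgbe driver meets the 4.4.1 minimum the page requires, and wrap the
# install steps. Function names are this example's own.
REQUIRED_IXGBE="4.4.1"

# Parse `esxcli network nic get -n <nic>` output on stdin into "driver version".
# A version suffix such as the "iov" in "3.21.6iov" is stripped so it compares
# numerically; "Driver Info:" and "Firmware Version:" lines do not match.
driver_version() {
    awk '
        /^[[:space:]]*Driver:/  { drv = $2 }
        /^[[:space:]]*Version:/ { ver = $2; sub(/[^0-9.].*$/, "", ver) }
        END { print drv, ver }
    '
}

# version_ge A B: exit 0 when dotted version A >= B (3.21.6 < 4.4.1, not string order).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Read esxcli output on stdin and print one of: ok, upgrade, skip (non-ixgbe NIC).
check_nic_output() {
    set -- $(driver_version)
    if [ "$1" != "ixgbe" ]; then
        echo "skip"
    elif version_ge "$2" "$REQUIRED_IXGBE"; then
        echo "ok"
    else
        echo "upgrade"
    fi
}

# Live check for every NIC on the host (run this on the ESXi shell).
# Assumes the default two header lines before the table rows.
check_all_nics() {
    for nic in $(esxcli network nic list | awk 'NR > 2 { print $1 }'); do
        printf '%s: %s\n' "$nic" "$(esxcli network nic get -n "$nic" | check_nic_output)"
    done
}

# Live install from a driver bundle already copied to a datastore, e.g.
# /vmfs/volumes/Datastore/DirectoryName/DriverName.zip (page step 3).
# Maintenance mode is the CLI equivalent of the vCenter step; reboot afterwards.
upgrade_ixgbe_from_zip() {
    esxcli system maintenanceMode set --enable true
    esxcli software vib install -d "$1"
    esxcli software vib list | grep -i ixgbe
}

# Constructed sample that mirrors the esxcli output shown on the page.
SAMPLE_OLD='   Driver Info:
         Bus Info: 0000:04:00.0
         Driver: ixgbe
         Firmware Version: 0x80000389
         Version: 3.21.6iov
   Link Detected: false'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OLD" | check_nic_output   # prints "upgrade"
fi
```

Run it with --demo to see the offline check against the constructed sample; on a host, source the file and call check_all_nics before and after the upgrade so you have a record of which interfaces changed. The non-ixgbe branch prints skip rather than upgrade because the driver requirement on this page is specific to the Intel ixgbe family.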

Enable DPDK on ESXi

The Data Plane Development Kit (DPDK) improves VM-Series throughput by speeding up packet processing on the network interface card (NIC). On the VM-Series firewall for ESXi, DPDK is enabled by default.
To take advantage of DPDK, you must use a NIC with one of the supported DPDK drivers listed in DPDK Driver Versions.
If you disable DPDK, the firewall falls back to PacketMMAP for packet I/O. You can disable DPDK with the CLI command set system setting dpdk-pkt-io off; the change takes effect after a reboot.
See the Compatibility Matrix for ESXi hypervisor support and for PacketMMAP and DPDK driver support by PAN-OS version.

Enable SR-IOV on ESXi

Single Root I/O Virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to the hypervisor or guest as multiple separate physical devices. Enable SR-IOV by enabling virtual function devices on the SR-IOV NIC and then modifying the guest settings in vCenter.
SR-IOV on the VM-Series for ESXi requires one of the Intel NIC drivers listed in PacketMMAP Driver Versions. See the Compatibility Matrix for SR-IOV and DPDK driver support by PAN-OS version.
There are two ways to enable SR-IOV on ESXi.
  • SR-IOV passthrough—In this method you enable virtual function devices on the SR-IOV NIC and modify the guest settings in vCenter, adding the SR-IOV VF interface with the adapter type “SR-IOV pass-through”. Refer to Assign a Virtual Function as SR-IOV Passthrough Adapter to a Virtual Machine.
    This method, which is preferred for PAN-OS 8.1.2 and later, still allows you to add the SR-IOV physical function (PF) to a vSwitch or DvSwitch.
  • PCI Adaptor—This method was required for PAN-OS 8.0 through 8.1.1. You can view the PCI Adaptor workflow in Enable SR-IOV on ESXi in the 8.1 Deployment Guide.
    The PCI Adaptor method has the limitation that you cannot configure a vSwitch on the physical port on which you enable SR-IOV. The VM-Series firewall must have exclusive access to that physical port and its associated virtual functions (VFs), which is how it communicates with the host or with other virtual machines on the network. Refer to Add a PCI Device in the vSphere Web Client.

Enable ESXi VLAN Access Mode with SR-IOV

The VM-Series firewalls on ESXi can operate in VLAN access mode to support use cases where it is deployed as a virtual network function (VNF) that offers security as a service in a multitenant cloud or data center environment. In VLAN access mode, each VNF has dedicated virtual network interfaces (VNIs) for each network and it sends and receives packets to/from SR-IOV virtual functions (VFs) without VLAN tags; you must enable this capability on the physical and virtual functions on the host hypervisor. When you then enable VLAN access mode on the VM-Series firewall, the firewall can send and receive traffic without VLAN tags across all its dataplane interfaces. Additionally, if you configure QoS policies, the firewall can enforce QoS on the access interface and provide differentiated treatment of traffic in a multi-tenant deployment.
By default, the VM-Series firewall on ESXi operates in VLAN trunk mode.
  1. On the host system, set up the physical and virtual function to operate in VLAN access mode.
    1. Click Networking in the VMware Host Client inventory and click Port groups.
    2. In the list, right-click the port group that you want to edit and select Edit settings. Enter a new port group Name. Enter a new value for the VLAN ID.
    For the best performance on the VM-Series firewall, make sure to:
    • Enable CPU pinning.
    • Disable Replay Protection if you have configured IPSec tunnels. Anti-replay is a security control, so disable it only where the throughput gain justifies accepting replayed ESP packets on that tunnel.
      On the firewall web interface, select Network > IPSec Tunnels, select an IPSec tunnel, click General, select Show Advanced Options, and clear Enable Replay Protection.
  2. Access the CLI on the VM-Series firewall.
  3. Enable VLAN access mode.
    request plugins vm-series vlan-mode access-mode on
    The on argument enables VLAN access mode; to return to VLAN trunk mode, enter request plugins vm-series vlan-mode access-mode off.
  4. Reboot the firewall.
    request restart system
  5. Verify the VLAN mode configuration.
    show plugins vm-series vlan-mode

Enable Multi-Queue Support for NICs on ESXi

Multi-queue lets network performance scale with the number of vCPUs by creating multiple TX and RX queues so that packets can be processed in parallel. Enable it by editing the .vmx file or through the virtual machine's Advanced Settings in vCenter.
The pnicFeatures setting also applies to NSX-T deployments, since ESXi is the hypervisor underneath NSX-T.
  1. Enable multi-queue.
    1. Open the .vmx file with the virtual machine powered off.
    2. Add the following parameter for each dataplane vNIC, where X is the vNIC index used in the .vmx file (ethernet0, ethernet1, and so on):
      ethernetX.pnicFeatures = "4"
  2. Enable receive-side scaling (RSS).
    1. Log in to the CLI on the ESXi host.
    2. Reload the ixgbe driver with receive-side scaling enabled. The RSS parameter takes one value per ixgbe port; the example below sets four queues on each of six ports. Unloading the driver drops the link on every ixgbe NIC, so run this with the host in maintenance mode and from a console or management path that does not depend on those NICs:
      $ vmkload_mod -u ixgbe 
      $ vmkload_mod ixgbe RSS="4,4,4,4,4,4" 
  3. For the best performance, allocate additional CPU threads per ethernet/vSwitch device. This is limited by the amount of spare CPU resources available on the ESXi host.
    1. Open the .vmx file.
    2. Add the following parameter:
      ethernetX.ctxPerDev = "1"
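Steps 1 and 3 above both mean editing the .vmx file, and a hand edit that duplicates a key or quotes it wrongly is a common way to end up with a VM that silently ignores the setting. The script below is an added example, not code from the original page or from Palo Alto Networks: it sets ethernetX.pnicFeatures and ethernetX.ctxPerDev for the vNIC indexes you name, replacing an existing line rather than appending a duplicate, and can verify the result. The function names are this example's own, the sample .vmx fragment is constructed, and it must be run with the virtual machine powered off because vSphere rewrites the .vmx of a running VM.

```shell
#!/bin/sh
# Added example, not from the original page: set the multi-queue keys the page
# lists (ethernetX.pnicFeatures, ethernetX.ctxPerDev) in a .vmx file
# idempotently. Edit with the VM powered off; vSphere rewrites the .vmx of a
# running VM and the edit would be lost. Function names are this example's own.

# set_vmx_key FILE KEY VALUE: replace an existing `KEY = "..."` line or append one.
# A temp file is used instead of sed -i so the same code works on the ESXi shell.
set_vmx_key() {
    file=$1; key=$2; value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the pattern
    if grep -q "^${key_re}[[:space:]]*=" "$file"; then
        sed "s|^${key_re}[[:space:]]*=.*|${key} = \"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_vmx_key FILE KEY: print the unquoted value, or nothing if the key is absent.
get_vmx_key() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^${key_re}[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$|\1|p" "$1"
}

# enable_multiqueue FILE IDX...: apply both keys to each vNIC index given
# (ethernet0, ethernet1, ... as they appear in the .vmx).
enable_multiqueue() {
    file=$1; shift
    for idx in "$@"; do
        set_vmx_key "$file" "ethernet${idx}.pnicFeatures" "4"
        set_vmx_key "$file" "ethernet${idx}.ctxPerDev" "1"
    done
}

# verify_multiqueue FILE IDX...: exit 0 only if every listed vNIC has both keys set.
verify_multiqueue() {
    vfile=$1; shift
    for idx in "$@"; do
        [ "$(get_vmx_key "$vfile" "ethernet${idx}.pnicFeatures")" = "4" ] || return 1
        [ "$(get_vmx_key "$vfile" "ethernet${idx}.ctxPerDev")" = "1" ] || return 1
    done
    return 0
}

# Constructed sample .vmx fragment: ethernet1 already carries a stale value to replace.
write_sample_vmx() {
    printf '%s\n' '.encoding = "UTF-8"' \
        'ethernet0.present = "TRUE"' \
        'ethernet1.present = "TRUE"' \
        'ethernet1.pnicFeatures = "0"' > "$1"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_vmx "$f"
    enable_multiqueue "$f" 1 2   # dataplane vNICs only; the management vNIC (ethernet0) is left alone
    cat "$f"
    rm -f "$f"
fi
```

The demo tunes ethernet1 and ethernet2 and leaves ethernet0 untouched, on the assumption that ethernet0 is the management interface, which gains nothing from extra queues. Note also that the vmkload_mod RSS setting from step 2 does not survive a host reboot; for a persistent setting use the module parameter store (esxcli system module parameters set -m ixgbe -p "RSS=4,4,4,4,4,4") and confirm it with esxcli system module parameters list -m ixgbe after the reboot.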