: Setup Prerequisites for the Panorama Virtual Appliance
Focus
Focus

Setup Prerequisites for the Panorama Virtual Appliance

Table of Contents

Setup Prerequisites for the Panorama Virtual Appliance

Complete the following tasks before you Install the Panorama Virtual Appliance:
Review the minimum resource requirements for deploying the Panorama virtual appliance on Alibaba Cloud, Amazon Web Services (AWS), AWS GovCloud, Microsoft Azure, Google Cloud Platform (GCP), Hyper-V, KVM, Oracle Cloud Infrastructure (OCI), and VMware ESXi to ensure that the virtual machine meets the minimum required resources for the desired mode (Panorama, Management Only, or Log Collector). The minimum resource requirements for the Panorama virtual appliance are designed to help you achieve the maximum number of logs per second (LPS) for log collection in Panorama and Log Collector mode. If you add or remove virtual logging disks that results in a configuration that does not meet or exceed the number of virtual logging disks recommended (below), your LPS will be reduced.
If the minimum resource requirements are not met for Panorama mode when you Install the Panorama Virtual Appliance, Panorama defaults to Management Only mode for all supported public (Alibaba Cloud, AWS, AWS GovCloud, Azure, GCP, and OCI) and private (Hyper-V, KVM, and VMware ESXi) hypervisors. If the minimum resource requirements are not met for Management Only mode, Panorama defaults to Maintenance mode for all supported public hypervisors, Hyper-V, and KVM. If the minimum resource requirements for Management Only mode are not met when you Install Panorama on VMware, Panorama defaults to Legacy mode.
While still supported, Legacy mode is not recommended for production environments. Additionally, you can no longer switch Panorama to Legacy mode. For more information on supported modes, see Panorama Models.
System Requirements for the Panorama Virtual Appliance
Requirements
Panorama Virtual Appliance in Management Only Mode
Panorama Virtual Appliance in Panorama Mode
Panorama Virtual Appliance in Log Collector Mode
Virtual hardware version
  • VMware ESXi and vCloud Air—64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10
    The Panorama virtual appliance for ESXi does not support the following:
    • Creation of quiesced snapshots.
      Disable Quiesce guest file system in the vSphere client or set the quiesce flag to 0 or false in the vSphere CLI before creating a snapshot of your virtual Panorama appliance.
    • VMware vMotion to migrate a Panorama virtual appliance from one ESXi server to another.
  • Hyper-V—Windows Server 2016 with Hyper-V role or Hyper-V 2016, or Windows Server 2019 with Hyper-V role or Hyper-V 2019
    Windows Server 2022 with Hyper-V role or Hyper-V 2022 is not supported.
  • KVM—Ubuntu version 16.04 or CentOS7
In Panorama mode, the virtual appliance running on any ESXi version supports up to 12 virtual logging disks with 2TB of log storage each, for a total maximum capacity of 24TB.
(VMware ESXi and vCloud Air only) In Legacy mode, the virtual appliance supports one virtual logging disk. ESXi 5.5 and later versions supports one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.
(ESXi and vCloud Air only)
Client computer
To install the Panorama virtual appliance and manage its resources, you must install a VMware vSphere Client or VMware Infrastructure Client that is compatible with your ESXi server.
System disk
  • Default—81GB
  • (ESXi and GCP only) Upgraded—224GB
    An upgraded system disk is required for SD-WAN.
    (Panorama and Log Collector mode) An upgraded system disk is required if you added more than 8 logging disks.
For log storage, Panorama uses virtual logging disks instead of the system disk or an NFS datastore.
Panorama must be initially installed with the Default system disk size, with the option to increase the system disk size after initial installation.
CPUs, memory, and logging disks
  • Manage up to 500 managed devices
    • 16 CPUs
    • 32GB memory
    • Local log storage not supported
  • Manage up to 1,000 managed devices
    • 32 CPUs
    • 128GB memory
    • Local log storage not supported
  • To manage more than 1,000 firewalls, see Increased Device Management Capacity Requirements.
The minimum resources below are required to achieve the specified logging rate.
  • Up to 10,000 logs/sec (LPS):
    • 16 CPUs
    • Based on your logging needs:
      • 2x2TB logging disks, 32GB memory
      • 4x2TB logging disks, 64GB memory or more
    • Manage up to 500 managed devices
  • Up to 20,000 log/sec (LPS)
    • 32 CPUs
    • 128GB memory
    • 8x2TB logging disks
    • Manage up to 1,000 managed devices
The minimum resources below are required to achieve the specified logging rate.
  • Up to 15,000 log/sec (LPS)
    • 16 CPUs
    • Based on your logging needs:
      • 2x2TB logging disks, 32GB memory
      • 4x2TB logging disks, 64GB memory or more
  • Up to 25,000 logs/sec (LPS)
    • 32 CPUs
    • 128GB memory
    • 8x2TB logging disks
The first logging disk on the Panorama virtual appliance must be 2TB in order to add additional logging disks. If the first logging disk is smaller than 2TB, you are unable to add additional logging disks.
Minimum CPUs and memory
  • 16 CPUs
  • 32GB memory
The minimum resources below do not take LPS into consideration and are only required for the Panorama virtual appliance to function based on the number of logging disks added. Palo Alto Networks recommends you refer to the recommended resources above.
For larger Panorama deployments, be aware that you may be under-provisioning your Panorama. This may lead to impacted performance and may cause Panorama to become unresponsive depending on the number of firewalls managed, the configuration size, the number of administrators logged in to Panorama, and the volume of logs ingested.
  • 2TB to 8TB—16 CPUs, 32GB memory
  • 10TB to 24TB— 16 CPUs, 64GB memory
Log storage capacity
Panorama in Management Only mode requires log forwarding to a Dedicated Log Collector.
2TB to 24TB
2TB to 24TB

Supported Interfaces

Interfaces can be used for device management, log collection, Collector Group communication, licensing and software updates. The Panorama virtual appliance supports up to six interfaces (MGT and Eth1 - Eth5).
Supported interfaces for public hypervisors
Function
Alibaba Cloud
Amazon Web Services (AWS) and AWS GovCloud
Microsoft Azure
Google Cloud Platform (GCP)
OCI
Device Management
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Device Log Collection
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Collector Group Communication
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Any interface supported
Licensing and Software Updates
MGT interface only
MGT interface only
MGT interface only
MGT interface only
MGT interface only
MGT interface only
Supported Interfaces for Private Hypervisors
Function
KVM
Hyper-V
VMware (ESXi, vCloud Air)
Device Management
Any interface supported
Any interface supported
Any interface supported
Device Log Collection
Any interface supported
Any interface supported
Any interface supported
Collector Group Communication
Any interface supported
Any interface supported
Any interface supported
Licensing and Software Updates
Any interface supported
Any interface supported
Any interface supported