Creating a VM-Series MVE

This topic describes how to create and configure a Megaport Virtual Edge (MVE) with VM-Series next-generation firewall (NGFW). You can use VM-Series to secure application traffic that flows through the MVE.

Before you begin, you need user accounts with ordering permissions that provide access to the Megaport Portal and the VM-Series firewall.

For more information on setting up a Megaport account, see Creating an Account.

Palo Alto Networks provides documentation for VM-Series at VM-Series Tech Docs.

Basic steps

This section provides an overview of the configuration steps in the Megaport Portal and PAN-OS. Detailed procedures follow this basic step summary.

The basic steps are:

Obtain a VM-Series license from Palo Alto Networks.
Set a temporary admin password for VM-Series.
Generate an SSH Public Key for authentication.
Create the Palo Alto Networks VM-Series MVE in the Megaport Portal.
We strongly recommend that you provision a Megaport Internet connection onto the management plane virtual interface.
View the MVE public IP address assignment in the Megaport Portal.
Allow secure console access to the VM-Series.

MVE with VM-Series architecture

Licensing

Before you create an MVE in the Megaport Portal, you need a valid license from Palo Alto Networks. After purchasing a VM-Series firewall, you receive an authorization code via email. You will use this Auth Code to register the MVE with Palo Alto Networks.

To obtain an authorization code from Palo Alto Networks for VM-Series

Log in to the Palo Alto Networks Customer Support Portal with your account credentials.
Choose Assets > VM-Series Auth-Codes > Add VM-Series Auth-Code.
Enter the Auth Code you received by email in the Add VM-Series Auth-Code field.
Select the check box on the far right to save.
The page displays the list of Auth Codes registered to your Support account.
To view all the assets that are deployed, choose Assets > Devices.

Once the product is registered, it appears in the Palo Alto Networks Registration Completion page.

The next step is to generate an SSH key pair for authentication.

Administrative access to MVE

You establish management and administrative access to the MVE/VM-Series through a public/private SSH key pair for secure connections. The public SSH key allows you to SSH into VM-Series and set the administrative password and enable HTTPS access.

Megaport supports the 2048-bit RSA key type.

To generate an SSH key pair (Linux/Mac OSX)

Run the SSH keygen command:

 ssh-keygen -f ~/.ssh/megaport-mve-instance-1-2048 -t rsa -b 2048

The key generator command creates an SSH key pair and adds two files to your ~/.ssh directory:

megaport-mve-instance-1-2048 – Contains the private key.
megaport-mve-instance-1-2048.pub – Contains the public key that is authorized to log in to the Palo Alto Networks account.

To generate an SSH key pair (Windows, using PuTTYgen)

Open PuTTYGen.
In the Key section, choose RSA 2048 bit and click Generate.
Move your mouse randomly in the small screen to generate the key pairs.
Enter a key comment, which will identify the key.
This is convenient when you use several SSH keys.
Enter a Key passphrase, and re-enter to confirm.
The passphrase is used to protect your key. You will be asked for it when you connect via SSH.
Click Save private key, choose a location, and click Save.
Click Save public key, choose a location, and click Save.

You’ll copy and paste the contents of the public key file in the Megaport Portal later to distribute the public key to the Palo Alto Networks VM-Series appliance. Your private key will match the public key to grant access. Only a single private key has access to the VM-Series for SSH access.

Creating an MVE in the Megaport Portal

Before you create an MVE, you need to determine the best location - one that supports MVE and one that is in the most compatible metro area. You can connect multiple locations to an individual MVE. For location details, see Planning Your Palo Alto Networks Deployment.

You can deploy multiple MVEs within the same metropolitan area for redundancy or capacity reasons. As part of the MVE creation process, you will also create two Megaport Internet connections.

To create the VM Series MVE (compute)

In the Megaport Portal, go to the Services page.
Click Create MVE.
Select the MVE location.

Select a location geographically close to your target branch and/or on-premises locations.

The country you choose must be a market in which you have already registered.

If you haven’t registered a billing market in the location where you will deploy the MVE, follow the procedure in Enabling Billing Markets.

To search for your local market in the list, enter a country in the Country Filter or a metro region detail in the Search filter.
Select a diversity zone.
You can select either Red or Blue, or select Auto and have Megaport select the zone for you. The selected or allocated diversity zone will be displayed on the location details through the rest of the provisioning, and on the summary page at the end.
For more information,see MCR and MVE Diversity.
Click Next.
Select Palo Alto VM-Series and the software version.
The MVE will be configured to be compatible with this software version from Palo Alto Networks.
Specify the MVE details:
- MVE Name – Enter a name for the MVE that is easily identifiable, particularly if you plan on provisioning more than one. This name appears in the Megaport Portal.
  
  Note
  
  Partner-managed accounts can associate a Partner Deal to a service with a minimum 12-month subscription. For more information, see Associating a Deal With a Service.
- Size – Select a size from the drop-down list. The list displays all sizes that match the CPU capacity at the selected location. The sizes support varying numbers of concurrent connections, and individual partner product metrics vary slightly. For more information, see Planning your Palo Alto Networks Deployment.
  
  Note
  
  If the MVE size you want is not in the list, then there is not enough capacity at the chosen location. You can either choose another location with enough capacity or contact your Account Manager to discuss requirements.
- Service Level Reference (optional) – Specify a unique identifying number for the MVE to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice. You can also edit this field for an existing service.
- License Data (optional) – Specify the VM-Series Auth Code (the valid license for the virtual appliance). The Auth Code is used to register the VM-Series MVE instance with Palo Alto Networks. You can find it in the Palo Alto Networks Support portal.
- Admin Password – Specify a temporary administrator password. The password must be a minimum of 8 characters and include:
  - 1 uppercase character (A-Z)
  - 1 lowercase character (a-z)
  - 1 number (0-9)
  - 1 symbol
  
  Note
  
  Megaport does not store customer passwords.
- SSH Key – Copy and paste the contents of your public SSH key here. You can find the public key in the megaport-mve-instance-1-2048.pub file generated earlier.
- Virtual Interfaces (vNICs) – Each MVE is configured with two vNICs named Management Plane and Data Plane by default. To change the name, type over the name text in the box.
  
  You can add a total of five vNICs to the MVE, including the two added by default. For more information, see Types of vNIC Connections.
  
  To add a vNIC:
  - Click + Add.
  - Enter a name for the vNIC.
  Note
  
  If you want to increase or decrease the number of vNICs on this MVE after it has been deployed, you will have to delete the entire MVE and recreate it. You can’t add or delete vNICs on a deployed MVE.
- Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default. For more information on contract terms, see MVE Pricing and Contract Terms.
  
  Note
  
  Partner and partner-managed accounts select MVE subscriptions instead of MVE contract terms.
Click Next to view the Summary page.
The monthly rate is based on location, size, and contract term.
Confirm the configuration and pricing then click Add MVE.
You are prompted to create a Megaport Internet connection. A Megaport Internet connection provides connectivity and allows MVE to register and communicate with Palo Alto Networks licensing systems and, optionally, Panorama.

To create the Megaport Internet connection

Click Create Megaport Internet to proceed (recommended), or click Not now to provision your own internet access at a later time.

Note

MVE requires connectivity to the internet onto the management plane virtual interface. You can either provision a Megaport Internet connection or configure a third-party internet connection using a private VXC. We strongly recommend that you create a Megaport Internet connection for the initial MVE startup and deployment to ensure that the MVE is provisioned and functioning correctly.
Select the target Port (the internet router).
The B-End of a Megaport Internet connection can be anywhere in the same country as the originating MVE.
You can filter by diversity zone, or select to view all.
Click Next.
Specify the connection details:
- Connection Name – The name of your Megaport Internet connection to be shown in the Megaport Portal.
  As a best practice, we recommend including “Management Plane” in the name for reference later.
- Service Level Reference (optional) – Specify a unique identifying number for the Megaport Internet connection to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice.
  
  Tip
  
  Use the same Service Level Reference numbers for the Megaport Internet connection and MVE to help identify the matching pair in your invoice.
- Rate Limit – The speed of your connection in Mbps. This speed is adjustable from 20 Mbps to 10 Gbps in increments of 1 Mbps. You can change the speed as needed after you create the Megaport Internet connection. Monthly billing details appear based on location and rate limit.
- VXC State – Select Enabled or Shut Down to define the initial state of the connection. For more information, see Shutting Down a VXC for Failover Testing.
  
  Note
  
  If you select Shut Down, traffic will not flow through this service and it will behave as if it was down on the Megaport network. Billing for this service will remain active and you will still be charged for this connection.
- A-End vNIC – Select vNIC-0 Management Plane from the drop-down list.
  
  Important
  
  The internet connection on the management virtual interface will be used only for management purposes such as licensing, updates, and communication with Panorama. If you require internet traffic to flow between branches, users, and/or the cloud, you will create a second Megaport Internet connection on the data plane virtual interface. For more information, see To create a second Megaport Internet connection on the data plane.
- Preferred A-End VLAN (optional) – Specify an unused VLAN ID for this connection.
  This must be a unique VLAN ID on this MVE and can range from 2 to 4093. If you specify a VLAN ID that is already in use, the system displays the next available VLAN number. The VLAN ID must be unique to proceed with the order. If you don’t specify a value, Megaport will assign one.
  
  Alternatively, you can click Untag. This selection removes the VLAN tagging for this connection and it will be configured without a VLAN ID.
- Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default.
  Take note of the information on the screen to avoid early termination fees (ETF). See Megaport Internet Pricing and Contract Terms and VXC, Megaport Internet, and IX Billing for more information.
Click Next to proceed to the connection detail summary.
Click Add VXC to order the connection.
Click Order in the upper left corner of your screen under Configured Services.
If you have a promotional code, click Add Promo Code, enter it, then click Add Code.
Click Order Now.

Note

A second Megaport Internet connection is required if the firewall will be exchanging internet traffic with branches. Each data plane Megaport Internet connection receives its own unique public IP Address.

To create a second Megaport Internet connection on the data plane virtual interface

In the Megaport Portal, go to the Services page.
Click +Connection on the Palo Alto Networks MVE.
Select Megaport Internet.
Select the target Port (the internet router).
The B-End of a Megaport Internet connection can be anywhere in the same country as the originating MVE.
You can filter by diversity zone, or select to view all.
Click Next.
Specify the connection details:
- Connection Name – The name of your data plane Megaport Internet connection to be shown in the Megaport Portal. As a best practice, we recommend including “Data Plane” in the name for reference later.
- Service Level Reference (optional) – Specify a unique identifying number for the Megaport Internet connection to be used for billing purposes, such as a cost center number or a unique customer ID. The service level reference number appears for each service under the Product section of the invoice.
- Rate Limit – The speed of your connection in Mbps. This speed is adjustable from 20 Mbps to 10 Gbps in increments of 1 Mbps. You can change the speed as needed after you create the Megaport Internet connection. Monthly billing details appear based on location and rate limit.
- VXC State – Select Enabled or Shut Down to define the initial state of the connection. For more information, see Shutting Down a VXC for Failover Testing.
  
  Note
  
  If you select Shut Down, traffic will not flow through this service and it will behave as if it was down on the Megaport network. Billing for this service will remain active and you will still be charged for this connection.
- A-END vNIC – Select vNIC-1 Data Plane from the drop-down list.
- Preferred A-End VLAN (optional) – Specify an unused VLAN ID for this connection.
  This must be a unique VLAN ID on this MVE and can range from 2 to 4093. If you specify a VLAN ID that is already in use, the system displays the next available VLAN number. The VLAN ID must be unique to proceed with the order. If you don’t specify a value, Megaport will assign one.
  
  Alternatively, you can click Untag. This selection removes the VLAN tagging for this connection and it will be configured without a VLAN ID.
- Minimum Term – Select No Minimum Term, 12 Months, 24 Months, or 36 Months. Longer terms result in a lower monthly rate. 12 Months is selected by default.
  Take note of the information on the screen to avoid early termination fees (ETF). See Megaport Internet Pricing and Contract Terms and VXC, Megaport Internet, and IX Billing for more information.
Click Next to proceed to the connection detail summary, click Add VXC, and order the connection.
Click Order.
If you have a promotional code, click Add Promo Code, enter it, and click Add Code.
Click Order Now.

Ordering MVE provisions the instance and assigns IP addresses from the Megaport SDN. The Palo Alto Networks MVE provisioning time varies between versions and depends on whether you provide a license authorization code. It can take up to 15 minutes for the MVE to provision before you can log in and continue configuration.

After you order the MVE from the Megaport Portal, you can use Palo Alto Networks Panorama to manage the firewall.

Viewing the MVE in the Megaport Portal

After creating the MVE, you can view it in the Megaport Portal on the Services page. You can also view the public IP addresses assigned.

To view an MVE in the Megaport Portal

Go to the Services page.

MVE and Megaport Internet connection in the Megaport Portal

The Megaport Internet icon differs from a standard VXC icon in the Megaport Portal, as shown in the image.

For more information on the Services page, see Understanding the Services Page.

To view the public IP addresses assigned to the MVE

Click the gear icon next to the Management Plane Megaport Internet connection.
The Connection Configuration screen appears. From here, you can modify any of the Megaport Internet connection details.
Click the Details tab.
Locate the public IP address (IPv4 or IPv6).
These are the public IP addresses assigned to the MVE.

Updating the administrator password

Next, you’ll replace the temporary password you set in the Megaport Portal with a new secure password.

To update the administrator password

Log in to the Palo Alto Networks system using the temporary admin password you set in the Megaport Portal.
Choose Device > Administrators.
Select the admin user.
Enter the old temporary password, a new secure password, and confirm the new password.
Click OK.
Choose Config > Save Changes.

Configuring the data plane interface

Next, you will configure the data plane interface and assign it an interface type.

To configure the data plane interface

Choose Network > Interfaces.
Select ethernet1/1 from the Interface column.
Select Layer3 from the Interface Type drop-down list.
Click OK.
Highlight the ‘ethernet1/1’ row and click Add Subinterface at the bottom of the screen.
Provide these details:
- Interface Name – Enter a name for the subinterface. In the adjacent field, enter a number to identify the subinterface.
- Comment – Enter an alternate name.
- Tag – Specify the A-End VLAN value associated with the Megaport Internet destination Port.
- Virtual Router – Select a virtual router to the interface, as required by your network.
Select the IPv4 tab.
Select DHCP Client as the Type.
Click OK.
Click Commit in the top right corner.
Review the changes and click Commit.

Next steps

Now that you’ve deployed an MVE, the next step is to connect a VXC to a CSP, a local port, or a third-party network. You can optionally connect a physical Port to the MVE through a private VXC or connect to a service provider in the Megaport Marketplace.

Last update: 2024-04-15