(/content/techdocs/en_US.

html)

Updated on Thu Mar 13 20:26:10 UTC 2025

Home (/) | Panorama (/content/techdocs/en_US/panorama.html)

| Panorama Administrator's Guide (/content/techdocs/en_US/panorama/10-1/panorama-admin.html)
| Set Up Panorama (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama.html)
| Set Up the Panorama Virtual Appliance (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-
panorama-virtual-appliance.html)
| Install the Panorama Virtual Appliance (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-
panorama-virtual-appliance/install-the-panorama-virtual-appliance.html)
| Set Up Panorama on Alibaba Cloud (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-
virtual-appliance/install-the-panorama-virtual-appliance/set-up-panorama-on-alibaba-cloud.html)
| Install Panorama on Alibaba Cloud (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-
virtual-appliance/install-the-panorama-virtual-appliance/set-up-panorama-on-alibaba-cloud/install-panorama-on-alibaba-cloud.html)

DOWNLOAD PDF (/CONTENT/DAM/TECHDOCS/EN_US/PDF/PANORAMA/10-1/PANORAMA-ADMIN/PANORAMA-

ADMIN.PDF)

Panorama Administrator's Guide

(/content/techdocs/en_US/panorama/10-
1/panorama-admin.html)
Install Panorama on Alibaba Cloud

Table of Contents

Use the Elastic Compute Service (ECS) to create a Panorama™ virtual appliance instance on Alibaba Cloud. An ECS instance
supports a single NIC by default and automatically attached an Elastic Network Interface (ENI) to it. You must manually
upload a Panorama virtual appliance qcow2 image downloaded from the Palo Alto Networks Customer Supported Portal
(CSP) to Alibaba Cloud to successfully install the Panorama virtual appliance on Alibaba Cloud.

A Panorama virtual appliance deployed on Alibaba Cloud is Bring Your Own License (BYOL), supports all deployment modes
(Panorama, Log Collector, and Management Only), and shares the same processes and functionality as the M-Series hardware
appliances. For more information on Panorama modes, see Panorama Models (/content/techdocs/en_US/panorama/10-
1/panorama-admin/panorama-overview/panorama-models.html#id6a2d6388-f727-45aa-ae7e-ef7599379871).

Review the Setup Prerequisites for the Panorama Virtual Appliance (/content/techdocs/en_US/panorama/10-1/panorama-
admin/set-up-panorama/set-up-the-panorama-virtual-appliance/setup-prerequisites-for-the-panorama-virtual-
appliance.html#id4430de3f-a44c-4b24-b9c3-52cef1f0bc96) to determine the correct Elastic Computer Service (ECS)
instance type for your needs. The virtual resources requirement for the Panorama virtual appliance is based on the total
number of firewalls managed by the Panorama virtual appliance and the required Logs Per Second (LPS) for forwarding logs
from your managed firewalls to your Log Collector.

Palo Alto Networks supports the following instance types.

ecs.g5.xlarge, ecs.g5.2xlarge, ecs.g5.4xlarge

ecs.sn2ne.xlarge, ecs.sn2ne.2xlarge, ecs.sn2ne.4xlarge

This site uses Under-provisioning

cookies essential to itsthe Panorama
operation, virtual appliance
for analytics, will impact
and for personalized management
content performance. This includes the
and ads. By

 ❯ Cookie Settings
Panorama
continuing to browse virtual
this site, you appliance
acknowledge becoming
the use ofslow or unresponsive
cookies. depending on how under-provisioning
Privacy statement the
(https://www.paloaltonetworks.com/legal-notices/privacy)
Panorama virtual appliance is.
 STEP 1 -
Log in to the Alibaba Cloud Console (https://account.alibabacloud.com/login/login.htm).

STEP 2 -
Upload the Panorama Virtual Appliance Image to Alibaba Cloud (/content/techdocs/en_US/panorama/10-
1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/install-the-panorama-virtual-
appliance/set-up-panorama-on-alibaba-cloud/upload-the-panorama-virtual-appliance-image-to-alibaba-
cloud.html#id942eaca8-2736-486d-ac59-6538f3eed7e2).

STEP 3 -
Set up the virtual private cloud (VPC) for your network needs.

Whether you launch the Panorama virtual appliance in an existing VPC or you create a new VPC, the Panorama
virtual appliance must be able to receive traffic from other instances in the VPC and perform inbound and
outbound communication between the VPC and the internet as needed.

Refer to the Alibaba Cloud VPC documentation (https://www.alibabacloud.com/help/doc-detail/34217.htm?

spm=5176.11182172.content.2.599c4c8fj3zmZ8) for more information.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
 A Create a VPC and Configure Networks (https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-
deployment/set-up-the-vm-series-firewall-on-alibaba-cloud/deploy-the-vm-series-firewall-on-alibaba-
cloud/create-a-vpc-and-configure-networks.html) or use an existing VPC.

B Verify that the network and security components are appropriately defined.

Create an internet gateway to enable internet access to the subnet of your Panorama virtual appliance.

Internet access is required to install software and content updates, activate licenses, and leverage Palo
Alto Networks cloud services. Otherwise, you must manually install updates and activate licenses.

Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can
launch Alibaba Cloud instances. It is recommended that the Panorama virtual appliance belong to the

management subnet so that you can configure it to access the internet if needed.

Add routes to the route table for a private subnet to ensure traffic can be routed across subnets in the

VPC and from the internet if applicable.

Ensure you create routes between subnets to allow communication between:

Panorama, managed firewalls, and Log Collectors.

( Optional ) Panorama and the internet.

Ensure that the following ingress security rules are allowed for the VPC to manage VPC traffic. The
ingress traffic source for each rule is unique to your deployment topology.

See Ports Used for Panorama (https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-

admin/firewall-administration/reference-port-number-usage/ports-used-for-panorama.html) for more

information.

Allow SSH (port 22) traffic to enable access to the Panorama CLI.

Allow HTTPS (port 443 and 27280) traffic to enable access to the Panorama web interface.

Allow traffic on port 3978 to enable communication between Panorama, manage firewalls, and

managed Log Collectors. This port is also used by Log Collectors to forward logs to Panorama.

Allow traffic on port 28443 to enable managed firewalls to get software and content updates from

Panorama.

STEP 4 -
Select Elastic Compute Service > Instances & Images > Instances and click Create Instance in the upper right
corner.

STEP 5 -
Create the Panorama virtual appliance instance.

A Select Custom Launch.

B Configure the Panorama virtual appliance instance.

Billing Method—Select the desired subscription method for the instance.

This site uses cookiesRegion —Select

essential a region for
to its operation, of your choice.
analytics, and The region youcontent
for personalized select must provide
and ads. By on of the supported instance
continuing to browse types.
this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
 Instance Type—Select one of the supported instance types. You can select Type-based Selection to
search for the instance type.

Image— Select Custom Image and select the Panorama virtual appliance image you uploaded.

Storage—Choose a disk type and enter 81GiB as the system disk capacity.

( Optional ) Add Disk—Add additional logging disks.

If you intend to use the Panorama virtual appliance in Panorama mode or as a Dedicated Log Collector,
add the virtual logging disks during the initial deployment. By default, the Panorama virtual appliance is

in Panorama mode for the initial deployment when you meet the Panorama mode resource
requirements and have added at least one virtual logging disk. Otherwise, the Panorama virtual

appliance defaults to Management Only mode. Change the Panorama virtual appliance to Management
Only mode if you just want to manage devices and Dedicated Log Collectors, and to not collect logs

locally.

The Panorama virtual appliance on Alibaba Cloud only supports 2TB logging disks, and in total supports

up to 24TB of log storage. You are unable to add a logging disk smaller than 2TB, or a logging disk with a
size not divisible by the 2TB logging disk requirement. The Panorama virtual appliance partitions logging

disks larger than 2TB into 2TB partitions.

( Optional ) Snapshot—Specify how often a snapshot is automatically taken of the Panorama virtual

appliance instance to prevent risks and accidental data deletion.

Duration—Specify the duration for the Panorama virtual appliance instance.

STEP 6 -
Configure the Panorama virtual appliance network settings.

A Select Next: Networking.

B Configure the network settings for the Panorama virtual appliance instance.

Network Type—Select the VPC and management VSwitch you created.

Public IP Address—If you do not have a public IP address, enable (check) Assign Public IPv4 Address
and a public IPv4 address is automatically assigned to the Panorama virtual appliance instance.

If you must use a specific IP address, or an address in a specific range, you can request a custom IP

address. Refer to the Elastic IP Address User Guide (https://www.alibabacloud.com/help/faq-

list/65080.html).

Security Group—Select the management security group you created and enable Port 443 (HTTPS), Port
22, and Port 3389.

Elastic Network Interface—No configuration needed. The Management interface is already attached to
eth0.

STEP 7 -
Configure the Panorama virtual appliance instance system settings.

A Select Next: System Configurations.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
B Configure system settings for the Panorama virtual appliance instance.
 Logon Credentials—Select Key Pair and select the key pair. If a key pair has not already been created,
select Create Key Pair to create an new key pair on Alibaba Cloud or import an existing key pair.

Password authentication is not supported.

Instance Name—Enter a descriptive name for the Panorama virtual appliance. This the name displayed
for the instance throughout the Alibaba Cloud Console.

Host—Enter a hostname for the Panorama virtual appliance instance.

STEP 8 -
( Optional ) Select Next: Grouping to configuring grouping for all Alibaba Cloud resources associated with the
Panorama virtual appliance instance.

STEP 9 -
Select Preview to view the configuration before ordering.

STEP 10 -
View and check the ECS Terms of Service and Product Terms of Service.

STEP 11 -
Create Instance to create the Panorama virtual appliance instance.

When prompted, click Console to view the instance creation status.

STEP 12 -
Allocate Elastic IP (EIP) addresses.

The EIP is a public IP address used to connect to the Panorama virtual appliance.

This step is required only if you want to enable internet access for the Panorama virtual appliance.

A Select Elastic Compute Service > Network & Security > VPC > Elastic IP Addresses > Elastic IP Addresses.

Select Create EIP if you do not have any existing EIPs.

B In the Actions column, select Bind Resource to bind an EIP to any interface exposed to the Internet.

STEP 13 -
Log in to the Panorama CLI (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-
panorama/access-and-navigate-panorama-management-interfaces/log-in-to-the-panorama-
cli.html#id22bca7a1-2603-49f1-b937-51de02f52ae2) using the SSH to configure the Panorama virtual
appliance network settings.

You must configure the system IP address , netmask, and default gateway. Additionally, you must add the
Alibaba Cloud DNS servers (https://partners-intl.aliyun.com/help/doc-detail/174112.htm) to successfully
connect to the Palo Alto Networks update server.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
You can also access the Panorama CLI from the Alibaba console. To access the Panorama
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
CLI from the Alibaba console, select Elastic Compute Service > Instances & Images >
(https://www.paloaltonetworks.com/legal-notices/privacy)
 Instances and select the Panorama virtual appliance instance. In the Instance Details, select
Connect.

You are prompted to create a VCN password for the Panorama virtual appliance instance on
first connection from the Alibaba VCN. Be sure to save this password as it cannot be recov-
ered and is required to connect using the VCN or update the password in the future.

STEP 14 -
Configure a new administrative password for the Panorama virtual appliance.

You must configure a unique administrative password before you can access the web interface or CLI of the
Panorama virtual appliance. To access the CLI, the private key used to launch the Panorama virtual appliance is
required.

The new password must be a minimum of eight characters and include a minimum of one lowercase character,
one uppercase character, and one number or special character.
Configure a new password using the following commands and follow the on screen prompts:

admin> configure
admin# set mgt-config users admin password

STEP 15 -
Configure the initial network settings for the Panorama virtual appliance.

admin>

configure

admin#

set deviceconfig system type static

admin#

set deviceconfig system ip-address <instance-private-IP address> netmask <netmask> default-

gateway <default-gateway-IP>

The default gateway on Alibaba Cloud ends in .253. For example, if the private IP address
for your Panorama virtual appliance instance is 192.168.100.20, the default gateway is
192.168.100.253.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
 admin#

set deviceconfig system dns-setting servers primary 100.100.2.136

admin#

set deviceconfig system dns-setting servers secondary 100.100.2.138

admin#

commit

STEP 16 -
Register the Panorama virtual appliance and activate the device management license and support licenses.

A ( VM Flex Licensing Only ) Provisioning the Panorama Virtual Appliance Serial Number
(https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-

firewall/software-ngfw/provision-panorama.html).

When leveraging VM Flex licensing, this step is required to generate the Panorama virtual appliance serial

number needed to register the Panorama virtual appliance with the Palo Alto Networks Customer Support
Portal (CSP).

B Register Panorama (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-

panorama/register-panorama-and-install-licenses/register-panorama.html#ida7cedf7f-3d4e-4b8d-aa27-

e31e359c6962).

You must register the Panorama virtual appliance using the serial number provided by Palo Alto Networks in

the order fulfillment email.

This step is not required when leveraging VM Flex licensing as the serial number is automatically registered

with the CSP when generated.

C Activate the firewall management license.

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-
connected (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/register-

panorama-and-install-licenses/activateretrieve-a-firewall-management-license-on-the-panorama-

This site uses cookiesvirtual-appliance.html#id5fd6c4c0-1cc7-456d-a959-291b1726cda6).

essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
 Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-

connected (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/register-
panorama-and-install-licenses/activateretrieve-a-firewall-management-license-when-the-panorama-

virtual-appliance-is-not-internet-connected.html#id181QAN006N4).

D Activate a Panorama Support License (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-

up-panorama/register-panorama-and-install-licenses/activate-a-panorama-support-
license.html#id7ece970a-4a9a-49f5-a11a-cb16bcd2332a).

STEP 17 -
Complete configuring the Panorama virtual appliance for your deployment needs.

( Management Only mode ) Set up a Panorama Virtual Appliance in Management Only Mode
(/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-
virtual-appliance/set-up-the-panorama-virtual-appliance-in-management-only-
mode.html#id182QC0YK0ED).

( Log Collector mode ) Begin at Step 6 to Switch from Panorama mode to Log Collector mode.
(/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-
virtual-appliance/set-up-the-panorama-virtual-appliance-as-a-log-
collector.html#id17C8C0Z0H2M_id2ef0782e-1afd-4219-8e26-a8a4b02a97f6)

Enter the Public IP address of the Dedicated Log Collector when you Add the Log
Collector as a managed collector to the Panorama management server. You cannot
specify the IP Address, Netmask, or Gateway.

( Panorama and Management Only mode ) Configure a Managed Collector

(/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-log-collection/configure-a-
managed-collector.html#idf8d86697-3296-455d-93a7-16abbb3e9aa3) to add a Dedicated Log Collector to
the Panorama virtual appliance. Management Only mode does not support local log collection, and requires
a Dedicated Log Collector to store managed device logs.

STEP 18 -
Complete configuring the Panorama virtual appliance for your deployment needs.

For Panorama in Log Collector Mode.

1. Add a Virtual Disk to Panorama on Alibaba Cloud (/content/techdocs/en_US/panorama/10-

1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/expand-log-storage-
capacity-on-the-panorama-virtual-appliance/add-a-virtual-disk-to-panorama-on-alibaba-
cloud.html#id37a8f60a-ced5-43c2-9455-5197eb3fc232) as needed.

Adding at least one virtual logging disk is required before you can change the Panorama virtual appliance
to Log Collector mode.

2. Begin at Step 6 to switch to Log Collector mode. (/content/techdocs/en_US/panorama/10-1/panorama-

admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-
appliance-as-a-log-collector.html#id17C8C0Z0H2M_id2ef0782e-1afd-4219-8e26-a8a4b02a97f6)

Enter the Public IP address of the Dedicated Log Collector when you add the Log
Collector as a managed collector to the Panorama management server. You cannot
specify the IP Address, Netmask, or Gateway.

For Panorama
This site uses cookies essential toinitsPanorama mode.
operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
1. Add a Virtual Disk to Panorama on Alibaba Cloud (/content/techdocs/en_US/panorama/10-
(https://www.paloaltonetworks.com/legal-notices/privacy)
1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/expand-log-storage-
 capacity-on-the-panorama-virtual-appliance/add-a-virtual-disk-to-panorama-on-alibaba-
cloud.html#id37a8f60a-ced5-43c2-9455-5197eb3fc232) as needed.

Adding at least one virtual logging disk is required before you can change the Panorama virtual appliance
to Panorama mode.

2. Set up a Panorama Virtual Appliance in Panorama Mode (/content/techdocs/en_US/panorama/10-

1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-
virtual-appliance-in-panorama-mode.html#id1846A0G0Y3C).

3. Configure a Managed Collector (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-

log-collection/configure-a-managed-collector.html#idf8d86697-3296-455d-93a7-16abbb3e9aa3).

For Panorama in Management Only mode.

1. Set up a Panorama Virtual Appliance in Management Only Mode

(/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-
virtual-appliance/set-up-the-panorama-virtual-appliance-in-management-only-
mode.html#id182QC0YK0ED).

2. Configure a Managed Collector (/content/techdocs/en_US/panorama/10-1/panorama-admin/manage-

log-collection/configure-a-managed-collector.html#idf8d86697-3296-455d-93a7-16abbb3e9aa3) to
add a Dedicated Log Collector to the Panorama virtual appliance.

Management Only mode does not support local log collection, and requires a Dedicated Log Collector to
store managed device logs.

Was this information helpful?

Yes No

Previous

Upload (/content/techdocs/en_US/panorama/10-
the 1/panorama-admin/set-up-panorama/set-up- (/content/techdocs/en_US/panorama/10-
Next
Panorama the-panorama-virtual-appliance/install-the- 1/panorama-admin/set-up-panorama/set-up-
Install
Virtual panorama-virtual-appliance/set-up- the-panorama-virtual-appliance/install-the-
Panorama
Appliance panorama-on-alibaba-cloud/upload-the- panorama-virtual-appliance/install-
on AWS
Image to panorama-virtual-appliance-image-to- panorama-in-aws.html)
Alibaba alibaba-cloud.html)
Cloud

Technical Documentation Co

Release Notes (/content/techdocs/en_US/release-notes.html) Abo

Search (/content/techdocs/en_US/search.html) Care
Blog (https://www.paloaltonetworks.com/blog/category/technical- Cus
documentation/) LIVE
Compatibility Matrix (/content/techdocs/en_US/compatibility- Kno
matrix.html)
OSS Listings (/content/techdocs/en_US/oss-listings.html)
Sitemap (/content/techdocs/en_US/sitemap.html)

(https://www.facebook.com/PaloAltoNetworks) (https://w
This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
(https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA)
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
 (/content/techdocs/en_US.html) © 2025 Palo Alto Ne

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)