Deploy Palo Alto Networks VM‑Series Firewall on ZEDEDA

Updated

Introduction

The Palo Alto Networks VM‑Series Next‑Generation Firewall (NGFW) on ZEDEDA operates as a virtual machine on an edge node to enforce north–south and east–west traffic segmentation. You use this integration to establish a zero-trust enforcement point, a DHCP server for internal VLANs, and a default gateway for OT/IT workloads while ZEDEDA manages the application lifecycle.

This article provides a step‑by‑step, production‑ready walkthrough for deploying a Palo Alto Networks VM‑Series Next‑Generation Firewall (NGFW) on ZEDEDA. It distills the official PAN–ZEDEDA integration guide into a clear, repeatable how‑to, aligned with real edge deployments.

Prerequisites 

  • You have either the SysManager or SysAdmin role in your ZEDEDA Cloud enterprise.
  • You have onboarded your edge node. 
  • The edge node must be running a supported version of EVE-OS.
  • Outbound HTTPS (port 443) connectivity is required.
  • Palo Alto Networks VM‑Series Edge App available in the ZEDEDA Global Marketplace.
  • Access to the Palo Alto Networks Support Portal to register the VM‑Series Firewall.

Architecture Overview

Deployment Model:

  • ZEDEDA orchestrates the VM‑Series firewall as a virtual machine on an edge node
  • Firewall enforces north–south and east–west traffic segmentation
  • ZEDEDA provides lifecycle management; PAN‑OS enforces security policy

The firewall acts as:

  • DHCP server for internal VLANs
  • Default gateway for OT/IT workloads
  • Enforcement point for segmentation and Zero Trust

Import and Clone the Firewall App

The Palo Alto Networks VM‑Series firewall is deployed directly from the ZEDEDA Global Marketplace. No manual QCOW2 image download or upload is required.

  1. Go to Marketplace > Edge Apps > Global Edge Apps to import the configuration to Local
  2. To clone:
    1. From Marketplace > Edge Apps > Local Edge Apps, click the app card.
    2. Click the ellipsis ().
    3. Click Clone.
    4. Modify any CPU, RAM, or network settings.

Assign Identity and Drives

Attribute Value
Name / Title pan-os_vm-series_virtual_firewall_11.2.5
Category Security
Deployment Type Standalone
VNC Connection Enable (recommended for initial bootstrap)
CPUs 2-4
Memory 8 GB
Storage 130 GB
VM Mode HVM
CPU Pinning Disabled
TPM Disabled
Drive Type The HDD drive is automatically attached, no mount path is required.

Assign Network Interfaces

From Interfaces:

  1. Check Configure Interfaces for this edge app.
  2. To assign eth0 as the management interface, select Virtual Network Interface

Confirm IP assignment under Environment after deployment.

Configure Network Access

This interface connects to the ZEDEDA default network instance (L3).

Outbound Rules:

Host/IP Protocol Port Action
0.0.0.0/0 ANY ANY Allow

Inbound Rules:

Edge Node Port App Port Protocol Action
7222 22 TCP / SSH Map
7443 443  TCP / HTTPS / GUI Map

Default Configurations

  • Leave Add Custom Config Template unchecked.
  • PAN-OS bootstrap or init-config is not required for this baseline deployment.
  • (Advanced bootstrap can be added later if needed.)

Developer Info

Populate support metadata. This is required for Marketplace hygiene but does not affect runtime behavior:

  • Name: ZEDEDA
  • Company: ZEDEDA
  • Email: support@zededa.com
  • Website: https://www.zededa.com
  • Agreement: Select applicable agreement

Deploy

Now you’re ready to deploy the firewall to your device.

  1. Go to Marketplace > Local Edge Apps > Your Firewall App.
  2. Click Deploy.
  3. Choose Project: your project, Edge Node: your onboarded device
  4. Verify resource allocation: 2-4 vCPU / 8 GB RAM.
  5. Click Deploy.

Initial PAN-OS Access

After the app is running:

  • Access the firewall UI via https://<edge-node-ip>:7443
  • Default credentials: admin / admin
  • Change the password immediately

From here, proceed with the following:

  • Interface configuration
  • VLAN sub-interfaces
  • DHCP, routing, NAT, and security policies

Conclusion

Deploying the Palo Alto Networks VM-Series firewall on ZEDEDA using the Global Marketplace provides a clean, repeatable, and enterprise-ready approach to securing edge environments. 

ZEDEDA handles the full lifecycle of the firewall VM, from deployment and upgrades to visibility and remote access. At the same time, PAN-OS delivers proven, industry-leading security controls for north–south and east–west traffic. This separation of concerns enables consistent, scalable security enforcement across distributed edge sites without sacrificing flexibility or control.

Together, ZEDEDA and Palo Alto Networks provide a robust foundation for Zero Trust at the edge, enabling standardized firewall deployments and scaling from a single site to hundreds of locations using the same proven pattern.

Was this article helpful?
0 out of 0 found this helpful