Team Leader - Nutanix Technology Champion - Nutanix NTC Storyteller

Julien DUMUR
Infrastructure in a Nutshell

This is one of the operations I recommend performing on an OVHcloud cluster immediately after delivery: replacing the pre-deployed gateway that will allow your cluster to connect to the internet.

In this article, we’ll see how to deploy a Palo Alto PA-VM and how to perform its basic configuration so that it’s ready to be connected to the OVHcloud RTvRack (which will be the subject of another article).

Prerequisites

Here is the list of prerequisites for deployment:

  • A Nutanix OVHcloud cluster deployed
  • The required subnets created on the cluster
  • A bounce VM (jump host) deployed on the cluster, with an interface in the management subnet
  • A Palo Alto account with access to image downloads

Retrieving the PA-VM Image

The first step is to retrieve the qcow2 image that we will use to deploy the PA-VM, from the Palo Alto support site: https://support.paloaltonetworks.com/Updates/SoftwareUpdates/64685971

NOTE: You must have a registered account with them with the correct access rights; there is no “Community” or “Free” version.

VM Deployment

After transferring the newly downloaded image to the cluster, we create a VM with the following characteristics:

For VM sizing, consult the documentation and adapt the values to your context: https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/license-the-vm-series-firewall/vm-series-models/vm-series-system-requirements

The disk to add is the one downloaded in qcow2 format from the Palo Alto website.

Also select the subnets that will be connected to your gateway. The first interface you add will always be the PA-VM’s management interface, so make sure you select the correct subnet, which ideally will be a subnet dedicated to management interfaces. Your bounce VM (jump host) must have an interface in this subnet to access the PA-VM’s web interface. Here, for example, is what I would recommend for configuring the interfaces:

  • Management (the first interface, on the dedicated management subnet)
  • ethernet1/1 (subnet 0 created by default on the cluster, for the WAN output)
  • ethernet1/2 (internal subnet 1, often the one corresponding to your Nutanix infrastructure)
  • ethernet1/3 (internal subnet 2)

Tip

Adding an interface to the virtual machine requires a reboot of the Palo Alto appliance before the interface is recognised. I therefore recommend adding 25 network interfaces when creating the virtual machine and assigning them to a “PARKING” subnet that is not deployed on the network. To configure a “new interface” later, you then only need to change the subnet of one of these interfaces on the Nutanix side.

It’s important to select “Legacy BIOS Mode” when creating the VM, otherwise it won’t boot!

Select “Use this VM as an Agent VM” so that it boots first.

Validate the settings; the virtual machine is now ready to be started.

Initializing the PA-VM

Start the VM and launch the console from the Nutanix interface. Wait while the operating system boots.

The first login is via the CLI with the following credentials:

  • Username: admin
  • Password: admin

The system will ask you to change the default password. Then switch to configuration mode:

configure

Next, configure the management IP in static mode:

set deviceconfig system type static

Configuring the management interface parameters:

set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>

At this point, the firewall can be accessed from the bounce VM’s web browser at: https://<Firewall-IP>

CAUTION: This only works if the bounce VM has a network interface in the same subnet as the Management interface.

Don’t forget to commit, either from the web interface or from the command line:

commit
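To make the management configuration above less error-prone, here is an added example (not from the original article, and not a Palo Alto tool) that builds the same PAN-OS configure-mode commands from the values you intend to use and refuses combinations that cannot work: a default gateway outside the management subnet, or a firewall or gateway address that is the network or broadcast address. It also checks the CAUTION above, that the bounce VM’s interface actually sits in the management subnet. The sample addresses at the bottom are constructed; the optional secondary DNS line is standard PAN-OS syntax but does not appear in the article.

```python
import ipaddress


def mgmt_config_commands(fw_ip, netmask, gateway, dns_primary, dns_secondary=None):
    """Return the PAN-OS configure-mode commands for a static management IP.

    Raises ValueError when the addresses cannot form a working configuration.
    """
    # ip_interface accepts a dotted-quad netmask, as typed on the PAN-OS CLI
    iface = ipaddress.ip_interface(f"{fw_ip}/{netmask}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)

    if gw not in net:
        raise ValueError(f"default gateway {gw} is not in management subnet {net}")
    if gw == iface.ip:
        raise ValueError("default gateway must differ from the firewall address")
    for label, addr in (("firewall", iface.ip), ("gateway", gw)):
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{label} address {addr} is the network or broadcast "
                             f"address of {net}")
    # validate DNS server syntax; reachability is only known after the commit
    ipaddress.ip_address(dns_primary)
    if dns_secondary is not None:
        ipaddress.ip_address(dns_secondary)

    cmds = [
        "configure",
        "set deviceconfig system type static",
        f"set deviceconfig system ip-address {iface.ip} netmask {net.netmask} "
        f"default-gateway {gw} dns-setting servers primary {dns_primary}",
    ]
    if dns_secondary is not None:
        # secondary DNS is standard PAN-OS syntax, not shown in the article
        cmds.append(f"set deviceconfig system dns-setting servers secondary {dns_secondary}")
    cmds.append("commit")
    return cmds


def bounce_can_reach_mgmt(bounce_ip, fw_ip, netmask):
    """True when the bounce VM's interface is in the firewall's management subnet.

    Until the commit succeeds and routing is in place, the web interface is only
    reachable from a host on the same subnet, as the CAUTION above states.
    """
    net = ipaddress.ip_interface(f"{fw_ip}/{netmask}").network
    return ipaddress.ip_address(bounce_ip) in net


if __name__ == "__main__":
    # constructed sample values; replace with your own management subnet
    for line in mgmt_config_commands("192.168.10.2", "255.255.255.0",
                                     "192.168.10.1", "1.1.1.1"):
        print(line)
    print("bounce VM in mgmt subnet:",
          bounce_can_reach_mgmt("192.168.10.50", "192.168.10.2", "255.255.255.0"))
```

Paste the printed lines into the PA-VM console in order; the last one is the commit the article reminds you not to forget.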

You can now continue the configuration on the web interface.

Basic PA-VM Configurations

Let’s start with the basic PA-VM configuration.

On the web interface, in “Device > Setup”, edit the “General Settings” widget to enter at least the Hostname and the Timezone:

Then go to the “Services” tab and edit the “Services” widget to add DNS servers and NTP servers:

All that’s left is to commit the changes; the basic configuration of the Palo Alto gateway is complete.

I want to point out that this is a basic configuration, and there are many other configuration points to complete to ensure a perfectly configured and secure gateway that allows your cluster to access the internet, including authentication, password complexity, VPN, firewall rules, and more.

In a future article, we’ll see how to connect your Palo Alto PA-VM gateway to the OVHcloud RTvRack to allow your cluster to access the internet.
