: Software NGFW Credits
Focus
Focus

Software NGFW Credits

Table of Contents

Software NGFW Credits

Learn about Software NGFW credits, and the licenses they fund.
Software NGFW credits can be used to fund Software NGFWs (VM-Series and CN-Series), Cloud-Delivered Security Services (CDSS), or virtual Panorama appliances in networks with or without internet access (air-gapped networks, for example).
You create a deployment profile to configure one or more firewalls based on PAN-OS version, the number of vCPUs per firewall, the total number of firewalls supported by the deployment profile, Panorama management or log collection, and security services. All the VMs created with a deployment profile share the same authcode.
  • Fixed vCPUs—Compatible with all PAN-OS versions. Based on VM-Series Models and security service bundles. Changing the model or service options requires a new license.
  • Flexible vCPUs— Select a flexible number of vCPUs, and a flexible selection of security services. You can modify the deployment profile to add or decrease the number of vCPUs, add new services as they become available, or remove services. The maximum number of vCPUs for a deployment profile is 64.
Software NGFW credits are term-based. Terms can be defined for any amount of time between 1 and 5 years. Both allocated and unallocated credits expire at the end of the agreed upon term. You can purchase additional credits for a credit pool but the expiration date must be the same as the target pool. Use Software NGFW Credit Estimator to calculate and get credits for your deployment profile.
If you have an internet connection to the license server and you stop using a firewall, a security service, or Panorama deployment, the credits allocated to that resource are refunded to the credit pool and can be reallocated to a new resource.
If you do not have an internet connection and cannot connect to the Palo Alto Networks update server (for example, you are in an air-gapped network) you can manage the VM-Series firewall locally from its user interface, or from Panorama. Your administrator must then log in to the Customer Support Portal to return the license token so the funds can be reused.
Use the
Supported Hypervisor
table below and the
Total vCPUs on Dataplane
tables that follow to ensure that you allocate the necessary hardware resources for your chosen number of vCPUs.
Tier
Memory
Tier 1
4.5 GB, 5 GB, 5 GB, 5.5 GB, 6 GB, 6.5 GB, 7 GB, 8 GB
Tier 2
9 GB, 10 GB, 12 GB, 14 GB, 16 GB, 18 GB
Tier 3
20 GB, 24, GB, 28 GB, 32 GB, 36 GB, 40 GB, 44 GB, 48 GB, 52 GB, 56 GB, 60 GB, 64 GB
Tier 4
128 GB
Memory Profile
Supported Hypervisors
Minimum Hard Drive
Tier 1
(4.5GB, 5 GB, 5.5GB, 6GB memory)
ESXi, Hyper-V, KVM
  • With 4.5 GB Mem: 32GB (60GB at boot)
  • 60GB
Tier 1
AWS, Azure, ESXi, Google Cloud Platform, Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, Cisco ENCS, NSX-T
60GB
Tier 2
AWS, Azure, ESXi, Google Cloud Platform, Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, Cisco ENCS, NSX-T
60GB
Tier 3
AWS, Azure, ESXi, Google Cloud Platform, Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, NSX-T
60GB
Tier 4
AWS, Azure, ESXi, Google Cloud Platform, Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, NSX-T
60GB
For all memory profiles listed above, the minimum vCPUs is 2.
Tier 1 withrequires minimum 32GB of hard drive space. However, because the VM-Series base image is common for all vCPU combinations, you must allocate 60GB of hard drive space until you license a VM-Series firewall with 4.5GB memory.
To achieve the best performance, all of the required cores should be available on a single CPU socket.
By default, management plane and dataplane vCPUs are assigned on one to three ratio, unless you assign four or fewer vCPUs. Additionally, the maximum dataplane vCPUs is tied to the allocated memory, as described in the tables below. For example, if you assign 16 vCPUs to a VM-Series firewall, four vCPUs are allocated to the management plane and 12 are allocated to the dataplane. If you 20 vCPUs and 20GB of memory to a VM-Series firewall, 12 vCPUs are allocated to the dataplane and the remaining are assigned to the management plane.
Alternatively, you can use the VM-Series firewall CLI to Customize Dataplane Cores. This allows you to specify the number of vCPUs are assigned to the dataplane on your VM-Series firewall.
The maximum number of total cores (management plane and dataplane) is 64, regardless of memory profile.
Tier 1
4.5 GB
5 GB
5.5 GB
6 GB
6.5 GB
7 GB
8 GB
Default Dataplane vCPUs
1
1
1
1
2
2
2
Tier 2
9 GB
10 GB
12 GB
14 GB
16 GB
18 GB
20 GB
Default Dataplane vCPUs
4
4
4
4
12
12
12
Tier 3
20 GB
24 GB
28 GB
32 GB
36 GB
40 GB
44 GB
48 GB
52 GB
56 GB
64 GB
Default Dataplane vCPUs
12
12
12
12
12
12
12
12
12
24
47
Tier 4
121 - 128 GB
Default Dataplane vCPUs
47
Continue to Software NGFW tasks:

Recommended For You