VM-Series Firewall Licensing
Learn about licensing for flexible vCPU and fixed model licenses.
This chapter compares the following license information:
Palo Alto Networks currently supports two license types: Bring Your Own License (BYOL) and PAYG (Pay-As-You-Go, also called PayGo).
Software NGFW Credits—Available on VM-Series firewalls running all PAN-OS releases. VM-Series firewalls running PAN-OS versions 10.0.4 and later offer advanced features and more flexibility. The flexible license cost is based on the number of vCPUs, the security services you have enabled, and whether you choose to provision Panorama to manage the firewall or act as a log collector.
See Software NGFW Credits for a detailed explanation.
VM-Series Model licenses—Available for use with all PAN-OS releases. The number of vCPUs is fixed according to your chosen VM-Series model.
Flexible vCPUs, available with PAN-OS 10.0.4 and later, support advanced features and more vCPUs.
The capacity license cost is based on the VM-Series model, the device memory, storage costs, and the support entitlement. Security services and a Panorama deployment to manage your firewalls are additional costs. The capacity license types are:
Purchased from a public cloud marketplace (such as AWS, Azure, or GCP), or a Cloud Security Service Provider (CSSP). Available on the PAN-OS version your provider supports.
On PAN-OS versions earlier than 9.1.1, PayGo supported only the VM-Series VM-300 model. For PAN-OS 9.1.1 and later PayGo can support fixed Models. The traditional VM models, such as VM-100, VM-300, VM-500, and VM-700 are supported.
Flexible vCPUs and Fixed Model Licensing
What is the difference between flexible vCPU Software NGFW licensing and fixed vCPU VM-Series Model licenses? They charge for different things, and they fund them differently. The following tables provide a quick comparison, and links to greater details.
VM-Series Model (Fixed vCPUs)
There is no cost for Panorama other than the vCPUs it consumes.
Cost is based on the number of vCPUs and your chosen Security services.
To use your credits, choose a credit profile and create one or more deployment profiles. Choose your own combination of firewall-as-a-platform components: VM-Series vCPUs, security services, virtual Panorama for Management or Dedicated Log Collection, and a support entitlement. All firewalls deployed with a profile are licensed with the same auth code, and you can manage them from the deployment profile.
You purchase reusable Software NGFW credits that expire at the end of a predetermined term. After activating your credits you can portion them into credit pools.
Cost is based on the VM-Series model capacity license, device memory, and storage. Panorama and Security services are separate purchases.
Requires an activation email. Activation and registration occur automatically.
Requires an activation email and a separate registration step after activation.
Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and other services as they become available.
When you create your deployment profile you can choose any combination of security services. You can add or remove security services from your profile at any time.
Bundle 1: Threat Prevention and premium support entitlement.
Bundle 2: Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and premium support entitlement.
Up to 32 flexible vCPUs and advanced service options for firewalls running 10.0.4 and later.
You can deploy a VM-Series model (fixed vCPUs) on any PAN-OS version.
Reusable credits that allow you to consume firewall-as-a-platform components.
After you purchase credits you must activate them, associating them to a particular account for your organization. Activated credits fund a credit pool from which you can create a deployment profile.
When firewalls are deployed, credits are consumed. When firewalls are deactivated, the credits are released and returned to your credit pool for further use.
Flexible. A deployment profile can be changed at any time. Changes to the profile propagate to all firewalls that share the deployment profile auth code.
VM-Series model capacity does not change, but if you have an ELA, you an can add Security services.
Perpetual and Term licenses are configured and paid for in advance and do not change.
After credit activation, create a deployment profile for a specific environment or use case (such as “Protect my NSX Environment”) and configure firewall vCPUs, security services, and an optional virtual Panorama. You can create any number of deployment profiles and customize them at any point in time.
You must have the Customer Support Portal role Credit Administrator (applies to account management only) to activate and manage Software NGFW credits.
Accept the VM-Series ELA. Deploy and configure the VM-Series firewall. Activate the model license and register the firewall.
When you create a deployment profile you can choose to add Panorama for management, or as a dedicated log collector for firewalls that use a deployment profile. This Panorama can manage firewalls deployed with the deployment profile’s shared auth code.
Panorama is a separate expense. A physical or virtual Panorama can be used to for firewall management or for log collection.
Upgrade or Downgrade
If the VM-Series firewall or Panorama has an internet connection, changes to your deployment profile are automatically applied to the firewall.
If the firewall does not have an internet connection, manually stop the firewall. In Assets > Software NGFW Credits change the deployment profile, then in the CSP, download the license keys, and transfer them to the VM, obtain the profile from the CSP, transfer it to the VM, restart the VM and apply the license.
You do not have to reboot the firewall in either case.
Change to a different model requires a license change and a reboot.
Flexible vCPUs and Fixed Model Deployment
The following checklists compare the deployment processes for Software NGFW credits and the VM-Series Model licensing methods.
Fixed vCPUs (VM-Series Model)