VM-Series Firewall Licensing

Compare legacy licensing, the VM-Series Enterprise License Agreement, and Software Next-Generation Firewall credits.
Palo Alto Networks currently supports two license types: Bring Your Own License (BYOL) and PAYG (Pay-As-You-Go, also called PayGo).
BYOL
PAYG
Software NGFW Credits—Available on all PAN-OS releases. PAN-OS 10.0.4 and later versions offer advanced features and more flexibility.
The flexible license cost is based on the number of vCPUs, the security services you have enabled, and whether you choose to provision Panorama to manage the firewall or act as a log collector.
See Software NGFW Credits for a detailed explanation.
Purchased from a public cloud marketplace (such as AWS, Azure, or GCP), or a Cloud Security Service Provider (CSSP).
Available on the PAN-OS version your provider supports.
VM-Series Model licenses—Available for use on all PAN-OS releases. PAN-OS 10.0.4 and later versions offer advanced features and more flexibility.
The capacity license cost is based on the VM-Series model, the device memory, storage costs, and the support entitlement. Security services and whether you choose to have Panorama manage the firewall are additional costs. The capacity licensing models are:
  • Term firewall capacity license with a support entitlement and your choice of security services.
  • Perpetual VM-Series model capacity license with a support entitlement and/or security services bundle 1 or bundle 2.
  • VM-Series Enterprise License Agreement (Multi-Model ELA)—A comprehensive one- or three-year licensing agreement for VM-Series firewalls. An individual license can include a model, security services, a support entitlement, and an optional device management license for Panorama.
    VM-Series ELA features a token pool from which you allocate tokens to license VM-Series firewalls. (It is unique to the ELA, and is not the same as the Software NGFW Credits pool.)
What is the difference between Software NGFW BYOL licensing and VM-Series Model licensing? They have different consumption models and they fund them differently. The following tables provide a quick comparison, and links to greater details.
Here is a quick overview of Software NGFW characteristics.
Software NGFW Credits
 
PAN-OS version
Available for all PAN-OS releases. Offers advanced and more flexible consumption options for PAN-OS 10.0.4 and later.
License type
BYOL, purchased from Palo Alto Networks.
Default Credit Pools
When you purchase the VM-Series or CN-Series firewall, activating your credits creates a credit pool.
Description
The most flexible BYOL offering, Software Next Generation Firewall credits let you consume Palo Alto Networks firewall-as-a-platform components: VM-Series, CN-Series, security services, virtual Panorama for Management or Dedicated Log Collection, and a support entitlement.
Cost is based on the number of vCPUs.
Credits
Reusable credits that allow you to consume firewall-as-a-platform components. When firewalls are activated, the credits are consumed. When firewalls are deactivated, the credits are released and returned to your credit pool for you to allocate for other firewalls or security services.
Deployment
You create a deployment profile for a specific environment or use case (such as “AWS Deployment of VM-Series”, “Protect my NSX Environment”) and configure firewall vCPUs, security services, and virtual Panorama (optional). You can create any number of deployment profiles and customize them at any point in time. To create a deployment profile, you allocate credits from your credit pool.
You must have the Customer Support Portal role Credit Administrator to activate and manage Software NGFW credits.
Panorama
Panorama can optionally be deployed for management, or as a dedicated log collector.
Security services
Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and other services as they become available.
You can choose any combination of security services in your Deployment Profile, and you can add or remove security services from your profile at any time.
Upgrade or Downgrade
If the VM-Series firewall has an internet connection, changes to your deployment profile are automatically applied.
If the firewall does not have an internet connection, you must manually stop the VM, upload the new deployment profile, and restart the VM.
You do not have to reboot the firewall in either case.
VM-Series Software NGFW Credits Licensing Checklist
  1. Install a Device Certificate on the VM-Series Firewall (for site licenses such as Cortex Data Lake and Auto Focus.)
See the following table to compare VM-Series Model capacity licensing with Software NGFW vCPU-based licensing.
VM-Series Model
 
PAN-OS version
Available for all PAN-OS releases.
License type
BYOL—purchased from Palo Alto Networks or a supported public cloud marketplace.
PAYG—available on a supported public cloud marketplace.
Description
The VM-Series model perpetual license (capacity only), or term-based capacity and security subscriptions. You must estimate your needs and design your configuration before your purchase. Cost is based on the VM-Series model, device memory, and storage.
Deployment
The VM-Series Enterprise License Agreement (Multi-Model ELA) capacity license, support entitlement, and security bundles are allocated from a token pool.
You must have the Customer Support Portal role ELA Administrator.
Panorama
Panorama can be deployed for Management.
Security services
Bundle 1: Threat Prevention and premium support entitlement.
Bundle 2: Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and premium support entitlement.
Upgrade or Downgrade
Requires a license change and a reboot.
VM-Series Model Licensing Checklist
  1. Install a Device Certificate on the VM-Series Firewall (for site licenses such as Cortex Data Lake and Auto Focus.)

Recommended For You