VM-Series Firewall Licensing
Compare legacy licensing, the VM-Series Enterprise License Agreement, and Software Next-Generation Firewall credits.
Palo Alto Networks currently supports two license types: Bring Your Own License (BYOL) and PAYG (Pay-As-You-Go, also called PayGo).
Software NGFW Credits—Available on all PAN-OS releases. PAN-OS 10.0.4 and later versions offer advanced features and more flexibility.
The flexible license cost is based on the number of vCPUs, the security services you have enabled, and whether you choose to provision Panorama to manage the firewall or act as a log collector.
See Software NGFW Credits for a detailed explanation.
Purchased from a public cloud marketplace (such as AWS, Azure, or GCP), or a Cloud Security Service Provider (CSSP).
Available on the PAN-OS version your provider supports.
VM-Series Model licenses—Available for use on all PAN-OS releases. PAN-OS 10.0.4 and later versions offer advanced features and more flexibility.
The capacity license cost is based on the VM-Series model, the device memory, storage costs, and the support entitlement. Security services and whether you choose to have Panorama manage the firewall are additional costs. The capacity licensing models are:
What is the difference between Software NGFW BYOL licensing and VM-Series Model licensing? They have different consumption models and they fund them differently. The following tables provide a quick comparison, and links to greater details.
Here is a quick overview of Software NGFW characteristics.
Software NGFW Credits
Available for all PAN-OS releases. Offers advanced and more flexible consumption options for PAN-OS 10.0.4 and later.
BYOL, purchased from Palo Alto Networks.
Default Credit Pools
When you purchase the VM-Series or CN-Series firewall, activating your credits creates a credit pool.
The most flexible BYOL offering, Software Next Generation Firewall credits let you consume Palo Alto Networks firewall-as-a-platform components: VM-Series, CN-Series, security services, virtual Panorama for Management or Dedicated Log Collection, and a support entitlement.
Cost is based on the number of vCPUs.
Reusable credits that allow you to consume firewall-as-a-platform components. When firewalls are activated, the credits are consumed. When firewalls are deactivated, the credits are released and returned to your credit pool for you to allocate for other firewalls or security services.
You create a deployment profile for a specific environment or use case (such as “AWS Deployment of VM-Series”, “Protect my NSX Environment”) and configure firewall vCPUs, security services, and virtual Panorama (optional). You can create any number of deployment profiles and customize them at any point in time. To create a deployment profile, you allocate credits from your credit pool.
You must have the Customer Support Portal role Credit Administrator to activate and manage Software NGFW credits.
Panorama can optionally be deployed for management, or as a dedicated log collector.
Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and other services as they become available.
You can choose any combination of security services in your Deployment Profile, and you can add or remove security services from your profile at any time.
Upgrade or Downgrade
If the VM-Series firewall has an internet connection, changes to your deployment profile are automatically applied.
If the firewall does not have an internet connection, you must manually stop the VM, upload the new deployment profile, and restart the VM.
You do not have to reboot the firewall in either case.
VM-Series Software NGFW Credits Licensing Checklist
See the following table to compare VM-Series Model capacity licensing with Software NGFW vCPU-based licensing.
Available for all PAN-OS releases.
BYOL—purchased from Palo Alto Networks or a supported public cloud marketplace.
PAYG—available on a supported public cloud marketplace.
The VM-Series model perpetual license (capacity only), or term-based capacity and security subscriptions. You must estimate your needs and design your configuration before your purchase. Cost is based on the VM-Series model, device memory, and storage.
The VM-Series Enterprise License Agreement (Multi-Model ELA) capacity license, support entitlement, and security bundles are allocated from a token pool.
You must have the Customer Support Portal role ELA Administrator.
Panorama can be deployed for Management.
Bundle 1: Threat Prevention and premium support entitlement.
Bundle 2: Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and premium support entitlement.
Upgrade or Downgrade
Requires a license change and a reboot.
VM-Series Model Licensing Checklist
Recommended For You
Recommended videos not found.