VM-Series Firewall Licensing

Learn about licensing for flexible vCPU and fixed model licenses.
This chapter compares the following license information:

License Types

Palo Alto Networks currently supports two license types: Bring Your Own License (BYOL) and PAYG (Pay-As-You-Go, also called PayGo).
Type
Description
BYOL
Software NGFW Credits—Available on VM-Series firewalls running all PAN-OS releases. VM-Series firewalls running PAN-OS versions 10.0.4 and later offer advanced features and more flexibility. The flexible license cost is based on the number of vCPUs, the security services you have enabled, and whether you choose to provision Panorama to manage the firewall or act as a log collector.
See Software NGFW Credits for a detailed explanation.
BYOL
VM-Series Model licenses—Available for use with all PAN-OS releases. The number of vCPUs is fixed according to your chosen VM-Series model.
Flexible vCPUs, available with PAN-OS 10.0.4 and later, support advanced features and more vCPUs.
The capacity license cost is based on the VM-Series model, the device memory, storage costs, and the support entitlement. Security services and a Panorama deployment to manage your firewalls are additional costs. The capacity license types are:
  • —A comprehensive one- or three-year licensing agreement for VM-Series firewalls. An individual license can include a model, security services, a support entitlement, and an optional device management license for Panorama.
    Multi-Model ELA features a token pool from which you allocate tokens to license VM-Series firewalls. (It is unique to the ELA, and is not the same as the Software NGFW Credits pool.)
  • Perpetual VM-Series model capacity license with a support entitlement and/or security services bundle 1 or bundle 2.
  • Term firewall capacity license with a support entitlement and your choice of security services.
PayGo
Purchased from a public cloud marketplace (such as AWS, Azure, or GCP), or a Cloud Security Service Provider (CSSP). Available on the PAN-OS version your provider supports.
On PAN-OS versions earlier than 9.1.1, PayGo supported only the VM-Series VM-300 model. For PAN-OS 9.1.1 and later PayGo can support fixed Models. The traditional VM models, such as VM-100, VM-300, VM-500, and VM-700 are supported.

Flexible vCPUs and Fixed Model Licensing

What is the difference between flexible vCPU Software NGFW licensing and fixed vCPU VM-Series Model licenses? They charge for different things, and they fund them differently. The following tables provide a quick comparison, and links to greater details.
 
Flexible vCPUs
VM-Series Model (Fixed vCPUs)
Description
Cost is based on the number of vCPUs and your chosen Security services.
There is no cost for Panorama other than the vCPUs it consumes.
You purchase reusable Software NGFW credits that expire at the end of a predetermined term. After activating your credits you can portion them into credit pools.
To use your credits, choose a credit profile and create one or more deployment profiles. Choose your own combination of firewall-as-a-platform components: VM-Series vCPUs, security services, virtual Panorama for Management or Dedicated Log Collection, and a support entitlement. All firewalls deployed with a profile are licensed with the same auth code, and you can manage them from the deployment profile.
Cost is based on the VM-Series model capacity license, device memory, and storage. Panorama and Security services are separate purchases.
  • VM-Series Enterprise License Agreement (Multi-Model ELA)—A comprehensive one- or three-year licensing agreement for VM-Series firewalls.
    Multi-Model ELA features a token pool from which you allocate tokens to license VM-Series firewalls.
  • Perpetual VM-Series model capacity license with a support entitlement and/or security services bundle 1 or bundle 2.
  • Term firewall capacity license with a support entitlement and your choice of security services.
Activation
Requires an activation email. Activation and registration occur automatically.
Requires an activation email and a separate registration step after activation.
Security services
Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and other services as they become available.
When you create your deployment profile you can choose any combination of security services. You can add or remove security services from your profile at any time.
Bundle 1
: Threat Prevention and premium support entitlement.
Bundle 2
: Threat Prevention, DNS Security, GlobalProtect, WildFire, URL Filtering, SD-WAN, DLP, and premium support entitlement.
PAN-OS version
Up to 64 flexible vCPUs and advanced service options for firewalls running 10.0.4 and later.
You can deploy a VM-Series model (fixed vCPUs) on any PAN-OS version.
Funding
Reusable credits that allow you to consume firewall-as-a-platform components.
After you purchase credits you must activate them, associating them to a particular account for your organization. Activated credits fund a credit pool from which you can create a deployment profile.
When firewalls are deployed, credits are consumed. When firewalls are deactivated, the credits are released and returned to your credit pool for further use.
  • Multi-Model ELA: tokens.
  • Perpetual VM-Series model capacity license with a support entitlement and/or security services bundle 1 or bundle 2. You determine the configuration at time of purchase. You cannot change the configuration unless you purchase a new license.
  • Term firewall capacity license with a support entitlement and your choice of security services.
Deployment Configuration
Flexible. A deployment profile can be changed at any time. Changes to the profile propagate to all firewalls that share the deployment profile auth code.
VM-Series model capacity does not change, but if you have an ELA, you an can add Security services.
Perpetual and Term licenses are configured and paid for in advance and do not change.
Deployment
After credit activation, create a deployment profile for a specific environment or use case (such as “Protect my NSX Environment”) and configure firewall vCPUs, security services, and an optional virtual Panorama. You can create any number of deployment profiles and customize them at any point in time.
You must have the Customer Support Portal role Credit Administrator (applies to account management only) to activate and manage Software NGFW credits.
Accept the VM-Series ELA. Deploy and configure the VM-Series firewall. Activate the model license and register the firewall.
Panorama
When you create a deployment profile you can choose to add Panorama for management, or as a dedicated log collector for firewalls that use a deployment profile. This Panorama can manage firewalls deployed with the deployment profile’s shared auth code.
Panorama is a separate expense. A physical or virtual Panorama can be used to for firewall management or for log collection.
Upgrade or Downgrade
If the VM-Series firewall or Panorama has an internet connection, changes to your deployment profile are automatically applied to the firewall.
If the firewall does not have an internet connection, manually stop the firewall. In Assets > Software NGFW Credits change the deployment profile, then in the CSP, download the license keys, and transfer them to the VM, obtain the profile from the CSP, transfer it to the VM, restart the VM and apply the license.
You do not have to reboot the firewall in either case.
Change to a different model requires a license change and a reboot.

Flexible vCPUs and Fixed Model Deployment

The following checklists compare the deployment processes for Software NGFW credits and the VM-Series Model licensing methods.
Flexible vCPUs
Fixed vCPUs (VM-Series Model)
  1. Your organization can have many accounts to represent different cost centers. During registration you associate your credit purchase with an account.
  2. Install a Device Certificate on the VM-Series Firewall (for site licenses such as Cortex Data Lake and Auto Focus).

Recommended For You