VM-Series Firewall Licenses for Public Clouds
Learn about BYOL and PAYG licenses for public cloud marketplaces.
The VM-Series firewall licensing strategy is the same for AWS, Azure, and Google Cloud Platform. There are different license types (see License Types—VM-Series Firewalls) and two licensing methods, Bring Your Own License and Pay-as-you-go:
- Bring Your Own License (BYOL)—A license that is purchased from a partner, reseller, or directly from Palo Alto Networks. BYOL supports individual capacity licenses, support licenses, and subscription bundles.
  - For individual BYOL licenses, you must apply the auth code after you deploy the VM-Series firewall.
  - A BYOL license bundle has a single auth code you can include in the bootstrap package (see Bootstrap the VM-Series Firewall). All the subscriptions included in the bundle are licensed when the firewall launches.

  A BYOL license for the VM-Series firewall on OCI GovCloud requires PAN-OS 10.1.2 or later for FIPS and non-FIPS modes.
- Pay-as-you-go (PAYG)—Also called usage-based or pay-per-use licensing. PAYG licenses can be purchased from your cloud provider:
  - AWS: Purchase from AWS Marketplace. Supports hourly and annual PAYG options.
  - Azure: Purchase from Azure Marketplace. Supports the hourly PAYG option.
  - Google Cloud Platform: Purchase from Google Cloud Platform Marketplace. Supports the per-minute PAYG option.
  - Oracle Cloud Infrastructure: (PAN-OS 10.0.3 or later) Purchase from Oracle Cloud Marketplace. The VM-Series on OCI PAYG license does not support the VM-100.

  With the PAYG license bundles, the firewall is prelicensed and ready for use as soon as you deploy it; you do not receive an auth code. When you stop or terminate the firewall from your cloud console, PAYG licenses are suspended or terminated.

  A PAYG license applies a VM-Series capacity license based on the hardware allocated to the instance. The PAYG instance checks the amount of hardware resources available to the instance and applies the largest VM-Series firewall capacity license allowed for the resources available. For example, if the instance has 2 vCPUs and 16GB of memory, a VM-100 capacity license is applied based on the number of vCPUs. However, if the instance has 16 vCPUs and 16GB of memory, a VM-500 license is applied based on the amount of memory. For more information about VM-Series model resource requirements, see VM-Series System Requirements.

  Downgrading PAN-OS is not supported on a PAYG firewall instance that was initially deployed running PAN-OS 9.1.2. Firewall instances deployed prior to PAN-OS 9.1.2 can be downgraded to older versions of PAN-OS.

  The PAYG licenses are bundled as follows:

  | License Features | Bundle 1 | Bundle 2 |
  | --- | --- | --- |
  | VM-Series firewall capacity license | VM-100, VM-300, VM-500, VM-700 | VM-100, VM-300, VM-500, VM-700 |
  | Premium Support | | |
  | Threat Prevention (AV, IPS, and malware prevention) | | |
  | GlobalProtect | | |
  | PAN-DB URL Filtering | | |
  | WildFire | | |
  | DNS Security | | |
When using the VM-Series firewall CLI to view your applied PAYG license, the command show system info displays a different value from the output displayed for the command request license info. For PAN-OS versions 9.1.1 and earlier, the command request license info always displays the model as VM-300, regardless of the VM-Series model that has been applied.

You cannot switch between the PAYG and the BYOL licenses. To move from PAYG to BYOL, contact your Palo Alto Networks channel partner or sales representative to purchase a BYOL license and get a BYOL auth code that you can use to license your firewall. If you have deployed your firewall and want to switch the license, see Switch Between the BYOL and the PAYG Licenses.
If you have an evaluation copy of the VM-Series firewall and would like to convert it to a fully licensed (purchased) copy for the same license type (BYOL to BYOL), you can deactivate the evaluation license and activate the purchased license in its place. See Upgrade the VM-Series Firewall for instructions.