: VM-Series Firewall Licenses for Public Clouds
Focus
Focus

VM-Series Firewall Licenses for Public Clouds

Table of Contents

VM-Series Firewall Licenses for Public Clouds

Learn about BYOL and PAYG licenses for public cloud marketplaces.
The VM-Series firewall licensing strategy is the same for AWS, Azure, and Google Cloud Platform. There are different license types (see License Types—VM-Series Firewalls), and Bring Your Own License and Pay-as-you-go licensing methods:
  • Bring Your Own License (BYOL)—A license that is purchased from a partner, reseller, or directly from Palo Alto Networks. BYOL supports individual capacity licenses, support licenses, and subscription bundles.
    • For individual BYOL licenses, you must apply the auth code after you deploy the VM-Series firewall.
    • A BYOL license bundle has a single auth code you can include in the bootstrap package (see Bootstrap the VM-Series Firewall). All the subscriptions included in the bundle are licensed when the firewall launches.
    A BYOL license for the VM-Series firewall on OCI GovCloud requires PAN-OS 10.1.2 or later for FIPS and non-FIPS modes.
  • Pay-as-you-go (PAYG)—Also called usage-based or pay-per-use licensing. PAYG licenses can be purchased from your Cloud provider:
    With the PAYG license bundles, the firewall is prelicensed and ready for use as soon as you deploy it; you do not receive an auth code. When you stop or terminate the firewall from your Cloud console, PAYG licenses are suspended or terminated.
    A PAYG license applies a VM-Series capacity license based on the hardware allocated to the instance. the PAYG instance checks the amount of hardware resources available to the instance and applies the largest VM-Series firewall capacity license allowed for the resources available. For example, if the instance has 2 vCPUs and 16GB of memory, a VM-100 capacity license is applied based on the number of vCPUs. However, if the instance has 16 vCPUs and 16GB of memory, a VM-500 license is applied based on the amount of memory. For more information about VM-Series model resource requirements, see VM-Series System Requirements.
    Downgrading PAN-OS is not supported on a PAYG firewall instance that was initially deployed running PAN-OS 9.1.2. Firewall instances deployed prior to PAN-OS 9.1.2 can be downgraded to older versions of PAN-OS.
    The PAYG licenses are bundled as follows:
    License FeaturesBundle 1Bundle 2Bundle 3
    VM-Series firewall capacity licenseVM-100, VM-300, VM-500, VM-700VM-100, VM-300, VM-500, VM-700VM-100, VM-300, VM-500, VM-700
    Premium Support
    Threat Prevention (AV, IPS, and malware prevention)
    GlobalProtect
    PAN-DB URL Filtering
    WildFire
    DNS Security
    Advanced URL Filtering
    Advanced Threat Prevention
When using the VM-Series firewall CLI to view your applied PAYG license, the command show system info displays a different value from the output displayed for the command request license info. For PAN-OS versions 9.1.1 and earlier the command request license info always displays the model as VM-300, regardless of the VM-Series model that has been applied.
You cannot switch between the PAYG and the BYOL licenses. To move from PAYG to BYOL, contact your Palo Alto Networks channel partner or sales representative to purchase a BYOL license and get a BYOL auth code that you can use to license your firewall. If you have deployed your firewall and want to switch the license, see Switch Between the BYOL and the PAYG Licenses.
If you have an evaluation copy of the VM-Series firewall and would like to convert it to a fully licensed (purchased) copy for the same license type (BYOL to BYOL), you can deactivate the evaluation license and activate the purchased license in its place. See Upgrade the VM-Series Firewall for instructions.