
Palo Alto Networks VM-50
Virtualized Next-Generation Firewall


Overview:

The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances, allowing you to safely enable applications flowing into and across your private, public and hybrid cloud computing environments.

Automation features such as VM monitoring, dynamic address groups and a REST-based API allow you to proactively monitor VM changes, dynamically feeding that context into security policies and thereby eliminating the policy lag that may occur when your VMs change.

The VM-Series Virtualized Next-Generation Firewall

Protect applications and data deployed across a wide range of public cloud, virtualization, and NFV environments.

  • Identify and control applications, grant access based on users, and prevent known and unknown threats.
  • Segment mission-critical applications and data using Zero Trust principles to improve security posture and achieve compliance.
  • Centrally manage policies across both physical and virtualized firewalls to ensure consistent security posture.
  • Streamline workflow automation to ensure that security keeps pace with the rate of change in your cloud.

The VM-Series: Protect Any Cloud

Organizations are quickly adopting multi-cloud architectures as a means of distributing risk and taking advantage of the core competencies of different cloud vendors. To ensure your applications and data are protected across public cloud, virtualized data centers, and NFV deployments, the VM-Series has been designed to deliver up to 16 Gbps of App-ID-enabled firewall performance across five models:

  • VM-50/VM-50 Lite — engineered to consume minimal resources and support CPU oversubscription yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch office/customer-premises equipment to high-density, multi-tenant environments.
  • VM-100 and VM-300 — optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled performance, respectively, for hybrid cloud, segmentation, and internet gateway use cases.
  • VM-500 and VM-700 — able to deliver an industry-leading 8 Gbps to 16 Gbps of App-ID-enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments.

VM-Series Models

To make sure that you purchase the correct model for your network requirements, use the following table to understand the maximum capacity for each model and the capacity differences by model:

| Model | Sessions | Security Rules | Dynamic IP Addresses | Security Zones | IPSec VPN Tunnels | SSL VPN Tunnels |
| --- | --- | --- | --- | --- | --- | --- |
| VM-50 | 50,000 | 250 | 1,000 | 15 | 250 | 250 |
| VM-100 / VM-200 | 250,000 | 1,500 | 2,500 | 40 | 1,000 | 500 |
| VM-300 / VM-1000-HV | 800,000 | 10,000 | 100,000 | 40 | 2,000 | 2,000 |
| VM-500 | 2,000,000 | 10,000 | 100,000 | 200 | 4,000 | 6,000 |
| VM-700 | 10,000,000 | 20,000 | 100,000 | 200 | 8,000 | 12,000 |

VM-Series System Requirements

| VM-Series Model | Supported Hypervisors | Supported vCPUs | Minimum Memory | Minimum Hard Drive |
| --- | --- | --- | --- | --- |
| VM-50 | ESXi, KVM, HyperV | 2 | 4.5GB | 32GB (60GB at boot) |
| VM-100 / VM-200 | ESXi, KVM, HyperV, AWS, Azure, NSX, SDX | 2 | 6.5GB | 60GB |
| VM-300 / VM-1000-HV | ESXi, KVM, HyperV, AWS, Azure, NSX, SDX | 2, 4 | 9GB | 60GB |
| VM-500 | ESXi, KVM, HyperV, AWS, Azure, NSX | 2, 4, 8 | 16GB | 60GB |
| VM-700 | ESXi, KVM, HyperV, AWS, Azure | 2, 4, 8, 16 | 56GB | 60GB |

Key VM-Series Features and Capabilities:

The VM-Series protects your applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level. Automation features and centralized management allow you to embed security into your application development process, ensuring security can keep pace with the speed of the cloud.

  • Application visibility for informed security decisions:
    The VM-Series provides application visibility across all ports, meaning you have far more relevant information about your cloud environment to help you make rapid, informed policy decisions.

  • Segment/Whitelist applications for security and compliance:
    Today's cyberthreats commonly compromise an individual workstation or user, and then move laterally across your network, placing your mission-critical applications and data at risk wherever they are. Using segmentation and whitelisting policies allows you to control applications communicating across different subnets to block lateral threat movement and achieve regulatory compliance.

  • Prevent advanced attacks within allowed application flows:
    Attacks, much like many applications, can use any port, rendering traditional prevention mechanisms ineffective. The VM-Series allows you to use Palo Alto Networks Threat Prevention, DNS Security, and WildFire® malware prevention service to apply application-specific policies that block exploits, malware, and previously unknown threats from infecting your cloud.

  • Control application access with user-based policies:
    Integration with a wide range of user repositories, such as Microsoft Exchange, Active Directory®, and LDAP, complements application whitelisting with user identity as an added policy element that controls access to applications and data. When deployed in conjunction with Palo Alto Networks GlobalProtect™ network security for endpoints, the VM-Series enables you to extend your corporate security policies to mobile devices and users, regardless of their locations.

  • Policy consistency through centralized management:
    Panorama™ network security management enables you to manage your VM-Series firewalls across multiple cloud deployments, along with your physical security appliances, ensuring policy consistency and cohesion. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users, and content.

  • Container protection for managed Kubernetes environments:
    The VM-Series protects containers running in Google Kubernetes® Engine and Azure® Kubernetes Service with the same visibility and threat prevention capabilities that can protect business-critical workloads on GCP® and Microsoft Azure. Container visibility empowers security operations teams to make informed security decisions and respond more quickly to potential incidents. Threat Prevention, WildFire, and URL Filtering policies can be used to protect Kubernetes clusters from known and unknown threats. Panorama enables you to automate policy updates as Kubernetes services are added or removed, ensuring security keeps pace with your ever-changing managed Kubernetes environments.

  • Automated security deployment and policy updates:
    The VM-Series includes several management features that enable you to integrate security into your application development workflows.
    • Use bootstrapping to automatically provision a VM-Series firewall with a working configuration, complete with licenses, subscriptions, and connectivity to Panorama for centralized management.
    • Automate policy updates as workloads change, using a fully documented API and Dynamic Address Groups to allow the VM-Series to consume external data in the form of tags that can drive policy updates dynamically.
    • Use native cloud provider templates and services along with third-party tools, such as Terraform® and Ansible®, to fully automate VM-Series deployments and security policy updates.

  • Cloud-native scalability and availability:
    In virtualization or cloud environments, scalability and availability requirements can be addressed using a traditional two-device approach or a cloud-native approach. In public cloud environments, we recommend using cloud services, such as application gateways, load balancers, and automation, to address scalability and availability.

Palo Alto Networks VM-Series virtualized next-generation firewalls protect your Azure workloads with next-generation security features that allow you to confidently and quickly migrate your business-critical applications to the cloud. ARM templates and third-party automation tools allow you to embed the VM-Series into your application development lifecycle to prevent data loss and business disruption.

VM-Series on Microsoft Azure

The VM-Series allows you to embrace a prevention-based approach to protecting your applications and data on Azure. Automation and centralized management features enable you to embed next-generation security in your Azure application workflow so security can keep pace with development.

  • Complete visibility improves security decisions. Understanding the applications in use on your network, including those that may be encrypted, helps you make informed security policy decisions.
  • Segmentation and application whitelisting aid data security and compliance. Using application whitelisting to enforce a positive security model reduces your attack surface by allowing specific applications that align to your business needs (e.g., allow SharePoint® documents for all, but limit SharePoint administration access to the IT group). Whitelisting policies also allow you to segment applications that communicate across subnets and between virtual networks (VNETs) to stop lateral threat movement and meet compliance requirements.
  • User-based policies improve security posture. Integration with on-premises user repositories, such as Microsoft Exchange, Active Directory®, and LDAP, lets you grant access to critical applications and data based on user credentials and need. For example, your developer group can have full access to the developer VNET while only IT administrators have RDP/SSH access to the production VNET. When deployed in conjunction with Palo Alto Networks GlobalProtect™ network security for endpoints, the VM-Series on Azure can extend your corporate security policies to mobile devices and users regardless of their location.
  • Applications and data are protected from known and unknown threats. Attacks, like many applications, can use any port, rendering traditional prevention mechanisms ineffective. Enabling Threat Prevention, DNS Security, and WildFire® malware prevention service as segmentation policy elements will protect you against exploits, malware, and previously unknown threats from both inbound and lateral movement perspectives.
  • Multiple defenses block data exfiltration and unauthorised file transfers. Data exfiltration can be prevented using a combination of application enablement, Threat Prevention, and DNS Security features. File transfers can be controlled by looking inside files, not only at their file extensions, to determine whether transfer actions should be allowed. Command and control, associated data theft, and executable files found in drive-by downloads or secondary payloads can also be blocked. Data filtering features can detect and control the flow of confidential data patterns, such as credit card and Social Security numbers, in addition to custom patterns.

Performance and Capacities

Many factors, such as the Azure virtual machine size, maximum packets per second supported, and number of cores used, can affect VM-Series performance. In addition to those noted, the performance and capacities listed in the following table have been generated under controlled lab conditions, using the recommended Azure virtual machine size, and configured with Azure Accelerated Networking using SR-IOV under the following test conditions:

  • Firewall throughput and IPsec VPN are measured with App-ID™ and User-ID™ technology features enabled, utilizing 64 KB HTTP transactions.
  • Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64K HTTP transactions.
  • IPsec VPN performance is tested between two VM-Series in the same region. Performance will depend on Azure VM size and network topology, that is, whether connecting on-premises hardware to VM-Series on Azure; from VM-Series on an Azure VNET to an Azure VPN Gateway in another VNET; or VM-Series to VM-Series between regions.
  • New sessions per second is measured with 1 byte HTTP transactions.

| Model | VM-50/VM-50 Lite [1] | VM-100/VM-200 | VM-300/VM-1000-HV | VM-500 | VM-700 |
| --- | --- | --- | --- | --- | --- |
| Azure instance size tested (recommended) | N/A | DS3_v2 | DS3s_v2 | DS4_v2 | DS5_v2 |
| Firewall throughput (App-ID enabled) | N/A | 750 Mbps | 1 Gbps | 2.5 Gbps | 2.5 Gbps |
| Threat Prevention throughput | N/A | 500 Mbps | 750 Mbps | 2.25 Gbps | 2.25 Gbps |
| IPsec VPN throughput | N/A | 400 Mbps | 500 Mbps | 1 Gbps | 1.25 Gbps |
| Azure instance size tested (maximum) | N/A | DS5_v2 | DS5_v2 | DS5_v2 | DS5_v2 |
| Firewall throughput (App-ID enabled) | N/A | 1 Gbps | 1.5 Gbps | 1.5 Gbps | 2.5 Gbps |
| Threat Prevention throughput | N/A | 750 Mbps | 1.25 Gbps | 1.25 Gbps | 2.25 Gbps |
| IPsec VPN throughput | N/A | 500 Mbps | 750 Mbps | 1 Gbps | 1.25 Gbps |
| All instance sizes supported | VM-50/VM-50 Lite [1] | VM-100/VM-200 | VM-300/VM-1000-HV | VM-500 | VM-700 |
| New sessions per second | N/A | 9K | 9K | 20K | 40K |
| Max sessions | N/A | 250K | 800K | 2M | 10M |
| System Requirements | | | | | |
| Cores supported (min/max) | N/A | 0.4/2 | 2/4 | 2/8 | 2/16 |
| Memory (min) | N/A | 6.5 GB | 9 GB | 16 GB | 56 GB |
| Azure Managed Disk capacity (min) | N/A | 32 GB | 60 GB | 60 GB | 60 GB |
| Azure VM sizes supported [2] (only standard Azure VM sizes supported) | N/A | DS3_v2, DS5_v2 | DS3s_v3, DS5_v2 | DS4_v2, DS5_v2 | DS5_v2 |
| Licensing options | N/A | BYOL or VM-Series ELA | BYOL, VM-Series ELA, or Marketplace | BYOL or VM-Series ELA | BYOL or VM-Series ELA |

  1. The VM-50 and VM-50 Lite are not supported on Azure
  2. Refers to recommended VM size based on CPU cores, memory, and Azure prices

VM-Series on Linux KVM

Kernel-based Virtual Machine (KVM) is a leading open source hypervisor that service providers and enterprises alike use to build and deploy cloud computing environments. Linux KVM, in conjunction with OpenStack®, represents a complete open source software-based offering that combines the cost reduction of cloud computing with the benefits of open source.

The VM-Series on KVM enables you to protect your data residing in OpenStack- and KVM-based virtualized environments from cyberthreats. Panorama™ network security management, combined with native automation features, allows you to streamline policy management in a way that minimizes the policy lag time that may occur as virtual machines are added, moved, or removed.

Virtualized Next-Generation Security at High Performance and Scale

VM-Series virtualized next-generation firewalls are optimized to deliver App-ID™ technology-enabled throughput at industry-leading rates ranging from 200 Mbps to 16 Gbps across five models, which include:

  • VM-50: engineered to consume minimal resources and support CPU oversubscription yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch offices and customer-premise equipment to high-density, multi-tenant environments.
  • VM-100 and VM-300: optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled throughput, respectively, for hybrid cloud, segmentation, and internet gateway use cases.
  • VM-500 and VM-700: able to deliver 8 Gbps to 16 Gbps of App-ID-enabled firewall throughput, respectively, and deployable as NFV security components in fully virtualized data center and service provider environments.

The Data Plane Development Kit, managed by The Linux Foundation, has been integrated into the VM-Series on KVM for enhanced packet processing performance on x86 infrastructure. Network I/O options, such as PCI passthrough and single-root I/O virtualization (SR-IOV), are supported for enhanced performance.

Performance and Capacities Summary

In virtualized and cloud environments, many factors, such as type of CPU, hypervisor version, number of cores assigned, memory, and network I/O options, can impact your performance. Additional testing within your environment is recommended to ensure your performance and capacity requirements are met.

| Performance and Capacities | VM-50 (0.4 Core) | VM-100/VM-200 (2 Cores) | VM-300/VM-1000-HV (4 Cores) | VM-500 (8 Cores) | VM-700 (16 Cores) |
| --- | --- | --- | --- | --- | --- |
| With SR-IOV/PCI passthrough of I/O enabled | | | | | |
| Firewall throughput (App-ID enabled) [1] | 200 Mbps | 2 Gbps | 4 Gbps | 8 Gbps | 16 Gbps |
| Threat Prevention throughput [2] | 100 Mbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps |
| IPsec VPN throughput [1] | 100 Mbps | 1 Gbps | 1.8 Gbps | 4 Gbps | 6 Gbps |
| New sessions per second [3] | 3,000 | 15,000 | 30,000 | 60,000 | 120,000 |
| With open virtual switch OVS-DPDK | | | | | |
| Firewall throughput (App-ID enabled) [1] | 100 Mbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps |
| Threat Prevention throughput [2] | 50 Mbps | 500 Mbps | 1 Gbps | 2 Gbps | 4 Gbps |
| New sessions per second [3] | 1,000 | 8,000 | 15,000 | 30,000 | 60,000 |
| Capacities | | | | | |
| Max sessions | 64,000 | 250,000 | 800,000 | 2,000,000 | 10,000,000 |
| Max security policies | 250 | 1,500 | 10,000 | 10,000 | 20,000 |
| Max routes | 5,000 | 10,000 | 20,000 | 64,000 | 200,000 |
| IPsec tunnels | 250 | 1,000 | 2,000 | 4,000 | 8,000 |

  1. Firewall and IPsec VPN throughput are measured with App-ID and User-ID features enabled, using 64 KB HTTP transactions.
  2. Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, using 64 KB HTTP transactions.
  3. New sessions per second is measured with application-override utilizing 1 byte HTTP transactions.

VM-Series Specifications and Features

The following tables list all supported specifications, resource requirements, and networking features of VM-Series on KVM.

Virtualization Specifications
Image formats supported
  • QCOW2
Hypervisors supported
  • KVM on CentOS
  • Red Hat Enterprise Linux (RHEL)
  • KVM on Ubuntu
Network I/O options
  • Virtio
  • Paravirtual drivers (Intel e1000)
  • PCI passthrough
  • SR-IOV
Bootstrap support
  • XML template-based bootstrap in KVM environments
  • "Config-drive" with nova boot in OpenStack
OpenStack distributions supported
  • Mirantis OpenStack v8.0
  • Red Hat OpenStack Platform 5, 7, and 10
Other KVM based platforms/hypervisors supported
  • Cisco Enterprise Network Compute System (ENCS)
  • Nutanix AHV

| System Requirements | VM-50 (0.4 Core) | VM-100/VM-200 (2 Cores) | VM-300/VM-1000-HV (4 Cores) | VM-500 (8 Cores) | VM-700 (16 Cores) |
| --- | --- | --- | --- | --- | --- |
| CPU configurations supported | 2 [1] | 2 | 2 and 4 | 2, 4 and 8 | 2, 4, 8 and 16 |
| Memory (minimum) | 4.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| Disk drive capacity (min/max) | 32 GB [2] / 2 TB | 60 GB / 2 TB | 60 GB / 2 TB | 60 GB / 2 TB | 60 GB / 2 TB |

  1. CPU oversubscription is supported with up to five instances running on a 2 CPU core configuration.
  2. 60 GB drive capacity is needed on initial boot. VM-Series instance will use 32GB after license activation.

Networking Features

Interface Modes
  • L2, L3, tap, and virtual wire (transparent mode)

VLANs
  • 802.1Q VLAN tags per device/per interface: 4,094/4,094
  • Max interfaces:
    • 4,096 (VM-500/VM-700)
    • 2,048 (VM-100/VM-300)
    • 512 (VM-50)

Routing
  • Modes: OSPF, RIP, BGP, and Static
  • Policy-based forwarding
  • Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3

Network Address Translation
  • NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
  • NAT64
  • Additional NAT features: dynamic IP reservation, dynamic IP and port oversubscription

High Availability
  • Modes: active/passive with session synchronization
  • Failure detection: path monitoring, interface monitoring

IPv6
  • L2, L3, tap, and virtual wire (transparent mode)
  • Features: App-ID, User-ID, Content-ID, WildFire, and SSL decryption

Citrix® NetScaler® SDX™ is a service delivery networking platform for enterprise and cloud data centers. An advanced virtualized architecture supports multiple NetScaler instances on a single hardware appliance, while an advanced control plane unifies provisioning, monitoring and management to meet the most demanding multi-tenant requirements. Instead of relying on "bolted-on" capabilities or a collection of physical and virtual form factors that may compromise on features, performance and scalability, you can utilize the Citrix NetScaler SDX purpose-built platform for your data center service delivery needs.

With the VM-Series on Citrix NetScaler SDX, security and application delivery controller, or ADC, services can be consolidated on a single hardware platform. This addresses the unique application needs for business units, application owners and SP customers in a multi-tenant deployment. The VM-Series on Citrix NetScaler SDX also provides a complete, validated security and ADC offering for Citrix XenApp® and XenDesktop® deployments.

VM-Series on Citrix NetScaler SDX

The VM-Series delivers safe application enablement using the same PAN-OS® feature set that is available in physical security appliances. The core of the VM-Series is the next-generation firewall, which natively classifies all traffic, inclusive of applications, threats and content, and then ties that traffic to the user, regardless of location or device type. The application, content and user - in other words, the elements that run your business - then serve as the basis of your security policies, resulting in an improved security posture and a reduction in incident response time.


Summary

Palo Alto Networks VM-Series on Citrix NetScaler SDX provides enterprises with a powerful, best-in-class approach to secure application delivery. The full partitioning of application sets simplifies and reduces costs for application provisioning, maintenance and de-provisioning. The combined offering enables the secure delivery of all types of applications to all users in all locations while ensuring the highest levels of performance, security, availability, visibility and flexibility.

VM-Series On AWS

Introduction

As Amazon Web Services (AWS®) becomes the dominant deployment platform for your business-critical applications, protecting the increased public cloud footprint from threats, data loss, and business disruption remains challenging. The VM-Series on AWS solves these challenges, enabling you to:

  • Protect your AWS workloads through unmatched application visibility and precise control.
  • Prevent threats from moving laterally between workloads and stop data exfiltration.
  • Eliminate security-induced application development bottlenecks with automation and centralized management.

Palo Alto Networks VM-Series virtualized next-generation firewalls protect your AWS workloads with next-generation security features that allow you to confidently and quickly migrate your business-critical applications to the cloud. AWS CloudFormation Templates and third-party automation tools allow you to embed the VM-Series in your application development lifecycle to prevent data loss and business disruption.

VM-Series on AWS

The VM-Series allows you to embrace a prevention-based approach to protecting your applications and data on AWS. Automation and centralized management features enable you to embed next-generation security in your AWS application workflow, allowing security to keep pace with development.

  • Complete visibility improves security decisions. Understanding the applications in use on your network, including those that may be encrypted, helps you make informed security policy decisions.
  • Segmentation and application whitelisting aid data security and compliance. Using application whitelisting to enforce a positive security model reduces your attack surface by allowing specific applications that align to your organization's needs (e.g., allow SharePoint® documents for all, but limit SharePoint administration access to the IT group). Whitelisting policies also allow you to segment applications that communicate across subnets and between virtual private clouds (VPCs) to stop lateral threat movement and meet compliance requirements.
  • User-based policies improve security posture. Integration with on-premises user repositories, such as Microsoft Exchange, Active Directory®, and LDAP, lets you grant access to critical applications and data based on user credentials and need. For example, your developer group can have full access to the developer VPC while only IT administrators have RDP/SSH access to the production VPC. When deployed in conjunction with Palo Alto Networks GlobalProtect™ network security for endpoints, the VM-Series on AWS can extend your corporate security policies to mobile devices and users regardless of their location.
  • Applications and data are protected from known and unknown threats. Attacks, like many applications, can use any port, rendering traditional prevention mechanisms ineffective. Enabling Threat Prevention and WildFire® malware prevention service as segmentation policy elements will protect you against exploits, malware, and previously unknown threats from both inbound and lateral movement perspectives.
  • Multiple defenses block data exfiltration and unauthorised file transfers. Data exfiltration can be prevented using a combination of application enablement and Threat Prevention and DNS Security features. File transfers can be controlled by looking inside files, not only at their file extensions, to determine whether transfer actions should be allowed. Command and control, associated data theft, and executable files found in drive-by downloads or secondary payloads can also be blocked. Data filtering features can detect and control the flow of confidential data patterns, such as credit card and Social Security numbers, in addition to custom patterns.

Performance and Capacities

Many factors, such as AWS instance size, maximum packets per second supported, number of cores used, and AWS placement group, can affect performance. In addition to those noted, the performance and capacities listed in the following table have been generated under these test conditions:

  • Instances use the AWS Nitro Hypervisor with Enhanced Networking Adapter (ENA) and AWS placement groups configured. SR-IOV and DPDK are optional and supported with instances running AWS Enhanced Networking (c3/m3/c4/m4).
  • Firewall throughput and IPsec VPN are measured with App-ID™ and User-ID™ technology features enabled, utilizing 64 KB HTTP transactions.
  • IPsec VPN performance is tested between two VM-Series instances in a placement group in the same availability zone and region. Performance will vary based on AWS instance type and connectivity topology (e.g., connecting from on-premises hardware to VM-Series on AWS; from VM-Series in an AWS VPC to an AWS VGW in another VPC; or VM-Series to VM-Series between regions).
  • New sessions per second is measured with 1 byte HTTP transactions.
  • Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64 KB HTTP transactions.

| Model | VM-50/VM-50 Lite [1] | VM-100/VM-200 | VM-300/VM-1000-HV | VM-500 | VM-700 |
| --- | --- | --- | --- | --- | --- |
| AWS instance size tested (recommended) [2] | N/A | c5.xlarge | m5.xlarge | m5.2xlarge | m5.4xlarge |
| Firewall throughput (App-ID enabled) | N/A | 800 Mbps | 1 Gbps | 2.5 Gbps | 5 Gbps |
| Threat Prevention throughput | N/A | 500 Mbps | 1 Gbps | 2 Gbps | 4 Gbps |
| IPsec VPN throughput | N/A | 500 Mbps | 750 Mbps | 1.25 Gbps | 1.75 Gbps |
| AWS instance size tested (maximum) | N/A | c5.18xlarge | c5.18xlarge | c5.18xlarge | c5.18xlarge |
| Firewall throughput (App-ID enabled) | N/A | 1.25 Gbps | 2.25 Gbps | 2.25 Gbps | 6 Gbps |
| Threat Prevention throughput | N/A | 1 Gbps | 1.75 Gbps | 2 Gbps | 4.5 Gbps |
| IPsec VPN throughput | N/A | 1 Gbps | 1.25 Gbps | 1.75 Gbps | 2 Gbps |
| All instance sizes supported | VM-50/VM-50 Lite [1] | VM-100/VM-200 | VM-300/VM-1000-HV | VM-500 | VM-700 |
| New sessions per second | N/A | 9K | 9K | 20K | 40K |
| Max sessions | N/A | 250K | 800K | 2M | 10M |
| System Requirements | | | | | |
| Cores supported (min/max) | N/A | 0.4/2 | 2/4 | 2/8 | 2/16 |
| Memory (min) | N/A | 6.5 GB | 9 GB | 16 GB | 56 GB |
| Disk drive capacity (min) [3] | N/A | 32 GB | 60 GB | 60 GB | 60 GB |
| Minimum AWS instance sizes supported [2,4] | N/A | c5.18xlarge | m5.xlarge, c5.18xlarge | m5.2xlarge, c5.18xlarge | m5.4xlarge, c5.18xlarge |
| Licensing options | N/A | BYOL or VM-Series ELA | BYOL, VM ELA, or Marketplace | BYOL or VM-Series ELA | BYOL or VM-Series ELA |

  1. The VM-50 and VM-50 Lite are not supported on AWS
  2. Refers to recommended AWS instance based on CPU cores, memory, and pricing; .xlarge instances support 4 ENIs and are recommended to more fully support the range of common networking scenarios
  3. Disk storage using AWS Encrypted Volumes is supported
  4. Older generation c3/m3 and c4/m4 instances with appropriate CPU and memory are also supported
