VM-Series Virtual

Next-Generation Firewall
Protect applications and data deployed across a
VM-Series Virtual
wide range of public cloud, virtualization,
and NFV environments: Next-Generation
Firewalls
• Identify and control applications, grant
access based on users, and prevent known
and unknown threats.
• Segment mission-critical applications and Organizations worldwide are executing digital
data using Zero Trust principles to improve
security posture and achieve compliance. transformation initiatives that are resulting in
• Centrally manage policies across both faster, more efficient network architectures that
physical and virtual firewalls to ensure incorporate multiple public clouds, on-­premises
consistent security posture.
virtualized data centers, and, in some cases,
• Streamline workflow automation to ensure
that security keeps pace with the rate of security as a network functions virtualization
change in your cloud. (NFV) component.

Palo Alto Networks | VM-Series Virtual Next-Generation Firewalls | Datasheet 1

The benefits of cloud, virtualization, and NFV technologies Automation features and centralized management allow you
are well-known, and the risks of data loss and associated to embed security in your application development process,
business disruption remain significant challenges. To protect ensuring security can keep pace with the speed of the cloud:
your virtualized applications, workloads, and data, your • Application visibility for informed security decisions: The
organization needs cloud security that: VM-Series provides application visibility across all ports,
• Uses the application identity to enable segmentation and meaning you have far more relevant information about
allow listing. your cloud environment to help you make rapid, informed
• Controls resource access based on need and user identity. policy decisions.

• Prevents malware from gaining access and moving laterally • “Segment/Allow” applications for security and compliance:
from workload to workload. Today’s cyberthreats commonly compromise an individual
workstation or user, and then move laterally across your
• Simplifies management and can be fully automated to
network, placing your mission-critical applications and data
minimize friction as well as security policy lag as virtual
at risk wherever they are. Using segmentation and allow listing
workloads change.
policies allows you to control applications communicating
Palo Alto Networks VM-Series Virtual Next-Generation across different subnets to block lateral threat movement and
Firewalls support the same next-generation security achieve regulatory compliance.
and advanced threat prevention features available in our
• Prevent advanced attacks within allowed application flows:
hardware firewalls, allowing you to protect your applications
Attacks, much like many applications, can use any port,
and data from the network to the cloud.
rendering traditional prevention mechanisms ineffective.
The VM-Series allows native integration with our cloud-­
The VM-Series: delivered subscription services, such as Threat Prevention,
DNS Security, and WildFire® to apply application-specific
Protect Any Cloud policies that block exploits, prevent malware, and stop
previously unknown threats from infecting your cloud.
Organizations are quickly adopting multi-cloud architectures
as a means of distributing risk and taking advantage of the • Control application access with user-based policies:
core competencies of different cloud vendors. To ensure your ­Integration with a wide range of user repositories—such
applications and data are protected across public clouds, as Microsoft Exchange, Active Directory®, and LDAP—­
virtualized data centers, and NFV deployments, the VM- c­omplements application allow listing with user ­identity
Series virtual firewall has been designed to deliver industry as an added policy element that controls access to
leading throughputs at the application and network layers ­applications and data. When deployed in conjunction with
across different vCPU configurations. Palo Alto Networks GlobalProtect™ for network security at
the endpoint, the VM-Series enables you to extend your
VM-Series offers the industry’s most flexible and unique
corporate security policies to mobile devices and users,
consumption model, Software NGFW Credits, which allows
­regardless of their locations.
you to match your virtual firewall performance, security
services, and management requirements to the needs of • Policy consistency through centralized management:
your cloud infrastructure. ­Panorama™ provides centralized network security
management for your VM-Series firewalls across multiple
• Elastic throughput performance is achieved on the fly
cloud deployments, along with your physical security
from 2 vCPUs to 32 vCPUs simply by adjusting the vCPUs
appliances, ensuring policy consistency and cohesion.
requirements based on credits applied. Capacity is scaled
Rich, centralized logging and reporting capabilities provide
to your exact virtual environment needs by choosing an
visibility into virtualized applications, users, and content.
appropriate memory profile.
• Container protection for managed Kubernetes
• Cloud Delivered Security services are quickly applied, á la-
environments: The VM-Series protects containers running
carte, specifically delivering targeted Zero Trust security;
in ­Google Kubernetes® Engine and Azure® Kubernetes
protecting your growing business.
Service with the same visibility and threat prevention
• Apply credits to Centralized VM Panorama Management capabilities that can protect business-critical workloads
and Log Collection delivering consistent policy management on Google Cloud and Microsoft Azure. Container visibility
and operational efficiency across your on-premises and ­empowers security operations teams to make informed
multi-cloud deployments. security ­decisions and respond more quickly to potential
incidents. Threat Prevention, WildFire, and URL Filtering

Key VM-Series Features

policies can be used to protect Kubernetes clusters from
known and ­unknown threats. Panorama enables you to
and Capabilities automate ­policy ­updates as Kubernetes services are added
or removed, ­ensuring security keeps pace with your ­ever-
The VM-Series protects your applications and data with next- changing managed K ­ ubernetes environments.
generation security features that deliver superior visibility,
precise control, and threat prevention at the application level.

Palo Alto Networks | VM-Series Virtual Next-Generation Firewalls | Datasheet 2

—————————————————————————————— Size and Scale Security Based on
Intelligent Traffic Offload Service for Service
Providers
Immediate Needs—In Minutes
Match software firewalls and security services with the
In service provider networks and hyperscale data centers,
speed and flexibility needed for rapidly changing cloud
roughly 80% of traffic consists of traffic that cannot
requirements. Maximize your ROI on security investments
or will not benefit from security inspection. Deploying
with the industry’s most flexible way to adopt software
enough large firewalls to secure these enormous networks
NGFWs and security services. Discover unmatched flexibility
without sacrificing performance can make security costs with easy scaling and sizing of VM-Series virtual and CN-
prohibitive. Series container NGFWs, cloud-delivered Security Services,
The Intelligent Traffic Offload Service eliminates these and VM Panorama for management and log collection.
tradeoffs. The service integrates with smart network Three simple steps let you choose and deploy the right
interface cards (Smart NICs) to offload traffic that does firewalls and security services you need at any given time:
not benefit from security inspection to the Smart NIC, 1. Procure Software NGFW Credits.
reducing CAPEX by up to 150%. 2. Allocate or reallocate credits across different deployments
—————————————————————————————— to activate your choice of security products and your
choice of security services in just minutes.

Automated Security Deployment

3. Manage and monitor credits via the Palo Alto Networks
customer support portal.
and Policy Updates As needs change over time, Software NGFW Credits can
be reallocated to new and other firewall-as-a-platform
The VM-Series includes several management features solutions without having to go through additional
that ­enable you to integrate security into your application procurement cycles.
development workflows.
• Use bootstrapping to automatically provision a VM-Series
firewall with a working configuration, complete with Deployment Flexibility
licenses, subscriptions, and connectivity to Panorama for
VM-Series virtual firewalls can be deployed on a variety of
centralized management:
public clouds and hypervisors:
• Automate policy updates as workloads change, using a fully
• Public Clouds
documented API and Dynamic Address Groups to allow the
VM-Series to consume external data in the form of tags that » Amazon Web Services
can drive policy updates dynamically. » Google Cloud
• Use native cloud provider templates and services along with » Microsoft Azure
third-party tools—such as Terraform® and Ansible®—to » Oracle Cloud
fully automate VM-Series deployments and security policy
updates. » Alibaba Cloud

• Cloud native scalability and availability: In virtualization or • Hypervisors

cloud environments, scalability and availability requirements » VMware ESXi
can be addressed using a traditional two-device approach » KVM
or a cloud native approach. In public cloud environments,
» Nutanix AHV
we recommended using cloud services—such as application
gateways, load balancers, and automation—to address » Microsoft Hyper-V
scalability and availability. • Software-Defined Networking Solutions
» VMware NSX (NSX for vSphere and NSX-T)
» Cisco ACI
» Nutanix Flow
See VM-Series Hypervisor Support for the full list of the
supported public clouds and hypervisors.
See Partner Interoperability for the list of supported third-
party platforms.

Palo Alto Networks | VM-Series Virtual Next-Generation Firewalls | Datasheet 3

 Table 1: VM-Series Capacity Details by Memory Allocation

Memory (min) 5.5 GB 6.5 GB 9 GB 16 GB 56 GB

Sessions 64,000 250,000 819,200 2,000,000 10,000,000

Security Rules 250 1,500 10,000 10,000 20,000

Dynamic IP Addresses 2,500 5,000 10,000 32,000 100,000

Security Zones 15 40 40 200 200

IPsec VPN Tunnels 250 1,000 2,000 4,000 8,000

SSL VPN Tunnels 40 100 400 1,200 2,500

For full capacity specifications visit Compare VM-Series Performance Details.

Table 2: VM-Series Throughput by vCPU

VM-Series vCPUs
4 vCPU 5 vCPU 8 vCPU 16 vCPU 22 vCPU
configured

APP-ID throughput 6Gbps 6Gbps 12Gbps 19Gbps 28Gbps

Threat Prevention
3Gbps 4Gbps 6Gbps 13Gbps 15Gbps
throughput

Performance varies across different hypervisors and cloud environments. Refer to environment specific data sheets for associated
performance. For full performance specifications visit Compare VM-Series Performance Details.
For more information about capacities of the VM-Series firewall models, see the Palo Alto Networks Next-Generation Firewalls
comparison tool.

3000 Tannery Way © 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 ­trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 parent_ds_vm-series-virtual-next-generation-firewalls-ds-12082021
Support: +1.866.898.9087

www.paloaltonetworks.com