
VM-SERIES ON VMWARE

Virtualization technology from VMware® is fueling a significant change in today’s modern data centers, resulting in architectures that are commonly a mix of private, public and hybrid cloud computing environments. The benefits of cloud computing are well-known and significant. However, so are the security challenges, exemplified by the many recent high-profile data breaches. Whether stored in a physical data center or in a public, private or hybrid cloud, your data is the cybercriminal’s target.

The VM-Series on VMware supports VMware NSX, ESXi stand-alone and vCloud Air, allowing you to deploy next-generation firewall security and advanced threat prevention within your VMware-based private, public and hybrid cloud computing environments.
• Identify and control applications within your virtualized environments, limit access based on users, and prevent known and unknown threats.
• Isolate and segment mission-critical applications and data, using Zero Trust principles.
• Streamline policy deployment so that security keeps pace with the rate of change within your private, public or hybrid cloud.

Organizations are expanding their virtualization and cloud initiatives in a variety of ways, with security remaining top of mind. Increased use dictates an effort for more streamlined security workflows and an eye toward cloud-centric architectures that are scalable and resilient.

Today, more workloads reside in on-premise private clouds than ever, and the use of the public cloud is increasing dramatically, leading to multi-cloud environments and increased demand on capacity. Examples include security deployed as a virtual network function – a cost-effective alternative to securing branch offices and data center/private cloud workloads – as well as an uptick in multi-tenant virtualized environments. Security automation workflows have streamlined virtualized security deployments, but they can still be complex and involve many steps. Security, traditionally viewed as a bottleneck that slows deployment, must more readily support the move toward cloud-centric architectures.

Securing your VMware-based cloud introduces a range of challenges, including a lack of application visibility, inconsistent security functionality and difficulty keeping pace with the rate of change commonly found in cloud computing environments. To be successful, organizations need a cloud security solution that:
• Identifies and controls applications within the cloud based on identity, not the ports and protocols they may use.
• Stops malware from gaining access to and moving laterally (east-west) within the cloud.
• Determines who should be allowed to use the applications, and grants access based on need and credentials.
• Simplifies management and minimizes the security policy lag as VMs are added, removed or moved within the cloud environment.

Figure 1: VM-Series on VMware ESXi (diagram labels: WEB, APP and DB VMs; VM-Series; VMware Distributed Switch; VMware ESXi Hypervisor)

Palo Alto Networks | VM-Series on VMware | Datasheet 1


Palo Alto Networks VM-Series on VMware enables you to protect your data that resides in NSX®, ESXi™ and vCloud® Air™
environments from cyberthreats with our next-generation firewall security and advanced threat prevention features. As shown
in Figure 2, Panorama™ network security management, combined with native automation features, allows you to streamline
policy management in a manner that minimizes the lag time that may occur as virtual machines are added, removed or moved.

Virtualized Next-Generation Security at High Performance and Scale

The VM-Series virtualized next-generation firewall has been optimized and expanded to deliver App-ID™ technology-enabled throughput that ranges from 200 Mbps to 16 Gbps across five models, which include:
• VM-50 – engineered to consume minimal resources and support CPU oversubscription, yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch office/customer premise equipment to high-density, multi-tenant environments.
• VM-100 and VM-300 – optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled throughput, respectively, for hybrid cloud, segmentation and internet gateway use cases.
• VM-500 and VM-700 – able to deliver an industry-leading 8 Gbps to 16 Gbps of App-ID-enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments.
The Data Plane Development Kit, managed by The Linux Foundation®, has been integrated into the VM-Series on VMware for enhanced packet-processing performance on x86 infrastructure. Network I/O options, such as PCI passthrough and single-root I/O virtualization, are supported for enhanced performance.

Applying Next-Gen Security to Virtualized Environments

The VM-Series virtualized firewall is based on the same full-stack traffic classification engine that can be found in our phys-
ical form factor firewalls. The VM-Series natively classifies all traffic, inclusive of applications, threats and content, and then
ties that traffic to the user. The application, content and user – the elements that run your business – form the basis of your
virtualized security policies, resulting in improved security posture and reduced incident response time.

Isolate Mission-Critical Applications and Data Using Zero Trust Principles


Security best practices dictate that your mission-critical applications and data should be isolated in secure segments using
Zero Trust (never trust, always verify) principles at each segmentation point. The VM-Series can be deployed throughout
your virtualized environment, residing as a gateway within your virtual network or in between the VMs running in different
tiers, thereby protecting east-west traffic by exerting control based on application and user identity.
Figure 2: VMware NSX and Palo Alto Networks VM-Series integrated offering (diagram labels: NSX Manager; Panorama registers the VM-Series as a service with NSX Manager; real-time, contextual updates on VM changes; PN Security Admin; Cloud Admin; VM-Series deployed automatically by NSX, policies then steer select traffic to VM-Series for inspection; automated licensing, policy deployment and updates; WEB, APP and DB VMs; VM-Series; VMware NSX Distributed Switch and Firewall; VMware ESXi Hypervisor)

Block Lateral Movement of Cyberthreats


Today’s cyberthreats will commonly compromise an individual workstation or user and then move across the network,
looking for a target. Within your virtual network, cyberthreats will rapidly move laterally from VM to VM, in an east-west
manner, placing your mission-critical applications and data at risk. Exerting application-level control using Zero Trust prin-
ciples in between VMs will reduce the threat footprint while applying policies to block both known and unknown threats.

Automated Deployment and Provisioning


A rich set of APIs can be used to integrate with external orchestration and management tools, collecting information related to workload changes, which can then be used to dynamically drive policy updates via VM Monitoring and Dynamic Address Groups.

RESTful APIs
A flexible REST-based API allows you to integrate with third-party or custom cloud orchestration solutions. This enables the VM-Series to be deployed and configured in lockstep with virtualized workloads.

Virtual Machine Monitoring
Security policies must be able to monitor and keep up with changes in virtualization environments, including VM attributes and the addition or removal of VMs. VM Monitoring automatically polls your virtualization environments, such as vCenter®, for virtual machine inventory and changes, collecting this data in the form of tags that can then be used in Dynamic Address Groups to keep policies up to date.

Figure 3: VM-Series on VMware in corporate data center architecture (diagram labels: APIs for Network, Application and Security; Interfaces; Objects; Policies; Licensing; WEB, APP and DB VMs; VM-Series; VMware Distributed Switch; VMware ESXi Hypervisor; Corporate Data Center)
Dynamic Address Groups
As your virtual machines change functions or move from server to server, building security policies based on static data, such as IP address, delivers limited value and can contain outdated information. Dynamic Address Groups allow you to create policies using tags (from VM Monitoring) as identifiers for virtual machines instead of a static object definition. Multiple tags representing virtual machine attributes, such as IP address and operating system, can be resolved within a Dynamic Address Group, allowing you to easily apply policies to virtual machines as they are created or travel across the network without administrative intervention.
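As an added illustration of the VM Monitoring and Dynamic Address Groups mechanism described above (not Palo Alto Networks code, and not the PAN-OS match syntax): a simplified resolver turns polled VM attributes into tags and evaluates a group's match expression against them, so a re-addressed or newly cloned VM changes policy membership on the next poll without anyone editing the rule. The VM records, tag names and the and/or/parenthesis grammar are constructed assumptions.

```python
"""Added illustration (not Palo Alto Networks code): VM Monitoring tags driving
a Dynamic Address Group. VMs, tag names and the match grammar are constructed."""
import re
# Constructed vCenter-style inventory poll (hypothetical VMs and attributes).
INVENTORY_BEFORE = [
    {"name": "web-01", "ip": "10.1.10.11", "os": "linux",   "folder": "prod/web"},
    {"name": "app-01", "ip": "10.1.20.21", "os": "linux",   "folder": "prod/app"},
    {"name": "db-01",  "ip": "10.1.30.31", "os": "windows", "folder": "prod/db"},
    {"name": "web-99", "ip": "10.9.10.99", "os": "linux",   "folder": "dev/web"},
]
# Next poll: db-01 was re-addressed and web-02 was cloned. Nobody edits policy.
INVENTORY_AFTER = [dict(vm, ip="10.1.30.41") if vm["name"] == "db-01" else vm
                   for vm in INVENTORY_BEFORE] + [
    {"name": "web-02", "ip": "10.1.10.12", "os": "linux", "folder": "prod/web"}]

def tags_for(vm):
    """Tags VM Monitoring would publish for one VM (tag names are assumptions)."""
    return {f"os.{vm['os']}", f"folder.{vm['folder']}",
            f"tier.{vm['folder'].split('/')[-1]}"}

def _tokens(expr):
    """Quoted tags, and, or, parentheses; any other text is rejected."""
    toks = re.findall(r"\(|\)|\band\b|\bor\b|'[^']*'", expr)
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
        raise ValueError(f"unsupported token in match expression: {expr!r}")
    return toks

def _parse_or(toks, tags):
    val = _parse_and(toks, tags)
    while toks and toks[0] == "or":
        toks.pop(0)
        val = _parse_and(toks, tags) or val      # right side always consumed
    return val

def _parse_and(toks, tags):
    val = _parse_atom(toks, tags)
    while toks and toks[0] == "and":
        toks.pop(0)
        val = _parse_atom(toks, tags) and val
    return val

def _parse_atom(toks, tags):
    tok = toks.pop(0) if toks else None
    if tok == "(":
        val = _parse_or(toks, tags)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')' in match expression")
        return val
    if tok and tok.startswith("'"):
        return tok[1:-1] in tags     # does this VM carry the tag?
    raise ValueError(f"unexpected token {tok!r} in match expression")

def resolve_dag(match_expr, inventory):
    """Member IPs of a Dynamic Address Group for one inventory poll. A small
    recursive-descent evaluator is used instead of eval() so that text arriving
    from an orchestration system can never execute as code."""
    members = set()
    for vm in inventory:
        toks = _tokens(match_expr)
        matched = _parse_or(toks, tags_for(vm))
        if toks:
            raise ValueError("trailing tokens in match expression")
        if matched:
            members.add(vm["ip"])
    return members
```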

Centrally Manage Virtualized and Physical Firewalls


Panorama enables you to manage your VM-Series deployments along with your physical security appliances, thereby
ensuring policy consistency and cohesiveness. Rich, centralized logging and reporting capabilities provide visibility into
virtualized applications, users and content.

Deployment Flexibility
The VM-Series on VMware supports NSX, ESXi and vCloud Air environments.
VM-Series on VMware NSX
The VM-Series on NSX is a tightly integrated offering that ties together the VM-Series next-generation firewall, Panorama and VMware NSX to deliver on the promise of a software-defined data center. As new virtual workloads are deployed,
NSX Manager simultaneously installs a VM-Series next-generation firewall on each ESXi server. Once deployed on the
ESXi server, safe application enablement policies that identify, control and protect your virtualized applications and data
can be deployed to each VM-Series in an automated manner by Panorama. NSX will then begin steering select application
traffic to the VM-Series for more granular application-level security. As new workloads are added, removed or moved,
NSX feeds those attribute changes to Panorama, which translates them into dynamic security policy updates to the virtual
and perimeter gateway firewalls. The VM-Series for NSX supports virtual wire network interface mode, which requires
minimal network configuration and simplifies network integration. Please see the “VM-Series on VMware NSX” datasheet
for more information on this integration.

VM-Series on ESXi – Stand-Alone


The VM-Series on ESXi servers is ideal for networks where the virtual form factor may simplify deployment and provide
more flexibility. Common deployment scenarios include:
• Private or public cloud computing environments where virtualization is prevalent.
• Environments where physical space is at a premium.
• Remote locations to which shipping hardware is not practical.
The VM-Series on ESXi allows you to deploy safe application enablement policies that identify, control and protect your
virtualized applications and data. You can use Panorama and a rich set of APIs to integrate with external orchestration and
management tools, collect information related to workload changes, and use that information to dynamically drive policy
updates via Dynamic Address Groups and VM Monitoring. A range of interface types, including L2, L3 and virtual wire, allow
you to deploy the VM-Series on ESXi in a different interface mode for each virtualized server, depending on your needs.

VM-Series for vCloud Air
The VM-Series on vCloud Air lets you protect your VMware-based public cloud with the same safe application enablement policies that protect your ESXi-based private cloud. Common use cases include:
• Perimeter gateway: In this use case, the VM-Series is deployed as your gateway firewall, securing your vCloud Air environment based on application, regardless of port and protocol, while preventing known and unknown threats and controlling access based on user identity.
• Hybrid cloud security: In this use case, the VM-Series is configured to establish a secure, standards-based IPsec connection between your private, VMware-based cloud and your vCloud Air-based public cloud. Access to the vCloud Air environment can then be controlled based on application and user identity.
Panorama and a rich set of APIs can integrate with external orchestration and management tools to collect information related to workload changes, which can then be used to dynamically drive policy updates via Dynamic Address Groups and VM Monitoring.

Figure 4: VM-Series in hybrid cloud deployments (diagram labels: vCloud Air with WEB, APP and DB VMs, VM-Series, VMware Distributed Switch and VMware ESXi Hypervisor; Corporate Data Center with APIs for Network, Application and Security, Interfaces, Objects, Policies, Licensing, WEB, APP and DB VMs, VM-Series, VMware NSX Distributed Switch and Firewall, and VMware ESXi Hypervisor)

Flexible Licensing Options


The VM-Series on VMware supports several licensing options, including perpetual bundles and enterprise license agree-
ments. Perpetual bundle options allow you to choose any one VM-Series model, along with its associated subscriptions and
support. A VM-Series Enterprise License Agreement takes a forecast of your VM-Series firewall consumption over a one- or
three-year period, and purchase price is based on that projected usage. Included in each VM-Series ELA is a VM-Series
firewall license, subscriptions for Threat Prevention, URL Filtering, WildFire® cloud-based threat analysis service, Global-
Protect™ Gateway, and unlimited Panorama VM licenses and support. The VM-Series ELA allows you to use a single license
authorization code across all virtual environments supported by the VM-Series and is ideally suited for customers who have
large-scale, expanding virtual environments, and who want to be able to deploy VM-Series next-generation firewalls and
associated subscriptions wherever needed. The VM-Series ELA simplifies the purchasing process and provides a simplified,
predictable cost structure by establishing a single start and end date for all VM-Series licenses and subscriptions.

Performance and Capacities            | VM-50 (0.4 core) | VM-100/VM-200 (2 cores) | VM-300/VM-1000-HV (4 cores) | VM-500 (8 cores) | VM-700 (16 cores)
With single-root I/O virtualization/PCI passthrough of I/O enabled
Firewall throughput (App-ID enabled)  | 200 Mbps | 2 Gbps   | 4 Gbps   | 8 Gbps    | 16 Gbps
Threat Prevention throughput          | 100 Mbps | 1 Gbps   | 2 Gbps   | 4 Gbps    | 8 Gbps
IPsec VPN throughput                  | 100 Mbps | 1 Gbps   | 1.8 Gbps | 4 Gbps    | 6 Gbps
New sessions per second               | 3,000    | 15,000   | 30,000   | 60,000    | 120,000
With Distributed Virtual Switch
Firewall throughput (App-ID enabled)  | 100 Mbps | 1 Gbps   | 2 Gbps   | 4 Gbps    | 8 Gbps
Threat Prevention throughput          | 50 Mbps  | 500 Mbps | 1 Gbps   | 2 Gbps    | 4 Gbps
New sessions per second               | 1,000    | 8,000    | 15,000   | 30,000    | 60,000
Capacities
Max sessions                          | 64,000   | 250,000  | 800,000  | 2,000,000 | 10,000,000
Max security policies                 | 250      | 1,500    | 10,000   | 10,000    | 20,000
Max routes                            | 5,000    | 10,000   | 20,000   | 64,000    | 200,000
IPsec tunnels                         | 250      | 1,000    | 2,000    | 4,000     | 8,000

The performance and capacities results shown above were tested under the following conditions:
• Firewall and IPsec VPN throughput are measured with App-ID and User-ID™ technology features enabled.
• Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus and anti-spyware features enabled.
• Throughput is measured with 64KB HTTP transactions.
• Connections per second is measured with 4KB HTTP transactions.

Performance and Capacities Summary
In virtualized and cloud environments, many factors, such as type of CPU, hypervisor version, number of cores assigned,
memory, and network I/O options, can impact your performance. We recommend additional testing within your environment
to ensure your performance and capacity requirements are met.

VM-Series Specifications and Features


The tables below list all supported specifications, resource requirements and networking features on the VM-Series for VMware.

Virtualization Specifications
Image formats supported: OVA
Hypervisors supported: VMware ESXi 5.1, 5.5 and 6.0; VMware NSX Manager 6.0, 6.1 and 6.2
Network I/O options:
• VMware paravirtual drivers (vmxnet3, e1000)
• PCI passthrough
• Single-root I/O virtualization

System Requirements           | VM-50 (0.4 core) | VM-100/VM-200 (2 cores) | VM-300/VM-1000-HV (4 cores) | VM-500 (8 cores) | VM-700 (16 cores)
vCPU configurations supported | 2 (1)            | 2                       | 2, 4                        | 2, 4 and 8       | 2, 4, 8 and 16
Memory (minimum)              | 4.5GB            | 6.5GB                   | 9GB                         | 16GB             | 56GB
Disk drive capacity (min/max) | 32GB/2TB (2)     | 60GB/2TB                | 60GB/2TB                    | 60GB/2TB         | 60GB/2TB
1. CPU oversubscription is supported with up to five instances running on a 2 CPU core configuration.
2. 60GB drive capacity is needed on initial boot. The VM-Series instance will use 32GB drive capacity after license activation.

Networking Features

Interface Modes
• L2, L3, tap, virtual wire (transparent mode): VM-Series on ESXi
• L3: vCloud Air
• Virtual wire (transparent mode): VM-Series on NSX

VLANs
• 802.1q VLAN tags per device/per interface: 4,094/4,094
• Max interfaces: 4096 (VM-500/VM-700); 2048 (VM-100/VM-300); 512 (VM-50)

Routing
• Modes: OSPF, RIP, BGP, static
• Policy-based forwarding
• Multicast: PIM-SM, PIM-SSM, IGMP v1, v2 and v3

Network Address Translation
• NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation)
• NAT64
• Additional NAT features: dynamic IP reservation, dynamic IP and port oversubscription

High Availability
• Modes: active/passive with session synchronization
• Failure detection: path monitoring, interface monitoring

IPv6
• L2, L3, tap, virtual wire (transparent mode)
• Features: App-ID, User-ID, Content-ID™ technology, WildFire threat analysis service and SSL decryption

To view additional information on the VM-Series security features and associated capacities, please visit
www.paloaltonetworks.com/products.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. vm-series-on-vmware-ds-020218
