
VM-Series Virtual Next-Generation Firewalls

Protect applications and data deployed across a wide range of public cloud, virtualization, and NFV environments:
• Identify and control applications, grant access based on users, and prevent known and unknown threats.
• Segment mission-critical applications and data using Zero Trust principles to improve security posture and achieve compliance.
• Centrally manage policies across both physical and virtual firewalls to ensure consistent security posture.
• Streamline workflow automation to ensure that security keeps pace with the rate of change in your cloud.

Organizations worldwide are executing digital transformation initiatives that are resulting in faster, more efficient network architectures that incorporate multiple public clouds, on-premises virtualized data centers, and, in some cases, security as a network functions virtualization (NFV) component.

Palo Alto Networks | VM-Series Virtual Next-Generation Firewalls | Datasheet 1


The benefits of cloud, virtualization, and NFV technologies are well-known, and the risks of data loss and associated business disruption remain significant challenges. To protect your virtualized applications, workloads, and data, your organization needs cloud security that:
• Uses the application identity to enable segmentation and allow listing.
• Controls resource access based on need and user identity.
• Prevents malware from gaining access and moving laterally from workload to workload.
• Simplifies management and can be fully automated to minimize friction as well as security policy lag as virtual workloads change.

Palo Alto Networks VM-Series Virtual Next-Generation Firewalls support the same next-generation security and advanced threat prevention features available in our hardware firewalls, allowing you to protect your applications and data from the network to the cloud.

The VM-Series: Protect Any Cloud

Organizations are quickly adopting multi-cloud architectures as a means of distributing risk and taking advantage of the core competencies of different cloud vendors. To ensure your applications and data are protected across public clouds, virtualized data centers, and NFV deployments, the VM-Series has been designed to deliver up to 16 Gbps of App-ID-enabled firewall performance across five models:
• VM-50/VM-50 Lite—engineered to consume minimal resources and support CPU oversubscription yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch office/customer-premises equipment to high-density, multi-tenant environments.
• VM-100 and VM-300—optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled performance, respectively, for hybrid cloud, segmentation, and internet gateway use cases.
• VM-500 and VM-700—able to deliver an industry-leading 8 Gbps and 16 Gbps of App-ID-enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments.

Key VM-Series Features and Capabilities

The VM-Series protects your applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level. Automation features and centralized management allow you to embed security in your application development process, ensuring security can keep pace with the speed of the cloud:
• Application visibility for informed security decisions: The VM-Series provides application visibility across all ports, meaning you have far more relevant information about your cloud environment to help you make rapid, informed policy decisions.
• “Segment/Allow” applications for security and compliance: Today’s cyberthreats commonly compromise an individual workstation or user, and then move laterally across your network, placing your mission-critical applications and data at risk wherever they are. Using segmentation and allow listing policies allows you to control applications communicating across different subnets to block lateral threat movement and achieve regulatory compliance.
• Prevent advanced attacks within allowed application flows: Attacks, much like many applications, can use any port, rendering traditional prevention mechanisms ineffective. The VM-Series allows native integration with our cloud-delivered subscription services, such as Threat Prevention, DNS Security, and WildFire® to apply application-specific policies that block exploits, prevent malware, and stop previously unknown threats from infecting your cloud.
• Control application access with user-based policies: Integration with a wide range of user repositories—such as Microsoft Exchange, Active Directory®, and LDAP—complements application allow listing with user identity as an added policy element that controls access to applications and data. When deployed in conjunction with Palo Alto Networks GlobalProtect™ for network security at the endpoint, the VM-Series enables you to extend your corporate security policies to mobile devices and users, regardless of their locations.
• Policy consistency through centralized management: Panorama™ provides centralized network security management for your VM-Series firewalls across multiple cloud deployments, along with your physical security appliances, ensuring policy consistency and cohesion. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users, and content.
• Container protection for managed Kubernetes environments: The VM-Series protects containers running in Google Kubernetes® Engine and Azure® Kubernetes Service with the same visibility and threat prevention capabilities that can protect business-critical workloads on Google Cloud and Microsoft Azure. Container visibility empowers security operations teams to make informed security decisions and respond more quickly to potential incidents. Threat Prevention, WildFire, and URL Filtering policies can be used to protect Kubernetes clusters from known and unknown threats. Panorama enables you to automate policy updates as Kubernetes services are added or removed, ensuring security keeps pace with your ever-changing managed Kubernetes environments.



——————————————————————————————
Intelligent Traffic Offload Service for Service Providers

In service provider networks and hyperscale data centers, roughly 80% of traffic consists of traffic that cannot or will not benefit from security inspection. Deploying enough large firewalls to secure these enormous networks without sacrificing performance can make security costs prohibitive.

The Intelligent Traffic Offload Service eliminates these tradeoffs. The service integrates with smart network interface cards (Smart NICs) to offload traffic that does not benefit from security inspection to the Smart NIC, reducing CAPEX by up to 150%.
——————————————————————————————

Automated Security Deployment and Policy Updates

The VM-Series includes several management features that enable you to integrate security into your application development workflows.
• Use bootstrapping to automatically provision a VM-Series firewall with a working configuration, complete with licenses, subscriptions, and connectivity to Panorama for centralized management.
• Automate policy updates as workloads change, using a fully documented API and Dynamic Address Groups to allow the VM-Series to consume external data in the form of tags that can drive policy updates dynamically.
• Use native cloud provider templates and services along with third-party tools—such as Terraform® and Ansible®—to fully automate VM-Series deployments and security policy updates.
• Cloud native scalability and availability: In virtualization or cloud environments, scalability and availability requirements can be addressed using a traditional two-device approach or a cloud native approach. In public cloud environments, we recommend using cloud services—such as application gateways, load balancers, and automation—to address scalability and availability.

Size and Scale Security Based on Immediate Needs—In Minutes

Match software firewalls and security services with the speed and flexibility needed for rapidly changing cloud requirements. Maximize your ROI on security investments with the industry’s most flexible way to adopt software NGFWs and security services. Discover unmatched flexibility with easy scaling and sizing of VM-Series virtual and CN-Series container NGFWs, cloud-delivered Security Services, and VM Panorama for management and log collection.

Three simple steps let you choose and deploy the right firewalls and security services you need at any given time:
1. Procure Software NGFW Credits.
2. Allocate or reallocate credits across different deployments to activate your choice of security products and your choice of security services in just minutes.
3. Manage and monitor credits via the Palo Alto Networks customer support portal.

As needs change over time, Software NGFW Credits can be reallocated to new and other firewall-as-a-platform solutions without having to go through additional procurement cycles.

Deployment Flexibility

VM-Series virtual firewalls can be deployed on a variety of public clouds and hypervisors:
• Public Clouds
  » Amazon Web Services
  » Google Cloud
  » Microsoft Azure
  » Oracle Cloud
  » Alibaba Cloud
• Hypervisors
  » VMware ESXi
  » KVM
  » Nutanix AHV
  » Microsoft Hyper-V
• Software-Defined Networking Solutions
  » VMware NSX (NSX for vSphere and NSX-T)
  » Cisco ACI
  » Nutanix Flow

See VM-Series Hypervisor Support for the full list of the supported public clouds and hypervisors.
See Partner Interoperability for the list of supported third-party platforms.



Table 1: VM-Series Resource Requirements

| Model | VM-50/VM-50 Lite | VM-100 | VM-300 | VM-500 | VM-700 |
|---|---|---|---|---|---|
| Supported vCPUs | 2 | 2 | 4 | 8 | 16 |
| Memory (min) | 5.5 GB / 4.5 GB | 6.5 GB | 9 GB | 16 GB | 56 GB |
| Disk drive capacity (min) | 32 GB (60 GB at boot) | 60 GB | 60 GB | 60 GB | 60 GB |

Table 2: VM-Series Capacity Details

| Model | VM-50/VM-50 Lite | VM-100 | VM-300 | VM-500 | VM-700 |
|---|---|---|---|---|---|
| Sessions | 50,000 | 250,000 | 800,000 | 2,000,000 | 10,000,000 |
| Security Rules | 250 / 200 | 1,500 | 10,000 | 10,000 | 20,000 |
| Dynamic IP Addresses | 1,000 | 2,500 | 100,000 | 100,000 | 100,000 |
| Security Zones | 15 | 40 | 40 | 200 | 200 |
| IPsec VPN Tunnels | 250 / 25 | 1,000 | 2,000 | 4,000 | 8,000 |
| SSL VPN Tunnels | 250 / 25 | 500 | 2,000 | 6,000 | 12,000 |

For more information about capacities of the VM-Series firewall models, see the Palo Alto Networks Next-Generation Firewalls
comparison tool.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. parent_ds_vm-series-virtual-next-generation-firewalls-ds-03042021
