FlexVM Licensing with Software NGFW Credits

cancel
Showing results for 
Search instead for 
Did you mean: 

FlexVM Licensing with Software NGFW Credits

Cyber Elite
Cyber Elite

Hi all,

As you probably know, paloalto recently changed the licensing of VM firewalls. With greater flexibility (and higher licensing costs), there is now also the possibility to increase only the RAM for such a VM firewall which results in higher capacity for rules, zones, concurrent sessions. Some of the specs which change with a different memory profile are written here: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...

 

My question@ now are: are these the only specs that change with a different memory profile? What about concurrent dercypted sessions, virtual routers, ...? Does the vm refuse to boot if there is for example 20 GB of RAM attached or does the vm simply use the highes possible amount of RAM according to the memory profile?

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @istrydom 

Thanks for clarifying this with the Paloalto VM team. At least my question is now answered --> when the memory profile is increased also the maximum supported decrypted sessions will increase:

4.5 GB = 1'024 decrypted sessions

5.5 GB = 1'024 decrypted sessions

6.5 GB = 6'400 decrypted sessions

9 GB = 15'000 decrypted sessions

16 GB = 50'000 decrypted sessions

56 GB = 100'000 decrypted sessions

These sessions increase only by adding more RAM and it does not matter how many vCPUs you have licensed and added.

The virtual routers are tied to the vCPU count, so here you don't get more vrouters with more RAM.

View solution in original post

8 REPLIES 8

L4 Transporter

Comparison Tool has spec for VMs

Here is example to compare 6 types of VMs

https://www.paloaltonetworks.com/products/product-comparison?chosen=vm-series (2 vcpu, 6.5 gb),vm-se...

 

I can see there is difference in SSL Decryption section, Security Profiles, so on..

 

Regard,

Emr

 

 

 

Hi @emr_1 

Thanks for your reply.

I saw that there are new options in the comparison tool, but so far these options actually are only the "old" vm-types (vm-100, vm-300, ...) with new names. My question is if only the RAM is increased. As shown in the link there are some specs which change if RAM is increased but what is about all the other specs which I mentionned (virtual router, concurrent decrypted sessions, ...)

Cyber Elite
Cyber Elite

@istrydom / @sduvoisin / @vogeln 

Are you able to answer this prior to anyone in the community?

An answer will probably also help others and not only me ...

@vsys_remo It loads the memory profile based on the memory assigned. Ex: if you assign 20G RAM, it will load 16G memory profile (one out of 6 profiles that we support)

@vsys_remo Also note that nothing will change regarding virtual routers, or concurrent decryption sessions, even if more RAM is added - the VM-series license is a capacity license. Whatever it is licensed for will be the maximums for sessions and virtual routers. You will have to apply a larger license or Flex Profile to increase session capacities.

Hi @istrydom 

This applies to the old VM licensing. With the new software NGFW credits it is possible to increase the max. zones, max concurrent session, and some more specs simply by adding more RAM. All this is documented in the link in my first post (this one: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall... )

There the following sentence is written: "The following table shows the firewall capacity for each memory profile. Unlike VM-series models, Software NGFW Credits from PAN-OS 10.0.4 onwards allow you to choose the memory profile that best fits your environment without consuming any additional credits."

So my question still is how do other specs change when you add more RAM?

L1 Bithead

@vsys_remo Hi Remo, Increasing the memory and in essence the memory profile will give you some gains around certain functions handled by the control plane as per the table at the bottom of this page you shared:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
The items you are asking about though are dataplane related and as such won’t see an increase. This was confirmed by the vm-series teams.

Hi @istrydom 

Thanks for clarifying this with the Paloalto VM team. At least my question is now answered --> when the memory profile is increased also the maximum supported decrypted sessions will increase:

4.5 GB = 1'024 decrypted sessions

5.5 GB = 1'024 decrypted sessions

6.5 GB = 6'400 decrypted sessions

9 GB = 15'000 decrypted sessions

16 GB = 50'000 decrypted sessions

56 GB = 100'000 decrypted sessions

These sessions increase only by adding more RAM and it does not matter how many vCPUs you have licensed and added.

The virtual routers are tied to the vCPU count, so here you don't get more vrouters with more RAM.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!