06-24-2021 04:39 PM - edited 06-25-2021 12:24 AM
Hi all,
As you probably know, paloalto recently changed the licensing of VM firewalls. With greater flexibility (and higher licensing costs), there is now also the possibility to increase only the RAM for such a VM firewall which results in higher capacity for rules, zones, concurrent sessions. Some of the specs which change with a different memory profile are written here: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
My question@ now are: are these the only specs that change with a different memory profile? What about concurrent dercypted sessions, virtual routers, ...? Does the vm refuse to boot if there is for example 20 GB of RAM attached or does the vm simply use the highes possible amount of RAM according to the memory profile?
07-24-2021 08:18 AM
Hi @istrydom
Thanks for clarifying this with the Paloalto VM team. At least my question is now answered --> when the memory profile is increased also the maximum supported decrypted sessions will increase:
4.5 GB = 1'024 decrypted sessions
5.5 GB = 1'024 decrypted sessions
6.5 GB = 6'400 decrypted sessions
9 GB = 15'000 decrypted sessions
16 GB = 50'000 decrypted sessions
56 GB = 100'000 decrypted sessions
These sessions increase only by adding more RAM and it does not matter how many vCPUs you have licensed and added.
The virtual routers are tied to the vCPU count, so here you don't get more vrouters with more RAM.
06-25-2021 01:28 AM
Comparison Tool has spec for VMs
Here is example to compare 6 types of VMs
I can see there is difference in SSL Decryption section, Security Profiles, so on..
Regard,
Emr
06-25-2021 02:15 AM
Hi @emr_1
Thanks for your reply.
I saw that there are new options in the comparison tool, but so far these options actually are only the "old" vm-types (vm-100, vm-300, ...) with new names. My question is if only the RAM is increased. As shown in the link there are some specs which change if RAM is increased but what is about all the other specs which I mentionned (virtual router, concurrent decrypted sessions, ...)
06-25-2021 11:26 AM - edited 06-25-2021 11:47 AM
@istrydom / @sduvoisin / @vogeln
Are you able to answer this prior to anyone in the community? 😉
An answer will probably also help others and not only me ...
06-28-2021 11:58 PM
@Remo It loads the memory profile based on the memory assigned. Ex: if you assign 20G RAM, it will load 16G memory profile (one out of 6 profiles that we support)
06-30-2021 06:19 AM
@Remo Also note that nothing will change regarding virtual routers, or concurrent decryption sessions, even if more RAM is added - the VM-series license is a capacity license. Whatever it is licensed for will be the maximums for sessions and virtual routers. You will have to apply a larger license or Flex Profile to increase session capacities.
06-30-2021 12:43 PM
Hi @istrydom
This applies to the old VM licensing. With the new software NGFW credits it is possible to increase the max. zones, max concurrent session, and some more specs simply by adding more RAM. All this is documented in the link in my first post (this one: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall... )
There the following sentence is written: "The following table shows the firewall capacity for each memory profile. Unlike VM-series models, Software NGFW Credits from PAN-OS 10.0.4 onwards allow you to choose the memory profile that best fits your environment without consuming any additional credits."
So my question still is how do other specs change when you add more RAM?
06-30-2021 11:35 PM
@Remo Hi Remo, Increasing the memory and in essence the memory profile will give you some gains around certain functions handled by the control plane as per the table at the bottom of this page you shared:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
The items you are asking about though are dataplane related and as such won’t see an increase. This was confirmed by the vm-series teams.
07-24-2021 08:18 AM
Hi @istrydom
Thanks for clarifying this with the Paloalto VM team. At least my question is now answered --> when the memory profile is increased also the maximum supported decrypted sessions will increase:
4.5 GB = 1'024 decrypted sessions
5.5 GB = 1'024 decrypted sessions
6.5 GB = 6'400 decrypted sessions
9 GB = 15'000 decrypted sessions
16 GB = 50'000 decrypted sessions
56 GB = 100'000 decrypted sessions
These sessions increase only by adding more RAM and it does not matter how many vCPUs you have licensed and added.
The virtual routers are tied to the vCPU count, so here you don't get more vrouters with more RAM.
12-02-2021 08:18 PM
As per my understanding VM flex license we shall chose CPU, RAM and interfaces based on credits. Is there any useful link?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
