FlexVM Licensing with Software NGFW Credits

vsys_remo · ‎06-24-2021

Hi all,

As you probably know, paloalto recently changed the licensing of VM firewalls. With greater flexibility (and higher licensing costs), there is now also the possibility to increase only the RAM for such a VM firewall which results in higher capacity for rules, zones, concurrent sessions. Some of the specs which change with a different memory profile are written here: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...

My question@ now are: are these the only specs that change with a different memory profile? What about concurrent dercypted sessions, virtual routers, ...? Does the vm refuse to boot if there is for example 20 GB of RAM attached or does the vm simply use the highes possible amount of RAM according to the memory profile?

istrydom · ‎06-30-2021

@vsys_remo Also note that nothing will change regarding virtual routers, or concurrent decryption sessions, even if more RAM is added - the VM-series license is a capacity license. Whatever it is licensed for will be the maximums for sessions and virtual routers. You will have to apply a larger license or Flex Profile to increase session capacities.

vsys_remo · ‎06-30-2021

Hi @istrydom

This applies to the old VM licensing. With the new software NGFW credits it is possible to increase the max. zones, max concurrent session, and some more specs simply by adding more RAM. All this is documented in the link in my first post (this one: https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall... )

There the following sentence is written: "The following table shows the firewall capacity for each memory profile. Unlike VM-series models, Software NGFW Credits from PAN-OS 10.0.4 onwards allow you to choose the memory profile that best fits your environment without consuming any additional credits."

So my question still is how do other specs change when you add more RAM?

istrydom · ‎06-30-2021

@vsys_remo Hi Remo, Increasing the memory and in essence the memory profile will give you some gains around certain functions handled by the control plane as per the table at the bottom of this page you shared:
https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/license-the-vm-series-firewall...
The items you are asking about though are dataplane related and as such won’t see an increase. This was confirmed by the vm-series teams.

vsys_remo · ‎07-24-2021

Hi @istrydom

Thanks for clarifying this with the Paloalto VM team. At least my question is now answered --> when the memory profile is increased also the maximum supported decrypted sessions will increase:

4.5 GB = 1'024 decrypted sessions

5.5 GB = 1'024 decrypted sessions

6.5 GB = 6'400 decrypted sessions

9 GB = 15'000 decrypted sessions

16 GB = 50'000 decrypted sessions

56 GB = 100'000 decrypted sessions

These sessions increase only by adding more RAM and it does not matter how many vCPUs you have licensed and added.

The virtual routers are tied to the vCPU count, so here you don't get more vrouters with more RAM.

Ramakrishnan · ‎12-02-2021

As per my understanding VM flex license we shall chose CPU, RAM and interfaces based on credits. Is there any useful link?

FlexVM Licensing with Software NGFW Credits

FlexVM Licensing with Software NGFW Credits

Show your appreciation!