PA VM-Series Virtualized Firewalls

Palo Alto VM-Series Virtualized Next-Generation Firewall

The VM-Series is a virtualized form factor of our next-generation firewall that can be deployed in a range of public and private cloud computing environments based on technologies from VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft and Google.

In both private and public cloud environments, the VM-Series can be deployed as a perimeter gateway, an IPSec VPN termination point, and a segmentation gateway, preventing threats from moving from workload to workload. 

Secure your virtualized data center and private cloud

Your virtualized data center is essentially a private cloud, and you are responsible for managing all aspects of the virtualization, hardware, compute, networking and security. The VM-Series allows you to protect your private cloud infrastructure using application enablement policies while simultaneously preventing known and unknown threats. The VM-Series supports the following private cloud environments: VMware® ESXi™, NSX®, Cisco® ACI™, Citrix® NetScaler® SDX™, Microsoft® Hyper-V® and KVM/OpenStack®.

Protect your public cloud deployments

Public cloud environments, such as AWS, Microsoft Azure or Google Cloud Platform, provide greater agility, scalability and infrastructure consistency than traditional data centers; yet the risk of data loss and business disruption remains, jeopardizing adoption. Embedding the VM-Series in your application development lifecycle to complement native security services can prevent data loss and business disruption, allowing your public cloud migration to accelerate. The VM-Series supports the following public cloud environments: AWS®, Google® Cloud Platform, Microsoft® Azure® and VMware® vCloud® Air™.

Get superior protection with advanced capabilities

The VM-Series offers a unique combination of visibility, control over your applications and data, and protection against both known and unknown threats. The result is an unprecedented level of security for critical deployments in private and public clouds. Specifically, the VM-Series gives you the ability to: 

  • Protect mission-critical applications and data: The VM-Series isolates your critical applications and data in secure segments using segmentation based on Zero Trust principles as a means of controlling access. Our zone-based policy architecture enables you to build access control policies based on the application and the user, effectively segmenting the applications and protecting east-west traffic between virtual machines.
  • Block lateral movement of cyberthreats: Within your virtual network, cyberthreats move laterally from VM to VM in an east-west manner, placing your mission-critical applications and data at risk. With the VM-Series, you can exert application-level control using Zero Trust principles between your workloads to reduce the threat footprint while applying policies to block known and unknown threats.
  • Automate security so it keeps pace with your business: VM-Series automation features enable you to expedite the deployment of next-generation security in your private and public clouds. For example, bootstrapping can automatically provision a VM-Series with a working configuration, complete with licenses and subscriptions, and then auto-register the firewall with Panorama™ management. You can also automate VM-Series configuration changes to dynamically drive security policy updates using native cloud tools and templates based on third-party tools, such as Terraform® and Ansible®, from the LIVE Community.

PA-VM Series Comparison

VM-50 – engineered to consume minimal resources and support CPU oversubscription, yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch office/customer premise equipment to high-density, multi-tenant environments. 

VM-100 and VM-300 – optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled throughput, respectively, for hybrid cloud, segmentation and internet gateway use cases.

VM-500 and VM-700 – able to deliver an industry-leading 8 Gbps and 16 Gbps of App-ID-enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments.

| | VM-50 LITE | VM-50 | VM-100 | VM-200 | VM-300 | VM-500 | VM-700 |
|---|---|---|---|---|---|---|---|
| MAX SESSIONS (IPV4 OR IPV6) | 50,000 | 64,000 | 250,000 | 250,000 | 819,200 | 2,000,000 | 10,000,000 |
| IPSEC SITE-TO-SITE | 25 | 250 | 1,000 | 1,000 | 2,000 | 4,000 | 8,000 |
| MAX TUNNELS (SSL, IPSEC & IKE WITH XAUTH) | 25 | 250 | 500 | 500 | 2,000 | 6,000 | 12,000 |
| SECURITY ZONES | 15 | 15 | 40 | 40 | 40 | 200 | 200 |
| SECURITY RULES | 200 | 250 | 1,500 | 1,500 | 10,000 | 10,000 | 20,000 |
| ADDRESS OBJECTS | 2,000 | 2,500 | 10,000 | 10,000 | 10,000 | 20,000 | 40,000 |
| APP-ID FIREWALL THROUGHPUT* | 200 Mbps | 200 Mbps | 2 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 16 Gbps |
| THREAT PREVENTION THROUGHPUT* | 100 Mbps | 100 Mbps | 1 Gbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps |
| IPSEC VPN THROUGHPUT* | 100 Mbps | 100 Mbps | 1 Gbps | 1 Gbps | 1.8 Gbps | 4 Gbps | 6 Gbps |
| CONNECTIONS PER SECOND* | 3,000 | 3,000 | 15,000 | 15,000 | 30,000 | 60,000 | 120,000 |

*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions.

2. Threat prevention throughput measured with App-ID, User-ID, IPS, antivirus and anti-spyware features enabled utilizing 64KB HTTP transactions.

3. New sessions per second measured with 4KB HTTP transactions. Additionally, for VM models, please refer to the hypervisor- or cloud-specific data sheet for associated performance.