Palo Alto VM-Series Virtualized Next-Generation Firewall
The VM-Series is a virtualized form factor next-generation firewall that can be deployed in a range of public and private cloud computing environments based on technologies from VMware, Cisco, Citrix, KVM, OpenStack, Amazon Web Services, Microsoft and Google.
In both private and public cloud environments, the VM-Series can be deployed as a perimeter gateway, an IPSec VPN termination point, and a segmentation gateway, preventing threats from moving from workload to workload.
Secure your virtualized data center and private cloud
Your virtualized data center is essentially a private cloud, and you are responsible for managing all aspects of the virtualization, hardware, compute, networking and security. The VM-Series allows you to protect your private cloud infrastructure using application enablement policies while simultaneously preventing known and unknown threats. The VM-Series supports the following private cloud environments: VMware® ESXi™, NSX®, Cisco® ACI™, Citrix® NetScaler® SDX™, Microsoft® Hyper-V® and KVM/OpenStack®.
Protect your public cloud deployments
Public cloud environments, such as AWS, Microsoft Azure or Google Cloud Platform, provide greater agility, scalability and infrastructure consistency than traditional data centers; yet the risk of data loss and business disruption remain, jeopardizing adoption. Embedding the VM-Series in your application development lifecycle to complement native security services can prevent data loss and business disruption, allowing your public cloud migration to accelerate. The VM-Series supports the following public cloud environments: AWS®, Google® Cloud Platform, Microsoft® Azure® and VMware® vCloud® Air™.
Get superior protection with advanced capabilities
The VM-Series offers a unique combination of visibility, control over your applications and data, and protection against both known and unknown threats. The result is an unprecedented level of security for critical deployments in private and public clouds. Specifically, the VM-Series gives you the ability to:
- Protect mission-critical applications and data: The VM-Series isolates your critical applications and data in secure segments using segmentation based on Zero Trust principles as a means of controlling access. Our zone-based policy architecture enables you to build access control policies based on the application and the user, effectively segmenting the applications and protecting east-west traffic between virtual machines.
- Block lateral movement of cyberthreats: Within your virtual network, cyberthreats move laterally from VM to VM in an east-west manner, placing your mission-critical applications and data at risk. With the VM-Series, you can exert application-level control using Zero Trust principles between your workloads to reduce the threat footprint while applying policies to block known and unknown threats.
- Automate security so it keeps pace with your business VM-Series automation features enable you to expedite the deployment of next-generation security in your private and public clouds. For example, bootstrapping can automatically provision a VM-Series with a working configuration, complete with licenses and subscriptions, and then auto-register the firewall with Panorama™ management. You can also automate VM-Series configuration changes to dynamically drive security policy updates using native cloud tools and templates based on third-party tools, such as Terraform® and Ansible®, from the LIVE Community.
PA-VM Series Comparison
• VM-50 – engineered to consume minimal resources and support CPU
oversubscription, yet deliver up to 200 Mbps of App-ID-enabled firewall
performance for customer scenarios from virtual branch office/customer
premise equipment to high-density, multi-tenant environments.
• VM-100 and VM-300 – optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled throughput, respectively, for hybrid cloud, segmentation and internet gateway use cases.
• VM-500 and VM-700 – able to deliver an industry-leading 8 Gbps to 16 Gbps of App-ID enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments.
| VM-50 LITE | VM-50 | VM-100 | VM-200 | VM-300 | VM-500 | VM-700 | |
| MAX SESSIONS (IPV4 OR IPV6) | 50,000 | 64,000 | 250,000 | 250,000 | 819,200 | 2,000,000 | 10,000,000 |
| IPSEC-SITE TO SITE | 25 | 250 | 1000 | 1,000 | 2,000 | 4,000 | 8,000 |
| MAX TUNNELS (SSL, IPSEC & IKE WITH XAUTH) | 25 | 250 | 500 | 500 | 2,000 | 6,000 | 12,000 |
| SECURITY ZONES | 15 | 15 | 40 | 40 | 40 | 200 | 200 |
| SECURITY RULES | 200 | 250 | 1500 | 1,500 | 10,000 | 10,000 | 20,000 |
| ADDRESS OBJECTS | 2,000 | 2,500 | 10,000 | 10,000 | 10,000 | 20,000 | 40,000 |
| APP-ID FIREWALL THROUGHPUT* | 200Mbps | 200Mbps | 2 Gbps | 2 Gbps | 4 Gbps | 8 Gbps | 16 Gbps |
| THREAT PREVENTION THROUGHPUT* | 100Mbps | 100Mbps | 1Gbps | 1 Gbps | 2 Gbps | 4 Gbps | 8 Gbps |
| IPSEC VPN THROUGHPUT* | 100Mbps | 100Mbps | 1Gbps | 1 Gbps | 1.8 Gbps | 4 Gbps | 6 Gbps |
| CONNECTIONS PER SECOND* | 3,000 | 3,000 | 15,000 | 15,000 | 30,000 | 60,000 | 120,000 |
*1. Firewall throughput measured with App-ID and User-ID features enabled utilizing 64KB HTTP transactions.
2. Threat prevention throughput measured with App-ID, User-ID, IPS, antivirus and anti-spyware features enabled utilizing 64KB HTTP transactions.
3. New sessions per second measured with 4KB HTTP transactions. Additionally, for VM models please refer to hypervisor, cloud specific data sheet for associated performance.