Palo Alto Networks VM-50
Virtualized Next-Generation Firewall

Key VM-Series Features and Capabilities:

The VM-Series protects your applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level. Automation features and centralized management allow you to embed security into your application development process, ensuring security can keep pace with the speed of the cloud.

• Application visibility for informed security decisions:
  The VM-Series provides application visibility across all ports, meaning you have far more relevant information about your cloud environment to help you make rapid, informed policy decisions.


• Segment/Whitelist applications for security and compliance:
  Today’s cyberthreats commonly compromise an individual workstation or user, and then move laterally across your network, placing your mission-critical applications and data at risk wherever they are. Using segmentation and whitelisting policies allows you to control applications communicating across different subnets to block lateral threat movement and achieve regulatory compliance.


• Prevent advanced attacks within allowed application flows:
  Attacks, much like many applications, can use any port, rendering traditional prevention mechanisms ineffective. The VM-Series allows you to use Palo Alto Networks Threat Prevention, DNS Security, and WildFire® malware prevention service to apply application-specific policies that block exploits, malware, and previously unknown threats from infecting your cloud.


• Control application access with user-based policies:
  Integration with a wide range of user repositories—such as Microsoft Exchange, Active Directory®, and LDAP—complements application whitelisting with user identity as an added policy element that controls access to applications and data. When deployed in conjunction with Palo Alto Networks GlobalProtect™ network security for endpoints, the VM-Series enables you to extend your corporate security policies to mobile devices and users, regardless of their locations.


• Policy consistency through centralized management:
  Panorama™ network security management enables you to manage your VM-Series firewalls across multiple cloud deployments, along with your physical security appliances, ensuring policy consistency and cohesion. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users, and content


• Container protection for managed Kubernetes environments:
  The VM-Series protects containers running in Google Kubernetes® Engine and Azure® Kubernetes Service with the same visibility and threat prevention capabilities that can protect business-critical workloads on GCP® and Microsoft Azure. Container visibility empowers security operations teams to make informed security decisions and respond more quickly to potential incidents. Threat Prevention, WildFire, and URL Filtering policies can be used to protect Kubernetes clusters from known and unknown threats. Panorama enables you to automate policy updates as Kubernetes services are added or removed, ensuring security keeps pace with your ever-changing managed Kubernetes environments.


• Automated security deployment and policy updates:
  The VM-Series includes several management features that enable you to integrate security into your application development workflows.
  • Use bootstrapping to automatically provision a VM-Series firewall with a working configuration, complete with licenses, subscriptions, and connectivity to Panorama for centralized management.
  • Automate policy updates as workloads change, using a fully documented API and Dynamic Address Groups to allow the VM-Series to consume external data in the form of tags that can drive policy updates dynamically.
  • Use native cloud provider templates and services along with third-party tools—such as Terraform® and Ansible®— to fully automate VM-Series deployments and security policy updates.


• Cloud-native scalability and availability:
  In virtualization or cloud environments, scalability and availability requirements can be addressed using a traditional two-device approach or a cloud-native approach. In public cloud environments, we recommended using cloud services—such as application gateways, load balancers, and automation—to address scalability and availability.

Palo Alto Networks VM-Series virtualized next-generation firewalls protect your Azure workloads with next-generation security features that allow you to confidently and quickly migrate your business-critical applications to the cloud. ARM templates and third-party automation tools allow you to embed the VM-Series into your application development lifecycle to prevent data loss and business disruption.

VM-SERIES ON MICROSOFT AZURE

The VM-Series allows you to embrace a prevention-based approach to protecting your applications and data on Azure. Automation and centralized management features enable you to embed next-generation security in your Azure application workflow so security can keep pace with development.

• Complete visibility improves security decisions. Understanding the applications in use on your network, including those that may be encrypted, helps you make informed security policy decisions.
• Segmentation and application whitelisting aid data security and compliance. Using application whitelisting to enforce a positive security model reduces your attack surface by allowing specific applications that align to your business needs (e.g., allow SharePoint® documents for all, but limit SharePoint administration access to the IT group). Whitelisting policies also allow you to segment applications that communicate across subnets and between virtual networks (VNETs) to stop lateral threat movement and meet compliance requirements.
• User-based policies improve security posture. Integration with on-premises user repositories—such as Microsoft Exchange, Active Directory®, and LDAP—lets you grant access to critical applications and data based on user credentials and need. For example, your developer group can have full access to the developer VNET while only IT administrators have RDP/SSH access to the production VNET. When deployed in conjunction with Palo Alto Networks GlobalProtect™ network security for endpoints, the VM-Series on Azure can extend your corporate security policies to mobile devices and users regardless of their location.
• Applications and data are protected from known and unknown threats. Attacks, like many applications, can use any port, rendering traditional prevention mechanisms ineffective. Enabling Threat Prevention, DNS Security, and WildFire® malware prevention service as segmentation policy elements will protect you against exploits, malware, and previously unknown threats from both inbound and lateral movement perspectives.
• Multiple defenses block data exfiltration and unauthorized file transfers. Data exfiltration can be prevented using a combination of application enablement, Threat Prevention, and DNS Security features. File transfers can be controlled by looking inside files, not only at their file extensions, to determine whether transfer actions should be allowed. Command and control, associated data theft, and executable files found in drive-by downloads or secondary payloads can also be blocked. Data filtering features can detect and control the flow of confidential data patterns, such as credit card and Social Security numbers, in addition to custom patterns.

Performance and Capacities

Many factors, such as the Azure virtual machine size, maximum packets per second supported, and number of cores used, can affect VM-Series performance. In addition to those noted, the performance and capacities listed in the following table have been generated under controlled lab conditions, using the recommended Azure virtual machine size, and configured with Azure Accelerated Networking using SR-IOV under the following test conditions:

• Firewall throughput and IPsec VPN are measured with App-ID™ and User-ID™ technology features enabled, utilizing 64 KB HTTP transactions.
• Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64K HTTP transactions.
• IPsec VPN performance is tested between two VM-Series in the same region. Performance will depend on Azure VM size and network topology, that is, whether connecting on-premises hardware to VM-Series on Azure; from VM-Series on an Azure VNET to an Azure VPN Gateway in another VNET; or VM-Series to VM-Series between regions.
• New sessions per second is measured with 1 byte HTTP transactions.

Model	VM-50/ VM-50 Lite1	VM-100/ VM-200	VM-300/ VM-1000-HV	VM-500	VM-700
Azure instance size tested (recommended)	N/A	DS3_v2	DS3s_v2	DS4_v2	DS5_v2
Firewall throughput (App-ID enabled)	N/A	750 Mbps	1 Gbps	2.5 Gbps	2.5 Gbps
Threat Prevention throughput	N/A	500 Mbps	750 Mbps	2.25 Gbps	2.25 Gbps
IPsec VPN throughput	N/A	400 Mbps	500 Mbps	1 Gbps	1.25 Gbps
Azure instance size tested (maximum)	N/A	DS5_v2	DS5_v2	DS5_v2	DS5_v2
Firewall throughput (App-ID enabled)	N/A	1 Gbps	1.5 Gbps	1.5 Gbps	2.5 Gbps
Threat Prevention throughput	N/A	750 Mbps	1.25 Gbps	1.25 Gbps	2.25 Gbps
IPsec VPN throughput	N/A	500 Mbps	750 Mbps	1 Gbps	1.25 Gbps
All instance sizes supported	VM-50/ VM-50 Lite1	VM-100/ VM-200	VM-300/ VM-1000-HV	VM-500	VM-700
New sessions per second	N/A	9K	9K	20K	40K
Max sessions	N/A	250K	800K	2M	10M
System Requirements
Cores supported (min/max	N/A	0.4/2	2/4	2/8	2/16
Memory (min)	N/A	6.5 GB	9 GB	16 GB	56 GB
Azure Managed Disk capacity (min)	N/A	32 GB	60 GB	60 GB	60 GB
Azure VM sizes supported2 (only standard Azure VM sizes supported)	N/A	DS3_v2 DS5_v2	DS3s_v3 DS5_v2	DS4_v2 DS5_v2	DS5_v2
Licensing options	N/A	BYOL or VM-Series ELA	BYOL, VM-Series ELA, or Marketplace	BYOL or VM-Series ELA	BYOL or VM-Series ELA

1. The VM-50 and VM-50 Lite are not supported on Azure
2. Refers to recommended VM size based on CPU cores, memory, and Azure prices

VM-Series On Linux KVM :

Kernel-based Virtual Machine (KVM) is a leading open source hypervisor that service providers and enterprises alike use to build and deploy cloud computing environments. Linux KVM, in conjunction with OpenStack®, represents a complete open source software-based offering that combines the cost reduction of cloud computing with the benefits of open source.

The VM-Series on KVM enables you to protect your data residing in OpenStackand KVM-based virtualized environments from cyberthreats. Panorama™ network security management, combined with native automation features, allows you to streamline policy management in a way that minimizes the policy lag time that may occur as virtual machines are added, moved, or removed.

Virtualized Next-Generation Security at High Performance and Scale

VM-Series virtualized next-generation firewalls are optimized to deliver App-ID™ technology-enabled throughput at industryleading rates ranging from 200 Mbps to 16 Gbps across five models, which include:

• VM-50—engineered to consume minimal resources and support CPU oversubscription yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch offices and customer-premise equipment to high-density, multi-tenant environments.
• VM-100 and VM-300—optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled throughput, respectively, for hybrid cloud, segmentation, and internet gateway use cases.
• VM-500 and VM-700—able to deliver 8 Gbps to 16 Gbps of App-ID-enabled firewall throughput, respectively, and deployable as NFV security components in fully virtualized data center and service provider environments

The Data Plane Development Kit, managed by The Linux Foundation, has been integrated into the VM-Series on KVM for enhanced packet processing performance on x86 infrastructure. Network I/O options, such as PCI passthrough and single-root I/O virtualization (SR-IOV), are supported for enhanced performance

Performance and Capacities Summary

In virtualized and cloud environments, many factors, such as type of CPU, hypervisor version, numbers of cores assigned, memory, and network I/O options, can impact your performance. Additional testing within your environment, is recommended to ensure your performance and capacity requirements are met.

td>64,000

Performance and Capacities	VM-50 (0.4 Core)	VM-100/ VM-200 (2 Cores)	VM-300/ VM-1000-HV (4 Cores)	VM-500 (8 Cores)	VM-700 (16 Cores)
With SR-IOV/PCI passthrough of I/O enabled
Firewall throughput (App-ID enabled)1	200 Mbps	2 Gbps	4 Gbps	8 Gbps	16 Gbps
Threat Prevention throughput2	100 Mbps	1 Gbps	2 Gbps	4 Gbps	8 Gbps
IPsec VPN throughput1	100 Mbps	1 Gbps	1.8 Gbps	4 Gbps	6 Gbps
New sessions per second3	3,000	15,000	30,000	60,000	120,000
With open virtual switch OVS-DPDK
Firewall throughput (App-ID enabled)1	100 Mbps	1 Gbps	2 Gbps	4 Gbps	8 Gbps
Threat Prevention throughput2	50 Mbps	500 Mbps	1 Gbps	2 Gbps	4 Gbps
New sessions per second3	1,000	8,000	15,000	30,000	60,000
Capacities
Max sessions	250,000	800,000	2,000,000	10,000,000
Max security policies	250	1,500	10,000	10,000	20,000
Max routes	5,000	10,000	20,000	64,000	200,000
IPsec tunnels	250	1,000	2,000	4,000	8,000

1. Firewall and IPsec VPN throughput are measured with App-ID and User-ID features enabled, using 64 KB HTTP transactions.
2. Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, using 64 KB HTTP transactions.
3. New sessions per second is measured with application-override utilizing 1 byte HTTP transactions.

VM-Series Specifications and Features

The following tables list all supported specifications, resource requirements, and networking features of VM-Series on KVM

Virtualization Specifications
Image formats supported	QCOW2
Hypervisors supported	KVM on CentOS Red Hat Enterprise Linux (RHEL) KVM on Ubuntu
Network I/O options	Virtio Paravirtual drivers (Intel e1000) PCI passthrough SR-IOV
Bootstrap support	XML template-based bootstrap in KVM environments “Config-drive” with nova boot in OpenStack
OpenStack distributions supported	Mirantis OpenStack v8.0 Red Hat OpenStack Platform 5,7, and 10
Other KVM based platforms/hypervisors supported	Cisco Enterprise Network Compute System (ENCS) Nutanix AHV

System Requirements	VM-50 (0.4 Core)	VM-100/ VM-200 (2 Cores)	VM-300/ VM-1000-HV (4 Cores)	VM-500 (8 Cores)	VM-700 (16 Cores)
CPU configurations supported	21	2	2 and 4	2, 4 and 8	2, 4, 8 and 16
Memory (minimum)	4.5 GB	6.5 GB	9 GB	16 GB	56 GB
Disk drive capacity (min/max)	32 GB2 / 2 TB	60 GB / 2 TB	60 GB / 2 TB	60 GB / 2 TB	60 GB / 2 TB

1. CPU oversubscription is supported with up to five instances running on a 2 CPU core configuration.
2. 60 GB drive capacity is needed on initial boot. VM-Series instance will use 32GB after license activation.

Networking Features
Interface Modes	VLANs
L2, L3, tap, and virtual wire (transparent mode)	802.1Q VLAN tags per device/per interface: 4,094/4,094 Max interfaces: 4,096 (VM-500/VM-700) 2,048 (VM-100/VM-300) 512 (VM-50)
Routing	Network Address Translation
Modes: OSPF, RIP, BGP, and Static Policy-based forwarding Multicast: PIM-SM, PIM-SSM, IGMP v1, v2, and v3	NAT modes (IPv4): static IP, dynamic IP, dynamic IP and port (port address translation) NAT64 Additional NAT features: dynamic IP reservation, dynamic IP and port oversubscription
High Availability	IPv6
Modes: active/passive with session synchronization Failure detection: path monitoring, interface monitoring	L2, L3, tap, and virtual wire (transparent mode Features: App-ID, User-ID, Content-ID, WildFire, and SSL decryption

Citrix® NetScaler® SDX™ is a service delivery networking platform for enterprise and cloud data centers. An advanced virtualized architecture supports multiple NetScaler instances on a single hardware appliance, while an advanced control plane unifies provisioning, monitoring and management to meet the most demanding multi-tenant requirements. Instead of relying on “bolted-on” capabilities or a collection of physical and virtual form factors that may compromise on features, performance and scalability, you can utilize the Citrix NetScaler SDX purpose-built platform for your data center service delivery needs.

With the VM-Series on Citrix NetScaler SDX, security and application delivery controller, or ADC, services can be consolidated on a single hardware platform. This addresses the unique application needs for business units, application owners and SP customers in a multi-tenant deployment. The VM-Series on Citrix NetScaler SDX also provides a complete, validated security and ADC offering for Citrix XenApp® and XenDesktop® deployments.

VM-Series on Citrix NetScaler SDX

The VM-Series delivers safe application enablement using the same PAN-OS® feature set that is available in physical security appliances. The core of the VM-Series is the next-generation firewall, which natively classifies all traffic, inclusive of applications, threats and content, and then ties that traffic to the user, regardless of location or device type. The application, content and user – in other words, the elements that run your business – then serve as the basis of your security policies, resulting in an improved security posture and a reduction in incident response time.

Summary

Palo Alto Networks VM-Series on Citrix NetScaler SDX provides enterprises with a powerful, best-in-class approach to secure application delivery. The full partitioning of application sets simplifies and reduces costs for application provisioning, maintenance and de-provisioning. The combined offering enables the secure delivery of all types of applications to all users in all locations while ensuring the highest levels of performance, security, availability, visibility and flexibility.

VM-Series On AWS

Introduction

As Amazon Web Services (AWS®) becomes the dominant deployment platform for your business-critical applications, protecting the increased public cloud footprint from threats, data loss, and business disruption remains challenging. The VM-Series on AWS solves these challenges, enabling you to:

• Protect your AWS workloads through unmatched application visibility and precise control.
• Prevent threats from moving laterally between workloads and stop data exfiltration.
• Eliminate security-induced application development bottlenecks with automation and centralized management.

Palo Alto Networks VM-Series virtualized next-generation firewalls protect your AWS workloads with next-generation security features that allow you to confidently and quickly migrate your business-critical applications to the cloud. AWS CloudFormation Templates and third-party automation tools allow you to embed the VM-Series in your application development lifecycle to prevent data loss and business disruption.

VM-Series on AWS

The VM-Series allows you to embrace a prevention-based approach to protecting your applications and data on AWS. Automation and centralized management features enable you to embed next-generation security in your AWS application workflow, allowing security to keep pace with development.

• Complete visibility improves security decisions. Understanding the applications in use on your network, including those that may be encrypted, helps you make informed security policy decisions.
• Segmentation and application whitelisting aid data security and compliance. Using application whitelisting to enforce a positive security model reduces your attack surface by allowing specific applications that align to your organization’s needs (e.g., allow SharePoint® documents for all, but limit SharePoint administration access to the IT group). Whitelisting policies also allow you to segment applications that communicate across subnets and between virtual private networks (VPCs) to stop lateral threat movement and meet compliance requirements.
• User-based policies improve security posture. Integration with on-premises user repositories, such as Microsoft Exchange, Active Directory®, and LDAP, lets you grant access to critical applications and data based on user credentials and need. For example, your developer group can have full access to the developer VPC while only IT administrators have RDP/SSH access to the production VPC. When deployed in conjunction with Palo Alto Networks GlobalProtect™ network security for endpoints, the VM-Series on AWS can extend your corporate security policies to mobile devices and users regardless of their location.
• Applications and data are protected from known and unknown threats. Attacks, like many applications, can use any port, rendering traditional prevention mechanisms ineffective. Enabling Threat Prevention and WildFire® malware prevention service as segmentation policy elements will protect you against exploits, malware, and previously unknown threats from both inbound and lateral movement perspectives.
• Multiple defenses block data exfiltration and unauthorized file transfers. Data exfiltration can be prevented using a combination of application enablement and Threat Prevention and DNS Security features. File transfers can be controlled by looking inside files, not only at their file extensions, to determine whether transfer actions should be allowed. Command and control, associated data theft, and executable files found in drive-by downloads or secondary payloads can also be blocked. Data filtering features can detect and control the flow of confidential data patterns, such as credit card and Social Security numbers, in addition to custom patterns.

Performance and Capacities

Many factors, such as AWS instance size, maximum packets per second supported, number of cores used, and AWS placement group, can affect performance. In addition to those noted, the performance and capacities listed in the following table have been generated under these test conditions:

• Instances use the AWS Nitro Hypervisor with Enhanced Networking Adapter (ENA) and AWS placement groups configured. SR-IOV and DPDK are optional and supported with instances running AWS Enhanced Networking (c3/m3/c4/m4).
• Firewall throughput and IPsec VPN are measured with App-ID™ and User-ID™ technology features enabled, utilizing 64 KB HTTP transactions.
• IPsec VPN performance is tested between two VM-Series instances in a placement group in the same availability zone and region. Performance will vary based on AWS instance type and connectivity topology (e.g., connecting from on-premises hardware to VM-Series on AWS; from VM-Series in an AWS VPC to an AWS VGW in another VPC; or VM-Series to VM-Series between regions).
• New sessions per second is measured with 1 byte HTTP transactions.
• Threat Prevention throughput is measured with App-ID, User-ID, IPS, antivirus, and anti-spyware features enabled, utilizing 64 KB HTTP transactions.

Model	VM-50/ VM-50 Lite1	VM-100/ VM-200	VM-300/ VM-1000-HV	VM-500	VM-700
AWS instance size tested (recommended)2	N/A	c5.xlarge	m5.xlarge	m5.2xlarge	m5.4xlarge
Firewall throughput (App-ID enabled)	N/A	800 Mbps	1 Gbps	2.5 Gbps	5 Gbps
Threat Prevention throughput	N/A	500 Mbps	1 Gbps	2 Gbps	4 Gbps
IPsec VPN throughput	N/A	500 Mbps	750 Mbps	1.25 Gbps	1.75 Gbps
AAWS instance size tested (maximum)	N/A	c5.18xlarge	c5.18xlarge	c5.18xlarge	c5.18xlarge
Firewall throughput (App-ID enabled)	N/A	1.25 Gbps	2.25 Gbps	2.25 Gbps	6 Gbps
Threat Prevention throughput	N/A	1 Gbps	1.75 Gbps	2 Gbps	4.5 Gbps
IPsec VPN throughput	N/A	1 Gbps	1.25 Gbps	1.75 Gbps	2 Gbps
All instance sizes supported	VM-50/ VM-50 Lite1	VM-100/ VM-200	VM-300/ VM-1000-HV	VM-500	VM-700
New sessions per second	N/A	9K	9K	20K	40K
Max sessions	N/A	250K	800K	2M	10M
System Requirements
Cores supported (min/max)	N/A	0.4/2	2/4	2/8	2/16
Memory (min)	N/A	6.5 GB	9 GB	16 GB	56 GB
Disk drive capacity (min)3	N/A	32 GB	60 GB	60 GB	60 GB
Minimum AWS instance sizes supported2,4	N/A	c5.18xlarge	m5.xlarge,c5.18xlarge	m5.2xlarge, c5.18xlarge	m5.4xlarge, c5.18xlarge
Licensing options	N/A	BYOL or VM-Series ELA	BYOL, VM ELA, or Marketplace	BYOL or VM-Series ELA	BYOL or VM-Series ELA

1. The VM-50 and VM-50 Lite are not supported on AWS
2. Refers to recommended AWS instance based on CPU cores, memory, and pricing; .xlarge instances support 4 ENIs and are recommended to more fully support the range of common networking scenarios
3. Disk storage using AWS Encrypted Volumes is supported
4. Older generation c3/m3 and c4/m4 instances with appropriate CPU and memory are also supported

Documentation:

Download the Palo Alto Networks VM-Series Specsheet (PDF).

Download the Palo Alto Networks VM-Series Deployment Guide (PDF).