Call a Specialist Today! 844-294-0778

Palo Alto Networks VM-700
Virtualized Next-Generation Firewall

Palo Alto Networks VM-Series Virtual Firewall

Sorry, this product is no longer available, please contact us for a replacement.


Tomorrows virtualized agility

Get the Leading Virtual Firewall

Safeguard cloud speed and software-defined agility. Automatable VM-Series Virtual NGFWs are scalable to seamlessly deploy in any virtual or cloud environment.

Organizations are quickly adopting multi-cloud architectures as a means of distributing risk and taking advantage of the core competencies of different cloud vendors. To ensure your applications and data are protected across public clouds, virtualized data centers, and NFV deployments, the VMSeries has been designed to deliver up to 16 Gbps of App-IDenabled firewall performance across five models:

Simple. Secure. Stronger.

VM-50/VM-50 Lite—engineered to consume minimal resources and support CPU oversubscription yet deliver up to 200 Mbps of App-ID-enabled firewall performance for customer scenarios from virtual branch office/customerpremises equipment to high-density, multi-tenant environments.

VM-100 and VM-300—optimized to deliver 2 Gbps and 4 Gbps of App-ID-enabled performance, respectively, for hybrid cloud, segmentation, and internet gateway use cases.

VM-500 and VM-700—able to deliver an industryleading 8 Gbps and 16 Gbps of App-ID-enabled firewall performance, respectively, and can be deployed as NFV security components in fully virtualized data center and service provider environments.

Simple, secure, stronger

Features and Benefits:

Detect hard-to-find threats

Go beyond simple port blocking with integrated security services. Inspect every inbound/outbound packet for known/unknown threats.

Stop outbound traffic exfiltration

Integrated DLP blocks attackers from accessing and removing sensitive data. Leverage traffic decryption for outbound inspection.

Protect against lateral movement

Go Zero Trust: Keep threats from roaming inside environments. Integrated IPS provides enhanced segmentation and microsegmentation.

The VM-Series protects your applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level. Automation features and centralized management allow you to embed security in your application development process, ensuring security can keep pace with the speed of the cloud:

  • Application visibility for informed security decisions: The VM-Series provides application visibility across all ports, meaning you have far more relevant information about your cloud environment to help you make rapid, informed policy decisions.
  • “Segment/Allow” applications for security and compliance: Today’s cyberthreats commonly compromise an individual workstation or user, and then move laterally across your network, placing your mission-critical applications and data at risk wherever they are. Using segmentation and allow listing policies allows you to control applications communicating across different subnets to block lateral threat movement and achieve regulatory compliance.
  • Prevent advanced attacks within allowed application flows: Attacks, much like many applications, can use any port, rendering traditional prevention mechanisms ineffective. The VM-Series allows native integration with our clouddelivered subscription services, such as Threat Prevention, DNS Security, and WildFire® to apply application-specific policies that block exploits, prevent malware, and stop previously unknown threats from infecting your cloud.
  • Control application access with user-based policies: Integration with a wide range of user repositories—such as Microsoft Exchange, Active Directory®, and LDAP— complements application allow listing with user identity as an added policy element that controls access to applications and data. When deployed in conjunction with Palo Alto Networks GlobalProtect™ for network security at the endpoint, the VM-Series enables you to extend your corporate security policies to mobile devices and users, regardless of their locations.
  • Policy consistency through centralized management: Panorama™ provides centralized network security management for your VM-Series firewalls across multiple cloud deployments, along with your physical security appliances, ensuring policy consistency and cohesion. Rich, centralized logging and reporting capabilities provide visibility into virtualized applications, users, and content.
  • Container protection for managed Kubernetes environments: The VM-Series protects containers running in Google Kubernetes® Engine and Azure® Kubernetes Service with the same visibility and threat prevention capabilities that can protect business-critical workloads on Google Cloud and Microsoft Azure. Container visibility empowers security operations teams to make informed security decisions and respond more quickly to potential incidents. Threat Prevention, WildFire, and URL Filtering policies can be used to protect Kubernetes clusters from known and unknown threats. Panorama enables you to automate policy updates as Kubernetes services are added or removed, ensuring security keeps pace with your everchanging managed Kubernetes environments.


Table 1: VM-Series Resource Requirements



VM-50 Lite





Supported vCPUs






Memory (min)

5.5 GB / 4.5 GB

6.5 GB

9 GB

16 GB

56 GB

Disk drive capacity(min)

32 GB

(60 GB at boot)

60 GB

60 GB

60 GB

60 GB

Table2:VM-SeriesCapacity Details



VM-50 Lite











Security Rules

250 / 200





Dynamic IP Addresses






Security Zones






IPsec VPN Tunnels

250 / 25





SSL VPN Tunnels

250 / 25





Next-Generation Firewall Solutions:

Fundamental shifts in the application and threat landscape, user behavior, and network infrastructure have steadily eroded the security that traditional port-based firewalls once provided. Your users are accessing all types of applications using a range of device types, often times to get their job done. Meanwhile, datacenter expansion, virtualization, mobility, and cloud-based initiatives are forcing you to re-think how to enable application access yet protect your network.

Traditional responses include an attempt to lock down all application traffic through an evergrowing list of point technologies in addition to the firewall, which may hinder your business; or allowing all applications, which is equally unacceptable due to increased business and security risks. The challenge that you face is that your traditional port-based firewall, even with bolt-on application blocking, does not provide an alternative to either approach. In order to strike a balance between allowing everything and denying everything, you need to safely enable applications by using business-relevant elements such as the application identity, who is using the application, and the type of content as key firewall security policy criteria.

Key safe enablement requirements:

  • Identify applications, not ports. Classify traffic, as soon as it hits the firewall, to determine the application identity, irrespective of protocol, encryption, or evasive tactic. Then use that identity as the basis for all security policies.
  • Tie application usage to user identity, not IP address, regardless of location or device. Employ user and group information from enterprise directories and other user stores to deploy consistent enablement policies for all your users, regardless of location or device.
  • Protest against all threats—both known and unknown. Prevent known vulnerability exploits, malware, spyware, malicious URLs while analyzing traffic for, and automatically delivering protection against highly targeted and previously unknown malware.
  • Simplify policy management. Safely enable applications and reduce administrative efforts with easy-to-use graphical tools, a unified policy editor, templates, and device groups.

Safe application enablement policies can help you improve your security posture, regardless of the deployment location. At the perimeter, you can reduce your threat footprint by blocking a wide range of unwanted applications and then inspecting the allowed applications for threats— both known and unknown. In the datacenter – traditional or virtualized, application enablement translates to ensuring only datacenter applications are in use by authorized users, protecting the content from threats and addressing security challenges introduced by the dynamic nature of the virtual infrastructure. Your enterprise branch offices and remote users can be protected by the same set of enablement policies deployed at the headquarters location, thereby ensuring policy consistency.

Deploy Safe Enablement Policies Across the Entire Organization

Enabling Applications to Empower the Business

Safe application enablement with Palo Alto Networks™ next-generation firewalls helps you address your business and security risks associated with the rapidly growing number of applications traversing your network. By enabling applications for users or groups of users, both local, mobile, and remote, and protecting the traffic against known and unknown threats, you can improve your security posture while growing your business.

Applications, Users and Content - All under your control
  • Classifying all applications, across all ports, all the time. Accurate traffic classification is the heart of any firewall, with the result becoming the basis of the security policy. Today, applications can easily bypass a port-based firewall; hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID™ addresses the traffic classification visibility limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the firewall sees it, to determine the exact identity of application traversing your network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing your network, not just the port and protocol, becomes the basis for all your security policy decisions. Unidentified applications, typically a small percentage of traffic, yet high in potential risk, are automatically categorized for systematic management— which can include policy control and inspection, threat forensics, creation of a custom App-ID, or a packet capture for Palo Alto Networks App-ID development.
  • Integrating users and devices, not just IP addresses into policies. Creating and managing security policies based on the application and the identity of the user, regardless of device or location, is a more effective means of protecting your network than relying solely on port and IP address. Integration with a wide range of enterprise user repositories provides the identity of the Microsoft Windows, Mac OS X, Linux, Android, or iOS user accessing the application. Users who are traveling or working remotely are seamlessly protected with the same, consistent policies that are in use on the local, or corporate network. The combined visibility and control over a user's application activity means you can safely enable the use of Oracle, BitTorrent, or Gmail, or any other application traversing your network, no matter where or how the user is accessing it.
  • Protect against all threats, both known and unknown. To protect today's modern network, you must address a blend of known exploits, malware and spyware as well as completely unknown and targeted threats. This process begins by reducing the network attack surface by allowing specific applications and denying all others, either implicitly through a deny-all-else strategy or through explicit policies. Coordinated threat prevention can then be applied to all allowed traffic, blocking known malware sites, vulnerability exploits, viruses, spyware and malicious DNS queries in a single pass. Custom or otherwise unknown malware is actively analyzed and identified by executing the unknown files and directly observing more than 100 malicious behaviors in a virtualized sandbox environment. When new malware is discovered, a signature for the infecting file and related malware traffic is automatically generated and delivered to you. All threat prevention analysis uses full application and protocol context, ensuring that threats are always caught even if they attempt to hide from security in tunnels, compressed content or on non-standard ports.

Deployment and Management Flexibility

Safe application enablement functionality is available in either a purpose-built hardware platform or in a virtualized form factor. When you deploy multiple Palo Alto Networks firewalls, in either hardware or virtual form factors, you can use Panorama, an optional centralized management offering to gain visibility into traffic patterns, deploy policies, generate reports and deliver content updates from a central location.

Protecting Enabled Applications

Safe application enablement means allowing access to certain applications, then applying specific policies to block known exploits, malware and spyware – known or unknown; controlling file or data transfer, and web surfing activity. Common threat evasion tactics such as port-hopping and tunneling are addressed by executing threat prevention policies using the application and protocol context generated by the decoders in App-ID. In contrast, UTM solutions take a silo-based approach to threat prevention, with each function, firewall, IPS, AV, URL filtering, all scanning traffic without sharing any context, making them more susceptible to evasive behavior.

  • Block Known Threats: IPS and Network Antivirus/Anti-spyware. A uniform signature format and a stream-based scanning engine enables you to protect your network from a broad range of threats. Intrusion prevention system (IPS) features block network and application-layer vulnerability exploits, buffer overflows, DoS attacks, and port scans. Antivirus/Anti-spyware protection blocks millions of malware variants, as well as any malware-generated command-and-control traffic, PDF viruses, and malware hidden within compressed files or web traffic (compressed HTTP/HTTPS). Policy-based SSL decryption across any application on any port protects you against malware moving across SSL encrypted applications.
  • Block Unknown, Targeted Malware: Wildfire. Unknown or targeted malware is identified and analyzed by WildFire, which directly executes and observes unknown files in a cloud-based, virtualized sandbox environment. WildFire monitors for more than 100 malicious behaviors and the result is delivered immediately to the administrator in the form of an alert. An optional WildFire subscription offers enhanced protection, logging, and reporting. As a subscriber, you are protected within an hour when a new piece of malware is found anywhere in the world, effectively stopping the spread of new malware before it impacts you. As a subscriber, you also gain access to integrated WildFire logging and reporting and an API for submitting samples to the WildFire cloud for analysis.
  • Identify Bot-Infected Hosts. App-ID classifies all applications, across all ports, including any unknown traffic, which can often expose anomalies or threats in your network. The behavioral botnet report correlates unknown traffic, suspicious DNS and URL queries and a variety of unusual network behaviors to reveal devices that are likely infected with malware. The results are displayed in the form of a list of potentially infected hosts that can be investigated as possible members of a botnet.
  • Limit Unauthorized File and Data Transfers. Data filtering features enable your administrators to implement policies that will reduce the risks associated with unauthorized file and data transfers. File transfers can be controlled by looking inside the file (as opposed to looking only at the file extension), to determine if the transfer action should be allowed or not. Executable files, typically found in drive-by downloads, can be blocked, thereby protecting your network from unseen malware propagation. Data filtering features can detect, and control the flow of confidential data patterns (credit card or social security numbers as well as custom patterns).
  • Control Web Surfing. A fully-integrated, customizable URL filtering engine allows your administrators to apply granular web-browsing policies, complementing application visibility and control policies and safeguarding the enterprise from a full spectrum of legal, regulatory, and productivity risks. In addition, the URL categories can be leveraged into the policies to provide further granularity of control for SSL decryption, QoS, or other rule bases.

Ongoing Management and Analysis

Security best practices dictate that your administrators strike a balance between proactively managing the firewall, whether it is a single device or many hundreds, and being reactive, investigating, analyzing, and reporting on security incidents.

  • Management: Each Palo Alto Networks platform can be managed individually via a command line interface (CLI) or full-featured browser-based interface. For large-scale deployments, Panorama can be licensed and deployed as a centralized management solution that enables you to balance global, centralized control with the need for local policy flexibility using features such as templates and shared policy. Additional support for standards-based tools such as SNMP, and REST-based APIs allow you to integrate with third-party management tools. Whether using the device's web interface or Panorama's, the interface look and feel is identical, ensuring that there is no learning curve when moving from one to another. Your administrators can use any of the provided interfaces to make changes at any time without needing to worry about synchronization issues. Role-based administration is supported across all management mediums, allowing you to assign features and functions to specific individuals.
  • Reporting: Predefined reports can be used as-is, customized, or grouped together as one report in order to suit the specific requirements. All reports can be exported to CSV or PDF format and can be executed and emailed on a scheduled basis.
  • Logging: Real-time log filtering facilitates rapid forensic investigation into every session traversing your network. Log filter results can be exported to a CSV file or sent to a syslog server for offline archival or additional analysis.

Purpose-Built Hardware or Virtualized Platforms

Palo Alto Networks offers a full line of purpose-built hardware platforms that range from the PA-200, designed for enterprise remote offices to the PA-5060, which is designed for high-speed datacenters. The platform architecture is based on a single pass software engine and uses function specific processing for networking, security, threat prevention and management to deliver you predictable performance. The same firewall functionality that is delivered in the hardware platforms is also available in the VM-Series virtual firewall, allowing you to secure your virtualized and cloud-based computing environments using the same policies applied to your perimeter or remote office firewalls.


Download the Palo Alto Networks VM-Series Specsheet (PDF).