Software NGFW Credits
Learn about Software NGFW credits, and the licenses they
fund.
| Where Can I Use This? | What Do I Need? |
|---|
|
|
- VM-Series 10.x or above
- Panorama running PAN-OS 10.1.x or above versions
- Customer Support Portal (CSP) account with one of the following
user roles:
- Super User, Standard User, Limited User, Threat
Researcher, AutoFocus Trial Role, Group Super User,
Group Standard User, Group Limited User, Group Threat
Researcher, Authorized Support Center (ASC) User, and
ASC Full Service User.
- Superuser access to the VM-Series firewall
|
Software NGFW credits can be used to fund Software NGFWs
(VM-Series and CN-Series), Cloud-Delivered Security Services (CDSS),
or virtual Panorama appliances in networks with or without internet
access (air-gapped networks, for example).
You create a deployment profile to configure one or more firewalls based on:
- PAN-OS version
- Number of vCPUs per firewall
- Total number of firewalls supported by the deployment profile
- Panorama management or log collection
- Security services
All the VMs created with a deployment profile share the same auth code.
Fixed vCPUs—Compatible with all PAN-OS versions. Based
on
VM-Series Models and security
service bundles. Changing the model or service options requires
a new license.
Flexible vCPUs—Select a flexible number of vCPUs, and a flexible selection of security services.
You can modify the deployment profile to add or decrease the number of vCPUs,
add new services as they become available, or remove services. The maximum
number of vCPUs for a deployment profile is 64.
Software NGFW credits are term-based and you can define terms for any amount of time 1-5 years.
Both allocated and unallocated credits expire at the end of the agreed-upon term. You
can purchase additional credits for a credit pool but the expiration date must be the
same as the target pool. Use
Software NGFW Credit Estimator to calculate
and get credits for your deployment profile.
If you have an internet connection to the license server and you stop using a firewall, a
security service, or Panorama deployment; the credits allocated to that resource are
refunded to the credit pool and can be reallocated to a new resource.
If you don't have an internet connection and can't connect to the Palo Alto Networks update
server (for example, you're in an air-gapped network) you can manage the VM-Series
firewall locally from its user interface, or from Panorama. Your administrator must then
log in to the Customer Support Portal to return the license token so the funds can be
reused.
Use the Supported Hypervisor table below and the Total
vCPUs on Dataplane tables that follow to ensure that you allocate
the necessary hardware resources for your chosen number of vCPUs.
| Tier | Memory |
|---|
Tier 1 | 4.5 GB, 5 GB, 5 GB, 5.5 GB, 6 GB, 6.5 GB,
7 GB, 8 GB |
Tier 2 | 9 GB, 10 GB, 12 GB, 14 GB, 16 GB, 18 GB |
Tier 3 | 20 GB, 24 GB, 28 GB, 32 GB, 36 GB, 40 GB, 44 GB, 48 GB, 52 GB, 56 GB, 60 GB, 64 GB |
|
Memory Profile | Supported Hypervisors | Minimum Hard Drive |
Tier 1 (4.5 GB, 5 GB, 5.5 GB, 6 GB memory) | ESXi, Hyper-V, KVM | |
Tier 1 | AWS, Azure, ESXi, Google Cloud Platform,
Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, Cisco ENCS,
NSX-T | 60 GB |
Tier 2 | AWS, Azure, ESXi, Google Cloud Platform,
Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, Cisco ENCS,
NSX-T | 60 GB |
Tier 3 | AWS, Azure, ESXi, Google Cloud Platform,
Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, NSX-T | 60 GB |
Tier 4 | AWS, Azure, ESXi, Google Cloud Platform,
Hyper-V, KVM, OCI, Alibaba Cloud, Cisco ACI, Cisco CSP, NSX-T | 60 GB |
For all memory profiles listed above, the minimum vCPUs are 2.
Tier 1 requires a minimum 32 GB of hard drive space. However, because the VM-Series base image is
common for all vCPU combinations, you must allocate 60 GB of hard drive space until
you license a VM-Series firewall with 4.5 GB memory.
To achieve the best performance, the required cores should be available on a single CPU
socket.
By default, management plane and dataplane vCPUs are assigned on a one to three ratio, unless you
assign four or fewer vCPUs. Additionally, the maximum dataplane vCPUs are tied to the
allocated memory, as described in the tables below. For example, if you assign 16 vCPUs
to a VM-Series firewall, then four vCPUs are allocated to the management plane and 12
are allocated to the dataplane. If you allocate 20 vCPUs and 20 GB of memory to a
VM-Series firewall, 12 vCPUs are allocated to the dataplane, and the remaining are
assigned to the management plane.
Alternatively, you can use the VM-Series firewall CLI to
Customize Dataplane Cores. This allows
you to specify the number of vCPUs are assigned to the dataplane
on your VM-Series firewall.
The maximum number of total cores (management plane and
dataplane) is 64, regardless of memory profile.
| Tier 1 | 4.5 GB | 5 GB | 5.5 GB | 6 GB | 6.5 GB | 7 GB | 8 GB |
|---|
Default Dataplane vCPUs | 1 | 1 | 1 | 1 | 2 | 2 | 2 |
Default Management Plane vCPUs | 1 | 1 | 1 | 1 | 2 | 2 | 2 |
| Tier 2 | 9 GB | 10 GB | 12 GB | 14 GB | 16 GB | 18 GB | 20 GB |
|---|
Default Dataplane vCPUs | 4 | 4 | 4 | 4 | 12 | 12 | 12 |
Default Management Plane vCPUs | 2 | 2 | 2 | 2 | 4 | 4 | 4 |
| Tier 3 | 20 GB | 24 GB | 28 GB | 32 GB | 36 GB | 40 GB | 44 GB | 48 GB | 52 GB | 56 GB | 64 GB |
|---|
Default Dataplane vCPUs | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 12 | 24 | 47 |
Default Management Plane vCPUs | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 4 | 8 | 17 |
| Tier 4 | 121-128 GB |
|---|
Default Dataplane vCPUs | 47 |
Default Management Plane vCPUs | 17 |
