>
    Strata Copilot
    Virtual Systems Support on VM-Series Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. Virtual Systems Support on VM-Series Firewall
    Download PDF
    VM-Series

    Virtual Systems Support on VM-Series Firewall

    Table of Contents

    Virtual Systems Support on VM-Series Firewall

    Where Can I Use This?What Do I Need?
    • VM-Series deployment
    • VM-Series 10.x or above
    • Panorama running PAN-OS 10.1.x or above versions
    • Customer Support Portal (CSP) account with one of the following user roles:
      • Superuser, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group superuser, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
      • Superuser access to the VM-Series firewall
    PAN-OS 11.1.3 and later releases Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems. The virtual systems are easier to manage coexisting within a firewall. The additional benefits of virtual systems include improved scalability, segmented administration, and reduced capital and operational expenses. For more information, see Benefits of Virtual Systems and Virtual System Components and Segmentation.
    The virtual system support on VM-Series firewall is available only on PAN-OS version 11.1.3 and above.

    Licensing and Prerequisites for Virtual Systems Support on VM-Series

    PAN-OS 11.1.3 and later releases Licensing Requirements

    The VM-Series firewall supports virtual systems only with flexible license with one virtual system by default. You must have a virtual system license to support multiple virtual systems. You can purchase additional licenses based on your requirement up to a maximum supported number on a particular Tier. For more information, see subscription and services.
    Use a flexible VM-Series firewall license and Tier 3 or Tier 4 instances supporting a minimum of 16 vCPUs or more.
    • VM-Series in Tier 3 instance supports a maximum of 25 virtual systems.
    • VM-Series in Tier 4 instance, supports a maximum of 100 virtual systems.
    For information on the maximum number for a particular object or resource that a single VM-Series firewall deployment can create, store, manage, or interact with based on allocated memory or tier, see Maximum Limits Based on Tier and Memory.

    PAN-OS 11.1.3 and later releases Prerequisites

    Ensure that you install the virtual system license on your VM-Series firewall, to add multiple virtual systems on your firewall web interface or on your Panorama console.

    System Requirements for Virtual Systems Support on VM-Series

    PAN-OS 11.1.3 and later releases System Requirements

    The virtual system support on VM-Series firewall is available only on KVM platform.
    Following are the system requirements for allocating the minimum hardware resources to leverage virtual system support on VM-Series firewall:
    PAN-OS
    Supported Platform
    Supported VCPUs
    Minimum Memory and Hard Drive
    11.1.3 and above
    KVM
    For more information on supported VCPUs as per your VM-Series model, see VM-Series System Requirements.
    Use a flexible VM-Series firewall license and Tier 3 or Tier 4 instances supporting a minimum of 16 vCPUs or more.
    For more information on minimum memory and hard drive requirements as per your VM-Series model, see VM-Series System Requirements.

    © 2026 Palo Alto Networks, Inc. All rights reserved.