Policy Optimizer is available starting with PAN-OS 9.0.
If you use Panorama to manage your next-generation firewalls, you
don’t have to upgrade managed firewalls to PAN-OS 9.0 to use Policy
Optimizer. You only need to upgrade Panorama to PAN-OS 9.0, send
traffic logs from the managed firewalls to Panorama or Log Collectors
running PAN-OS 9.0, and push policy from Panorama to the firewalls.
Managed firewalls need to run PAN-OS 8.1 or later, and if they connect
to Log Collectors, the Log Collectors must run PAN-OS 9.0. This
provides a fast path for qualification so you can use Policy Optimizer
to adopt policy based on App-ID quickly.
Strata Logging Service supports Policy Optimizer for Panorama devices that run PAN-OS
10.0.4 or later with Cloud Services plugin 2.0 or later.
PA-7000
Series Firewalls support two logging cards, the PA-7000 Series Firewall
Log Processing Card (LPC) and the high-performance PA-7000 Series
Firewall Log Forwarding Card (LFC). Unlike the LPC, the LFC does
not have disks to store logs locally. Instead, the LFC forwards
all logs to one or more external logging systems, such as Panorama
or a syslog server. If you use the LFC, the application usage information
for Policy Optimizer does not display on the firewall because traffic
logs aren’t stored locally. If you use the LPC, the traffic logs
are stored locally on the firewall, so the application usage information
for Policy Optimizer displays on the firewall. In both cases, the
PA-7000 firewall can run PAN-OS 8.1 (or later) as long as the Log
Collectors and Panorama run PAN-OS 9.0 or later.