PacketMMAP and DPDK Drivers on VM-Series Firewalls
PacketMMAP and DPDK drivers on VM-Series firewall deployments.
The VM-Series firewall supports the PacketMMAP and Data
Plane Development Kit (DPDK) drivers listed in the tables below. VM-Series
firewalls use their own drivers to communicate with the drivers
on the host. You should install host-driver versions that are equal to
or later than the driver versions on your VM-Series firewall.
To choose host drivers for SR-IOV:
- KVM—On your KVM host, install a physical function (PF) driver version that is equal to or later than the virtual function (VF) native driver version listed below.
- ESXi—Refer to the VMware Compatibility Matrix and install the latest driver for the firmware version (PF=i40e, VF=i40evf).
For more on communication between VF drivers on the VM-Series
firewall and PF drivers on the host (the hypervisor), see PacketMMAP and DPDK Drivers on
VM-Series Firewalls in the VM-Series Deployment Guide.
SR-IOV Access Mode
VM-Series firewalls support SR-IOV Access Mode on
KVM and ESXi hypervisors. To enable single root I/O virtualization
(SR-IOV) access mode, you can include the bootstrap parameter
plugin-op-commands=sriov-access-mode-on in the initcfg.txt file.
- KVM—Requires PAN-OS 9.1.5 or a later PAN-OS release with VM-Series plugin 2.0.1 or a later plugin version.
- ESXi—Requires PAN-OS 9.1.5 or a later PAN-OS 9.1 release or PAN-OS 10.1 or a later PAN-OS release—with VM-Series plugin 2.0.5 or a later plugin version.
PacketMMAP Driver Versions
VM-Series firewalls use their virtual function (VF)
drivers to communicate with the host's physical function (PF) drivers during
SR-IOV. For example, i40e is a PF driver and i40evf is a VF driver.
PAN-OS Version | Driver Filename | Virtual Firewall Native Drivers (Linux Version) | Comment |
---|---|---|---|
11.0 | bnx2x | 1.713.36-0 | |
11.0 | i40e | 2.14.13 | |
11.0 | iavf | 4.0.2 | |
11.0 | igb | 5.6.0 | |
11.0 | igbvf | 2.4.0 | |
11.0 | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
11.0 | ixgbevf | 4.1.0 | |
11.0 | mlnx-en | 4.9 | |
10.2 | bnx2x | 1.712.30-0 | |
10.2 | i40e | 2.13.10 | |
10.2 | iavf | 3.2.3 | i40evf renamed to iavf; still compatible with i40en host driver. |
10.2 | igb | 5.4.0 | |
10.2 | igbvf | 2.4.0 | |
10.2 | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
10.2 | ixgbevf | 4.1.0 | |
10.2 | mlnx-en | 4.9 | |
10.1 | bnx2x | 1.712.30-0 | |
10.1 | i40e | 2.13.10 | |
10.1 | iavf | 3.2.3 | i40evf renamed to iavf; still compatible with i40en host driver. |
10.1 | igb | 5.4.0 | |
10.1 | igbvf | 2.4.0 | |
10.1 | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
10.1 | ixgbevf | 4.1.0 | |
10.1 | mlnx-en | 4.9 | |
9.1 | bnx2x | 1.713.36-0 | |
9.1 | i40e | 2.3.2 | |
9.1 | i40evf | 3.2.2 | Compatible with i40en host driver. |
9.1 | igb | 5.4.0 | |
9.1 | igbvf | 2.4.0 | |
9.1 | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
9.1 | ixgbevf | 4.1.0 | |
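An added example (not Palo Alto Networks code) of the host-side check for KVM: it compares an installed host driver with the firewall driver version from the PacketMMAP table on this page. It assumes each host driver is compared with the table row of the same name, compares only the leading numeric part of the version string, and covers only the i40e, ixgbe and igb rows; the function names are illustrative.

```shell
#!/bin/sh
# Added example. Versions copied from the PacketMMAP table on this page
# (subset: the Intel drivers i40e, ixgbe and igb).
DRIVER_TABLE='11.0 i40e 2.14.13
11.0 ixgbe 5.1.0
11.0 igb 5.6.0
10.2 i40e 2.13.10
10.2 ixgbe 5.1.0
10.2 igb 5.4.0
10.1 i40e 2.13.10
10.1 ixgbe 5.1.0
10.1 igb 5.4.0
9.1 i40e 2.3.2
9.1 ixgbe 5.1.0
9.1 igb 5.4.0'

# Print the firewall-side version for a PAN-OS release and driver name.
# The "" concatenation forces string comparison, so 9.1 never equals 9.10.
firewall_version() {
    printf '%s\n' "$DRIVER_TABLE" |
        awk -v p="$1" -v d="$2" '($1 "") == (p "") && $2 == d { print $3 }'
}

# Keep only the leading dotted-numeric part, e.g. "2.8.20-k" -> "2.8.20".
numeric_part() { printf '%s' "${1%%[!0-9.]*}"; }

# Succeed when version $1 >= version $2 (relies on GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# check_host_driver PANOS DRIVER [HOST_VERSION] -> prints ok, too-old or unknown.
check_host_driver() {
    want=$(firewall_version "$1" "$2")
    # Without a third argument, ask the host. Some in-kernel driver builds
    # report no module version, which ends up as "unknown" below.
    have=${3-$(modinfo -F version "$2" 2>/dev/null)}
    have=$(numeric_part "$have")
    if [ -z "$want" ] || [ -z "$have" ]; then echo unknown
    elif version_ge "$have" "$want"; then echo ok
    else echo too-old
    fi
}
# Usage on the KVM host: check_host_driver 10.2 i40e
```

A result of unknown means the comparison could not be made (release or driver not in the subset, or no version reported by the host), so it calls for a manual check rather than being read as a pass.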
DPDK Driver Versions
When the firewall is in DPDK mode, it uses DPDK drivers.
Please check the official DPDK release notes for more
information.
By default, DPDK is enabled on VM-Series firewalls as stated below.
If the VM-Series firewall detects an unsupported driver, the firewall reverts
to PacketMMAP mode.
Hypervisor | Virtual Driver | NIC Drivers |
---|---|---|
KVM | virtio | ixgbe, ixgbevf, i40e, i40evf, and mlnx-en (PAN-OS 10.1 and later) |
ESXi | VMXNET3 | ixgbe, ixgbevf, i40e, i40evf |
See VM-Series for KVM and VM-Series for VMware vSphere
Hypervisor (ESXi) for PAN-OS versions that support DPDK,
DPDK with SR-IOV, or DPDK with Virtio.
PAN-OS Version | DPDK Version | Comment |
---|---|---|
11.0 | 20.11.1 | |
10.2 | 20.11.1 | |
10.1 | 19.11.3 | |
9.1 | 18.11 | |