Compatibility Matrix
Panorama Plugins
Table of Contents
Panorama Plugins
Learn about compatibility information for Panorama™ plugins.
The following tables describe the features and functionality
introduced with the Panorama™ extensible plugin architecture.
- Cisco ACI
- Cisco TrustSec
- Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
- Cloud Services
- Enterprise Data Loss Prevention (DLP)
- Panorama Interconnect
- IPS Signature Converter
- Kubernetes
- Clustering Plugin
- Network Discovery
- Nutanix
- OpenConfig
- Panorama Software Firewall License Plugin
- Public Cloud—AWS, Azure, and GCP
- SD-WAN
- VMware NSX
- VMware vCenter
- Zero Touch Provisioning (ZTP)
For more information on Panorama plugin versions, refer to the VM-Series and Panorama Plugins
Release Notes.
Cisco ACI
Learn about the Panorama™ plugin for Cisco ACI.
The following table shows the features introduced in
each version of the Panorama™ plugin for Cisco ACI. The plugin uses
device groups on Panorama to push the configuration to the managed
firewalls.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Supported Cisco ACI Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
---|---|---|---|---|
3.0.1
|
6.0.x
|
10.2 (10.2.7)
|
Latest
|
Introduces support for Endpoint Security Group (ESG) tags and
fixes to known issues.
|
|
10.2 (10.2.0)
| |||
3.0.0
|
|
10.2 (10.2.4)
|
Latest
|
Introduces enhancements to increase reliability and
robustness.
|
| 10.2 (10.2.0) | |||
2.0.3
|
|
10.1 (10.1.9)
|
Latest
|
Introduces a fix for a known issue.
You can do a new deployment of Cisco
ACI 2.0.3 on Panorama 9.0 or later. You can also upgrade
from Cisco ACI 2.0.x to Cisco ACI 2.0.3. However, if you
need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you
will need to upgrade your Panorama to 10.0 or later, and
then upgrade the ACI plugin to 2.0.3. |
| 10.1 9.1 | |||
2.0.2 |
| 10.1 9.1 | Latest | Introduces Cisco ACI 5.1 support and fixes
for known issues. You can do a new deployment of Cisco
ACI 2.0.2 on Panorama 9.0 or later. You can also upgrade from Cisco
ACI 2.0.x to Cisco ACI 2.0.2. However, if you need to upgrade from
Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your
Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.2. |
2.0.1 |
| 10.1 9.1 | Latest | Introduces fixes for known issues. |
2.0.0 |
| 10.1 9.1 | Latest | Introduces the Panorama Plugin for Cisco
ACI Dashboard and two new monitored attributes—L2 external endpoint
groups and subnets under bridge domains. |
1.0.1 |
| 9.1 | 9.1 | Introduces support for multiple IP addresses per
endpoint and Cisco ACI 4.0 and later. |
1.0.0 |
| 9.1 | 9.1 | Enables support for Endpoint Monitoring from
Panorama. Configure the Panorama plugin for Cisco ACI to monitor
endpoints so that you can consistently enforce security policy that automatically
adapts to changes within your ACI deployment. |
Cisco TrustSec
Learn about the Panorama™ plugin for Cisco TrustSec.
The following table shows the features introduced in
each version of Panorama™ plugin for Cisco TrustSec.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Minimum Panorama PAN-OS Version | Qualified Cisco ISE Versions | Features |
---|---|---|---|
2.0.1
|
10.2
|
|
Introduces fixes for known issues.
|
2.0.0 | 10.2 |
| Introduces support for Panorama 10.2.x. Introduces
support for security group tags (SGT). Use these tags as match criteria
for placing IP addresses in dynamic address groups. |
1.0.3 | 9.1 |
| Introduces a fix for one issue. |
1.0.2 | 9.1 |
| Introduces the PubSub monitoring mode, which parses
notifications directly from the server. The plugin enables PubSub
mode when v1.0.2 is running on Panorama 10.0.0 and later. If v1.0.2
is running on a Panorama version earlier than 10.0.0, the monitoring
mode is Bulk Sync. |
1.0.1 |
| ||
1.0.0 | Enables support for endpoint monitoring from
Panorama. Configure the Panorama plugin for Cisco TrustSec to monitor
endpoints so that you can consistently enforce security policy that
automatically adapts to changes within your TrustSec environment. |
Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
Learn about CloudConnector.
The following table shows the features introduced in
each version of the plugin for AIOps.
Plugin Version | Panorama PAN-OS Version (Minimum) |
Maximum Panorama PAN-OS Version
| New Features or Changes |
---|---|---|---|
2.0.1
|
10.2 (10.2.3)
|
Latest
|
Introduces enhancements for Cloud NGFW for AWS integration with
Panorama.
|
2.0.0 | 10.2 (10.2.3) | Latest | Enables you to use the Panorama AWS plugin 5.0.0 to author and push device group based policies to Cloud NGFW for AWS resources. |
1.1.0 | 10.2 (10.2.3) | Latest | Enables the policy analyzer feature
that helps you to check if a new security rule meets your intended
purpose and that it does not duplicate, shadow, or conflict with
your existing rules (pre-commit). You can also check for duplication
and other anomalies across your current Security policy rulebase
(post-commit). |
1.0.0 | 10.2 (10.2.1) | Latest | Enables you to proactively enforce best practice
checks by validating your commits and letting you know if
a policy needs work before pushing it to your Panorama. |
Cloud Services
Review minimum plugin versions depending on whether you use the plugin for both Cortex™
Data Lake and Prisma™ Access or for only Strata Logging Service (formerly Cortex®
Data Lake).
You use the Cloud Services plugin to activate Panorama Managed Prisma Access and to retrieve logs
from Panorama-managed firewalls using Strata Logging Service. Review the
following table to see the minimum Panorama and plugin versions for your deployment
type.
Deployment Type | Panorama and Plugin requirements |
---|---|
Panorama Managed Prisma Access | Dependent on plugin version. Review the Minimum Required Panorama Software Versions required for the plugin you
are running. To find the plugin version you are running, select PanoramaCloud ServicesConfigurationService Setup and find the plugin version in the
Plugin Alert area. |
Strata Logging Service log retrieval from Panorama-managed firewalls only | Strata Logging Service Software Compatibility has the minimum Panorama and plugin requirements. |
Enterprise Data Loss Prevention (DLP)
Learn about the Panorama™ plugin for Enterprise Data
Loss Prevention (DLP).
The following table shows the features introduced in
each version of the Panorama™ plugin for Enterprise Data Loss Prevention
(DLP).
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version
|
PAN-OS Version
(Minimum)
|
Maximum PAN-OS Version
|
Cloud Services Plugin (Minimum)
|
Features
|
---|---|---|---|---|
5.0.5
|
11.2.5
|
Latest 11.2
|
Cloud Services 5.0 Preferred
|
Minor bug and performance fixes.
|
5.0.4
|
11.1.0
|
Latest 11.2
|
Cloud Services 5.0 Preferred
|
Upgrade to Enterprise DLP plugin 5.0.4 to use AI Access Security for
Prisma Access (Managed by Panorama).
AI Access Security
enables organizations to safely adopt GenAI applications by
employees by mitigating the risks posed by inadvertent data
leakage in prompts and malicious content in responses.
Fine-grained data exfiltration and access control policies let
you to control the data exposed to GenAI apps while
simultaneously allowing you to block access when necessary. A
robust dashboard with detailed monitoring capabilities provides
paralleled insights in to how GenAI apps are used across your
organization.
|
5.0.3
|
11.1.0
|
Latest 11.2
|
Cloud Services 5.0 Preferred
|
Upgrade to Enterprise DLP plugin 5.0.3 to use AI Access Security for
NGFW (Managed by Panorama).
AI Access Security
enables organizations to safely adopt GenAI applications by
employees by mitigating the risks posed by inadvertent data
leakage in prompts and malicious content in responses.
Fine-grained data exfiltration and access control policies let
you to control the data exposed to GenAI apps while
simultaneously allowing you to block access when necessary. A
robust dashboard with detailed monitoring capabilities provides
paralleled insights in to how GenAI apps are used across your
organization.
|
5.0.2
|
11.1.0
|
11.2.2
|
Cloud Services 5.0 Preferred
|
Minor bug and performance fixes.
|
5.0.1
|
11.1.0
|
Latest 11.1 Release
|
Cloud Services 5.0 Preferred
|
Minor bug and performance fixes.
|
5.0.0
|
11.1.0
|
Latest 11.1 Release
|
Cloud Services 5.0 Preferred
|
You must upgrade to Enterprise DLP 5.0 plugin to upgrade to
PAN-OS 11.1. Additionally, you must download the Enterprise DLP
5.0 plugin before you attempt to install PAN-OS 11.1.
|
4.0.4
|
11.0.3
|
Latest 11.0 Release
|
Cloud Services 4.0 Preferred
|
Minor bug and performance fixes.
|
4.0.3
|
11.0.3
|
Latest 11.0 Release
|
Cloud Services 4.0 Preferred
|
Minor bug and performance fixes.
|
4.0.2
|
11.0.3
|
Latest 11.0 Release
|
Cloud Services 4.0 Preferred
|
The data pattern character limit for a data profile is removed.
Data profiles no longer limit the number of data pattern match
criteria based on the number of alphanumeric characters in the
data pattern name, description, regular expressions, and
proximity keywords.
|
4.0.1
|
11.0.2
|
11.0.2
|
Cloud Services 4.0 Preferred
|
Enterprise Data Loss Prevention (E-DLP) now supports creating a
file type include or exclude list for data filtering
profiles configured for file-based inspection. This
allows you to select one of two modes:
|
4.0.0
|
11.0.0
|
11.0.1
|
Cloud Services 4.0 Preferred
|
You must upgrade to Enterprise DLP 4.0 plugin to upgrade to
PAN-OS 11.0. Additionally, you must download the Enterprise DLP
4.0 plugin before you attempt to install PAN-OS 11.0.
|
3.0.9
|
10.2.8
|
Latest 10.2 Release
|
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later
releases)
|
Minor bug and performance fixes.
|
3.0.8
|
10.2.4-h3
|
10.2.7
|
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later
releases)
|
Minor bug and performance fixes.
|
3.0.8
|
10.2.4-h3
|
10.2.7
|
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later
releases)
|
Minor bug and performance fixes.
|
3.0.7
|
10.2.4-h3
|
10.2.7
|
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later
releases)
|
Minor bug and performance fixes.
|
3.0.6
|
10.2.4-h3
|
10.2.7
|
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later
releases)
|
The data pattern character limit for a data profile is removed.
Data profiles no longer limit the number of data pattern match
criteria based on the number of alphanumeric characters in the
data pattern name, description, regular expressions, and
proximity keywords.
|
3.0.5
|
10.2.4-h3
|
10.2.7
|
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
|
Minor bug and performance fixes.
|
3.0.4
| 10.2.4 | 10.2.4-h3 |
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
|
Enterprise DLP now supports new applications, expanded
download support and large file inspection for many existing
applications, and FedRAMP High compliance.
|
3.0.3
|
10.2.3-h4
|
10.2.4
|
Prisma Access 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
|
Enterprise DLP now supports upload inspection of files up to
100MB in size for the Box Web App and Web Browsing
applications.
|
3.0.2
|
10.2.3
|
Latest 10.2.3-h4
|
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
|
Enterprise DLP now supports inspection of file and non-file based
HTTP/2 traffic.
|
3.0.1
|
10.2.1
|
10.2.3
|
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
|
The Panorama plugin for Enterprise DLP supports creating a data
filtering profile to scan non-file based traffic for sensitive
data.
|
3.0.0
|
10.2.0
|
10.2.1
|
Not Supported
|
Upgrade to the Enterprise DLP plugin to increase reliability.
Enterprise DLP plugin 3.0 is required to upgrade to PAN-OS 10.2
and is supported only on PAN-OS 10.2 and later releases.
|
1.0.8
|
10.1.11
|
Latest 10.1 Release
|
Cloud Services 2.2
|
Minor bug and performance fixes.
|
1.0.7
|
10.1
|
Latest 10.1 Release
|
Cloud Services 2.2
|
Minor bug and performance fixes.
|
1.0.6
|
10.1
|
Latest 10.1 Release
|
Cloud Services 2.2
|
Minor bug and performance fixes.
|
1.0.5
|
10.1
|
Latest 10.1 Release
|
Cloud Services 2.2
|
Minor bug and performance fixes.
|
1.0.4
|
10.1
|
Latest 10.1 Release
|
Cloud Services 2.2
|
Minor bug and performance fixes.
|
1.0.3
|
10.1
|
Latest 10.1 Release
|
Cloud Services 2.2
|
The Panorama plugin for
DLP supports the integration of Enterprise DLP with
Prisma Access.
|
1.0.2
|
10.1
|
Latest 10.1 Release
|
Not Supported
|
No new features were added for this release.
|
1.0.1
|
10.1
|
Latest 10.1 Release
|
Not Supported
|
Enables support for Enterprise DLP from Panorama. Configure the
Panorama plugin for Enterprise DLP to
protect against unauthorized access, misuse, extraction, and
sharing of sensitive information and effectively filter network
traffic to block or generate an alert before sensitive
information leaves the network.
|
Panorama Interconnect
The Panorama™ minimum supported version for the Panorama
Interconnect plugin.
The following table shows the features introduced in
each version of the Panorama™ Interconnect plugin.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Minimum PAN-OS Version | Maximum PAN-OS Version | New Features or Changes |
---|---|---|---|
2.0.0
|
10.2.4 (PAN-OS 10.2 release)
|
Latest 10.2 version (PAN-OS 10.2 release)
|
You must upgrade to Panorama Interconnect 2.0.0 plugin to upgrade
to PAN-OS 10.2.
|
1.1.0 | 10.0.0 | Latest 10.1 version | Enables you to selectively push device groups, template
stacks, and some common Panorama configurations from the Panorama
Controller to the Panorama Nodes to avoid pushing extraneous configurations
to Panorama Nodes to minimize configuration bloat and operational delays
across your Panorama Interconnect deployment. |
1.0.2 |
9.1
|
Latest 10.1 version
| Minor bug and performance fixes. |
1.0.1 | Minor bug and performance fixes. | ||
1.0.0 | First plugin introduced to support a two-tier Panorama
deployment for a horizontal scale-out architecture. |
IPS Signature Converter
Learn about the Panorama IPS Signature Converter plugin.
The following table shows the features introduced in
each version of the Panorama™ IPS Signature Converter plugin.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Minimum PAN-OS Version | Features |
---|---|---|
2.0.3
| 10.2 |
|
2.0.2
|
10.2
|
Supports SMTP and FTP protocols.
|
2.0.1
| 10.2 | Supports HTTP sticky buffers. Now
converts Snort rules that have commas separating content patterns and
their associated suboption. |
2.0.0 | 10.2 | Uses Python 3 for compatibility with PAN-OS
10.2. |
1.0.7
|
10.1
|
|
1.0.6
| 10.1 | Supports SMTP and FTP protocols. |
1.0.5
| 10.1 | Supports HTTP sticky buffers. Now
converts Snort rules that have commas separating content patterns and
their associated suboption. |
1.0.4 | 10.1 | No significant changes in functionality. |
1.0.3 | 10.1 | Converts rules into SSL custom signatures
if their port is 443. Converts server-to-client
HTTP rules without content modifiers into custom signatures with
the http-rsp-status-line and http-rsp-headers contexts. Converts
Suricata TLS rules into TLS custom signatures and supports additional
TLS and file data sticky buffers. |
1.0.2 | 10.1 | Converts rules that use the smb protocol
or port 445. Supports HTTP sticky buffer
keywords in Suricata rules. Converts HTTP rules into HTTP
custom signatures if either the port in the rule is HTTP-_PORTS or
the protocol is http. |
1.0.1 | 10.1 | Identifies whether newly converted signatures
are already included as part of your Palo Alto Networks Threat Prevention
subscription. |
1.0.0 | 10.1 | Enables support for third-party IPS signature conversion from
Panorama. Use the Panorama IPS Signature Converter plugin to gain
immediate protection against newly discovered threats by converting
third-party IPS rules into Palo Alto Networks custom threat signatures
and distributing them to your Panorama-managed firewalls. |
Kubernetes
Learn about the Panorama Kubernetes plugin.
The following table displays the features introduced
in each version of the Panorama™ Kubernetes plugin.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Minimum Panorama PAN-OS Version | Maximum Panorama PAN-OS Version | Features |
---|---|---|---|
4.0.0
|
11.0
|
Latest
|
Introduces new features like CN-Series Hyperscale Security
Fabric, (HSF), Tag Length Enhancement, Shared DAG Support, and
Nested DAG Support.
|
3.0.3
|
10.2
|
Latest
|
Introduces fixes for known issues.
|
3.0.2
|
10.2
|
Latest
|
Introduces fixes for known issues.
|
3.0.1 | Introduces support for shared dynamic address groups. | ||
3.0.0 | Introduces Retrieving IPv6 Addresses for
Multus CNI Setup, Tag Pruning, Service Account Validation, and advanced Dashboard
features. | ||
2.0.2 |
10.1
|
10.1
| K8s plugin 2.0.2 creates a new template
on Panorama called K8S-Network-Setup-V1-125.
This template creates 250 vwire interfaces and 125 vwires. |
2.0.1 | Introduces fixes for known issues. | ||
2.0.0 | Introduces Core-Based Licensing, Multiple Interface
Support, and Custom Certificate Chaining. | ||
1.0.5 | Introduces fixes for known issues. | ||
1.0.4 | Introduces fixes for known issues. | ||
1.0.3 | Introduces fixes for known issues. | ||
1.0.2 | Introduces fixes for known issues. | ||
1.0.1 | Introduces the ability to disable the creation
of service objects on Panorama, and support for offline licensing
of CN-Series firewalls with Panorama. | ||
1.0.0 | Manages licenses for the CN-Series firewall
and enables you to monitor clusters and leverage Kubernetes labels
that you use to organize Kubernetes objects. The plugin communicates
with the API server and retrieves metadata, which gives you visibility
into applications running within a cluster. |
Clustering Plugin
The following table shows the features introduced in Panorama Clustering plugin.
Plugin Version |
Panorama PAN-OS Version
(Minimum)
| Maximum Panorama PAN-OS Version | Features |
---|---|---|---|
2.0.0
|
11.1.5
|
Latest
|
Provides a migration process that allows you to migrate from a
non-PA-7500 Series firewall with an existing Panorama
non-clustering template to a PA-7500 Series firewall with a
Panorama clustering template. The release also provides support
for MACsec on the HSCI ports that connect the firewalls in the
NGFW cluster. MACsec provides data confidentiality and integrity
between the two endpoints.
|
2.0.0
|
11.1.3
|
Latest
|
Provides visibility to the NGFW clusters (also known as PA-Series
clusters) in PA-7500 Series firewalls.
|
1.0.0
|
11.0
|
Latest
| Provides the visibility to the Hyper Scale Security Fabric (HSF) clusters in CN-Series. |
Network Discovery
The PAN-OS minimum supported version for the PAN-OS Network Discovery Plugin.
The following table shows the features introduced in each version of the Panorama™
plugin for Network Discovery.
Plugin Version |
Panorama PAN-OS Version
(Minimum)
| Maximum Panorama PAN-OS Version | Features |
---|---|---|---|
2.1.0
|
10.2.14
11.2.4
|
Latest 10.2 release
Latest 11.2 release
|
Introduces support for multiple entry switches and multiple
SNMP credentials.
Supports site creation and site overwrite for existing subnets
learned through SNMP crawling.
|
2.0.2
|
11.1
|
Latest
|
Introduces new protocols for device polling.
Introduces new settings options for configuring SNMP network
discovery and network data refreshment jobs.
Includes a fix for a known issue.
|
2.0.1
|
Introduces debug logs and fixes for a known issue.
| ||
2.0.0
|
Introduces device polling using various protocols. Use polling
to learn new device attributes to send to IoT Security.
| ||
1.0.1
|
Introduces the capability to specify a network discovery
protocol using the CLI.
| ||
1.0.0
|
Introduces SNMP querying for switches and network devices. Use
SNMP querying to learn bindings and network data to send to
IoT Security.
|
Nutanix
Learn about the Panorama™ plugin for Nutanix.
The following table shows the features introduced in
each version of the Panorama™ plugin for Nutanix.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version
| Panorama PAN-OS Version (Minimum) |
Maximum Panorama PAN-OS Version
|
Features
|
---|---|---|---|
2.0.2
|
10.2
|
Latest
|
Introduces fixes for known issues.
|
2.0.1 |
10.2
|
Latest
| Introduces fixes for known issues. |
2.0.0 | Introduces enhancements to increase reliability
and robustness. | ||
1.0.0 | 9.0 (9.0.4) | Latest | Enables support for VM Monitoring from Panorama.
Configure the Panorama plugin for Nutanix to monitor VM workloads
so that you can consistently enforce security policy that automatically
adapts to changes within your Nutanix environment. |
OpenConfig
The PAN-OS minimum supported version for the PAN-OS OpenConfig
plugin.
The following table shows the features introduced in
each version of the OpenConfig plugin.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | PAN-OS Version (Minimum) | New Features or Changes |
---|---|---|
2.1.1
|
10.2.11
| Support for XML API and File-upload custom PAN-OS data models. |
2.1.0
|
10.2.11
| General improvements and bug fixes. |
2.0.2
|
10.2.11
| Plugin support for PAN-OS version 10.2.11 and later. |
2.0.1
|
11.0.4
| Plugin support for PAN-OS version 11.0.4 and later. |
2.0
|
11.1
| Enables Panorama suppport and telemetry streaming with PAN-OS custom data models for logging, PCAP, and config data. Starting with 2.0, the OpenConfig plugin also comes prepackaged with PAN-OS. |
1.3 (Firewall Only)
|
10.1
|
Enables support for all streaming modes with the
OpenConfig-routing-policy model.
|
1.2.0 (Firewall Only)
|
Enables support for protobuf and unbundling.
| |
1.1.0 (Firewall Only) | Enables support for these standard OpenConfig
models:
| |
1.0.0 (Firewall Only) | Enables support for the OpenConfig plugin on PAN-OS
firewalls so that you can use standard OpenConfig models to automate
configuration and stream telemetry. |
Panorama Software Firewall License Plugin
Learn about the Panorama™ Software Firewall License plugin.
The following table shows the features introduced in
each version of the Panorama™ Software Firewall License plugin.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Minimum VM-Series Plugin Version | Features |
---|---|---|---|---|
1.1.2 |
10.0 (10.0.4)
| Latest |
2.0.4
|
Introduces fixes for known issues.
|
1.1.1 |
10.1
|
Latest
|
2.0.4
| Introduces fixes for known issues. |
1.1.0 | Introduces fixes for known issues. | |||
1.0.0 | The Panorama Software Firewall License plugin
allows you to automatically license a VM-Series firewall when it connects
to Panorama. |
Public Cloud—AWS, Azure, and GCP
Learn about the different public cloud plugins supported
on Panorama™.
The following table shows the features introduced in
each version of the Panorama™ plugin for Amazon Web Services (AWS),
Microsoft Azure, and Google Cloud Platform (GCP). The plugins use
device groups and templates on Panorama to push the configuration
to the managed firewalls.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Public Cloud Platform
|
AWS Plugin Version
|
Panorama PAN-OS Version (Minimum)
|
Maximum Panorama PAN-OS Version
|
VM-Series Plugin Version (Minimum)
|
Features
|
---|---|---|---|---|---|
AWS
|
5.3.1
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces fixes for known issues.
|
5.3.0
| 10.2 (10.2.3) | Latest |
3.0.0
| Adds support for Egress NAT and Zone-based Policy Rules on the Cloud NGFW for AWS. Introduces fixes for known issues. | |
5.2.2
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces fixes for known issues.
| |
5.2.1
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces fixes for known issues.
| |
5.1.3
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces fixes for known issues.
| |
5.1.2
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces fixes for known issues.
| |
5.1.1
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces enhancements for Cloud NGFW for AWS integration with
Panorama.
| |
5.0.1
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces enhancements for Cloud NGFW for AWS integration with
Panorama.
| |
5.0.0
| 10.2 (10.2.3) | Latest |
3.0.0
|
Introduces support for Panorama integration with
Cloud NGFW for AWS.
| |
4.1.0
|
10.2
|
Latest
|
3.0.0
|
Introduces support for nested dynamic address groups and tag
pruning.
| |
4.0.0
|
10.2
|
Latest
|
3.0.0
|
Introduces enhancements to increase reliability and
robustness.
| |
3.0.3 | 10.1 | 10.1 |
2.0.6
|
Introduces shared dynamic address groups support and bug
fixes.
| |
3.0.2
| 10.1 | 10.1 |
2.0.6
|
Introduces proxy support and bug fixes.
| |
3.0.1 | 10.1 | 10.1 |
2.0.6
| Introduces enhancements and bug fixes. | |
3.0.0 | 10.1 | 10.1 |
2.0.6
|
Introduces Panorama Orchestration and new monitoring
parameters.
| |
2.0.2
|
10.1
|
10.1
|
2.0.2
|
Introduces fixes for known issues.
| |
9.1 (9.1.2)
|
1.0.8
| ||||
2.0.1
|
1.0.4
|
Introduces a fix for a known issue.
| |||
2.0.0
|
9.1 (9.1.2)
|
10.1
|
1.0.8
|
Enables support for:
|
Public Cloud Platform | Azure Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version (Minimum) | Features |
---|---|---|---|---|---|
Azure
|
5.2.2
| 10.2.4 | Latest |
4.0.0
| Adds support for Strata Logging Service. Introduces fixes for known issues. |
5.2.1
| 10.2.4 | Latest |
4.0.0
| Adds permission validation for private endpoint read access. Introduces new tags used for monitoring. Introduces fixes for known issues. | |
5.2.0
| 10.2.4 | Latest |
4.0.0
| Introduces an automated workflow for maintaining the life cycle of the VM auth key. | |
5.1.2
| 10.2.4 | Latest |
4.0.0
|
Introduces loopback zone support and DNS proxy support on Cloud
NGFW for Azure.
| |
5.1.1
| 10.2.4 | Latest |
4.0.0
|
Introduces tag pruning feature to increase the scalability and
the number of tags collected by the Azure plugin.
| |
5.0.0
| 10.2.4 | Latest |
4.0.0
|
Introduces support for Panorama integration with Cloud NGFW for
Azure.
| |
4.2.0
| 10.2 (10.2.3) |
Latest
|
3.0.1
| Introduces support for Azure Workspace-based Application Insights. | |
4.1.0 |
10.2
|
Latest
|
Latest
| Increased the number of front-end applications per VM-Series for Azure deployment. | |
4.0.0 |
10.2
|
Latest
|
Latest
| Introduces enhancements to increase reliability and robustness. | |
3.2.2
|
10.1
|
10.1
|
2.1.0
| Introduces fixes for a known issue. | |
2.0.1
| |||||
3.2.1
|
10.1
|
10.1
|
2.1.0
| Introduces fixes for known issues. | |
2.0.1
| |||||
3.2.0
|
10.1
|
10.1
|
2.1.0
| Introduces proxy support and fix for a known issue. | |
2.0.1 | |||||
3.1.0
|
10.1
|
10.1
| 2.1.0 | Introduces fixes for a known issue. | |
2.0.1 | |||||
3.0.1 |
10.1
|
10.1
| 2.1.0 | Introduces fixes for known
issues. | |
2.0.1 | |||||
3.0.0
(Upgrade from 2.0.0 to 3.0.0 is not supported.) |
10.1
|
10.1
| 2.1.0 | Introduces Panorama Orchestration. | |
2.0.1 | |||||
2.0.3
|
10.1
|
10.1
| 2.1.0 |
Introduces a fix for a known issue.
| |
2.0.0 | |||||
9.1 (9.1.2) | 1.0.8 | ||||
9.1 |
1.0.4
| ||||
2.0.2 |
9.1
|
10.1
|
1.0.4
| Introduces fixes for known issues. | |
2.0.1 |
9.1
|
10.1
|
1.0.4
| Introduces fixes for known issues. | |
2.0.0
|
9.1
|
10.1
|
1.0.4
|
Enables support for:
|
Public Cloud Platform | GCP Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version | Features |
---|---|---|---|---|---|
GCP
|
3.1.1
|
10.2
|
Latest
|
3.0.0
| Introduces performance and status enhancements in monitoring definitions. |
3.1.0
|
10.2
|
Latest
|
3.0.0
| Introduces monitoring of shared VPC deployments. | |
3.0.0 | 10.2 | Latest | 3.0.0 | Introduces enhancements to increase reliability
and robustness. | |
2.0.0 (Upgrade from 1.0.0 to 2.0.0 is
not supported.) | 9.1 | Latest | 1.0.4 | Enables you to monitor and secure VMs or GKE
clusters deployed in GCP.
|
SD-WAN
Learn about the Panorama™ plugin for SD-WAN.
The following table shows the features introduced in
each version of the Panorama™ plugin for SD-WAN.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | PAN-OS Version (Minimum) | Maximum PAN-OS Version | Features |
---|---|---|---|
3.3.2
|
11.2.4
|
Latest
|
To use the following feature or enhancements, you require
PAN-OS 11.2.4 and later 11.2 releases.
|
3.3.1
|
11.2.3
|
Latest
|
To use the following feature or enhancements, you require
PAN-OS 11.2.3 and later 11.2 releases.
|
3.3.0
|
11.2
|
Latest
|
To use the following feature or enhancements, you require
PAN-OS 11.2.0 and later releases.
|
3.2.2
| 11.1.5 (11.1.5) |
Latest
|
To use the following feature or enhancements, you require
PAN-OS 11.1.5 and later releases.
|
3.2.1
| 11.1 (11.1.3) |
Latest
|
To use the following feature or enhancements, you require
PAN-OS 11.1.3 and later 11.1 releases.
|
3.2.0
|
11.1
|
Latest
|
|
3.1.3
|
11.0 (11.0.4)
|
Latest
|
To use the following feature or enhancements, you require
PAN-OS 11.0.4 and later 11.0 releases.
|
3.1.2
|
11.0 (11.0.2)
|
Latest
|
Bug and performance fixes.
|
3.1.1
|
11.0 (11.0.2)
|
Latest
|
SD-WAN IPv6 Basic Connectivity
|
3.0.1-h6
|
11.0 (11.0.1)
|
Latest
|
Bug and performance fixes.
|
3.1.0-h6
|
11.0 (11.0.1)
|
Latest
|
Enables Advanced Routing Engine support.
|
3.0.8
|
10.2.11
|
Latest
|
Improvements and bug fixes
|
3.0.7
|
10.2 (10.2.8)
|
Latest
|
To use the following feature or enhancements, you require
PAN-OS 10.2.8 and later releases.
|
3.0.6
|
10.2 (10.2.7)
|
Latest
|
Bug fixes.
|
3.0.6
|
10.2 (10.2.6)
|
Latest
|
Bug fixes.
|
3.0.5
|
10.2 (10.2.5)
|
Latest
|
Bug and performance fixes.
|
3.0.4
|
10.2 (10.2.4)
|
Latest
|
Bug and performance fixes.
|
3.0.3 | 10.2 (10.2.1) | Latest | Bug and performance fixes. |
3.0.2 | 10.2 (10.2.1) | Latest | Bug and performance fixes. |
3.0.1 | 10.2 (10.2.1) | Latest | Copy ToS Header Support. |
3.0.0 | 10.2 | Latest | Upgrade to the SD-WAN plugin to increase reliability.
SD-WAN plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported
only on PAN-OS 10.2 and later releases. |
2.2.7
|
10.1.3-h1
|
Latest
|
Improvements and bug fixes
|
2.2.6
|
10.1 (10.1.11)
|
Latest
|
Bug and performance fixes.
|
2.2.5
|
10.1 (10.1.11)
|
Latest
|
Bug and performance fixes.
|
2.2.4
|
10.1 (10.1.10)
|
Latest
|
Bug and performance fixes.
|
2.2.3 | 10.1 (10.1.9) | Latest | Bug and performance fixes. |
2.2.2 | 10.1 (10.1.5-h1) | Latest | Bug and performance fixes. |
2.2.1 | 10.1 (10.1.5-h1) | Latest | Copy ToS Header support. |
2.2.0 | 10.1 (10.1.4) | Latest | Prisma Access Hub support. |
2.1.1 | 10.1 | Latest | Minor bug and performance fixes. |
2.1.0 | 10.1 | Latest | SD-WAN supports Aggregated Ethernet (AE) interfaces
with or without subinterfaces for link redundancy. AE interfaces allow
you to tag for different ISP services to achieve end-to-end traffic segmentation.
SD-WAN also supports Layer 3 subinterfaces for end-to-end traffic segmentation. |
2.0.3 | 10.1 | Latest | Minor bug and performance fixes. |
2.0.2 | 10.1 | Latest | Includes support so you can control whether
Auto VPN configuration enables or disables the Remove Private
AS setting for all BGP peer groups on a branch or hub. |
2.0.1 | 10.1 | Latest | Includes support for full mesh VPN cluster
with DDNS service, auto-VPN configuration with branch behind NAT,
and Direct Internet Access (DIA) AnyPath. |
2.0.0 | 10.1 | Latest | Maintain high-quality application experience
by leveraging Forward Error Correction (FEC) and packet duplication
and by accurately measuring SaaS and Cloud applications when you have
an SD-WAN firewall with Direct Internet Access (DIA) links. |
1.0.6 | 9.1 (9.1.4) | Latest | Minor bug and performance fixes. |
1.0.5 | 9.1 (9.1.4) | Latest | Minor bug and performance fixes. |
1.0.4 | 9.1 (9.1.4) | Latest | In an SD-WAN VPN cluster that has more than
one hub, you must assign a priority to each hub, which determines
the primary hub and hub failover order. Panorama maps the priority
to a BGP local preference and pushes the local preference to the branches
in the cluster. |
1.0.3 | 9.1 (9.1.3) | 9,1 | When the SD-WAN hub is behind a NAT device,
the plugin supports an upstream NAT IP address or FQDN for Auto
VPN configuration to use as a tunnel endpoint. |
1.0.2 | 9.1 (9.1.2-h1) | 9.1.3 | Improves ease of use, such as an automatic Security
policy rule to allow BGP between branches and hubs, ability to refresh
the IKE preshared key for VPN cluster members, specifying VPN tunnel
IP address ranges, and more. |
1.0.1 | 9.1 (9.1.1) | 9.1.2 | Improves monitoring experience and search filtering,
and adds an option to display HA peers consecutively. |
1.0.0 | 9.1 | 9.1.2 | Enables support for SD-WAN from Panorama. Configure
the Panorama plugin for SD-WAN to provide intelligent
and dynamic path selection on top of the industry-leading security that
PAN-OS software already delivers. Provide the optimal end user experience
by leveraging multiple ISP links to ensure application performance
and scale capacity. |
VMware NSX
Review the features introduced in each version of the
VM-Series firewall VMware NSX plugin.
The following table shows the features introduced in
each version of the VM-Series firewall VMware NSX plugin.
For additional information about each plugin, see the release notes
on the Customer Support Portal.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Panorama Version (Minimum) | Panorama Version (Maximum) | Managed VM-Series PAN-OS Version (Minimum) | New Features or Changes |
---|---|---|---|---|
5.0.1
|
|
|
|
Introduces support for PAN-OS and Panorama 10.2.x.
|
5.0.0 | Introduces support for PAN-OS and Panorama
10.2.x. | |||
4.0.3 |
|
|
| Introduces fixes for known issues. |
4.0.2 | Introduces fixes for known issues. | |||
4.0.1 | Introduces fixes for known issues. | |||
4.0.0 | Introduces Security-Centric Deployment Workflow (East-West)
for the VM-Series on VMware NSX-T. | |||
3.2.4 |
|
|
| Introduces fixes for known issues. |
3.2.3 | Introduces fixes for known issues. | |||
3.2.1 |
| Introduces fixes for known issues. | ||
3.2.0 |
|
|
| Introduces Security Policy Extension Between
NSX-V and NSX-T and Device Certificate Support on the VM-Series
for NSX. The following VM-Series firewall for NSX OVFs require
that you enable device certificates.
|
3.1.0 | 9.1 |
|
| Introduces the VM-Series firewall on VMware
NSX-T for East-West traffic protection. |
VMware vCenter
Learn about the Panorama™ plugin for VMware vCenter.
The following table shows the features introduced in
each version of the Panorama™ plugin for VMware vCenter.
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
---|---|---|---|
2.1.0
|
10.2
|
Latest
| Introduces fixes for known issues. |
2.0.0 | Introduces enhancements to increase reliability
and robustness. | ||
1.0.0 | 9.1 | Latest | Enables support for VM Monitoring from Panorama.
Configure the Panorama plugin for VMware vCenter to monitor VM workloads
so that you can consistently enforce security policy that automatically
adapts to changes within your vCenter environment. |
Zero Touch Provisioning (ZTP)
Learn about the Panorama™ plugin for Zero Touch Provisioning
(ZTP).
The following table shows the features introduced in
each version of the Panorama™ plugin for Zero Touch Provisioning
(ZTP).
End-of-life (EoL) software versions are included in this
table. Review the Software End-of-Life Summary
website to check whether we are still supporting your software
version.
Plugin Version
|
PAN-OS Version Minimum
|
Maximum PAN-OS Version
|
Features
|
---|---|---|---|
3.0.1
|
11.2.0
|
Latest
|
Minor bug and performance fixes.
|
3.0.0
|
11.2.0
|
Latest
|
ZTP 3.0 introduces enhancements to the ZTP onboarding experience
by allowing you to activate applicable licenses and install the
latest content updates when the firewall first connects to
Panorama.
|
2.0.4
|
11.0.1
10.2.4
|
Latest
|
Minor bug and performance fixes.
|
2.0.3
|
11.0.1
10.2.4
|
Latest
|
Minor bug and performance fixes.
|
2.0.2
|
10.2.0
|
10.2.3
|
Minor bug and performance fixes.
|
2.0.1
|
10.2.0
|
10.2.3
|
Minor bug and performance fixes.
|
2.0.0
|
10.2.0
|
10.2.3
|
Upgrade to the ZTP plugin to increase reliability. ZTP plugin 2.0
is required to upgrade to PAN-OS 10.2 and is supported only on
PAN-OS 10.2 and later releases.
|
1.0.2
|
10.1.0
|
Latest 10.1 release
|
Minor bug and performance fixes.
|
1.0.1
|
10.1.0
|
Latest 10.1 release
|
Minor bug and performance fixes.
|
1.0.0
|
9.1.4
|
Latest 9.1 release
|
Enables support for ZTP from Panorama. Configure the Panorama
plugin for ZTP to simplify and
streamline initial firewall deployment by automating the new
managed firewall on-boarding without the need for network
administrators to manually provision the firewall.
|