Panorama Plugins
Focus
Focus
Compatibility Matrix

Panorama Plugins

Table of Contents

Panorama Plugins

Learn about compatibility information for Panorama™ plugins.
The following tables describe the features and functionality introduced with the Panorama™ extensible plugin architecture.
For more information on Panorama plugin versions, refer to the VM-Series and Panorama Plugins Release Notes.

Cisco ACI

Learn about the Panorama™ plugin for Cisco ACI.
The following table shows the features introduced in each version of the Panorama™ plugin for Cisco ACI. The plugin uses device groups on Panorama to push the configuration to the managed firewalls.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Supported Cisco ACI Version
Panorama PAN-OS Version
(Minimum)
Maximum Panorama PAN-OS Version
Features
3.0.1
6.0.x
10.2 (10.2.7)
Latest
Introduces support for Endpoint Security Group (ESG) tags and fixes to known issues.
  • 5.2.x
10.2 (10.2.0)
3.0.0
  • 6.0.x
10.2 (10.2.4)
Latest
Introduces enhancements to increase reliability and robustness.
  • 5.2.x
  • 5.1.x
10.2 (10.2.0)
2.0.3
  • 6.0.x
10.1 (10.1.9)
Latest
Introduces a fix for a known issue.
You can do a new deployment of Cisco ACI 2.0.3 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.3. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.3.
  • 5.2.x
  • 5.1.x
  • 5.0.x
  • 4.2.x
  • 4.1.x
  • 4.0.x
  • 3.2
10.1
9.1
2.0.2
  • 5.1.x
  • 5.0.x
  • 4.2.x
  • 4.1.x
  • 4.0.x
  • 3.2
10.1
9.1
Latest
Introduces Cisco ACI 5.1 support and fixes for known issues.
You can do a new deployment of Cisco ACI 2.0.2 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.2. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.2.
2.0.1
  • 5.0.x
  • 4.2.x
  • 4.1.x
  • 4.0.x
  • 3.2
10.1
9.1
Latest
Introduces fixes for known issues.
2.0.0
  • 5.0.x
  • 4.2.x
  • 4.1.x
  • 4.0.x
  • 3.2
10.1
9.1
Latest
Introduces the Panorama Plugin for Cisco ACI Dashboard and two new monitored attributes—L2 external endpoint groups and subnets under bridge domains.
1.0.1
  • 5.0.x
  • 4.0.x
  • 3.2
  • 3.1
  • 2.3(1e)
9.1
9.1
Introduces support for multiple IP addresses per endpoint and Cisco ACI 4.0 and later.
1.0.0
  • 5.0.x
  • 3.2
  • 3.1
  • 2.3(1e)
9.1
9.1
Enables support for Endpoint Monitoring from Panorama. Configure the Panorama plugin for Cisco ACI to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your ACI deployment.

Cisco TrustSec

Learn about the Panorama™ plugin for Cisco TrustSec.
The following table shows the features introduced in each version of Panorama™ plugin for Cisco TrustSec.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Minimum Panorama PAN-OS Version
Qualified Cisco ISE Versions
Features
2.0.1
10.2
  • ISE 3.3
  • ISE 3.2
  • ISE 3.1
  • ISE 2.7
Introduces fixes for known issues.
2.0.0
10.2
  • ISE 3.2
  • ISE 3.1
  • ISE 2.7
Introduces support for Panorama 10.2.x.
Introduces support for security group tags (SGT). Use these tags as match criteria for placing IP addresses in dynamic address groups.
1.0.3
9.1
  • ISE 3.1
  • ISE 2.7
Introduces a fix for one issue.
1.0.2
9.1
  • ISE 2.4
  • ISE2.6
Introduces the PubSub monitoring mode, which parses notifications directly from the server. The plugin enables PubSub mode when v1.0.2 is running on Panorama 10.0.0 and later. If v1.0.2 is running on a Panorama version earlier than 10.0.0, the monitoring mode is Bulk Sync.
1.0.1
1.0.0
Enables support for endpoint monitoring from Panorama. Configure the Panorama plugin for Cisco TrustSec to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your TrustSec environment.

Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)

Learn about CloudConnector.
The following table shows the features introduced in each version of the plugin for AIOps.
Plugin Version
Panorama PAN-OS Version
(Minimum)
Maximum Panorama PAN-OS Version
New Features or Changes
2.0.1
10.2 (10.2.3)
Latest
Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
2.0.0
10.2 (10.2.3)
Latest
Enables you to use the Panorama AWS plugin 5.0.0 to author and push device group based policies to Cloud NGFW for AWS resources.
1.1.0
10.2 (10.2.3)
Latest
Enables the policy analyzer feature that helps you to check if a new security rule meets your intended purpose and that it does not duplicate, shadow, or conflict with your existing rules (pre-commit). You can also check for duplication and other anomalies across your current Security policy rulebase (post-commit).
1.0.0
10.2 (10.2.1)
Latest
Enables you to proactively enforce best practice checks by validating your commits and letting you know if a policy needs work before pushing it to your Panorama.

Cloud Services

Review minimum plugin versions depending on whether you use the plugin for both Cortex™ Data Lake and Prisma™ Access or for only Strata Logging Service (formerly Cortex® Data Lake).
You use the Cloud Services plugin to activate Panorama Managed Prisma Access and to retrieve logs from Panorama-managed firewalls using Strata Logging Service. Review the following table to see the minimum Panorama and plugin versions for your deployment type.
Deployment TypePanorama and Plugin requirements
Panorama Managed Prisma Access
Dependent on plugin version. Review the Minimum Required Panorama Software Versions required for the plugin you are running. To find the plugin version you are running, select PanoramaCloud ServicesConfigurationService Setup and find the plugin version in the Plugin Alert area.
Strata Logging Service log retrieval from Panorama-managed firewalls onlyStrata Logging Service Software Compatibility has the minimum Panorama and plugin requirements.

Enterprise Data Loss Prevention (DLP)

Learn about the Panorama™ plugin for Enterprise Data Loss Prevention (DLP).
The following table shows the features introduced in each version of the Panorama™ plugin for Enterprise Data Loss Prevention (DLP).
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
PAN-OS Version
(Minimum)
Maximum PAN-OS Version
Cloud Services Plugin (Minimum)
Features
5.0.5
11.2.5
Latest 11.2
Cloud Services 5.0 Preferred
Minor bug and performance fixes.
5.0.4
11.1.0
Latest 11.2
Cloud Services 5.0 Preferred
Upgrade to Enterprise DLP plugin 5.0.4 to use AI Access Security for Prisma Access (Managed by Panorama).
AI Access Security enables organizations to safely adopt GenAI applications by employees by mitigating the risks posed by inadvertent data leakage in prompts and malicious content in responses. Fine-grained data exfiltration and access control policies let you to control the data exposed to GenAI apps while simultaneously allowing you to block access when necessary. A robust dashboard with detailed monitoring capabilities provides paralleled insights in to how GenAI apps are used across your organization.
5.0.3
11.1.0
Latest 11.2
Cloud Services 5.0 Preferred
Upgrade to Enterprise DLP plugin 5.0.3 to use AI Access Security for NGFW (Managed by Panorama).
AI Access Security enables organizations to safely adopt GenAI applications by employees by mitigating the risks posed by inadvertent data leakage in prompts and malicious content in responses. Fine-grained data exfiltration and access control policies let you to control the data exposed to GenAI apps while simultaneously allowing you to block access when necessary. A robust dashboard with detailed monitoring capabilities provides paralleled insights in to how GenAI apps are used across your organization.
5.0.2
11.1.0
11.2.2
Cloud Services 5.0 Preferred
Minor bug and performance fixes.
5.0.1
11.1.0
Latest 11.1 Release
Cloud Services 5.0 Preferred
Minor bug and performance fixes.
5.0.0
11.1.0
Latest 11.1 Release
Cloud Services 5.0 Preferred
You must upgrade to Enterprise DLP 5.0 plugin to upgrade to PAN-OS 11.1. Additionally, you must download the Enterprise DLP 5.0 plugin before you attempt to install PAN-OS 11.1.
4.0.4
11.0.3
Latest 11.0 Release
Cloud Services 4.0 Preferred
Minor bug and performance fixes.
4.0.3
11.0.3
Latest 11.0 Release
Cloud Services 4.0 Preferred
Minor bug and performance fixes.
4.0.2
11.0.3
Latest 11.0 Release
Cloud Services 4.0 Preferred
The data pattern character limit for a data profile is removed. Data profiles no longer limit the number of data pattern match criteria based on the number of alphanumeric characters in the data pattern name, description, regular expressions, and proximity keywords.
4.0.1
11.0.2
11.0.2
Cloud Services 4.0 Preferred
Enterprise Data Loss Prevention (E-DLP) now supports creating a file type include or exclude list for data filtering profiles configured for file-based inspection. This allows you to select one of two modes:
  • Inclusion Mode—Allow only specified file types be scanned by Enterprise DLP.
  • Exclusion Mode—Allow all supported files to be scanned by Enterprise DLP by default but excluding the file types you specify.
    Exclusion Mode includes True File Type Support and does not rely on file extensions to determine file types.
4.0.0
11.0.0
11.0.1
Cloud Services 4.0 Preferred
You must upgrade to Enterprise DLP 4.0 plugin to upgrade to PAN-OS 11.0. Additionally, you must download the Enterprise DLP 4.0 plugin before you attempt to install PAN-OS 11.0.
3.0.9
10.2.8
Latest 10.2 Release
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
Minor bug and performance fixes.
3.0.8
10.2.4-h3
10.2.7
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
Minor bug and performance fixes.
3.0.8
10.2.4-h3
10.2.7
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
Minor bug and performance fixes.
3.0.7
10.2.4-h3
10.2.7
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
Minor bug and performance fixes.
3.0.6
10.2.4-h3
10.2.7
Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
The data pattern character limit for a data profile is removed. Data profiles no longer limit the number of data pattern match criteria based on the number of alphanumeric characters in the data pattern name, description, regular expressions, and proximity keywords.
3.0.5
10.2.4-h3
10.2.7
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
Minor bug and performance fixes.
3.0.4
10.2.410.2.4-h3
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
Enterprise DLP now supports new applications, expanded download support and large file inspection for many existing applications, and FedRAMP High compliance.
3.0.3
10.2.3-h4
10.2.4
Prisma Access 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
Enterprise DLP now supports upload inspection of files up to 100MB in size for the Box Web App and Web Browsing applications.
3.0.2
10.2.3
Latest 10.2.3-h4
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
Enterprise DLP now supports inspection of file and non-file based HTTP/2 traffic.
3.0.1
10.2.1
10.2.3
Cloud Services 3.1.0-h50
(PAN-OS 10.2.2-h1 and later releases)
The Panorama plugin for Enterprise DLP supports creating a data filtering profile to scan non-file based traffic for sensitive data.
3.0.0
10.2.0
10.2.1
Not Supported
Upgrade to the Enterprise DLP plugin to increase reliability. Enterprise DLP plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
1.0.8
10.1.11
Latest 10.1 Release
Cloud Services 2.2
Minor bug and performance fixes.
1.0.7
10.1
Latest 10.1 Release
Cloud Services 2.2
Minor bug and performance fixes.
1.0.6
10.1
Latest 10.1 Release
Cloud Services 2.2
Minor bug and performance fixes.
1.0.5
10.1
Latest 10.1 Release
Cloud Services 2.2
Minor bug and performance fixes.
1.0.4
10.1
Latest 10.1 Release
Cloud Services 2.2
Minor bug and performance fixes.
1.0.3
10.1
Latest 10.1 Release
Cloud Services 2.2
The Panorama plugin for DLP supports the integration of Enterprise DLP with Prisma Access.
1.0.2
10.1
Latest 10.1 Release
Not Supported
No new features were added for this release.
1.0.1
10.1
Latest 10.1 Release
Not Supported
Enables support for Enterprise DLP from Panorama. Configure the Panorama plugin for Enterprise DLP to protect against unauthorized access, misuse, extraction, and sharing of sensitive information and effectively filter network traffic to block or generate an alert before sensitive information leaves the network.

Panorama Interconnect

The Panorama™ minimum supported version for the Panorama Interconnect plugin.
The following table shows the features introduced in each version of the Panorama™ Interconnect plugin.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Minimum PAN-OS Version
Maximum PAN-OS Version
New Features or Changes
2.0.0
10.2.4 (PAN-OS 10.2 release)
Latest 10.2 version (PAN-OS 10.2 release)
You must upgrade to Panorama Interconnect 2.0.0 plugin to upgrade to PAN-OS 10.2.
1.1.0
10.0.0
Latest 10.1 version
Enables you to selectively push device groups, template stacks, and some common Panorama configurations from the Panorama Controller to the Panorama Nodes to avoid pushing extraneous configurations to Panorama Nodes to minimize configuration bloat and operational delays across your Panorama Interconnect deployment.
1.0.2
9.1
Latest 10.1 version
Minor bug and performance fixes.
1.0.1
Minor bug and performance fixes.
1.0.0
First plugin introduced to support a two-tier Panorama deployment for a horizontal scale-out architecture.

IPS Signature Converter

Learn about the Panorama IPS Signature Converter plugin.
The following table shows the features introduced in each version of the Panorama™ IPS Signature Converter plugin.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Minimum PAN-OS Version
Features
2.0.3
10.2
  • Supports the Startswith and Endswith keywords.
  • Supports DNS protocol and the dns_query keyword.
2.0.2
10.2
Supports SMTP and FTP protocols.
2.0.1
10.2
Supports HTTP sticky buffers.
Now converts Snort rules that have commas separating content patterns and their associated suboption.
2.0.0
10.2
Uses Python 3 for compatibility with PAN-OS 10.2.
1.0.7
10.1
  • Supports the Startswith and Endswith keywords.
  • Supports DNS protocol and the dns_query keyword.
1.0.6
10.1
Supports SMTP and FTP protocols.
1.0.5
10.1
Supports HTTP sticky buffers.
Now converts Snort rules that have commas separating content patterns and their associated suboption.
1.0.4
10.1
No significant changes in functionality.
1.0.3
10.1
Converts rules into SSL custom signatures if their port is 443.
Converts server-to-client HTTP rules without content modifiers into custom signatures with the http-rsp-status-line and http-rsp-headers contexts.
Converts Suricata TLS rules into TLS custom signatures and supports additional TLS and file data sticky buffers.
1.0.2
10.1
Converts rules that use the smb protocol or port 445.
Supports HTTP sticky buffer keywords in Suricata rules.
Converts HTTP rules into HTTP custom signatures if either the port in the rule is HTTP-_PORTS or the protocol is http.
1.0.1
10.1
Identifies whether newly converted signatures are already included as part of your Palo Alto Networks Threat Prevention subscription.
1.0.0
10.1
Enables support for third-party IPS signature conversion from Panorama. Use the Panorama IPS Signature Converter plugin to gain immediate protection against newly discovered threats by converting third-party IPS rules into Palo Alto Networks custom threat signatures and distributing them to your Panorama-managed firewalls.

Kubernetes

Learn about the Panorama Kubernetes plugin.
The following table displays the features introduced in each version of the Panorama™ Kubernetes plugin.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Minimum Panorama PAN-OS Version
Maximum Panorama PAN-OS Version
Features
4.0.0
11.0
Latest
Introduces new features like CN-Series Hyperscale Security Fabric, (HSF), Tag Length Enhancement, Shared DAG Support, and Nested DAG Support.
3.0.3
10.2
Latest
Introduces fixes for known issues.
3.0.2
10.2
Latest
Introduces fixes for known issues.
3.0.1
Introduces support for shared dynamic address groups.
3.0.0
Introduces Retrieving IPv6 Addresses for Multus CNI Setup, Tag Pruning, Service Account Validation, and advanced Dashboard features.
2.0.2
10.1
10.1
K8s plugin 2.0.2 creates a new template on Panorama called K8S-Network-Setup-V1-125. This template creates 250 vwire interfaces and 125 vwires.
2.0.1
Introduces fixes for known issues.
2.0.0
Introduces Core-Based Licensing, Multiple Interface Support, and Custom Certificate Chaining.
1.0.5
Introduces fixes for known issues.
1.0.4
Introduces fixes for known issues.
1.0.3
Introduces fixes for known issues.
1.0.2
Introduces fixes for known issues.
1.0.1
Introduces the ability to disable the creation of service objects on Panorama, and support for offline licensing of CN-Series firewalls with Panorama.
1.0.0
Manages licenses for the CN-Series firewall and enables you to monitor clusters and leverage Kubernetes labels that you use to organize Kubernetes objects. The plugin communicates with the API server and retrieves metadata, which gives you visibility into applications running within a cluster.

Clustering Plugin

The following table shows the features introduced in Panorama Clustering plugin.
Plugin Version
Panorama PAN-OS Version
(Minimum)
Maximum Panorama PAN-OS VersionFeatures
2.0.0
11.1.5
Latest
Provides a migration process that allows you to migrate from a non-PA-7500 Series firewall with an existing Panorama non-clustering template to a PA-7500 Series firewall with a Panorama clustering template. The release also provides support for MACsec on the HSCI ports that connect the firewalls in the NGFW cluster. MACsec provides data confidentiality and integrity between the two endpoints.
2.0.0
11.1.3
Latest
Provides visibility to the NGFW clusters (also known as PA-Series clusters) in PA-7500 Series firewalls.
1.0.0
11.0
Latest
Provides the visibility to the Hyper Scale Security Fabric (HSF) clusters in CN-Series.

Network Discovery

The PAN-OS minimum supported version for the PAN-OS Network Discovery Plugin.
The following table shows the features introduced in each version of the Panorama™ plugin for Network Discovery.
Plugin Version
Panorama PAN-OS Version
(Minimum)
Maximum Panorama PAN-OS Version
Features
2.1.0
10.2.14
11.2.4
Latest 10.2 release
Latest 11.2 release
Introduces support for multiple entry switches and multiple SNMP credentials.
Supports site creation and site overwrite for existing subnets learned through SNMP crawling.
2.0.2
11.1
Latest
Introduces new protocols for device polling.
Introduces new settings options for configuring SNMP network discovery and network data refreshment jobs.
Includes a fix for a known issue.
2.0.1
Introduces debug logs and fixes for a known issue.
2.0.0
Introduces device polling using various protocols. Use polling to learn new device attributes to send to IoT Security.
1.0.1
Introduces the capability to specify a network discovery protocol using the CLI.
1.0.0
Introduces SNMP querying for switches and network devices. Use SNMP querying to learn bindings and network data to send to IoT Security.

Nutanix

Learn about the Panorama™ plugin for Nutanix.
The following table shows the features introduced in each version of the Panorama™ plugin for Nutanix.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Panorama PAN-OS Version
(Minimum)
Maximum Panorama PAN-OS Version
Features
2.0.2
10.2
Latest
Introduces fixes for known issues.
2.0.1
10.2
Latest
Introduces fixes for known issues.
2.0.0
Introduces enhancements to increase reliability and robustness.
1.0.0
9.0 (9.0.4)
Latest
Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for Nutanix to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your Nutanix environment.

OpenConfig

The PAN-OS minimum supported version for the PAN-OS OpenConfig plugin.
The following table shows the features introduced in each version of the OpenConfig plugin.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
PAN-OS Version
(Minimum)
New Features or Changes
2.1.1
10.2.11
Support for XML API and File-upload custom PAN-OS data models.
2.1.0
10.2.11
General improvements and bug fixes.
2.0.2
10.2.11
Plugin support for PAN-OS version 10.2.11 and later.
2.0.1
11.0.4
Plugin support for PAN-OS version 11.0.4 and later.
2.0
11.1
Enables Panorama suppport and telemetry streaming with PAN-OS custom data models for logging, PCAP, and config data. Starting with 2.0, the OpenConfig plugin also comes prepackaged with PAN-OS.
1.3 (Firewall Only)
10.1
Enables support for all streaming modes with the OpenConfig-routing-policy model.
1.2.0 (Firewall Only)
Enables support for protobuf and unbundling.
1.1.0 (Firewall Only)
Enables support for these standard OpenConfig models:
  • openconfig-ha
  • openconfig-zones
  • openconfig-network-instances
  • openconfig-routing-policy
  • openconfig-ospfv2
1.0.0 (Firewall Only)
Enables support for the OpenConfig plugin on PAN-OS firewalls so that you can use standard OpenConfig models to automate configuration and stream telemetry.

Panorama Software Firewall License Plugin

Learn about the Panorama™ Software Firewall License plugin.
The following table shows the features introduced in each version of the Panorama™ Software Firewall License plugin.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Panorama PAN-OS Version
(Minimum)
Maximum Panorama PAN-OS Version
Minimum VM-Series Plugin Version
Features
1.1.2
10.0 (10.0.4)
Latest
2.0.4
Introduces fixes for known issues.
1.1.1
10.1
Latest
2.0.4
Introduces fixes for known issues.
1.1.0
Introduces fixes for known issues.
1.0.0
The Panorama Software Firewall License plugin allows you to automatically license a VM-Series firewall when it connects to Panorama.

Public Cloud—AWS, Azure, and GCP

Learn about the different public cloud plugins supported on Panorama™.
The following table shows the features introduced in each version of the Panorama™ plugin for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The plugins use device groups and templates on Panorama to push the configuration to the managed firewalls.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Public Cloud Platform
AWS Plugin Version
Panorama PAN-OS Version (Minimum)
Maximum Panorama PAN-OS Version
VM-Series Plugin Version (Minimum)
Features
AWS
5.3.1
10.2 (10.2.3)Latest
3.0.0
Introduces fixes for known issues.
5.3.0
10.2 (10.2.3)Latest
3.0.0
Adds support for Egress NAT and Zone-based Policy Rules on the Cloud NGFW for AWS. Introduces fixes for known issues.
5.2.2
10.2 (10.2.3)Latest
3.0.0
Introduces fixes for known issues.
5.2.1
10.2 (10.2.3)Latest
3.0.0
Introduces fixes for known issues.
5.1.3
10.2 (10.2.3)Latest
3.0.0
Introduces fixes for known issues.
5.1.2
10.2 (10.2.3)Latest
3.0.0
Introduces fixes for known issues.
5.1.1
10.2 (10.2.3)Latest
3.0.0
Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
5.0.1
10.2 (10.2.3)Latest
3.0.0
Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
5.0.0
10.2 (10.2.3)Latest
3.0.0
4.1.0
10.2
Latest
3.0.0
Introduces support for nested dynamic address groups and tag pruning.
4.0.0
10.2
Latest
3.0.0
Introduces enhancements to increase reliability and robustness.
3.0.310.110.1
2.0.6
Introduces shared dynamic address groups support and bug fixes.
3.0.2
10.110.1
2.0.6
Introduces proxy support and bug fixes.
3.0.110.110.1
2.0.6
Introduces enhancements and bug fixes.
3.0.010.110.1
2.0.6
Introduces Panorama Orchestration and new monitoring parameters.
2.0.2
10.1
10.1
2.0.2
Introduces fixes for known issues.
9.1 (9.1.2)
1.0.8
2.0.1
1.0.4
Introduces a fix for a known issue.
2.0.0
9.1 (9.1.2)
10.1
1.0.8
Enables support for:
Public Cloud Platform
Azure Plugin Version
Panorama PAN-OS Version (Minimum)
Maximum Panorama PAN-OS Version
VM-Series Plugin Version
(Minimum)
Features
Azure
5.2.2
10.2.4Latest
4.0.0
Adds support for Strata Logging Service. Introduces fixes for known issues.
5.2.1
10.2.4Latest
4.0.0
Adds permission validation for private endpoint read access. Introduces new tags used for monitoring. Introduces fixes for known issues.
5.2.0
10.2.4Latest
4.0.0
Introduces an automated workflow for maintaining the life cycle of the VM auth key.
5.1.2
10.2.4Latest
4.0.0
Introduces loopback zone support and DNS proxy support on Cloud NGFW for Azure.
5.1.1
10.2.4Latest
4.0.0
Introduces tag pruning feature to increase the scalability and the number of tags collected by the Azure plugin.
5.0.0
10.2.4Latest
4.0.0
Introduces support for Panorama integration with Cloud NGFW for Azure.
4.2.0
10.2 (10.2.3)
Latest
3.0.1
Introduces support for Azure Workspace-based Application Insights.
4.1.0
10.2
Latest
Latest
Increased the number of front-end applications per VM-Series for Azure deployment.
4.0.0
10.2
Latest
Latest
Introduces enhancements to increase reliability and robustness.
3.2.2
10.1
10.1
2.1.0
Introduces fixes for a known issue.
2.0.1
3.2.1
10.1
10.1
2.1.0
Introduces fixes for known issues.
2.0.1
3.2.0
10.1
10.1
2.1.0
Introduces proxy support and fix for a known issue.
2.0.1
3.1.0
10.1
10.1
2.1.0
Introduces fixes for a known issue.
2.0.1
3.0.1
10.1
10.1
2.1.0
Introduces fixes for known issues.
2.0.1
3.0.0
(Upgrade from 2.0.0 to 3.0.0 is not supported.)
10.1
10.1
2.1.0
Introduces Panorama Orchestration.
2.0.1
2.0.3
10.1
10.1
2.1.0
Introduces a fix for a known issue.
2.0.0
9.1 (9.1.2)
1.0.8
9.1
1.0.4
2.0.2
9.1
10.1
1.0.4
Introduces fixes for known issues.
2.0.1
9.1
10.1
1.0.4
Introduces fixes for known issues.
2.0.0
9.1
10.1
1.0.4
Enables support for:
Public Cloud Platform
GCP Plugin Version
Panorama PAN-OS Version (Minimum)
Maximum Panorama PAN-OS Version
VM-Series Plugin Version
Features
GCP
3.1.1
10.2
Latest
3.0.0
Introduces performance and status enhancements in monitoring definitions.
3.1.0
10.2
Latest
3.0.0
Introduces monitoring of shared VPC deployments.
3.0.0
10.2
Latest
3.0.0
Introduces enhancements to increase reliability and robustness.
2.0.0
(Upgrade from 1.0.0 to 2.0.0 is not supported.)
9.1
Latest
1.0.4
Enables you to monitor and secure VMs or GKE clusters deployed in GCP.
  • Deploy auto scaling for VM instance groups or GKE clusters using auto scaling templates for both firewall and application deployments.
  • VM Monitoring for GCP assets.

SD-WAN

Learn about the Panorama™ plugin for SD-WAN.
The following table shows the features introduced in each version of the Panorama™ plugin for SD-WAN.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
PAN-OS Version (Minimum)
Maximum PAN-OS Version
Features
3.3.2
11.2.4
Latest
To use the following feature or enhancements, you require PAN-OS 11.2.4 and later 11.2 releases.
  • Prisma Access Hub Support for SD-WAN enabled Cellular Interfaces (4G/5G).
  • Improvements and bug fixes.
3.3.1
11.2.3
Latest
To use the following feature or enhancements, you require PAN-OS 11.2.3 and later 11.2 releases.
3.3.0
11.2
Latest
To use the following feature or enhancements, you require PAN-OS 11.2.0 and later releases.
  • Supports monitoring the bandwidth of a tunnel and a physical interface for a selected site (by default) in addition to existing jitter, latency, and packet loss performance measures.
  • Supports multiple virtual routers on the SD-WAN hubs that enable you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub.
  • Additional SD-WAN hubs supported for VPN cluster.
  • Additional private link types supported for SD-WAN interface profile.
  • Bug and performance fixes.
3.2.2
11.1.5
(11.1.5)
Latest
To use the following feature or enhancements, you require PAN-OS 11.1.5 and later releases.
  • Supports monitoring the bandwidth of a tunnel and a physical interface for a selected site (by default) in addition to existing jitter, latency, and packet loss performance measures.
  • Bug fixes.
3.2.1
11.1
(11.1.3)
Latest
To use the following feature or enhancements, you require PAN-OS 11.1.3 and later 11.1 releases.
3.2.0
11.1
Latest
  • SD-WAN IKEv2 certificate-based authentication support.
  • Public cloud SD-WAN high availability support.
  • Enable SD-WAN on IPv6 interfaces and IPv6 tunnel support.
  • Bug and performance fixes.
3.1.3
11.0 (11.0.4)
Latest
To use the following feature or enhancements, you require PAN-OS 11.0.4 and later 11.0 releases.
3.1.2
11.0 (11.0.2)
Latest
Bug and performance fixes.
3.1.1
11.0 (11.0.2)
Latest
SD-WAN IPv6 Basic Connectivity
3.0.1-h6
11.0 (11.0.1)
Latest
Bug and performance fixes.
3.1.0-h6
11.0 (11.0.1)
Latest
Enables Advanced Routing Engine support.
3.0.8
10.2.11
Latest
Improvements and bug fixes
3.0.7
10.2 (10.2.8)
Latest
To use the following feature or enhancements, you require PAN-OS 10.2.8 and later releases.
3.0.6
10.2 (10.2.7)
Latest
Bug fixes.
3.0.6
10.2 (10.2.6)
Latest
Bug fixes.
3.0.5
10.2 (10.2.5)
Latest
Bug and performance fixes.
3.0.4
10.2 (10.2.4)
Latest
Bug and performance fixes.
3.0.3
10.2 (10.2.1)
Latest
Bug and performance fixes.
3.0.2
10.2 (10.2.1)
Latest
Bug and performance fixes.
3.0.1
10.2 (10.2.1)
Latest
Copy ToS Header Support.
3.0.0
10.2
Latest
Upgrade to the SD-WAN plugin to increase reliability. SD-WAN plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
2.2.7
10.1.3-h1
Latest
Improvements and bug fixes
2.2.6
10.1 (10.1.11)
Latest
Bug and performance fixes.
2.2.5
10.1 (10.1.11)
Latest
Bug and performance fixes.
2.2.4
10.1 (10.1.10)
Latest
Bug and performance fixes.
2.2.3
10.1 (10.1.9)
Latest
Bug and performance fixes.
2.2.2
10.1 (10.1.5-h1)
Latest
Bug and performance fixes.
2.2.1
10.1 (10.1.5-h1)
Latest
Copy ToS Header support.
2.2.0
10.1 (10.1.4)
Latest
Prisma Access Hub support.
2.1.1
10.1
Latest
Minor bug and performance fixes.
2.1.0
10.1
Latest
SD-WAN supports Aggregated Ethernet (AE) interfaces with or without subinterfaces for link redundancy. AE interfaces allow you to tag for different ISP services to achieve end-to-end traffic segmentation. SD-WAN also supports Layer 3 subinterfaces for end-to-end traffic segmentation.
2.0.3
10.1
Latest
Minor bug and performance fixes.
2.0.2
10.1
Latest
Includes support so you can control whether Auto VPN configuration enables or disables the Remove Private AS setting for all BGP peer groups on a branch or hub.
2.0.1
10.1
Latest
Includes support for full mesh VPN cluster with DDNS service, auto-VPN configuration with branch behind NAT, and Direct Internet Access (DIA) AnyPath.
2.0.0
10.1
Latest
Maintain high-quality application experience by leveraging Forward Error Correction (FEC) and packet duplication and by accurately measuring SaaS and Cloud applications when you have an SD-WAN firewall with Direct Internet Access (DIA) links.
1.0.6
9.1 (9.1.4)
Latest
Minor bug and performance fixes.
1.0.5
9.1 (9.1.4)
Latest
Minor bug and performance fixes.
1.0.4
9.1 (9.1.4)
Latest
In an SD-WAN VPN cluster that has more than one hub, you must assign a priority to each hub, which determines the primary hub and hub failover order. Panorama maps the priority to a BGP local preference and pushes the local preference to the branches in the cluster.
1.0.3
9.1 (9.1.3)
9,1
When the SD-WAN hub is behind a NAT device, the plugin supports an upstream NAT IP address or FQDN for Auto VPN configuration to use as a tunnel endpoint.
1.0.2
9.1 (9.1.2-h1)
9.1.3
Improves ease of use, such as an automatic Security policy rule to allow BGP between branches and hubs, ability to refresh the IKE preshared key for VPN cluster members, specifying VPN tunnel IP address ranges, and more.
1.0.1
9.1 (9.1.1)
9.1.2
Improves monitoring experience and search filtering, and adds an option to display HA peers consecutively.
1.0.0
9.1
9.1.2
Enables support for SD-WAN from Panorama. Configure the Panorama plugin for SD-WAN to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Provide the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity.

VMware NSX

Review the features introduced in each version of the VM-Series firewall VMware NSX plugin.
The following table shows the features introduced in each version of the VM-Series firewall VMware NSX plugin. For additional information about each plugin, see the release notes on the Customer Support Portal.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Panorama Version (Minimum)
Panorama Version (Maximum)
Managed VM-Series PAN-OS Version (Minimum)
New Features or Changes
5.0.1
  • NSX-V: 10.2 (10.2.2)
  • NSX-T N/S: 10.2 (10.2.2)
  • NSX-T E/W: 10.2 (10.2.2)
  • NSX-V: 10.2
  • NSX-T N/S: 10.2
  • NSX-T E/W: 10.2
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
Introduces support for PAN-OS and Panorama 10.2.x.
5.0.0
Introduces support for PAN-OS and Panorama 10.2.x.
4.0.3
  • NSX-V: 10.1
  • NSX-T N/S: 10.1
  • NSX-T E/W: 10.1
  • NSX-V: 10.1
  • NSX-T N/S: 10.1
  • NSX-T E/W: 10.1
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
Introduces fixes for known issues.
4.0.2
Introduces fixes for known issues.
4.0.1
Introduces fixes for known issues.
4.0.0
Introduces Security-Centric Deployment Workflow (East-West) for the VM-Series on VMware NSX-T.
3.2.4
  • NSX-V: 10.1
  • NSX-T N/S: 10.1
  • NSX-T E/W: 10.1
  • NSX-V: 10.1
  • NSX-T N/S: 10.1
  • NSX-T E/W: 10.1
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
Introduces fixes for known issues.
3.2.3
Introduces fixes for known issues.
3.2.1
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
Introduces fixes for known issues.
3.2.0
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
  • NSX-V: 10.1
  • NSX-T N/S: 10.1
  • NSX-T E/W: 10.1
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
Introduces Security Policy Extension Between NSX-V and NSX-T and Device Certificate Support on the VM-Series for NSX.
The following VM-Series firewall for NSX OVFs require that you enable device certificates.
  • 10.1 or later
  • 9.1.5 or later
3.1.0
9.1
  • NSX-V: 10.1
  • NSX-T N/S: 10.2
  • NSX-T E/W: 10.2
  • NSX-V: 9.1
  • NSX-T N/S: 9.1
  • NSX-T E/W: 9.1
Introduces the VM-Series firewall on VMware NSX-T for East-West traffic protection.

VMware vCenter

Learn about the Panorama™ plugin for VMware vCenter.
The following table shows the features introduced in each version of the Panorama™ plugin for VMware vCenter.
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
Panorama PAN-OS Version (Minimum)
Maximum Panorama PAN-OS VersionFeatures
2.1.0
10.2
Latest
Introduces fixes for known issues.
2.0.0
Introduces enhancements to increase reliability and robustness.
1.0.0
9.1
Latest
Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for VMware vCenter to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your vCenter environment.

Zero Touch Provisioning (ZTP)

Learn about the Panorama™ plugin for Zero Touch Provisioning (ZTP).
The following table shows the features introduced in each version of the Panorama™ plugin for Zero Touch Provisioning (ZTP).
End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
Plugin Version
PAN-OS Version Minimum
Maximum PAN-OS Version
Features
3.0.1
11.2.0
Latest
Minor bug and performance fixes.
3.0.0
11.2.0
Latest
ZTP 3.0 introduces enhancements to the ZTP onboarding experience by allowing you to activate applicable licenses and install the latest content updates when the firewall first connects to Panorama.
2.0.4
11.0.1
10.2.4
Latest
Minor bug and performance fixes.
2.0.3
11.0.1
10.2.4
Latest
Minor bug and performance fixes.
2.0.2
10.2.0
10.2.3
Minor bug and performance fixes.
2.0.1
10.2.0
10.2.3
Minor bug and performance fixes.
2.0.0
10.2.0
10.2.3
Upgrade to the ZTP plugin to increase reliability. ZTP plugin 2.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
1.0.2
10.1.0
Latest 10.1 release
Minor bug and performance fixes.
1.0.1
10.1.0
Latest 10.1 release
Minor bug and performance fixes.
1.0.0
9.1.4
Latest 9.1 release
Enables support for ZTP from Panorama. Configure the Panorama plugin for ZTP to simplify and streamline initial firewall deployment by automating the new managed firewall on-boarding without the need for network administrators to manually provision the firewall.