>
    Strata Copilot
    Panorama Plugins
    Focus
    Download PDF
    Focus
    1. Home
    2. Compatibility Matrix
    3. Panorama
    4. Panorama Plugins
    Download PDF
    Compatibility Matrix

    Panorama Plugins

    Table of Contents

    Panorama Plugins

    Learn about compatibility information for Panorama™ plugins.
    The following tables describe the features and functionality introduced with the Panorama™ extensible plugin architecture.
    For more information on Panorama plugin versions, refer to the VM-Series and Panorama Plugins Release Notes.

    Plugins Bundled in Panorama 12.1

    For PAN-OS 12.1, most plugins are bundled with the software package. The following plugins are part of the PAN-OS 12.1 package and available for installation from PanoramaPlugins. The following table provides examples of the plugin versions provided for different PAN-OS releases. This information is available from your Panorama dashboard.
    Bundled PluginsPAN-OS 12.1.2PAN-OS 12.1.7
    Advanced SD-WAN3.4.03.4.2
    AWS6.0.16.0.4
    Azure6.0.16.0.3
    Cisco ACI4.0.04.0.1
    Cisco TrustSec3.0.03.0.1
    CloudConnector2.1.13.0.1
    Clustering3.0.03.0.2
    Enterprise Data Loss Prevention (DLP)6.0.16.0.3
    GCP4.0.04.0.1
    IPS Signature Converter3.0.03.0.1
    Kubernetes5.0.15.1.1
    Network Discovery3.0.03.0.0
    Nutanix3.0.03.0.1
    OpenConfig2.1.42.1.5
    Panorama Software Firewall License1.2.11.2.3
    Software Firewall Orchestration1.0.11.1.3
    VM-Series6.1.06.1.4
    VMware NSX6.0.06.0.1
    VMware VCenter3.0.03.0.1
    Zero Touch Provisioning4.0.04.0.2
    Cloud Services 6.0.0-h206.1.0-h7

    Cisco ACI

    Learn about the Panorama™ plugin for Cisco ACI.
    The following table shows the features introduced in each version of the Panorama™ plugin for Cisco ACI. The plugin uses device groups on Panorama to push the configuration to the managed firewalls.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Supported Cisco ACI Version
    Panorama PAN-OS Version
    (Minimum)
    Maximum Panorama PAN-OS Version
    Features
    3.0.1
    6.0.x, 6.1
    10.2 (10.2.7)
    Latest
    Introduces support for Endpoint Security Group (ESG) tags and fixes to known issues.
    • 5.1.x, 5.2.x
    10.2 (10.2.0)
    3.0.0
    • 6.0.x
    10.2 (10.2.4)
    Latest
    Introduces enhancements to increase reliability and robustness.
    • 5.2.x
    • 5.1.x
    10.2 (10.2.0)
    2.0.3
    • 6.0.x
    10.1 (10.1.9)
    Latest
    Introduces a fix for a known issue.
    You can do a new deployment of Cisco ACI 2.0.3 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.3. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.3.
    • 5.2.x
    • 5.1.x
    • 5.0.x
    • 4.2.x
    • 4.1.x
    • 4.0.x
    • 3.2
    10.1
    9.1
    2.0.2
    • 5.1.x
    • 5.0.x
    • 4.2.x
    • 4.1.x
    • 4.0.x
    • 3.2
    10.1
    9.1
    Latest
    Introduces Cisco ACI 5.1 support and fixes for known issues.
    You can do a new deployment of Cisco ACI 2.0.2 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.2. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.2.
    2.0.1
    • 5.0.x
    • 4.2.x
    • 4.1.x
    • 4.0.x
    • 3.2
    10.1
    9.1
    Latest
    Introduces fixes for known issues.
    2.0.0
    • 5.0.x
    • 4.2.x
    • 4.1.x
    • 4.0.x
    • 3.2
    10.1
    9.1
    Latest
    Introduces the Panorama Plugin for Cisco ACI Dashboard and two new monitored attributes—L2 external endpoint groups and subnets under bridge domains.
    1.0.1
    • 5.0.x
    • 4.0.x
    • 3.2
    • 3.1
    • 2.3(1e)
    9.1
    9.1
    Introduces support for multiple IP addresses per endpoint and Cisco ACI 4.0 and later.
    1.0.0
    • 5.0.x
    • 3.2
    • 3.1
    • 2.3(1e)
    9.1
    9.1
    Enables support for Endpoint Monitoring from Panorama. Configure the Panorama plugin for Cisco ACI to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your ACI deployment.

    Cisco TrustSec

    Learn about the Panorama™ plugin for Cisco TrustSec.
    The following table shows the features introduced in each version of Panorama™ plugin for Cisco TrustSec.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Minimum Panorama PAN-OS Version
    Qualified Cisco ISE Versions
    Features
    3.0.012.1.2Latest
    (PAN-OS 12.1.2 or later releases) Upgrading the Cisco TrustSec plugin version manually is no longer required. Cisco TrustSec 3.0.0 and later plugin versions are managed by Panorama.
    2.0.3
    10.2
    • ISE 3.4
    • ISE 3.3
    • ISE 3.2
    • ISE 3.1
    • ISE 2.7
    Introduces fixes for known issues.
    2.0.2
    10.2
    • ISE 3.4
    • ISE 3.3
    • ISE 3.2
    • ISE 3.1
    • ISE 2.7
    Introduces fixes for known issues.
    2.0.1
    10.2
    • ISE 3.3
    • ISE 3.2
    • ISE 3.1
    • ISE 2.7
    Introduces fixes for known issues.
    2.0.0
    10.2
    • ISE 3.2
    • ISE 3.1
    • ISE 2.7
    Introduces support for Panorama 10.2.x.
    Introduces support for security group tags (SGT). Use these tags as match criteria for placing IP addresses in dynamic address groups.
    1.0.3
    9.1
    • ISE 3.1
    • ISE 2.7
    Introduces a fix for one issue.
    1.0.2
    9.1
    • ISE 2.4
    • ISE2.6
    Introduces the PubSub monitoring mode, which parses notifications directly from the server. The plugin enables PubSub mode when v1.0.2 is running on Panorama 10.0.0 and later. If v1.0.2 is running on a Panorama version earlier than 10.0.0, the monitoring mode is Bulk Sync.
    1.0.1
    1.0.0
    Enables support for endpoint monitoring from Panorama. Configure the Panorama plugin for Cisco TrustSec to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your TrustSec environment.

    Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)

    Learn about CloudConnector.
    The following table shows the features introduced in each version of the plugin for AIOps.
    Plugin Version
    Panorama PAN-OS Version
    (Minimum)
    Maximum Panorama PAN-OS Version
    New Features or Changes
    2.1.0
    10.2 (10.2.3)
    Latest
    Supports proxy configuration settings from Panorama.
    2.0.1
    10.2 (10.2.3)
    Latest
    Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
    2.0.0
    10.2 (10.2.3)
    Latest
    		Enables you to use the Panorama AWS plugin 5.0.0 to author and push device group based policies to Cloud NGFW for AWS resources.
    1.1.0
    10.2 (10.2.3)
    Latest
    Enables the policy analyzer feature that helps you to check if a new security rule meets your intended purpose and that it does not duplicate, shadow, or conflict with your existing rules (pre-commit). You can also check for duplication and other anomalies across your current Security policy rulebase (post-commit).
    1.0.0
    10.2 (10.2.1)
    Latest
    Enables you to proactively enforce best practice checks by validating your commits and letting you know if a policy needs work before pushing it to your Panorama.

    Cloud Services

    Review minimum plugin versions depending on whether you use the plugin for both Cortex™ Data Lake and Prisma™ Access or for only Strata Logging Service (formerly Cortex® Data Lake).
    You use the Cloud Services plugin to activate Panorama Managed Prisma Access and to retrieve logs from Panorama-managed firewalls using Strata Logging Service. Review the following table to see the minimum Panorama and plugin versions for your deployment type.
    Deployment TypePanorama and Plugin requirements
    Panorama Managed Prisma Access
    Dependent on plugin version. Review the Minimum Required Panorama Software Versions required for the plugin you are running. To find the plugin version you are running, select PanoramaCloud ServicesConfigurationService Setup and find the plugin version in the Plugin Alert area.
    Strata Logging Service log retrieval from Panorama-managed firewalls onlyStrata Logging Service Software Compatibility has the minimum Panorama and plugin requirements.

    Enterprise Data Loss Prevention (DLP)

    Learn about the Panorama™ plugin for Enterprise Data Loss Prevention (DLP).
    The following table shows the features introduced in each version of the Panorama™ plugin for Enterprise Data Loss Prevention (DLP).
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    PAN-OS Version
    (Minimum)
    Maximum PAN-OS Version
    Cloud Services Plugin (Minimum)
    Features
    6.0.3
    12.1.7
    Latest
    Cloud Services 6.0
    WebSocket support for non-file based traffic allows the detection engine to examine WebSocket persistent streams in real time to identify sensitive patterns previously hidden within the open connection.
    6.0.2
    12.1.5
    Latest
    Cloud Services 6.0
    Minor bug and performance fixes.
    6.0.1
    12.1.2
    Latest
    Cloud Services 6.0
    Granular data profiles enhance Enterprise DLP detection capabilities by allow you to apply differentiated inline content inspection requirements and response actions with the same Security policy rule.
    5.0.8
    11.1.0
    Latest 11.2
    Cloud Services 5.0 Preferred
    Minor bug and performance fixes.
    5.0.7
    11.1.0
    Latest 11.2
    Cloud Services 5.0 Preferred
    Minor bug and performance fixes.
    5.0.6
    11.1.0
    Latest 11.2
    Cloud Services 5.0 Preferred
    Minor bug and performance fixes.
    5.0.5
    11.1.0
    Latest 11.2
    Cloud Services 5.0 Preferred
    Minor bug and performance fixes.
    5.0.4
    11.1.0
    Latest 11.2
    Cloud Services 5.0 Preferred
    Upgrade to Enterprise DLP plugin 5.0.4 to use AI Access Security for Prisma Access (Managed by Panorama).
    AI Access Security enables organizations to safely adopt GenAI applications by employees by mitigating the risks posed by inadvertent data leakage in prompts and malicious content in responses. Fine-grained data exfiltration and access control policies let you to control the data exposed to GenAI apps while simultaneously allowing you to block access when necessary. A robust dashboard with detailed monitoring capabilities provides paralleled insights in to how GenAI apps are used across your organization.
    5.0.3
    11.1.0
    Latest 11.2
    Cloud Services 5.0 Preferred
    Upgrade to Enterprise DLP plugin 5.0.3 to use AI Access Security for NGFW (Managed by Panorama).
    AI Access Security enables organizations to safely adopt GenAI applications by employees by mitigating the risks posed by inadvertent data leakage in prompts and malicious content in responses. Fine-grained data exfiltration and access control policies let you to control the data exposed to GenAI apps while simultaneously allowing you to block access when necessary. A robust dashboard with detailed monitoring capabilities provides paralleled insights in to how GenAI apps are used across your organization.
    5.0.2
    11.1.0
    11.2.2
    Cloud Services 5.0 Preferred
    Minor bug and performance fixes.
    5.0.1
    11.1.0
    Latest 11.1 Release
    Cloud Services 5.0 Preferred
    Minor bug and performance fixes.
    5.0.0
    11.1.0
    Latest 11.1 Release
    Cloud Services 5.0 Preferred
    You must upgrade to Enterprise DLP 5.0 plugin to upgrade to PAN-OS 11.1. Additionally, you must download the Enterprise DLP 5.0 plugin before you attempt to install PAN-OS 11.1.
    4.0.4
    11.0.3
    Latest 11.0 Release
    Cloud Services 4.0 Preferred
    Minor bug and performance fixes.
    4.0.3
    11.0.3
    Latest 11.0 Release
    Cloud Services 4.0 Preferred
    Minor bug and performance fixes.
    4.0.2
    11.0.3
    Latest 11.0 Release
    Cloud Services 4.0 Preferred
    The data pattern character limit for a data profile is removed. Data profiles no longer limit the number of data pattern match criteria based on the number of alphanumeric characters in the data pattern name, description, regular expressions, and proximity keywords.
    4.0.1
    11.0.2
    11.0.2
    Cloud Services 4.0 Preferred
    Enterprise Data Loss Prevention (E-DLP) now supports creating a file type include or exclude list for data filtering profiles configured for file-based inspection. This allows you to select one of two modes:
    • Inclusion Mode—Allow only specified file types be scanned by Enterprise DLP.
    • Exclusion Mode—Allow all supported files to be scanned by Enterprise DLP by default but excluding the file types you specify.
      Exclusion Mode includes True File Type Support and does not rely on file extensions to determine file types.
    4.0.0
    11.0.0
    11.0.1
    Cloud Services 4.0 Preferred
    You must upgrade to Enterprise DLP 4.0 plugin to upgrade to PAN-OS 11.0. Additionally, you must download the Enterprise DLP 4.0 plugin before you attempt to install PAN-OS 11.0.
    3.0.10
    10.2.8
    Latest 10.2 Release
    Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
    Minor bug and performance fixes.
    3.0.9
    10.2.8
    Latest 10.2 Release
    Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
    Minor bug and performance fixes.
    3.0.8
    10.2.4-h3
    10.2.7
    Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
    Minor bug and performance fixes.
    3.0.8
    10.2.4-h3
    10.2.7
    Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
    Minor bug and performance fixes.
    3.0.7
    10.2.4-h3
    10.2.7
    Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
    Minor bug and performance fixes.
    3.0.6
    10.2.4-h3
    10.2.7
    Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases)
    The data pattern character limit for a data profile is removed. Data profiles no longer limit the number of data pattern match criteria based on the number of alphanumeric characters in the data pattern name, description, regular expressions, and proximity keywords.
    3.0.5
    10.2.4-h3
    10.2.7
    Cloud Services 3.1.0-h50
    (PAN-OS 10.2.2-h1 and later releases)
    Minor bug and performance fixes.
    3.0.4
    		10.2.410.2.4-h3
    Cloud Services 3.1.0-h50
    (PAN-OS 10.2.2-h1 and later releases)
    Enterprise DLP now supports new applications, expanded download support and large file inspection for many existing applications, and FedRAMP High compliance.
    3.0.3
    10.2.3-h4
    10.2.4
    Prisma Access 3.1.0-h50
    (PAN-OS 10.2.2-h1 and later releases)
    Enterprise DLP now supports upload inspection of files up to 100MB in size for the Box Web App and Web Browsing applications.
    3.0.2
    10.2.3
    Latest 10.2.3-h4
    Cloud Services 3.1.0-h50
    (PAN-OS 10.2.2-h1 and later releases)
    Enterprise DLP now supports inspection of file and non-file based HTTP/2 traffic.
    3.0.1
    10.2.1
    10.2.3
    Cloud Services 3.1.0-h50
    (PAN-OS 10.2.2-h1 and later releases)
    The Panorama plugin for Enterprise DLP supports creating a data filtering profile to scan non-file based traffic for sensitive data.
    3.0.0
    10.2.0
    10.2.1
    Not Supported
    Upgrade to the Enterprise DLP plugin to increase reliability. Enterprise DLP plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
    1.0.8
    10.1.11
    Latest 10.1 Release
    Cloud Services 2.2
    Minor bug and performance fixes.
    1.0.7
    10.1
    Latest 10.1 Release
    Cloud Services 2.2
    Minor bug and performance fixes.
    1.0.6
    10.1
    Latest 10.1 Release
    Cloud Services 2.2
    Minor bug and performance fixes.
    1.0.5
    10.1
    Latest 10.1 Release
    Cloud Services 2.2
    Minor bug and performance fixes.
    1.0.4
    10.1
    Latest 10.1 Release
    Cloud Services 2.2
    Minor bug and performance fixes.
    1.0.3
    10.1
    Latest 10.1 Release
    Cloud Services 2.2
    The Panorama plugin for DLP supports the integration of Enterprise DLP with Prisma Access.
    1.0.2
    10.1
    Latest 10.1 Release
    Not Supported
    No new features were added for this release.
    1.0.1
    10.1
    Latest 10.1 Release
    Not Supported
    Enables support for Enterprise DLP from Panorama. Configure the Panorama plugin for Enterprise DLP to protect against unauthorized access, misuse, extraction, and sharing of sensitive information and effectively filter network traffic to block or generate an alert before sensitive information leaves the network.

    IPS Signature Converter

    Learn about the Panorama IPS Signature Converter plugin.
    The following table shows the features introduced in each version of the Panorama™ IPS Signature Converter plugin.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Minimum PAN-OS Version
    Features
    2.0.3
    10.2
    • Supports the Startswith and Endswith keywords.
    • Supports DNS protocol and the dns_query keyword.
    2.0.2
    10.2
    Supports SMTP and FTP protocols.
    2.0.1
    10.2
    Supports HTTP sticky buffers.
    Now converts Snort rules that have commas separating content patterns and their associated suboption.
    2.0.0
    10.2
    Uses Python 3 for compatibility with PAN-OS 10.2.
    1.0.7
    10.1
    • Supports the Startswith and Endswith keywords.
    • Supports DNS protocol and the dns_query keyword.
    1.0.6
    10.1
    Supports SMTP and FTP protocols.
    1.0.5
    10.1
    Supports HTTP sticky buffers.
    Now converts Snort rules that have commas separating content patterns and their associated suboption.
    1.0.4
    10.1
    		No significant changes in functionality.
    1.0.3
    10.1
    Converts rules into SSL custom signatures if their port is 443.
    Converts server-to-client HTTP rules without content modifiers into custom signatures with the http-rsp-status-line and http-rsp-headers contexts.
    Converts Suricata TLS rules into TLS custom signatures and supports additional TLS and file data sticky buffers.
    1.0.2
    10.1
    Converts rules that use the smb protocol or port 445.
    Supports HTTP sticky buffer keywords in Suricata rules.
    Converts HTTP rules into HTTP custom signatures if either the port in the rule is HTTP-_PORTS or the protocol is http.
    1.0.1
    10.1
    Identifies whether newly converted signatures are already included as part of your Palo Alto Networks Threat Prevention subscription.
    1.0.0
    10.1
    Enables support for third-party IPS signature conversion from Panorama. Use the Panorama IPS Signature Converter plugin to gain immediate protection against newly discovered threats by converting third-party IPS rules into Palo Alto Networks custom threat signatures and distributing them to your Panorama-managed firewalls.

    Kubernetes

    Learn about the Panorama Kubernetes plugin.
    The following table displays the features introduced in each version of the Panorama™ Kubernetes plugin.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Minimum Panorama PAN-OS Version
    Maximum Panorama PAN-OS Version
    Features
    4.0.0
    11.0
    Latest
    Introduces new features like CN-Series Hyperscale Security Fabric, (HSF), Tag Length Enhancement, Shared DAG Support, and Nested DAG Support.
    3.1.3
    10.2
    Latest
    Introduces fixes for known issues.
    3.1.2
    10.2
    Latest
    Introduces fixes for known issues.
    3.0.4
    10.2
    Latest
    Introduces fixes for known issues.
    3.0.3
    10.2
    Latest
    Introduces fixes for known issues.
    3.0.2
    10.2
    Latest
    Introduces fixes for known issues.
    3.0.1
    Introduces support for shared dynamic address groups.
    3.0.0
    Introduces Retrieving IPv6 Addresses for Multus CNI Setup, Tag Pruning, Service Account Validation, and advanced Dashboard features.
    2.0.2
    10.1
    10.1
    K8s plugin 2.0.2 creates a new template on Panorama called K8S-Network-Setup-V1-125. This template creates 250 vwire interfaces and 125 vwires.
    2.0.1
    Introduces fixes for known issues.
    2.0.0
    Introduces Core-Based Licensing, Multiple Interface Support, and Custom Certificate Chaining.
    1.0.5
    Introduces fixes for known issues.
    1.0.4
    Introduces fixes for known issues.
    1.0.3
    Introduces fixes for known issues.
    1.0.2
    Introduces fixes for known issues.
    1.0.1
    Introduces the ability to disable the creation of service objects on Panorama, and support for offline licensing of CN-Series firewalls with Panorama.
    1.0.0
    Manages licenses for the CN-Series firewall and enables you to monitor clusters and leverage Kubernetes labels that you use to organize Kubernetes objects. The plugin communicates with the API server and retrieves metadata, which gives you visibility into applications running within a cluster.

    Clustering Plugin

    The following table shows the features introduced in Panorama Clustering plugin.
    Plugin Version
    Panorama PAN-OS Version
    (Minimum)
    		Maximum Panorama PAN-OS VersionFeatures
    2.0.0
    11.1.5
    Latest
    Provides a migration process that allows you to migrate from a non-PA-7500 Series firewall with an existing Panorama non-clustering template to a PA-7500 Series firewall with a Panorama clustering template. The release also provides support for MACsec on the HSCI ports that connect the firewalls in the NGFW cluster. MACsec provides data confidentiality and integrity between the two endpoints.
    2.0.0
    11.1.3
    Latest
    Provides visibility to the NGFW clusters (also known as PA-Series clusters) in PA-7500 Series firewalls.
    1.0.0
    11.0
    Latest
    		Provides the visibility to the Hyper Scale Security Fabric (HSF) clusters in CN-Series.

    Network Discovery

    The PAN-OS minimum supported version for the PAN-OS Network Discovery Plugin.
    The following table shows the features introduced in each version of the Panorama™ plugin for Network Discovery.
    Plugin Version
    Panorama PAN-OS Version
    (Minimum)
    Maximum Panorama PAN-OS Version
    Features
    3.1.0
    12.1.2
    Latest 12 release
    Parity with Network Discovery 2.3.0, to include:
    • Introduces configurable multi-threading for SNMP neighbor discovery jobs.
    • Includes fixes for known issues.
    3.0.1
    12.1.2
    Latest 12 release
    Parity with Network Discovery 2.2.3, to include:
    • Introduces option to exclude IP phones from neighbor discovery when doing SNMP crawling.
    • Includes fixes for known issues.
    3.0.0
    12.1.2
    Latest 12 release
    Parity with Network Discovery 2.2.2.
    2.3.3
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.3.2
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.3.1
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.3.0
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Introduces configurable multi-threading for SNMP neighbor discovery jobs.
    Includes a fix for a known issue.
    2.2.5
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes a fix for a known issue.
    2.2.4
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes a fix for a known issue.
    2.2.3
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Introduces option to exclude IP phones from neighbor discovery when doing SNMP crawling.
    Includes fixes for known issues.
    2.2.2
    10.2.17
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.2.1
    10.2.14
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.2.0
    10.2.14
    11.1
    Latest 10.2 release
    Latest 11 release
    Introduces new protocols for device polling.
    2.1.2
    10.2.14
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.1.1
    10.2.14
    11.1
    Latest 10.2 release
    Latest 11 release
    Includes fixes for known issues.
    2.1.0
    10.2.14
    11.1
    Latest 10.2 release
    Latest 11 release
    Introduces support for multiple entry switches and multiple SNMP credentials.
    Supports site creation and site overwrite for existing subnets learned through SNMP crawling.
    2.0.2
    11.1
    Latest 11 release
    Introduces new protocols for device polling.
    Introduces new settings options for configuring SNMP network discovery and network data refreshment jobs.
    Includes a fix for a known issue.
    2.0.1
    11.1
    Latest 11 release
    Introduces debug logs and fixes for a known issue.
    2.0.0
    11.1
    Latest 11 release
    Introduces device polling using various protocols. Use polling to learn new device attributes to send to Device Security.
    1.0.1
    11.1
    Latest 11 release
    Introduces the capability to specify a network discovery protocol using the CLI.
    1.0.0
    11.1
    Latest 11 release
    Introduces SNMP querying for switches and network devices. Use SNMP querying to learn bindings and network data to send to Device Security.

    Nutanix

    Learn about the Panorama™ plugin for Nutanix.
    The following table shows the features introduced in each version of the Panorama™ plugin for Nutanix.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Panorama PAN-OS Version
    (Minimum)
    Maximum Panorama PAN-OS Version
    Features
    2.0.2
    10.2
    Latest
    Introduces fixes for known issues.
    2.0.1
    10.2
    Latest
    Introduces fixes for known issues.
    2.0.0
    Introduces enhancements to increase reliability and robustness.
    1.0.0
    9.0 (9.0.4)
    Latest
    Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for Nutanix to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your Nutanix environment.

    OpenConfig

    The PAN-OS minimum supported version for the PAN-OS OpenConfig plugin.
    The following table shows the features introduced in each version of the OpenConfig plugin.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    PAN-OS Version
    (Minimum)
    New Features or Changes
    2.1.2
    10.2.11
    		A number of improvements and bug fixes.
    2.1.1
    10.2.11
    		Support for XML API and File-upload custom PAN-OS data models.
    2.1.0
    10.2.11
    		General improvements and bug fixes.
    2.0.2
    10.2.11
    		Plugin support for PAN-OS version 10.2.11 and later.
    2.0.1
    11.0.4
    		Plugin support for PAN-OS version 11.0.4 and later.
    2.0
    11.1
    		Enables Panorama suppport and telemetry streaming with PAN-OS custom data models for logging, PCAP, and config data. Starting with 2.0, the OpenConfig plugin also comes prepackaged with PAN-OS.
    1.3 (Firewall Only)
    10.1
    Enables support for all streaming modes with the OpenConfig-routing-policy model.
    1.2.0 (Firewall Only)
    Enables support for protobuf and unbundling.
    1.1.0 (Firewall Only)
    Enables support for these standard OpenConfig models:
    • openconfig-ha
    • openconfig-zones
    • openconfig-network-instances
    • openconfig-routing-policy
    • openconfig-ospfv2
    1.0.0 (Firewall Only)
    Enables support for the OpenConfig plugin on PAN-OS firewalls so that you can use standard OpenConfig models to automate configuration and stream telemetry.

    Panorama Software Firewall License Plugin

    Learn about the Panorama™ Software Firewall License plugin.
    The following table shows the features introduced in each version of the Panorama™ Software Firewall License plugin.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Panorama PAN-OS Version
    (Minimum)
    Maximum Panorama PAN-OS Version
    Minimum VM-Series Plugin Version
    Features
    1.2.0
    10.0 (10.0.4)
    		Latest
    2.0.4
    Introduces fixes for known issues.
    1.1.3
    10.0 (10.0.4)
    		Latest
    2.0.4
    Introduces fixes for known issues.
    1.1.2
    10.0 (10.0.4)
    		Latest
    2.0.4
    Introduces fixes for known issues.
    1.1.1
    10.1
    Latest
    2.0.4
    Introduces fixes for known issues.
    1.1.0
    Introduces fixes for known issues.
    1.0.0
    The Panorama Software Firewall License plugin allows you to automatically license a VM-Series firewall when it connects to Panorama.

    Public Cloud—AWS, Azure, and GCP

    Learn about the different public cloud plugins supported on Panorama™.
    The following table shows the features introduced in each version of the Panorama™ plugin for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The plugins use device groups and templates on Panorama to push the configuration to the managed firewalls.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Public Cloud Platform
    AWS Plugin Version
    Panorama PAN-OS Version (Minimum)
    Maximum Panorama PAN-OS Version
    VM-Series Plugin Version (Minimum)
    Features
    AWS
    5.4.3
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.4.2
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces support for an automated firewall software version compatibility check on Panorama fixes for known issues.
    5.4.1
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.3.4
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.3.2
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.3.1
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.3.0
    		10.2 (10.2.3)Latest
    3.0.0
    		Adds support for Egress NAT and Zone-based Policy Rules on the Cloud NGFW for AWS. Introduces fixes for known issues.
    5.2.2
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.2.1
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.1.3
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.1.2
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces fixes for known issues.
    5.1.1
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
    5.0.1
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
    5.0.0
    		10.2 (10.2.3)Latest
    3.0.0
    Introduces support for Panorama integration with Cloud NGFW for AWS.
    4.1.0
    10.2
    Latest
    3.0.0
    Introduces support for nested dynamic address groups and tag pruning.
    4.0.0
    10.2
    Latest
    3.0.0
    Introduces enhancements to increase reliability and robustness.
    3.0.310.110.1
    2.0.6
    Introduces shared dynamic address groups support and bug fixes.
    3.0.2
    		10.110.1
    2.0.6
    Introduces proxy support and bug fixes.
    3.0.110.110.1
    2.0.6
    		Introduces enhancements and bug fixes.
    3.0.010.110.1
    2.0.6
    Introduces Panorama Orchestration and new monitoring parameters.
    2.0.2
    10.1
    10.1
    2.0.2
    Introduces fixes for known issues.
    9.1 (9.1.2)
    1.0.8
    2.0.1
    1.0.4
    Introduces a fix for a known issue.
    2.0.0
    9.1 (9.1.2)
    10.1
    1.0.8
    Enables support for:
    Public Cloud Platform
    Azure Plugin Version
    Panorama PAN-OS Version (Minimum)
    Maximum Panorama PAN-OS Version
    VM-Series Plugin Version
    (Minimum)
    Features
    Azure
    5.2.3
    		10.2.4Latest
    4.0.0
    Introduces fixes for known issues.
    5.2.2
    		10.2.4Latest
    4.0.0
    		Adds support for Strata Logging Service. Introduces fixes for known issues.
    5.2.1
    		10.2.4Latest
    4.0.0
    		Adds permission validation for private endpoint read access. Introduces new tags used for monitoring. Introduces fixes for known issues.
    5.2.0
    		10.2.4Latest
    4.0.0
    		Introduces an automated workflow for maintaining the life cycle of the VM auth key.
    5.1.2
    		10.2.4Latest
    4.0.0
    Introduces loopback zone support and DNS proxy support on Cloud NGFW for Azure.
    5.1.1
    		10.2.4Latest
    4.0.0
    Introduces tag pruning feature to increase the scalability and the number of tags collected by the Azure plugin.
    5.0.0
    		10.2.4Latest
    4.0.0
    Introduces support for Panorama integration with Cloud NGFW for Azure.
    4.2.0
    		10.2 (10.2.3)
    Latest
    3.0.1
    		Introduces support for Azure Workspace-based Application Insights.
    4.1.0
    10.2
    Latest
    Latest
    		Increased the number of front-end applications per VM-Series for Azure deployment.
    4.0.0
    10.2
    Latest
    Latest
    		Introduces enhancements to increase reliability and robustness.
    3.2.2
    10.1
    10.1
    2.1.0
    		Introduces fixes for a known issue.
    2.0.1
    3.2.1
    10.1
    10.1
    2.1.0
    		Introduces fixes for known issues.
    2.0.1
    3.2.0
    10.1
    10.1
    2.1.0
    		Introduces proxy support and fix for a known issue.
    2.0.1
    3.1.0
    10.1
    10.1
    2.1.0
    		Introduces fixes for a known issue.
    2.0.1
    3.0.1
    10.1
    10.1
    2.1.0
    Introduces fixes for known issues.
    2.0.1
    3.0.0
    (Upgrade from 2.0.0 to 3.0.0 is not supported.)
    10.1
    10.1
    2.1.0
    		Introduces Panorama Orchestration.
    2.0.1
    2.0.3
    10.1
    10.1
    2.1.0
    Introduces a fix for a known issue.
    2.0.0
    9.1 (9.1.2)
    1.0.8
    9.1
    1.0.4
    2.0.2
    9.1
    10.1
    1.0.4
    Introduces fixes for known issues.
    2.0.1
    9.1
    10.1
    1.0.4
    Introduces fixes for known issues.
    2.0.0
    9.1
    10.1
    1.0.4
    Enables support for:
    Public Cloud Platform
    GCP Plugin Version
    Panorama PAN-OS Version (Minimum)
    Maximum Panorama PAN-OS Version
    VM-Series Plugin Version
    Features
    GCP
    3.1.2
    10.2
    Latest
    3.0.0
    		Addresses a known issue.
    3.1.1
    10.2
    Latest
    3.0.0
    		Introduces performance and status enhancements in monitoring definitions.
    3.1.0
    10.2
    Latest
    3.0.0
    		Introduces monitoring of shared VPC deployments.
    3.0.0
    10.2
    Latest
    3.0.0
    Introduces enhancements to increase reliability and robustness.
    2.0.0
    (Upgrade from 1.0.0 to 2.0.0 is not supported.)
    9.1
    Latest
    1.0.4
    Enables you to monitor and secure VMs or GKE clusters deployed in GCP.
    • Deploy auto scaling for VM instance groups or GKE clusters using auto scaling templates for both firewall and application deployments.
    • VM Monitoring for GCP assets.

    SD-WAN

    Learn about the Panorama™ plugin for SD-WAN.
    The following table shows the features introduced in each version of the Panorama™ plugin for SD-WAN.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    PAN-OS Version (Minimum)
    Maximum PAN-OS Version
    Features
    3.4.1
    		12.1.5Latest
    (PAN-OS 12.1.5 and later versions and plugin 3.4.1 and later versions) Capacity Settings allows more flexible and efficient SD-WAN deployments by allowing you to customize device capacity settings. By adjusting the balance between SD-WAN rules, interfaces, and members, you can scale your network to support up to 16 members per VIF while maintaining optimal system performance.
    3.4.0
    12.1.3
    Latest
    (PAN-OS 12.1.3 or later releases) ADEM plugin version 1.1.0-h3 is compatible with PAN-OS 12.1.3. You need the following compatible versions to use all the ADEM functionalities in your SD-WAN firewalls:
    • PAN-OS 12.1.3 or later versions
    • ADEM plugin 1.1.0-h3 or later versions
    • SD-WAN plugin 3.4.0 or later versions
    3.4.0
    12.1.2
    Latest
    (PAN-OS 12.1.2 or later releases) Upgrading the SD-WAN plugin version manually is no longer required. SD-WAN 3.4.0 and later plugin versions are managed by Panorama.
    To use the following feature or enhancements, you require PAN-OS 12.1.2 or later releases.
    3.3.4-h1
    11.2.10-h3
    Latest
    Bug fixes.
    3.3.4
    11.2.11
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.2.11 and later versions and plugin 3.3.4 and later versions.
    • Hybrid SASE Failover routes internal private resource traffic between Prisma Access and SD- WAN branch devices based on real-time path quality metrics. This feature ensures continuous connectivity for private applications during path degradation.
    • Supports dedicated tunnel to Panorama for establishing a persistent and dedicated IPSec tunnels from your branch devices to Panorama through designated termination devices using DIA interfaces.
    • Bug fixes.
    3.3.3-h2
    11.2.7-h4
    Latest
    Bug fixes.
    3.3.3-h1
    11.2.5 or 11.2.4-h4
    Latest
    Bug fixes.
    3.3.3
    11.2.5
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.2.5 or later 11.2 releases.
    3.3.2
    11.2.4
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.2.4 or later 11.2 releases.
    • Prisma Access Hub Support for SD-WAN enabled Cellular Interfaces (4G/5G).
    • Improvements and bug fixes.
    3.3.1
    11.2.3
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.2.3 or later 11.2 releases.
    3.3.0
    11.2
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.2.0 or later releases.
    • Supports monitoring the bandwidth of a tunnel and a physical interface for a selected site (by default) in addition to existing jitter, latency, and packet loss performance measures.
    • Supports multiple virtual routers on the SD-WAN hubs that enable you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub.
    • Additional SD-WAN hubs supported for VPN cluster.
    • Additional private link types supported for SD-WAN interface profile.
    • Bug and performance fixes.
    3.2.4-h211.1.13LatestBug fixes
    3.2.4-h111.1.10-h5LatestBug fixes
    3.2.4
    11.1.8
    (11.1.8)
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.1.8 or later 11.1 releases.
    • Supports dedicated tunnel to Panorama for establishing a persistent and dedicated IPSec tunnels from your branch devices to Panorama through designated termination devices using DIA interfaces.
    • Bug fixes.
    3.2.3-h2
    11.1.8
    (11.1.8)
    Latest
    Bug fixes.
    3.2.3
    11.1.8
    (11.1.8)
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.1.8 or later 11.1 releases.
    3.2.2-h1
    11.1.5
    (11.1.5)
    Latest
    Bug fixes.
    3.2.2
    11.1.5
    (11.1.5)
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.1.5 or later releases.
    • Supports monitoring the bandwidth of a tunnel and a physical interface for a selected site (by default) in addition to existing jitter, latency, and packet loss performance measures.
    • Supports MongoDB related HA peer synchronization CLI commands.
    • SD-WAN plugin improvements.
    • Bug fixes.
    3.2.1
    11.1
    (11.1.3)
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.1.3 or later 11.1 releases.
    3.2.0
    11.1
    Latest
    • SD-WAN IKEv2 certificate-based authentication support.
    • Public cloud SD-WAN high availability support.
    • Enable SD-WAN on IPv6 interfaces and IPv6 tunnel support.
    • Bug and performance fixes.
    3.1.3
    11.0 (11.0.4)
    Latest
    To use the following feature or enhancements, you require PAN-OS 11.0.4 or later 11.0 releases.
    3.1.2
    11.0 (11.0.2)
    Latest
    Bug and performance fixes.
    3.1.1
    11.0 (11.0.2)
    Latest
    SD-WAN IPv6 basic connectivity
    3.0.1-h6
    11.0 (11.0.1)
    Latest
    Bug and performance fixes.
    3.1.0-h6
    11.0 (11.0.1)
    Latest
    Enables Advanced Routing Engine support.
    3.0.9-h1
    10.2.16-h2
    Latest
    Bug fixes.
    3.0.9
    10.2.16-h2
    Latest
    Bug fixes.
    3.0.8-h2
    10.2.11
    Latest
    Bug fixes.
    3.0.8
    10.2.11
    Latest
    Improvements and bug fixes
    3.0.7
    10.2 (10.2.8)
    Latest
    To use the following feature or enhancements, you require PAN-OS 10.2.8 or later releases.
    3.0.6
    10.2 (10.2.7)
    Latest
    Bug fixes.
    3.0.6
    10.2 (10.2.6)
    Latest
    Bug fixes.
    3.0.5
    10.2 (10.2.5)
    Latest
    Bug and performance fixes.
    3.0.4
    10.2 (10.2.4)
    Latest
    Bug and performance fixes.
    3.0.3
    10.2 (10.2.1)
    Latest
    Bug and performance fixes.
    3.0.2
    10.2 (10.2.1)
    Latest
    Bug and performance fixes.
    3.0.1
    10.2 (10.2.1)
    Latest
    Copy ToS Header Support.
    3.0.0
    10.2
    Latest
    Upgrade to the SD-WAN plugin to increase reliability. SD-WAN plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
    2.2.7-h5
    10.1.14-h2
    Latest
    Bug fixes.
    2.2.7
    10.1.3-h1
    Latest
    Improvements and bug fixes
    2.2.6
    10.1 (10.1.11)
    Latest
    Bug and performance fixes.
    2.2.5
    10.1 (10.1.11)
    Latest
    Bug and performance fixes.
    2.2.4
    10.1 (10.1.10)
    Latest
    Bug and performance fixes.
    2.2.3
    10.1 (10.1.9)
    Latest
    Bug and performance fixes.
    2.2.2
    10.1 (10.1.5-h1)
    Latest
    Bug and performance fixes.
    2.2.1
    10.1 (10.1.5-h1)
    Latest
    Copy ToS Header support.
    2.2.0
    10.1 (10.1.4)
    Latest
    Prisma Access Hub support.
    2.1.1
    10.1
    Latest
    Minor bug and performance fixes.
    2.1.0
    10.1
    Latest
    SD-WAN supports Aggregated Ethernet (AE) interfaces with or without subinterfaces for link redundancy. AE interfaces allow you to tag for different ISP services to achieve end-to-end traffic segmentation. SD-WAN also supports Layer 3 subinterfaces for end-to-end traffic segmentation.
    2.0.3
    10.1
    Latest
    Minor bug and performance fixes.
    2.0.2
    10.1
    Latest
    Includes support so you can control whether Auto VPN configuration enables or disables the Remove Private AS setting for all BGP peer groups on a branch or hub.
    2.0.1
    10.1
    Latest
    Includes support for full mesh VPN cluster with DDNS service, auto-VPN configuration with branch behind NAT, and Direct Internet Access (DIA) AnyPath.
    2.0.0
    10.1
    Latest
    Maintain high-quality application experience by leveraging Forward Error Correction (FEC) and packet duplication and by accurately measuring SaaS and Cloud applications when you have an SD-WAN firewall with Direct Internet Access (DIA) links.
    1.0.6
    9.1 (9.1.4)
    Latest
    Minor bug and performance fixes.
    1.0.5
    9.1 (9.1.4)
    Latest
    Minor bug and performance fixes.
    1.0.4
    9.1 (9.1.4)
    Latest
    In an SD-WAN VPN cluster that has more than one hub, you must assign a priority to each hub, which determines the primary hub and hub failover order. Panorama maps the priority to a BGP local preference and pushes the local preference to the branches in the cluster.
    1.0.3
    9.1 (9.1.3)
    9,1
    When the SD-WAN hub is behind a NAT device, the plugin supports an upstream NAT IP address or FQDN for Auto VPN configuration to use as a tunnel endpoint.
    1.0.2
    9.1 (9.1.2-h1)
    9.1.3
    Improves ease of use, such as an automatic Security policy rule to allow BGP between branches and hubs, ability to refresh the IKE preshared key for VPN cluster members, specifying VPN tunnel IP address ranges, and more.
    1.0.1
    9.1 (9.1.1)
    9.1.2
    Improves monitoring experience and search filtering, and adds an option to display HA peers consecutively.
    1.0.0
    9.1
    9.1.2
    Enables support for SD-WAN from Panorama. Configure the Panorama plugin for SD-WAN to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Provide the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity.

    VMware NSX

    Review the features introduced in each version of the VM-Series firewall VMware NSX plugin.
    The following table shows the features introduced in each version of the VM-Series firewall VMware NSX plugin. For additional information about each plugin, see the release notes on the Customer Support Portal.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Panorama Version (Minimum)
    Panorama Version (Maximum)
    Managed VM-Series PAN-OS Version (Minimum)
    New Features or Changes
    5.0.1
    • NSX-V: 10.2 (10.2.2)
    • NSX-T N/S: 10.2 (10.2.2)
    • NSX-T E/W: 10.2 (10.2.2)
    • NSX-V: 10.2
    • NSX-T N/S: 10.2
    • NSX-T E/W: 10.2
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    Introduces support for PAN-OS and Panorama 10.2.x.
    5.0.0
    Introduces support for PAN-OS and Panorama 10.2.x.
    4.0.3
    • NSX-V: 10.1
    • NSX-T N/S: 10.1
    • NSX-T E/W: 10.1
    • NSX-V: 10.1
    • NSX-T N/S: 10.1
    • NSX-T E/W: 10.1
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    Introduces fixes for known issues.
    4.0.2
    Introduces fixes for known issues.
    4.0.1
    Introduces fixes for known issues.
    4.0.0
    Introduces Security-Centric Deployment Workflow (East-West) for the VM-Series on VMware NSX-T.
    3.2.4
    • NSX-V: 10.1
    • NSX-T N/S: 10.1
    • NSX-T E/W: 10.1
    • NSX-V: 10.1
    • NSX-T N/S: 10.1
    • NSX-T E/W: 10.1
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    Introduces fixes for known issues.
    3.2.3
    Introduces fixes for known issues.
    3.2.1
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    Introduces fixes for known issues.
    3.2.0
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    • NSX-V: 10.1
    • NSX-T N/S: 10.1
    • NSX-T E/W: 10.1
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    Introduces Security Policy Extension Between NSX-V and NSX-T and Device Certificate Support on the VM-Series for NSX.
    The following VM-Series firewall for NSX OVFs require that you enable device certificates.
    • 10.1 or later
    • 9.1.5 or later
    3.1.0
    9.1
    • NSX-V: 10.1
    • NSX-T N/S: 10.2
    • NSX-T E/W: 10.2
    • NSX-V: 9.1
    • NSX-T N/S: 9.1
    • NSX-T E/W: 9.1
    Introduces the VM-Series firewall on VMware NSX-T for East-West traffic protection.

    VMware vCenter

    Learn about the Panorama™ plugin for VMware vCenter.
    The following table shows the features introduced in each version of the Panorama™ plugin for VMware vCenter.
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    Panorama PAN-OS Version (Minimum)
    		Maximum Panorama PAN-OS VersionFeatures
    2.1.0
    10.2
    Latest
    		Introduces fixes for known issues.
    2.0.0
    Introduces enhancements to increase reliability and robustness.
    1.0.0
    9.1
    Latest
    Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for VMware vCenter to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your vCenter environment.

    Zero Touch Provisioning (ZTP)

    Learn about the Panorama™ plugin for Zero Touch Provisioning (ZTP).
    The following table shows the features introduced in each version of the Panorama™ plugin for Zero Touch Provisioning (ZTP).
    End-of-life (EoL) software versions are included in this table. Review the Software End-of-Life Summary website to check whether we are still supporting your software version.
    Plugin Version
    PAN-OS Version Minimum
    Maximum PAN-OS Version
    Features
    4.0.012.1.2Latest
    (PAN-OS 12.1.2 or later releases) Upgrading the Zero Touch Provisioning (ZTP) version manually is no longer required. Zero Touch Provisioning (ZTP) 4.0.0 and later plugin versions are managed by Panorama.
    3.0.3
    11.2.11
    Latest
    Minor bug and performance fixes.
    3.0.1
    11.2.0
    Latest
    Minor bug and performance fixes.
    3.0.0
    11.2.0
    Latest
    ZTP 3.0 introduces enhancements to the ZTP onboarding experience by allowing you to activate applicable licenses and install the latest content updates when the firewall first connects to Panorama.
    2.0.6
    		11.1.13
    Latest
    Minor bug and performance fixes.
    2.0.4
    11.0.1
    10.2.4
    Latest
    Minor bug and performance fixes.
    2.0.3
    11.0.1
    10.2.4
    Latest
    Minor bug and performance fixes.
    2.0.2
    10.2.0
    10.2.3
    Minor bug and performance fixes.
    2.0.1
    10.2.0
    10.2.3
    Minor bug and performance fixes.
    2.0.0
    10.2.0
    10.2.3
    Upgrade to the ZTP plugin to increase reliability. ZTP plugin 2.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
    1.0.2
    10.1.0
    Latest 10.1 release
    Minor bug and performance fixes.
    1.0.1
    10.1.0
    Latest 10.1 release
    Minor bug and performance fixes.
    1.0.0
    9.1.4
    Latest 9.1 release
    Enables support for ZTP from Panorama. Configure the Panorama plugin for ZTP to simplify and streamline initial firewall deployment by automating the new managed firewall on-boarding without the need for network administrators to manually provision the firewall.

    © 2026 Palo Alto Networks, Inc. All rights reserved.