>
    Virtualization Features
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Features Introduced in PAN-OS 10.1
    4. Virtualization Features
    Download PDF

    Virtualization Features

    Table of Contents

    Virtualization Features

    Describes all the exciting new capabilities in PAN-OS® 10.1 for the VM-Series firewall.
    New Virtualization FeatureDescription
    Intelligent Traffic Offload service for VM-Series on KVM
    Intelligent Traffic Offload service (ITO) is a Security subscription that, when configured with the BlueField-2 SmartNIC, increases capacity throughput for the VM-Series firewall. The ITO service inspects the first few packets of a new flow to determine whether it benefits from inspection. If not, the service offloads the flow to the SmartNIC, decreasing the load on the VM-Series firewall.
    The VM-Series firewall and the SmartNIC must be installed on the same x86 physical host, and the VM-Series firewall must be deployed in virtual wire mode. Active/Passive HA is supported.
    Address Family eXpress Data Path (AF-XDP) Support on CN-Series
    To increase effective throughput, the CN-Series firewall can now leverage AF XDP, an eBPF based socket that is optimized for high performance packet processing suited to cloud native services.
    DPDK Support for Different NIC Types
    VM-Series firewalls now support multiple NIC types and multiple queues. You can configure both SR-IOV and DPDK for all hypervisors on cloud platforms that support multiple NIC types. In addition, a single NIC type with variable queues (available on some cloud platforms) is also supported.
    Please contact Technical Support if you want to use this feature.
    CN-Series Firewall as a Kubernetes Service
    You can now deploy the CN-Series firewall as a Kubernetes service. In Kubernetes deployments with smaller nodes with more stringent resource constraints, deploying the CN-Series as a daemonset can be difficult. The challenges associated with predicting and provisioning the necessary resources can result in firewalls consuming more resources than required to support the traffic on the cluster. By deploying the CN-Series as a service, you can start with the right amount of resources and scale dynamically when necessary. When deployed as a service, the CN-Series firewall provides complete Layer 7 visibility, application-level segmentation, and protection for traffic in your native Kubernetes, OpenShift, AKS, EKS, or GKE environments using native Kubernetes constructs.
    Customize Dataplane Cores
    Customize dataplane cores is an optional feature that allows you to customize the number of dataplane cores in two ways:
    • During the initial deployment, use the init-cfg.txt file bootstrap parameter plugin-op-commands=set-dp-cores:<#-cores>.
    • From a deployed firewall, using the VM-Series CLI command request plugins vm_series dp-cores <#-cores>.
    Typically you increase the number of dataplane cores (which decreases the number of management plane cores) to improve performance.
    • Dataplane core customization is supported on firewalls licensed with a Software NGFW credit pool for 10.0.4 and above, and running PAN-OS 10.1 or later.
    • Dataplane core customization is not supported for:
      • NSX-T
      • Intelligent Traffic Offload
    IPVLAN CNI L2 Support on the CN-Series Firewall on EKS
    (Available with PAN-OS® 10.1.2 and later 10.1 releases)
    You can now use IPVLAN in Layer 2 mode with your CN-Series deployment on EKS.
    Increased Maximum Application Pods per CN-NGFW Node
    (Available with PAN-OS® 10.1.9 and later 10.1 releases)
    The CN-Series firewall deployed in Daemonset mode now secures up to 125 application pods per CN-NGFW node.

    © 2024 Palo Alto Networks, Inc. All rights reserved.