Virtualization Features
Describes all the exciting new capabilities in PAN-OS® 11.1 for the VM-Series and CN-Series firewalls.
ARM Support on VM-Series Firewall
November 2023
The VM-Series firewall now supports ARM-based instances: AWS Graviton 2 (ARM compute) instances in public clouds and the KVM hypervisor in private clouds. All features that were available in x86 environments are now extended to ARM-based instances, including hypervisor support, DPDK, and other acceleration methods that provide better performance while reducing operational (OPEX) costs, power consumption, and footprint.
ARM architecture support is currently available with VM-Flex licensing on AWS (BYOL) or KVM, using Software NGFW credits, on the following ARM instance types:
Name | Types
---|---
AWS C6gn | 8xlarge, 12xlarge, 16xlarge
AWS R6g | xlarge, 2xlarge, 4xlarge, 8xlarge, 12xlarge, and 16xlarge
AWS M6g | large, xlarge, 2xlarge, 4xlarge, 8xlarge, and 16xlarge
KVM | v8 systems such as Ampere Altra AC-106422002

Platform | Drivers
---|---
KVM | i40e and mlx5
AWS | ena
ARM also supports the following capabilities:
- AWS automation templates such as CloudFormation and Terraform templates
- AWS Gateway Load Balancer (GWLB)
- 64-vCPU profiles
- Simple and full bootstrapping on AWS
- All security subscriptions currently supported on x86-based systems
- All features on the KVM hypervisor currently supported on x86-based systems
- Telemetry data similar to what is currently supported on x86-based systems
Link Aggregation for VM-Series Firewall
November 2023
VM-Series firewalls add support for link aggregation in ESXi and KVM environments. This feature combines multiple connections into a single logical bonding device with a unique name; the network devices (physical or virtual) attached to it act as secondary devices. The bonded device has a unique MAC address that is shared by all secondary devices.
Important things to consider:
- An Aggregate Ethernet interface uses the base MAC address (from the license key file), not a MAC address from the hypervisor. This takes effect after rebooting newly deployed and licensed VM-Series firewalls.
- An unlicensed Panorama VM uses an erroneous Aggregate Ethernet MAC address, while a licensed VM receives a proper MAC address. If the Panorama VM is initially deployed without a license, the Aggregate Ethernet interface receives this erroneous MAC address. Once you procure the license, reboot the VM to retrieve the new base MAC address from the license key file.
To configure link aggregation, allow PAN-OS to change VM MAC addresses. To do this, set MAC address changes to Accept in the hypervisor's virtual switch security settings.
Link aggregation of HA interfaces isn't supported in public cloud environments such as AWS, Azure, or GCP.
Dynamic Routing in CN-Series HSF
November 2023
CN-Series Hyperscale Security Fabric (HSF) introduces dynamic routing through BGP and BGP with BFD. Using dynamic routing, you can attain stable, high-performing, and highly available Layer 3 routing through profile-based filtering lists and conditional route maps, which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.
BGP evaluates the available paths that data could travel and picks the best route based on the IP prefixes advertised by autonomous systems. Bidirectional Forwarding Detection (BFD) provides fast forwarding-path failure detection for BGP between CN-GW pods and the external router.
Strata Logging Service with CN-Series Firewall
November 2023
Strata Logging Service enables AI-based innovations for cybersecurity with the industry’s only approach to normalizing and stitching together your enterprise’s data. For more information, see About Strata Logging Service and Deploy Strata Logging Service with Panorama. Strata Logging Service can now collect log data from the CN-Series next-generation firewall. When you purchase a Strata Logging Service license, all firewalls registered to your support account receive Strata Logging Service. You will also receive a magic link that you need to use to activate your Strata Logging Service instance.
To get started with Strata Logging Service on the CN-Series firewall, you must Install the Kubernetes Plugin and Set up Panorama for your CN-Series Firewall. You must provide the device certificate to the CN-MGMT pod for Strata Logging Service connectivity. Register your CN-MGMT pod with a CSP account so that the CN-MGMT pod is reflected in your Strata Logging Service instance. Add the valid PIN-ID and PIN-value to the pan-cn-mgmt-secret.yaml file to install the device certificate successfully. The CN-Series firewall requires a device certificate that authorizes secure access to Strata Logging Service. For more information, see Install a Device Certificate on the CN-Series Firewall.
After you deploy your CN-Series firewall, verify that your CN-MGMT pod is visible in your CSP account under Registered Devices. For more information, see Register the Firewall. You must configure your CN-Series firewall with Panorama, Create a CN-Series Deployment Profile in your CSP account, and use the auth code to push licenses from Panorama to your CN-Series firewall.
IoT Security Support for CN-Series Firewall
November 2023
For the Palo Alto Networks CN-Series next-generation firewall, the IoT Security solution uses machine learning (ML) to provide visibility of discovered IoT devices based on the metadata in the logs it receives from the firewall. IoT Security also identifies vulnerabilities and assesses risk in devices based on their network traffic behaviors and dynamically updated threat feeds.
You can use the policy rule recommendations that IoT Security generates as a reference when manually adding rules to your CN-Series firewall. IoT Security always generates Security policy rule recommendations regardless of the PAN-OS version.
When using the IoT Security subscription, which stores data in Strata Logging Service, you need one Strata Logging Service license per account and must ensure that the Strata Logging Service configuration for your CN-Series firewall is complete.
Session Resiliency for the VM-Series on AWS and GCP
November 2023
Session resiliency allows VM-Series firewalls deployed in a cluster on AWS or GCP to maintain session continuity during a failure event. The AWS Gateway Load Balancer (GWLB) and GCP Network Load Balancer (NLB) can detect and deregister unhealthy VM-Series firewalls deployed in a horizontally scalable cluster behind them. With session resiliency enabled, the GWLB and NLB can rehash existing traffic sessions flowing toward an unhealthy VM-Series firewall and redirect the traffic to a healthy VM-Series firewall.
To maintain sessions that fail over to healthy VM-Series firewalls, you must deploy a Redis cache accessible to your VM-Series firewalls: ElastiCache for Redis on AWS and Memorystore for Redis on GCP. The Redis cache holds the session information. When your load balancer detects an unhealthy VM-Series firewall, the load balancer rebalances traffic to a healthy VM-Series firewall. The healthy VM-Series firewall reads the session information from the Redis cache and continues to inspect and forward the existing traffic.
Inspection of rehashed traffic flows is Layer 4 only; the VM-Series firewall inspects traffic in new sessions up to Layer 7.
Enable session resiliency on the VM-Series firewall by passing the configuration in the bootstrapping init-cfg.txt file or in the user data field, using the following new parameters:
op-command-modes=mgmt-interface-swap
plugin-op-commands=set-sess-ress:True
redis-endpoint=<redis-IP-address:port>
redis-auth=<redis-auth-code>
redis-certificate=
Session resiliency can't be enabled on existing VM-Series firewall instances, only on newly deployed instances.
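Because session resiliency can only be set at deployment time, it pays to check the bootstrap file before launching. The following Python validator is an added example, not Palo Alto Networks code: the key names are those listed above, while the sample values, the comma-separated reading of plugin-op-commands, and the literal-IP rule for redis-endpoint are this example's own assumptions.

```python
"""Sanity-check the session-resiliency keys in a VM-Series init-cfg.txt.

Added example, not Palo Alto Networks code: key names come from the release
note, while the validation rules and sample values are assumptions."""
import ipaddress
import re

REQUIRED_WITH_RESILIENCY = ("redis-endpoint", "redis-auth")  # assumption

# Constructed sample bootstrap contents (hypothetical addresses and tokens).
SAMPLE_GOOD = """\
op-command-modes=mgmt-interface-swap
plugin-op-commands=set-sess-ress:True
redis-endpoint=10.0.5.20:6379
redis-auth=REPLACE-WITH-REDIS-AUTH-TOKEN
redis-certificate=
"""
SAMPLE_BAD = """\
plugin-op-commands=set-sess-ress:True
redis-endpoint=10.0.5.20
"""


def parse_init_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed init-cfg line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def resiliency_requested(cfg):
    """True when plugin-op-commands lists set-sess-ress:True (assumes comma-separated)."""
    cmds = cfg.get("plugin-op-commands", "")
    return any(c.strip().lower() == "set-sess-ress:true" for c in cmds.split(","))


def check_session_resiliency(cfg):
    """Return a list of problems; an empty list means the keys are consistent."""
    problems = []
    if not resiliency_requested(cfg):
        return problems  # feature not requested; the Redis keys are irrelevant
    for key in REQUIRED_WITH_RESILIENCY:
        if not cfg.get(key):
            problems.append(f"{key} is required when set-sess-ress:True is set")
    endpoint = cfg.get("redis-endpoint", "")
    m = re.fullmatch(r"(.+):(\d{1,5})", endpoint)
    if endpoint and not (m and 1 <= int(m.group(2)) <= 65535):
        problems.append("redis-endpoint must be <redis-IP-address:port>")
    elif m:
        try:
            ipaddress.ip_address(m.group(1))  # assumes a literal IP host, as on the page
        except ValueError:
            problems.append("redis-endpoint host is not an IP address")
    # redis-auth is a credential: protect init-cfg.txt and user data accordingly.
    return problems
```

The file holding redis-auth is a credential store, so keep the bootstrap bundle and user data as restricted as any other secret.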
Virtual Systems Support on VM-Series Firewall
May 2024
The VM-Series firewall now supports virtual systems, only with a flexible license and with one virtual system by default. Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Virtual systems that coexist within one firewall are easier to manage. The additional benefits of virtual systems include improved scalability, segmented administration, and reduced capital and operational expenses. For more information, see Benefits of Virtual Systems and Virtual System Components and Segmentation.
Virtual system support on the VM-Series firewall is available in PAN-OS 11.1.3 and later. You must have a virtual system license to support multiple virtual systems on the VM-Series firewall. Purchase additional licenses as required, up to the maximum number supported on a particular tier.
Use a flexible VM-Series firewall license and Tier 3 or Tier 4 instances with a minimum of 16 vCPUs. A VM-Series firewall on a Tier 3 instance supports a maximum of 25 virtual systems; a VM-Series firewall on a Tier 4 instance supports a maximum of 100 virtual systems.
Virtual system support on the VM-Series firewall was introduced in PAN-OS 11.2.0 and is available in PAN-OS 11.1.3 and later on the KVM platform only.