Virtualization Features

Intelligent Traffic Offload (ITO) is a VM-Series firewall Security subscription that, when configured with the supported NVIDIA Bluefield infrastructure compute platform, increases capacity throughput for the VM-Series firewall. In previous releases, Intelligent Traffic Offload required that you deploy your VM-Series firewall in virtual wire mode. This limitation prevented deployments of VM-Series firewalls with an ITO subscription from using NAT for perimeter security.

This release removes that limitation by allowing you to deploy your VM-Series firewall with an Intelligent Traffic Offload subscription in Layer 3 mode that supports NAT for IPv4. With this functionality, your ITO subscription fully supports environments requiring robust security features that prevent end-user devices from being exposed to outside threats. NAT support extends to NAT44 and DIPP in for both deployments with Intelligent Traffic Offload (DPU-based) and software cut-through for traffic inspection. This release adds support for the Nvidia Bluefield-3 DPU while maintaining support for the existing Bluefield-2 DPU.

Intelligent Traffic Offload (ITO) is a VM-Series firewall Security subscription that, when configured with the supported NVIDIA Bluefield infrastructure compute platform, increases capacity throughput for the VM-Series firewall. In previous releases, ITO required that you deploy your VM-Series firewall in virtual wire mode. This limitation prevented deployments in Layer 3 mode supporting dynamic routing.

This release removes that limitation by allowing you to deploy your VM-Series firewall with Intelligent Traffic Offload for L3 traffic supporting dynamic routing. With dynamic routing, you attain stable, high-performing, and highly available L3 routing through profile-based filtering lists and conditional route maps which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve redistribution across multiple protocols. When combined with NAT for IPv4, you can extend security policy to protect end user devices from being exposed to outside threats. This release adds support for the Nvidia Bluefield-3 DPU while maintaining support for the existing Bluefield-2 DPU.

The VM-Series firewall now supports virtual systems only with flexible license and with one virtual system by default. Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. The virtual systems are easier to manage coexisting within a firewall. The additional benefits of virtual systems include improved scalability, segmented administration, and reduced capital and operational expenses. For more information, see Benefits of Virtual Systems and Virtual System Components and Segmentation.

The virtual system support on the VM-Series firewall is available on PAN-OS version 11.1.3 and later. You must have a virtual system license to support multiple virtual systems on the VM-Series firewall. Purchase additional licenses based on your requirement up to a maximum number supported on a particular Tier.

Use a flexible VM-Series firewall license and Tier 3 or Tier 4 instances supporting a minimum of 16 vCPUs or more. The VM-Series firewall in Tier 3 instance supports a maximum of 25 virtual systems. The VM-Series firewall in Tier 4 instance, supports a maximum of 100 virtual systems.

CN-Series firewall now supports real-time Advanced Threat Prevention (ATP) for detecting malware and zero-day vulnerability exploits using the advanced ML engines in the cloud. The CN-Series ATP is delivered as a containerized solution for high scalability and low-latency cloud-native service.

The ATP feature is supported on PAN-OS 11.0 and later releases and all CN-Series deployment modes: deploying the CN-Series firewall as a Kubernetes service, Daemonset, and a Kubernetes CNF. For the ATP feature, you need the Advanced Threat Prevention licenses and enable the Inline Cloud Analysis.

To enable the CN-Series ATP feature, you can use the YAML files from the Palo Alto Networks CSP for deploying the containerized firewall pods or enable the ATP feature while configuring the CN-Series deployment on the Palo Alto Customer Service Portal (CSP).

CN-Series now qualified with support for User Identity (User-ID) in the Kubernetes as CNF mode. User-ID helps to leverage user information and provides improved visibility into application usage. User-ID also helps with policy control and reduced attack surface by providing need based user access and gives a complete picture of a security incident through logging, reporting, and forensics. For more information, see User-ID.