Virtualization Features
Describes all the exciting new capabilities in PAN-OS® 11.2 for the VM-Series and
CN-Series firewall.
Bootstrapping VM-Series in Virtual Metadata Collector Mode (December 2024)
Virtual metadata collector mode is a specialized sub-mode of the VM-Series firewall
designed to improve IoT data collection efficiency while reducing resource usage.
A default allow-all security policy is configured automatically when you perform the
initial configuration of the VM-Series firewall; this policy and its associated
default security profiles cannot be edited. Panorama is required to manage VMs in
virtual metadata collector mode. After you bootstrap and license the VM, it connects
to and syncs with Panorama automatically. Panorama settings can also be provisioned
on the firewall after it comes up, either through the firewall CLI or the web
interface.
Virtual metadata collector mode is supported only on ESXi and KVM platforms running
PAN-OS 11.2.5 or later.
Intelligent Traffic Offload - NAT Support on VM-Series Firewall (May 2024)
Intelligent Traffic Offload (ITO) is a VM-Series firewall security subscription that,
when configured with the supported NVIDIA BlueField infrastructure compute platform,
increases throughput capacity for the VM-Series firewall.
In previous releases, Intelligent Traffic Offload required that you deploy the
VM-Series firewall in virtual wire mode, which prevented VM-Series deployments with
an ITO subscription from using NAT for perimeter security.
This release removes that limitation: you can now deploy the VM-Series firewall with
an Intelligent Traffic Offload subscription in Layer 3 mode with NAT support for
IPv4. With this functionality, the ITO subscription fully supports environments that
require robust security features to prevent end-user devices from being exposed to
outside threats. NAT support extends to NAT44 and DIPP for both deployments with
Intelligent Traffic Offload (DPU-based) and software cut-through for traffic
inspection. This release adds support for the NVIDIA BlueField-3 DPU while
maintaining support for the existing BlueField-2 DPU.
Intelligent Traffic Offload - L3 (Dynamic Routing) Support on VM-Series Firewall (May 2024)
Intelligent Traffic Offload (ITO) is a VM-Series firewall security subscription that,
when configured with the supported NVIDIA BlueField infrastructure compute platform,
increases throughput capacity for the VM-Series firewall.
In previous releases, ITO required that you deploy the VM-Series firewall in virtual
wire mode, which prevented Layer 3 deployments that use dynamic routing.
This release removes that limitation: you can now deploy the VM-Series firewall with
Intelligent Traffic Offload for L3 traffic with dynamic routing. With dynamic
routing, you attain stable, high-performing, and highly available L3 routing through
profile-based filtering lists and conditional route maps that can be reused across
logical routers. These profiles provide finer granularity for filtering routes per
dynamic routing protocol and improve redistribution across multiple protocols. When
combined with NAT for IPv4, you can extend security policy to protect end-user
devices from being exposed to outside threats. This release adds support for the
NVIDIA BlueField-3 DPU while maintaining support for the existing BlueField-2 DPU.
Intelligent Traffic Offload - Support for NVIDIA BlueField-3 DPU (November 2024)
Intelligent Traffic Offload (ITO) is a VM-Series firewall security subscription that,
when configured with the supported NVIDIA BlueField infrastructure compute platform,
increases throughput capacity for the VM-Series firewall.
This release adds support for the NVIDIA BlueField-3 DPU while maintaining support
for the existing BlueField-2 DPU.
Virtual Systems Support on VM-Series Firewall (May 2024)
The VM-Series firewall now supports virtual systems. This requires a flexible
license, and one virtual system is enabled by default. Virtual systems are separate,
logical firewall instances within a single physical Palo Alto Networks firewall.
Rather than using multiple firewalls, managed service providers and enterprises can
use a single pair of firewalls (for high availability) and enable virtual systems on
them. Virtual systems coexisting within one firewall are easier to manage, and their
additional benefits include improved scalability, segmented administration, and
reduced capital and operational expenses. For more information, see Benefits of
Virtual Systems and Virtual System Components and Segmentation.
Virtual system support on the VM-Series firewall is available on PAN-OS version
11.1.3 and later. You must have a virtual system license to run multiple virtual
systems on the VM-Series firewall. Purchase additional licenses as needed, up to the
maximum number supported for a particular tier.
Use a flexible VM-Series firewall license and Tier 3 or Tier 4 instances with a
minimum of 16 vCPUs. A VM-Series firewall on a Tier 3 instance supports a maximum of
25 virtual systems; a VM-Series firewall on a Tier 4 instance supports a maximum of
100 virtual systems.
Virtual system support on the VM-Series firewall is introduced in PAN-OS 11.2.0 and
is available in PAN-OS version 11.1.3 and later on the KVM platform only.
Advanced Threat Prevention (ATP) Support on CN-Series Firewall (May 2024)
The CN-Series firewall now supports real-time Advanced Threat Prevention (ATP) for
detecting malware and zero-day vulnerability exploits using advanced ML engines in
the cloud. CN-Series ATP is delivered as a containerized solution, providing a highly
scalable, low-latency cloud-native service.
The ATP feature is supported on PAN-OS 11.0 and later releases and in all CN-Series
deployment modes: the CN-Series firewall deployed as a Kubernetes service, as a
DaemonSet, and as a Kubernetes CNF. To use the ATP feature, you need Advanced Threat
Prevention licenses and must enable Inline Cloud Analysis.
To enable the CN-Series ATP feature, either use the YAML files from the Palo Alto
Networks CSP to deploy the containerized firewall pods, or enable ATP while
configuring the CN-Series deployment on the Palo Alto Networks Customer Service
Portal (CSP).
User-ID for CN-Series (May 2024)
Securing containerized workloads deployed in cloud-native environments requires
applying granular security policies, but traditional controls often lack the
necessary context of who is accessing which application. This visibility gap makes
it difficult for security teams to enforce fine-grained access, often resulting in
overly permissive rules that unnecessarily expand the attack surface. CN-Series
firewalls are now qualified and officially supported for User-ID™ in Kubernetes CNF
mode. This integration allows your security team to move security enforcement from
relying solely on network topology to leveraging precise user identity information.
When you implement User-ID™ with CN-Series, you gain improved visibility into
application usage, enabling you to apply security policy controls based on the
specific user accessing the service. This capability is designed specifically for
CN-Series deployments operating within the cloud-native Kubernetes platform. By
binding user context to traffic, you ensure that security incidents that are
logged, reported, and analyzed provide a complete picture rooted in user actions,
transforming the way you approach forensics. You reduce the attack surface
significantly by enforcing need-based user access, and you ensure that security
policies are applied consistently across your distributed microservices. For more
information, see User-ID.