Describes all the exciting new capabilities in PAN-OS®
10.1 for the VM-Series firewall.
New Virtualization Feature
Intelligent Traffic Offload service for VM-Series on KVM
Intelligent Traffic Offload service (ITO)
is a Security subscription that, when configured with the BlueField-2 SmartNIC,
increases capacity throughput for the VM-Series firewall. The ITO
service inspects the first few packets of a new flow to determine whether
it benefits from inspection. If not, the service offloads the flow
to the SmartNIC, decreasing the load on the VM-Series firewall.
The VM-Series firewall and the SmartNIC must be installed on the same
x86 physical host, and the VM-Series firewall must be deployed in
virtual wire mode. Active/Passive HA is supported.
Address Family eXpress Data Path (AF-XDP) Support
To increase effective throughput, the CN-Series firewall
can now leverage AF-XDP, an eBPF-based socket that is optimized
for high-performance packet processing suited to cloud-native services.
DPDK Support for Different NIC Types
VM-Series firewalls now support multiple NIC types and
multiple queues. You can configure both SR-IOV and DPDK for all
hypervisors on cloud platforms that support multiple NIC types.
In addition, a single NIC type with variable queues (available on
some cloud platforms) is also supported.
Please contact Technical
Support if you want to use this feature.
CN-Series Firewall as a Kubernetes Service
You can now deploy the CN-Series firewall as a Kubernetes
service. In Kubernetes deployments with smaller nodes and
more stringent resource constraints, deploying the CN-Series as
a DaemonSet can be difficult. The challenges associated with predicting
and provisioning the necessary resources can result in firewalls
consuming more resources than required to support the traffic on
the cluster. By deploying the CN-Series as a service, you can start
with the right amount of resources and scale dynamically when necessary.
When deployed as a service, the CN-Series firewall provides complete
Layer 7 visibility, application-level segmentation, and protection
for traffic in your native Kubernetes, OpenShift, AKS, EKS, or GKE environments
using native Kubernetes constructs.
Customize Dataplane Cores
Customize dataplane cores is an optional
feature that allows you to customize the number of dataplane cores
in two ways:
During the initial deployment, use the
From a deployed firewall, using the VM-Series CLI command
request plugins vm_series dp-cores <#-cores>
You increase the number of dataplane cores (which decreases the
number of management plane cores) to improve performance.
Dataplane core customization is supported on firewalls licensed with a Software
NGFW credit pool for 10.0.4 and above, and running PAN-OS 10.1 or
Dataplane core customization is not supported for:
Intelligent Traffic Offload
IPVLAN CNI L2 Support on the CN-Series Firewall
Available with PAN-OS® 10.1.2 and later 10.1 releases
You can now use IPVLAN in Layer 2 mode with
your CN-Series deployment on EKS.