Describes all the exciting new capabilities in PAN-OS® 10.1 for the VM-Series firewall.
New Virtualization Feature / Description

Intelligent Traffic Offload service for VM-Series on KVM
Intelligent Traffic Offload service (ITO) is a Security subscription that, when configured with the BlueField-2 SmartNIC, increases capacity throughput for the VM-Series firewall. The ITO service inspects the first few packets of a new flow to determine whether the flow benefits from inspection. If not, the service offloads the flow to the SmartNIC, decreasing the load on the VM-Series firewall. The VM-Series firewall and the SmartNIC must be installed on the same x86 physical host, and the VM-Series firewall must be deployed in virtual wire mode. Active/Passive HA is supported.

Address Family eXpress Data Path (AF-XDP) Support on CN-Series
To increase effective throughput, the CN-Series firewall can now leverage AF_XDP, an eBPF-based socket type optimized for high-performance packet processing and suited to cloud-native services.

DPDK Support for Different NIC Types
VM-Series firewalls now support multiple NIC types and multiple queues. You can configure both SR-IOV and DPDK for all hypervisors on cloud platforms that support multiple NIC types. In addition, a single NIC type with a variable number of queues (available on some cloud platforms) is also supported. Please contact Technical Support if you want to use this feature.
CN-Series Firewall as a Kubernetes Service
You can now deploy the CN-Series firewall as a Kubernetes service. In Kubernetes deployments with smaller nodes and more stringent resource constraints, deploying the CN-Series as a DaemonSet can be difficult: the challenges of predicting and provisioning the necessary resources can result in firewalls consuming more resources than required to support the traffic on the cluster. By deploying the CN-Series as a service, you can start with the right amount of resources and scale dynamically when necessary. When deployed as a service, the CN-Series firewall provides complete Layer 7 visibility, application-level segmentation, and protection for traffic in your native Kubernetes, OpenShift, AKS, EKS, or GKE environments using native Kubernetes constructs.
Customize Dataplane Cores
Customize dataplane cores is an optional feature that allows you to set the number of dataplane cores in two ways:
- During the initial deployment, use the init-cfg.txt bootstrap parameter plugin-op-commands=set-dp-cores:<#-cores>.
- On a deployed firewall, use the VM-Series CLI command request plugins vm_series dp-cores <#-cores>.
Typically you increase the number of dataplane cores (which decreases the number of management plane cores) to improve performance. Dataplane core customization is supported on firewalls licensed with a Software NGFW credit pool for 10.0.4 and above, and running PAN-OS 10.1 or later.
Dataplane core customization is not supported for:
- NSX-T
- Intelligent Traffic Offload
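As an added example (not Palo Alto Networks code), the script below renders an init-cfg.txt bootstrap file carrying the plugin-op-commands=set-dp-cores:<#-cores> parameter described above, parses such a file back to audit what a bootstrap image will request, and refuses the two deployment types the notes list as unsupported. The bootstrap key and the CLI command text are the ones on this page; the rule that at least one vCPU must remain for the management plane, and the sample keys and values, are assumptions made for illustration.

```python
import re
from typing import Dict, Optional

# Bootstrap parameter from the release notes: plugin-op-commands=set-dp-cores:<#-cores>
PLUGIN_OP_KEY = "plugin-op-commands"
SET_DP_CORES_RE = re.compile(r"^set-dp-cores:(\d+)$")

# Deployment types the release notes list as unsupported for dataplane core customization.
UNSUPPORTED_DEPLOYMENTS = {"nsx-t", "intelligent-traffic-offload"}


def validate_dp_cores(dp_cores: int, total_vcpus: int, deployment: Optional[str] = None) -> int:
    """Return dp_cores if the request is sane, otherwise raise ValueError.

    Assumption (not stated in the release notes): at least one vCPU stays with the
    management plane, so dp_cores must lie in the range 1 .. total_vcpus - 1.
    """
    if deployment and deployment.lower() in UNSUPPORTED_DEPLOYMENTS:
        raise ValueError(f"dataplane core customization is not supported on {deployment}")
    if not isinstance(dp_cores, int) or dp_cores < 1:
        raise ValueError("dp_cores must be a positive integer")
    if dp_cores >= total_vcpus:
        raise ValueError(f"dp_cores={dp_cores} leaves no management-plane core on a {total_vcpus}-vCPU VM")
    return dp_cores


def render_init_cfg(base: Dict[str, str], dp_cores: int, total_vcpus: int,
                    deployment: Optional[str] = None) -> str:
    """Render init-cfg.txt content with the set-dp-cores bootstrap parameter appended."""
    if PLUGIN_OP_KEY in base:
        # Do not guess how several plugin operations combine in one value; make the caller merge them.
        raise ValueError(f"{PLUGIN_OP_KEY} already present; merge it explicitly")
    cores = validate_dp_cores(dp_cores, total_vcpus, deployment)
    lines = [f"{key}={value}" for key, value in base.items()]
    lines.append(f"{PLUGIN_OP_KEY}=set-dp-cores:{cores}")
    return "\n".join(lines) + "\n"


def parse_init_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines of an init-cfg.txt file, skipping blanks and '#' comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def dp_cores_from_cfg(cfg: Dict[str, str]) -> Optional[int]:
    """Return the dataplane core count a parsed init-cfg requests, or None if it requests none."""
    match = SET_DP_CORES_RE.match(cfg.get(PLUGIN_OP_KEY, ""))
    return int(match.group(1)) if match else None


def cli_command(dp_cores: int, total_vcpus: int) -> str:
    """The equivalent post-deployment VM-Series CLI command named in the release notes."""
    return f"request plugins vm_series dp-cores {validate_dp_cores(dp_cores, total_vcpus)}"


if __name__ == "__main__":
    # Constructed sample: an 8-vCPU VM-Series on KVM that should run 6 dataplane cores.
    sample = {"type": "dhcp-client", "hostname": "vm-series-01"}  # constructed values
    text = render_init_cfg(sample, dp_cores=6, total_vcpus=8, deployment="kvm")
    print(text)
    print("bootstrap requests", dp_cores_from_cfg(parse_init_cfg(text)), "dataplane cores")
    print(cli_command(6, 8))
```

Run the script to print a rendered init-cfg.txt, the core count recovered by parsing it, and the matching CLI command; the same parse_init_cfg and dp_cores_from_cfg pair can be pointed at existing bootstrap files to confirm what they will ask for before an image is reused.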
IPVLAN CNI L2 Support on the CN-Series Firewall on EKS
(Available with PAN-OS® 10.1.2 and later 10.1 releases)
You can now use IPVLAN in Layer 2 mode with your CN-Series deployment on EKS.

Increased Maximum Application Pods per CN-NGFW Node
(Available with PAN-OS® 10.1.9 and later 10.1 releases)
The CN-Series firewall deployed in DaemonSet mode now secures up to 125 application pods per CN-NGFW node.