Describes all the exciting new capabilities in PAN-OS® 10.2 for the VM-Series and CN-Series firewall.
New Virtualization Feature
Description
CN-Series Firewall as a Kubernetes CNF
You can now deploy the Palo Alto Networks Container Native Firewalls (CN-Series) as a Container Network Function (CNF) to protect containerized as well as non-containerized workloads. This is a new deployment mode for the CN-Series firewall that augments the previously released CN-Series-as-a-daemonset and CN-Series-as-a-Kubernetes-service deployment modes, which are limited to protecting only container workloads.
Deploying the CN-Series-as-a-Kubernetes-CNF allows customers to run CN-Series in Layer-3 mode. This enables customers to steer traffic to CN-Series even from non-containerized sources. You can build resilient network security by deploying CN-Series in an HA pair. In the CNF mode of deployment, you can take advantage of I/O acceleration techniques such as DPDK and SR-IOV to boost firewall performance.
High Availability Support for CN-Series Firewall as a Kubernetes CNF
You can now deploy the CN-Series as a Kubernetes CNF in High Availability (HA) mode. This deployment mode currently supports active/passive HA with session and configuration synchronization.
DPDK support for CN-Series Firewall
The Kubernetes CNF mode of CN-Series now supports Data Plane Development Kit (DPDK) and allows the application pods to use DPDK. DPDK provides a simple framework for fast packet processing in dataplane applications.
You can set up DPDK on on-premises worker nodes and on an AWS EKS cluster.
Daemonset (vwire) IPv6 Support
Using the Daemonset mode, you can now secure the interfaces of application pods that have IPv6 addresses.
L3 IPv4 Support for CN-Series
With the Kubernetes CNF, CN-Series now supports L3 Policy Based Routing (PBR) with IPv4 addresses. The IP addresses for the interfaces in a K8s environment are typically programmed through the CNI using DHCP.
IPv6 DAG Plugin Support (Kubernetes 3.0.0 Plugin)
With the Kubernetes 3.0.0 plugin, you can now validate Service account files, view detailed dashboards, push IP addresses for tags used in Security Policies (Tag Pruning), and retrieve IPv6 addresses that can be used in a Multus CNI setup.
47 Dataplane Cores Support for VM-Series and CN-Series Firewalls
Starting with PAN-OS 10.2, the VM-Series and CN-Series firewalls support a maximum of 47 dataplane cores, an increase from the previous maximum of 31.
For VM-Series, if you have NUMA performance optimization enabled with a custom dataplane core setting, the NUMA settings take precedence.
Elastic Memory Profile
Beginning with PAN-OS 10.2, the maximum number of sessions and capacity supported on an individual VM-Series firewall scales with the increase in the amount of memory allocated to the VM-Series instance.