Virtualization Features

Virtualization Features

Table of Contents

Virtualization Features

Describes all the exciting new capabilities in PAN-OS® 11.1 for the VM-Series and CN-Series firewall

ARM Support on VM-Series Firewall

November 2023
  • Introduced for VM-Series firewalls in PAN-OS 11.1.0
VM-Series firewall now supports ARM based instances on AWS Graviton 2 (ARM compute) instances for public clouds and KVM hypervisor for private clouds. All features that were available in x86 environments are now extended to ARM based instances including Hypervisor support, DPDK and other acceleration methods that provide better performance, while reducing the operational (OPEX) costs, power consumption, and footprints.
ARM architecture support is currently available on VM-Flex licensing models on AWS BYOL or KVM as Software NGFW credits on the following types of ARM instances:
AWS C6gn
8xLarge, 12xlarge, 16xlarge
xlarge, 2xlarge, 4xlarge, 8xLarge, 12xlarge, and 16xlarge
large, xlarge, 2xlarge, 4xlarge, 8xlarge, and 16xlarge
v8 systems such as
Ampere Altra AC-106422002
i40e and mlx5
ARM also supports the following capabilities:
  • AWS automation templates such as Cloud formation and terraform templates
  • AWS Gateway Load Balancer (GWLB)
  • 64vCPU profiles
  • Simple and full boot-strapping on AWS
  • All security subscriptions currently supported in x86 based systems
  • All features on KVM hypervisor currently supported on X86 based systems
  • Telemetry data similar to what is currently supported on X86 based systems

Link Aggregation for VM-Series Firewall

November 2023
  • Introduced for VM-Series firewalls in PAN-OS 11.1.0
VM-Series firewalls add support for link aggregation for ESXi and KVM environments. This feature supports multiple connections that combine into a single logical bonding device with a unique name that is associated with a network device (either physical or virtual) as secondary devices. The bonded device possesses a unique MAC address that is shared among all secondary devices.
Important things to consider:
  • An Aggregate Ethernet interface uses the MAC address from the base and not from the hypervisor. This takes effect after rebooting newly deployed and licensed VM-Series firewalls.
  • An unlicensed Panorama VM uses an erroneous Aggregate Ethernet MAC address, while the licensed VM receives a proper MAC address. If the Panorama VM deploys initially without a license, the Aggregate Ethernet interface receives this erroneous MAC address. Once you procure the license, reboot the VM to retrieve the new base MAC address from the license key file.
To configure link aggregation, enable PAN-OS to change VM MAC addresses. To do this, configure MAC address changes:
Link aggregation of HA interfaces isn't supported in public cloud environments, like AWS, Azure or GCP.
Learn how to configure link aggregation support on the VM-Series for ESXi and KVM.

Dynamic Routing in CN-Series HSF

November 2023
  • Introduced for CN-Series firewalls in PAN-OS 11.1.0
CN-Series Hyperscale Security Fabric (HSF)
dynamic routing
through BGP and BGP over BFD protocols. Using Dynamic routing, you can attain stable, high-performing, and highly available layer 3 routing through profile-based filtering lists and conditional route maps, which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.
BGP looks for the available paths that data could travel and picks the best route, based on IP prefixes that are available within autonomous systems. The Bidirectional Forwarding Detection (BFD) provides fast forwarding path failure detection times for BGP routing protocols between CN-GW pods and the external router.

Strata Logging Service with CN-Series Firewall

November 2023
  • Introduced for CN-Series firewalls in PAN-OS 11.1.0
Strata Logging Service enables AI-based innovations for cybersecurity with the industry’s only approach to normalizing and stitching together your enterprise’s data. For more information, see About Strata Logging Service and Deploy Strata Logging Service with Panorama. Strata Logging Service can now collect log data from CN-Series next-generation firewall. When you purchase a Strata Logging Service license, all firewalls registered to your support account receive a Strata Logging Service. You will also receive a magic link that you will need to use to activate your Strata Logging Service instance.
To get started with CN-Series firewall Strata Logging Service, you must ensure that you Install the Kubernetes Plugin and Set up Panorama for your CN-Series Firewall. You must provide the device certificate to the CN-MGMT pod for Strata Logging Service connectivity. It is important to register your CN-MGMT pod with a CSP account to ensure that CN-MGMT pod is reflected in your Strata Logging Service instance. Add the valid PIN-ID and PIN-value to
file to successfully install the device certificate. The CN-Series firewall requires a device certificate that authorizes secure access to Strata Logging Service. For more information see Install a Device Certificate on the CN-Series Firewall.
After you deploy your CN-Series firewall, verify that your CN-MGMT pod is visible on your CSP account, under
Registered Devices
. For more information see, Register the Firewall. You must ensure that you configure your CN-Series firewall with Panorama and Create a CN-Series Deployment Profile on your CSP account and use the auth code to push licenses from Panorama to your CN-Series firewall.

IoT Security Support for CN-Series Firewall

November 2023
  • Introduced for CN-Series firewalls in PAN-OS 11.1.0
For Palo Alto Networks next-generation CN-Series firewall, the IoT Security solution uses machine learning (ML) to provide visibility of discovered IoT devices based on the meta-data in the logs it receives from the firewall. IoT Security also identifies vulnerabilities and assess risk in devices based on their network traffic behaviors and dynamically updated threat feeds.
You can use the policy rule recommendations that IoT Security generates as a reference when manually adding rules to your CN-Series firewall. IoT Security always generates Security policy rule recommendations regardless of the PAN-OS version.
When using
IoT Security Subscription
, which stores data in Strata Logging Service, you need one Strata Logging Service license per account and must ensure that Strata Logging Service configuration for your CN-Series firewall is complete.
For more information, see IoT Security Prerequisites.

Session Resiliency for the VM-Series on AWS and GCP

November 2023
  • Introduced for VM-Series firewalls in PAN-OS 11.1.0
Session resiliency allows the VM-Series firewall deployed in a cluster on AWS or GCP to maintain session continuity during a failure event. The AWS Gateway Load Balancer (GWLB) and GCP Network Load Balancer (NLB) can detect and deregister unhealthy VM-Series firewalls deployed in a horizontally scalable cluster behind. With session resiliency enabled, the GWLB and NLB can rehash existing traffic sessions flowing toward an unhealthy VM-Series and redirect the traffic to a healthy VM-Series firewall.
To maintain sessions failing over to healthy VM-Series firewalls, you must deploy a Redis cache accessible to your VM-Series firewalls— ElastiCache for Redis for AWS and Memorystore for Redis for GCP. The Redis cache maintains session information. When your load balancer detects an unhealthy VM-Series firewall, the load balancer rebalances traffic to a healthy VM-Series firewall. The healthy VM-Series firewall accesses the Redis cache for session information and continues to inspect and forward the existing traffic.
Traffic inspection of the rehashed traffic flows is Layer 4 only. The VM-Series firewall inspects traffic in new sessions up to Layer 7.
Enable session resiliency on the VM-Series firewall by passing the configuration as part of a bootstrapping init-cfg.txt file or in the user data field using the following new parameters.
op-command-modes=mgmt-interface-swap plugin-op-commands=set-sess-ress:True redis-endpoint=<redis-IP-address:port> redis-auth=<redis-auth-code> redis-certificate=
Session resiliency can't be enabled on existing VM-Series firewall instances; only on newly deployed instances.

Virtual Systems Support on VM-Series Firewall

May 2024
  • Introduced in VM-Series firewalls in PAN-OS 11.2.0.
  • Available in VM-Series firewalls with PAN-OS 11.1.3 and later.
The VM-Series firewall now supports virtual systems only with flexible license and with
virtual system by default. Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. The virtual systems are easier to manage coexisting within a firewall. The additional benefits of virtual systems include improved scalability, segmented administration, and reduced capital and operational expenses. For more information, see Benefits of Virtual Systems and Virtual System Components and Segmentation.
The virtual system support on the VM-Series firewall is available on PAN-OS version 11.1.3 and later. You must have a virtual system license to support multiple virtual systems on the VM-Series firewall. Purchase additional licenses based on your requirement up to a maximum number supported on a particular Tier.
Use a flexible VM-Series firewall license and Tier 3 or Tier 4 instances supporting a minimum of 16 vCPUs or more. The VM-Series firewall in Tier 3 instance supports a maximum of 25 virtual systems. The VM-Series firewall in Tier 4 instance, supports a maximum of 100 virtual systems.
The virtual system support on VM-Series firewall is introduced in PAN-OS 11.2.0, and available in PAN-OS version 11.1.3 and later on KVM platform only.

Recommended For You