Virtualization Features

Describes all the exciting new capabilities in PAN-OS® 11.1 for the VM-Series and CN-Series firewall

ARM Support on VM-Series Firewall

November 2023
  • Introduced for VM-Series firewalls in PAN-OS 11.1.0
The VM-Series firewall now supports ARM-based instances: AWS Graviton 2 (ARM compute) instances in the public cloud and the KVM hypervisor in private clouds. All features available in x86 environments are extended to ARM-based instances, including hypervisor support, DPDK, and other acceleration methods that deliver better performance while reducing operational (OPEX) costs, power consumption, and footprint.
ARM architecture support is currently available with VM-Flex licensing on AWS (BYOL) or on KVM (Software NGFW credits) for the following ARM instance types:
  Name        Types
  AWS C6gn    8xlarge, 12xlarge, and 16xlarge
  AWS R6g     xlarge, 2xlarge, 4xlarge, 8xlarge, 12xlarge, and 16xlarge
  AWS M6g     large, xlarge, 2xlarge, 4xlarge, 8xlarge, and 16xlarge
  KVM         ARMv8 systems such as Ampere Altra AC-106422002
Supported network drivers by platform:
  Platform    Drivers
  KVM         i40e and mlx5
  AWS         ena
ARM-based deployments also support the following capabilities:
  • AWS automation templates such as CloudFormation and Terraform templates
  • AWS Gateway Load Balancer (GWLB)
  • 64 vCPU profiles
  • Simple and full bootstrapping on AWS
  • All security subscriptions currently supported on x86-based systems
  • All features on the KVM hypervisor currently supported on x86-based systems
  • Telemetry data similar to what is currently supported on x86-based systems

Link Aggregation for VM-Series Firewall

November 2023
  • Introduced for VM-Series firewalls in PAN-OS 11.1.0
VM-Series firewalls add support for link aggregation in ESXi and KVM environments. This feature combines multiple connections into a single logical bonded device with a unique name; the network devices (physical or virtual) that make up the bond are its secondary devices. The bonded device has a unique MAC address that is shared among all secondary devices.
Important things to consider:
  • An Aggregate Ethernet interface uses the base MAC address (from the license) rather than one assigned by the hypervisor. This takes effect after rebooting newly deployed and licensed VM-Series firewalls.
  • An unlicensed Panorama VM uses an erroneous Aggregate Ethernet MAC address, while a licensed VM receives a proper MAC address. If the Panorama VM is initially deployed without a license, the Aggregate Ethernet interface receives this erroneous MAC address. After you procure the license, reboot the VM so it retrieves the new base MAC address from the license key file.
To configure link aggregation, the hypervisor must allow PAN-OS to change VM MAC addresses: set MAC address changes to Accept.
Link aggregation of HA interfaces isn't supported in public cloud environments such as AWS, Azure, or GCP.
Learn how to configure link aggregation support on the VM-Series for ESXi and KVM.

Dynamic Routing in CN-Series HSF

November 2023
  • Introduced for CN-Series firewalls in PAN-OS 11.1.0
CN-Series Hyperscale Security Fabric (HSF) introduces dynamic routing through BGP and BGP over BFD protocols. With dynamic routing, you can attain stable, high-performing, and highly available Layer 3 routing through profile-based filtering lists and conditional route maps, which can be used across logical routers. These profiles provide finer granularity for filtering routes for each dynamic routing protocol and improve route redistribution across multiple protocols.
BGP evaluates the available paths that data could travel and picks the best route, based on the IP prefixes advertised by autonomous systems. Bidirectional Forwarding Detection (BFD) provides fast detection of forwarding-path failures for BGP sessions between CN-GW pods and the external router.

Cortex Data Lake (CDL) Logging with CN-Series Firewall

November 2023
  • Introduced for CN-Series firewalls in PAN-OS 11.1.0
Cortex Data Lake enables AI-based innovations for cybersecurity with the industry's only approach to normalizing and stitching together your enterprise's data. For more information, see About Cortex Data Lake and Cortex Data Lake for Panorama-Managed Firewalls. Cortex Data Lake (CDL) can now collect log data from CN-Series next-generation firewalls. When you purchase a Cortex Data Lake license, all firewalls registered to your support account receive a Cortex Data Lake license. You also receive a magic link that you use to activate your Cortex Data Lake instance.
To get started with CN-Series firewall CDL logging, you must Install the Kubernetes Plugin and Set up Panorama for your CN-Series Firewall. You must provide the device certificate to the CN-MGMT pod for CDL connectivity. Register your CN-MGMT pod with a CSP account so that the CN-MGMT pod appears in your CDL instance. Add a valid PIN-ID and PIN-value to the pan-cn-mgmt-secret.yaml file to successfully install the device certificate. The CN-Series firewall requires a device certificate that authorizes secure access to CDL. For more information, see Install a Device Certificate on the CN-Series Firewall.
After you deploy your CN-Series firewall, verify that your CN-MGMT pod is visible on your CSP account under Registered Devices. For more information, see Register the Firewall. Configure your CN-Series firewall with Panorama, Create a CN-Series Deployment Profile on your CSP account, and use the auth code to push licenses from Panorama to your CN-Series firewall.

IoT Security Support for CN-Series Firewall

November 2023
  • Introduced for CN-Series firewalls in PAN-OS 11.1.0
For the Palo Alto Networks next-generation CN-Series firewall, the IoT Security solution uses machine learning (ML) to provide visibility into discovered IoT devices based on the metadata in the logs it receives from the firewall. IoT Security also identifies vulnerabilities and assesses risk in devices based on their network traffic behavior and dynamically updated threat feeds.
You can use the policy rule recommendations that IoT Security generates as a reference when manually adding rules to your CN-Series firewall. IoT Security always generates Security policy rule recommendations regardless of the PAN-OS version.
When using the IoT Security Subscription, which stores data in Cortex Data Lake, you need one Cortex Data Lake license per account and must ensure that the CDL configuration for your CN-Series firewall is complete.
For more information, see IoT Security Prerequisites.

Session Resiliency for the VM-Series on AWS and GCP

November 2023
  • Introduced for VM-Series firewalls in PAN-OS 11.1.0
Session resiliency allows VM-Series firewalls deployed in a cluster on AWS or GCP to maintain session continuity during a failure event. The AWS Gateway Load Balancer (GWLB) and GCP Network Load Balancer (NLB) can detect and deregister unhealthy VM-Series firewalls in the horizontally scalable cluster behind them. With session resiliency enabled, the GWLB and NLB can rehash existing traffic sessions flowing toward an unhealthy VM-Series firewall and redirect that traffic to a healthy VM-Series firewall.
To preserve sessions that fail over to healthy VM-Series firewalls, you must deploy a Redis cache that your VM-Series firewalls can reach: ElastiCache for Redis on AWS and Memorystore for Redis on GCP. The Redis cache holds session information. When your load balancer detects an unhealthy VM-Series firewall, it rebalances traffic to a healthy VM-Series firewall, which reads the session information from the Redis cache and continues to inspect and forward the existing traffic.
Inspection of rehashed traffic flows is Layer 4 only. The VM-Series firewall inspects traffic in new sessions up to Layer 7.
Enable session resiliency on the VM-Series firewall by passing the configuration in a bootstrapping init-cfg.txt file or in the user data field, using the following new parameters:
  op-command-modes=mgmt-interface-swap
  plugin-op-command=set-sess-ress:True
  redis-endpoint=<redis-IP-address:port>
  redis-auth=<redis-auth-code>
  redis-certificate=
Session resiliency can't be enabled on existing VM-Series firewall instances; only on newly deployed instances.
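The following is an added example, not Palo Alto Networks tooling: it parses an init-cfg.txt fragment carrying the session resiliency parameters listed above and flags the settings a reviewer would want caught before bootstrapping (a malformed redis-endpoint, a missing redis-auth for a cache that holds live session state, an empty redis-certificate). It assumes init-cfg.txt holds one key=value pair per line; the endpoint address and auth value in the sample are constructed placeholders.

```python
"""Sanity-check session-resiliency bootstrap parameters for a VM-Series init-cfg.txt."""
import ipaddress
import re

# Constructed sample init-cfg.txt fragment using the PAN-OS 11.1 parameter names.
SAMPLE_INIT_CFG = """\
op-command-modes=mgmt-interface-swap
plugin-op-command=set-sess-ress:True
redis-endpoint=10.0.5.20:6379
redis-auth=EXAMPLE-AUTH-TOKEN
redis-certificate=
"""


def parse_init_cfg(text):
    """Return the key=value pairs of an init-cfg.txt body as a dict (one pair per line)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def check_session_resiliency(params):
    """Return a list of findings; an empty list means the fragment is consistent."""
    findings = []
    # The plugin op-command may carry several comma-separated values; the flag must be present.
    if "set-sess-ress:True" not in params.get("plugin-op-command", "").split(","):
        findings.append("plugin-op-command must include set-sess-ress:True")
    endpoint = params.get("redis-endpoint", "")
    match = re.fullmatch(r"(.+):(\d{1,5})", endpoint)
    if not match or not 1 <= int(match.group(2)) <= 65535:
        findings.append("redis-endpoint must be <redis-IP-address:port>")
    else:
        try:
            ipaddress.ip_address(match.group(1))
        except ValueError:
            findings.append("redis-endpoint host is not an IP address")
    if not params.get("redis-auth"):
        # The cache holds live session state, so an unauthenticated cache is a real exposure.
        findings.append("redis-auth is empty; the session cache would be unauthenticated")
    if not params.get("redis-certificate"):
        findings.append("redis-certificate is empty; confirm this is intended for your Redis deployment")
    return findings


if __name__ == "__main__":
    for finding in check_session_resiliency(parse_init_cfg(SAMPLE_INIT_CFG)):
        print("WARNING:", finding)
```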
