Virtualization Features
Describes the new capabilities in PAN-OS® 11.2 for the VM-Series and CN-Series firewalls.
Intelligent Traffic Offload - NAT Support on VM-Series Firewall
May 2024
Intelligent Traffic Offload (ITO) is a VM-Series firewall Security subscription that, when deployed on the supported NVIDIA BlueField DPU infrastructure compute platform, increases the throughput capacity of the VM-Series firewall.
In previous releases, Intelligent Traffic Offload required that you deploy the VM-Series firewall in virtual wire mode. Because virtual wire interfaces carry no Layer 3 addresses, this prevented VM-Series deployments with an ITO subscription from using NAT for perimeter security.
This release removes that limitation: you can now deploy a VM-Series firewall with an Intelligent Traffic Offload subscription in Layer 3 mode with NAT for IPv4. With this capability, your ITO subscription fully supports environments that require robust security features to keep end-user devices from being exposed to outside threats. NAT support covers NAT44, including dynamic IP and port (DIPP) source translation, for both DPU-based Intelligent Traffic Offload deployments and software cut-through deployments for traffic inspection.
Intelligent Traffic Offload - L3 (Dynamic Routing) Support on VM-Series Firewall
May 2024
Intelligent Traffic Offload (ITO) is a VM-Series firewall Security subscription that, when deployed on the supported NVIDIA BlueField DPU infrastructure compute platform, increases the throughput capacity of the VM-Series firewall.
In previous releases, ITO required that you deploy the VM-Series firewall in virtual wire mode, which ruled out Layer 3 deployments that participate in dynamic routing.
This release removes that limitation: you can now deploy the VM-Series firewall with Intelligent Traffic Offload in Layer 3 mode with dynamic routing. With dynamic routing, you get stable, high-performance, highly available Layer 3 routing through profile-based filter lists and conditional route maps that can be reused across logical routers. These profiles give you finer-grained control over which routes each dynamic routing protocol accepts and advertises, and they improve redistribution between protocols. Combined with NAT for IPv4, this lets you extend security policy to protect end-user devices from exposure to outside threats.
Virtual Systems Support on VM-Series Firewall
May 2024
The VM-Series firewall now supports virtual systems. Support requires a flexible VM-Series license, and a single virtual system is enabled by default. Virtual systems are separate, logical firewall instances within a single Palo Alto Networks firewall. Rather than deploying multiple firewalls, managed service providers and enterprises can deploy a single pair of firewalls (for high availability) and enable virtual systems on them. Virtual systems that coexist within one firewall are easier to manage, and they provide improved scalability, segmented administration, and reduced capital and operational expenses. Because all virtual systems on a firewall share one PAN-OS instance and one management plane, the separation between them is a logical policy and administrative boundary rather than a hypervisor boundary; scope administrator roles to individual virtual systems so that tenants cannot view or change each other's configuration. For more information, see Benefits of Virtual Systems and Virtual System Components and Segmentation.
Virtual system support on the VM-Series firewall is introduced in PAN-OS 11.2.0 and is also available in PAN-OS 11.1.3 and later; in both cases it is supported on the KVM platform only. You must have a virtual system license to run more than one virtual system on the VM-Series firewall; purchase additional licenses as required, up to the maximum supported by the instance tier.
Use a flexible VM-Series firewall license with a Tier 3 or Tier 4 instance that has at least 16 vCPUs. A Tier 3 instance supports a maximum of 25 virtual systems, and a Tier 4 instance supports a maximum of 100 virtual systems.
Advanced Threat Prevention (ATP) Support on CN-Series Firewall
May 2024
The CN-Series firewall now supports real-time Advanced Threat Prevention (ATP), which uses ML engines in the cloud to detect malware and zero-day vulnerability exploits in traffic as it passes through the firewall. CN-Series ATP is delivered as a containerized solution, giving a highly scalable, low-latency cloud-native service.
ATP is supported on PAN-OS 11.0 and later releases in all CN-Series deployment modes: CN-Series deployed as a Kubernetes service, as a DaemonSet, and as a Kubernetes CNF. To use ATP, you need the Advanced Threat Prevention license, and you must enable Inline Cloud Analysis in the security profiles that inspect the traffic.
To enable ATP on the CN-Series, use the YAML files from the Palo Alto Networks Customer Support Portal (CSP) to deploy the containerized firewall pods, or enable the ATP feature when configuring the CN-Series deployment on the CSP.
User-ID for CN-Series
May 2024
The CN-Series firewall is now qualified to support User Identification (User-ID) when deployed in Kubernetes CNF mode. User-ID maps traffic to user identities, giving improved visibility into application usage by user. It also enables user-based policy control, reducing the attack surface by granting access only to the users who need it, and gives a complete picture of a security incident through user-attributed logging, reporting, and forensics. For more information, see User-ID.