Document: PAN-OS® New Features Guide
Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall
Last Updated: Mon Jul 06 14:59:42 PDT 2020
Current Version: 7.1 (EoL)
Beginning with PAN-OS 7.1, the VM-Series NSX edition firewall supports multi-tenancy, which means that you can use the VM-Series firewall to secure traffic from multiple tenants (or sub-tenants) hosted in the vSphere environment. The VM-Series NSX edition firewall allows you to create up to 32 service definitions, each with a unique device group and template. The device group lets you create and manage policy rules for a tenant (or sub-tenant), and the template lets you define one or more zones so that you can isolate traffic for each tenant or sub-tenant. Each tenant (or sub-tenant) is mapped to a specific zone on Panorama, and the zone becomes available as a service profile on the NSX Manager. The NSX security administrator can then select the appropriate service profile to logically isolate traffic and redirect it to the VM-Series firewall.
In previous releases, the VM-Series NSX edition firewalls were all assigned to one service definition with a single template (with one default zone and, hence, a single service profile for redirecting traffic) and a single device group (one set of security policies). With the support for multiple service definitions in PAN-OS 7.1, you can configure the firewall for whichever of the following deployments you need: a shared compute infrastructure with shared security policies, a dedicated compute infrastructure with dedicated security policies, or a shared compute infrastructure with dedicated security policies (multiple instances of the VM-Series firewall per host in an ESXi cluster).
For details on multi-tenant deployment options, see What is Multi-Tenant Support on the VM-Series NSX Edition Firewall?