End-of-Life (EoL)
Virtualization Features
New Virtualization Features | Description |
---|---|
VM-Series Firewall for Microsoft Azure | The VM-Series firewall can now be deployed in Azure, the Microsoft public cloud. The VM-Series firewall can be deployed as a gateway that secures and integrates your multi-tier applications and services in the Azure cloud and the corporate office or enterprise data center, and as a next-generation firewall that secures inter-application traffic within the Azure cloud. VM-Series firewall options through the Azure Marketplace include the bring your own license (BYOL) model and two options (Bundle 1 and Bundle 2) for the hourly pay-as-you-go (PAYG) model. PAN-OS 7.1.1 adds support for the VM-Series on Azure Government, which is a public cloud platform for U.S. government and public sector agencies. On the Azure Government Marketplace, the VM-Series firewall is only available as a bring your own license (BYOL) option because the Azure Government Marketplace does not support pay-as-you-go (PAYG). PAN-OS 7.1.1 is also available on the Azure China marketplace as a BYOL option. |
Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall | When using the VM-Series NSX edition solution for automated provisioning of VM-Series firewalls, you can now create multiple service definitions on Panorama. You can now have separate Security policy rules for VM-Series firewalls deployed on different ESXi clusters but managed by a vCenter Server and NSX Manager. This capability allows you to define tenant-specific Security policy rules for securing guest virtual machines within an ESXi cluster. Each service definition (up to 32 are supported) includes a template, a device group, and the license auth codes for firewalls deployed using this service definition. Additionally, you can configure Access Domains on Panorama to limit administrative access to a specified set of firewalls. The VM-Series firewall now also supports multiple zones and virtual wire interface pairs, allowing you to create zone-based policy rules with a single (common) set of Security policy rules for guest virtual machines that belong to different tenants or departments; traffic separation is made possible by allocating a unique zone and pair of virtual wire interfaces for guest virtual machines that belong to a specific tenant or department. This capability also allows you to enforce policy on guest virtual machines that have overlapping IP addresses, typically seen in cases where the guest virtual machines are assigned to separate VLANs, VXLANs, or Security groups in the vSphere environment. |
VM-Series Firewall for Microsoft Hyper-V | To expand support for deploying the VM-Series firewall in private cloud and hybrid cloud environments, you can now deploy the VM-Series firewall on Hyper-V Server 2012 R2 (standalone edition) or Windows Server 2012 R2 (standard and datacenter editions) with the Hyper-V role that lets you create and manage virtual machines. You can deploy one or more instances of the VM-Series firewall using the Hyper-V Manager (guided user interface) or Windows PowerShell (command line interface). Tap, virtual wire, Layer 2, and Layer 3 interface modes are supported. |
Support for VMware Tools on Panorama and on VM-Series Firewalls on ESXi | For ease of administration, the VM-Series firewall and the Panorama virtual appliance are now bundled with a customized version of open-vm-tools. This bundle allows the virtual infrastructure administrator to: |
Support for Device Group Hierarchy in the VM-Series NSX Edition Firewall | With this enhancement, you can now assign the VM-Series NSX edition firewall to a template stack and a device group in a hierarchy so that the firewalls can inherit settings defined in the stack and the hierarchy. As you provision or power off virtual machines in the vSphere environment, you can enable notification of IP address changes to one or more device groups in a hierarchy. This notification allows Security policy rules that reference Dynamic Address Groups to collect information on the changes and dynamically drive policy updates to secure the network. |
Support for Synchronizing VM Monitoring Information on Firewalls in HA | For a pair of firewalls (VM-Series and hardware-based firewalls) deployed in a high availability (HA) configuration, dynamic data, such as information about virtual machine IP addresses and other monitored attributes, can now be synchronized between HA peers. |
Support for Amazon ELB on the VM-Series Firewalls in AWS | To use Amazon Elastic Load Balancing (ELB) for increased fault tolerance in your AWS deployment, you can deploy the VM-Series firewall behind the Amazon ELB. Each instance of the VM-Series firewall can send traffic to one EC2 instance. To integrate with the Amazon ELB, you must swap the management interface (eth0) and dataplane interface (eth1) on the VM-Series firewall so that the primary interface (management) on the VM-Series firewall can receive dataplane traffic. A new CLI command (set system setting mgmt-interface-swap enable yes) allows you to swap the management interface (eth0) and dataplane interface (eth1) so that the firewall can send and receive dataplane traffic on eth0. With this change, the Amazon ELB can automatically monitor the health of the VM-Series firewalls and route traffic to healthy instances of the VM-Series firewall in the same or across Availability Zones. |
VM-Series License Deactivation API Key | In PAN-OS 7.1.7 and later PAN-OS 7.1 releases, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers. The API key is available through the Customer Support Portal to administrators with superuser privileges. |