New Virtualization Feature Description
VM-Series Firewall for Microsoft Azure The VM-Series firewall can now be deployed in Azure, the Microsoft public cloud. The VM-Series firewall can be deployed as a gateway that secures and integrates your multi-tier applications and services in the Azure cloud and the corporate office or enterprise data center, and as a next-generation firewall that secures inter-application traffic within the Azure cloud. VM-Series firewall options through the Azure Marketplace include the bring your own license (BYOL) model and two options (Bundle 1 and Bundle 2) for the hourly pay-as-you-go (PAYG) model. PAN-OS 7.1.1 adds support for the VM-Series on Azure Government, which is a public cloud platform for U.S. government and public sector agencies. On the Azure Government Marketplace, the VM-Series firewall is only available as a bring your own license (BYOL) option because the Azure Government Marketplace does not support pay-as-you-go (PAYG). PAN-OS 7.1.1 also is available on the Azure China marketplace as a BYOL option.
Support for Multi-Tenancy and Multiple Sets of Policy Rules on the VM-Series NSX Edition Firewall When using the VM-Series NSX edition solution for automated provisioning of VM-Series firewalls, you can now create multiple service definitions on Panorama. You can now have separate Security policy rules for VM-Series firewalls deployed on different ESXi clusters but managed by a vCenter Server and NSX Manager. This capability allows you to define tenant-specific Security policy rules for securing guest virtual machines within an ESXi cluster. Each service definition (up to 32 are supported) includes a template, a device group, and the license auth codes for firewalls deployed using this service definition. Additionally, you can configure Access Domains on Panorama to limit administrative access to a specified set of firewalls. The VM-Series firewall now also supports multiple zones and virtual wire interface pairs, allowing you to create zone-based policy rules with a single (common) set of Security policy rules for guest virtual machines that belong to different tenants or departments; traffic separation is made possible by allocating a unique zone and pair of virtual wire interfaces for guest virtual machines that belong to a specific tenant or department. This capability also allows you to enforce policy on guest virtual machines that have overlapping IP addresses, typically seen in cases where the guest virtual machines are assigned to separate VLANs, VXLANs, or Security groups in the vSphere environment.
VM-Series Firewall for Microsoft Hyper-V To expand support for deploying the VM-Series firewall in private cloud and hybrid cloud environments, you can now deploy the VM-Series firewall on Hyper-V Server 2012 R2 (standalone edition) or Windows Server 2012 R2 (standard and datacenter editions) with the Hyper-V role that lets you create and manage virtual machines. You can deploy one or more instances of the VM-Series firewall using the Hyper-V Manager (guided user interface) or Windows PowerShell (command line interface). Tap, virtual wire, Layer 2, and Layer 3 interface modes are supported.
Support for VMware Tools on Panorama and on VM-Series Firewalls on ESXi For ease of administration, the VM-Series firewall and the Panorama virtual appliance are now bundled with a customized version of open-vm-tools. This bundle allows the virtual infrastructure administrator to: View the management IP address and PAN-OS version of the firewall and Panorama on vCenter. View resource utilization metrics for the hard disk, memory, and CPU. Monitor availability and health status of the virtual appliance using a heartbeat mechanism. Gracefully shutdown and restart the firewall and Panorama from the vCenter server.
Support for Device Group Hierarchy in the VM-Series NSX Edition Firewall With this enhancement, you can now assign the VM-Series NSX edition firewall to a template stack and a device group in a hierarchy so that the firewalls can inherit settings defined in the stack and the hierarchy. As you provision or power off virtual machines in the vSphere environment, you can enable notification of IP address changes to one or more device groups in a hierarchy. This notification allows Security policy rules that reference Dynamic Address Groups to collect information on the changes and dynamically drive policy updates to secure the network.
Support for Synchronizing VM Monitoring Information on Firewalls in HA For a pair of firewalls (VM-Series and hardware-based firewalls) deployed in a high availability (HA) configuration, dynamic data such as information about virtual machine IP addresses and other monitored attributes, can now be synchronized between HA peers.
Support for Amazon ELB on the VM-Series Firewalls in AWS To use Amazon Elastic Load Balancing (ELB) for increased fault tolerance in your AWS deployment, you can deploy the VM-Series firewall behind the Amazon ELB. Each instance of the VM-Series firewall can send traffic to one EC2 instance. To integrate with the Amazon ELB, you must swap the management interface (eth0) and dataplane interface (eth1) on the VM-Series firewall so that the primary interface (management) on the VM-Series firewall can receive dataplane traffic. A new CLI command ( set system setting mgmt-interface-swap enable yes ) allows you to swap the management interface (eth0) and dataplane interface (eth1) so that the firewall can send and receive dataplane traffic on eth0. With this change, the Amazon ELB can automatically monitor the health of the VM-Series firewalls and route traffic to healthy instances of the VM-Series firewall in the same or across Availability Zones.
VM-Series License Deactivation API Key In PAN-OS 7.1.7 and later PAN-OS 7.1 releases, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers. The API key is available through the Customer Support Portal to administrators with superuser privileges.

Related Documentation