New Virtualization Features
VM-Series Firewall Performance Enhancements and Expanded Model Line
This feature introduces improved performance, capacity, and efficiency for all VM-Series firewalls, including three new VM-Series models: VM-50, VM-500, and VM-700. The VM-Series model lineup now covers a wide variety of firewalls—from small optimized firewalls in resource-constrained environments to large, high-performance firewalls for deployment in a diverse range of Network Function Virtualization (NFV) use cases. You can also leverage the expanded range of VM-Series models coupled with flexibility and per-tenant isolation of VM-Series models to deploy multi-tenant solutions.
In addition, VM-Series firewall models are now distinguished by session capacity and the number of maximum effective vCPU cores (instead of only session capacity).
CloudWatch Integration for the VM-Series Firewall on AWS
VM-Series firewalls on AWS can now natively send PAN-OS metrics to AWS CloudWatch for advanced monitoring and auto-scaling policy decisions. The CloudWatch integration enables you to monitor the capacity, health status, and availability of the firewalls with metrics such as total number of active sessions, GlobalProtect gateway tunnel utilization, or SSL proxy utilization, so that the security tier comprising the VM-Series firewalls can scale dynamically when your EC2 workloads scale in response to demand.
Seamless VM-Series Model Upgrade
This release introduces seamless license-capacity upgrades for VM-Series firewalls. If a tenant’s requirements increase, you can upgrade the capacity to accommodate the changes with minimal traffic and operation disruption. Additionally, VM-Series firewalls now support HA synchronization between VM-Series firewalls of different capacities during the upgrade process.
VM-Series NSX Integration Configuration through Panorama
The new Panorama™ VMware NSX plug-in streamlines the process of deploying the VM-Series firewall for NSX and eliminates the duplicate effort in defining the security-related configuration on both Panorama and the NSX Manager or vCenter server. Panorama now serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. When you commit the NSX configuration, Panorama generates a security group in the NSX environment for each qualified dynamic address group and pushes each steering rule it generates to the NSX Manager. The NSX Manager uses the steering rules to redirect traffic from the virtual machines belonging to the corresponding NSX security group.
Support for NSX Security Tags on the VM-Series NSX Edition Firewall
The VM-Series firewall can now dynamically tag a guest VM with NSX security tags to enable immediate isolation of compromised or infected guests. The universally unique identifier of a guest VM is now part of the Traffic and Threat logs on the firewall. By leveraging threat, antivirus, and malware detection logs on the VM-Series firewall, NSX Manager can place guests in a quarantined security group to prevent lateral movement of the threat in the virtualized data center environment.
New Serial Number Format for the VM-Series Firewall
The serial number format for the VM-Series firewall now displays the name of the hypervisor on which the firewall is deployed so that you can consistently identify the firewalls for license management, and content and software updates. The new format is 15 characters in length, numeric for the bring your own license (BYOL) model, and alphanumeric for the Marketplace models (Bundle 1 or Bundle 2) available in public cloud environments. As part of this change, VM-Series firewalls in AWS now support longer instance ID formats.
VM-Series Bootstrapping with Block Storage
VM-Series License Deactivation API Key
To deactivate a VM-Series license, you must first install a license deactivation API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks® Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers.
The API key is available through the Customer Support Portal to administrators with superuser privileges.
Support for VM-Series on Azure Government and Azure China
Azure Government is a public cloud platform for U.S. government and public sector agencies. The VM-Series firewall on Azure now provides the same robust security features in Azure Government as in the Azure public cloud. On the Azure Government Marketplace, the VM-Series firewall is only available as a bring your own license (BYOL) option because the Azure Government Marketplace does not support pay-as-you-go (PAYG).
The VM-Series firewall is also available as a BYOL option on the Azure China marketplace.
VM Monitoring on Azure
VM Monitoring of Microsoft® Azure® resources enables you to dynamically update security policy rules to consistently enforce Security policy across all assets deployed within your Azure subscription. VM Monitoring on Azure uses a VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks® firewall(s).
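The following added example (not the Palo Alto Networks VM Monitoring script) shows how a collector of this kind can turn two snapshots of IP address-to-tag mappings into one update that also withdraws stale mappings, so a reused IP address does not inherit another VM's policy. It assumes the push uses the PAN-OS XML API User-ID `uid-message` format (the page says only "the API"); the function names, tags, and addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample snapshots: ip -> tags collected on two polling runs.
PREVIOUS = {"10.0.1.4": ["env-prod", "role-web"], "10.0.1.5": ["env-dev"]}
CURRENT = {"10.0.1.4": ["env-prod", "role-db"], "10.0.1.6": ["env-dev"]}


def diff_mappings(previous, current):
    """Return (register, unregister): ip -> sorted tags added / removed."""
    register, unregister = {}, {}
    for ip, tags in current.items():
        added = set(tags) - set(previous.get(ip, ()))
        if added:
            register[ip] = sorted(added)
    for ip, tags in previous.items():
        # A VM that disappeared has every tag withdrawn, so the address
        # stops matching dynamic address groups before it is reassigned.
        removed = set(tags) - set(current.get(ip, ()))
        if removed:
            unregister[ip] = sorted(removed)
    return register, unregister


def build_uid_message(register, unregister):
    """Serialize the delta as a uid-message document (assumed format)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        node = ET.SubElement(payload, section)
        for ip in sorted(mapping):
            entry = ET.SubElement(node, "entry", ip=ip)
            tag = ET.SubElement(entry, "tag")
            for name in mapping[ip]:
                # ElementTree escapes tag text, so cloud-side tag values
                # cannot inject extra XML elements into the request.
                ET.SubElement(tag, "member").text = name
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_uid_message(*diff_mappings(PREVIOUS, CURRENT)))
```
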