Panorama Features

PAN-OS 8.1 introduces the following new Panorama features: Device Monitoring on Panorama, Support for Panorama Virtual Appliance in New Environments, Dedicated Log Collector in Virtual Environments, Configuration Reusability for Templates and Template Stacks.
New Panorama Feature | Description
Device Monitoring on Panorama
Monitoring resource utilization on firewalls helps you assess the impact of substantial policy changes and operational activities, benchmark across locations with similar traffic profiles, and proactively track device component health. The data needed to conduct these analyses is often aggregated in separate tools that firewall administrators cannot access. With Device Monitoring on Panorama you can now track resource utilization, environmental conditions, and other key operational metrics over time and in bulk across large deployments. With this new ability, Panorama can highlight devices operating outside their normal ranges and provide the data you need to accelerate investigation and make informed decisions.
Configuration Reusability for Templates and Template Stacks
Deploying firewalls with few differences in networking/device level configuration often requires duplication of templates on Panorama. Such duplication increases operational overhead and the chances of configuration errors. PAN-OS 8.1 introduces variables for device-specific IP values, which enable you to use the same templates in a template stack for multiple appliances that have unique configurations so that you can minimize template duplication and reduce inconsistencies between appliances.
Support for Panorama Virtual Appliance in New Environments
The Panorama virtual appliance is now supported on AWS, AWS GovCloud, Azure, Google™ Cloud Platform, KVM, and Hyper-V to provide more flexibility. The functionality and features on the Panorama virtual appliance match the hardware-based M-Series appliances, so you have the option of deploying the entire Panorama environment on the newly supported hypervisors or on a mix of both physical and virtual appliances to reduce your physical footprint.
Dedicated Log Collectors in Virtual Environments
You can now deploy Dedicated Log Collectors in virtual environments to align with your business strategy and reduce capital costs. Because the virtual Dedicated Log Collectors on AWS, AWS GovCloud, Azure, Google™ Cloud Platform, KVM, Hyper-V, and VMware ESXi provide the same functionality as hardware-based M-Series appliances, you now have the flexibility to scale your log collection infrastructure without the challenges associated with physically deploying hardware.
Management Only Mode
Panorama in Management Only mode is now available for you to offload logging to the Logging Service and/or your on-premises distributed Log Collectors. In this mode you can continue to use Panorama for centralized configuration, device management, and deployment of your managed firewalls, Log Collectors, and WildFire clusters, and have a single pane for monitoring network and threat activity on the ACC and for generating reports. On a Panorama virtual appliance this mode provides a smaller memory footprint, and on a hardware-based Panorama appliance it frees up resources required for log collection functions. Because the log-related capabilities are not enabled in this mode, the configuration management capability on Panorama is more efficient and results in faster commit times, speedier configuration pushes, and deployment of software and content updates.
Device Management License Enforcement for Panorama
In PAN-OS 8.1, Panorama validates that a valid device management license and associated support licenses exist for the firewalls you plan to manage on Panorama. New and existing Panorama virtual appliances running PAN-OS 8.1 have a 180-day grace period from deployment or upgrade to download and install the device management license if you don’t already have one installed.
Content Update Revert from Panorama
Revert content updates on one or more managed firewalls, Log Collectors, or WildFire appliances from Panorama without the need to log in to each managed appliance to revert the content version for each appliance individually. This capability reduces the time required to restore your environment when a content update negatively impacts your network operations.
Direct Query of PA-7000 Series Firewalls from Panorama
Because the PA-7000 Series firewall can now forward logs to Panorama, Panorama no longer treats the PA-7000 Series firewalls it manages as Log Collectors. If you have not configured your managed PA-7000 Series firewalls to forward logs to Panorama, by default you can only view the logs from the local firewall and not from Panorama. If you do not yet have a log forwarding infrastructure capable of handling the logging rate and volume from your PA-7000 Series firewalls, you can now enable Panorama to directly query managed PA-7000 Series firewalls so that you can view the logs directly from Panorama.
