Virtualization Features

Describes all the exciting new capabilities in PAN-OS® 8.1 for the VM-Series firewall.
New Virtualization Features and Descriptions
VM-50 Lite
The VM-50 Lite is a resource-optimized mode of the VM-50 firewall with a smaller memory footprint. This mode allows you to deploy the VM-Series firewall in environments where resources are limited while providing the same performance and features as the standard VM-50 firewall.
Integration with Azure Security Center
You can now deploy the VM-Series firewall directly from the Azure Security Center, which provides a consolidated view of the security posture of your Microsoft Azure workloads. This integration enables you to forward URL Filtering, Threat, and WildFire logs of high and critical severity that are generated on the firewall to Azure Security Center so that you can monitor security events from a single management console. For example, when the firewall prevents an attack on your internet-facing web server and generates a threat log for a known vulnerability on an inbound request, it forwards this log to Azure Security Center, where you can directly review the security incident.
Bootstrapping Enhancements for VM-Series Firewall on Azure
When bootstrapping the VM-Series firewall on Azure, you can now use Azure file storage (instead of a data disk) to store the bootstrap files. This change improves the bootstrapping workflow because it enables multiple virtual machines to simultaneously access the same bootstrap package.
Support for Azure Application Insights
To enable monitoring and alerts on the health and performance of the VM-Series firewall, you can now natively publish firewall metrics to Azure Application Insights. The integration with Azure Application Insights allows you to monitor custom PAN-OS metrics, such as total number of active sessions or dataplane CPU utilization, in order to set alarms or trigger automation events.
VM Monitoring for Azure
VM Monitoring of Microsoft® Azure® resources enables you to dynamically update security policy rules to consistently enforce Security policy across all assets deployed within your Azure subscription. VM Monitoring on Azure uses a VM Monitoring script that runs on a virtual machine within the Azure public cloud. This script collects the IP address-to-tag mapping for all your Azure assets and uses the API to push the VM information to your Palo Alto Networks® firewall(s).
VM-Series Firewall on Google Cloud Platform
To secure your workloads on the Google Cloud Platform, you can now deploy the VM-Series firewall from the Google Cloud Platform Marketplace. To scale security with your workloads, deploy one or more instances of the VM-Series firewall behind Google Cloud load balancers and bootstrap the firewall with a complete configuration that includes security policies at launch.
The VM-Series firewall can also natively publish metrics to Google Stackdriver to monitor and trigger alerts for firewall health and performance. To create security policy rules that automatically adapt to changes to your workloads (additions, moves, or deletions of virtual machines in a Google Cloud Platform Project VPC), you can enable VM Monitoring for instances running on Google Cloud Platform on any hardware or VM-Series firewall running PAN-OS 8.1.
Performance Enhancements for the VM-Series Firewall on NSX
The VM-Series firewall for VMware NSX can now provide higher per-host traffic throughput. In addition to PAN-OS 8.1, you must also be running VMware NSX Manager 6.3.1 or higher. NSX Manager 6.3.1 introduced NetX APIs that support multiple device channels and multi-process I/O, allowing the VM-Series firewall to use these device channels to improve performance. NSX allocates device channels equal to the number of dataplane cores assigned to the firewall. When you upgrade to 8.1, your VM-Series firewall deployed in an NSX 6.3.1 or higher environment takes full advantage of the maximum number of effective cores assigned to the dataplane.
FQDN Refresh Time Enhancement
In PAN-OS 8.1, VM-Series firewalls support a larger range for the FQDN Refresh Time than in prior releases. The range is now 60-14,399 seconds, which allows VM-Series firewalls to refresh the IP addresses for an FQDN at shorter intervals. A shorter refresh time is helpful for VM-Series firewalls in cloud deployments where IP addresses for FQDNs change frequently.
The shorter refresh time, along with the support for using the FQDN of a load balancer in Destination NAT policy (Dynamic IP Address Support for Destination NAT), makes it easier for you to deploy the Amazon ELB service and any other FQDN-based load balancer to distribute sessions evenly across more than one IP address.
