Learn about the VM-Series plugin for VM-Series firewalls and Panorama.
The VM-Series firewall now supports the VM-Series plugin—a built-in plugin architecture for integration with public clouds or private cloud hypervisors. You can upgrade the VM-Series plugin independent of PAN-OS, which enables accelerated releases of new features, fixes, and new integrations with public clouds or private hypervisors.
The VM-Series plugin manages cloud-specific interactions between the VM-Series firewalls and public clouds (such as Google Cloud Platform (GCP), Azure, and AWS) and private cloud hypervisors (such as KVM and ESXi). Some of the capabilities that the plugin enables include bootstrapping, configuring user credential provisioning information from public cloud environments, seamless updates for cloud libraries or agents on PAN-OS, and publishing custom metrics to cloud monitoring services such as AWS CloudWatch.
The VM-Series plugin is part of PAN-OS, which means that you can upgrade or downgrade the plugin but you cannot remove it. You can configure the VM-Series plugin locally on your virtual firewall, or you can manage the plugin configuration centrally from Panorama. The VM-Series plugin is optional on Panorama so you must install it manually if you want to centrally configure plugins. See the following topics for a comparison of old and new functionality, and the plugin upgrade details.
VM-Series Plugin on the VM-Series Firewall
On the VM-Series firewall, the VM-Series plugin is automatically installed during a new VM-Series 9.0 installation or an upgrade from PAN-OS 8.1 to PAN-OS 9.0. You can view the VM-Series plugin version on the Dashboard or from
In previous releases, you configured integrations for AWS CloudWatch or Google Stackdriver Monitoring from
. Starting in PAN-OS 9.0, you configure the integration from the
node, as shown in the VM-Series firewall comparison below.
In the PAN-OS 9.0 screenshot, the VM-Series node is selected and a tab displays the public cloud hosting the VM-Series firewall (Google) along with the configuration settings for the plugin (Stackdriver Monitoring).
VM-Series Plugin on Panorama
If you want Panorama to manage the VM-Series plugin on your managed firewalls, you must install the VM-Series plugin manually.
- If your Panorama installation running PAN-OS 8.1 does not have any integrations configured when you upgrade to PAN-OS 9.0, the VM-Series plugin will not be installed. However, you can manually install the plugin from.PanoramaPlugins
- If your Panorama installation running PAN-OS 8.1 has an existing plugin configuration, the VM-Series plugin is automatically installed when you upgrade to PAN-OS 9.0. For example, if you configured AWS CloudWatch in PAN-OS 8.1.3, the upgrade to PAN-OS 9.0 will migrate your legacy integration to the VM-Series plugin.
You can view the versions for all plugins on the Panorama
In previous releases, you configured cloud integrations in Panorama from
. If the VM-Series plugin is installed, you can view all the cloud platform integrations from
The following screenshot contrasts Panorama running PAN-OS 8.1 versus PAN-OS 9.0. In PAN-OS 8.1, the
Operationstab shows AWS, Google, and Azure configuration panes. In PAN-OS 9.0,
displays each cloud configuration on a separate tab.
Whenever we release a new VM-Series plugin version, you must manually upgrade the VM-Series plugin independent of a PAN-OS or Panorama update.
Because the VM-Series plugin manages multiple cloud integrations, a new plugin version might not apply to the public cloud integrations you are using. For example, if a VM-Series plugin update release contains fixes for AWS only, upgrade only your VM-Series firewalls on AWS—do not update the plugin on VM-Series firewalls in other clouds.
Refer to the release notes and install only those upgrades that are pertinent to your configuration.
Recommended For You
Recommended videos not found.