What’s New in VM-Series Plugin 2.0.1

The VM-Series plugin version 2.0.1 introduces the following new features:

AWS Active-Passive High Availability Using Secondary-IP

You can now configure active-passive high availability on the VM-Series firewall on AWS that moves a secondary IP address from the failed firewall to the new active upon failover. Secondary-IP HA allows you to take advantage of DPDK to improve the performance of your VM-Series firewall instances. AWS does not support movement of Elastic Network Interfaces (ENI) with DPDK enabled; by moving a secondary IP address instead of an ENI, you can enable DPDK on your interfaces. Additionally, secondary-IP HA provides shorter failover times compared to interface-move HA. Failover triggers API calls to the AWS infrastructure to move the configured secondary IP addresses from the dataplane interfaces of the failed peer to itself. Additionally, AWS updates the route tables to ensure that traffic is directed to the active firewall instance. These two operations ensure that inbound and outbound traffic sessions are restored after failover.

Basic Configuration with User Data for Bootstrapping

A basic configuration is a minimal configuration that enables you to launch, license, and register the VM-Series firewall, and connect with Panorama, if applicable. Bootstrapping with user data is an alternative way to bootstrap a basic configuration. Instead of creating a bootstrap package and an init-cfg.txt file to provide bootstrap configuration parameters, you enter them as key-value pairs directly into the AWS or GCP user interface when you launch a VM-Series firewall. Azure has a similar process with which you provide the bootstrap parameters in a template or other text file accessed from the Azure CLI.
You can enter any of the key-value pairs you ordinarily put in an init-cfg.txt file, and you can also enter
values (which are normally configured from the CLI) as user data. Some use cases for using bootstrapping with user data are: test deployments, one-off deployments, or short-term deployments.
Each cloud has a different term for user data, and uses different separators between bootstrap parameters.
  • AWS User Data—Input key-value pairs into the User Data field, separated by a semicolon, or a newline (\n).
  • Azure Custom Data— Use a template or the CLI to pass the bootstrap parameters. Use a semicolon to separate key-value pairs.
  • GCP Metadata—In the Metadata for the instance, add each key value pair. In the CLI, if you are calling a text file, put each key-value pair on a new line (\n).

VLAN Access Mode with SR-IOV

When you bootstrap the VM-Series firewalls on KVM, you can include the new bootstrap parameter
in the init-cfg.txt file.
Requires PAN-OS 9.1.5 and later, or 10.0.1 and later.


DPDK is the default packet-io mode for all newly deployed VM-Series firewalls with VM Series Plugin 2.0.1 on AWS. If HA is enabled on a vm-series firewall, the default HA mode is Secondary IP Move. Interface Move is still supported but you must first disable DPDK and change failover mode to interface-move using the command
request plugins vm_series aws ha failover-mode interface-move
before configuring HA. If your VM-Series firewalls are deployed using bootstrapping and you are using interface move HA, you can add
to the init-cfg.txt file to deploy the firewall with DPDK disabled.

Recommended For You