Virtualization Features
Focus
Focus

Virtualization Features

Table of Contents
End-of-Life (EoL)

Virtualization Features

Describes all the exciting new capabilities in PAN-OS® 9.2 for the VM-Series firewall.
New Virtualization FeaturesDescription
Containerized Next-Generation Firewall for Securing Kubernetes Deployments
As you adopt Kubernetes and containers for application development and operational agility, you can now automate the deployment of the next-generation firewalls in environments such as OpenShift, native Kubernetes, GKE, AKS, or EKS, using native Kubernetes constructs. The CN-Series firewall is the containerized form factor of the next-generation firewall that provides complete Layer 7 visibility, application-level segmentation, and protection from advanced threats for traffic going between trust zones in public cloud or data center environments. The containerized form factor has a distributed PAN-OS architecture with CN-Mgmt and CN-NGFW pods that integrate into your CI/CD pipeline and help you secure traffic going from containerized applications running in Kubernetes clusters to VMs, bare metal servers, or to other containerized applications.
The CN-Series firewall requires Panorama and the Kubernetes plugin on Panorama to enable centralized management, licensing, and security policy enforcement. Panorama and the CN-Series firewall use the Kubernetes APIs for a tight integration whereby the CN-NGFW pods that you deploy as a DaemonSet, use CNI-chaining for integrating into the container namespace and retrieve Kubernetes labels for enabling metadata-driven policies with dynamic address groups in Security policy.
Automatic Site License Activation on the VM-Series Firewalls with Pay-As-You-Go (PAYG)
To support the automatic license activationworkflows for VM-Series use cases such as bootstrapping and autoscaling, the site licenses for AutoFocus and Cortex Data Lake can now be automatically activated for the Pay-as-you-go (PAYG) marketplace firewalls. With the support for enterprise wide (site) licenses on the VM-Series PAYG firewalls, these firewalls can now access the cloud-based threat intelligence service (AutoFocus) and logging infrastructure (Cortex Data Lake) within your enterprise. When you provide the auto-registration pin ID and value as part of the bootstrapping process, the firewall is automatically registered to the Customer Support Account so that it can retrieve the site licenses that have already been registered on the Customer Support Portal. You can also manually retrieve the license directly on the firewall.
Panorama Support for Multiple IP-Tag Sources
Panorama now supports security policies within the same device group for multiple IP-tag sources, such as AWS, VMware NSX, and Cisco TrustSec plugins. If you have Panorama monitoring VMs in multiple cloud environments or receiving IP-tags from other sources, you can now aggregate and push them to the appropriate device groups.
vMotion Support for the VM-Series Firewall on VMware ESXi and VMware NSX-T
(Available with PAN-OS 10.0.1 and later releases)
You can now use VMware’s vMotion functionality to move the VM-Series firewall deployed in ESXi or NSX-T without impacting active traffic sessions.
Traffic Inspection for Pods with Multiple Network Interfaces using Multus CNI
(Available with PAN-OS 10.0.1 and later releases)
In OpenShift deployments where application pods have multiple interfaces, you can configure the CN-Series firewall to inspect traffic from all the interfaces or a selected number of interfaces. To secure traffic going through secondary interfaces on a multi-homed pod, the Multus container networking interface (CNI) is required with a bridge-based connection to the additional networks.
5G-Native Security on CN-Series
(Available with PAN-OS 10.0.3 and later releases)
To secure the highly distributed 5G networks, including edge clouds and across multi-vendor and multi-cloud environments, you can enable network slice security, equipment ID security, and subscriber ID security on the CN-Series. Security policy rules and correlation based on 5G network slice, equipment ID, and subscriber ID are supported. You can also enable RAN-based security with SCTP and GTP Security for 5G user-plane tunnel content inspection and threat prevention.
The CN-Series firewall is supported on VMWare's VMware Tanzu Kubernetes Grid (TKG) platform with the Intel x710, macvlan and Multus CNI's available as part of TKG - SR-IOV.
Tagged VLAN Traffic Inspection on CN-Series
(Available with PAN-OS 10.0.4 and later releases)
You can now configure the CN-Series firewall to inspect tagged VLAN traffic on your containerized network.
Overlay Routing for the VM-Series Firewall Integrated with the AWS Gateway Load Balancer
(Available with PAN-OS 10.0.5 and later releases)
You can now Enable Overlay Routing for the VM-Series on AWS integrated with Gateway Load Balancer. Using overlay routing in your VM-Series firewall integration the AWS GWLB allows you to use two-zone policy to inspect traffic leaving (egressing) your AWS environment.