Virtualization Features

Describes all the exciting new capabilities in PAN-OS® 10.2 for the VM-Series and CN-Series firewall.
New Virtualization Feature | Description
CN-Series Firewall as a Kubernetes CNF
You can now deploy the Palo Alto Networks Container Native Firewalls (CN-Series) as a Container Network Function (CNF) to protect containerized as well as non-containerized workloads. This is a new deployment mode for the CN-Series firewall that augments the previously released CN-Series-as-a-daemonset and CN-Series-as-a-Kubernetes-service deployment modes, which were limited to protecting only container workloads.
Deploying the CN-Series-as-a-Kubernetes-CNF allows customers to run CN-Series in Layer-3 mode. This enables customers to steer traffic to CN-Series even from non-containerized sources. You can build resilient network security by deploying CN-Series in an HA pair. In the CNF mode of deployment, you can take advantage of I/O acceleration techniques such as DPDK and SR-IOV to boost firewall performance.
High Availability Support for CN-Series Firewall as a Kubernetes CNF
You can now deploy the CN-Series as a Kubernetes CNF in High Availability (HA) mode. This deployment mode currently supports active/passive HA with session and configuration synchronization.
DPDK Support for CN-Series Firewall
The Kubernetes CNF mode of CN-Series now supports Data Plane Development Kit (DPDK) and allows the application pods to use DPDK. DPDK provides a simple framework for fast packet processing in dataplane applications.
You can set up DPDK on on-premises worker nodes and on AWS EKS clusters.
Daemonset (vwire) IPv6 Support
Using the Daemonset mode, you can now secure the interfaces of application pods that have IPv6 addresses.
L3 IPv4 Support for CN-Series
With the Kubernetes CNF, CN-Series now supports L3 Policy Based Routing (PBR) with IPv4 addresses. The IP addresses for the interfaces in a Kubernetes environment are typically programmed through the CNI using DHCP.
IPv6 DAG Plugin Support (Kubernetes 3.0.0 Plugin)
With the Kubernetes 3.0.0 plugin, you can now validate service account files, view detailed dashboards, push IP addresses for tags used in Security Policies (Tag Pruning), and retrieve IPv6 addresses that can be used in a Multus CNI setup.
47 Dataplane Cores Support for VM-Series and CN-Series Firewalls
Starting with PAN-OS 10.2, the VM-Series and CN-Series firewalls support a maximum of 47 dataplane cores, an increase from the previous maximum of 31.
For VM-Series, if you have NUMA performance optimization enabled with a custom dataplane core setting, the NUMA settings take precedence.
Elastic Memory Profile
Beginning with PAN-OS 10.2, the maximum number of sessions and capacity supported on an individual VM-Series firewall scales with the increase in the amount of memory allocated to the VM-Series instance.