Virtualization Features
New Virtualization Features Description
VM-Series Firewall Performance Enhancements and Expanded Model Line
This feature introduces improved performance, capacity, and efficiency for all VM-Series firewalls, including three new VM-Series models: VM-50, VM-500, and VM-700. The VM-Series model lineup now covers a wide variety of firewalls—from small optimized firewalls in resource-constrained environments to large, high-performance firewalls for deployment in a diverse range of Network Function Virtualization (NFV) use cases. You can also leverage the expanded range of VM-Series models, coupled with the flexibility and per-tenant isolation of VM-Series models, to deploy multi-tenant solutions.
VM-50 Firewall—A virtual firewall with an optimized compute resource footprint. This firewall is ideal for use in virtual customer premises equipment (vCPE) and high-density multi-tenancy solutions for managed security service providers (MSSP).
VM-500 and VM-700 Firewalls—When utilizing a larger compute resource footprint, these virtual firewalls provide high performance and capacity. The VM-500 and VM-700 firewalls are ideal in NFV use cases for service provider infrastructure and data center roles.
VM-100, VM-200, VM-300, VM-1000-HV Firewalls—Existing VM-Series models now feature increased performance, capacity, and efficiency when compared to the same compute resources in earlier release versions. This release also consolidates the VM-200 with the VM-100 and the VM-1000-HV with the VM-300, which means that the VM-100 and VM-200 are now functionally identical, as are the VM-300 and VM-1000-HV. In addition, VM-Series firewall models are now distinguished by session capacity and the maximum number of effective vCPU cores (instead of only session capacity).

CloudWatch Integration for the VM-Series Firewall on AWS
VM-Series firewalls on AWS can now natively send PAN-OS metrics to AWS CloudWatch for advanced monitoring and auto-scaling policy decisions. The CloudWatch integration enables you to monitor the capacity, health status, and availability of the firewalls with metrics such as total number of active sessions, GlobalProtect gateway tunnel utilization, or SSL proxy utilization, so that the security tier comprising the VM-Series firewalls can scale dynamically when your EC2 workloads scale in response to demand.

Seamless VM-Series Model Upgrade
This release introduces seamless license capacity upgrades of the VM-Series firewall. If a tenant’s requirements increase, you can upgrade the capacity to accommodate the changes with minimal traffic and operation disruption. Additionally, VM-Series firewalls now support HA synchronization between VM-Series firewalls of different capacities during the upgrade process.

VM-Series NSX Integration Configuration through Panorama
The new Panorama VMware NSX plug-in streamlines the process of deploying the VM-Series firewall for NSX and eliminates the duplicate effort in defining the security-related configuration on both Panorama and the NSX Manager or vCenter server. Panorama now serves as the single point of configuration that provides the NSX Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. When you commit the NSX configuration, Panorama generates a security group in the NSX environment for each qualified dynamic address group and pushes each steering rule it generates to the NSX Manager. The NSX Manager uses the steering rules to redirect traffic from the virtual machines belonging to the corresponding NSX security group. Starting with version 8.0.5, Panorama supports VMware NSX plug-in version 2.0.0, which allows you to manage up to 16 NSX Managers using a single Panorama server instead of one Panorama server per NSX Manager.

Support for NSX Security Tags on the VM-Series NSX Edition Firewall
The VM-Series firewall can now dynamically tag a guest VM with NSX security tags to enable immediate isolation of compromised or infected guests. The universally unique identifier of a guest VM is now part of the Traffic and Threat logs on the firewall. By leveraging threat, antivirus, and malware detection logs on the VM-Series firewall, NSX Manager can place guests in a quarantined security group to prevent lateral movement of the threat in the virtualized data center environment.

New Serial Number Format for the VM-Series Firewall
The serial number format for the VM-Series firewall now displays the name of the hypervisor on which the firewall is deployed so that you can consistently identify the firewalls for license management, and content and software updates. The new format is 15 characters in length, numeric for the bring your own license (BYOL) model, and alphanumeric for the Marketplace models (Bundle 1 or Bundle 2) available in public cloud environments. As part of this change, VM-Series firewalls in AWS now support longer instance ID formats.

VM-Series Bootstrapping with Block Storage
You can now bootstrap the VM-Series firewall in ESXi, KVM, and Hyper-V using block storage. This option provides a bootstrapping solution for environments where mounting a CD-ROM is not supported.

VM-Series License Deactivation API Key
To deactivate a VM-Series license, you must first install a license deactivation API key on your firewall or Panorama. The deactivation API key provides an additional layer of security for communications between the Palo Alto Networks Update Server and VM-Series firewalls and Panorama. The PAN-OS software uses this API key to authenticate with the update and licensing servers. The API key is available through the Customer Support Portal to administrators with superuser privileges.

Support for VM-Series on Azure Government and Azure China
Azure Government is a public cloud platform for U.S. government and public sector agencies. The VM-Series firewall on Azure now provides the same robust security features in Azure Government as in the Azure public cloud. On the Azure Government Marketplace, the VM-Series firewall is only available as a bring your own license (BYOL) option because the Azure Government Marketplace does not support pay-as-you-go (PAYG). The VM-Series firewall is also available as a BYOL option on the Azure China marketplace.
