Who rated this post

Subject: Mechanism to prevent pairing to Microsoft Azure Network Adapter (MANA) for VM-Series and AIRS Firewalls to avoid throughput degradation.

Overview

Microsoft is rolling out the new Microsoft Azure Network Adapter (MANA) hardware across existing Azure VM sizes families. While MANA is designed to enhance performance for modern workloads, certain versions of the Palo Alto Networks VM-Series firewall are not yet fully optimized for this hardware.

The Issue

On all PAN-OS versions below 12.1.5, if VM-Series instances are paired with MANA NICs the instance will default to the mmap synthetic path rather than the high-performance DPDK (Data Plane Development Kit) driver. This pairing can occur to any VMs that are stop-deallocated and restarted or redeployed.

Critical Impact: This fallback can result in a 50% or greater reduction in maximum firewall throughput, significantly impacting the performance of your security infrastructure.

Affected Configurations

• Platform: Azure VM-Series and AIRS (AI Runtime Security) instances.
• Software: Any PAN-OS version lesser than 12.1.5.
• Hardware: Any instance recently migrated by Azure to MANA-capable hardware (typically indicated by the presence of a MANA Virtual Function in the guest OS).

Required Action

To maintain current performance levels and prevent an automatic transition to the synthetic path for stop-deallocated and restarted or redeployed VMs, customers on affected versions must opt-out of MANA NIC eligibility for their instances. Please refer to FAQs provided by Microsoft https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-mana-network-virtual-... for further details.

Long-term Resolution

To take full advantage of MANA hardware and Azure Boost performance benefits without degradation, Palo Alto Networks recommends:

• Upgrading to PAN-OS 12.1.5 or higher, which includes native support for MANA NICs via optimized DPDK drivers.