Protecting your applications and data from threats and data theft.
Introducing VM-Series on the Oracle Cloud Marketplace
Palo Alto Networks is proud to announce the availability of our VM-Series virtual next-generation firewalls on Oracle Cloud Marketplace. Oracle Cloud customers can now leverage VM-Series virtual firewalls to prevent advanced threats from penetrating the perimeter of their OCI environment, segment their cloud workloads, and improve visibility into their mission-critical applications, such as Oracle E-Business Suite applications, PeopleSoft, Hyperion, and JD Edwards, as they migrate to Oracle Cloud. The VM-Series in Oracle Cloud supports the Bring Your Own License (BYOL) model, making it easy to acquire.
The Palo Alto Networks VM-Series firewall is the virtualized form factor of the industry-leading Palo Alto Networks Next-Generation firewall. VM-Series virtual firewalls can be deployed in a range of private and public cloud computing environments to prevent inbound threats, stop data exfiltration, and prevent lateral movement attacks. The VM-Series on Oracle Cloud natively analyzes all network traffic in a single pass to determine application, content and user identity. The application, content, and user context are used as core elements of your network security policy and for visibility, reporting, and incident investigation. The advanced security services available on VM-Series virtual firewalls provide best-in-breed threat protection, to secure your critical applications from both known and unknown threats, including zero-day attacks.
As you move your applications and data to Oracle Cloud, the VM-Series firewall on Oracle Cloud enables you to maintain a consistent network security posture between your Oracle Cloud environment, other public cloud environments you may use, and your on-prem or private cloud environments. Network security practitioners can manage their network security posture across all of these infrastructures from a single management console.
VM-Series on Oracle Cloud also supports the resilient firewall design of deploying two firewalls in a stateful highly available Active-Passive configuration. In a high availability configuration, a pair of firewalls share configuration and state information that allows the second firewall to take over for the first when a failure occurs, enabling seamless failover. You can also implement resiliency on Oracle Cloud for firewall-protected inbound traffic by deploying a pool of VM-Series virtual firewalls behind an external load balancer.
You can deploy four VM-Series virtual firewall flavors on OCI; the minimum OCI shape required for each flavor is listed below (the flavor names are not preserved on this page):
Minimum OCI shape per flavor:
VM.Standard2.4 and above
VM.Standard2.4 and above
VM.Standard2.8 and above
VM.Standard2.8 and above
You can find additional resources and deployment guides below:
VM-Series on Oracle Cloud Marketplace
Deploy the VM-Series Firewall on Oracle Cloud
Configure the VM-Series Firewall in Active/Passive HA on Oracle Cloud
Oracle A-Team: HA Deployment of VM-Series on OCI
Oracle A-Team: VM-Series on OCI Hub & Spoke Architecture Overview
VM-Series Now Integrates with GCP Packet Mirroring
Announcing New VM-Series Integration with Google Cloud Packet Mirroring Service
Google Cloud announced the general availability of Packet Mirroring, a service that copies the traffic of selected instances in your Virtual Private Clouds (VPCs) to a collector for troubleshooting and security analysis. Because the copy is taken by the VPC network rather than by an agent on the workload, it is a non-intrusive way to monitor traffic to and from your Compute Engine instances and Google Kubernetes Engine (GKE) nodes.
Palo Alto Networks has built integration of our VM-Series Virtualized Next-Generation Firewall with the new Google Cloud Packet Mirroring service. The VM-Series is the industry-leading virtualized firewall protecting your applications and data with next-generation security features that deliver superior visibility, precise control, and threat prevention at the application level.
The VM-Series virtual firewall on Google Cloud deployed out of band now supports two critical security outcomes:
Granular visibility into application traffic and detection of network-borne threats through inspection of mirrored traffic.
Rapid detection and response against advanced attacks using an AI-driven approach, such as Cortex by Palo Alto Networks.
Application visibility and threat detection
The VM-Series virtual firewall on Google Cloud can analyze, filter, and process the raw traffic available through the Packet Mirroring service within Google Cloud and provide contextually rich application, content, and threat information. The need for extracting data out of Google Cloud for further processing is eliminated, saving cost and providing deep insight into network traffic. Based on this more in-depth inspection, customers can choose to enable alerts for a wide range of security issues, including:
High priority security alerts – Attacks using known exploits, for example an attempt to exploit CVE-2017-5638 against Apache Struts-based web servers running in Google Cloud. Because the firewall sees only a mirrored copy of the traffic, it cannot drop the offending packets inline; in this deployment it is acting as an intrusion detection system (IDS), and any blocking has to be driven by the alert workflow described below.
Traffic to inappropriate or malicious destinations and command-and-control systems – Detect whether a source or destination is inappropriate or malicious: a geo-blocking restriction that is being violated, Bitcoin traffic, or an SSH session to a known command-and-control (C2) domain.
Because these detections land in the firewall's logs, you can filter for specific events and, with Action-Oriented Log Forwarding over HTTP(S), fire a webhook for each match. The webhook can create a ticket in a service desk or a security orchestration, automation and response (SOAR) tool such as Demisto, or launch a Google Cloud Function that quarantines the workload by shutting down the instance or locking down the firewall rule.
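The following is an added example of the decision logic such a Cloud Function could run on a forwarded threat log; it is not code from Palo Alto Networks or Google. It assumes the firewall's HTTP server profile is configured with a payload format that emits a JSON object with type, severity, threatid, src and dst fields, and that it sends a shared secret in a header named X-Panw-Webhook-Token; the header name, the protected ranges and the IP-to-instance inventory are constructed for the example. The call that actually stops the instance (a wrapper around the Compute Engine instances.stop API) is injected as a callable so that the logic runs and can be tested offline.

```python
import hmac
import ipaddress
import json
from dataclasses import dataclass

# Assumed deployment conventions (not PAN-OS or Google defaults): the HTTP
# server profile on the firewall sends this header with a shared secret, and
# its payload format emits a JSON object with the fields parse_payload checks.
AUTH_HEADER = "X-Panw-Webhook-Token"
SHARED_SECRET = b"replace-with-a-long-random-value"

# Internal ranges whose VMs this function may quarantine (constructed values).
PROTECTED_RANGES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed inventory: internal IP -> (zone, instance name). In production
# this lookup would go to the Compute Engine API, not a static table.
INVENTORY = {
    "10.10.1.5": ("us-central1-a", "web-struts-01"),
    "10.10.2.9": ("us-central1-b", "batch-worker-03"),
}

# Only high-impact threat logs trigger an automatic stop; everything else is
# left to the ticket / SOAR path so a low-severity false positive cannot take
# a workload down.
QUARANTINE_SEVERITIES = {"critical", "high"}
REQUIRED_FIELDS = {"type", "severity", "threatid", "src", "dst"}


@dataclass
class Plan:
    action: str      # "stop", "ignore" or "reject"
    reason: str
    zone: str = ""
    instance: str = ""


def parse_payload(raw):
    """Decode the forwarded log; None if it is not the JSON shape we expect."""
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(body, dict) or not REQUIRED_FIELDS.issubset(body):
        return None
    return body


def protected_host(text):
    """Return the address if it is a valid IP inside a protected range."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return text if any(ip in net for net in PROTECTED_RANGES) else None


def decide(body):
    """Map one threat log to a quarantine decision (pure function, no side effects)."""
    if str(body["type"]).lower() != "threat":
        return Plan("ignore", "not a threat log")
    severity = str(body["severity"]).lower()
    if severity not in QUARANTINE_SEVERITIES:
        return Plan("ignore", f"severity {severity} below threshold")
    # Inbound exploit: the victim is dst. C2 beaconing: the infected VM is src.
    victim = protected_host(body["dst"]) or protected_host(body["src"])
    if victim is None:
        return Plan("ignore", "no endpoint in a protected range")
    if victim not in INVENTORY:
        return Plan("ignore", f"no instance known for {victim}")
    zone, name = INVENTORY[victim]
    return Plan("stop", f"{body['threatid']} ({severity}) on {victim}", zone, name)


def handle_alert(headers, raw_body, executor):
    """Webhook core. executor(zone, instance) performs the stop (e.g. a wrapper
    around compute.instances().stop()); it is injected so this runs offline."""
    token = str(headers.get(AUTH_HEADER, "")).encode()
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(token, SHARED_SECRET):
        return Plan("reject", "bad or missing webhook token")
    body = parse_payload(raw_body)
    if body is None:
        return Plan("reject", "malformed payload")
    plan = decide(body)
    if plan.action == "stop":
        executor(plan.zone, plan.instance)
    return plan


# Constructed sample: a threat log for an exploit attempt against an internal
# web server, as the assumed payload format would emit it (threatid is a label
# made up for this example, not a real signature name).
SAMPLE_ALERT = json.dumps({
    "type": "THREAT", "severity": "critical", "threatid": "struts-cve-2017-5638-sample",
    "src": "198.51.100.23", "dst": "10.10.1.5", "dport": "8080",
})

if __name__ == "__main__":
    calls = []
    plan = handle_alert({AUTH_HEADER: SHARED_SECRET.decode()}, SAMPLE_ALERT,
                        lambda zone, name: calls.append((zone, name)))
    print(plan, calls)
```

A real Cloud Functions entry point would wrap handle_alert with the request's headers and body and return a 401 for a "reject" plan. The firewall may forward the same event more than once, so the executor should be idempotent (stopping an already stopped instance is harmless), and the function's service account should be limited to the stop permission on the protected project rather than a broad compute role.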
Rapid detection and response against advanced attacks
The VM-Series virtual firewall supports enhanced application logging, which turns the raw packets received from Google Cloud Packet Mirroring into context-aware network activity records and stores them in Palo Alto Networks cloud services, including Cortex Data Lake. Security applications such as Cortex XDR can then apply analytics and machine learning to that data to detect stealthy attacks and speed up investigations. Identified threats can be mitigated through automated response from Demisto and other security orchestration, automation and response tools.
To learn more about VM-Series Integrating with GCP Packet Mirroring, we encourage you to follow these links:
Packet Mirroring Launch Blog
Google Cloud Packet Mirroring Overview
Using Packet Mirroring
VM-Series on Google Cloud
Action-Oriented Log Forwarding Using HTTP(S)
Palo Alto Networks announces the VM-Series Virtual Next-Generation Firewall can now integrate with Amazon Virtual Private Cloud Ingress Routing. Got questions? Get answers on LIVEcommunity!
VM-Series Virtual Next-Generation Firewall can now integrate with Amazon Virtual Private Cloud Ingress Routing
We are excited to announce that the Palo Alto Networks VM-Series Virtual Next-Generation Firewall now integrates with the new Amazon Virtual Private Cloud (Amazon VPC) Ingress Routing feature to more efficiently protect your applications and data from inbound threats coming from the internet.
VM-Series Virtual Firewalls and Amazon VPC
VM-Series virtual firewalls augment native Amazon Web Services (AWS) security groups in your Amazon VPC to protect your web-facing applications with next-generation security features that deliver superior visibility, control, and threat prevention. The VM-Series virtual firewalls apply application-specific threat prevention policies to prevent exploits, malware, and previously unknown threats from compromising applications and exfiltrating data from your AWS environment. With the new integration between the Amazon VPC Ingress Routing feature and VM-Series virtual firewalls, you can now seamlessly insert a VM-Series virtual firewall as a bump-in-the-wire in your greenfield and brownfield VPC environments.
Amazon VPC Ingress Routing
With Amazon VPC Ingress Routing, you can associate a route table with the Internet Gateway (IGW) or Virtual Private Gateway (VGW) and add routes that redirect ingress traffic destined for your application subnets to a third-party appliance, such as the network interface of a VM-Series virtual firewall, before it reaches the final destination. For the firewall to see both directions of a connection, the application subnets' own route tables should send their return traffic back through the firewall as well; otherwise the reply path bypasses inspection. This makes it easier for you to deploy production-grade applications with the security services you require within your Amazon VPC.
Illustration of VM-Series virtual firewall integrated with Amazon VPC Ingress Routing as a bump-in-the-wire in greenfield and brownfield VPC environments.
AWS provides a wide selection of flexible and compelling services, including AWS Lambda, Amazon API Gateway, Amazon Kinesis, and more. You may have created interface endpoints (a.k.a. AWS PrivateLink) in your Amazon VPC to enable your Amazon VPC workloads to privately access these services. Additionally, you may have enabled your on-premises hosts to privately access these AWS services using these interface endpoints via the virtual private gateway in your Amazon VPC.
With the new integration between Amazon VPC Ingress Routing and the VM-Series virtual firewalls, you can now associate a route table with your virtual private gateway and add routes that redirect all ingress traffic for these AWS service endpoints through the firewalls. This redirection ensures that all on-premises traffic accessing these AWS services passes through the firewalls, strengthening your overall security posture.
Illustration of VM-Series virtual firewall integrated with Amazon VPC Ingress Routing to ensure on-premises traffic to Amazon services (Amazon Kinesis) will be filtered by the firewall.
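The most common way an Ingress Routing deployment silently fails is a brownfield subnet whose CIDR was never added to the gateway route table, or whose own default route still points at the IGW so replies skip the firewall. The audit below is an added example, not Palo Alto Networks or AWS code: it reads the JSON that `aws ec2 describe-route-tables` produces and checks, for each protected subnet, that the table associated with the IGW sends the subnet's CIDR to a firewall network interface and that the subnet's default route returns through the firewall. The route-table sample, the gateway and ENI identifiers and the subnet CIDRs are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample of `aws ec2 describe-route-tables` output, trimmed to the
# fields the audit reads. IDs and CIDRs are placeholders, not a real account.
SAMPLE_ROUTE_TABLES = json.dumps({"RouteTables": [
    # Edge association: this table is attached to the IGW (Ingress Routing).
    {"RouteTableId": "rtb-edge", "VpcId": "vpc-1",
     "Associations": [{"GatewayId": "igw-1", "RouteTableId": "rtb-edge"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "10.0.1.0/24", "NetworkInterfaceId": "eni-fw-untrust", "State": "active"}]},
    # Greenfield app subnet: default route returns through the firewall.
    {"RouteTableId": "rtb-app-a", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-app-a", "RouteTableId": "rtb-app-a"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fw-trust", "State": "active"}]},
    # Brownfield app subnet nobody migrated yet: still routes straight to the IGW.
    {"RouteTableId": "rtb-app-b", "VpcId": "vpc-1",
     "Associations": [{"SubnetId": "subnet-app-b", "RouteTableId": "rtb-app-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1", "State": "active"}]},
]})

IGW_ID = "igw-1"
FIREWALL_ENIS = {"eni-fw-untrust", "eni-fw-trust"}   # both arms of the VM-Series (placeholders)
PROTECTED_SUBNETS = {"subnet-app-a": "10.0.1.0/24", "subnet-app-b": "10.0.2.0/24"}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def find_table(tables, key, value):
    """Route table whose association list carries key == value (GatewayId or SubnetId)."""
    for table in tables:
        if any(a.get(key) == value for a in table.get("Associations", [])):
            return table
    return None


def route_target(table, dest):
    """Longest-prefix active route covering dest; returns (prefix, target id) or None."""
    best = None
    for route in table.get("Routes", []):
        if route.get("State") != "active" or "DestinationCidrBlock" not in route:
            continue
        prefix = ipaddress.ip_network(route["DestinationCidrBlock"])
        if prefix.version != dest.version or not dest.subnet_of(prefix):
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            target = (route.get("NetworkInterfaceId") or route.get("GatewayId")
                      or route.get("NatGatewayId") or route.get("InstanceId"))
            best = (prefix, target)
    return best


def audit_ingress_routing(raw, igw_id, protected, firewall_enis):
    """Return a list of findings; empty means every protected subnet is inspected both ways."""
    tables = json.loads(raw)["RouteTables"]
    findings = []
    edge = find_table(tables, "GatewayId", igw_id)
    if edge is None:
        findings.append(f"{igw_id}: no route table associated with the IGW; inbound traffic bypasses the firewall")
    for subnet_id, cidr in protected.items():
        net = ipaddress.ip_network(cidr)
        if edge is not None:
            # Inbound leg: the IGW table must hand the subnet's CIDR to a firewall ENI.
            hit = route_target(edge, net)
            if hit is None or hit[1] not in firewall_enis:
                findings.append(f"{subnet_id}: {igw_id} sends {cidr} to {hit[1] if hit else 'nothing'}, not a firewall ENI")
        table = find_table(tables, "SubnetId", subnet_id)
        if table is None:
            findings.append(f"{subnet_id}: no explicit route table association; check the VPC main route table")
            continue
        # Return leg: the subnet's default route must go back through the firewall.
        back = route_target(table, DEFAULT_ROUTE)
        if back is None or back[1] not in firewall_enis:
            findings.append(f"{subnet_id}: default route goes to {back[1] if back else 'nothing'}, so return traffic bypasses the firewall (asymmetric)")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress_routing(SAMPLE_ROUTE_TABLES, IGW_ID, PROTECTED_SUBNETS, FIREWALL_ENIS):
        print("FINDING:", finding)
```

Run against real output by piping `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc>` into the function with your own gateway, ENI and subnet values. The audit deliberately covers only route tables; it does not check that source/destination checking is disabled on the firewall interfaces (SourceDestCheck in describe-network-interfaces), which is also required for the firewall to forward traffic it did not originate.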
You can now use the Amazon VPC Ingress Routing feature with VM-Series virtual firewalls to improve the security posture of your Amazon VPC. Security is now always turned on for inbound Amazon VPC traffic from the internet and your on-premises environment.
We encourage you to read more about this integration on our TechDocs portal: Overview of HA on AWS.
You may also find more information about AWS on the LIVEcommunity VM-Series on AWS resource page.
We'd love to hear any feedback that you have.
Attention: VM-Series customers. The first PAN-OS Accelerated Feature Release (XFR) is now available. Learn what PAN-OS XFR releases are and which features are in the first ever XFR release. Got questions? Get answers on LIVEcommunity!
PAN-OS 9.0.3 XFR for VM-Series Now Available
We are thrilled to announce the first ever PAN-OS XFR feature release for the VM-Series firewall. You may be asking yourself, what is an “XFR release”? XFR stands for "accelerated feature release." To keep up with the rapid rate of change in public and private cloud environments, we've introduced PAN-OS XFR releases to deliver new VM-Series firewall features more frequently than regular PAN-OS releases can accommodate.
In PAN-OS 9.0.3 XFR, customers using VM-Series to secure AWS C5 or M5 instances and customers using VM-Series to secure Cisco ENCS 5400 environments will see major throughput performance improvements. Customers using (or considering using) VMware NSX-T for micro-segmentation can now augment their east-west traffic security between VMs and containers with threat prevention capabilities from VM-Series.
Here’s a look at the features delivered in PAN-OS 9.0.3 XFR (what each feature delivers and who should care):
Performance Improvements for AWS C5/M5 Instances using DPDK
What it delivers: Support for Intel DPDK on AWS C5/M5 instances to improve throughput performance. Provides throughput improvements of 50-100% to improve the cost-performance ratio for all use cases.
Who should care: Customers using AWS C5 or M5 instances who want to improve performance.
DPDK Support for VM-Series on Cisco ENCS 5400
What it delivers: Support for Intel DPDK on Cisco Enterprise Network Compute System (ENCS) 5400 to improve throughput performance.
Who should care: Customers using Cisco ENCS 5400 who want to improve performance.
VMware NSX-T East-West (Beta)
What it delivers: Beta support for NSX-T East-West use cases. Customers can now secure container East-West (inter-Pod) traffic, build dynamic address group (DAG) based policies on top of NSX-T NSGroups, and manage up to 16 NSX-T environments from a single Panorama. Sign up for the beta here: Registration for Beta VM-Series NSX Beta
Who should care: Customers using NSX-T who want to secure East-West traffic.
You can find the in-depth release notes for PAN-OS 9.0.3 XFR on TechDocs.
Are there any special considerations to be aware of?
Yes. If you upgrade to the PAN-OS 9.0.3 XFR release, you must also upgrade to subsequent PAN-OS XFR maintenance releases until the next regular PAN-OS release is available. There will be PAN-OS XFR maintenance releases that keep PAN-OS XFR releases in sync with regular PAN-OS maintenance releases. All PAN-OS XFR features will be aggregated into the following PAN-OS regular release.
How long will a PAN-OS XFR release be supported?
PAN-OS XFR releases will be supported for 12 months from the date of each release, at which point you must upgrade to the next regular PAN-OS release in order to continue using your XFR features.
PAN-OS XFR Release Upgrade Cadence
Should I upgrade to an XFR release?
If there are specific features of interest in the PAN-OS 9.0.3 XFR release, then you should upgrade. Otherwise, you can remain on your current PAN-OS release cadence.
For any additional questions, please feel free to reach out to your Palo Alto Networks account team.