03-18-2026 04:45 PM
Subject: Mechanism to prevent pairing to Microsoft Azure Network Adapter (MANA) for VM-Series and AIRS Firewalls to avoid throughput degradation.
Microsoft is rolling out the new Microsoft Azure Network Adapter (MANA) hardware across existing Azure VM sizes families. While MANA is designed to enhance performance for modern workloads, certain versions of the Palo Alto Networks VM-Series firewall are not yet fully optimized for this hardware.
On all PAN-OS versions below 12.1.5, if VM-Series instances are paired with MANA NICs the instance will default to the mmap synthetic path rather than the high-performance DPDK (Data Plane Development Kit) driver. This pairing can occur to any VMs that are stop-deallocated and restarted or redeployed.
Critical Impact: This fallback can result in a 50% or greater reduction in maximum firewall throughput, significantly impacting the performance of your security infrastructure.
To maintain current performance levels and prevent an automatic transition to the synthetic path for stop-deallocated and restarted or redeployed VMs, customers on affected versions must opt-out of MANA NIC eligibility for their instances. Please refer to FAQs provided by Microsoft https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-mana-network-virtual-... for further details.
To take full advantage of MANA hardware and Azure Boost performance benefits without degradation, Palo Alto Networks recommends:
03-23-2026 10:55 AM
will this affect VM Panoramas and VM Log Collectors on Azure as well? If not, why only the VM Firewalls. I have a customer that uses Azure and these two questions will be asked.
03-24-2026 06:33 AM
Do you use accelerated networking on the VM Panoramas and VM Log Collectors? If not, then those VMs wouldn't/shouldn't be in-scope from my understanding of this situation. That's my scenario at least. We only enable accelerated networking on our firewall data interface(s).
03-24-2026 11:34 AM
For those of you out there waiting for the 12.1 track to become a preferred track, you should pay close attention to the Microsoft article linked in the original post. Specifically, the fact that the tag opting out will only be recognized until the end of September 2026.
"The tag will be usable until the end of September 2026. After this time, the systems will be updated to ignore the tag, allowing the NVAs to be deployed on MANA-enabled hardware."
04-14-2026 08:42 PM
For me did not work it. I'm with 12.1.5 and when I associated/map the NIC to the interfaces and restarting VM for take the changes, the VM did not upload and some reboots were launched automatically in loop until the Maintance mode menu appears on cli console. When we unassigned NICs in azure and restarted VM, it works.
I cannot find the solution.
04-15-2026 08:13 AM
Could you please create TAC ticket for this, we'd like to investigate.
04-22-2026 04:05 PM
During our weekly call with PAN this week I was informed that Microsoft has no longer made Sep 2026 the deadline. Have you heard the same?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
.png){kind=link}