This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

CUSTOMER ADVISORY: Required Action for Azure hosted VM-Series & AIRS Instances

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

CUSTOMER ADVISORY: Required Action for Azure hosted VM-Series & AIRS Instances

vsivetskiy
L0 Member

‎03-18-2026 04:45 PM

Subject: Mechanism to prevent pairing to Microsoft Azure Network Adapter (MANA) for VM-Series and AIRS Firewalls to avoid throughput degradation.

Overview

Microsoft is rolling out the new Microsoft Azure Network Adapter (MANA) hardware across existing Azure VM sizes families. While MANA is designed to enhance performance for modern workloads, certain versions of the Palo Alto Networks VM-Series firewall are not yet fully optimized for this hardware.

The Issue

On all PAN-OS versions below 12.1.5, if VM-Series instances are paired with MANA NICs the instance will default to the mmap synthetic path rather than the high-performance DPDK (Data Plane Development Kit) driver. This pairing can occur to any VMs that are stop-deallocated and restarted or redeployed.

Critical Impact: This fallback can result in a 50% or greater reduction in maximum firewall throughput, significantly impacting the performance of your security infrastructure.

Affected Configurations

  • Platform: Azure VM-Series and AIRS (AI Runtime Security) instances.
  • Software: Any PAN-OS version lesser than 12.1.5.
  • Hardware: Any instance recently migrated by Azure to MANA-capable hardware (typically indicated by the presence of a MANA Virtual Function in the guest OS).

Required Action

To maintain current performance levels and prevent an automatic transition to the synthetic path for stop-deallocated and restarted or redeployed VMs, customers on affected versions must opt-out of MANA NIC eligibility for their instances. Please refer to FAQs provided by Microsoft https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-mana-network-virtual-... for further details.

Long-term Resolution

To take full advantage of MANA hardware and Azure Boost performance benefits without degradation, Palo Alto Networks recommends:

  • Upgrading to PAN-OS 12.1.5 or higher, which includes native support for MANA NICs via optimized DPDK drivers.
3 people had this problem.
(2)
7 REPLIES 7

zahmed01
L2 Linker

‎03-23-2026 10:55 AM

will this affect VM Panoramas and VM Log Collectors on Azure as well? If not, why only the VM Firewalls. I have a customer that uses Azure and these two questions will be asked. 

Customer Success Engineer, NGFW
0 Likes Likes

BenNikkel
L0 Member
In response to zahmed01

‎03-24-2026 06:33 AM

Do you use accelerated networking on the VM Panoramas and VM Log Collectors? If not, then those VMs wouldn't/shouldn't be in-scope from my understanding of this situation. That's my scenario at least. We only enable accelerated networking on our firewall data interface(s).

0 Likes Likes

Mrhall
L0 Member

‎03-24-2026 11:34 AM

For those of you out there waiting for the 12.1 track to become a preferred track, you should pay close attention to the Microsoft article linked in the original post. Specifically, the fact that the tag opting out will only be recognized until the end of September 2026. 

 

"The tag will be usable until the end of September 2026. After this time, the systems will be updated to ignore the tag, allowing the NVAs to be deployed on MANA-enabled hardware."

 

 

 

0 Likes Likes

ePANGMS
L0 Member

‎04-14-2026 08:42 PM

For me did not work it. I'm with 12.1.5 and when I associated/map the NIC to the interfaces and restarting VM for take the changes, the VM did not upload and some reboots were launched automatically in loop  until the Maintance mode menu appears on cli console. When we unassigned NICs in azure and restarted VM, it works. 

I cannot find the solution. 

 

Preview file
58 KB
0 Likes Likes

vsivetskiy
L0 Member
In response to ePANGMS

‎04-15-2026 08:13 AM

Could you please create TAC ticket for this, we'd like to investigate.

0 Likes Likes

BenNikkel
L0 Member
In response to Mrhall

‎04-22-2026 04:05 PM

During our weekly call with PAN this week I was informed that Microsoft has no longer made Sep 2026 the deadline. Have you heard the same?

0 Likes Likes

cerberus
L0 Member

‎05-05-2026 07:56 AM

Mini Update: After speaking with MSFT the following has been communicated via Account Management Channels. 

[Important Note] This communication has not yet been reflected on MSFT portal hence the older dates (seen in FAQs sections etc) are now superseded  by the following  . . . . 

[Start]

Following our previous communication on April 17th, we are providing an update on the planned deployment of the Microsoft Azure Network Adapter (MANA) for existing VM families.
 
This message relates to the following VM families: Dsv5, Dv5, Ddsv5, Ddv5, Dlsv5, Dldsv5, Esv5, Ev5, Edsv5, Edv5, Ebsv5, Ebdsv5, Dsv4, Dv4, Ddsv4, Ddv4, Esv4, Ev4, Edsv4, Edv4, Dsv3, Dv3, Esv3, Ev3, Bsv2, Dv2, Dsv2, Av2, Fsv2, Fs, F, G, GS, Ls. In addition, the following Cobalt 100-based VM families are now included: Dpsv6, Dpdsv6, Dplsv6, Dpldsv6, Epsv6, Epdsv6.
 
Previously, we stated that customers should prepare for MANA enablement as documented.  The ‘opt-out’ mitigation is another path but is a temporary option.
 
Customers now have until July 31, 2026 to update to an OS with the MANA driver, migrate to a product version that supports MANA, or apply the opt-out mitigation. Starting August 1, 2026, any of the VMs listed above may be deployed on MANA-capable hardware unless they have gone through the opt out mitigation.  At this time, the VM instances must go through the stop/deallocate/start process to enable the tag. We are working on a solution where customers will be able to use reapply instead.  We will provide a communication via email when this solution is available.  Timing for this is estimated in the next 3-4 weeks.
 
Workloads that have already been tagged via the ‘opt-out’ mitigation and redeployed will continue to work normally. Workloads that have only been tagged should follow the process here prior to August 1st.
 
The opt-out mitigation will sunset on May 31, 2027. Beginning June 1, 2027, all VMs listed above, regardless of tagging, may be deployed on MANA-capable hardware.
These timelines apply to Azure public cloud only; non-public cloud dates will be announced later.
 
We will provide a formal email communication in mid-May to all customers using these VMs.
 
Key Dates:
  • July 31, 2026 – Customers should update to an OS with the MANA driver, migrate to a product version that supports MANA, or apply the opt-out mitigation.  As of August 1, 2026, any of the above VMs which have not been opted out may run on MANA-capable hardware.
  • May 31, 2027 – The opt-out mitigation will sunset.  Any of the above VMs may run on MANA-capable hardware starting June 1st, 2027.

[End] 

So the question now becomes which version of PAN-OS 12.1.x 

  • 12318 Views
  • 7 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks