Palo Alto Networks Compatibility Matrix

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2016-2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies.

Last Revised
December 4, 2024

Table of Contents

Supported OS Releases by Model
Palo Alto Networks Next-Generation Firewalls
Palo Alto Networks Appliances
WF-500 Appliance Analysis Environment Support
Palo Alto Networks PA-7000 Series Cards
Palo Alto Networks PA-5450 Cards
Palo Alto Networks PA-7500 Cards
HA Port and Processor Support
Breakout Port Support

VM-Series Firewalls
VM-Series Firewall Hypervisor Support
Private Cloud Deployments
Public Cloud Deployments
VM-Series Firewall for VMware Cloud on AWS
PacketMMAP and DPDK Drivers on VM-Series Firewalls
SR-IOV Access Mode
PacketMMAP Driver Versions
DPDK Driver Versions
Partner Interoperability for VM-Series Firewalls
Palo Alto Networks Certified Integrations
Partner-Qualified Integrations
VM-Series Plugin
VM-Series Plugin 5.1.x
VM-Series Plugin 5.0.x
VM-Series Plugin 4.0.x
VM-Series Plugin 3.0.x
VM-Series Plugin 2.1.x
VM-Series Plugin 2.0.x
VM-Series Plugin 1.0.x
AWS Regions
Azure Regions
Google Cloud Regions
Alibaba Cloud Regions
VM-Series Firewall Amazon Machine Images (AMI)
PAN-OS Images for AWS GovCloud

CN-Series Firewalls
CN-Series Supported Environments
CN-Series Firewall Image and File Compatibility

Panorama
Panorama Plugins
Cisco ACI
Cisco TrustSec
Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
Cloud Services
Enterprise Data Loss Prevention (DLP)
Panorama Interconnect
IPS Signature Converter
Kubernetes
Clustering Plugin
Network Discovery
Nutanix
OpenConfig
Panorama Software Firewall License Plugin
Public Cloud—AWS, Azure, and GCP
SD-WAN
VMware NSX
VMware vCenter
Zero Touch Provisioning (ZTP)
Compatible Plugin Versions for PAN-OS 10.2
Panorama Management Compatibility
Panorama Hypervisor Support
Device Certificate for a Palo Alto Networks Cloud Service

MFA Vendor Support

Supported Cipher Suites
Cloud Identity Engine Cipher Suites
Cipher Suites Supported in PAN-OS 11.2
PAN-OS 11.2 GlobalProtect Cipher Suites
PAN-OS 11.2 IPSec Cipher Suites
PAN-OS 11.2 IKE and Web Certificate Cipher Suites
PAN-OS 11.2 Decryption Cipher Suites
PAN-OS 11.2 Administrative Session Cipher Suites
PAN-OS 11.2 HA1 SSH Cipher Suites
PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites
PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode
Cipher Suites Supported in PAN-OS 11.1
PAN-OS 11.1 GlobalProtect Cipher Suites
PAN-OS 11.1 IPSec Cipher Suites
PAN-OS 11.1 IKE and Web Certificate Cipher Suites
PAN-OS 11.1 Decryption Cipher Suites
PAN-OS 11.1 Administrative Session Cipher Suites
PAN-OS 11.1 HA1 SSH Cipher Suites
PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites
PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
Cipher Suites Supported in PAN-OS 11.0
PAN-OS 11.0 GlobalProtect Cipher Suites
PAN-OS 11.0 IPSec Cipher Suites
PAN-OS 11.0 IKE and Web Certificate Cipher Suites
PAN-OS 11.0 Decryption Cipher Suites
PAN-OS 11.0 Administrative Session Cipher Suites
PAN-OS 11.0 HA1 SSH Cipher Suites
PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
Cipher Suites Supported in PAN-OS 10.2
PAN-OS 10.2 GlobalProtect Cipher Suites
PAN-OS 10.2 IPSec Cipher Suites
PAN-OS 10.2 IKE and Web Certificate Cipher Suites
PAN-OS 10.2 Decryption Cipher Suites
PAN-OS 10.2 Administrative Session Cipher Suites
PAN-OS 10.2 HA1 SSH Cipher Suites
PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
Cipher Suites Supported in PAN-OS 10.1
PAN-OS 10.1 GlobalProtect Cipher Suites
PAN-OS 10.1 IPSec Cipher Suites
PAN-OS 10.1 IKE and Web Certificate Cipher Suites
PAN-OS 10.1 Decryption Cipher Suites
PAN-OS 10.1 Administrative Session Cipher Suites
PAN-OS 10.1 HA1 SSH Cipher Suites
PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
Cipher Suites Supported in PAN-OS 9.1
PAN-OS 9.1 GlobalProtect Cipher Suites
PAN-OS 9.1 IPSec Cipher Suites
PAN-OS 9.1 IKE and Web Certificate Cipher Suites
PAN-OS 9.1 Decryption Cipher Suites
PAN-OS 9.1 Administrative Session Cipher Suites
PAN-OS 9.1 HA1 SSH Cipher Suites
PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode

GlobalProtect
Where Can I Install the GlobalProtect App?
Apple macOS
Microsoft Windows
Linux
Apple iOS and iPadOS
Google Android
Google Chrome
Internet of Things (IoT)
Hypervisors
Third-Party VPN Client Support
What Third-Party VPN Clients are Supported?
What GlobalProtect Features Do Third-Party Clients Support?
How Many Third-Party Clients Does Each Firewall Model Support?
What Features Does GlobalProtect Support?
TEST: What Features Does GlobalProtect Support?
Authentication Features
Single Sign-On
What Features Does GlobalProtect Support for IoT?
What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?

Prisma Access
What Features Does Prisma Access Support?
Prisma Access Feature Support
Management
Remote Networks
Service Connections
Mobile Users—GlobalProtect
Mobile Users—Explicit Proxy
Security Services
Network Services
Identity Services
Policy Objects
Logs
Reports
Integration with Other Palo Alto Networks Products
Multitenancy Unsupported Features and Functionality
Prisma Access and Panorama Version Compatibility
Supported IKE Cryptographic Parameters
Minimum Required Panorama Software Versions
End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access

Strata Cloud Manager and Panorama Feature Parity

User-ID Agent
Where Can I Install the User-ID Agent?
Which Servers Can the User-ID Agent Monitor?
Where Can I Install the User-ID Credential Service?

Terminal Server (TS) Agent
Where Can I Install the Terminal Server (TS) Agent?
How Many TS Agents Does My Firewall Support?

Strata Logging Service Software Compatibility

Cortex XDR

Endpoint Security Manager (ESM)
Where Can I Install the Endpoint Security Manager (ESM)?
Where Can I Install the Cortex XDR Agent?

IPv6 Support by Feature

Mobile Network Infrastructure Feature Support
PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security
PAN-OS Releases by Model that Support Intelligent Security Correlation (PFCP, RADIUS, and GTP)
3GPP TS References for GTP Security
3GPP TS References for 5G Security
3GPP TS References for 5G Multi-Edge Security
3GPP TS References for UE-to-IP Address Correlation with PFCP in 4G

Supported OS Releases by Model
Use the tables throughout this Palo Alto Networks Compatibility Matrix to determine support for
Palo Alto Networks Next-Generation Firewalls, appliances, and agents. Additionally, refer to the
product comparison tool for detailed information about Palo Alto Networks firewalls by model,
including specifications for throughput, maximum number of sessions, rules, objects, tunnels, and
zones.
For supported operating systems on firewalls and appliances and for high-availability (HA) port
and processor support on firewalls, review the following topics:
• Palo Alto Networks Next-Generation Firewalls
• Palo Alto Networks Appliances
• WF-500 Appliance Analysis Environment Support
• Palo Alto Networks PA-7000 Series Firewall Cards
• HA Port and Processor Support
• Breakout Port Support


Palo Alto Networks Next-Generation Firewalls


The following table shows the PAN-OS® releases supported for each of the Palo Alto Networks
Next-Generation Firewall hardware, VM-Series, and CN-Series models. You can also review
PAN-OS support for PA-7000 Series cards and PA-5450 firewall cards as well as for Palo Alto
Networks appliances.

| Palo Alto Networks Firewall Model | PAN-OS 9.1 | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 | PAN-OS 11.2 |
|---|---|---|---|---|---|---|
| Hardware Firewalls | | | | | | |
| PA-220 Firewall | √ | √ | √ | — | — | — |
| PA-220R Firewall | √ | √ | √ | — | — | — |
| PA-410 Firewall | — | √ (10.1.2 & later) | √ | √ | √ | √ |
| PA-410R Firewall | — | — | — | — | √ (11.1.3 & later) | √ |
| PA-410R-5G Firewall | — | — | — | — | √ (11.1.4 & later) | √ |
| PA-415-5G Firewall | — | — | — | — | √ | √ |
| PA-415 and PA-445 Firewalls | — | — | — | √ | √ | √ |
| PA-440, PA-450, and PA-460 Firewalls | — | √ | √ | √ | √ | √ |
| PA-450R Firewall | — | — | — | — | √ | √ |
| PA-450R-5G | — | — | — | — | √ | √ |
| PA-455 Firewall | — | — | — | — | √ | √ |
| PA-455-5G | — | — | — | — | — | √ (11.2.3 & later) |
| PA-800 Series Firewalls | √ | √ | √ | √ | √ | — |
| PA-1400 Series Firewalls | — | — | — | √ | √ | √ |
| PA-3200 Series Firewalls | √ | √ | √ | √ | √ | — |
| PA-3400 Series Firewalls | — | — | √ | √ | √ | √ |
| PA-5200 Series Firewalls | √ | √ | √ | √ | √ | √ |
| PA-5410, PA-5420, and PA-5430 Firewalls | — | — | √ | √ | √ | √ |
| PA-5440 Firewall | — | — | — | √ | √ | √ |
| PA-5445 Firewall | — | — | — | — | √ | √ |
| PA-5450 Firewall | — | √ | √ | √ | √ | √ |
| PA-7000 Series Firewalls | √ | √ | √ | √ | √ | √ |
| PA-7500 Firewall | — | — | — | — | √ | √ |
| VM-Series Firewalls | | | | | | |
| Flexible vCPU Firewalls (Up to 32 cores) | — | √ | √ | √ | √ | √ |
| Flexible vCPU Firewalls (Up to 64 cores) | — | — | √ | √ | √ | √ |
| VM-50 Firewall | √ | √ | √ | √ | √ | √ |
| VM-100 Firewall | √ | √ | √ | √ | √ | √ |
| VM-200 Firewall | √ | √ | √ | √ | √ | √ |
| VM-300 Firewall | √ | √ | √ | √ | √ | √ |
| VM-500 Firewall | √ | √ | √ | √ | √ | √ |
| VM-700 Firewall | √ | √ | √ | √ | √ | √ |
| VM-1000-HV Firewall | √ | √ | √ | √ | √ | √ |
| CN-Series Firewall | | | | | | |
| CN-Series Small (CN-MGMT Mem: 2GB; CN-NGFW Mem: 2 to 2.5GB) | — | √ | √ | √ | √ | √ |
| CN-Series Medium (CN-MGMT Mem: 2GB; CN-NGFW Mem: 6GB) | — | √ | √ | √ | √ | √ |
| CN-Series Large (CN-MGMT Mem: 4GB; CN-NGFW Mem: 48GB) | — | √ | √ | √ | √ | √ |

* You should also review the hardware EoL information for more specific information about
firewalls and appliances that have reached end-of-sale (EoS) status.


Palo Alto Networks Appliances


The following table shows PAN-OS® release support for each Palo Alto Networks (non-firewall)
appliance. You can also review PAN-OS release support for Palo Alto Networks Next-Generation
Firewalls.

| Palo Alto Networks Appliance | Release 9.1* | Release 10.1 | Release 10.2 | Release 11.0 | Release 11.1 | Release 11.2 |
|---|---|---|---|---|---|---|
| Panorama Virtual Appliance | √ | √ | √ | √ | √ | √ |
| M-200 Appliance | √ | √ | √ | √ | √ | √ |
| M-300 Appliance | — | — | √ | √ | √ | √ |
| M-500 Appliance (EoS**) | √ | √ | — | — | — | — |
| M-600 Appliance | √ | √ | √ | √ | √ | √ |
| M-700 Appliance | — | — | √ | √ | √ | √ |
| WF-500 Appliance(*) | √ | √ | √ (10.2.2 & later) | √ | √ | √ |
| WF-500-B Appliance(*) | — | — | √ (10.2.2 & later) | √ | √ | √ |

* WF-500 appliances have optional guest VM images that provide support for additional analysis
environments. For information about which VMs are available for a specific PAN-OS® (WildFire®)
release, refer to WF-500 Appliance Analysis Environment Support.
** For more specific information about firewalls and appliances that have reached end-of-sale
(EoS) status, review our hardware EoL web page.

WF-500 Appliance Analysis Environment Support


We support the following WildFire® guest VM images (analysis environments) in PAN-OS®
(WildFire) releases. When ready, upgrade your WF-500 appliances to the appropriate image.

Make sure to download and install the correct WildFire VM image for your WF-500
appliances. Installing a WildFire VM image that the PAN-OS (WildFire) release running on
your appliance does not support will produce error messages, fail to process samples, and
won't detect malware as expected.


| WF-500 Appliance Analysis Environment | VM ID | WF-500 Appliance Guest VM Filename | Minimum Compatible PAN-OS Version |
|---|---|---|---|
| Windows XP (Adobe Reader 11, Flash 11, Office 2010) | vm-3 | WFWinXpAddon3_m-1.0.1.xpaddon3 | 10.2.2 and later |
| | | WFWinXpAddon3_m-1.0.0.xpaddon3* | 10.1 and earlier |
| Windows 7 x64 SP1 (Adobe Reader 11, Flash 11, Office 2010) | vm-5 | WFWin7_64Addon1_m-1.0.1.7_64addon1 | 10.2.2 and later |
| | | WFWin7_64Addon1_m-1.0.0.7_64addon1 | 10.1 and earlier |
| | | WFWin7_64Base_m-1.0.0.7_64base (This is a required base VM image package for the proper function of the Windows 7 analysis environment.) | 10.1 and earlier |
| Windows XP (Internet Explorer 8, Flash 11, Elink analysis support) | vm-6* | WFWinXpGf_m-1.0.0.xpgf | 10.1 and earlier |
| | | WFWinXpGf_m-1.0.1.xpgf | 10.2.2 and later |
| Windows 10 x64 (Adobe Reader 11, Flash 11, Office 2010) | vm-7 | WFWin10Base_m-1.0.1.10base | 10.2.2 and later |
| | | WFWin10Base_m-1.0.0-c2.10base | 10.1 and earlier |

* You cannot select this WF-500 appliance analysis environment through the WF-500
appliance CLI.


Palo Alto Networks PA-7000 Series Cards


The following table shows the PAN-OS® releases supported for each of the system cards and for
each of the network and data processing cards available for PA-7000 Series firewalls. You can
also review PAN-OS support for each Palo Alto Networks Next-Generation Firewall, for all other
Palo Alto Networks appliances, and for the data processing cards for the PA-5450 firewall or the
PA-7500 firewall.

| PA-7000 Series Firewall Cards | PAN-OS 9.1 | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 | PAN-OS 11.2 |
|---|---|---|---|---|---|---|
| Network and Data Processing Cards | | | | | | |
| PAN-PA-7000-20GXM-NPC | √ | √ | — | — | — | — |
| PAN-PA-7000-20GQXM-NPC | √ | √ | — | — | — | — |
| PAN-PA-7000-100G-NPC-A | √ | √ | √ | √ | √ | √ |
| PAN-PA-7000-DPC-A | — | √ | √ | √ | √ | √ |
| System Cards | | | | | | |
| PAN-PA-7050-SMC | √ | √* (*until February 28, 2026) | — | — | — | — |
| PAN-PA-7050-SMC (v2) | √ | √* (*until February 28, 2026) | — | — | — | — |
| PAN-PA-7050-SMC-B | √ | √ | √ | √ | √ | √ |
| PAN-PA-7080-SMC | √ | √* (*until February 28, 2026) | — | — | — | — |
| PAN-PA-7080-SMC (v2) | √ | √* (*until February 28, 2026) | — | — | — | — |
| PAN-PA-7080-SMC-B | √ | √ | √ | √ | √ | √ |
| PAN-PA-7000-LPC | √ | √* (*until February 28, 2026) | — | — | — | — |
| PAN-PA-7000-LFC-A | √ | √ | √ | √ | √ | √ |


Palo Alto Networks PA-5450 Cards


The following table shows the PAN-OS® releases supported for each of the system, network, and
data processing cards available for the PA-5450 firewall. You can also review PAN-OS support
for each Palo Alto Networks Next-Generation Firewall, each of our other Palo Alto Networks
appliances, and for the data processing cards for the PA-7000 Series firewalls or the PA-7500
firewall.

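| PA-5450 Firewall Cards | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 | PAN-OS 11.2 |
|---|---|---|---|---|---|
| Network and Data Processing Cards | | | | | |
| PAN-PA-5400-NC-A | √ | √ | √ | √ | √ |
| PAN-PA-5400-DPC-A | √ | √ | √ | √ | √ |
| System Cards | | | | | |
| PAN-PA-5400-BC-A | √ | √ | √ | √ | √ |
| PAN-PA-5400-MPC-A | √ | √ | √ | √ | √ |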


Palo Alto Networks PA-7500 Cards


The following table shows the PAN-OS® releases supported for each of the system, network, and
data processing cards available for the PA-7500 firewall. You can also review PAN-OS support
for each Palo Alto Networks Next-Generation Firewall, each of our other Palo Alto Networks
appliances, and for the data processing cards for the PA-7000 Series firewalls or the PA-5450
firewall.

| PA-7500 Firewall Cards | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 |
|---|---|---|---|---|
| Network and Data Processing Cards | | | | |
| PAN-PA-7500-NPC-A | — | — | — | √ |
| PAN-PA-7500-DPC-A | — | — | — | √ |
| System Cards | | | | |
| PAN-PA-7500-MPC-A | — | — | — | √ |
| PAN-PA-7500-SFC-A | — | — | — | √ |


HA Port and Processor Support


The following table identifies which Palo Alto Networks Next-Generation Firewall (NGFW) can
support the HA ports and processor functionality you require in your network.
Additionally, some firewall models and PA-7000 Series firewall cards include an offload processor
—a Content Engine (CE) for accelerating signature matches or a Crypto Accelerator (CA) for
accelerating SSL processing; some firewalls support either one but none can support both
simultaneously.

Palo Alto Networks Firewall Model | Separate Mgmt Plane Processor | Network Processor | Offload Processor | First Packet Processor | HA1 Port | HA2 Port | HSCI Port

Firewalls

PA-220 (EoS)* — — — — — — —

PA-220R (EoS)* — — — — — — —

PA-410 — — — — — — —

PA-415 — — — — — — —

PA-415-5G — — — — — — —

PA-440 — — — — — — —

PA-445 — — — — — — —

PA-450 — — — — — — —

PA-450R — — — — — — —

PA-455 — — — — — — —

PA-455-5G — — — — — — —

PA-460 — — — — — — —

PA-820* — — — — √ √ —

PA-850* — — — — √ √ —

PA-1410 — — — — √ — √
(x2)


PA-1420 — — — — √ — √
(x2)

PA-3220 (EoS)* √ √ — — √ — √
(x2)

PA-3250 (EoS)* √ √ √ — √ — √
(CE) (x2)

PA-3260 (EoS)* √ √ √ — √ — √
(CE) (x2)

PA-3410 √ √ — — √ — √
(x2)

PA-3420 √ √ — — √ — √
(x2)

PA-3430 √ √ — — √ — √
(x2)

PA-3440 √ √ — — √ — √
(x2)

PA-5220 (EoS)* √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5250 (EoS)* √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5260 (EoS)* √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5280 (EoS)* √ √ √ √ √ — √

(CE or (x2)
CA)

PA-5410 — — — — √ — √
(x2)

PA-5420 — — — — √ — √
(x2)

PA-5430 — — — — √ — √
(x2)

PA-5440 — — — — √ — √
(x2)

PA-5445 — — — — √ — √
(x2)

PA-5450 √ √ √ √ √ — √
(CE or (x2) (x2)
CA)

PA-7050 √ √ √ √ √ — √
(CE or (x2) (x2)
CA)

PA-7080 √ √ √ √ √ — √
(CE or (x2) (x2)
CA)

PA-7500 √ √ √ √ — — √
(CE or (x2)
CA)

PA-7000 Series Firewall Cards

PA-7050-SMC √ — — √ √ — √
(EoS)* (x2) (x2)


PA-7080-SMC √ — — √ √ — √
(EoS)* (x2) (x2)

PA-7050-SMC-B √ — — √ √ — √
(x2) (x2)

PA-7080-SMC-B √ — — √ √ — √
(x2) (x2)

PA-7000-20GXM- — √ √ — — — —
NPC
(CE x2)
(EoS)*

PA-7000-20GQXM- — √ √ — — — —
NPC
(CE x2)
(EoS)*

PA-7000-100G- — √ √ — — — —
NPC-A
(CE or
CA)

PA-7000-DPC-A — — √ — — — —
(CA x2)

* Some of the firewalls and firewall cards in this table have reached end-of-sale (EoS), are not
supported in newer versions of PAN-OS software, or both. Be sure to review the specific
information for your firewalls, firewall cards, and appliances on the hardware EoL web page.


Breakout Port Support


The following table identifies which Palo Alto Networks Next-Generation Firewalls (NGFWs)
support the breakout feature of the QSFP+/QSFP28 ports. When a port is broken out using
a breakout cable, the port functions as four new independent interfaces whose speeds are a
quarter of the speed of the broken out port. This allows you to split your network connections
into additional, lower speed channels that link to multiple network switches or devices.

| Palo Alto Networks Firewall Model | Breakout Support | Breakout Ports | Breakout Speed |
|---|---|---|---|
| PA-220 | — | — | — |
| PA-220R | — | — | — |
| PA-410 | — | — | — |
| PA-410R | — | — | — |
| PA-410R-5G | — | — | — |
| PA-415 | — | — | — |
| PA-415-5G | — | — | — |
| PA-440 | — | — | — |
| PA-445 | — | — | — |
| PA-450 | — | — | — |
| PA-450R | — | — | — |
| PA-450R-5G | — | — | — |
| PA-455 | — | — | — |
| PA-455-5G | — | — | — |
| PA-460 | — | — | — |
| PA-820 | — | — | — |
| PA-850 | — | — | — |
| PA-1410 | — | — | — |
| PA-1420 | — | — | — |
| PA-3220 | — | — | — |
| PA-3250 | — | — | — |
| PA-3260 | — | — | — |
| PA-3410 | — | — | — |
| PA-3420 | — | — | — |
| PA-3430 | √ | Port 35 — Ports 27, 28, 29, and 30; Port 36 — Ports 31, 32, 33, and 34 | 10Gbps/25Gbps |
| PA-3440 | √ | Port 35 — Ports 27, 28, 29, and 30; Port 36 — Ports 31, 32, 33, and 34 | 10Gbps/25Gbps |
| PA-5220 | — | — | — |
| PA-5250 | — | — | — |
| PA-5260 | — | — | — |
| PA-5280 | — | — | — |
| PA-5410 | √ | Port 41 — Ports 25, 26, 27, and 28; Port 42 — Ports 29, 30, 31, and 32; Port 43 — Ports 33, 34, 35, and 36; Port 44 — Ports 37, 38, 39, and 40 | 10Gbps/25Gbps |
| PA-5420 | √ | Port 41 — Ports 25, 26, 27, and 28; Port 42 — Ports 29, 30, 31, and 32; Port 43 — Ports 33, 34, 35, and 36; Port 44 — Ports 37, 38, 39, and 40 | 10Gbps/25Gbps |
| PA-5430 | √ | Port 41 — Ports 25, 26, 27, and 28; Port 42 — Ports 29, 30, 31, and 32; Port 43 — Ports 33, 34, 35, and 36; Port 44 — Ports 37, 38, 39, and 40 | 10Gbps/25Gbps |
| PA-5440 | √ | Port 41 — Ports 25, 26, 27, and 28; Port 42 — Ports 29, 30, 31, and 32; Port 43 — Ports 33, 34, 35, and 36; Port 44 — Ports 37, 38, 39, and 40 | 10Gbps/25Gbps |
| PA-5445 | √ | Port 41 — Ports 25, 26, 27, and 28; Port 42 — Ports 29, 30, 31, and 32; Port 43 — Ports 33, 34, 35, and 36; Port 44 — Ports 37, 38, 39, and 40 | 10Gbps/25Gbps |
| PA-5450 (PA-5400 NC-A) | √ | Port 25 — Ports 5, 6, 7, and 8; Port 26 — Ports 9, 10, 11, and 12 | 10Gbps/25Gbps |
| PA-7050 (PA-7000 100G-NPC) | √ PAN-OS 10.2 & later | Port 25 — Ports 9, 10, 11, and 12; Port 26 — Ports 13, 14, 15, and 16; Port 27 — Ports 17, 18, 19, and 20; Port 28 — Ports 21, 22, 23, and 24 | 10Gbps/25Gbps |
| PA-7050 (PA-7000 LFC) | √ PAN-OS 10.2 & later | Port 9 — Ports 1, 2, 3, and 4; Port 10 — Ports 5, 6, 7, and 8 | 10Gbps |
| PA-7080 (PA-7000 100G-NPC) | √ PAN-OS 10.2 & later | Port 25 — Ports 9, 10, 11, and 12; Port 26 — Ports 13, 14, 15, and 16; Port 27 — Ports 17, 18, 19, and 20; Port 28 — Ports 21, 22, 23, and 24 | 10Gbps/25Gbps |
| PA-7080 (PA-7000 LFC) | √ PAN-OS 10.2 & later | Port 9 — Ports 1, 2, 3, and 4; Port 10 — Ports 5, 6, 7, and 8 | 10Gbps |
| PA-7500 (PA-7500 NPC) | √ | Port 1 — Ports 21, 22, 23, and 24; Port 2 — Ports 25, 26, 27, and 28; Port 3 — Ports 29, 30, 31, and 32; Port 4 — Ports 33, 34, 35, and 36; Port 11 — Ports 37, 38, 39, and 40; Port 12 — Ports 41, 42, 43, and 44; Port 13 — Ports 45, 46, 47, and 48; Port 14 — Ports 49, 50, 51, and 52 | 10Gbps/25Gbps/100Gbps |

VM-Series Firewalls
The hypervisors and the public cloud regions in which you can deploy the VM-Series firewalls:
• VM-Series Firewall Hypervisor Support
• PacketMMAP and DPDK Drivers on VM-Series Firewalls
• Partner Interoperability for VM-Series Firewalls
• VM-Series Plugin
• AWS and AWS Gov Cloud Regions
• Azure Regions
• Google Cloud Regions
• Alibaba Cloud Regions
• AWS CFT Amazon Machine Images (AMI) List

For the best instance types for optimal VM-Series capacity and performance, review the
VM-Series Capacity & Performance document.


VM-Series Firewall Hypervisor Support


Palo Alto Networks offers hypervisor version support on VM-Series firewalls for both of the
following deployments:
• Private Cloud Deployments
• Public Cloud Deployments

Private Cloud Deployments


The following Private Clouds require a PAN-OS for VM-Series base image from the Palo Alto
Networks Support Portal:
• VM-Series for VMware vSphere Hypervisor (ESXi)
• VM-Series for VMware NSX-V
• VM-Series for VMware NSX (Formerly NSX-T)
• VM-Series for KVM
• VM-Series for Nutanix
• VM-Series for Hyper-V
• VM-Series for OpenStack
• Cisco ACI: Hardware and VM-Series Firewalls in Cisco ACI
In the compatibility matrix below, the PAN-OS Version Support column displays the range of
versions and the (Minimum) version in parentheses. For example, if the PAN-OS Version Support
column displays PAN-OS 11.1.x (11.1.3), it indicates that the integration supports PAN-OS 11.1
versions beginning with PAN-OS 11.1.3.
Further I/O Enhancement support is detailed in the list of PacketMMAP and DPDK Drivers on
VM-Series Firewalls.

VM-Series for VMware vSphere Hypervisor (ESXi)


This ESXi version support list does not include NSX. For NSX, see VM-Series for VMware NSX-V
or VM-Series for VMware NSX (Formerly NSX-T).
You can download base images from the Palo Alto Networks Support Portal.

Access mode with SR-IOV on VMware ESXi is supported on PAN-OS 9.1.5 and later PAN-
OS 9.1 versions and all later PAN-OS versions but only with VM-Series plugin 2.0.5 and
later plugin versions. However, you must enable VLAN access mode for ESXi where
needed.


| PAN-OS Version Support (Minimum) | VMware ESXi Version Support | VMware Virtual Machine Hardware Version | I/O Enhancement Support | Base Image |
|---|---|---|---|---|
| PAN-OS 11.1.x (11.1.5) | 7.0 | vmx-19 | SR-IOV, DPDK | Panorama-ESX-11.1.3.ova |
| PAN-OS 11.1.x (11.1.0) | 6.7, 7.0, 8.0 | vmx-10; vmx-15 (vmx-15 requires PAN-OS 11.1.3 base image) | SR-IOV, DPDK | PA-VM-ESX-11.1.0.ova; PA-VM-ESX-11.1.3.ova |
| PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | 6.7, 7.0, 8.0 | vmx-10 | SR-IOV, DPDK | PA-VM-ESX-10.2.0.ova; PA-VM-ESX-11.0.0.ova |
| PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0) | 6.7, 7.0 | vmx-10 | SR-IOV, DPDK | PA-VM-ESX-9.1.0.ova; PA-VM-ESX-10.1.0.ova |
| PAN-OS 9.1.x (9.1.0) | 6.5, 6.7 | vmx-10 | SR-IOV, DPDK | PA-VM-ESX-9.1.0.ova |

VM-Series for VMware NSX-V


vSphere with VMware NSX is available on all VM-Series firewalls except the VM-50 and VM-700
firewalls.
Palo Alto Networks approves the vSphere with VMware NSX and Panorama combinations listed
below with the following criteria. You can download base images from the Palo Alto Networks
Support Portal.
For versions of PAN-OS certified by VMware, see the VMware Compatibility Guide.
• Panorama management servers running PAN-OS 9.1 and later versions require the VMware
NSX plugin. For more plugin version information, see Panorama Plugins for VMware NSX.


• VMware has announced EoS for NSX-V and Palo Alto Networks will continue to support the
VM-Series on NSX-V running PAN-OS 9.1 when managed by Panorama management servers
running PAN-OS 10.1 or PAN-OS 10.2 software.
• Palo Alto Networks does not support VMware NSX-V on Panorama management servers
running PAN-OS 11.0 or later versions.
• There aren't any VM-Series for VMware NSX-V base images for PAN-OS 10.1 or later PAN-
OS versions.
• You cannot upgrade the VM-Series firewall for NSX-V to PAN-OS 10.1 or later PAN-OS
versions.
• The Panorama management server running PAN-OS 10.1 or PAN-OS 10.2 supports PAN-
OS 9.1 base images until June 30, 2024.
See the Palo Alto Networks End-of-Life Summary for more information about the PAN-OS EoL
schedule.

| Supported Panorama Versions | PAN-OS Version Support | Panorama Plugin for NSX | VMware NSX-V Manager | vSphere | VMware Virtual Machine Hardware Version | Minimum Base Image | I/O Enhancement Support |
|---|---|---|---|---|---|---|---|
| 10.2.x | 9.1.0 to 9.1.6 | 5.0.0 and later | 6.4.1 to 6.4.7 | 6.5; 6.7 | vmx-10 | PA-VM-NSX-9.1.0.zip | LRO |
| 9.1.x; 10.1.x | 9.1.7 to latest 9.1.x | 3.2.0 to latest 4.0.x | 6.4.8 and later | 6.5; 6.7; 7.0 | vmx-10 | PA-VM-NSX-9.1.9.zip | LRO |
| 9.1.x; 10.1.x | 9.1.0 to 9.1.6 | 3.2.0 to latest 4.0.x | 6.4.1 to 6.4.7 | 6.5; 6.7 | vmx-10 | PA-VM-NSX-9.1.0.zip | LRO |

VM-Series for VMware NSX (Formerly NSX-T)


Palo Alto Networks approves the VMware NSX-T and Panorama combinations listed below. You
can download base images from the Palo Alto Networks Support Portal.
For versions of PAN-OS certified by VMware, see the VMware Compatibility Guide.

VMware NSX 4.0.x Service Deployments for partner Service Virtual Machines (SVM)
sometimes experience a known traffic redirect issue. Contact VMware NSX Technical
Support for details.


| Panorama Version Support | Panorama Plugin for NSX | VMware NSX-T Version Support | VMware Virtual Machine Hardware Version | PAN-OS Version Support (Minimum) | Latest Base Image |
|---|---|---|---|---|---|
| 11.0.x | 5.0.1 and later | 3.2.x, 4.1.x | vmx-10 | PAN-OS 10.1.x (10.1.9-h1); PAN-OS 10.2.x (10.2.4) | PA-VM-NST-10.2.4-vmwaresigned.zip |
| 10.2.x | 5.0.0 and later | 3.2.x, 4.0.x, 4.1.x. NSX 4.1.x with PAN-OS 10.2 requires NSX plugin 5.0.1 or later. | vmx-10 | PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.4) | PA-VM-NST-10.2.4-vmwaresigned.zip; PA-VM-NST-10.1.9-h1-vmwaresigned.zip |
| 10.1.x | 3.2.0 to 4.0.x | 2.5.x, 3.0.x, 3.1.x, 3.2.x | vmx-10 | PAN-OS 10.1.x (10.1.0) | PA-VM-NST-10.1.9-h1-vmwaresigned.zip; PA-VM-NST-9.1.9-vmwaresigned.zip |
| | 4.0.x | 4.0.x | vmx-10 | PAN-OS 10.1.x (10.1.9-h1) | PA-VM-NST-10.1.9-h1-vmwaresigned.zip |
| 9.1.x | 3.2.0 to 4.0.x | 2.5.x, 3.0.x, 3.1.x | vmx-10 | PAN-OS 9.1.x (9.1.0) | PA-VM-NST-9.1.9.zip |

VM-Series for KVM


You can download base images from the Palo Alto Networks Support Portal.


| PAN-OS Version Support (Minimum) | VM-Series for KVM Version Support (Minimum) | I/O Enhancement Support | PAN-OS for VM-Series KVM Base Images |
|---|---|---|---|
| PAN-OS 11.1.4 (11.1.4) | Oracle Linux 8.10 | DPDK Virtio | PA-VM-KVM-11.1.4-h7.qcow2 |
| PAN-OS 11.0.4 (11.0.4); PAN-OS 10.2.x (10.2.5); PAN-OS 10.1.x (10.1.11) | RHEL 9.2 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-11.0.4.qcow2; PA-VM-KVM-10.2.5-h1.qcow2; PA-VM-KVM-10.1.11-h1.qcow2 |
| PAN-OS 11.1.x (11.1.0) | Ubuntu 20.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-11.1.0.qcow2 for ARM; PA-VM-KVM-11.1.x.qcow2 for x86 |
| PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | Ubuntu 22.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.2.x.qcow2; PA-VM-KVM-11.0.0.qcow2 |
| PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | CentOS/Red Hat Enterprise Linux 9.1.x (9.1.x) | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.2.x.qcow2; PA-VM-KVM-11.0.0.qcow2 |
| PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | CentOS/Red Hat Enterprise Linux: 7.x.x (7.6.x); 8.x.x (8.0.x); 9.0.x (9.0.x) | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.1.x.qcow2; PA-VM-KVM-10.2.x.qcow2; PA-VM-KVM-11.0.0.qcow2 |
| PAN-OS 10.1.x (10.1.0) | Ubuntu 20.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 10.1.x (10.1.0) | SUSE Enterprise Server 15 with QEMU 3.1.1 | MacVTap; Virtio | PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0) | Ubuntu 18.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-9.1.x.qcow2; PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 9.1.x (9.1.0) | CentOS/Red Hat Enterprise Linux: 7.x.x (7.6.x); 8.x.x (8.0.x) | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-9.1.x.qcow2 |

VM-Series for Nutanix


You can download base images from the Palo Alto Networks Support Portal.

The VM-Series firewall for Nutanix uses the VM-Series firewall for KVM base image
(qcow2).

| PAN-OS Version Support (Minimum) | VM-Series for Nutanix Version Support (Minimum) | I/O Enhancement Support | VM-Series for KVM Base Image |
|---|---|---|---|
| PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0) | Nutanix AOS Version 5.20; Nutanix AHV Release 20201105.2030; Layer 3 deployments, and virtual wire deployments with Service Chaining. | DPDK supported | PA-VM-KVM-10.1.x.qcow2; PA-VM-KVM-10.2.x.qcow2 |
| PAN-OS 10.1.x (10.1.0) | Nutanix AOS 6.5 version 6.0.5; Layer 3 deployments, and virtual wire deployments with Service Chaining. | L3 mode only in VPC mode | PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0) | Nutanix AOS Version 5.10, 5.15; Nutanix AHV Release 20170830.185; Layer 3 deployments, and virtual wire deployments with Service Chaining. | DPDK supported | PA-VM-KVM-9.1.0.qcow2; PA-VM-KVM-10.1.x.qcow2 |

VM-Series for Hyper-V


You can download base images from the Palo Alto Networks Support Portal.

| PAN-OS Version Support (Minimum) | VM-Series for Hyper-V Version Support (Minimum) | I/O Enhancement Support | Base Image |
|---|---|---|---|
| PAN-OS 11.2.x (11.2.0) | Windows Server 2022 with Hyper-V role or Hyper-V 2022 | DPDK with SR-IOV supported; Packet MMAP with Virtio supported; Packet MMAP with SR-IOV supported | PA-VM HPV-11.2.0.vhdx |
| PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | Windows Server 2012 R2 with Hyper-V role or Hyper-V 2012 R2; Windows Server 2016 with Hyper-V role or Hyper-V 2016; Windows Server 2019 with Hyper-V role or Hyper-V 2019 | DPDK with SR-IOV supported; Packet MMAP with Virtio supported; Packet MMAP with SR-IOV supported | PA-VM-HPV-10.1.0.vhdx; PA-VM-HPV-10.2.0.vhdx; PA-VM-HPV-11.0.0.vhdx |
| PAN-OS 9.1.x (9.1.0) | Windows Server 2012 R2 with Hyper-V role or Hyper-V 2012 R2; Windows Server 2016 with Hyper-V role or Hyper-V 2016; Windows Server 2019 with Hyper-V role or Hyper-V 2019 | Packet MMAP supported; DPDK not supported | PA-VM-HPV-9.1.0.vhdx |

VM-Series for OpenStack


You can download base images from the Palo Alto Networks Support Portal.

| PAN-OS Version Support (Minimum) | VM-Series for OpenStack Version Support (Minimum) | I/O Enhancement Support | Base Image |
|---|---|---|---|
| PAN-OS 10.1.x (10.1.3) | Redhat OpenStack Train 16 | DPDK with Virtio; DPDK with SR-IOV; Packet MMAP with Virtio; Packet MMAP with SR-IOV | PA-VM-KVM-10.1.3.qcow2 |
| PAN-OS 9.1.x (9.1.5); PAN-OS 10.1.x (10.1.0) | Redhat OpenStack Queens 13 | DPDK with Virtio; DPDK with SR-IOV; Packet MMAP with Virtio; Packet MMAP with SR-IOV | PA-VM-KVM-9.1.5.qcow2; PA-VM-KVM-10.1.0.qcow2 |


Cisco ACI: Hardware and VM-Series Firewalls in Cisco ACI


Review the Cisco ACI plugins information for supported PAN-OS, Panorama, and Cisco ACI plugin
versions.
You can download base images from the Palo Alto Networks Support Portal.

Public Cloud Deployments


Palo Alto Networks supports the following public cloud deployments:
• Public Cloud Deployments Available from a Marketplace—AWS, Azure, GCP, Oracle, IBM, and
Tencent Cloud China
• Public Cloud Deployments Requiring a Base Image—Alibaba, Oracle, vCloud Air
• VM-Series Firewall for VMware Cloud on AWS

Public Cloud Deployments Available from a Marketplace—AWS, Azure, GCP, Oracle, IBM, and Tencent Cloud China

| Public Cloud Deployment | PAN-OS Version Support (Minimum) | I/O Enhancement Support |
|---|---|---|
| VM-Series on AWS. List of supported AWS Regions. Support for AWS Outposts on PAN-OS 9.1 and later. | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0); PAN-OS 11.1.x (11.1.0) | In PAN-OS 11.1.x (11.1.0) and later, ARM support is available on AWS Graviton 3 and AWS Graviton 2 instances. |
| VM-Series on Azure. List of supported Azure Regions. | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0). Azure Stack Edge: PAN-OS 10.1.x (10.1.5) | DPDK is supported in PAN-OS 9.1 and later PAN-OS releases. |
| VM-Series on Google Cloud. List of supported Google Cloud Regions | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | DPDK is supported and enabled by default. |
| VM-Series on Oracle Cloud Infrastructure | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0). Oracle Gov Cloud: PAN-OS 9.1.x (9.1.3); PAN-OS 10.1.x (10.1.2); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | DPDK is supported and enabled by default. SR-IOV and MMAP mode is supported with jumbo and non-jumbo frames on PAN-OS 9.1.x and PAN-OS 10.1.x and later with VM-Series plugin 2.1.0 and later. |
| VM-Series on IBM Cloud | PAN-OS 10.1.x (10.1.0) | — |
| VM-Series on Tencent Cloud China | PAN-OS 10.2.10 (10.2.10) | — |

Further I/O Enhancement support is detailed in PacketMMAP and DPDK Drivers on VM-Series
Firewalls.
To view the hypervisor support for Panorama versions, see Panorama Hypervisor Support. To
view the Panorama plugin requirements for public clouds, see Public Cloud-AWS, Azure, GCP.

Public Cloud Deployments Requiring a Base Image—Alibaba, Oracle, vCloud Air


The following Public Clouds require a PAN-OS for VM-Series base image from the Palo Alto
Networks Support Portal.

| Public Cloud Deployment | PAN-OS Version Support (Minimum) | I/O Enhancement Support | Base Image |
|---|---|---|---|
| VM-Series on Alibaba Cloud | PAN-OS 9.1.x (9.1.0) | DPDK and Packet MMAP are supported. DPDK is enabled by default. | PA-VM-KVM-9.1.0.qcow2 |

Further I/O Enhancement support is detailed in the list of PacketMMAP and DPDK Drivers on
VM-Series Firewalls.

VM-Series Firewall for VMware Cloud on AWS


You can deploy the VM-Series firewall on VMware Cloud on AWS. Set Up a VM-Series Firewall
on an ESXi Server to deploy the VM-Series firewall. Review also the supported VMware ESXi
versions for the VM-Series for VMware vSphere Hypervisor (ESXi).


VMware Cloud on AWS does not support the VM-Series firewall on VMware NSX-V or
NSX-T.

| PAN-OS Version Support | I/O Enhancement Support | Documentation |
|---|---|---|
| PAN-OS 9.1.x (9.1.0) | DPDK and SR-IOV | VMware Cloud on AWS Documentation; VM-Series Firewall on VMware ESXi |


PacketMMAP and DPDK Drivers on VM-Series Firewalls


The VM-Series firewall supports the PacketMMAP and Data Plane Development Kit (DPDK)
drivers listed in the tables below. VM-Series firewalls use their own drivers to communicate with
the drivers on the host. You should install host-driver versions that are equal to or later than the
driver versions on your VM-Series firewall.
To choose host drivers for SR-IOV:
• KVM—On your KVM host, install a physical function (PF) driver version that is equal to or later
than the virtual function (VF) native driver version listed below.
• ESXi—Refer to the VMware Compatibility Matrix and install the latest driver for the firmware
version (PF=i40e, VF=i40evf).
For more information about communication between VF drivers on the VM-Series firewall and PF
drivers on the host (the hypervisor), review the list of PacketMMAP and DPDK Drivers on VM-
Series Firewalls in the VM-Series Deployment Guide.
• SR-IOV Access Mode
• PacketMMAP Driver Versions
• DPDK Driver Versions

SR-IOV Access Mode


VM-Series firewalls support SR-IOV Access Mode on KVM and ESXi hypervisors. To enable
single root I/O virtualization (SR-IOV) access mode, include the bootstrap parameter
plugin-op-commands=sriov-access-mode-on in the init-cfg.txt file.
• KVM—Requires PAN-OS 9.1.5 or a later PAN-OS version with VM-Series plugin 2.0.1 or a later
plugin version.
• ESXi—Requires PAN-OS 9.1.5 or a later PAN-OS 9.1 version or PAN-OS 10.1 or a later PAN-
OS version with VM-Series plugin 2.0.5 or a later plugin version.

PacketMMAP Driver Versions


VM-Series firewalls use their virtual function (VF) drivers to communicate with the host's physical
function (PF) drivers during SR-IOV. For example, i40e is a PF driver and i40evf is a VF driver.

| PAN-OS Version | Driver Filename | ARM Driver Filename | Virtual Firewall Native Drivers (Linux Version) | Comment |
|---|---|---|---|---|
| 11.2 | bnx2x | mlx5 | 1.713.36-0 | |
| 11.2 | i40e | i40e | 2.14.13 | |
| 11.2 | iavf | | 4.0.2 | |
| 11.2 | igb | | 5.6.0 | |
| 11.2 | igbvf | | 2.4.0 | |
| 11.2 | ixgbe | | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| 11.2 | ixgbevf | | 4.1.0 | |
| 11.2 | mlnx-en | | 4.9 | |
| 11.1 | bnx2x | mlx5 | 1.713.36-0 | |
| 11.1 | i40e | i40e | 2.14.13 | |
| 11.1 | iavf | | 4.0.2 | |
| 11.1 | igb | | 5.6.0 | |
| 11.1 | igbvf | | 2.4.0 | |
| 11.1 | ixgbe | | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| 11.1 | ixgbevf | | 4.1.0 | |
| 11.1 | mlnx-en | | 4.9 | |
| 11.0 | bnx2x | | 1.713.36-0 | |
| 11.0 | i40e | | 2.14.13 | |
| 11.0 | iavf | | 4.0.2 | |
| 11.0 | igb | | 5.6.0 | |
| 11.0 | igbvf | | 2.4.0 | |
| 11.0 | ixgbe | | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| 11.0 | ixgbevf | | 4.1.0 | |
| 11.0 | mlnx-en | | 4.9 | |
| 10.2 | bnx2x | | 1.712.30-0 | |
| 10.2 | i40e | | 2.13.10 | |
| 10.2 | iavf | | 3.2.3 | i40evf renamed to iavf; still compatible with i40en host driver. |
| 10.2 | igb | | 5.4.0 | |
| 10.2 | igbvf | | 2.4.0 | |
| 10.2 | ixgbe | | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| 10.2 | ixgbevf | | 4.1.0 | |
| 10.2 | mlnx-en | | 4.9 | |
| 10.1 | bnx2x | | 1.712.30-0 | |
| 10.1 | i40e | | 2.13.10 | |
| 10.1 | iavf | | 3.2.3 | i40evf renamed to iavf; still compatible with i40en host driver. |
| 10.1 | igb | | 5.4.0 | |
| 10.1 | igbvf | | 2.4.0 | |
| 10.1 | ixgbe | | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| 10.1 | ixgbevf | | 4.1.0 | |
| 10.1 | mlnx-en | | 4.9 | |
| 9.1 | bnx2x | | 1.713.36-0 | |
| 9.1 | i40e | | 2.3.2 | |
| 9.1 | i40evf | | 3.2.2 | Compatible with i40en host driver. |
| 9.1 | igb | | 5.4.0 | |
| 9.1 | igbvf | | 2.4.0 | |
| 9.1 | ixgbe | | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| 9.1 | ixgbevf | | 4.1.0 | |

DPDK Driver Versions


When the firewall is in DPDK mode, it uses DPDK drivers. Please check the official DPDK release
notes for more information.
By default DPDK is enabled on VM-Series firewalls as stated below. If the VM-Series firewall
detects an unsupported driver, the firewall reverts to PacketMMap mode.

| Hypervisor | Virtual NIC Driver | Drivers |
|---|---|---|
| KVM | virtio | ixgbe, ixgbevf, i40e, i40evf, and mlnx-en (PAN-OS 10.1 and later) |
| ESXi | VMXNET3 | ixgbe, ixgbevf, i40e, i40evf |
| ARM KVM | virtio | i40e and mlx5 (PAN-OS 11.1 and later) |

See VM-Series for KVM and VM-Series for VMware vSphere Hypervisor (ESXi) for
PAN-OS versions that support DPDK, DPDK with SR-IOV, or DPDK with Virtio.

| PAN-OS Version | DPDK Version | Comment |
|---|---|---|
| 11.2 | 22.11.1 | |
| 11.1 | 22.11.1 | |
| 11.0 | 20.11.1 | |
| 10.2 | 20.11.1 | |
| 10.1 | 19.11.3 | |
| 9.1 | 18.11 | |


Partner Interoperability for VM-Series Firewalls


Palo Alto Networks offers two tiers of support for third-party partner platforms for the VM-Series
next-generation firewall: Palo Alto Networks Certified and Partner-Qualified. The VM-Series
firewall provides the same security features and functionality regardless of support tier but the
types of issues that we can help you resolve are different for each.
• Partner Qualified—Palo Alto Networks customer support helps you with any issue related
directly to VM-Series firewalls. A VM-Series firewall issue is defined as an issue that occurs
after a packet enters the firewall. This level of support does not include issues related to a
partner platform.
VM-Series issues include:
• An issue with your PAN-OS configuration
• An issue with VM-Series upgrades
• An issue with VM-Series licensing
• An issue with VM-Series documentation
• Palo Alto Networks Certified—Palo Alto Networks customer support helps you with all VM-
Series firewall issues as well as any issues related to an approved partner platform. A platform
issue is defined as an issue that involves a packet that is outside of the VM-Series firewall, such
as before it arrives at or after it leaves the firewall or hypervisor. Palo Alto Networks Certified
support also includes support for your hardware configuration.
Partner platform issues include:
• A network interface that is not recognized by the VM-Series firewall
• The VM-Series firewall is not booting
• A platform configuration issue
• An issue with bootstrapping the VM-Series firewall
• An issue that prevents the connection to other networking devices
• Issues related to high availability (HA) functionality
• I/O Acceleration (DPDK, SR-IOV, and PCI passthrough)
For a complete list of the partner platforms supported in each tier, review the integration
information:
• Palo Alto Networks Certified Integrations
• Partner-Qualified Integrations

Palo Alto Networks Certified Integrations


Review these lists to see the Palo Alto Networks certified partner products with which VM-Series
firewalls can interoperate. The tables include details about hardware platforms and software
versions on which you can deploy a VM-Series firewall.


The partner software version and the PAN-OS® version columns display the range of
versions and the minimum version in parentheses. For example, if the PAN-OS Version
column displays PAN-OS 10.1.x (10.1.4), then integration support begins in the PAN-OS
10.1 release line, but not until PAN-OS 10.1.4, and continues in later PAN-OS versions.

• Ciena
• Cisco Cloud Services Platform
• Cisco Enterprise Computer System (ENCS)
• Citrix SD-WAN
• Juniper NFX Network Services Platform
• NSX SD-WAN by VeloCloud
• Nuage Networks
• Versa Networks
• Vyatta

Ciena
The following table shows the Ciena products with which VM-Series firewalls interoperate.

| Hardware | Hypervisor | SAOS Supported Software Version (Minimum) | SAOS Tested Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| 3906mvi and 3926mvi | KVM | 18.x.x (18.06.00) | 18.06.x (18.06.00) | 9.1.x (9.1.0) | Layer 3 mode on the VM-50, VM-100, and VM-300; VirtIO and DPDK mode. | Ciena documentation |

Cisco Cloud Services Platform


The following table shows the Cisco Cloud Services Platform (CSP) products with which VM-
Series firewalls interoperate.


| Hardware | Hypervisor | CSP Supported Software Version (Minimum) | CSP Tested Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| CSP 5228 | Megaport (KVM) | 2.6.x (2.6.1) | 2.6.x (2.6.1) | 10.2.x (10.2.0) | Layer 3; VM-Series Firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode | Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2); Megaport Documentation |
| CSP 5200 Series | KVM | 2.6.x (2.6.1) | 2.6.x (2.6.1) | 10.2.x (10.2.0) | Layer 2, Layer3, Virtual wire deployments on all VM-Series models except VM-50; VM-Series Firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode | Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2) |
| CSP 5400 Series | | 4.6.x (4.6) | 4.6.x (4.6.1-FC1) | 10.1.x (10.1.0) | | Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.1) |
| CSP 5400 Series; CSP 2100 Series | | 2.x.x (2.4.0) | 2.4.x (2.4.0) | 9.1.x (9.1.0) | | Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 9.1) |

Cisco Enterprise Computer System (ENCS)


The following table shows the Cisco Enterprise Computer System (ENCS) products with which
VM-Series firewalls interoperate.


Hardware NFVIS
Hypervisor Tested PAN-OS Deployment Documentation
Supported Version Modes
NFVIS
Software Supported
Software (Minimum)
Version
Version
(Minimum)
(Minimum)

Cisco KVM 4.12.x 4.12.x 11.1.x • Layer 2, VM-Series on


5400 (4.12) (4.12) (11.1.0) Layer3, Cisco ENCS
Series Virtual wire
4.12.x 4.12.x 10.2.x deployments
(4.12) (4.12) (10.2.0) • Firewalls in
HA
4.6.x (4.6) 4.6.x 10.1.x
(4.6.1- (10.1.0) • Virtio with
FC1) DPDK mode
enabled by
3.x.x (3.8) 3.10.x 9.1.x default
(3.10.1) (9.1.0)
4.6.x
(4.6.1- 3.12.x
FC1) (3.12.1)
4.6.x
(4.6.1-
FC1)

For PAN-OS 11.1.x, you must use the NFVIS CLI to upload the PAN-OS image. The PAN-
OS file size exceeds the file size limit of the ENCS UI.

Citrix SD-WAN
The following table shows the Citrix SD-WAN products with which VM-Series firewalls
interoperate.

| Hardware | Hypervisor | Supported Software Version (Minimum) | Tested Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
| --- | --- | --- | --- | --- | --- | --- |
| Citrix SD-WAN 1100 Appliance | KVM | 11.x.x (11.0.1) | 11.0.x (11.0.1) | 9.1.x (9.1.0) | Virtual wire deployments. VirtIO with packet MMAP mode support only; so you must disable DPDK with op-cmd-dpdk-pkt-io=off in the init-cfg.txt file used for bootstrapping or use the CLI command set system setting dpdk-pkt-io off | • Citrix SD-WAN Deployment Guide • Citrix SD-WAN Solution Brief |
| | | | | 9.1.x (9.1.0) | Virtual wire. DPDK Mode | |

Juniper NFX Network Services Platform


The following table shows the Juniper NFX Network Services Platform products with which VM-
Series firewalls interoperate.

| Hardware | Hypervisor | Junos Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
| --- | --- | --- | --- | --- | --- |
| NFX 250 | KVM | 15.1X53-D470.x (15.1X53-D470.5) | 9.1.x (9.1.0) | Layer 2, Layer 3, Virtual Wire. DPDK mode | Juniper NFX documentation |

NSX SD-WAN by VeloCloud


The following table shows the NSX SD-WAN by VeloCloud products with which VM-Series
firewalls interoperate.


| Hardware | Hypervisor | VCE Supported Software Version (Minimum) | Tested VCE Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
| --- | --- | --- | --- | --- | --- | --- |
| Edge 520v, Edge 840 | KVM | 3.x.x (3.2.0) | 3.3.x (3.3.1) | 9.1.x (9.1.0) | Virtual wire deployments. DPDK | NSX SD-WAN by VeloCloud documentation |

Nuage Networks
The following table shows the Nuage Networks products with which VM-Series firewalls
interoperate.

| Hardware | Hypervisor | VSP Supported Software Version (Minimum) | Tested VSP Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
| --- | --- | --- | --- | --- | --- | --- |
| Nuage NSG-X series | — | 5.x.x (5.3.3U3) | 5.3.x (5.3.3U3) | TBD | Virtual wire deployments on VM-50 and VM-100 models. VirtIO with packet MMAP mode support only. DPDK must be disabled: If you bootstrap, include op-cmd-dpdk-pkt-io=off in the init-cfg.txt file, or, on the VM Series firewall, use the CLI command set system setting dpdk-pkt-io off | Nuage Networks documentation |


Versa Networks
The following table shows the Versa Networks products with which VM-Series firewalls
interoperate.

| Hardware | Hypervisor | Supported Versa FlexVNF Software Version (Minimum) | Tested Versa FlexVNF Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
| --- | --- | --- | --- | --- | --- | --- |
| Versa 930 (Dell VEP4600) | KVM | 21.x.x (21.1.2) | 21.1.x (21.1.2) | 9.1.x (9.1.0) | Virtual wire, L3 deployments with DPDK | Versa Documentation |

Vyatta
The following table shows the Vyatta products with which VM-Series firewalls interoperate.

| Platform | Hypervisor | Vyatta Software Version (Minimum) | PAN-OS Version | Deployment Modes Supported | Documentation |
| --- | --- | --- | --- | --- | --- |
| AT&T vRouter 5600 | KVM | 19.x (1903f) | 9.1.x (9.1.0) | Virtual wire, L2, L3 deployments with DPDK. VM-50, VM-100, and VM-300 | — |

Partner-Qualified Integrations
Review these lists of partner-qualified products with which VM-Series firewalls interoperate. The
tables include details about hardware platforms and software versions on which you can deploy
VM-Series firewalls.

The partner software version and PAN-OS® version columns display the range of versions
and the minimum version in parentheses. For example, if the PAN-OS Version column
displays PAN-OS 10.1.x (10.1.4), then integration support begins in the PAN-OS 10.1
release, but only with PAN-OS 10.1.4 and later PAN-OS versions.

• ADVA
• Aryaka
• Corsa

• iS5Com
• Megaport
• SEL
• Siemens
• Stratus
• ZPE
• Zededa

ADVA
The following table shows the ADVA products with which VM-Series firewalls interoperate.

| Hardware | Supported ADVA Ensemble Connector Version | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| FSP 150-XG304u | 19.1.1.33 | 10.1.x (10.1.0) | DPDK mode with SR-IOV | ADVA Documentation |

Aryaka
The following table shows the Aryaka products with which VM-Series firewalls interoperate.

| Hardware | Supported Aryaka Software Versions | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| 2600, 3000, 10000 | • 5.0.0 • 5.2.0 | • 10.2.x (10.2.0) • 11.0.x (11.0.0) • 11.1.x (11.1.0) | • DPDK and Virtio • Virtio and Packet MMAP mode | Aryaka Documentation |

Corsa
The following table shows the Corsa products with which VM-Series firewalls interoperate.

| Hardware | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| Corsa Security Platform | 2.x.x | 10.1.x (10.1.4) | SR-IOV with Packet MMAP | Corsa Documentation |
| | 1.x.x | 9.1.x (9.1.0) | SR-IOV with Packet MMAP | |

iS5Com
The following table shows the iS5Com products with which VM-Series firewalls interoperate.

| Hardware | Supported Software Version | PAN-OS Version | Mode | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- | --- |
| iS5Com iROC. Can be equipped in RAPTOR or MicroRAPTOR Series Platforms | ESX 7.0 Update 3 | 11.0.x (11.0.2) | L2, L3 | PCI Passthrough (disabled by default) | iS5Com Documentation |

Megaport
The following table shows the Megaport products with which VM-Series firewalls interoperate.

| Hardware | Hypervisor | Mode | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- | --- |
| Megaport Virtual Edge • 2vCPU/8GB • 4vCPU/16GB • 8vCPU/32GB • 12vCPU/48GB | KVM | MVE provides Virtual Cross Connect (VXC) private network paths provisioned as a layer-2 802.1q VLANs. | 10.2.x (10.2.0) | SR-IOV | Megaport Documentation |

SEL
The following table shows the SEL products with which VM-Series firewalls interoperate.


| Hardware | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| SEL-3350 | AlmaLinux 8.6, RHEL 8.5 | 10.2.x (10.2.0) | None | SEL Documentation |
| SEL-3355 | AlmaLinux 8.6, RHEL 8.5 | 10.2.x (10.2.0) | SR-IOV supported on SEL-3355 onboard ports | |

Siemens
The following table shows the Siemens products with which VM-Series firewalls interoperate.

| Hardware | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| RUGGEDCOM APE 1808 | Ubuntu 20.04 KVM | 10.1.x (10.1.0), 9.1.x (9.1.4) | L3 mode. Virtio with DPDK | Siemens Support; Siemens Technology Partners; RUGGEDCOM ROX II v.2.14 CLI Configuration Manual; RUGGEDCOM ROX II v.2.14 WebUI Configuration Manual; RUGGEDCOM APE1808 Configuration Manual |

Stratus
The following table shows the Stratus products with which VM-Series firewalls interoperate.

| Hardware | Hypervisor | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- | --- |
| ztC Edge 250i(ft) | KVM | Stratus Redundant Linux 2.3.3 and 3.0 | 11.0.x, 10.2.x | — | Stratus ztC Edge 250i(ft) Documentation |

Contact Stratus support to use version 2.3.3 with PAN-OS.

ZPE
The following table shows the ZPE products with which VM-Series firewalls interoperate.

| Hardware | Supported Nodegrid Software Version | PAN-OS Version | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| Gate SR, NSR | 4.1.x | 9.1.x (9.1.0) | Virtio with DPDK | ZPE Documentation |

Zededa
The following table shows the Zededa products with which VM-Series firewalls interoperate.

Bootstrapping is not supported for the VM-Series firewall deployed on Zededa.

| EVE Version | PAN-OS Version | Mode | I/O Acceleration | Documentation |
| --- | --- | --- | --- | --- |
| 8.5.4 | 11.0.x 11.0.0 | L3 Mode only. IPv4 only | VirtIO | Zededa Documentation |


VM-Series Plugin
The VM-Series plugin is built in to the VM-Series firewalls. You can configure this plugin directly
on the VM-Series firewall or install it on a Panorama™ M-Series or virtual appliance.
To manage the VM-Series plugin configuration on your managed firewalls from Panorama, you
must manually install the VM-Series plugin on Panorama. Refer to Panorama Plugins. You can also
compare VM-Series Plugin and Panorama Plugins.
The following table briefly describes the features introduced in each version of the VM-Series
plugin. For additional information about each version, refer to the VM-Series plugin release notes.

VM-Series Plugin 5.1.x


VM-Series plugin 5.0 versions are compatible with PAN-OS 11.1 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 5.1.4 | 11.1.5 | Includes new fixes to improve your experience with the VM-Series firewall. |
| 5.1.3 | — | Includes new fixes to improve your experience with the VM-Series firewall. |
| 5.1.1 | 11.2.0 | Includes new fixes to improve your experience with the VM-Series firewall. |
| 5.1.0 | 11.2.0 | Introduces reduced maximum session count on the VM-Series firewall. This is the minimum required plugin version for the VM-Series on PAN-OS 11.2.0. |

VM-Series Plugin 5.0.x


VM-Series plugin 5.0 versions are compatible with PAN-OS 11.1 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.


| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 5.0.2 | — | Introduces changes in the maximum session count on the VM-Series firewall and fixes to internally identified issues. |
| 5.0.1 | — | Introduces reduced maximum session count on the VM-Series firewall. |
| 5.0.0 | 11.1.0 | Includes fixes to known issues. |

VM-Series Plugin 4.0.x


VM-Series plugin 4.0 versions are compatible with PAN-OS 11.0 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 4.0.8 | 11.0.5 | Includes fixes to known issues. |
| 4.0.7 | — | Includes fixes to known issues. |
| 4.0.5 | — | Introduces improvements to Google Cloud Platform IPS, powered by Palo Alto Networks. |
| 4.0.4 | — | Introduces reduced maximum session count on the VM-Series firewall and improvements to Google Cloud Platform IPS, powered by Palo Alto Networks. |
| 4.0.3-h1 | — | Includes a fix to one issue. |
| 4.0.3 | — | Includes fixes to known issues. |
| 4.0.2 | 11.0.2 | Includes fixes to known issues. |
| 4.0.1 | 11.0.1 | Includes fixes to known issues. |
| 4.0.0 | 11.0.0 | Introduces support for Advanced Routing on the VM-Series firewall. |

VM-Series Plugin 3.0.x


VM-Series plugin 3.0 versions are compatible with PAN-OS 10.2 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.


| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 3.0.10 | 10.2.13 | Addresses known issues. |
| 3.0.9 | 10.2.11 | Addresses known issues. |
| 3.0.8 | 10.2.10 | Addresses known issues. |
| 3.0.6 | 10.2.8 | Addresses known issues. |
| 3.0.5-h1 | — | Introduces reduced maximum session count on the VM-Series firewall. |
| 3.0.5 | 10.2.5 | Addresses known issues. |
| 3.0.4 | 10.2.4 | Addresses known issues. |
| 3.0.3 | 10.2.3 | Addresses known issues and introduces two new features—Configuring OCI CloudWatch monitoring and Publishing custom metrics in the OCI console. |
| 3.0.2 | 10.2.2 | Addresses known issues. |
| 3.0.1 | 10.2.1 | Introduces one new feature—PAYG License Support for VM-Series on AWS, OCI, GCP and Azure. |
| 3.0.0 | 10.2.0 | Addresses known issues. |

VM-Series Plugin 2.1.x


VM-Series plugin 2.1 versions are compatible with PAN-OS 10.1 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 2.1.17 | 10.1.14 | Introduces fixes for issues. |
| 2.1.16 | — | Introduces fixes for issues. |
| 2.1.15 | — | Introduces fixes for issues. |
| 2.1.14 | 10.1.11 | Introduces fixes for issues. |
| 2.1.13 | 10.1.10 | Introduces fixes for issues. |
| 2.1.12 | — | Introduces fixes for issues. |
| 2.1.11 | — | Introduces two new features—Full Bootstrap Support for the VM-Series on OCI and HA Support for the VM-Series on OCI in FIPS mode. |
| 2.1.10 | 10.1.9-h1 | Introduces fixes for issues. |
| 2.1.9 | 10.1.9 | Introduces fixes for issues. |
| 2.1.8 | — | Addresses known issues and introduces two new features—Configuring OCI CloudWatch monitoring and Publishing custom metrics in the OCI console. |
| 2.1.7 | 10.1.7 | Introduces fixes for issues. |
| 2.1.6 | 10.1.6 | Introduces fixes for issues. |
| 2.1.5 | 10.1.5 | Introduces fixes for issues. |
| 2.1.4 | 10.1.4 | Introduces one new feature—Limit the number of vCPUs licensed and used by a VM-Series firewall. |
| 2.1.3 | 10.1.3 | Addresses a known issue. |
| 2.1.2 | 10.1.2 | Introduces two new features—Bootstrapping support for NUMA Performance Optimization and Azure Stack API Endpoint Access. |
| 2.1.1 | 10.1.1 | Introduces two new features—NUMA Performance Optimization and Six-Core Support for Intelligent Traffic Offload. |
| 2.1.0 | 10.1.0 | Default VM-Series plugin for PAN-OS 10.1.0. |

VM-Series Plugin 2.0.x


VM-Series plugin 2.0 versions are compatible only with PAN-OS 9.1. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.


| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 2.0.7 | 9.1.10, 10.0.6* | Introduces management interface swap support for the VM-Series on VMware ESXi and KVM and addresses known issues. |
| 2.0.6 | 9.1.9, 10.0.5* | Addresses a known issue. |
| 2.0.5 | — | Addresses known issues and adds 1500 MTU for Google Cloud Platform and SR-IOV access mode on ESXi with PAN-OS 9.1.5 and later or 10.0.1 and later. |
| 2.0.4 | 10.0.4* | Addresses known issues and adds licensing support for future PAN-OS releases. |
| 2.0.3 | 10.0.3* | • Introduces custom image creation for the VM-Series firewall on Microsoft Azure. • Introduces Pay-As-You-Go license support for the VM-Series on Oracle Cloud Infrastructure. • Introduces enhancements for the VM-Series firewall on Alibaba Cloud. • Addresses known issues. |
| 2.0.2 | 9.1.6, 9.1.7, 9.1.8, 10.0.2* | • Introduces shared storage on AWS, Azure and GCP. Supports subdirectories within cloud storage, enabling you to store multiple bootstrap files in one storage bucket. • Introduces support for secure bootstrap on AWS. • Change in default behavior: VM-Series plugin now uses HTTPS to communicate with the AWS CloudWatch endpoint. • Addresses known issues. |
| 2.0.1 | 10.0.1* | • Introduces AWS active-passive high availability using a secondary IP address. • Change in default behavior: In new VM-Series deployments on AWS, the default Packet IO mode is DPDK. • Introduces bootstrapping with user data on AWS, Azure, and GCP. • Introduces bootstrapping VLAN access mode on SR-IOV for VM-Series firewall on KVM only. Requires PAN-OS 9.1.5 and later, or 10.0.1 and later. • Addresses known issues. |
| 2.0.0 | 10.0.0* | Addresses known issues. |

*PAN-OS 10.0 reached end-of-life (EoL) status on July 16, 2022.

VM-Series Plugin 1.0.x


VM-Series plugin 1.0 versions are compatible with PAN-OS 9.0 and PAN-OS 9.1 releases. The
following table describes new features or changes introduced in each plugin version and the VM-
Series PAN-OS base image that includes each version of the plugin.

| VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes |
| --- | --- | --- |
| 1.0.13 | 9.0.14, 9.0.13, 9.0.12, 9.0.11 | Addresses known issues. |
| 1.0.12 | 9.1.4, 9.1.5 | • Additional PAN-OS custom metrics for AWS, Azure, and GCP public clouds (panSessionConnectionsPerSecond, panSessionThroughputKbps, and panSessionThroughputPps). • New system startup updates, system health periodic updates, and live health failure updates for AWS CloudWatch. • Addresses known issues. |
| 1.0.11 | 9.0.8, 9.0.9, 9.0.10, 9.1.2, 9.1.3 | Introduces Deeper Visibility with AWS CloudWatch Enhancement and addresses known issues. |
| 1.0.10 | — | Addresses known issues on AWS. |
| 1.0.9 | — | Introduces support for Oracle Cloud Infrastructure marketplace deployment and high availability for the VM-Series firewall, and addresses known issues. PAN-OS 9.1.1 is required to use these OCI features. |
| 1.0.8 | 9.1.0, 9.1.1 | Addresses known issues. Default VM-Series plugin version for PAN-OS 9.1. |
| 1.0.7 | — | Addresses known issues, including bug fixes and support for high availability (HA) on Azure Government for the VM-Series on Azure. Earliest version on which you can enable (HA) on Azure Government for the VM-Series on Azure. |
| 1.0.6 | — | Introduces support for the VM-Series firewall on NSX-T (North-South) and addresses known issues. |
| 1.0.5 | — | Introduces the PAN-OS accelerated feature releases (images with .xfr in the filename*) for only VM-Series firewalls to enable support for new features and bug fixes; also addresses known issues. PAN-OS 9.0.4 requires plugin 1.0.5 or later. *All PAN-OS 9.0-xfr releases are end-of-life (EoL) as of September 19, 2020. |
| 1.0.4 | — | Addresses known issues. |
| 1.0.3 | — | Addresses known issues. If you want to enable management interface swap on GCP or AWS platforms and you are running PAN-OS 9.0.2, you must install VM-Series plugin 1.0.3 or later. |
| 1.0.2 | — | Addresses known issues. |
| 1.0.0 | — | Enables publishing metrics for supported public clouds: AWS, Azure, and Google Cloud Platform. Default VM-Series plugin version for PAN-OS 9.0. |


AWS Regions
The AWS regions—public, GovCloud, and AWS Outposts—in which you can deploy the VM-Series
firewall from the AWS Marketplace.

| AWS Regions | Region ID |
| --- | --- |
| US East (N. Virginia) | us-east-1 |
| US East (Ohio) | us-east-2 |
| US West (N. California) | us-west-1 |
| US West (Oregon) | us-west-2 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Singapore) | ap-southeast-1 |
| Asia Pacific (Sydney) | ap-southeast-2 |
| Asia Pacific (Jakarta) | ap-southeast-3 |
| Asia Pacific (Melbourne) | ap-southeast-4 |
| Asia Pacific (Malaysia) | ap-southeast-5 |
| Asia Pacific (Tokyo) | ap-northeast-1 |
| Asia Pacific (Seoul) | ap-northeast-2 |
| Asia Pacific (Osaka) | ap-northeast-3. Available in BYOL as a Shared AMI. You can find the AMI for the VM-Series firewall on the EC2 console (Instances > Launch Instance > Community AMIs) using the AMI ID (ami-0d326a4c332ce4726) or by searching for Palo Alto Networks. |
| Asia Pacific (Mumbai) | ap-south-1 |
| Asia Pacific (Hyderabad) | ap-south-2 |
| Canada Central | ca-canada-1 |
| EU (Frankfurt) | eu-central-1 |
| EU (Zurich) | eu-central-2 |
| EU (Ireland) | eu-west-1 |
| EU (London) | eu-west-2 |
| EU (Paris) | eu-west-3 |
| EU (Stockholm) | eu-north-1 |
| EU (Milan) | eu-south-1 |
| EU (Spain) | eu-south-2 |
| Israel (Tel Aviv) | il-central-1 |
| South America (Sao Paulo) | sa-east-1 |
| Middle East (Bahrain) | me-south-1 |
| Middle East (UAE) | me-central-1 |
| Africa (Cape Town) | af-south-1 |
| AWS Gov Cloud (US) | us-gov-west, us-gov-east |
| AWS Outposts | On all regions listed above, where AWS Outposts is supported. |


Azure Regions
The VM-Series firewall is available on the Azure public and the Azure Government Marketplace.

Locations VM-Series Next- VM-Series Next- VM-Series Next-


Generation Firewall Generation Firewall Generation Firewall
Bundle 1* Bundle 2* (BYOL and ELA)**

All geographies (except


China)

Azure China — — Only BYOL for


PAN-OS 8.1

Azure Government (US)

Azure Israel

Azure DoD

Refer to Azure geography for the list of regions.


Google Cloud Regions


You can deploy the VM-Series firewall with any supported PAN-OS® release in all Google Cloud
Platform regions.


Alibaba Cloud Regions


You can deploy the VM-Series firewall with PAN-OS® 8.1.3 and later PAN-OS 8.1 releases (where
supported) or later supported PAN-OS releases in all Alibaba Cloud regions.


VM-Series Firewall Amazon Machine Images (AMI)


The two most recent versions—2.0 and 2.1—of the CFT for auto scaling the VM-Series firewall on
AWS and the VM-Series Auto Scale Template are supported on all supported PAN-OS releases.
Please use the AWS CLI to find the AMI IDs for automating your deployment of VM-Series
firewalls. (For convenience, we captured the list of PAN-OS Images for AWS GovCloud.)

PAN-OS Images for AWS GovCloud


Because AWS GovCloud had restricted access owing to specific U.S. regulatory requirements, the
AMI IDs for the VM-Series firewall on AWS GovCloud are listed below for your convenience.

AMI IDs for VM-Series Firewalls on AWS GovCloud

Bring Your Own License (BYOL)

us-gov-west-1 Cloned AMI ID us-gov-east-1 Cloned AMI ID

PAN-OS 10.1.3 ami-0b0fb1dc91f1a5b9a ami-0d1efc973806198d3

PAN-OS 10.1.1 ami-02f7ea8be900f9955 ami-0eeeec392d066b8ae

PAN-OS 9.1.9 ami-01686e0ff6dccff8c ami-067d99132a54489a7

PAN-OS 9.1.8 ami-013219291e2bfe323 ami-07df5511d166c456e

PAN-OS 9.1.3 ami-019045558d9d46abe

Pay-as-You-Go (PAYG) Bundle 1

us-gov-west-1 Cloned AMI ID us-gov-east-1 Cloned AMI ID

PAN-OS 10.1.3 ami-004b1a1777dcdfd9f ami-016368ea5efba04e1

PAN-OS 10.1.1 ami-084ed91c50f9b4d96 ami-057662646115fdce4

PAN-OS 10.1.0 ami-0a5f5b771f7f8e5d3 ami-07ac1c7c5ce547d69

PAN-OS 9.1.15 ami-0e91c03870e1cd93c ami-03437a1f70f52e166

PAN-OS 9.1.12-h3 ami-0b5bc9e573a08b041 ami-06749834defebd4e0

PAN-OS 9.1.10-c15 ami-0099471b6d15fbddb ami-07797e48453a0682f

PAN-OS 9.1.10 ami-0709b58e478cab702 ami-0a098d4a886576dad


PAN-OS 9.1.3 ami-011be089674af6421

Pay-as-You-Go (PAYG) Bundle 2

us-gov-west-1 Cloned AMI ID us-gov-east-1 Cloned AMI ID

PAN-OS 10.1.3 ami-0fb205aaef8ce2043 ami-0cb03b7f09207667b

PAN-OS 10.1.1 ami-0828cee4fb427a163 ami-0997795d86a05ede0

PAN-OS 10.1.0 ami-099a18de4da9ae98f ami-0debf73b0bb9c2dbe

PAN-OS 9.1.15 ami-0a3050b051091a0eb ami-0d67ea2069394aaba

PAN-OS 9.1.12-h3 ami-004abe9b7a57eed38 ami-068bf7a0c5746f727

PAN-OS 9.1.10-c15 ami-0a192fdfa754d6c40 ami-01df4c86af829b978

PAN-OS 9.1.10 ami-0fc65b7bb5280ec09 ami-050f8775e829afef7

PAN-OS 9.1.3 ami-06695afbfbca39f61

CN-Series Firewalls
The CN-Series firewall is supported only in certain environments and is compatible with or
requires a specific set of files to do so.
• CN-Series Supported Environments
• CN-Series Firewall Image and File Compatibility


CN-Series Supported Environments


You can deploy the CN-Series firewall in the following environments.

| Product | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 | PAN-OS 11.2 |
| --- | --- | --- | --- | --- | --- |
| Container runtime | Docker, CRI-O, Containers | Docker, CRI-O, Containers | Docker, CRI-O, Containers | Docker, CRI-O, Containers | Docker, CRI-O, Containers |
| Kubernetes version | 1.17 through 1.27 | 1.17 through 1.31 | 1.17 through 1.31 | 1.17 through 1.31 | 1.17 through 1.31 |

Cloud • AWS • AWS • AWS • AWS • AWS


provider EKS (1.17 EKS (1.17 EKS (1.17 EKS (1.17 EKS (1.17
managed through through through through through
Kubernetes 1.27 1.31 1.31 1.31 1.31
for CN- for CN- for CN- for CN- for CN-
Series as a Series as a Series as a Series as a Series as a
daemonset daemonset daemonset daemonset daemonset
and CN- and CN- and CN- and CN- and CN-
Series as Series as Series as Series as Series as
a Service a Service a Service a Service a Service
mode of mode of mode of mode of mode of
deployment. ) deployment. ) deployment. ) deployment. ) deployment. )
• EKS on • AWS • AWS • AWS • AWS
AWS EKS (1.17 EKS (1.17 EKS (1.17 EKS (1.17
Outpost through through through through
(1.17 1.31 for 1.31 for 1.31 for 1.31 for
CN-Series CN-Series CN-Series CN-Series

through as a CNF as a CNF as a CNF as a CNF
1.22) mode of mode of mode of mode of
deployment.) deployment.) deployment.) deployment.)
CN- • EKS on • EKS on • EKS on • EKS on
Series AWS AWS AWS AWS
for Outpost Outpost Outpost Outpost
EKS (1.17 (1.17 (1.17 (1.17
on through through through through
AWS 1.31) 1.31) 1.31) 1.31)
Outpost
does CN- CN- CN- CN-
not Series Series Series Series
support for for for for
SR- EKS EKS EKS EKS
IOV on on on on
or AWS AWS AWS AWS
Multus. Outpost Outpost Outpost Outpost
• Azure does does does does
AKS (1.17 not not not not
through support support support support
1.27) SR- SR- SR- SR-
IOV IOV IOV IOV
In or or or or
Azure Multus. Multus. Multus. Multus.
AKS, • Azure • Azure • Azure • Azure
the AKS (1.17 AKS (1.17 AKS (1.17 AKS (1.17
PAN- through through through through
OS 1.31) 1.31) 1.31) 1.31)
10.1.10h1
is In In In In
the Azure Azure Azure Azure
minimum AKS, AKS, AKS, AKS,
required the the the the
version PAN- PAN- PAN- PAN-
to OS OS OS OS
support 10.2.4h3 11.0.2 11.0.2 11.0.2
Kubernetes is is is is
1.25 the the the the
and minimum minimum minimum minimum
above. required required required required
• AliCloud version version version version
ACK (1.26) to to to to
• GCP GKE support support support support
(1.17 Kubernetes Kubernetes Kubernetes Kubernetes
through 1.25 1.25 1.25 1.25
1.27) and and and and
above. above. above. above.

• GCP GKE • GCP GKE • GCP GKE • GCP GKE
(1.17 (1.17 (1.17 (1.17
through through through through
1.31) 1.31) 1.31) 1.31)
• OCI OKE • OCI OKE • OCI OKE
In (1.23) (1.23) (1.23)
GCP
GKE,
the
PAN-
OS
10.2.4h3
is
the
minimum
required
version
to
support
Kubernetes
1.25
and
above.
• Google
Anthos
1.12.3
• OCI OKE
(1.23)

| Product | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 | PAN-OS 11.2 |
| --- | --- | --- | --- | --- | --- |
| Customer managed Kubernetes | On the public cloud or on-premises data center. Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table. VMware TKG+ version 1.1.2 • Infrastructure Platform—vSphere 7.0 • Kubernetes Host VM OS—Photon OS | On the public cloud or on-premises data center. Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table. VMware TKG+ version 1.1.2 • Infrastructure Platform—vSphere 7.0 • Kubernetes Host VM OS—Photon OS | On the public cloud or on-premises data center. Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table. VMware TKG+ version 1.1.2 • Infrastructure Platform—vSphere 7.0 • Kubernetes Host VM OS—Photon OS | On the public cloud or on-premises data center. Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table. VMware TKG+ version 1.1.2 • Infrastructure Platform—vSphere 7.0 • Kubernetes Host VM OS—Photon OS | On the public cloud or on-premises data center. Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table. VMware TKG+ version 1.1.2 • Infrastructure Platform—vSphere 7.0 • Kubernetes Host VM OS—Photon OS |
| Kubernetes Host VM | Operating System: • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu-22.04 • RHEL/CentOS 7.3 and later • CoreOS 21XX, 22XX • Container-Optimized OS. Linux Kernel Netfilter: Iptables. Linux kernel version: • 4.18 or later (K8s Service Mode only) • 5.4 or later required to enable AF_XDP mode. See Editable Parameters in CN-Series Deployment YAML Files for more information. | Operating System: • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu-22.04 • RHEL/CentOS 7.3 and later • CoreOS 21XX, 22XX • Container-Optimized OS. Linux kernel version: • 4.18 or later (K8s Service Mode only) • 5.4 or later required to enable AF_XDP mode. See Editable Parameters in CN-Series Deployment YAML Files for more information. Linux kernel Netfilter: Iptables | Operating System: • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu-22.04 • RHEL/CentOS 7.3 and later • CoreOS 21XX, 22XX • Container-Optimized OS. Linux kernel version: • 4.18 or later (K8s Service Mode only) • 5.4 or later required to enable AF_XDP mode. See Editable Parameters in CN-Series Deployment YAML Files for more information. Linux kernel Netfilter: Iptables | Operating System: • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu-22.04 • RHEL/CentOS 7.3 and later • CoreOS 21XX, 22XX • Container-Optimized OS. Linux kernel version: • 4.18 or later (K8s Service Mode only) • 5.4 or later required to enable AF_XDP mode. See Editable Parameters in CN-Series Deployment YAML Files for more information. Linux kernel Netfilter: Iptables | Operating System: • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu-22.04 • RHEL/CentOS 7.3 and later • CoreOS 21XX, 22XX • Container-Optimized OS. Linux kernel version: • 4.18 or later (K8s Service Mode only) • 5.4 or later required to enable AF_XDP mode. See Editable Parameters in CN-Series Deployment YAML Files for more information. Linux kernel Netfilter: Iptables |
| CNI Plugins | CNI Spec 0.3 and later: • AWS-VPC • Azure • Calico • Flannel • Weave • For AliCloud, Terway • For Openshift, OpenshiftSDN • The following are supported on the CN-Series firewall as a DaemonSet. • Multus • Bridge • SR-IOV • Macvlan | CNI Spec 0.3 and later: • AWS-VPC • Azure • Calico • Flannel • Weave • For Openshift, OpenshiftSDN, OVN Kubernetes • The following are supported on the CN-Series firewall as a DaemonSet. • Multus • Bridge • SR-IOV • Macvlan | CNI Spec 0.3 and later: • AWS-VPC • Azure • Calico • Flannel • Weave • For Openshift, OpenshiftSDN, OVN Kubernetes • The following are supported on the CN-Series firewall as a DaemonSet. • Multus • Bridge • SR-IOV • Macvlan | CNI Spec 0.3 and later: • AWS-VPC • Azure • Calico • Flannel • Weave • For Openshift, OpenshiftSDN, OVN Kubernetes • The following are supported on the CN-Series firewall as a DaemonSet. • Multus • Bridge • SR-IOV • Macvlan | CNI Spec 0.3 and later: • AWS-VPC • Azure • Calico • Flannel • Weave • For Openshift, OpenshiftSDN, OVN Kubernetes • The following are supported on the CN-Series firewall as a DaemonSet. • Multus • Bridge • SR-IOV • Macvlan |

OpenShiftCN-Series as a • Version • Version 4.2, • Version 4.2, • Version 4.2,


DaemonSet: 4.2, 4.4, 4.4, 4.5, 4.4, 4.5, 4.4, 4.5,
4.5, 4.6, 4.6, 4.7, 4.6, 4.7, 4.6, 4.7,
4.2, 4.4, 4.5,
4.7, 4.8, 4.8, 4.9, 4.8, 4.9, 4.8, 4.9,
4.6, 4.7, 4.8,
4.9, 4.10, 4.10, 4.11, 4.10, 4.11, 4.10, 4.11,
4.9, 4.10, 4.11,
4.11, 4.12, 4.12, 4.13, 4.12, 4.13, 4.12, 4.13,
4.12, and 4.13
4.13,4.14, 4.14, and 4.14, and 4.14, and
and 4.15 4.15 4.15 4.15
CN-Series as a
K8s Service:
OpenShift OpenShift OpenShift OpenShift
(PAN-OS 4.7 4.7 4.7 4.7
10.1.2 and is is is is
later) qualified qualified qualified qualified
on on on on
4.7, 4.8, 4.9,
the the the the
4.10, 4.11,
CN- CN- CN- CN-
4.12, 4.13,
Series Series Series Series
4.14, and 4.15.
as as as as
a a a a
The
DaemonSet DaemonSet DaemonSet DaemonSet
PAN-
only. only. only. only.
OS
10.1.10h1 • OpenShift The The The
is on AWS PAN- PAN- PAN-
the OS OS OS
minimum The 11.0.2 11.0.2 11.0.2
required PAN- is is is
version OS the the the
to 10.2.4h3 minimum minimum minimum
support is required required required
4.12 the version version version
and minimum to to to
above. required support support support
version 4.12 4.12 4.12
to and and and
support above. above. above.
4.12
• OpenShift • OpenShift • OpenShift
and
on AWS on AWS on AWS
above.


CN-Series Firewall Image and File Compatibility


Deploying the CN-Series firewall requires a number of different files. To help ensure a
successful deployment, check the following information to make sure you download the correct
combination of files for CN-Series firewall deployment.

| PAN-OS Version | YAML Version | CNI Version | mgmt-init Version |
|---|---|---|---|
| PAN-OS 11.2.x, PAN-OS 11.1.x, PAN-OS 11.0.x, PAN-OS 10.2.x, PAN-OS 10.1.x | 3.0.x | 3.0.x | 3.0.x |

Panorama
This section includes information about Panorama™ and compatible versions for devices that
Panorama can manage, as well as about plugins that are available for Panorama.
• Plugins
• Compatible Plugin Versions for PAN-OS 10.2
• Panorama Management Compatibility
• Panorama Hypervisor Support
• Device Certificate for a Palo Alto Networks Cloud Service


Panorama Plugins
The following tables describe the features and functionality introduced with the Panorama™
extensible plugin architecture.
• Cisco ACI
• Cisco TrustSec
• Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
• Cloud Services
• Enterprise Data Loss Prevention (DLP)
• Panorama Interconnect
• IPS Signature Converter
• Kubernetes
• Clustering Plugin
• Network Discovery
• Nutanix
• OpenConfig
• Panorama Software Firewall License Plugin
• Public Cloud—AWS, Azure, and GCP
• SD-WAN
• VMware NSX
• VMware vCenter
• Zero Touch Provisioning (ZTP)
For more information on Panorama plugin versions, refer to the VM-Series and Panorama Plugins
Release Notes.

Cisco ACI
The following table shows the features introduced in each version of the Panorama™ plugin for
Cisco ACI. The plugin uses device groups on Panorama to push the configuration to the managed
firewalls.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.


| Plugin Version | Supported Cisco ACI Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
|---|---|---|---|---|
| 3.0.1 | 6.0.x, 5.2.x | 10.2 (10.2.7); 10.2 (10.2.0) | Latest | Introduces support for Endpoint Security Group (ESG) tags and fixes to known issues. |
| 3.0.0 | 6.0.x, 5.2.x, 5.1.x | 10.2 (10.2.4); 10.2 (10.2.0) | Latest | Introduces enhancements to increase reliability and robustness. |
| 2.0.3 | 6.0.x, 5.2.x, 5.1.x, 5.0.x, 4.2.x, 4.1.x, 4.0.x, 3.2 | 10.1 (10.1.9); 10.1; 9.1 | Latest. You can do a new deployment of Cisco ACI 2.0.3 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.3. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.3. | Introduces a fix for a known issue. |
| 2.0.2 | 5.1.x, 5.0.x, 4.2.x, 4.1.x, 4.0.x, 3.2 | 10.1; 9.1 | Latest. You can do a new deployment of Cisco ACI 2.0.2 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.2. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.2. | Introduces Cisco ACI 5.1 support and fixes for known issues. |
| 2.0.1 | 5.0.x, 4.2.x, 4.1.x, 4.0.x, 3.2 | 10.1; 9.1 | Latest | Introduces fixes for known issues. |
| 2.0.0 | 5.0.x, 4.2.x, 4.1.x, 4.0.x, 3.2 | 10.1; 9.1 | Latest | Introduces the Panorama Plugin for Cisco ACI Dashboard and two new monitored attributes—L2 external endpoint groups and subnets under bridge domains. |
| 1.0.1 | 5.0.x, 4.0.x, 3.2, 3.1, 2.3(1e) | 9.1 | 9.1 | Introduces support for multiple IP addresses per endpoint and Cisco ACI 4.0 and later. |
| 1.0.0 | 5.0.x, 3.2, 3.1, 2.3(1e) | 9.1 | 9.1 | Enables support for Endpoint Monitoring from Panorama. Configure the Panorama plugin for Cisco ACI to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your ACI deployment. |

Cisco TrustSec
The following table shows the features introduced in each version of the Panorama™ plugin for Cisco
TrustSec.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.


| Plugin Version | Minimum Panorama PAN-OS Version | Qualified Cisco ISE Versions | Features |
|---|---|---|---|
| 2.0.1 | 10.2 | ISE 3.3, ISE 3.2, ISE 3.1, ISE 2.7 | Introduces fixes for known issues. |
| 2.0.0 | 10.2 | ISE 3.2, ISE 3.1, ISE 2.7 | Introduces support for Panorama 10.2.x. Introduces support for security group tags (SGT). Use these tags as match criteria for placing IP addresses in dynamic address groups. |
| 1.0.3 | 9.1 | ISE 3.1, ISE 2.7 | Introduces a fix for one issue. |
| 1.0.2 | 9.1 | ISE 2.4, ISE 2.6 | Introduces the PubSub monitoring mode, which parses notifications directly from the server. The plugin enables PubSub mode when v1.0.2 is running on Panorama 10.0.0 and later. If v1.0.2 is running on a Panorama version earlier than 10.0.0, the monitoring mode is Bulk Sync. |
| 1.0.1 | | | Lowers the minimum monitoring interval from 30 seconds to 10 seconds. Combined Logs for the Panorama Plugin for Cisco TrustSec. |
| 1.0.0 | | | Enables support for endpoint monitoring from Panorama. Configure the Panorama plugin for Cisco TrustSec to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your TrustSec environment. |

Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
The following table shows the features introduced in each version of the plugin for AIOps.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | New Features or Changes |
|---|---|---|---|
| 2.0.1 | 10.2 (10.2.3) | Latest | Introduces enhancements for Cloud NGFW for AWS integration with Panorama. |
| 2.0.0 | 10.2 (10.2.3) | Latest | Enables you to use the Panorama AWS plugin 5.0.0 to author and push device group based policies to Cloud NGFW for AWS resources. |
| 1.1.0 | 10.2 (10.2.3) | Latest | Enables the policy analyzer feature that helps you to check if a new security rule meets your intended purpose and that it does not duplicate, shadow, or conflict with your existing rules (pre-commit). You can also check for duplication and other anomalies across your current Security policy rulebase (post-commit). |
| 1.0.0 | 10.2 (10.2.1) | Latest | Enables you to proactively enforce best practice checks by validating your commits and letting you know if a policy needs work before pushing it to your Panorama. |

Cloud Services
You use the Cloud Services plugin to activate Panorama Managed Prisma Access and to retrieve
logs from Panorama-managed firewalls using Strata Logging Service. Review the following table to
see the minimum Panorama and plugin versions for your deployment type.

| Deployment Type | Panorama and Plugin requirements |
|---|---|
| Panorama Managed Prisma Access | Dependent on plugin version. Review the Minimum Required Panorama Software Versions required for the plugin you are running. To find the plugin version you are running, select Panorama > Cloud Services > Configuration > Service Setup and find the plugin version in the Plugin Alert area. |
| Strata Logging Service log retrieval from Panorama-managed firewalls only | Strata Logging Service Software Compatibility has the minimum Panorama and plugin requirements. |

Enterprise Data Loss Prevention (DLP)


The following table shows the features introduced in each version of the Panorama™ plugin for
Enterprise Data Loss Prevention (DLP).

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | PAN-OS Version (Minimum) | Maximum PAN-OS Version | Cloud Services Plugin (Minimum) | Features |
|---|---|---|---|---|
| 6.0.0 | 12.1.0 | Latest | Cloud Services 6.0 | Granular data profiles enhance Enterprise DLP detection capabilities by allowing you to apply differentiated inline content inspection requirements and response actions with the same Security policy rule. |
| 5.0.5 | 11.2.5 | Latest 11.2 | Cloud Services 5.0 Preferred | Minor bug and performance fixes. |
| 5.0.4 | 11.1.0 | Latest 11.2 | Cloud Services 5.0 Preferred | Upgrade to Enterprise DLP plugin 5.0.4 to use AI Access Security for Prisma Access (Managed by Panorama). AI Access Security enables organizations to safely adopt GenAI applications by employees by mitigating the risks posed by inadvertent data leakage in prompts and malicious content in responses. Fine-grained data exfiltration and access control policies let you control the data exposed to GenAI apps while simultaneously allowing you to block access when necessary. A robust dashboard with detailed monitoring capabilities provides paralleled insights into how GenAI apps are used across your organization. |
| 5.0.3 | 11.1.0 | Latest 11.2 | Cloud Services 5.0 Preferred | Upgrade to Enterprise DLP plugin 5.0.3 to use AI Access Security for NGFW (Managed by Panorama). AI Access Security enables organizations to safely adopt GenAI applications by employees by mitigating the risks posed by inadvertent data leakage in prompts and malicious content in responses. Fine-grained data exfiltration and access control policies let you control the data exposed to GenAI apps while simultaneously allowing you to block access when necessary. A robust dashboard with detailed monitoring capabilities provides paralleled insights into how GenAI apps are used across your organization. |
| 5.0.2 | 11.1.0 | 11.2.2 | Cloud Services 5.0 Preferred | Minor bug and performance fixes. |
| 5.0.1 | 11.1.0 | Latest 11.1 Release | Cloud Services 5.0 Preferred | Minor bug and performance fixes. |
| 5.0.0 | 11.1.0 | Latest 11.1 Release | Cloud Services 5.0 Preferred | You must upgrade to Enterprise DLP 5.0 plugin to upgrade to PAN-OS 11.1. Additionally, you must download the Enterprise DLP 5.0 plugin before you attempt to install PAN-OS 11.1. |
| 4.0.4 | 11.0.3 | Latest 11.0 Release | Cloud Services 4.0 Preferred | Minor bug and performance fixes. |
| 4.0.3 | 11.0.3 | Latest 11.0 Release | Cloud Services 4.0 Preferred | Minor bug and performance fixes. |
| 4.0.2 | 11.0.3 | Latest 11.0 Release | Cloud Services 4.0 Preferred | The data pattern character limit for a data profile is removed. Data profiles no longer limit the number of data pattern match criteria based on the number of alphanumeric characters in the data pattern name, description, regular expressions, and proximity keywords. |
| 4.0.1 | 11.0.2 | 11.0.2 | Cloud Services 4.0 Preferred | Enterprise Data Loss Prevention (E-DLP) now supports creating a file type include or exclude list for data filtering profiles configured for file-based inspection. This allows you to select one of two modes: Inclusion Mode—Allow only specified file types to be scanned by Enterprise DLP. Exclusion Mode—Allow all supported files to be scanned by Enterprise DLP by default but excluding the file types you specify. Exclusion Mode includes True File Type Support and does not rely on file extensions to determine file types. |
| 4.0.0 | 11.0.0 | 11.0.1 | Cloud Services 4.0 Preferred | You must upgrade to Enterprise DLP 4.0 plugin to upgrade to PAN-OS 11.0. Additionally, you must download the Enterprise DLP 4.0 plugin before you attempt to install PAN-OS 11.0. |
| 3.0.9 | 10.2.8 | Latest 10.2 Release | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Minor bug and performance fixes. |
| 3.0.8 | 10.2.4-h3 | 10.2.7 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Minor bug and performance fixes. |
| 3.0.7 | 10.2.4-h3 | 10.2.7 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Minor bug and performance fixes. |
| 3.0.6 | 10.2.4-h3 | 10.2.7 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | The data pattern character limit for a data profile is removed. Data profiles no longer limit the number of data pattern match criteria based on the number of alphanumeric characters in the data pattern name, description, regular expressions, and proximity keywords. |
| 3.0.5 | 10.2.4-h3 | 10.2.7 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Minor bug and performance fixes. |
| 3.0.4 | 10.2.4 | 10.2.4-h3 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Enterprise DLP now supports new applications, expanded download support and large file inspection for many existing applications, and FedRAMP High compliance. |
| 3.0.3 | 10.2.3-h4 | 10.2.4 | Prisma Access 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Enterprise DLP now supports upload inspection of files up to 100MB in size for the Box Web App and Web Browsing applications. |
| 3.0.2 | 10.2.3 | Latest 10.2.3-h4 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Enterprise DLP now supports inspection of file and non-file based HTTP/2 traffic. |
| 3.0.1 | 10.2.1 | 10.2.3 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | The Panorama plugin for Enterprise DLP supports creating a data filtering profile to scan non-file based traffic for sensitive data. |
| 3.0.0 | 10.2.0 | 10.2.1 | Not Supported | Upgrade to the Enterprise DLP plugin to increase reliability. Enterprise DLP plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases. |
| 1.0.8 | 10.1.11 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes. |
| 1.0.7 | 10.1 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes. |
| 1.0.6 | 10.1 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes. |
| 1.0.5 | 10.1 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes. |
| 1.0.4 | 10.1 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes. |
| 1.0.3 | 10.1 | Latest 10.1 Release | Cloud Services 2.2 | The Panorama plugin for DLP supports the integration of Enterprise DLP with Prisma Access. |
| 1.0.2 | 10.1 | Latest 10.1 Release | Not Supported | No new features were added for this release. |
| 1.0.1 | 10.1 | Latest 10.1 Release | Not Supported | Enables support for Enterprise DLP from Panorama. Configure the Panorama plugin for Enterprise DLP to protect against unauthorized access, misuse, extraction, and sharing of sensitive information and effectively filter network traffic to block or generate an alert before sensitive information leaves the network. |

Panorama Interconnect
The following table shows the features introduced in each version of the Panorama™
Interconnect plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Minimum PAN-OS Version | Maximum PAN-OS Version | New Features or Changes |
|---|---|---|---|
| 2.0.0 | 10.2.4 (PAN-OS 10.2 release) | Latest 10.2 version (PAN-OS 10.2 release) | You must upgrade to Panorama Interconnect 2.0.0 plugin to upgrade to PAN-OS 10.2. |
| 1.1.0 | 10.0.0 | Latest 10.1 version | Enables you to selectively push device groups, template stacks, and some common Panorama configurations from the Panorama Controller to the Panorama Nodes to avoid pushing extraneous configurations to Panorama Nodes to minimize configuration bloat and operational delays across your Panorama Interconnect deployment. |
| 1.0.2 | 9.1 | Latest 10.1 version | Minor bug and performance fixes. |
| 1.0.1 | | | Minor bug and performance fixes. |
| 1.0.0 | | | First plugin introduced to support a two-tier Panorama deployment for a horizontal scale-out architecture. |

IPS Signature Converter


The following table shows the features introduced in each version of the Panorama™ IPS
Signature Converter plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Minimum PAN-OS Version | Features |
|---|---|---|
| 2.0.3 | 10.2 | Supports the Startswith and Endswith keywords. Supports DNS protocol and the dns_query keyword. |
| 2.0.2 | 10.2 | Supports SMTP and FTP protocols. |
| 2.0.1 | 10.2 | Supports HTTP sticky buffers. Now converts Snort rules that have commas separating content patterns and their associated suboption. |
| 2.0.0 | 10.2 | Uses Python 3 for compatibility with PAN-OS 10.2. |
| 1.0.7 | 10.1 | Supports the Startswith and Endswith keywords. Supports DNS protocol and the dns_query keyword. |
| 1.0.6 | 10.1 | Supports SMTP and FTP protocols. |
| 1.0.5 | 10.1 | Supports HTTP sticky buffers. Now converts Snort rules that have commas separating content patterns and their associated suboption. |
| 1.0.4 | 10.1 | No significant changes in functionality. |
| 1.0.3 | 10.1 | Converts rules into SSL custom signatures if their port is 443. Converts server-to-client HTTP rules without content modifiers into custom signatures with the http-rsp-status-line and http-rsp-headers contexts. Converts Suricata TLS rules into TLS custom signatures and supports additional TLS and file data sticky buffers. |
| 1.0.2 | 10.1 | Converts rules that use the smb protocol or port 445. Supports HTTP sticky buffer keywords in Suricata rules. Converts HTTP rules into HTTP custom signatures if either the port in the rule is HTTP_PORTS or the protocol is http. |
| 1.0.1 | 10.1 | Identifies whether newly converted signatures are already included as part of your Palo Alto Networks Threat Prevention subscription. |
| 1.0.0 | 10.1 | Enables support for third-party IPS signature conversion from Panorama. Use the Panorama IPS Signature Converter plugin to gain immediate protection against newly discovered threats by converting third-party IPS rules into Palo Alto Networks custom threat signatures and distributing them to your Panorama-managed firewalls. |

Kubernetes
The following table displays the features introduced in each version of the Panorama™
Kubernetes plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Minimum Panorama PAN-OS Version | Maximum Panorama PAN-OS Version | Features |
|---|---|---|---|
| 4.0.0 | 11.0 | Latest | Introduces new features like CN-Series Hyperscale Security Fabric (HSF), Tag Length Enhancement, Shared DAG Support, and Nested DAG Support. |
| 3.0.3 | 10.2 | Latest | Introduces fixes for known issues. |
| 3.0.2 | 10.2 | Latest | Introduces fixes for known issues. |
| 3.0.1 | | | Introduces support for shared dynamic address groups. |
| 3.0.0 | | | Introduces Retrieving IPv6 Addresses for Multus CNI Setup, Tag Pruning, Service Account Validation, and advanced Dashboard features. |
| 2.0.2 | 10.1 | 10.1 | K8s plugin 2.0.2 creates a new template on Panorama called K8S-Network-Setup-V1-125. This template creates 250 vwire interfaces and 125 vwires. |
| 2.0.1 | | | Introduces fixes for known issues. |
| 2.0.0 | | | Introduces Core-Based Licensing, Multiple Interface Support, and Custom Certificate Chaining. |
| 1.0.5 | | | Introduces fixes for known issues. |
| 1.0.4 | | | Introduces fixes for known issues. |
| 1.0.3 | | | Introduces fixes for known issues. |
| 1.0.2 | | | Introduces fixes for known issues. |
| 1.0.1 | | | Introduces the ability to disable the creation of service objects on Panorama, and support for offline licensing of CN-Series firewalls with Panorama. |
| 1.0.0 | | | Manages licenses for the CN-Series firewall and enables you to monitor clusters and leverage Kubernetes labels that you use to organize Kubernetes objects. The plugin communicates with the API server and retrieves metadata, which gives you visibility into applications running within a cluster. |


Clustering Plugin
The following table shows the features introduced in the Panorama Clustering plugin.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
|---|---|---|---|
| 2.0.0 | 11.1.5 | Latest | Provides a migration process that allows you to migrate from a non-PA-7500 Series firewall with an existing Panorama non-clustering template to a PA-7500 Series firewall with a Panorama clustering template. The release also provides support for MACsec on the HSCI ports that connect the firewalls in the NGFW cluster. MACsec provides data confidentiality and integrity between the two endpoints. |
| 2.0.0 | 11.1.3 | Latest | Provides visibility to the NGFW clusters (also known as PA-Series clusters) in PA-7500 Series firewalls. |
| 1.0.0 | 11.0 | Latest | Provides the visibility to the Hyper Scale Security Fabric (HSF) clusters in CN-Series. |

Network Discovery
The following table shows the features introduced in each version of the Panorama™ plugin for
Network Discovery.


| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
|---|---|---|---|
| 2.1.0 | 10.2.14; 11.2.4 | Latest 10.2 release; Latest 11.2 release | Introduces support for multiple entry switches and multiple SNMP credentials. Supports site creation and site overwrite for existing subnets learned through SNMP crawling. |
| 2.0.2 | 11.1 | Latest | Introduces new protocols for device polling. Introduces new settings options for configuring SNMP network discovery and network data refreshment jobs. Includes a fix for a known issue. |
| 2.0.1 | | | Introduces debug logs and fixes for a known issue. |
| 2.0.0 | | | Introduces device polling using various protocols. Use polling to learn new device attributes to send to IoT Security. |
| 1.0.1 | | | Introduces the capability to specify a network discovery protocol using the CLI. |
| 1.0.0 | | | Introduces SNMP querying for switches and network devices. Use SNMP querying to learn bindings and network data to send to IoT Security. |


Nutanix
The following table shows the features introduced in each version of the Panorama™ plugin for
Nutanix.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
|---|---|---|---|
| 2.0.2 | 10.2 | Latest | Introduces fixes for known issues. |
| 2.0.1 | 10.2 | Latest | Introduces fixes for known issues. |
| 2.0.0 | | | Introduces enhancements to increase reliability and robustness. |
| 1.0.0 | 9.0 (9.0.4) | Latest | Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for Nutanix to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your Nutanix environment. |

OpenConfig
The following table shows the features introduced in each version of the OpenConfig plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.


| Plugin Version | PAN-OS Version (Minimum) | New Features or Changes |
|---|---|---|
| 2.1.1 | 10.2.11 | Support for XML API and File-upload custom PAN-OS data models. |
| 2.1.0 | 10.2.11 | General improvements and bug fixes. |
| 2.0.2 | 10.2.11 | Plugin support for PAN-OS version 10.2.11 and later. |
| 2.0.1 | 11.0.4 | Plugin support for PAN-OS version 11.0.4 and later. |
| 2.0 | 11.1 | Enables Panorama support and telemetry streaming with PAN-OS custom data models for logging, PCAP, and config data. Starting with 2.0, the OpenConfig plugin also comes prepackaged with PAN-OS. |
| 1.3 (Firewall Only) | 10.1 | Enables support for all streaming modes with the OpenConfig-routing-policy model. |
| 1.2.0 (Firewall Only) | | Enables support for protobuf and unbundling. |
| 1.1.0 (Firewall Only) | | Enables support for these standard OpenConfig models: openconfig-ha, openconfig-zones, openconfig-network-instances, openconfig-routing-policy, openconfig-ospfv2. |
| 1.0.0 (Firewall Only) | | Enables support for the OpenConfig plugin on PAN-OS firewalls so that you can use standard OpenConfig models to automate configuration and stream telemetry. |

Panorama Software Firewall License Plugin


The following table shows the features introduced in each version of the Panorama™ Software
Firewall License plugin.


End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Minimum VM-Series Plugin Version | Features |
|---|---|---|---|---|
| 1.1.2 | 10.0 (10.0.4) | Latest | 2.0.4 | Introduces fixes for known issues. |
| 1.1.1 | 10.1 | Latest | 2.0.4 | Introduces fixes for known issues. |
| 1.1.0 | | | | Introduces fixes for known issues. |
| 1.0.0 | | | | The Panorama Software Firewall License plugin allows you to automatically license a VM-Series firewall when it connects to Panorama. |

Public Cloud—AWS, Azure, and GCP


The following table shows the features introduced in each version of the Panorama™ plugin for
Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The plugins use
device groups and templates on Panorama to push the configuration to the managed firewalls.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Public Cloud Platform | AWS Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version (Minimum) | Features |
|---|---|---|---|---|---|
| AWS | 5.3.1 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces fixes for known issues. |
| | 5.3.0 | 10.2 (10.2.3) | Latest | 3.0.0 | Adds support for Egress NAT and Zone-based Policy Rules on the Cloud NGFW for AWS. Introduces fixes for known issues. |
| | 5.2.2 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces fixes for known issues. |
| | 5.2.1 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces fixes for known issues. |
| | 5.1.3 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces fixes for known issues. |
| | 5.1.2 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces fixes for known issues. |
| | 5.1.1 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces enhancements for Cloud NGFW for AWS integration with Panorama. |
| | 5.0.1 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces enhancements for Cloud NGFW for AWS integration with Panorama. |
| | 5.0.0 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces support for Panorama integration with Cloud NGFW for AWS. |
| | 4.1.0 | 10.2 | Latest | 3.0.0 | Introduces support for nested dynamic address groups and tag pruning. |
| | 4.0.0 | 10.2 | Latest | 3.0.0 | Introduces enhancements to increase reliability and robustness. |
| | 3.0.3 | 10.1 | 10.1 | 2.0.6 | Introduces shared dynamic address groups support and bug fixes. |
| | 3.0.2 | 10.1 | 10.1 | 2.0.6 | Introduces proxy support and bug fixes. |
| | 3.0.1 | 10.1 | 10.1 | 2.0.6 | Introduces enhancements and bug fixes. |
| | 3.0.0 | 10.1 | 10.1 | 2.0.6 | Introduces Panorama Orchestration and new monitoring parameters. |
| | 2.0.2 | 10.1; 9.1 (9.1.2) | 10.1 | 2.0.2; 1.0.8 | Introduces fixes for known issues. |
| | 2.0.1 | | | 1.0.4 | Introduces a fix for a known issue. |
| | 2.0.0 | 9.1 (9.1.2) | 10.1 | 1.0.8 | Enables support for: VM Monitoring; Secure Kubernetes Services in an EKS Cluster. |

Public Cloud Platform | Azure Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version (Minimum) | Features
Azure | 5.2.2 | 10.2.4 | Latest | 4.0.0 | Adds support for Strata Logging Service. Introduces fixes for known issues.
 | 5.2.1 | 10.2.4 | Latest | 4.0.0 | Adds permission validation for private endpoint read access. Introduces new tags used for monitoring. Introduces fixes for known issues.
 | 5.2.0 | 10.2.4 | Latest | 4.0.0 | Introduces an automated workflow for maintaining the life cycle of the VM auth key.
 | 5.1.2 | 10.2.4 | Latest | 4.0.0 | Introduces loopback zone support and DNS proxy support on Cloud NGFW for Azure.
 | 5.1.1 | 10.2.4 | Latest | 4.0.0 | Introduces tag pruning feature to increase the scalability and the number of tags collected by the Azure plugin.
 | 5.0.0 | 10.2.4 | Latest | 4.0.0 | Introduces support for Panorama integration with Cloud NGFW for Azure.
 | 4.2.0 | 10.2 (10.2.3) | Latest | 3.0.1 | Introduces support for Azure Workspace-based Application Insights.
 | 4.1.0 | 10.2 | Latest | Latest | Increased the number of front-end applications per VM-Series for Azure deployment.
 | 4.0.0 | 10.2 | Latest | Latest | Introduces enhancements to increase reliability and robustness.
 | 3.2.2 | 10.1 | 10.1 | 2.1.0; 2.0.1 | Introduces fixes for a known issue.
 | 3.2.1 | 10.1 | 10.1 | 2.1.0; 2.0.1 | Introduces fixes for known issues.
 | 3.2.0 | 10.1 | 10.1 | 2.1.0; 2.0.1 | Introduces proxy support and fix for a known issue.
 | 3.1.0 | 10.1 | 10.1 | 2.1.0; 2.0.1 | Introduces fixes for a known issue.
 | 3.0.1 | 10.1 | 10.1 | 2.1.0; 2.0.1 | Introduces fixes for known issues.
 | 3.0.0 (Upgrade from 2.0.0 to 3.0.0 is not supported.) | 10.1 | 10.1 | 2.1.0; 2.0.1 | Introduces Panorama Orchestration.
 | 2.0.3 | 10.1 | 10.1 | 2.1.0; 2.0.0 | Introduces a fix for a known issue.
 |  | 9.1 (9.1.2) |  | 1.0.8 |
 |  | 9.1 |  | 1.0.4 |
 | 2.0.2 | 9.1 | 10.1 | 1.0.4 | Introduces fixes for known issues.
 | 2.0.1 | 9.1 | 10.1 | 1.0.4 | Introduces fixes for known issues.
 | 2.0.0 | 9.1 | 10.1 | 1.0.4 | Enables support for: • Auto Scaling—Template v1.0 • Azure Kubernetes Service (AKS) Cluster—Template v1.0

Public Cloud Platform | GCP Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version | Features
GCP | 3.1.1 | 10.2 | Latest | 3.0.0 | Introduces performance and status enhancements in monitoring definitions.
 | 3.1.0 | 10.2 | Latest | 3.0.0 | Introduces monitoring of shared VPC deployments.
 | 3.0.0 | 10.2 | Latest | 3.0.0 | Introduces enhancements to increase reliability and robustness.
 | 2.0.0 (Upgrade from 1.0.0 to 2.0.0 is not supported.) | 9.1 | Latest | 1.0.4 | Enables you to monitor and secure VMs or GKE clusters deployed in GCP. • Deploy auto scaling for VM instance groups or GKE clusters using auto scaling templates for both firewall and application deployments. • VM Monitoring for GCP assets.

SD-WAN
The following table shows the features introduced in each version of the Panorama™ plugin for
SD-WAN.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

Plugin Version | PAN-OS Version (Minimum) | Maximum PAN-OS Version | Features
3.3.2 | 11.2.4 | Latest | To use the following feature or enhancements, you require PAN-OS 11.2.4 and later 11.2 releases. • Prisma Access Hub Support for SD-WAN enabled Cellular Interfaces (4G/5G). • Improvements and bug fixes.
3.3.1 | 11.2.3 | Latest | To use the following feature or enhancements, you require PAN-OS 11.2.3 and later 11.2 releases. • Support for multiple virtual routers on the SD-WAN branches to have overlapping IP subnet addresses on both hub and branch devices. • Support for SD-WAN capability to the 5G cellular interface. • Bug fixes.
3.3.0 | 11.2 | Latest | To use the following feature or enhancements, you require PAN-OS 11.2.0 and later releases. • Supports monitoring the bandwidth of a tunnel and a physical interface for a selected site (by default) in addition to existing jitter, latency, and packet loss performance measures. • Supports multiple virtual routers on the SD-WAN hubs that enable you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. • Additional SD-WAN hubs supported for VPN cluster. • Additional private link types supported for SD-WAN interface profile. • Bug and performance fixes.
3.2.2 | 11.1.5 (11.1.5) | Latest | To use the following feature or enhancements, you require PAN-OS 11.1.5 and later releases. • Supports monitoring the bandwidth of a tunnel and a physical interface for a selected site (by default) in addition to existing jitter, latency, and packet loss performance measures. • Bug fixes.
3.2.1 | 11.1 (11.1.3) | Latest | To use the following feature or enhancements, you require PAN-OS 11.1.3 and later 11.1 releases. • Supports multiple virtual routers on the SD-WAN hubs that enable you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. • Additional SD-WAN hubs supported for VPN cluster. • Additional private link types supported for SD-WAN interface profile. • Bug fixes.
3.2.0 | 11.1 | Latest | • SD-WAN IKEv2 certificate-based authentication support. • Public cloud SD-WAN high availability support. • Enable SD-WAN on IPv6 interfaces and IPv6 tunnel support. • Bug and performance fixes.
3.1.3 | 11.0 (11.0.4) | Latest | To use the following feature or enhancements, you require PAN-OS 11.0.4 and later 11.0 releases. • Additional SD-WAN hubs supported for VPN cluster. • Additional private link types supported for SD-WAN interface profile. • Bug and performance fixes.
3.1.2 | 11.0 (11.0.2) | Latest | Bug and performance fixes.
3.1.1 | 11.0 (11.0.2) | Latest | SD-WAN IPv6 Basic Connectivity
3.0.1-h6 | 11.0 (11.0.1) | Latest | Bug and performance fixes.
3.1.0-h6 | 11.0 (11.0.1) | Latest | Enables Advanced Routing Engine support.
3.0.8 | 10.2.11 | Latest | Improvements and bug fixes
3.0.7-h6 | 10.2.7-h6 (10.2.7-h6) | Latest | Bug fixes.
3.0.7 | 10.2 (10.2.8) | Latest | To use the following feature or enhancements, you require PAN-OS 10.2.8 and later releases. • Supports multiple virtual routers on the SD-WAN hubs that enable you to have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. • Bug fixes.
3.0.6 | 10.2 (10.2.7) | Latest | Bug fixes.
3.0.6 | 10.2 (10.2.6) | Latest | Bug fixes.
3.0.5 | 10.2 (10.2.5) | Latest | Bug and performance fixes.
3.0.4 | 10.2 (10.2.4) | Latest | Bug and performance fixes.
3.0.3 | 10.2 (10.2.1) | Latest | Bug and performance fixes.
3.0.2 | 10.2 (10.2.1) | Latest | Bug and performance fixes.
3.0.1 | 10.2 (10.2.1) | Latest | Copy ToS Header Support.
3.0.0 | 10.2 | Latest | Upgrade to the SD-WAN plugin to increase reliability. SD-WAN plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
2.2.7 | 10.1.3-h1 | Latest | Improvements and bug fixes
2.2.6 | 10.1 (10.1.11) | Latest | Bug and performance fixes.
2.2.5 | 10.1 (10.1.11) | Latest | Bug and performance fixes.
2.2.4 | 10.1 (10.1.10) | Latest | Bug and performance fixes.
2.2.3 | 10.1 (10.1.9) | Latest | Bug and performance fixes.
2.2.2 | 10.1 (10.1.5-h1) | Latest | Bug and performance fixes.
2.2.1 | 10.1 (10.1.5-h1) | Latest | Copy ToS Header support.
2.2.0 | 10.1 (10.1.4) | Latest | Prisma Access Hub support.
2.1.1 | 10.1 | Latest | Minor bug and performance fixes.
2.1.0 | 10.1 | Latest | SD-WAN supports Aggregated Ethernet (AE) interfaces with or without subinterfaces for link redundancy. AE interfaces allow you to tag for different ISP services to achieve end-to-end traffic segmentation. SD-WAN also supports Layer 3 subinterfaces for end-to-end traffic segmentation.
2.0.3 | 10.1 | Latest | Minor bug and performance fixes.
2.0.2 | 10.1 | Latest | Includes support so you can control whether Auto VPN configuration enables or disables the Remove Private AS setting for all BGP peer groups on a branch or hub.
2.0.1 | 10.1 | Latest | Includes support for full mesh VPN cluster with DDNS service, auto-VPN configuration with branch behind NAT, and Direct Internet Access (DIA) AnyPath.
2.0.0 | 10.1 | Latest | Maintain high-quality application experience by leveraging Forward Error Correction (FEC) and packet duplication and by accurately measuring SaaS and Cloud applications when you have an SD-WAN firewall with Direct Internet Access (DIA) links.
1.0.6 | 9.1 (9.1.4) | Latest | Minor bug and performance fixes.
1.0.5 | 9.1 (9.1.4) | Latest | Minor bug and performance fixes.
1.0.4 | 9.1 (9.1.4) | Latest | In an SD-WAN VPN cluster that has more than one hub, you must assign a priority to each hub, which determines the primary hub and hub failover order. Panorama maps the priority to a BGP local preference and pushes the local preference to the branches in the cluster.
1.0.3 | 9.1 (9.1.3) | 9.1 | When the SD-WAN hub is behind a NAT device, the plugin supports an upstream NAT IP address or FQDN for Auto VPN configuration to use as a tunnel endpoint.
1.0.2 | 9.1 (9.1.2-h1) | 9.1.3 | Improves ease of use, such as an automatic Security policy rule to allow BGP between branches and hubs, ability to refresh the IKE preshared key for VPN cluster members, specifying VPN tunnel IP address ranges, and more.
1.0.1 | 9.1 (9.1.1) | 9.1.2 | Improves monitoring experience and search filtering, and adds an option to display HA peers consecutively.
1.0.0 | 9.1 | 9.1.2 | Enables support for SD-WAN from Panorama. Configure the Panorama plugin for SD-WAN to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Provide the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity.

VMware NSX
The following table shows the features introduced in each version of the VM-Series firewall
VMware NSX plugin. For additional information about each plugin, see the release notes on the
Customer Support Portal.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

Plugin Version Panorama Panorama Managed VM- New Features or


Version Version Series PAN- Changes
(Minimum) (Maximum) OS Version
(Minimum)

5.0.1 • NSX-V: 10.2 • NSX-V: 10.2 • NSX-V: 9.1 Introduces


(10.2.2) • NSX-T N/S: • NSX-T N/S: support for
• NSX-T N/S: 10.2 9.1 PAN-OS and
10.2 (10.2.2) Panorama
• NSX-T E/W: • NSX-T E/W: 10.2.x.
• NSX-T E/W: 10.2 9.1
5.0.0 10.2 (10.2.2) Introduces
support for
PAN-OS and
Panorama
10.2.x.

4.0.3 • NSX-V: 10.1 • NSX-V: 10.1 • NSX-V: 9.1 Introduces


• NSX-T N/S: • NSX-T N/S: • NSX-T N/S: fixes for known
10.1 10.1 9.1 issues.

4.0.2 • NSX-T E/W: • NSX-T E/W: • NSX-T E/W: Introduces


10.1 10.1 9.1 fixes for known
issues.

4.0.1 Introduces
fixes for known
issues.

4.0.0 Introduces
Security-Centric
Deployment
Workflow (East-
West) for the
VM-Series on
VMware NSX-T.

3.2.4 • NSX-V: 10.1 • NSX-V: 10.1 • NSX-V: 9.1 Introduces


• NSX-T N/S: • NSX-T N/S: • NSX-T N/S: fixes for known
10.1 10.1 9.1 issues.

3.2.3 • NSX-T E/W: • NSX-T E/W: • NSX-T E/W: Introduces


10.1 10.1 9.1 fixes for known
issues.

3.2.1 • NSX-V: 9.1 Introduces


• NSX-T N/S: fixes for known
9.1 issues.

• NSX-T E/W:
9.1

3.2.0 • NSX-V: 9.1 • NSX-V: 10.1 • NSX-V: 9.1 Introduces


• NSX-T N/S: • NSX-T N/S: • NSX-T N/S: Security Policy
9.1 10.1 9.1 Extension
Between NSX-
• NSX-T E/W: • NSX-T E/W: • NSX-T E/W: V and NSX-
9.1 10.1 9.1 T and Device
Certificate
Support on the

VM-Series for
NSX.
The following
VM-Series
firewall for
NSX OVFs
require that you
enable device
certificates.
• 10.1 or later
• 9.1.5 or later

3.1.0 9.1 • NSX-V: 10.1 • NSX-V: 9.1 Introduces


• NSX-T N/S: • NSX-T N/S: the VM-Series
10.2 9.1 firewall on
VMware NSX-
• NSX-T E/W: • NSX-T E/W: T for East-
10.2 9.1 West traffic
protection.

VMware vCenter
The following table shows the features introduced in each version of the Panorama™ plugin for
VMware vCenter.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features
2.1.0 | 10.2 | Latest | Introduces fixes for known issues.
2.0.0 |  |  | Introduces enhancements to increase reliability and robustness.
1.0.0 | 9.1 | Latest | Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for VMware vCenter to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your vCenter environment.

Zero Touch Provisioning (ZTP)


The following table shows the features introduced in each version of the Panorama™ plugin for
Zero Touch Provisioning (ZTP).

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

Plugin Version | PAN-OS Version Minimum | Maximum PAN-OS Version | Features
3.0.1 | 11.2.0 | Latest | Minor bug and performance fixes.
3.0.0 | 11.2.0 | Latest | ZTP 3.0 introduces enhancements to the ZTP onboarding experience by allowing you to activate applicable licenses and install the latest content updates when the firewall first connects to Panorama.
2.0.4 | 11.0.1; 10.2.4 | Latest | Minor bug and performance fixes.
2.0.3 | 11.0.1; 10.2.4 | Latest | Minor bug and performance fixes.
2.0.2 | 10.2.0 | 10.2.3 | Minor bug and performance fixes.
2.0.1 | 10.2.0 | 10.2.3 | Minor bug and performance fixes.
2.0.0 | 10.2.0 | 10.2.3 | Upgrade to the ZTP plugin to increase reliability. ZTP plugin 2.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
1.0.2 | 10.1.0 | Latest 10.1 release | Minor bug and performance fixes.
1.0.1 | 10.1.0 | Latest 10.1 release | Minor bug and performance fixes.
1.0.0 | 9.1.4 | Latest 9.1 release | Enables support for ZTP from Panorama. Configure the Panorama plugin for ZTP to simplify and streamline initial firewall deployment by automating the new managed firewall on-boarding without the need for network administrators to manually provision the firewall.

Compatible Plugin Versions for PAN-OS 10.2


To increase reliability and robustness, we enhanced PAN-OS® software starting in PAN-OS 10.2
with upgraded Panorama™ plugins and by installing the VM-Series plugin by default. However,
we did not introduce support for all plugins with the initial release of PAN-OS 10.2. Use the
following table to determine the minimum plugin versions for use with PAN-OS 10.2 software
and, where applicable, the first PAN-OS 10.2 version that supports each plugin. (If no PAN-OS
10.2 version is specified, then the minimum version of the plugin is supported in all PAN-OS 10.2
versions.)

For more information about plugins compatible with PAN-OS 10.2 and all other
supported PAN-OS releases, refer to the Panorama Plugins page.

Plugin Name | Minimum Compatible Plugin Version with PAN-OS 10.2
AWS plugin | 4.0.0
AIOps for NGFW plugin | 1.0.0
Azure plugin | 4.0.0
Cloud Services plugin (for use with Strata™ Logging Service only) | 3.1 (Compatible with PAN-OS 10.2.1 and later PAN-OS 10.2 versions)
Cloud Services plugin (for use with Panorama Managed Prisma Access) | • 3.2 (compatible with PAN-OS 10.2.3 and later PAN-OS 10.2 versions) • 3.1 starting with version 3.1.0-h50 (compatible with PAN-OS 10.2.2-h1 and later PAN-OS 10.2 versions) IMPORTANT: Review the PAN-OS and Prisma Access Known Issues that are applicable to Panorama deployments running PAN-OS 10.2.2 with Prisma Access 3.1.
Kubernetes plugin | 3.0.0
SW FW Licensing plugin (VM licensing plugin is not a Python-based plugin and the previous version is supported) | 1.0.0
Panorama VM-Series plugin | 3.0.0
SD-WAN plugin | 3.0.0
IPS Signature Converter plugin | 2.0.0
ZTP plugin | 2.0.0
DLP plugin | 3.0.0
OpenConfig plugin | 1.1.0
GCP plugin | 3.0.0
Cisco ACI plugin | 3.0.0
VCenter plugin | 2.0.0
Nutanix plugin | 2.0.0
Cisco TrustSec plugin | 2.0.0
Network Discovery plugin | 2.1.0

Important considerations for upgrading your plugins


• The plugin versions listed in the above table are the only plugins compatible with PAN-
OS 10.2 and later PAN-OS 10.2 versions. If you use any other plugins, you should
not upgrade to PAN-OS 10.2 until you upgrade all of your plugins to the minimum
supported version for PAN-OS 10.2.
• Starting with PAN-OS 10.2, the VM-Series plugin is installed by default. This option
is currently available only in PAN-OS 10.2, which means that Panorama software
requires that you download a compatible version of the VM-Series plugin if you
downgrade your firewall from PAN-OS 10.2 to a PAN-OS 10.1 or earlier version.

Each upgraded Panorama plugin supports any supported PAN-OS release in addition to
PAN-OS 10.2.

Supported Migration Paths for Plugins

Plugin Name | Upgrade/Downgrade | Base PAN-OS Version | Base Plugin Version | Target PAN-OS Version | Target Plugin Version
AWS | Upgrade | 10.1 | 3.0 | 10.2 | 4.0
  Note: You should upgrade AWS plugin 2.x.x to 3.0.x in PAN-OS 10.1.x version before you upgrade to PAN-OS 10.2.
 | Downgrade | 10.2 | 4.0 | 10.1 | 3.0
Azure plugin | Upgrade | 10.1 | 3.1 | 10.2 | 4.0
 | Downgrade | 10.2 | 4.0 | 10.1 | 3.2
Kubernetes plugin | Upgrade | 10.1 | 2.0 | 10.2 | 3.0
 | Downgrade | 10.2 | 3.0 | 10.1 | 2.0
  Note: If you have a custom certificate size greater than 32k, the autocommit (which happens after downgrade) will fail. To avoid this, save the config file, add a dummy value in the custom certificate that is less than 16K, and then downgrade to 2.0.x (k8s plugin cannot contact the API server). Then upgrade the
GCP plugin | Upgrade | 10.1 | 2.0 | 10.2 | 3.0
 | Downgrade | 10.2 | 3.0 | 10.1 | 2.0
Cisco ACI plugin | Upgrade | 10.1 | 2.0 | 10.2 | 3.0
 | Downgrade | 10.2 | 3.0 | 10.1 | 2.0
VCenter plugin | Upgrade | 10.1 | 1.0 | 10.2 | 2.0
 | Downgrade | 10.2 | 2.0 | 10.1 | 1.0
Nutanix plugin | Upgrade | 10.1 | 1.0 | 10.2 | 2.0
 | Downgrade | 10.2 | 2.0 | 10.1 | 1.0

For more information, review how to:


• Upgrade your PAN-OS software.
• Upgrade your Panorama plugins.

Panorama Management Compatibility


Review the table below to understand which Palo Alto Networks Next-Generation Firewalls,
Dedicated Log Collectors, and WildFire® appliances a Panorama™ management server can
manage based on the installed PAN-OS version. Palo Alto Networks recommends managing
currently supported Palo Alto Networks Next-Generation Firewalls, Dedicated Log Collectors, and
WildFire appliances running a supported PAN-OS version.
Dedicated Log Collectors must be running the same PAN-OS version as, or a later version than,
the managed firewalls from which logs are forwarded. Palo Alto Networks does not support
forwarding logs from managed firewalls to a Dedicated Log Collector if the Dedicated Log
Collector is running an earlier PAN-OS version than that installed on your managed firewalls.
This may lead to log forwarding and ingestion issues.
(PAN-OS 10.1.2 and earlier PAN-OS 10.1 releases) The device registration authentication key
length is increased when you upgrade Panorama to PAN-OS 10.1.3 or later release:
• Panorama running PAN-OS 10.1.2 or earlier PAN-OS 10.1 releases— Supports onboarding
firewalls, Dedicated Log Collectors, and WildFire appliances running PAN-OS 10.1.2 or earlier
PAN-OS 10.1 release, or running PAN-OS 10.0 or earlier PAN-OS release.
• Panorama running PAN-OS 10.1.3 or later releases— Supports onboarding firewalls, Dedicated
Log Collectors, and WildFire appliances running PAN-OS 10.1.3 or later release, or running
PAN-OS 10.0 or earlier PAN-OS release.
Despite these onboarding requirements, Panorama supports managing firewalls, Dedicated Log
Collectors, and WildFire appliances running the PAN-OS versions described below.

PAN-OS software versions that are End-of-Life (EoL) are not displayed. See the Palo Alto
Networks End of Life Announcements for additional information. EoL PAN-OS versions
are supported only for End-of-Sale (EoS) firewall models until they reach EoL.
Management of End-of-Life (EoL) PAN-OS versions may result in unexpected issues,
particularly if there is a large gap between the PAN-OS version installed on Panorama and
the one installed on the firewall. For example, you may run into unexpected or unknown
issues if you attempt to manage a firewall running the EoL PAN-OS 7.1 release from a
Panorama management server running PAN-OS 10.2 or a later version.

Panorama Version | Managed Device Version
11.2 | 11.2, 11.1, 11.0, 10.2, 10.1, 9.1
11.1 | 11.1, 11.0, 10.2, 10.1, 9.1
11.0 | 11.0, 10.2, 10.1, 9.1
10.2 | 10.2, 10.1, 9.1
10.1 | 10.1, 9.1
9.1 | 9.1
Panorama Hypervisor Support


Before you deploy a Panorama™ virtual appliance, verify that the hypervisor meets the minimum
version requirements to deploy Panorama.

Panorama Version: PAN-OS 11.1, 11.0
• VMware ESXi Compatibility: 64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, 7.0, or 8.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-15. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.
• KVM Compatibility: Ubuntu 18.04; Ubuntu 16.04; CentOS/RHEL 7; CentOS/RHEL 8
• Hyper-V Compatibility: Windows Server 2019 with Hyper-V role or Hyper-V 2019; Windows Server 2016 with Hyper-V role or Hyper-V 2016; Windows Server 2022 with Hyper-V role or Hyper-V 2022
• Nutanix AHV Compatibility: —
• Public Cloud/Partner Integra Compatibility: Alibaba Cloud; Amazon AWS; Microsoft Azure; Google Cloud Platform; Amazon AWS GovCloud; Oracle Cloud Infrastructure (OCI)

Panorama Version: PAN-OS 10.2
• VMware ESXi Compatibility: 64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, 7.0, or 8.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-15. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.
• KVM Compatibility: Ubuntu 18.04; Ubuntu 16.04; CentOS/RHEL 7; CentOS/RHEL 8
• Hyper-V Compatibility: Windows Server 2019 with Hyper-V role or Hyper-V 2019; Windows Server 2016 with Hyper-V role or Hyper-V 2016; Windows Server 2022 with Hyper-V role or Hyper-V 2022
• Nutanix AHV Compatibility: Nutanix AOS Version—5.10 and later. Nutanix AHV Version—20170830.185. To manage VM-Series firewalls running supported versions of AHV. See VM-Series for Nutanix.
• Public Cloud/Partner Integra Compatibility: Alibaba Cloud; Amazon AWS; Microsoft Azure; Google Cloud Platform; Amazon AWS GovCloud; Oracle Cloud Infrastructure (OCI)

Panorama Version: PAN-OS 10.1
• VMware ESXi Compatibility: 64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.
• KVM Compatibility: Ubuntu 18.04; Ubuntu 16.04; CentOS/RHEL 7; CentOS/RHEL 8
• Hyper-V Compatibility: Windows Server 2019 with Hyper-V role or Hyper-V 2019; Windows Server 2016 with Hyper-V role or Hyper-V 2016
• Nutanix AHV Compatibility: Nutanix AOS Version—5.10 and later. Nutanix AHV Version—20170830.185. To manage VM-Series firewalls running supported versions of AHV. See VM-Series for Nutanix.
• Public Cloud/Partner Integra Compatibility: Alibaba Cloud; Amazon AWS; Microsoft Azure; Google Cloud Platform; Amazon AWS GovCloud; Oracle Cloud Infrastructure (OCI)

Panorama Version: PAN-OS 9.1
• VMware ESXi Compatibility: 64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.
• KVM Compatibility: Ubuntu 18.04; Ubuntu 16.04; CentOS/RHEL 7; CentOS/RHEL 8
• Hyper-V Compatibility: Windows Server 2019 with Hyper-V role or Hyper-V 2019; Windows Server 2016 with Hyper-V role or Hyper-V 2016
• Nutanix AHV Compatibility: Nutanix AOS Version—5.10 and later. Nutanix AHV Version—20170830.185. To manage VM-Series firewalls running supported versions of AHV. See VM-Series for Nutanix.
• Public Cloud/Partner Integra Compatibility: Amazon AWS; Microsoft Azure; Google Cloud Platform; Amazon AWS GovCloud

Device Certificate for a Palo Alto Networks Cloud Service

A Palo Alto Networks cloud service is a cloud-hosted service maintained and operated by Palo
Alto Networks.
You must install the appropriate device certificate on the firewalls, Panorama™ appliances, and
WildFire® appliances that use the cloud service and are running one of the following PAN-OS®
versions:
• PAN-OS 11.2.0 or a later PAN-OS 11.2 version
• PAN-OS 11.1.0 or a later PAN-OS 11.1 version
• PAN-OS 11.0.2 or a later PAN-OS 11.0 version
• PAN-OS 10.2.5 or a later PAN-OS 10.2 version
• PAN-OS 10.1.10 or a later PAN-OS 10.1 version
• PAN-OS 9.1.8 or a later PAN-OS 9.1 version
Review the Palo Alto Networks cloud services listed below that require you to install a device
certificate before they will function as expected. Panorama management of firewalls, Dedicated
Log Collectors, and WildFire appliances, and downloading content and software updates from the
Palo Alto Networks update server, do not require a device certificate. You also do not need to
install a device certificate to establish communication between a firewall and a WildFire appliance.

Cloud Service | Firewall (Individual and Panorama-Managed) | Panorama
AIOps | Yes | Yes
App-ID Cloud Engine (ACE) | Yes | Yes
Cloud Services (Prisma® Access) | N/A | No
Strata™ Logging Service (Formerly Cortex® Data Lake) | Yes (PAN-OS 10.1 and later) | Yes (PAN-OS 10.1 and later)
Device Telemetry | Yes | Yes
Enterprise DLP | Yes | Yes
Inline Categorization | Yes. Also requires an Advanced URL Filtering license | No
Inline Cloud Analysis | Yes. Also requires an Advanced Threat Protection license | No
Internet of Things (IoT) Security | Yes | Yes
ZTP | No | Yes

MFA Vendor Support
Palo Alto Networks Next-Generation Firewalls and Panorama™ appliances can integrate with
multi-factor authentication (MFA) vendors using RADIUS and SAML. Firewalls can additionally
integrate with specific MFA vendors using the API to enforce MFA through Authentication policy.

| Authentication Use Case | RADIUS (any vendor) | TACACS+ (any vendor) | SAML (any vendor) | MFA Server Profile |
|---|---|---|---|---|
| Next-Generation Firewall and Panorama Administrator Web Interface | √ | √ | √ | — |
| Next-Generation Firewall and Panorama Administrator CLI | √ | √ | — | — |
| GlobalProtect™ Portal and Gateway Authentication | √ | √ | √ | — |
| Authentication Policy (Formerly Captive Portal Policy) | √ | √ | √ | √ Vendor / Min. Content Version *: RSA SecurID Access / 752; PingID / 655; Okta Adaptive / 655; Duo v2 / 655 |

* Palo Alto Networks provides support for MFA vendors through Applications content
updates, which means that if you use Panorama to push device group configurations to
firewalls, you must install the same Applications release version on managed firewalls
as you install on Panorama to avoid mismatches in vendor support.

Supported Cipher Suites
Use this table in the Palo Alto Networks Compatibility Matrix to determine support for cipher
suites according to function and PAN-OS® software release.
• Cloud Identity Engine Cipher Suites
• Cipher Suites Supported in PAN-OS 11.2
• Cipher Suites Supported in PAN-OS 11.1
• Cipher Suites Supported in PAN-OS 11.0
• Cipher Suites Supported in PAN-OS 10.2
• Cipher Suites Supported in PAN-OS 10.1
• Cipher Suites Supported in PAN-OS 9.1


Cloud Identity Engine Cipher Suites


The following cipher suites are supported and required on the Cloud Identity Engine agent host
for on-premises directories.

Feature or Function Required Ciphers

Cloud Identity Engine agent
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256


Cipher Suites Supported in PAN-OS 11.2


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 11.2
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 11.2 GlobalProtect Cipher Suites
• PAN-OS 11.2 IPSec Cipher Suites
• PAN-OS 11.2 IKE and Web Certificate Cipher Suites
• PAN-OS 11.2 Decryption Cipher Suites
• PAN-OS 11.2 HA1 SSH Cipher Suites
• PAN-OS 11.2 Administrative Session Cipher Suites
• PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.2 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a
PAN-OS® 11.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal


• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256

• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384

• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 11.2 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a
PAN-OS® 11.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Post-Quantum Cryptographic Suites (PQCs)


• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

IPSec—Post-Quantum Cryptographic Suites (PQCs)
You can use these cipher suites to secure the rekey operations for your IPSec tunnels.
• ML-KEM—512-bit, 768-bit, and 1024-bit keys
• HQC—128-bit, 192-bit, and 256-bit keys
• BIKE—bike-L1, bike-L3, & bike-L5
• Classic McEliece—348,864-bit and 348,864f-bit
• FrodoKEM:
  • 640-AES, 976-AES, and 1344-AES
  • 640-SHAKE, 976-SHAKE, and 1344-SHAKE
• NTRU-Prime—sntrup761

IPSec—Encryption
• NULL
• 3DES

• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled
• Group 21 (512-bit random elliptic curve group)

PAN-OS 11.2 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 11.2 release in normal
(non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

• IKE—Post-Quantum Cryptographic Suites (PQCs)

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

IKE—Post-Quantum Cryptographic Suites (PQCs)
• ML-KEM—512-bit, 768-bit, and 1024-bit keys
• HQC—128-bit, 192-bit, and 256-bit keys
• BIKE—bike-L1, bike-L3, & bike-L5
• Classic McEliece—348,864-bit and 348,864f-bit
• FrodoKEM:
  • 640-AES, 976-AES, and 1344-AES
  • 640-SHAKE, 976-SHAKE, and 1344-SHAKE
• NTRU-Prime—sntrup761

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384

• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)
• Group 21 (512-bit random elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 11.2 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 11.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption—Host Key Algorithms


• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms


Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

SSH Decryption—Host Key Algorithms
• SSH-RSA (2048-bit)
• SSH-DSS (2048-bit)

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys
  The firewall can authenticate certificates with up to 8192-bit RSA keys from the
  destination server; however, the certificate that the firewall generates for the client
  supports only up to 4096-bit RSA keys.
• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256


SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decryption, you can use a hardware security module (HSM) to store the private keys used for
SSL Inbound Inspection.
• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

TLS 1.3 Decryption—Signature Algorithms
• ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384

• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-386
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 11.2 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 11.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface


• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

Administrative Sessions to Web Interface
TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
TLSv1.3 cipher suites begin with “TLS”.

• RSA-SEED-SHA1
• RSA-CAMELLIA-128-SHA1
• RSA-CAMELLIA-256-SHA1
• RSA-AES-128-SHA1
• RSA-AES-256-SHA1
• RSA-AES-256-CBC-SHA1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384

• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA1
• ECDHE-ECDSA-AES-256-SHA1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• TLS-AES-128-CCM-SHA256
• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

Administrative Sessions to CLI (SSH)—Encryption
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication
• UMAC-64
• UMAC-128
• HMAC-SHA1
• HMAC-SHA2-256
• HMAC-SHA-384
• HMAC-SHA2-512

Administrative Sessions to CLI (SSH)—Server Host Key Types
• RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms
• curve25519-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group14-sha384
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384

• ecdh-sha2-nistp521

PAN-OS 11.2 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 11.2 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

HA1 SSH
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 11.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.2 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384

• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 11.2
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 11.2.

| Functions | Standards | Certificates |
|---|---|---|
| Asymmetric key generation | | |
| ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: <TBD>; VMs: <TBD> |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: <TBD>; VMs: <TBD> |
| Cryptographic Key Generation (for IKE Peer Authentication) | | |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: <TBD>; VMs: <TBD> |
| ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: <TBD>; VMs: <TBD> |
| Cryptographic Key Establishment | | |
| ECC-based key establishment | SP 800-56A Revision 3 | Appliances: <TBD>; VMs: <TBD> |
| FFC-based key establishment | SP 800-56A Revision 3 | Appliances: <TBD>; VMs: <TBD> |
| AES Data Encryption/Decryption | | |
| AES CTR 128/192/256; AES CBC 128/192/256; AES GCM 128/256; AES CCM 128 | AES as specified in ISO 18033-3; CBC/CTR as specified in ISO 10116; GCM as specified in ISO 19772; NIST SP 800-38A/C/D/F; FIPS PUB 197 | Appliances: <TBD>; VMs: <TBD> |
| Signature Generation and Verification | | |
| RSA (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances: <TBD>; VMs: <TBD> |
| ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4 | Appliances: <TBD>; VMs: <TBD> |
| Cryptographic hashing | | |
| SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits) | ISO/IEC 10118-3:2004; FIPS PUB 180-4 | Appliances: <TBD>; VMs: <TBD> |
| Keyed-hash message authentication | | |
| HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-384; HMAC-SHA-512 | ISO/IEC 9797-2:2011; FIPS PUB 198-1 | Appliances: <TBD>; VMs: <TBD> |
| Random bit generation | | |
| CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A | Appliances: <TBD>; VMs: <TBD> |

Cipher Suites Supported in PAN-OS 11.1


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 11.1
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 11.1 GlobalProtect Cipher Suites
• PAN-OS 11.1 IPSec Cipher Suites
• PAN-OS 11.1 IKE and Web Certificate Cipher Suites
• PAN-OS 11.1 Decryption Cipher Suites
• PAN-OS 11.1 HA1 SSH Cipher Suites
• PAN-OS 11.1 Administrative Session Cipher Suites
• PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.1 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a
PAN-OS® 11.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal


• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256

• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384

• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 11.1 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a
PAN-OS® 11.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

IPSec—Encryption
• NULL
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384

• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled
• Group 21 (512-bit random elliptic curve group)

PAN-OS 11.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 11.1 release in normal
(non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)
• Group 21 (512-bit random elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 11.1 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 11.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption—Host Key Algorithms


• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

SSH Decryption—Host Key Algorithms
• SSH-RSA (2048-bit)
• SSH-DSS (2048-bit)

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160

• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys
  The firewall can authenticate certificates with up to 8192-bit RSA keys from the
  destination server; however, the certificate that the firewall generates for the client
  supports only up to 4096-bit RSA keys.
• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decryption, you can use a hardware security module (HSM) to store the private keys used for
SSL Inbound Inspection.
• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

TLS 1.3 Decryption—Signature Algorithms
• ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-386
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 11.1 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 11.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface

• Administrative Sessions to CLI (SSH)—Encryption


• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

Administrative Sessions to Web Interface
TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
TLSv1.3 cipher suites begin with “TLS”.

• RSA-SEED-SHA1
• RSA-CAMELLIA-128-SHA1
• RSA-CAMELLIA-256-SHA1
• RSA-AES-128-SHA1
• RSA-AES-256-SHA1
• RSA-AES-256-CBC-SHA1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA1
• ECDHE-ECDSA-AES-256-SHA1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• TLS-AES-128-CCM-SHA256
• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

Administrative Sessions to CLI (SSH)—Encryption
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM

• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication
• UMAC-64
• UMAC-128
• HMAC-SHA1
• HMAC-SHA2-256
• HMAC-SHA-384
• HMAC-SHA2-512

Administrative Sessions to CLI (SSH)—Server Host Key Types
• RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions • curve25519-sha256


to CLI (SSH)—Key • diffie-hellman-group14-sha1
Exchange Algorithms
• diffie-hellman-group14-sha256
• diffie-hellman-group14-sha384
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

PAN-OS 11.1 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 11.1 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

HA1 SSH
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 11.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.1 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 11.1
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 11.1.

Functions Standards Certificates

Asymmetric key generation

ECC key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

Cryptographic Key Generation (for IKE Peer Authentication)

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

ECDSA key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

Cryptographic Key Establishment

ECC-based key establishment
Standards: SP 800-56A Revision 3
Certificates: Appliances: #A3453; VMs: #A3454

FFC-based key establishment
Standards: SP 800-56A Revision 3
Certificates: Appliances: #A3453; VMs: #A3454

AES Data Encryption/Decryption

• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197
Certificates: Appliances: #A3453; VMs: #A3454

Signature Generation and Verification

RSA (2048 bits or greater)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1
Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; ISO/IEC 9796-2, Digital signature
scheme 2 or Digital Signature scheme 3
Certificates: Appliances: #A3453; VMs: #A3454

ECDSA (NIST curves P-256, P-384, and P-521)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D,
Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4
Certificates: Appliances: #A3453; VMs: #A3454

Cryptographic hashing

SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits)
Standards: ISO/IEC 10118-3:2004; FIPS PUB 180-4
Certificates: Appliances: #A3453; VMs: #A3454

Keyed-hash message authentication

• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards: ISO/IEC 9797-2:2011; FIPS PUB 198-1
Certificates: Appliances: #A3453; VMs: #A3454

Random bit generation

CTR_DRBG (AES-256)
Standards: ISO/IEC 18031:2011; NIST SP 800-90A
Certificates: Appliances: #A3453; VMs: #A3454

Cipher Suites Supported in PAN-OS 11.0


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 11.0
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 11.0 GlobalProtect Cipher Suites
• PAN-OS 11.0 IPSec Cipher Suites
• PAN-OS 11.0 IKE and Web Certificate Cipher Suites
• PAN-OS 11.0 Decryption Cipher Suites
• PAN-OS 11.0 HA1 SSH Cipher Suites
• PAN-OS 11.0 Administrative Session Cipher Suites
• PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.0 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a PAN-
OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 11.0 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-
OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

IPSec—Encryption
• NULL
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled
• Group 21 (512-bit random elliptic curve group)

PAN-OS 11.0 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 11.0 release in normal (non-FIPS-
CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support
• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)
• Group 21 (512-bit random elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 11.0 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption—Host Key Algorithms
• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

SSH Decryption—Host Key Algorithms
• SSH-RSA (2048-bit)
• SSH-DSS (2048-bit)

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys
  The firewall can authenticate certificates up to 8192-bit RSA keys from the
  destination server; however, the firewall-generated certificate to the client
  supports only up to 4096-bit RSA keys.
• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decryption, you can use a hardware security module (HSM) to store the private keys
used for SSL Inbound Inspection.
• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

TLS 1.3 Decryption—Signature Algorithms
• ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-384
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 11.0 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface
• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

Administrative Sessions to Web Interface
TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
TLSv1.3 cipher suites begin with “TLS”.
• RSA-SEED-SHA1
• RSA-CAMELLIA-128-SHA1
• RSA-CAMELLIA-256-SHA1
• RSA-AES-128-SHA1
• RSA-AES-256-SHA1
• RSA-AES-256-CBC-SHA1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA1
• ECDHE-ECDSA-AES-256-SHA1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• TLS-AES-128-CCM-SHA256
• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

Administrative Sessions to CLI (SSH)—Encryption
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication
• UMAC-64
• UMAC-128
• HMAC-SHA1
• HMAC-SHA2-256
• HMAC-SHA-384
• HMAC-SHA2-512

Administrative Sessions to CLI (SSH)—Server Host Key Types
• RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms
• curve25519-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group14-sha384
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

PAN-OS 11.0 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 11.0 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

HA1 SSH
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 11.0
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 11.0.

Functions Standards Certificates

Asymmetric key generation

ECC key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

Cryptographic Key Generation (for IKE Peer Authentication)

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

ECDSA key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances: #A3453; VMs: #A3454

Cryptographic Key Establishment

ECC-based key establishment
Standards: SP 800-56A Revision 3
Certificates: Appliances: #A3453; VMs: #A3454

FFC-based key establishment
Standards: SP 800-56A Revision 3
Certificates: Appliances: #A3453; VMs: #A3454

AES Data Encryption/Decryption

• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197
Certificates: Appliances: #A3453; VMs: #A3454

Signature Generation and Verification

RSA (2048 bits or greater)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1
Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; ISO/IEC 9796-2, Digital signature
scheme 2 or Digital Signature scheme 3
Certificates: Appliances: #A3453; VMs: #A3454

ECDSA (NIST curves P-256, P-384, and P-521)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D,
Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4
Certificates: Appliances: #A3453; VMs: #A3454

Cryptographic hashing

SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits)
Standards: ISO/IEC 10118-3:2004; FIPS PUB 180-4
Certificates: Appliances: #A3453; VMs: #A3454

Keyed-hash message authentication

• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards: ISO/IEC 9797-2:2011; FIPS PUB 198-1
Certificates: Appliances: #A3453; VMs: #A3454

Random bit generation

CTR_DRBG (AES-256)
Standards: ISO/IEC 18031:2011; NIST SP 800-90A
Certificates: Appliances: #A3453; VMs: #A3454

Cipher Suites Supported in PAN-OS 10.2


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 10.2
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 10.2 GlobalProtect Cipher Suites
• PAN-OS 10.2 IPSec Cipher Suites
• PAN-OS 10.2 IKE and Web Certificate Cipher Suites
• PAN-OS 10.2 Decryption Cipher Suites
• PAN-OS 10.2 HA1 SSH Cipher Suites
• PAN-OS 10.2 Administrative Session Cipher Suites
• PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 10.2 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a PAN-
OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 10.2 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-
OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

IPSec—Encryption
• NULL
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled
• Group 21 (512-bit random elliptic curve group)

PAN-OS 10.2 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 10.2 release in normal (non-FIPS-
CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support
• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)
• Group 21 (512-bit random elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 10.2 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption—Host Key Algorithms
• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

SSH Decryption—Host Key Algorithms
• SSH-RSA (2048-bit)
• SSH-DSS (2048-bit)

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys
  The firewall can authenticate certificates up to 8192-bit RSA keys from the
  destination server; however, the firewall-generated certificate to the client
  supports only up to 4096-bit RSA keys.
• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decryption, you can use a hardware security module (HSM) to store the private keys
used for SSL Inbound Inspection.
• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

TLS 1.3 Decryption—Signature Algorithms
• ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-384
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 10.2 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface
• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

Administrative Sessions to Web Interface
• TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA1
• RSA-CAMELLIA-128-SHA1
• RSA-CAMELLIA-256-SHA1
• RSA-AES-128-SHA1
• RSA-AES-256-SHA1
• RSA-AES-256-CBC-SHA1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA1
• ECDHE-ECDSA-AES-256-SHA1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions to CLI (SSH)—Encryption
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication
• UMAC-64
• UMAC-128
• HMAC-SHA1
• HMAC-SHA2-256
• HMAC-SHA2-512

Administrative Sessions to CLI (SSH)—Server Host Key Types
• RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms
• curve25519-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

PAN-OS 10.2 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 10.2 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

HA1 SSH
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 10.2
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 10.2.

Asymmetric key generation

Functions: FFC key pair generation (key size 2048 bits)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2906; VMs #A2907

Functions: ECC key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2906; VMs #A2907

Functions: RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2906; VMs #A2907

Cryptographic Key Generation (for IKE Peer Authentication)

Functions: RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2906; VMs #A2907

Functions: ECDSA key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2906; VMs #A2907

Cryptographic Key Establishment

Functions: ECC-based key establishment
Standards: SP 800-56A Revision 3
Certificates: Appliances #A2906; VMs #A2907

Functions: FFC-based key establishment
Standards: SP 800-56A Revision 3
Certificates: Appliances #A2906; VMs #A2907

AES Data Encryption/Decryption

Functions:
• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197
Certificates: Appliances #A2906; VMs #A2907

Signature Generation and Verification

Functions: RSA (2048 bits or greater)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3
Certificates: Appliances #A2906; VMs #A2907

Functions: ECDSA (NIST curves P-256, P-384, and P-521)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521 ISO/IEC 14888-3, Section 6.4
Certificates: Appliances #A2906; VMs #A2907

Cryptographic hashing

Functions: SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits)
Standards: ISO/IEC 10118-3:2004; FIPS PUB 180-4
Certificates: Appliances #A2906; VMs #A2907

Keyed-hash message authentication

Functions:
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards: ISO/IEC 9797-2:2011; FIPS PUB 198-1
Certificates: Appliances #A2906; VMs #A2907

Random bit generation

Functions: CTR_DRBG (AES-256)
Standards: ISO/IEC 18031:2011; NIST SP 800-90A
Certificates: Appliances #A2906; VMs #A2907

Cipher Suites Supported in PAN-OS 10.1


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 10.1
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 10.1 GlobalProtect Cipher Suites
• PAN-OS 10.1 IPSec Cipher Suites
• PAN-OS 10.1 IKE and Web Certificate Cipher Suites
• PAN-OS 10.1 Decryption Cipher Suites
• PAN-OS 10.1 HA1 SSH Cipher Suites
• PAN-OS 10.1 Administrative Session Cipher Suites
• PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 10.1 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a
PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal


• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256

• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384

• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 10.1 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a
PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

IPSec—Encryption
• NULL
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same key for IKE phase 1 and phase 2 instead of renewing the key for phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled

PAN-OS 10.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 10.1 release in normal
(non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 10.1 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption—Host Key Algorithms

• SSH Decryption (SSHv2 only)—Encryption


• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

SSH Decryption—Host Key Algorithms
• SSH-RSA (2048-bit)
• SSH-DSS (2048-bit)

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

The firewall can authenticate certificates with RSA keys of up to 8192 bits from the destination server; however, the certificate that the firewall generates for the client supports only up to 4096-bit RSA keys.

• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256

• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.

• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

TLS 1.3 Decryption—Signature Algorithms
• ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-386
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 10.1 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface


• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

Administrative Sessions to Web Interface
• TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256

• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-3DES-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions to CLI (SSH)—Encryption
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication
• UMAC-64
• UMAC-128
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-512

Administrative Sessions to CLI (SSH)—Server Host Key Types
• RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms
• curve25519-SHA-256
• diffie-hellman-group14-SHA-1
• diffie-hellman-group14-SHA-256
• diffie-hellman-group16-SHA-512
• diffie-hellman-group-exchange-SHA-256
• ecdh-SHA-2-nistp256
• ecdh-SHA-2-nistp384
• ecdh-SHA-2-nistp521

PAN-OS 10.1 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 10.1 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

HA1 SSH
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-3DES-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 10.1
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 10.1.

Asymmetric key generation

Functions: FFC key pair generation (key size 2048 bits)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2137; VMs #A2244

Functions: ECC key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2137; VMs #A2244

Functions: RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2137; VMs #A2244

Cryptographic Key Generation (for IKE Peer Authentication)

Functions: RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2137; VMs #A2244

Functions: ECDSA key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances #A2137; VMs #A2244

Cryptographic Key Establishment

Functions: ECDSA-based key establishment
Standards: NIST SP 800-56A Revision 3
Certificates: Appliances #A2137; VMs #A2244

Functions: FFC-based key establishment
Standards: NIST SP 800-56A Revision 3
Certificates: Appliances #A2137; VMs #A2244

AES Data Encryption/Decryption

Functions:
• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197
Certificates: Appliances #A2137; VMs #A2244

Signature Generation and Verification

Functions: RSA Digital Signature Algorithm (rDSA) (2048 bits or greater)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3
Certificates: Appliances #A2137; VMs #A2244

Functions: ECDSA (NIST curves P-256, P-384, and P-521)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521 ISO/IEC 14888-3, Section 6.4
Certificates: Appliances #A2137; VMs #A2244

Cryptographic hashing

Functions: SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits)
Standards: ISO/IEC 10118-3:2004; FIPS PUB 180-4
Certificates: Appliances #A2137; VMs #A2244

Keyed-hash message authentication

Functions:
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards: ISO/IEC 9797-2:2011; FIPS PUB 198-1
Certificates: Appliances #A2137; VMs #A2244

Random bit generation

Functions: CTR_DRBG (AES-256)
Standards: ISO/IEC 18031:2011; NIST SP 800-90A
Certificates: Appliances #A2137; VMs #A2244

Cipher Suites Supported in PAN-OS 9.1


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 9.1
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites Supported in
FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 9.1 GlobalProtect Cipher Suites
• PAN-OS 9.1 IPSec Cipher Suites
• PAN-OS 9.1 IKE and Web Certificate Cipher Suites
• PAN-OS 9.1 Decryption Cipher Suites
• PAN-OS 9.1 HA1 SSH Cipher Suites
• PAN-OS 9.1 Administrative Session Cipher Suites
• PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 9.1 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a
PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL
• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256

• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384

• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 9.1 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a
PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

IPSec—Encryption
• NULL
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same key for IKE phase 1 and phase 2 instead of renewing the key for phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled

PAN-OS 9.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 9.1 release in normal (non-FIPS-CC)
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 9.1 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption—Host Key Algorithms


• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption

• SSL/TLS Decryption—NIST-approved Elliptical Curves


• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

SSH Decryption—Host Key Algorithms
• SSH-RSA (2048-bit)
• SSH-DSS (2048-bit)

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

The firewall can authenticate certificates with RSA keys of up to 8192 bits from the destination server; however, the certificate that the firewall generates for the client supports only up to 4096-bit RSA keys.

• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384

SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.

• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 9.1 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface


• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication

• Administrative Sessions to CLI (SSH)—Server Host Key Types


• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

Administrative Sessions to Web Interface
• TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-3DES-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions • 3DES-CBC


to CLI (SSH)—Encryption • ARCFOUR128
• ARCFOUR256
• BLOWFISH-CBC
• CAST128-CBC
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR

Palo Alto Networks Compatibility Matrix 213 ©2024 Palo Alto Networks, Inc.
Supported Cipher Suites

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases


• AES-256-CTR
• AES-128-GCM
• AES-256-GCM

Administrative Sessions • UMAC-64


to CLI (SSH)—Message • UMAC-128
Authentication
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-512

Administrative Sessions • RSA keys—2048-bit, 3072-bit, and 4096-bit keys


to CLI (SSH)—Server Host • ECDSA keys—256-bit, 384-bit, and 521-bit keys
Key Types

Administrative Sessions • diffie-hellman-group1-SHA-1


to CLI (SSH)—Key • diffie-hellman-group14-SHA-1
Exchange Algorithms
• diffie-hellman-group-exchange-SHA-1
• diffie-hellman-group-exchange-SHA-256
• ecdh-SHA-2-nistp256
• ecdh-SHA-2-nistp384
• ecdh-SHA-2-nistp521

PAN-OS 9.1 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 9.1 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function | Ciphers Supported in PAN-OS 9.1 Releases

HA1 SSH
• AES 128-bit cipher with Cipher Block Chaining
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Cipher Block Chaining
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Cipher Block Chaining
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM

PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function | Ciphers Supported in PAN-OS 9.1 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-3DES-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 9.1
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation. Also, there were no changes made to the Palo Alto
Networks crypto module between PAN-OS 9.0 and PAN-OS 9.1 so all FIPS certificates still apply
for this PAN-OS 9.1 release.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 9.1.

Functions | Standards

Asymmetric key generation
FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4
ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4
RSA key generation (2048 bits or greater) | FIPS PUB 186-4

Cryptographic Key Generation (for IKE Peer Authentication)
RSA key generation (2048 bits or greater) | FIPS PUB 186-4
ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4

Cryptographic Key Establishment
ECDSA-based key establishment | NIST SP 800-56A Revision 2
FFC-based key establishment | NIST SP 800-56A Revision 2

AES Data Encryption/Decryption
Functions:
• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197

Signature Generation and Verification
RSA Digital Signature Algorithm (rDSA) (2048 bits or greater) | FIPS PUB 186-4, “Digital
Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS
and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature
scheme 3
ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard
(DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, ISO/IEC 14888-3,
Section 6.4

Cryptographic hashing
SHA-1, SHA-256, SHA-384, and SHA-512 (digest sizes 160, 256, 384, and 512 bits) | ISO/IEC
10118-3:2004; FIPS PUB 180-4

Keyed-hash message authentication
Functions:
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards:
• ISO/IEC 9797-2:2011
• FIPS PUB 198-1

Random bit generation
CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A

GlobalProtect
The following topics provide support information for the GlobalProtect™ app (originally referred
to as the GlobalProtect agent on Windows and Mac).
• Where Can I Install the GlobalProtect App?
• Third-Party IPSec Client Support
• What Features Does GlobalProtect Support?
• TEST: What Features Does GlobalProtect Support?
• What Features Does GlobalProtect Support for IoT?
• What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?


Where Can I Install the GlobalProtect App?


The following sections show operating systems on which you can install each release of the
GlobalProtect™ app.

The compatibility lists that follow show compatibility with major versions for each
platform only and do not specifically call out minor versions. However, the stated
support for the major versions implicitly includes support for all minor versions of the
listed major versions.

• Apple macOS
• Microsoft Windows
• Linux
• Apple iOS and iPadOS
• Google Android
• Google Chrome
• Internet of Things (IoT)
• Hypervisors
Use the OS compatibility information to determine what version of the GlobalProtect app you
want your users to run on their endpoints.

Because the version that an end user must download and install to enable successful
connectivity to your network depends on your environment, there is no direct download
link for the GlobalProtect app on the Palo Alto Networks site. In addition, the way you
deploy the GlobalProtect app to your users depends on the OS of the endpoint.

Apple macOS
The following table shows which macOS versions support which versions of the GlobalProtect
app. For instructions on installing the GlobalProtect app on a macOS endpoint, see the installation
instructions for 5.1, 5.2, 6.0, 6.1, 6.2, and 6.3.

OS GP App 5.1 GP App 5.2 GP App 6.0 GP App 6.1 GP App 6.2 GP App 6.3
FIPS-CC

macOS √ √ — — —
10.11 (El
Capitan)

macOS √ √ — — — —
10.12
(Sierra)

macOS √ √ — — — —
10.13
(High
Sierra)

macOS √ √ — — — —
10.14
5.2.12 &
(Mojave)
earlier

macOS √ √ √* √ √* —
10.15
(Catalina)

macOS 11 √ √ √* √ √* —
(Big Sur)
5.1.7 & 5.2.4 &
later (x86 later (x86-
& ARM- based
Based MacBooks)
MacBooks
5.2.5 &
Using
later (x86
Rosetta
& ARM-
Translation)
Based
MacBooks
Using
Rosetta
Translation)
5.2.6 &
later (x86
& ARM-
Based
MacBooks)

macOS 12 — √ √* √ √* √
(Monterey)
5.2.10 or
later (x86
& ARM-
Based
MacBooks)

macOS 13 — √ √* √ √* √
(Ventura)
5.2.12 or 6.0.3 or
later (x86 later (x86
& ARM- & ARM-

Based Based
MacBooks) MacBooks)

macOS 14 — — √* √ √* √
(Sonoma)
6.0.7 or 6.1.2 or 6.2.1 or
later later later

macOS 15 — — 6.0.11 and — √ √


(Sequoia) later 6.0.x
6.2.6 and 6.3.2 and
releases
later 6.2.x later 6.3.x
releases releases

* Embedded browser framework for SAML authentication upgraded to WebKit in the following
releases:
• GlobalProtect 6.2.3 and later
• GlobalProtect 6.0.9 and later

Microsoft Windows
The following table shows which Microsoft Windows versions support which versions of the
GlobalProtect app. For instructions on installing the GlobalProtect app on a Windows endpoint,
see the installation instructions for 5.1, 5.2, 6.0, 6.1, 6.2, and 6.3.

OS GP App 5.1 GP App 5.2 GP App 6.0 GP App 6.1 GP App 6.2 GP App 6.3
FIPS-CC

Windows 7 √ — — — — —
Service Upgrades
Pack 1 from
5.1.10 to
5.2.x or
later are
blocked.

Windows 8 — — — — — —

Windows √ √ — — — —
8.1

Windows √ √ √* √ √* √
10

64-bit 64-bit 64-bit
(x64), (x64), (x64),
32-bit 32-bit 32-bit
(x86), and (x86), and (x86), and
ARM64 ARM64 ARM64
devices devices devices

Windows √ √ √ √ √ —
10 UWP
x86 and x86 and
ARM ARM
devices devices

Windows — √ √* √ √* √
11
64-bit 64-bit 64-bit
(x64) and (x64) and (x64) and
ARM64 ARM64 ARM64
devices devices devices

Windows — — — — √ √
365 Cloud
6.2.5 and
PC
later

* Embedded browser framework for SAML authentication upgraded to WebView2 in the following
releases:
• GlobalProtect 6.2.3 and later
• GlobalProtect 6.0.9 and later

Linux
The following table shows compatibility between Linux versions and GlobalProtect app versions.
For instructions on installing the GlobalProtect app on a Linux endpoint, see the installation
instructions for 5.1, 5.2, 6.0, and 6.1.
Only 64-bit Linux versions are supported. 32-bit versions are not supported.

OS GP App 5.1 GP App 5.2 GP App 5.3 GP App 6.0 GP App 6.1 GP App 6.2
FIPS-CC

CentOS √ √ — — — N/A
7.0
CLI-based CLI-based
and GUI- and GUI-
based based

GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.1
CLI-based CLI-based
and GUI- and GUI-
based based
GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.2
CLI-based CLI-based
and GUI- and GUI-
based based
GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.3
CLI-based CLI-based
and GUI- and GUI-
based based
GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.4
CLI-based CLI-based
and GUI- and GUI-
based based
GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.5
CLI-based CLI-based
and GUI- and GUI-
based based
GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.6
CLI-based CLI-based
and GUI- and GUI-
based based

GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
7.7
CLI-based CLI-based
and GUI- and GUI-
based based
GlobalProtect GlobalProtect
app app

CentOS √ √ — — — N/A
8.0
CLI-based CLI-based
GlobalProtect GlobalProtect
app app

CentOS — — √ √ √ N/A
8.3
CLI-based Supported CLI-based
and GUI- on and GUI-
based GlobalProtect based
GlobalProtect 6.0.4 or GlobalProtect
app earlier app
versions
only
CLI-based
and GUI-
based
GlobalProtect
app

Red Hat √ √ — — — N/A


Enterprise
Releases Releases
Linux
7.0 7.0
(RHEL) 7.0
through through
through
7.7: CLI- 7.7: CLI-
8.1
based and based and
GUI-based GUI-based
GlobalProtect GlobalProtect
app app

Red Hat — — √ √ N/A N/A


Enterprise
CLI-based CLI-based
Linux
and GUI- and GUI-
(RHEL) 8.3
based based

GlobalProtect GlobalProtect
app app

Red Hat — — √ √ N/A N/A


Enterprise
CLI-based CLI-based
Linux
and GUI- and GUI-
(RHEL) 8.4
based based
GlobalProtect GlobalProtect
app app

Red Hat — — — — √ N/A


Enterprise
(Supported
Linux
on
(RHEL) 8.7
GlobalProtect
6.1.1 and
later.)

Red Hat √
Enterprise
Supported
Linux
on
(RHEL) 8.9
GlobalProtect
6.2.0 and
later

Red Hat — — — — √ √
Enterprise
(Supported
Linux
on
(RHEL) 9.1
GlobalProtect
6.1.1 and
later.)

Red Hat — — — — — √
Enterprise
(Supported
Linux
on 6.2.1
(RHEL) 9.3
and later)

Ubuntu √ √ √ — — N/A
14.04
CLI-based CLI-based CLI-based
and GUI- and GUI- and GUI-
based based based
GlobalProtect GlobalProtect GlobalProtect
app app app
running

5.3.2 or
later

Ubuntu √ √ √ √ √ N/A
16.04 LTS
CLI-based CLI-based CLI-based CLI-based CLI-based
and GUI- and GUI- and GUI- and GUI- and GUI-
based based based based based
GlobalProtect GlobalProtect GlobalProtect GlobalProtect GlobalProtect
app app app app app
running
5.3.2 or
later

Ubuntu √ √ √ √ √ N/A
18.04 LTS
CLI-based CLI-based CLI-based CLI-based CLI-based
and GUI- and GUI- and GUI- and GUI- and GUI-
based based based based based
GlobalProtect GlobalProtect GlobalProtect GlobalProtect GlobalProtect
app app app app app
running
5.3.2 or
later

Ubuntu √ √ √ √ √ N/A
19.04
CLI-based CLI-based CLI-based CLI-based CLI-based
and GUI- and GUI- and GUI- and GUI- and GUI-
based based based based based
GlobalProtect GlobalProtect GlobalProtect GlobalProtect GlobalProtect
app app app app app
running
5.3.2 or
later

Ubuntu √ √ √ √ √ √
20.04
CLI-based CLI-based CLI-based CLI only CLI-based (Supported
GlobalProtect GlobalProtect GlobalProtect and GUI- on 6.2.1
app only app only app based and later)
running GlobalProtect
5.3.2 or app
later

Ubuntu — — — — √ √
22.04
CLI-based CLI-based
and GUI- and GUI-

based based
GlobalProtect GlobalProtect
app app

Ubuntu √
24.04

Fedora — — — — — √
Linux 38

Fedora — — — — — √
Linux 40
(Supported
on
GlobalProtect
6.2.1 and
later.)

Apple iOS and iPadOS


The following table shows compatibility between iOS versions and GlobalProtect app versions.
For instructions on installing the GlobalProtect app on an Apple iOS and iPadOS endpoint, see the
installation instructions for 5.1, 5.2, and 6.0.

OS GP App 5.1 GP App 5.2 GP App 6.0 GP App 6.1 GP App 6.2
FIPS-CC

iOS 10 √ √ √ √ N/A
(64-bit (64-bit (64-bit (GlobalProtect
devices only) devices only) devices only) app 6.1.0 or
later)

iOS 11 √ √ √ √ N/A
(64-bit (64-bit (64-bit (GlobalProtect
devices only) devices only) devices only) app 6.1.0 or
later)

iOS 12 √ √ √ √ N/A
(64-bit (64-bit (64-bit (GlobalProtect
devices only) devices only) devices only) app 6.1.0 or
later)

iOS 13 √ √ √ √ N/A

5.0.8 & later (64-bit (64-bit (GlobalProtect
devices only) devices only) app 6.1.0 or
(64-bit
later)
devices only)

iOS 14 — √ √ √ N/A
(64-bit (64-bit (GlobalProtect
devices only) devices only) app 6.1.0 or
later)

iOS 15 — √ √ √ N/A
(64-bit (64-bit (GlobalProtect
devices only devices only) app 6.1.0 or
running later)
GlobalProtect
app 5.2.12
or later)

iOS 16 — — √ √ N/A
(64-bit (GlobalProtect
devices only app 6.1.0 or
running later)
GlobalProtect
app 6.0.4 or
later)

iOS 17 — — — √ N/A
(GlobalProtect
app 6.1.0 or
later)

iOS 18 — — — √ N/A
(GlobalProtect
app 6.1.6 or
later)

Google Android
The following table shows compatibility between Google Android versions and GlobalProtect app
versions. For instructions on installing the GlobalProtect app on a Google Android endpoint, see
the installation instructions for 5.1, 5.2, and 6.0.

OS GP App 5.1 GP App 5.2 GP App 6.0 GP App 6.1 GP App 6.2
FIPS-CC

Google √ √ √ N/A N/A


Android 6.x
(Not
supported on
GlobalProtect
app version
6.0.7 and
later)

Google √ √ √ N/A N/A


Android 7.x
(Not
supported on
GlobalProtect
app version
6.0.7 and
later)

Google √ √ √ √ N/A
Android 8.x
(GlobalProtect
app version
6.1.0 or later)

Google √ √ √ √ N/A
Android 9.x
(GlobalProtect
app version
6.1.0 or later)

Google √ √ √ √ N/A
Android 10.x
(GlobalProtect
app version
6.1.0 or later)

Google — √ √ √ N/A
Android 11.x
(GlobalProtect
app version
6.1.0 or later)

Google — √ √ √ N/A
Android 12.x
Starting with (GlobalProtect
GlobalProtect app version
app version 6.1.0 or later)
5.2.10

Google — — √ √ N/A
Android 13.x
6.0.3 or later (GlobalProtect
app version
6.1.0 or later)

Google — — — √ N/A
Android 14.x
(GlobalProtect
app version
6.1.0 or later)

Google — — — √ N/A
Android 15.x
(GlobalProtect
app version
6.1.6 or later)

Chrome OS √ √ √ √ N/A
Systems
(GlobalProtect
Supporting
app version
Android Apps
6.1.0 or later)

Google Chrome
The following table shows compatibility between Google Chrome OS systems supporting Android
apps and GlobalProtect app versions. For instructions on installing the GlobalProtect app on a
Google Chrome endpoint, see the installation instructions for 5.1, 5.2, and 6.0.

OS | GP App 5.1 | GP App 5.2 | GP App 6.0 | GP App 6.1 | GP App 6.2
Chrome OS Systems Supporting Android Apps | √ | √ | √ | N/A | N/A

Internet of Things (IoT)


The following table shows compatibility between IoT platforms and GlobalProtect app versions.
For instructions on installing the GlobalProtect app on an IoT endpoint, see the installation
instructions for 5.1, 5.2, 6.0, and 6.1. See the supported features list to see which GlobalProtect
app features are supported on IoT devices.

OS | GP App 5.1 | GP App 5.2 | GP App 5.3 | GP App 6.0 | GP App 6.1 | GP App 6.2
Android | √ | √ | — | √ | N/A | N/A
Raspbian | √ | √ | — | √ | √ | N/A
Ubuntu | √ | √ | — | √ | √ | N/A
Windows IoT Enterprise | √ | √ | — | √ | √ | N/A

Hypervisors
The following table shows hypervisor support on each GlobalProtect app version.

OS | GP App 5.1 | GP App 5.2 | GP App 5.3 | GP App 6.0 | GP App 6.1 | GP App 6.2
Citrix Xen Desktop | — | — | — | √ (6.0.3 and later) | √ | √
VMWare Horizon and Vcenter | √ | √ | √ | √ | √ | √

Third-Party VPN Client Support


The following topics provide support information for third-party clients:
• What Third-Party VPN Clients are Supported?
• What GlobalProtect Features Do Third-Party Clients Support?
• How Many Third-Party Clients Does Each Firewall Model Support?

What Third-Party VPN Clients are Supported?


The following table lists third-party VPN client support for PAN-OS® software.

For stronger security, higher tunnel capacities, and a greater breadth of features, we
recommend that you use the GlobalProtect™ app instead of a third-party VPN client.

Third-Party IPSec Client | Minimum PAN-OS Version
iOS built-in IPSec client | 9.1
Android built-in IPSec client | 9.1
VPNC on Ubuntu Linux 10.04 and later versions and CentOS 6 and later versions | 9.1
strongSwan on Ubuntu Linux and CentOS* | 9.1

* To set up authentication for strongSwan Ubuntu and CentOS clients for PAN-OS 9.1 and
later releases, refer to the GlobalProtect Administrator’s Guide for your release.

Clients emulating GlobalProtect are not supported.

What GlobalProtect Features Do Third-Party Clients Support?


Third-party clients support the following GlobalProtect™ features:

GlobalProtect Feature | iOS Built-In IPSec Client | Android Built-In IPSec Client | VPNC on Ubuntu Linux 10.04 and later versions and CentOS 6 and later versions | strongSwan on Ubuntu Linux and CentOS
Mixed Authentication Method Support for Certificates or User Credentials | √ | √ | √ | √
IPSec VPN Connections | √ | √ | √ | √
IPv4 Addressing | √ | √ | √ | √
Gateway-Level IP Pools | √ | √ | √ | √
Primary Username Visibility on GlobalProtect Gateways | √ | √ | √ | √

How Many Third-Party Clients Does Each Firewall Model Support?


The following table lists the maximum number of third-party X-Auth IPSec clients supported by
each firewall model.

Palo Alto Networks Firewall Model | Maximum Third-Party X-Auth IPSec Clients

Hardware Firewalls
PA-7080 | 2,000
PA-7050 | 2,000
PA-5450 | 4,000
PA-5440 | 4,000
PA-5430 | 4,000
PA-5420 | 4,000
PA-5410 | 4,000
PA-5280 | 2,500
PA-5260 | 2,500
PA-5250 | 2,000
PA-5220 | 1,500
PA-3440 | 2,000
PA-3430 | 2,000
PA-3420 | 1,500
PA-3410 | 1,500
PA-3260 | 1,500
PA-3250 | 1,500
PA-3220 | 1,000
PA-1420 | 1,400
PA-1410 | 1,400
PA-850 | 500
PA-820 | 500
PA-460 | 1,400
PA-450 | 1,400
PA-445 | 1,400
PA-440 | 1,400
PA-415 | 500
PA-410 | 500
PA-220R | 500
PA-220** | 500

VM-Series Firewalls
VM-700 | 1,000
VM-500 | 500
VM-300 | 500
VM-200 | 500
VM-100 | 500
VM-50 | 125

* PA-220 firewalls are supported only on PAN-OS 10.2 and earlier supported PAN-OS versions.
Refer to hardware end-of-life (EoL) dates for more information about end-of-life products.

What Features Does GlobalProtect Support?


The following table lists the features supported on GlobalProtect™ by operating system (OS). An
entry in the table indicates the first supported release of the feature on the OS (however, you
should review the End-of-Life Summary to ensure you are using a supported release). A dash
(“—”) indicates that the feature is not supported. For recommended minimum GlobalProtect app
versions, see Where Can I Install the GlobalProtect App?.

For Chromebook and other Chrome OS devices, use Android App 5.0 or a later version
to get GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases.
(Refer also to the end-of-life (EoL) information for the GlobalProtect app.)

Feature Android iOS Chrome Windows Windows Windows macOS Linux


10 UWP 365
Cloud PC

Authentication

Multi- — — — 4.0.0 — — 4.0.0 —


Factor
Authentication
Policy

Improvements 6.3.1 —
for Multi
Authentication
CIE
Experience

SAML 4.0.0 4.0.0 4.1.0 4.0.0 — 6.2.5 4.0.0 5.1


Authentication (On-
(GUI-
Demand
based
connect
GlobalProtect
method
app)
only)

SAML 6.0.0 6.0.0 6.0.0 6.0.0 — 6.2.5 6.0.0 6.0.0


Authentication
(On
with
Demand
Cloud
connect
Authentication
method
Service
only)
Note:
Requires
use of
Default

System
Browser

Default 5.2.0 5.2.0 5.2.0 5.2.0 — 6.2.5 5.2.0 5.2.0


System
Browser
for SAML
Authentication

GlobalProtect — — 6.2.6 & — — 6.2.6 —


Support later and & later
for OIDC 6.3.2 and
& later 6.3.2
versions & later
versions

Expired 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 —


Active
(notifications
Directory
only)
Password
Change 5.0.0
for
(full
Remote
support)
Users

Active — — — 4.1.0 — — — —
Directory
Password
Change
Using the
GlobalProtect
Credential
Provider

Mixed 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Authentication
Method
Support
or
Certificates
or User
Credentials

Pre-Logon — — — 4.1.0 — — 4.1.0 —


Followed
by Two-

Factor
Authentication

Pre-Logon — — — 4.1.0 — — 4.1.0 —


Followed
by SAML
Authentication

Single Sign-On (SSO)

SSO — — — 1.2.0 — — — —
(Credential
Provider)

Kerberos — — — 3.0.0 — — 4.1.0 —


SSO

SAML 5.1.0 5.2.0 5.1.0 5.2.0 — 6.2.5 5.2.0 5.2.0


SSO

SSO — — — 6.0.0 — — — —
(Smart
Windows
Card
10 or
Authentication)
later

VPN Connections

IPSec 1.3.0 1.3.0 3.1.1 1.0.0 — 6.2.5 1.0.0 4.1.0

SSL 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 6.2.5 1.0.0 4.1.0

SSL 5.1.0 5.1.0 — 5.1.0 — 6.2.5 5.1.0 5.0.6


Tunnel (CLI)
Enforcement
5.1.0
(web
interface)

Clientless — (no — (no — (no — (no — (no — — (no — (no


VPN client client client client client client client
required) required) required) required) required) required) required)

Connect Methods

User- 1.3.0 1.3.0 5.0.0 1.0.0 3.1.3 6.2.5 1.0.0 4.1.0


logon
(through (Always
(always
extended On
on)
support configured
for the from
GlobalProtect third-
app for party
Android) MDM)

Pre-logon — — — 1.1.0 — — 1.1.0 —


(always-
on)

Pre-logon — — — 3.1.0 — — 3.1.0 —


(then on-
demand)

On- 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 6.2.5 1.0.0 4.1.0


demand

Connect — — — 5.2.0 — — — —
Before
Logon

Conditional — — — 6.2.0 6.2.0 — 6.2.0 —


Connect
Method

Connection Priority

External 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 — 4.0.0 4.1.0


Gateway
Priority
by Source
Region

Internal 4.0.0 4.0.0 — 4.0.0 — — 4.0.0 4.1.0


Gateway
(Except (Except
Selection
DHCP DHCP
by
options) options)
Source IP
Address

Modes

Internal 1.3.0 1.3.0 — 1.0.0 — — 1.0.0 4.1


mode

External 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 — 1.0.0 4.1


mode

Prisma — — — 6.2.0 6.2.0 — 6.2.0 —


Access
Explicit
Proxy
Connectivity
in
GlobalProtect

Networking

Intelligent — — 6.3.1 6.3.1 6.3.1 — 6.3.1 6.3.1


Internal
Host
Detection

Traffic — — 6.3.1 6.3.1 6.3.1 — 6.3.1 6.3.1


Enforcement

IPv4 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 6.2.5 1.0.0 4.1


Addressing

IPv6 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 6.2.5 4.0.0 4.1


Addressing

Split — 4.0.0 4.0.0 4.0.0 4.0.0 6.2.5 4.0.0 4.1


Tunnel to
Exclude
by Access
Route

Optimized — — — 4.1.0 — — 4.1.0 6.1.0


Split
Domain-
Tunneling
based
for
split
GlobalProtect
tunneling
only;
application-
based
split

tunneling
not
supported

Enhanced — — — 6.2.0 6.2.0 6.2.5 6.2.0 —


Split
Tunneling

Wildcard — — — 6.3.1 — 6.3.1 6.3.1 —


Support
for Split
Tunnel
Settings
Based
on the
Application

Split DNS — 6.1.6 — — — — — —


for iOS

Split DNS — — — 5.2.0 — 6.2.5 5.2.0 6.1.0

Per-App 4.0.0 4.0.0 —


VPN

No Direct — — — 4.0.0 — — 4.0.0 6.0.0


Access
to Local
Network

Endpoint — — — 6.0.0 — — 6.0.0 —


Traffic
Windows macOS
Policy
10 or 11 and
Enforcement
later later

Customization

Autonomous — — — 5.2.6 — — 5.2.6 —


DEM
Integration
for User
Experience
Management

GlobalProtect 5.2.5 5.2.5 5.2.5 5.2.5 — — 5.2.5 5.2.5


App Log

Collection
for
Troubleshooting

Configurable 5.2.4 5.2.4 5.2.4 5.2.4 5.2.4 — 5.2.4 5.2.4


Maximum
Transmission
Unit for
GlobalProtect
Connections

Connect — — — 5.2.0 — — — —
Before
Logon

User- - - - 5.0.3 - — - -
Initiated
Pre-Logon
Connection

Support 5.0.3 5.0.7 - 5.0.3 - — 5.0.3 -


for
Preferred
Gateways

GlobalProtect 5.0.0 5.0.0 - 5.0.0 - — 5.0.0 -


Gateway
Location
Configuration

Automatic - - - 4.1.0 - — 4.1.0 -


Launching
of Web
Browser
in Captive
Portal
Environment

GlobalProtect - - - 4.1.0 - — - -
Tunnel
Preservation
On User
Logout

Endpoint 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Tunnel

Configurations
Based on
Source
Region
or IP
Address

Portal 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Configuration
Assignment
and HIP-
Based
Access
Control
Using
New
Endpoint
Attributes

HIP 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Report
Redistribution

DNS 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Configuration
Assignment
Based
on Users
or User
Groups

Tunnel 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Restoration
and
Authentication
Cookie
Usage
Restrictions

Concurrent 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Support
for IPv4
and IPv6
DNS
Servers

Support 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


for IPv6-
Only
GlobalProtect
Deployment

FIPS-CC — — — FIPS — — FIPS 6.0.7


Validated Validated
on 5.1.4 on
5.1.4
CC
Certified CC
on 5.1.5 Certified
on
x86
5.1.5
platforms
x86
FIPS-CC
platforms
available
on 6.0.7 FIPS-
CC
available
on
6.0.7

MDM 5.0.0 5.0.0 — — — — — —


Integration
for HIP-
Based
Policy
Enforcement

Captive 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 — 4.1.0 4.1.0


Portal
Notification
Delay

Tunnel — — — 4.1.7 — — 4.1.7 —


Connections
Over
Proxies

PAC — — — 6.1.0 — — 6.1.0 6.1.0


deployment
via
GlobalProtect
app

End-user — — — 6.1.0 — — 6.1.0 6.1.0


Notification
about
GlobalProtect
Session
Logout

GlobalProtect — — — 4.1.0 — — — —
Credentials
Provider
Pre-Logon
Connection
Status

Static IP — — — 4.1.0 — — — —
Address
Assignment

Multiple — — — 4.1.0 — — 4.1.0 —


Portal
Support

Customizable 4.1.0 4.1.0 — 4.1.0 4.1.0 — 4.1.0 4.1.0


Username
and
Password
Labels

Gateway- 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 — 4.0.0 4.1.0


Level IP
Pools

Resilient 4.0.3 4.0.3 — 4.0.3 — — 4.0.3 —


VPN

Pre-logon — — — 4.0.2 — — — —
tunnel
rename
timeout

Restrict — — — 4.0.0 — — 4.0.0 —


Transparent
Agent
Upgrades
to Internal

Network
Connections

Enforce — — — 3.1.0 3.1.3 6.2.5 3.1.0 —


GlobalProtect
(VPN
for
Lockdown
Network
configured
Access
from
third-
party
MDM)

Enforce — — — 5.1.0 — 6.2.5 5.1.0 —


GlobalProtect
Exclusions

Enforce — — — 5.2.0 — 6.2.5 5.2.0 —


GlobalProtect
Connections
with
FQDN
Exclusions

Certificate — — — 3.0.0 — — 3.0.0 —


selection
by OID

Deployment — — — 3.0.0 — 6.2.5 3.0.0 —


of SSL
Forward
Proxy CA
certificates
in the
trust store

HIP 1.3.0 1.3.0 3.0.0 1.0.0 3.1.3 6.2.5 1.0.0 4.1.0


reports
(Host (Host
information information
only; only)
Notifications
not
supported)

| Feature | Android | iOS | Chrome | Windows | Windows 10 UWP | Windows 365 Cloud PC | macOS | Linux |
|---|---|---|---|---|---|---|---|---|
| Run scripts before and after sessions | — | — | — | 2.3.0 | — | — | 2.3.0 | — |
| Allow users to disable GlobalProtect | 6.0 | — | — | 2.2.0 | — | — | 2.2.0 | 4.1.0 |
| Welcome and help pages | 1.3.0 | 1.3.0 | 3.0.0 | 1.0.0 | — | — | 1.0.0 | — |
| HIP Exceptions for Patch Management | — | — | — | 6.2.0 | 6.2.0 | — | 6.2.0 | — |
| HIP Process Remediation | — | — | — | 6.2.0 | 6.2.0 | — | 6.2.0 | — |
| Extend User Session for GlobalProtect Users | — | — | — | 6.2.0 | 6.2.0 | — | 6.2.0 | — |
| Other | | | | | | | | |
| Support for 100 Manual Gateways | 5.0.3 | 5.0.7 | — | 5.0.3 | — | — | 5.0.3 | 5.0.3 |

GlobalProtect6.0.8, 6.0.8, 6.0.8, 6.0.8, 6.0.8, — 6.0.8, 6.0.8,


Portal and 6.1.3,6.2.1,6.1.3,6.2.1,6.1.3,6.2.1,6.1.3,6.2.1, 6.1.3,6.2.1, 6.1.3,6.2.1,
6.1.3,6.2.1,
Gateway or later or later or later or later or later or or
Support versions versions versions versions versions later later
for versions versions
(Minimum
TLSv1.3
version (Ubuntu
of 20)
Windows

11
required)

| Feature | Android | iOS | Chrome | Windows | Windows 10 UWP | Windows 365 Cloud PC | macOS | Linux |
|---|---|---|---|---|---|---|---|---|
| User Location Visibility on GlobalProtect Gateways and Portals | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | 4.1.0 | — | 4.1.0 | 4.1.0 |
| Gateway and Portal Location Visibility for End Users | 5.0.0 | 5.0.0 | — | 5.0.0 | — | — | 5.0.0 | — |
| Primary Username Visibility on GlobalProtect Gateways | 4.0.0 | 4.0.0 | 4.0.0 | 4.0.0 | 4.0.0 | — | 4.0.0 | 4.1.0 |
| Automatic VPN Reconnect for Chromebooks | — | — | 4.1.0 | — | — | — | — | — |
| Support for Native Certificate Store for Prisma Access and GlobalProtect App on Linux Endpoints | — | — | — | — | — | — | — | 6.2.0 or later versions |
| Enhanced HIP Remediation Process | — | — | — | 6.3.0 or later versions | — | — | 6.3.0 or later versions | — |
| Enhancements for Authentication Using Smart Cards | — | — | — | 6.3.0 or later versions | — | — | 6.3.1 or later versions | — |
| Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts | — | — | — | 6.3.0 or later versions | — | — | 6.3.0 or later versions | — |

Intelligent 6.3 (Pre- — 6.3


Portal logon
(Always
On)
connect
method
only)

| Feature | Android | iOS | Chrome | Windows | Windows 10 UWP | Windows 365 Cloud PC | macOS | Linux |
|---|---|---|---|---|---|---|---|---|
| DHCP Based IP Address Assignment and Management for GlobalProtect | 6.0.8 or later versions | 6.0.8 or later versions | — | 6.0.8, 6.2.1 or later versions | 6.0.8, 6.2.1 or later versions | — | 6.0.8, 6.2.1 or later versions | 6.0.8 or later versions |
| Best Gateway Selection Criteria | — | — | — | 6.3.1 | — | — | 6.3.1 | — |
| CLI Support for SAML Authentication with Default Browser for GlobalProtect App on Linux Endpoints | — | — | — | — | — | — | — | 6.2.1 or later versions |
| Identification and Quarantine of Compromised Devices (Deprecates Device Block List) | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | — | 5.1.0 | 5.1.0 |

TEST: What Features Does GlobalProtect Support?


This topic lists the features supported on GlobalProtect™ by operating system (OS). An entry
in the table indicates the earliest supported release of the feature on the OS (the End-of-Life
Summary contains information on supported releases). A dash (“—”) indicates that the feature is
not supported. For recommended minimum GlobalProtect app versions, see Where Can I Install
the GlobalProtect App?.

For Chromebook and other Chrome OS devices, use Android App 5.0 or a later version to
get GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases.

Click on the appropriate feature category to review the supported features:


• Authentication Features
• Single Sign-On

Authentication Features
GlobalProtect supports the following authentication features.

| Feature | Minimum Supported Version Android | Minimum Supported Version iOS | Minimum Supported Version Chrome | Minimum Supported Version Windows | Minimum Supported Version Windows 10 UWP | Minimum Supported Version macOS | Minimum Supported Version Linux |
|---|---|---|---|---|---|---|---|
| Multi-Factor Authentication Policy | — | — | — | 5.1.0 | — | 5.1.0 | — |

SAML 5.1.0 5.1.0 5.1.0 5.1.0 — 5.1.0 5.1.0


Authentication (On-
(GUI-
Demand
based
connect
GlobalProtect
method
app)
only)

SAML 6.0.0 6.0.0 6.0.0 6.0.0 — 6.0.0 6.0.0


Authentication
(On
with Cloud
Demand
Authentication
connect
Service
method
Note: only)
Requires
use of
Default

Palo Alto Networks Compatibility Matrix 252 ©2024 Palo Alto Networks, Inc.
GlobalProtect

Feature Minimum Minimum Minimum Minimum Minimum Minimum Minimum


Supported Supported Supported Supported Supported Supported Supported
Version Version Version Version Version Version Version
Android iOS Chrome Windows Windows macOS Linux
10 UWP
System
Browser

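| Feature | Minimum Supported Version Android | Minimum Supported Version iOS | Minimum Supported Version Chrome | Minimum Supported Version Windows | Minimum Supported Version Windows 10 UWP | Minimum Supported Version macOS | Minimum Supported Version Linux |
|---|---|---|---|---|---|---|---|
| Default System Browser for SAML Authentication | 6.0.0 | 6.0.0 | 6.0.0 | 6.0.0 | — | 6.0.0 | 6.0.0 |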

Expired 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 —


Active
(notifications
Directory
only)
Password
Change for 5.0.0
Remote
(full
Users
support)

| Feature | Minimum Supported Version Android | Minimum Supported Version iOS | Minimum Supported Version Chrome | Minimum Supported Version Windows | Minimum Supported Version Windows 10 UWP | Minimum Supported Version macOS | Minimum Supported Version Linux |
|---|---|---|---|---|---|---|---|
| Active Directory Password Change Using the GlobalProtect Credential Provider | — | — | — | 5.1.0 | — | — | — |
| Mixed Authentication Method Support or Certificates or User Credentials | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 | 5.1.0 |
| Pre-Logon Followed by Two-Factor Authentication | — | — | — | 5.1.0 | — | 5.1.0 | — |
| Pre-Logon Followed by SAML Authentication | — | — | — | 5.1.0 | — | 5.1.0 | — |

Single Sign-On
GlobalProtect supports the following single sign-on features.

| Feature | Minimum Supported Version Android | Minimum Supported Version iOS | Minimum Supported Version Chrome | Minimum Supported Version Windows | Minimum Supported Version Windows 10 UWP | Minimum Supported Version macOS | Minimum Supported Version Linux |
|---|---|---|---|---|---|---|---|
| SSO (Credential Provider) | — | — | — | 5.1.0 | — | — | — |
| Kerberos SSO | — | — | — | 5.1.0 | — | 5.1.0 | — |
| SAML SSO | 5.1.0 | 6.0.0 | 6.0.0 | 6.0.0 | — | 6.0.0 | 6.0.0 |
| SSO (Smart Card Authentication) | — | — | — | 6.0.0 Windows 10 or later | — | — | — |

What Features Does GlobalProtect Support for IoT?


The following table describes the features supported for GlobalProtect™ IoT by OS:

| Feature | Android | Raspbian | Ubuntu | Windows IoT Enterprise |
|---|---|---|---|---|
| IPSec VPN | √ | √ | √ | √ |
| SSL VPN | √ | √ | √ | √ |
| Pre-Logon Connect Mode | — | — | — | √ |
| User-Logon Connect Mode | √ Certificate or username and password | √ Certificate or username and password | √ Certificate or username and password | √ Certificate or username and password |
| On-Demand Connect Mode | — | — | — | √ |
| External Gateway Priority by Source Region | √ | √ | √ | √ |

Internal √ √ √
Gateway
Selection by
Source IP
Address

| Feature | Android | Raspbian | Ubuntu | Windows IoT Enterprise |
|---|---|---|---|---|
| Internal Mode | √ | √ | √ | √ |
| External Mode | √ | √ | √ | √ |
| IPv4 Addressing | √ | √ | √ | √ |
| IPv6 Addressing | √ | √ | √ | √ |
| Split Tunnel Based on Access Route | √ | √ | √ | √ |
| Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application | — | — | — | √ |
| Multiple Portal Support | — | — | — | √ |
| Resilient VPN | √ | √ | √ | √ |
| Pre-Logon Tunnel Rename Timeout | — | — | — | √ |
| Restrict Transparent App Upgrades to Internal Network Connections | √ | — | — | √ |
| Enforce GlobalProtect for Network Access | √ | — | — | √ |
| Deployment of SSL Forward Proxy CA Certificates in the Trust Store | √ | √ | √ | √ |
| HIP Reports | √ | √ | √ | √ |
| Run Scripts Before and After Sessions | — | √ | √ | √ |

Certificate — — √
Selection by
OID

| Feature | Android | Raspbian | Ubuntu | Windows IoT Enterprise |
|---|---|---|---|---|
| Allow Users to Disable GlobalProtect | — | — | — | √ |
| Multi-Factor Authentication (MFA) | — | — | — | √ |
| SAML Authentication | — | — | — | √ |
| Expired Active Directory (AD) Password Change for Remote Users | — | — | — | √ |
| Active Directory (AD) Password Change Using the GlobalProtect Credential Provider | — | — | — | √ |
| SSO (Credential Provider) | — | — | — | √ |
| Kerberos SSO | — | — | — | √ |
| Welcome and Help Pages | — | — | — | √ |
| Headless-Mode Without Icon, Pop-Up, Dialogs, and UI | √ | √ | √ | √ |

What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?
The following table lists the GlobalProtect™ features supported on third-party mobile device
management (MDM) systems. A dash (“—”) indicates that the feature is not supported.

Feature Workspace Microsoft MobileIron Google Jamf Pro


ONE Intune Admin
Console

GlobalProtect √ √ √ √ √
App
(macOS
Deployment
only;
requires
GlobalProtect
app 6.1 or
later)

Always on VPN √ √ √ √ —
Configuration
(iOS and (Android, (iOS and (Android
Android iOS, and Android only)
only) Windows 10 only)
UWP only)

Remote √ √ √ √ —
Access VPN
(iOS and (Android and (iOS only)
Configuration
Android iOS only)
only)

Per-App VPN √ √ √ — —
Configuration
(Android, (iOS only)
iOS, and
Windows 10
UWP only)

MDM √ — — — —
Integration with
HIP

VPN Lockdown √ — — — —

Prisma Access
The following topics provide support information for Prisma® Access:
• What Features Does Prisma Access Support?
• Prisma Access and Panorama Version Compatibility


What Features Does Prisma Access Support?


Prisma® Access helps you to deliver consistent security to your remote networks and mobile
users. There are two ways that you can deploy and manage Prisma Access:
• Cloud Managed Prisma Access—If you're not using Panorama™ software to manage your next-
generation firewalls, the Prisma Access app on the hub gives you a simplified way to onboard
and manage Prisma Access.
• Panorama Managed Prisma Access—If you're already using Panorama software to manage
your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage
your existing configurations. However, you’ll need the Cloud Services plugin to use Panorama
for Prisma Access.
The features and IPSec parameters supported for Prisma Access vary depending on the
management interface you’re using—Panorama or the Prisma Access app. You cannot switch
between the management interfaces after you activate your Prisma Access license. This means
you must decide how you want to manage Prisma Access before you begin setting up the product.
Review the Prisma Access Feature Support information to help you select your management
interface.
For a description of the features supported in GlobalProtect™, see the features that
GlobalProtect supports.
• Prisma Access Feature Support
• Integration with Other Palo Alto Networks Products
• Multitenancy Unsupported Features and Functionality


Prisma Access Feature Support


The following sections provide you with the supported features and network settings for Prisma
Access (both Panorama managed and Cloud managed).
• Management
• Remote Networks
• Service Connections
• Mobile Users—GlobalProtect
• Mobile Users—Explicit Proxy
• Security Services
• Network Services
• Identity Services
• Policy Objects
• Logs
• Reports


Management
| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Best Practice Checks | √ Learn more | — |
| Default Configurations. Default settings enable you to get started quickly and securely | √ Examples include: Default DNS settings; Default GlobalProtect settings, including for the Prisma Access portal; Default Prisma Access infrastructure settings | — |
| Built-in Best Practice Rules. To ensure that your network is as secure as possible, enable your users and applications based on best practice templates. With best practices as your basis, you can then refine policy based on your enterprise needs. | √ Features with best practice rules include: Security rules; Security profiles; Decryption; M365 | — |
| Onboarding Walkthroughs for First-Time Setup | √ Learn more. Guided walkthroughs include: Onboard Remote Networks; Onboard Mobile Users (GlobalProtect); Onboard Your HQ or Data Centers; Turn on Decryption | — |
| Centralized Management Dashboards. These can include best practice scores and usage information | √ Dashboards are available for features including: Security Policy; Security Profiles; Decryption; Authentication; Certificates; SaaS Application Management | — |

Hit Counts √ √ Learn more


Hit counts for Security
profiles include counts
that measure the profile’s
effectiveness, and these
can depend on the profile
(for example, unblocked
critical and high severity
vulnerabilities, or WildFire
submission types).

Policy Rule Usage √

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Policy Optimizer | √ | √ |
| Profile Groups | √ Learn more | √ |
| Configuration Table Export | — | √ |

Remote Networks
Feature Prisma Access (Cloud Prisma Access (Panorama
Managed) Managed)

IPSec Tunnels √ √
See the list of Supported IKE
Cryptographic Parameters.
We do not support FQDNs
for peer IPSec addresses; use
an IP address for the peer
address instead.

Secure Inbound Access √ Learn more √ Learn more

Tunnel Monitoring

Dead Peer Detection (DPD) √ √

ICMP √ √

Bidirectional Forwarding — —
Detection (BFD)

SNMP — —
Use Tunnel Monitoring
instead of SNMP to monitor
the tunnels in Prisma Access.


Service Connections
Feature Prisma Access (Cloud Prisma Access (Panorama
Managed) Managed)

IPSec Tunnels √ √
See the list of Supported IKE We do not support FQDNs
Cryptographic Parameters. for peer IPSec addresses; use
an IP address for the peer
address instead.

Tunnel Monitoring

Dead Peer Detection (DPD) √ √

ICMP √ √

Bidirectional Forwarding — —
Detection (BFD)

SNMP — —
Use Tunnel Monitoring
instead of SNMP to monitor
the tunnels in Prisma Access.

Traffic Steering √ Learn more √ Learn more


(using policy-based Introduced in 1.7.
forwarding rules to forward
internet-bound traffic to
service connections)


Mobile Users—GlobalProtect
Feature Prisma Access (Cloud Prisma Access (Panorama
Managed) Managed)

Using On-Premises Gateways (Hybrid Deployments)

On-premises gateway √ √
integration with Prisma
We support using on-
Access
premises gateways with
Prisma Access gateways.

Priorities for Prisma Access √ √


and On-Premises Gateways
Supported for deployments
that have on-premises
GlobalProtect gateways. You
can set a priority separately
for on-premises gateways
and collectively for all
gateways in Prisma Access.
You can also specify source
regions for on-premises
gateways.

Manual Gateway Selection √ Learn more √ Learn more


Users can manually select
a cloud gateway from their
client machines using the
GlobalProtect app.

GlobalProtect Gateway Modes

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| External Mode | √ | √ |
| Internal Mode | √ Introduced in 5.1 Preferred and Innovation. If you are running a version below 5.1 Innovation, you can add one or more on-premise gateways and configure them as internal gateways. | √ Introduced in 5.1 Preferred and Innovation. If you are running a version below 5.1 Innovation, you can add one or more on-premise gateways and configure them as internal gateways. |


GlobalProtect App Connect Methods

User-Logon (always on) √ √

Pre-Logon (always on) √ √

Pre-Logon (then on-demand) √ √

On-Demand √ √

Clientless VPN

Clientless VPN √ Learn more √ Learn more

Mobile User—GlobalProtect Features

Support for Multiple Username Formats √ √

Mobile Device Management — √ Learn more


(MDM)

MDM Integration with HIP √ √


Prisma Access does not
support AirWatch MDM
HIP service integration;
however, you can use the
GlobalProtect App for
iOS and Android MDM
Integration for HIP-Based
Policy Enforcement

Optimized Split Tunneling for √ √


GlobalProtect

Administratively Log Out √ √ Learn more


Mobile Users
Introduced in 1.4.

DHCP — —
Prisma Access uses the IP
address pools you specify
during mobile user setup
to assign IP addresses to

mobile users and does not
use DHCP.

GlobalProtect App Version √ √ Learn more


Controls
One-click configuration for
GlobalProtect agent log
collection


Mobile Users—Explicit Proxy

Feature Prisma Access (Cloud Prisma Access (Panorama


Managed) Managed)

Explicit Proxy Support √ Learn more √ Learn more


Introduced in 2.0 Innovation.

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security | √ Learn more. Introduced in 4.0 Preferred with GlobalProtect app version 6.2 | √ Learn more. Introduced in 4.0 Preferred with GlobalProtect app version 6.2 |

Security Services

Feature Prisma Access (Cloud Prisma Access (Panorama


Managed) Managed)

Security Policy √ √

DoS Protection √ √
The Prisma Access
infrastructure manages DoS
protection.

SaaS Application √ Learn more —


Management
Supported for:
• Microsoft 365 apps

Includes
a guided
walkthrough
to safely
enable M365
• Google apps
• Dropbox
• YouTube

IoT Security √ √

Security Profiles

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Supported Profile Types | √ Antispyware; DNS Security; Vulnerability Protection; WildFire and Antivirus; URL Filtering; File Blocking; Data Loss Prevention (DLP); HTTP Header Insertion | √ Antispyware; DNS Security (enabled via an Antispyware profile); Vulnerability Protection; Antivirus; WildFire; URL Filtering; File Blocking; Data Loss Prevention (DLP) |


Dashboards for Security √ Learn more —


Profiles
Dashboards are tailored to
each profile, and give you:
• centralized management
for security service
features
• visibility into profile usage
and effectiveness
• access to cloud databases
(search for threat
coverage, for example)

Best Practice Scores for √ Learn more —


Security Profiles

Response pages √ √
We support HTTP response pages for mobile users and users at remote networks.
To use HTTPS response pages, open a CLI session in the Panorama that manages
Prisma Access, enter the
set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes
command in configuration mode, and commit your changes.

HTTP Header Insertion

HTTP Header Insertion √ √


Profiles

Decryption

Decryption Policies √ √

Decryption Profiles √ √


Automatic SAN Support for √ √


SSL Decryption

SSL Forward Proxy √ √

SSL Inbound Inspection — √

SSH Proxy — √

Guided Walkthrough: √ —
Turn on Decryption


Network Services
Feature Prisma Access (Cloud Prisma Access (Panorama
Managed) Managed)

Network Services

Quality of Service (QoS) √ √


Prisma Access uses the same We introduced QoS
QoS policy rules and QoS for Remote network
profiles and supports the deployments that allocate
same DSCP markings as bandwidth by compute
Palo Alto Networks Next- location in 3.0 Preferred.
Generation Firewalls.

Application Override √ √

IPv4 Addressing √ √

IPv6 Addressing √ √
You can access internal
(private) apps that use IPv6
addressing.
Introduced in 2.2 Preferred.

Split Tunnel Based on Access √ √


Route

Split Tunnel Based on √ √


Destination Domain, Client
Process, and Video Streaming
Application

NetFlow — —

NAT √ √
Prisma Access automatically
manages outbound NAT; you
cannot configure the settings.

SSL VPN Connections √ √

Routing Features

Static Routing √ √


Dynamic Routing (BGP) √ √

Dynamic Routing (OSPF) — —

High Availability

High availability Palo Alto Networks maintains √


Availability.

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| SMTP | √ Prisma Access sometimes blocks SMTP port 25 for security reasons and to mitigate the risk from known vulnerabilities that exploit nonsecure SMTP. Palo Alto Networks recommends using ports 465, 587, or an alternate port 2525 for SMTP. | √ Prisma Access sometimes blocks SMTP port 25 for security reasons and to mitigate the risk from known vulnerabilities that exploit nonsecure SMTP. Palo Alto Networks recommends using ports 465, 587, or an alternate port 2525 for SMTP. |

Identity Services
| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Authentication Types | | |
| SAML | √ | √ |
| Cloud Identity Engine | √ Requires 3.0 Innovation or a later Innovation release. | √ Requires 3.0 Innovation or a later Innovation release. |
| TACACS+ | √ | √ |
| RADIUS | √ | √ |

LDAP √ √
On-Premises LDAP
Authentication

Kerberos √ √
We support Kerberos only on Kerberos SSO
Windows clients.

MFA √ √
Multi-Factor Authentication
(MFA)

Local Database √ √
Authentication

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Authentication Features | | |
| Authentication Rules | √ | √ |
| Authentication Portal | √ | √ |
| Certificate-Based Authentication | √ Supported for both IPSec and mobile users with GlobalProtect. | √ Supported for both IPSec and mobile users with GlobalProtect. |
| RADIUS Vendor-Specific Attributes (VSAs) | — | — |
| Framed IP-Address retrieval from a RADIUS server | — | — |
| Extensible Authentication Protocol (EAP) Support for RADIUS | √ | √ |
| Single Sign-On (SSO) | √ | √ |
| Terminal Server (TS) Agent | √ Supported for the following platforms: Citrix XenApp 7.x; Windows Server 2019; Windows 10 Enterprise Multi-session. We support a maximum of 400 TS agents. | √ Supported for the following platforms: Citrix XenApp 7.x; Windows Server 2019; Windows 10 Enterprise Multi-session. We support a maximum of 400 TS agents. |

Cloud Identity Engine (Directory Sync Component)

Directory Sync for User and √ √


Group-Based Policy
Supports on-premises Active You can retrieve user and
Directory and Azure Active group information using the
Directory. Directory Sync component of
the Cloud Identity Engine.
• Learn more
Prisma Access supports on-
premises Active Directory,
Azure Active Directory, and
Google IdP.
Introduced in 1.6.
Support for Azure Active
Directory introduced in 2.0
Preferred.
Support for Google IdP
introduced in 3.0 Preferred
and Innovation.


Identity Redistribution √ √
• IP address-to-username
mappings
• HIP
• Device Quarantine
• IP-Tag
• User-Tag

Ingestion of IP address-to- — √
username mappings from a
third-party integration (NAC)

Include username in HTTP √ √


header insertion entries
Introduced in 1.7.
Requires Panorama running
PAN-OS 9.1.1 or a later
supported PAN-OS version.


Policy Objects
| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Addresses | √ | √ |
| Address Groups | √ | √ |
| Dynamic Address Groups (DAGs) and Auto-Tags | — | — |
| XML API - Based Dynamic Address Group Updates | — | √ |
| Regions | √ | √ |
| Dynamic User Groups (DUGs) | √ | √ |
| App-ID (Applications) | √ | √ |

Simplified Application √ —
Dependency Workflow (App
We do not support commit
Dependency tab for commits)
warnings for Prisma Access.

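| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Service-Based Session Timeouts | √ | √ Learn more |
| Application Groups | √ | √ |
| Application Filters | √ | √ |
| Services | √ | √ |
| Service Groups | √ | √ |
| Tags | √ | √ |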

Streamlined Application- √ √
Based Policy (Tag-based
Introduced in 1.7.
application filters)
Requires Panorama running
PAN-OS 9.1.1 or a later
supported PAN-OS version.

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Auto-Tag Actions | √ | √ |
| HIP Objects | | |
| HIP | √ | √ |
| HIP Match Log | √ | √ |
| HIP-Based Security Policy | √ | √ |
| HIP Notifications | √ | √ |
| HIP Report Submission | √ | √ |
| HIP Checks | √ | √ |
| HIP Report Viewing | — | √ Introduced in 1.5. |

HIP Redistribution √ √
Introduced in 1.5.

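| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| HIP Objects and Profiles | √ | √ |
| External Dynamic Lists | √ | √ |
| Certificate Management | | |
| Custom Certificates | √ | √ |
| Palo Alto Networks Issued Certificates | √ | √ |
| Certificate Profiles | √ | √ |
| Custom Certificates | √ | √ |
| SSL/TLS Service Profiles | √ | √ |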

SSL √ √
We support SSL only for
mobile users, not for site-to-
site VPNs.

| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| SCEPs | √ | √ |
| OCSP Responders | √ | √ |
| Default Trusted Certificate Authorities | √ | √ |

Logs
Feature Prisma Access (Cloud Prisma Access (Panorama
Managed) Managed)

Enhanced Application √ √
Logging

Strata™ Logging Service √ √


(formerly Cortex® Data Lake)
Log Storage

Log Forwarding App √ √


Forward logs stored in Strata
Logging Service to syslog and
email destinations

Log Forwarding Profiles √ √


Default Log Forwarding We do not support HTTP,
profile SNMP, auto-tagging in Built-
in Actions.

Enhanced Mobile Users √ √


Visibility for Administrators
Introduced in 1.7.
(GlobalProtect logs)
Requires Panorama running
PAN-OS 9.1.1 or a later
supported PAN-OS version.
If you use Panorama running
a PAN-OS 9.0 (EoS) version,
you can still see traffic and
HIP logs from Panorama but
you need to use the Explore
app from the Hub to see the
remaining logs.


Reports
Feature Prisma Access (Cloud Prisma Access (Panorama
Managed) Managed)

Reports √ Learn More √ Learn more


You can also use Dashboards Introduced in Prisma Access
for a comprehensive view of 1.8.
the applications, ION devices,
threats, users, and security
subscriptions at work in your
network.

App Report √ Learn more √ Learn more


This feature has the following
Strata Logging Service-based
limitation:
SaaS Application Usage
report (Monitor > PDF
Reports > SaaS Application
Usage)—You cannot filter
the logs for user groups (we
do not support the Include
user group information in the
report option).

Usage Report √ Learn more √ Learn more

User Activity Report √ Learn more √ Learn more

Best Practices Report √ Learn more √

WildFire Reports √ Learn More √


Support introduced in 2.0
Innovation.


Integration with Other Palo Alto Networks Products


| Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
| Cortex XSOAR integration | — | √ We support source IP-based allow lists and malicious user activity detection. |
| Enterprise Data Loss Prevention (DLP) integration | √ | √ |
| Cortex XDR integration | √ Prisma Access is compatible with the Cortex XDR version of Strata Logging Service. Cortex XDR receives Prisma Access log information from Strata Logging Service (formerly Cortex Data Lake). | √ Prisma Access is compatible with the Cortex XDR version of Strata Logging Service. Cortex XDR receives Prisma Access log information from Strata Logging Service (formerly Cortex Data Lake). |
| Prisma SaaS integration | √ We support SaaS visibility with Strata Logging Service. | √ We support SaaS visibility with Strata Logging Service. |

Multitenancy Unsupported Features and Functionality


We do not support the following Prisma Access (Panorama managed) features in a multitenant
deployment:
• Dynamic DNS Registration Support for Mobile Users—GlobalProtect
• IoT Security
In addition, a Panorama managed multitenant deployment has changes to the following
functionality:
• You cannot view your Panorama managed tenants under Common Services: Tenant
Management.
• For Panorama Managed Prisma Access, continue to use Panorama for managing Prisma Access
and the admin access that Panorama controls locally. You cannot manage users, roles, and
services accounts using Common Services: Identity and Access for Panorama Managed Prisma
Access. However, you can use Common Services: Identity and Access for managing other apps
such as ADEM and Insights.
• You cannot use the Prisma Access APIs in pan-dev.
The following Prisma Access components and add-ons have the following caveats when used in a
multitenant deployment:
• For Prisma Access—Explicit Proxy deployments, if you have an existing Prisma Access non-
multitenant deployment and convert it to a multitenant deployment, only the first tenant
(the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the
multitenant deployment after the first one do not support Explicit Proxy.
• SaaS Security and Enterprise Data Loss Prevention (Enterprise DLP) support multitenancy with
the following restrictions:
  • Only a superuser on Panorama can create DLP profiles and patterns and can associate DLP
    profiles to Security policy rules for tenants.
  • A superuser must commit all changes to Panorama whenever they make changes in DLP
    profiles and patterns.
  • All tenants share a single copy of profiles and pattern configurations and, therefore, changes
    occur on all tenants.
  • Since Security policy rules can be different across tenants, each tenant can have different
    data filtering profiles associated with Security policy rules.
• You can use Prisma SD-WAN integration and Configuring multiple portals in Prisma Access
only with one tenant per multitenant deployment.
• If you enable high availability (HA) with active and passive Panorama appliances in a
multitenant deployment, you cannot change the HA pair association after you enable
multitenancy.


Prisma Access and Panorama Version Compatibility


This section provides you with the minimum and maximum versions of Panorama™ to use with
Prisma® Access, along with the end-of-service (EoS) dates for Panorama software versions with
Prisma Access.
• Supported IKE Cryptographic Parameters
• Minimum Required Panorama Software Versions
• End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access


Supported IKE Cryptographic Parameters


The following table documents the IKE cryptographic settings that we support with Prisma®
Access.

| Component | Phase 1 Supported Crypto Parameters | Phase 2 Supported Crypto Parameters |
| --- | --- | --- |
| Encryption | 3DES, AES-128, AES-192, AES-256 | Null (not recommended), DES, 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM, AES-192-GCM, AES-256-GCM |
| Authentication/Integrity | MD5, SHA-1, SHA-256, SHA-384, SHA-512 | None (supported with Galois/Counter Mode (GCM)), MD5, SHA-1, SHA-256, SHA-384, SHA-512 |
| DH Group | Group 1, Group 2, Group 5, Group 14, Group 19, Group 20 | No PFS (not recommended), Group 1, Group 2, Group 5, Group 14, Group 19, Group 20 |
| Security Association (SA) Lifetime | Configurable | Configurable |
| SA Lifebytes | N/A | Configurable |

We support only SHA1 in IKE Crypto profiles (Phase 1) with IKEv2 with certificate-based authentication.


Minimum Required Panorama Software Versions


The Cloud Services plugins require the following minimum Panorama™ software versions.
For more information about the versions used with Prisma Access, including the recommended
Panorama and GlobalProtect versions, see the Prisma Access Release Notes for your Release:
• Prisma Access 5.2
• Prisma Access 5.1
• Prisma Access 5.0, 5.0.1, 4.0, 4.1, and 4.2

Due to the fast-paced release cycle for Prisma Access and the Cloud Services plugin, the
software end-of-support (EoS) dates for Panorama appliances for managing Prisma
Access vary from the software end-of-life (EoL) dates for PAN-OS and Panorama releases.
These exceptions apply only to Panorama version compatibility with Prisma Access.

| Cloud Services Plugin Version | Minimum Required Panorama Version |
| --- | --- |
| 5.2 and 5.2.1 Preferred and Innovation | PAN-OS 11.2.3 (required for 5.2 Innovation) or PAN-OS 11.2.4 (required for 5.2.1 Innovation); PAN-OS 10.2.10 (required for 5.2 and 5.2.1 Preferred) |
| 5.1 and 5.1.1 Preferred and Innovation | PAN-OS 11.2 (required for 5.1 and 5.1.1 Innovation); PAN-OS 10.2.4 (required for 5.1 and 5.1.1 Preferred) |
| 4.0, 4.1, and 4.2 Preferred; 5.0 and 5.0.1 Preferred and Innovation | PAN-OS 11.1.0 or a later PAN-OS 11.1 version; PAN-OS 11.0.0 or a later PAN-OS 11.0 version (running Panorama with PAN-OS 11.0 or PAN-OS 11.1 does not give you access to PAN-OS 11.0 features in Prisma Access); PAN-OS 10.2.3 or a later PAN-OS 10.2 version; PAN-OS 10.1.7 or a later PAN-OS 10.1 version (you must have a Panorama appliance running PAN-OS 10.2 to take advantage of the PAN-OS 10.2 features in Prisma Access) |

For Panorama versions supported and required for FedRAMP deployments, see
Prisma Access FedRAMP Requirements.


End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access

When Prisma® Access upgrades its infrastructure and dataplane after a major release, the
upgrades can become incompatible with earlier Panorama™ versions. Because of the fast-paced
release of Prisma Access and the Cloud Services plugin, the software compatibility end-of-support
(EoS) dates for Panorama can differ from the software end-of-life dates for Panorama releases
and apply to Panorama version compatibility with Prisma Access only.
If the Panorama appliance that manages Prisma Access is running a software version that’s
incompatible (not supported) with the upgrades, you must upgrade Panorama to a compatible
version to take full advantage of the capabilities of the infrastructure and dataplane upgrades.
It's our goal to make this process as easy as possible and, for this reason, we make every effort
to provide you with adequate notice of Panorama and Prisma Access version compatibility
requirements.
Use the dates in the following table to learn when a Panorama software version that manages
Prisma Access is no longer compatible with Prisma Access so that you can plan an upgrade to a
supported version prior to the EoS date.

Due to the fast-paced release cycles for Prisma Access and the Cloud Services plugin,
the software compatibility end-of-support (EoS) dates for Panorama appliances that
manage Prisma Access sometimes differ from the software end-of-life (EoL) dates for
PAN-OS and Panorama software versions. The exceptions apply only to Panorama version
compatibility with Prisma Access.

To find the latest EoS compatibility information for your Panorama software with Prisma
Access, log in to the Panorama appliance that manages Prisma Access, select the Service
Setup page (Panorama > Cloud Services > Configuration > Service Setup), and view
the Panorama Alert information. (See Notifications and Alerts for Panorama, Cloud
Services Plugin, and PAN-OS Dataplane Versions for details.)

| Panorama Software Version | EoS Dates for Prisma Access Deployments |
| --- | --- |
| PAN-OS 10.0 | March 1, 2023 |
| PAN-OS 9.1 | August 1, 2022. Before this date, you must upgrade your Panorama to PAN-OS 10.1 or a later supported (with Prisma Access) PAN-OS version. We support PAN-OS 10.1 only after you upgrade to 2.2 Preferred or to the following 2.1 plugins: 2.1.0-h24 Preferred, 2.1.0-h16 Innovation. |


You must upgrade Panorama regardless of the Cloud Services plugin version you're running when
the Panorama software version reaches its EoS date. You cannot continue using earlier versions of
the Cloud Services plugin with an earlier unsupported version of Panorama software.
The following Panorama software versions are already EoS and you cannot use them with Prisma
Access:
• PAN-OS 10.0—EoS on July 16, 2022
• PAN-OS 9.0—EoS on February 1, 2021

Strata Cloud Manager and Panorama Feature Parity
Strata Cloud Manager and Panorama both enable you to centrally manage large-scale firewall
deployments. These are the features each supports.
• Software
• Management
• Optimization
• Reporting
• Hardware
• Cloud-Delivered Security Services
• Cloud
Software

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| PAN-OS 11.0 support | Yes | Yes |
| PAN-OS 10.2 support | Yes (PAN-OS 10.2.3 minimum) | Yes |
| PAN-OS 10.1 support | No | Yes |
| PAN-OS 9.1 support | No | Yes |
| VM-Series support | Yes (VM Flex support) | Yes |
| CN-Series support | No | Yes |
| Cloud NGFW support | No | Yes |
| Prisma Access | Yes | Yes |

Management

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| Proxied Management Connection | Yes (requires internet connectivity) | Yes |
| Dynamic Address Groups | Yes | Yes |
| Dynamic User Groups | Yes | Yes |
| Reusable Configuration Snippets | Yes | No |
| Templates | No | Yes |
| REST API | Yes | Yes |
| Log Collectors | Strata Logging Service is supported by default | Yes |
| Application Command Center | Equivalent functionality through Activity Insights | Yes |
| Context Switching | No | Yes |
| Local Config Management | No | No |
| Multi-VSYS | No | Yes |
| PAN-OS SD-WAN | Yes | Yes |
| Automated VPN creation | Yes (no extra licensing required) | Requires SD-WAN license |

Optimization

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| Policy Optimizer | Yes | No |
| Rule Hit Counts | Captures the number of days that the policy rule is not triggered | Yes |
| Unused Rules | Yes | No |
| Unused Objects | Yes | No |

Reporting

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| Report Scheduler | Yes | Yes |
| Custom Reports | No | Yes |
| Custom Dashboards | Yes | No |

Hardware

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| Gen 4 Hardware Support | Yes | Yes |
| Gen 3 Hardware Support | Yes (requires manual Device Certificate retrieval) | Yes |
| Gen 2 Hardware Support | No | Yes |

Cloud-Delivered Security Services

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| IoT Security | Yes | Yes |
| Enterprise DLP | Yes | Yes |
| SaaS Inline | Yes | Yes |
| DNS Security | Yes | Yes |
| Advanced Threat Prevention | Yes | Yes |
| Advanced URL Filtering | Yes | Yes |
| Advanced WildFire | Yes | Yes |
| AIOps for NGFW | Yes | Yes |
| Strata Logging Service | Yes | Yes |
| SaaS Application Endpoints | Yes | No |
| Bootstrap Onboarding | Yes (yet to be released) | Yes |

Cloud

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| Cloud Provider Tag Harvesting | Yes | Yes |


Identity

| Feature | Strata Cloud Manager | Panorama |
| --- | --- | --- |
| Cloud Identity Engine | Yes | Yes |

User-ID Agent
You install the User-ID™ agent on a domain server that is running a supported operating system
(OS) and then connect the User-ID agent to exchange or directory servers.
• Where Can I Install the User-ID Agent?
• Which Servers Can the User-ID Agent Monitor?
• Where Can I Install the User-ID Credential Service?


Where Can I Install the User-ID Agent?


The following table shows the operating systems on which you can install each release of the
Windows-based User-ID™ agent. The system must also meet the minimum requirements (see the
User-ID agent release notes).

| Operating System | Release 9.1 | Release 10.1 | Release 10.2 | Release 11.0 |
| --- | --- | --- | --- | --- |
| Windows Server 2022 | √ (9.1.4 & later) | √ | √ | √ |
| Windows Server 2019 | √ | √ | √ | √ |
| Windows Server 2016 | √ | √ | √ | √ |
| Windows Server 2012 and 2012 R2 | √ | √ | √ | √ |


Which Servers Can the User-ID Agent Monitor?


The following are the exchange and directory servers you can monitor with the PAN-OS®
integrated and Windows-based User-ID™ agents:

You can install only specific releases of the Windows-based User-ID agent on supported
Microsoft Windows servers.

Server: Microsoft Exchange Server
Versions Supported:
• 2019—Only with Windows User-ID agent 9.0.2 and later releases or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 9.1 (all releases)
• 2016—Only with Windows User-ID agent or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 9.1 (all releases)
• 2013

Server: Microsoft Windows Server
Versions Supported:
• 2022—Only with Windows User-ID agent or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2.1 and later PAN-OS 10.2 releases
  • PAN-OS 10.1.1 and later PAN-OS 10.1 releases
  • PAN-OS 9.1.4 and later PAN-OS 9.1 releases
• 2019—Only with Windows User-ID agent 9.1 and later versions or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 9.1 (all releases)
• 2016—Only with Windows User-ID agent or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 9.1 (all releases)
• 2012 and 2012 R2

Server: Novell eDirectory Server
Versions Supported:
• 8.8


Where Can I Install the User-ID Credential Service?


The following table shows the Read-Only Domain Controller (RODC) on which you can install
each release of the Windows User-ID™ agent with the User-ID credential service to detect
credential submissions. The credential service is an add-on for the Windows User-ID agent; you
must install the add-on separately.

| Server | PAN-OS Version Supported | Windows User-ID Agent Version Supported |
| --- | --- | --- |
| Windows Server 2022 | 11.0 | 11.0 |
| Windows Server 2019 | 11.0, 10.2.3, 10.1.11, 10.0.11-h1*, 10.1.7, 9.1.15 | 11.0, 10.2.1, 10.1.2, 10.1.1, 9.1.4 |

Terminal Server (TS) Agent
You install the Terminal Server (TS) agent on a domain server that is running a supported
operating system (OS) and then report username-to-port mapping information to PAN-OS®
firewalls.
• Where Can I Install the Terminal Server (TS) Agent?
• How Many TS Agents Does My Firewall Support?


Where Can I Install the Terminal Server (TS) Agent?


The following table shows the operating systems on which you can install each release of the
Terminal Server (TS) agent.

For optimal configuration, install the TS agent version that matches the PAN-OS version
running on your firewall. If there is not a TS agent version that matches your PAN-OS
version, install the latest version that is closest to the PAN-OS version.

| Operating System | TS Agent 9.1 | TS Agent 10.1 | TS Agent 10.2 | TS Agent 11.0 |
| --- | --- | --- | --- | --- |
| Windows Server 2022 | √ (9.1.4 & later) | √ | √ | √ |
| Windows Server 2019 | √ | √ | √ | √ |
| Windows Server 2016 | √ | √ | √ | √ |
| Windows Server 2012 R2 | √ | √ | √ | √ |
| Windows 11 Enterprise Multi-session | √ (9.1.4 & later) | √ | √ | √ |
| Windows 10 Enterprise Multi-session | √ (9.1.1 & later) | √ | √ | √ |
| Citrix Metaframe Presentation Server 4.x | √ | √ | √ | √ |
| Citrix XenApp 5.x | √ | √ | √ | √ |
| Citrix XenApp 6.x | √ | √ | √ | √ |
| Citrix XenApp 7.x | √ | √ | √ | √ |


How Many TS Agents Does My Firewall Support?


The following table shows how many Terminal Server (TS) agents each hardware-based and VM-
Series firewall supports. To confirm which PAN-OS® releases are supported on your firewall,
review the Supported PAN-OS releases for each model.

For optimal configuration, install the TS agent version that matches the PAN-OS version
running on the firewall. If there is not a TS agent version that matches the PAN-OS
version, install the latest version that is closest to the PAN-OS version.

| Firewall or VM Model | PAN-OS 9.1 | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 |
| --- | --- | --- | --- | --- |
| Hardware Firewalls | | | | |
| PA-7000 Series | 2,000 | 2,000 | 2,000 | 2,000 |
| PA-7000 Series with SMC-B | 2,500 | 2,500 | 2,500 | 2,500 |
| PA-5450 | — | 2,500 | 2,500 | 2,500 |
| PA-5440 | — | — | — | 2,500 |
| PA-5410, PA-5420, and PA-5430 | — | — | 2,500 | 2,500 |
| PA-5200 Series | 2,500 | 2,500 | 2,500 | 2,500 |
| PA-3430 and PA-3440 | — | — | 2,000 | 2,000 |
| PA-3410 and PA-3420 | — | — | 400 | 400 |
| PA-3200 Series | 2,000 | 2,000 | 2,000 | 2,000 |
| PA-1400 Series | — | — | — | 400 |
| PA-800 Series | 1,000 | 1,000 | 1,000 | 1,000 |
| PA-460 | — | 1,000 | 1,000 | 1,000 |
| PA-450 | — | 400 | 400 | 400 |
| PA-445 | — | — | — | 800 |
| PA-440 | — | 800 | 800 | 800 |
| PA-415 | — | — | — | 400 |
| PA-410 | — | 400 (10.1.2 & later) | 400 | 400 |
| PA-220R | 400 | 400 | 400 | 400 |
| PA-220 | 400 | 400 | 400 | — |
| VM-Series Firewalls | | | | |
| VM-700 | 2,500 | 2,500 | 2,500 | 2,500 |
| VM-500 | 2,000 | 2,000 | 2,000 | 2,000 |
| VM-300 | 400 | 400 | 400 | 400 |
| VM-100 | 400 | 400 | 400 | 400 |
| VM-50 Lite | 400 | 400 | 400 | 400 |

Strata Logging Service Software Compatibility
To forward firewall log data to Strata Logging Service (formerly Cortex® Data Lake), you must
ensure that your firewalls are running a supported PAN-OS® version. The PAN-OS version you
need depends on whether you use Panorama™ to onboard several firewalls simultaneously or you
onboard firewalls individually.
To onboard firewalls to Strata Logging Service using Panorama, you must also install a supported
version of the Cloud Services plugin. If you use the Cloud Services plugin to enable Prisma®
Access, ensure that your Panorama is running supported versions of PAN-OS and the Cloud
Services plugin.
Version Requirements for Panorama Managed Firewalls
Software versions required to integrate a Panorama-managed deployment with Strata Logging
Service.

| Software | Version | Description |
| --- | --- | --- |
| PAN-OS* | Minimum: 9.1 | To forward logs from Panorama-managed firewalls to Strata Logging Service, both Panorama and the firewalls must run PAN-OS 9.1 or a later supported PAN-OS version. For enhanced application logging and more reliable service, upgrade to PAN-OS 9.1 or a later supported PAN-OS version. |
| Cloud Services plugin | Minimum: 1.5.0-h6. Recommended: the latest version | The Cloud Services plugin enables you to send log data from Panorama-managed firewalls. To download the plugin, see the step describing how to install the plugin when you configure Panorama for Strata Logging Service. Ensure that your Panorama is running a PAN-OS version that supports your Cloud Services plugin version. Failure to do so can result in a loss of data. |

Version Requirements for Individually Managed Firewalls

| Software | Version | Description |
| --- | --- | --- |
| PAN-OS | Minimum: PAN-OS 9.1 | Individually managed firewalls must run PAN-OS 9.1 or a later supported PAN-OS version to authenticate to Strata Logging Service. |
| Content Version | Minimum: 8274 | Install the latest content updates to ensure your firewall can authenticate to Strata Logging Service. |

Cortex XDR
Compatibility information for Cortex XDR® has a new home. Going forward, when you
click the links below, you will be redirected to the Palo Alto Networks docs-cortex
website.

• Where Can I Install the Cortex XDR Agent?
• Cortex XDR Supported Kernel Module Versions by Distribution
• Cortex XDR and Traps Compatibility with Third-Party Security Products

Endpoint Security Manager (ESM)
You can install the Traps™ agent, now known as the Cortex XDR® agent, and the Endpoint
Security Manager (ESM) Components (comprised of the ESM Console, one or more ESM Servers,
and the database) only on servers and endpoints that are running a supported operating system
(OS).


Where Can I Install the Endpoint Security Manager (ESM)?

The Endpoint Security Manager (ESM) comprises the ESM Console, one or more ESM Servers, and
a database and is now documented with the Cortex® XDR agent.

Compatibility information for Cortex XDR (and Traps) has a new home. Going forward,
you can determine Endpoint Operating Systems Supported with Cortex XDR and
Traps by going to the Palo Alto Networks docs-cortex website.


Where Can I Install the Cortex XDR Agent?


The Traps™ agent is now the Cortex XDR® agent in Cortex XDR agent release 7.0 and later
releases.

Compatibility information for Cortex XDR (and Traps) has a new home. Going forward,
you can determine where you can install the Cortex XDR agent by going to the Palo
Alto Networks docs-cortex website.

IPv6 Support by Feature
Use the following table to review PAN-OS® features (listed by category) that support IPv6 traffic.
• Security
• Management & Panorama
• SD-WAN
• Networking
• VPN
• Host Dynamic Address Configuration
• Device
• User-ID™

| PAN-OS Feature | PAN-OS 9.1 | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 | PAN-OS 11.1 | PAN-OS 11.2 |
| --- | --- | --- | --- | --- | --- | --- |
| Security | | | | | | |
| WildFire® Appliance | — | √ | √ | √ | √ | √ |
| App-ID™ and Firewalling in Layer 2 and Layer 3 | √ | √ | √ | √ | √ | √ |
| User-ID™ | √ | √ | √ | √ | √ | √ |
| Content-ID™ | √ | √ | √ | √ | √ | √ |
| Block IPv6 in IPv4 Tunneling (via App-ID) | √ | √ | √ | √ | √ | √ |
| Zone Protection | √ | √ | √ | √ | √ | √ |
| Packet-Based Attack Protection | √ | √ | √ | √ | √ | √ |
| Reconnaissance Protection | √ | √ | √ | √ | √ | √ |
| URL Filtering | √ | √ | √ | √ | √ | √ |
| SSL Decryption | √ | √ | √ | √ | √ | √ |
| SSH Decryption | √ | √ | √ | √ | √ | √ |
| DoS Rulebase | √ | √ | √ | √ | √ | √ |
| IPv6 Access to PAN-DB | √ | √ | √ | √ | √ | √ |
| DNS Sinkhole | √ | √ | √ | √ | √ | √ |
| External Dynamic List (EDL) | √ | √ | √ | √ | √ | √ |
| Management & Panorama™ | | | | | | |
| SSH Management (dedicated MGMT port) | √ | √ | √ | √ | √ | √ |
| Web Interface Management (dedicated MGMT port) | √ | √ | √ | √ | √ | √ |
| Interface Management (ping, telnet, ssh, http, https - all ports) | √ | √ | √ | √ | √ | √ |
| Device to Panorama SSL TCP Connection | √ | √ | √ | √ | √ | √ |
| Panorama HA Connection Between Peers | √ | √ | √ | √ | √ | √ |
| DNS | √ | √ | √ | √ | √ | √ |
| Dynamic DNS Support for Firewall Interfaces (DHCP-based interfaces) | √ | √ | √ | √ | √ | √ |
| RADIUS | √ | √ | √ | √ | √ | √ |
| LDAP | √ | √ | √ | √ | √ | √ |
| SYSLOG | √ | √ | √ | √ | √ | √ |
| SNMP | √ | √ | √ | √ | √ | √ |
| NTP | √ | √ | √ | √ | √ | √ |
| Device DNS (device only) | √ | √ | √ | √ | √ | √ |
| DNS Proxy | √ | √ | √ | √ | √ | √ |
| Reporting and Visibility into IPv6 | √ | √ | √ | √ | √ | √ |
| IPv6 Address Objects | √ | √ | √ | √ | √ | √ |
| IPv6 FQDN Address Objects | √ | √ | √ | √ | √ | √ |
| SD-WAN | | | | | | |
| SD-WAN IPv6 Basic Connectivity | — | — | — | √ (11.0.2 & later) | √ | √ |
| SD-WAN for NGFW IPv6 support | — | — | — | — | √ | √ |
| Networking | | | | | | |
| IPv6 Static Routes | √ | √ | √ | √ | √ | √ |
| PBF | √ | √ | √ | √ | √ | √ |
| PBF Next-Hop Monitor (v6 endpoint) | √ | √ | √ | √ | √ | √ |
| OSPFv3 | √ | √ | √ | √ | √ | √ |
| MP-BGP | √ | √ | √ | √ | √ | √ |
| GRE Tunneling Support | √ | √ | √ | √ | √ | √ |
| ECMP | √ | √ | √ | √ | √ | √ |
| Dual Stack Support for L3 Interfaces | √ | √ | √ | √ | √ | √ |
| QoS Policy | √ | √ | √ | √ | √ | √ |
| QoS Marking | √ | √ | √ | √ | √ | √ |
| DSCP (session based) | √ | √ | √ | √ | √ | √ |
| Neighbor Discovery and Duplicate Address Detection | √ | √ | √ | √ | √ | √ |
| Tunnel Content Inspection | √ | √ | √ | √ | √ | √ |
| Virtual Wires | √ | √ | √ | √ | √ | √ |
| NPTv6 (stateless prefix translation) | √ | √ | √ | √ | √ | √ |
| NAT64 (IP-IPv6 protocol translation) | √ | √ | √ | √ | √ | √ |
| LLDP (Link Layer Discovery Protocol) | √ | √ | √ | √ | √ | √ |
| Bidirectional Forwarding Detection (BFD) | √ | √ | √ | √ | √ | √ |
| IPv6 PPPoE Client | — | — | — | — | √ | √ |
| Dynamic IPv6 Addressing on the Management Interface | — | — | — | — | √ | √ |
| VPN | | | | | | |
| GlobalProtect™ | √ | √ | √ | √ | √ | √ |
| IKE/IPSec | √ | √ | √ | √ | √ | √ |
| IKEv2 | √ | √ | √ | √ | √ | √ |
| IPv6 over IPv4 IPSec Tunnel | √ | √ | √ | √ | √ | √ |
| Large Scale VPN (LSVPN) | √ | √ | √ | √ | √ | √ |
| Host Dynamic Address Configuration | | | | | | |
| DHCPv6 Relay | √ | √ | √ | √ | √ | √ |
| DHCPv6 Client with Prefix Delegation (Dataplane Interface only) | — | — | — | √ | √ | √ |
| SLAAC (Router Advertisements) | √ | √ | √ | √ | √ | √ |
| SLAAC (Router Preference) | √ | √ | √ | √ | √ | √ |
| SLAAC (RDNSS) | √ | √ | √ | √ | √ | √ |
| Device | | | | | | |
| High Availability (HA)—Active/Active | √ | √ | √ | √ | √ | √ |
| HA—Active/Passive | √ | √ | √ | √ | √ | √ |
| HA—IPv6 transport for HA1 & HA2 | √ | √ | √ | √ | √ | √ |
| HA Path Monitoring (IPv6 Endpoint) | √ | √ | √ | √ | √ | √ |
| HA Clustering | — | √ | √ | √ | √ | √ |
| User-ID | | | | | | |
| Map IPv6 Address to Users | √ | √ | √ | √ | √ | √ |
| Captive Portal for IPv6 | √ | √ | √ | √ | √ | √ |
| Connection to User-ID Agents over IPv6 | √ | √ | √ | √ | √ | √ |
| User-ID XML API for IPv6 | √ | √ | √ | √ | √ | √ |
| Terminal Server Agent IPv6 | √ | √ | √ | √ | √ | √ |

Mobile Network Infrastructure Feature Support
Review the lists of specific Palo Alto Networks firewall models and PAN-OS® software versions
that support GTP, SCTP, 5G, PFCP, and RADIUS Security, as well as 3GPP Technical Standards:
• PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security
• PAN-OS Releases by Model that Support Intelligent Security Correlation (PFCP, RADIUS, and
GTP)
• 3GPP TS References for GTP Security
• 3GPP TS References for 5G Security
• 3GPP TS References for 5G Multi-Edge Security
• 3GPP TS References for UE-to-IP Address Correlation with PFCP in 4G


PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security

The following table lists which firewall models and PAN-OS software versions support the
following security methods:
• General Packet Radio Service (GPRS) Tunnelling Protocol (GTP) security
• Stream Control Transmission Protocol (SCTP) security
• 5G security

| Firewall Model | PAN-OS 9.1 (GTP and SCTP) | PAN-OS 10.1 (GTP, SCTP, and 5G) | PAN-OS 10.2 (GTP, SCTP, and 5G) | PAN-OS 11.0 (GTP, SCTP, and 5G) | PAN-OS 11.1 (GTP, SCTP, and 5G) | PAN-OS 11.2 (GTP, SCTP, and 5G) |
| --- | --- | --- | --- | --- | --- | --- |
| VM-Series Firewalls | √ | √ | √ | √ | √ | √ |
| CN-Series Firewalls* | — | √ | √ | √ | √ | √ |
| PA-7500 Firewalls (Standalone only) | — | — | — | — | √ | √ |
| PA-7000 Series Firewalls that use three of the following cards**: PA-7000-100G-NPC card; PA-7000-LFC-A card; and PA-7050-SMC-B card OR PA-7080-SMC-B card | √ | √ | √ | √ | √ | √ |
| PA-5410, PA-5420, and PA-5430 Firewalls | — | — | √ | √ | √ | √ |
| PA-5440 Firewalls | — | — | — | √ | √ | √ |
| PA-5445 Firewalls | — | — | — | — | √ | √ |
| PA-5450 Firewalls | — | √ | √ | √ | √ | √ |
| PA-5200 Series Firewalls | √ | √ | √ | √ | √ | √ |
| PA-3430 and PA-3440 Firewalls | — | — | √ | √ | √ | √ |

* CN-Series Daemonset mode supports GTP, SCTP, and 5G security in PAN-OS 10.1 and later
PAN-OS versions. Additionally, CN-Series firewalls running PAN-OS 10.2 and later PAN-OS
versions support GTP, SCTP, and 5G security in both K8s cloud-native network (CNF) mode and
Daemonset mode.

** To verify that your PA-7000 Series firewall is installed with the cards that support
GTP and SCTP, use the show chassis inventory CLI command. However, it is
possible that cards are installed but are not functional if your firewall does not account
for all dependencies. Refer to the PA-7000 Series Firewall Hardware Reference for
installation instructions and to review the dependencies for each card.


PAN-OS Releases by Model that Support Intelligent Security Correlation (PFCP, RADIUS, and GTP)

The following table lists which firewall models and PAN-OS software versions support Intelligent
Security Correlation:
• Packet Forwarding Control Protocol (PFCP)
• Remote Authentication Dial-In User Service (RADIUS)
• General Packet Radio Service (GPRS) Tunnelling Protocol (GTP)

| Firewall Model | PAN-OS 11.0 (PFCP* and RADIUS**) | PAN-OS 11.1 (PFCP and RADIUS) | PAN-OS 11.2 (PFCP, RADIUS, and GTP) |
| --- | --- | --- | --- |
| VM-Series Firewalls | √ | √ | √ |
| CN-Series Firewalls | √ | √ | √ |
| PA-7000 Series Firewalls that use three of the following cards***: PA-7000-100G-NPC card; PA-7000-LFC-A card; and PA-7050-SMC-B card OR PA-7080-SMC-B card | √ | √ | √ |
| PA-5410, PA-5420, PA-5430, PA-5440, and PA-5450 Firewalls | √ | √ | √ |
| PA-5445 Firewalls | — | √ | √ |
| PA-5200 Series Firewalls | — | √ | √ |
| PA-3430 and PA-3440 Firewalls | √ | √ | √ |

* In PAN-OS 11.0, we support only 4G CUPS architecture for Intelligent Security with PFCP.
** We support Intelligent Security with RADIUS in PAN-OS 11.0.2 and all later PAN-OS versions.

*** To verify that your PA-7000 Series firewall is installed with the cards that support
PFCP, RADIUS, and GTP, use the show chassis inventory CLI command.
However, it is possible that cards are installed but are not functional if your firewall
does not account for all dependencies. Refer to the PA-7000 Series Firewall Hardware
Reference for installation instructions and to review the dependencies for each card.


3GPP TS References for GTP Security


3GPP TS references for GTP security on firewalls that support GTP security.

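| PAN-OS Version | Protocol | 3GPP TS | 3GPP TS Release |
| --- | --- | --- | --- |
| PAN-OS 10.2, PAN-OS 10.1 | GTPv2-C | 29.274 | Up to 15.2 |
| PAN-OS 10.2, PAN-OS 10.1 | GTPv1-C | 29.060 | Up to 15.5.0 |
| PAN-OS 10.2, PAN-OS 10.1 | GTP-U | 29.281 | Up to 15.0.0 |
| PAN-OS 10.2, PAN-OS 10.1 | — | 43.129 | 15.0.0 |
| PAN-OS 10.2, PAN-OS 10.1 | — | 23.401 | 15.12.0 |
| PAN-OS 9.1 | GTPv2-C | 29.274 | Up to 15.2 |
| PAN-OS 9.1 | GTPv1-C | 29.060 | Up to 15.1 |
| PAN-OS 9.1 | GTP-U | 29.281 | Up to 15.0.0 |
| PAN-OS 8.1 (only where supported) | GTPv2-C | 29.274 | Up to 13.4 |
| PAN-OS 8.1 (only where supported) | GTPv1-C | 29.060 | Up to 13.4 |
| PAN-OS 8.1 (only where supported) | GTP-U | 29.281 | Up to 13.0 |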


3GPP TS References for 5G Security


3GPP Technical Standards references for 5G network slice, 5G subscriber ID, and 5G equipment
ID security on firewalls that support GTP security.
• Procedures for the 5G System (5GS)
• 5GS Session Management Services

| PAN-OS Version | 3GPP TS | 3GPP TS Release |
| --- | --- | --- |
| PAN-OS 10.2, PAN-OS 10.1 | 23.502 | Up to 15.5.0 |
| PAN-OS 10.2, PAN-OS 10.1 | 29.502 | Up to 15.4.0 |


3GPP TS References for 5G Multi-Edge Security


5G Multi-Edge Security supports Packet Forwarding Control Protocol (PFCP) messages over N4
interfaces for the following technical specifications in the 3GPP TS release:
• Interface between the Control Plane and the User Plane nodes
3GPP Technical Standards reference for 5G Multi-Edge Security on firewalls that support 5G
MEC Security:

| PAN-OS Version | 3GPP TS | 3GPP TS Release |
| --- | --- | --- |
| PAN-OS 10.2, PAN-OS 10.1 | 29.244 | Up to 16.5.0 |


3GPP TS References for UE-to-IP Address Correlation with PFCP in 4G

The below table provides the 3GPP Technical Standards reference for firewalls that leverage User
Equipment (UE)-to-IP Address Correlation using the Packet Forwarding Control Protocol (PFCP)
for 4G network traffic.

| PAN-OS Version | 3GPP TS | 3GPP TS Release |
| --- | --- | --- |
| PAN-OS 11.0 | 23.214 | Up to 16.2.0 |
| PAN-OS 11.0 | 29.244 | Up to 16.9.1 |
