The VM-Series extends safe application enablement to virtualized and cloud environments using the same PAN-OS™ feature set that is available in physical security appliances. The core of the VM-Series is the next-generation firewall which natively classifies all traffic, inclusive of applications, threats and content, then ties that traffic to the user, regardless of location or device type. The application, content, and user - in other words, the business elements that run the business - are then used as the basis of an organization’s security policies, resulting in an improved security posture and a reduction in incident response time.
The VM-Series is based on a Single Pass software architecture to minimize latency. Operations such as application identification and decoding, signature matching for all threats and content, networking functions, and policy lookup are executed once to optimize performance. The management and data planes are separated, with dedicated CPUs assigned to each plane to ensure that management access is always available, irrespective of traffic loads.
The VM-Series allows you to apply next-generation security policies to virtualized and cloud computing environments at the same speed that the virtualized applications are built up and taken down.
- Automated, transparent deployment and provisioning: To support the agile characteristics of virtualization and cloud, security provisioning must be automated. Tight integration enables the VM-Series security services to be automatically deployed and transparently inserted to inspect VM-to-VM traffic. In addition, the VM-Series supports a flexible REST-based API, which allows you to integrate with third-party cloud orchestration solutions such as OpenStack and CloudStack. This enables the VM-Series to be deployed and configured in lockstep with virtualized workloads.
- Policy creation with dynamic context: In a virtualized and cloud environment where virtual machines often change functions and can move from server to server, building security policies based on static IP addresses alone can have limited value. Dynamic Address Groups allow you to create policies using tags as an identifier for virtual machines instead of a static object definition. Multiple tags representing virtual machine attributes such as IP address and operating system can be resolved within a Dynamic Address Group, allowing you to easily apply policies to virtual machines as they are created or travel across the network.
- Automated VM monitoring: Security policies must be able to monitor and keep up with changes in virtual machine attributes. The VM Monitoring capabilities on the VM-Series provide agent and agentless options to poll for virtual machine inventory and changes. Virtual machine attributes are collected as tags and can then be used in Dynamic Address Groups to keep track of virtual machine changes.
- Centralized management: Security appliances in a virtual and cloud environment should be managed in the same consistent manner as physical security appliances. The VM-Series can be managed using Panorama to ensure consistent enforcement of policies across physical, virtual and cloud environments. Rich centralized logging and reporting capabilities provide visibility into virtualized applications, users and content.
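
The tag-based membership described under "Policy creation with dynamic context" and "Automated VM monitoring" can be modelled as follows. This is an added example, not PAN-OS code or its API: the function names, the quoted-tag `and`/`or` criteria syntax used here, and the sample registrations are assumptions made for illustration.

```python
import re
TOKEN = re.compile(r"\s*('[^']*'|\(|\)|and\b|or\b)")

def tokenize(criteria):
    """Split criteria such as "'web' and ('linux' or 'bsd')" into tokens."""
    criteria, pos, tokens = criteria.strip(), 0, []
    while pos < len(criteria):
        m = TOKEN.match(criteria, pos)
        if not m:
            raise ValueError(f"unsupported text at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def evaluate(tokens, tags):
    """Recursive descent: 'or' binds loosest, then 'and', then a tag or (group)."""
    def atom():
        if not tokens:
            raise ValueError("incomplete match criteria")
        tok = tokens.pop(0)
        if tok == "(":
            value = expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if not tok.startswith("'"):
            raise ValueError(f"expected a tag, got {tok}")
        return tok[1:-1] in tags
    def chain(op, operand):
        value = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            rhs = operand()  # always consume the operand before combining
            value = (value and rhs) if op == "and" else (value or rhs)
        return value
    def expr():
        return chain("or", lambda: chain("and", atom))
    result = expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]}")
    return result

def resolve(criteria, registered):
    """Return the IPs whose current tags satisfy the group's criteria."""
    return sorted(ip for ip, t in registered.items() if evaluate(tokenize(criteria), t))

# Constructed tag registrations (IP -> tags), standing in for VM monitoring output
REGISTERED = {"10.0.1.10": {"web", "linux", "prod"}, "10.0.1.11": {"web", "windows", "prod"},
              "10.0.2.20": {"db", "linux", "prod"}}
CRITERIA = "'prod' and ('web' or 'db') and 'linux'"
```

Calling `resolve(CRITERIA, REGISTERED)` again after a registration changes shows the point of the feature: the policy that references the group is untouched, and only the resolved member list follows the virtual machine.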