Next-Generation Firewall
Management Features
Management Features
What new management features are in PAN-OS 12.1?
Accelerate Insights and Enhance Security with Telemetry Autoenablement
August 2025
Telemetry autoenablement for Palo Alto
Networks devices streamlines the activation and configuration of telemetry,
eliminating complex workflows and manual setup. This feature ensures that upon
device onboarding, telemetry is automatically enabled and configured to stream data
to the correct data residency region, determined by your location or existing
configurations.
Strata Cloud Manager or hub now manages telemetry settings, rather than
individual Panorama or firewall devices. These services store information for all
devices within a tenant service group (TSG), simplifying and automating telemetry
configuration. This approach removes operational hurdles, enabling full utilization
of telemetry's benefits while maintaining control over data sharing preferences.
Consistent telemetry data streaming provides enhanced security, faster
security responses, and access to advanced features through critical threat
insights. Telemetry autoenablement ensures your devices send valuable diagnostic and
usage information, significantly improving support case resolution times and
offering real-time insights into performance, usage, and potential issues.
You have the ability to manage your telemetry settings at the TSG
level, including the option to change the telemetry tier from Full to Diagnostic
through the hub interface or Strata Cloud Manager. This tiered approach ensures you
can choose the level of information shared while adhering to data privacy
requirements. Additionally, all telemetry configuration changes are logged for audit
purposes, assisting with compliance and security policy adherence.
Quantum Key Distribution
August 2025
Quantum Key Distribution (QKD) support enables your firewall to use quantum-safe
cryptography for IPsec VPN connections. This feature implements the ETSI GS QKD 014
standard, allowing interoperability with external QKD devices from Toshiba and ID
Quantique. QKD mitigates a weakness of IKEv2, the protocol used to establish and
manage IPsec VPNs: its key exchange is exposed to Harvest Now, Decrypt Later attacks.
The Key Management Entity (KME) manages the distribution of keys generated by QKD
(also called quantum-generated keys) to the Secure Application Entities (SAEs),
which are your firewalls. You can configure the KME URL, authentication methods, and
other parameters through the QKD profile on the firewall’s management interface.
This solution is applicable for organizations in government, financial services,
healthcare, and other sectors that handle sensitive data or need to meet certain
security regulations. QKD support helps prepare your network for potential
quantum-based threats while maintaining compatibility with your existing VPN setup.
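The KME-to-SAE key delivery described above, written out as an added example that is not PAN-OS or vendor code. An in-memory Key Management Entity models the three ETSI GS QKD 014 operations (status, enc_keys, dec_keys) with the request and response fields the standard defines; os.urandom stands in for keys agreed over the quantum channel, plain function calls stand in for the HTTPS/mutual-TLS transport, and the KME and SAE identifiers are constructed. Only the key_ID crosses the classical path between the two firewalls, which is the property that makes the scheme resistant to recorded-traffic attacks.

```python
"""Simulated ETSI GS QKD 014 key delivery between two Secure Application
Entities (the two VPN firewalls) and their Key Management Entities.
Constructed example: the in-memory KME replaces a real Toshiba or ID Quantique
appliance that would be reached over HTTPS with mutual TLS."""
import base64
import os
import uuid
from typing import Dict, List, Tuple


class QuantumLink:
    """Pool of keys the two paired KMEs have already agreed over the quantum
    channel. Both KMEs hold identical copies; a single dict models that here."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}  # key_ID -> raw key material


class Kme:
    """Key Management Entity exposing the three GS QKD 014 operations.
    The REST path each method models is given in its first comment."""

    def __init__(self, kme_id: str, link: QuantumLink) -> None:
        self.kme_id = kme_id
        self.link = link

    def status(self, slave_sae_id: str) -> dict:
        # GET /api/v1/keys/{slave_SAE_ID}/status
        # A firewall can poll this before a rekey to confirm keys are available.
        return {"source_KME_ID": self.kme_id, "slave_SAE_ID": slave_sae_id,
                "key_size": 256, "stored_key_count": len(self.link.keys)}

    def enc_keys(self, slave_sae_id: str, number: int = 1, size: int = 256) -> dict:
        # POST /api/v1/keys/{slave_SAE_ID}/enc_keys   body: {"number": n, "size": bits}
        # Called by the master SAE. The KME draws fresh pool keys and returns
        # (key_ID, key); os.urandom stands in for quantum-generated bits.
        out: List[dict] = []
        for _ in range(number):
            key_id = str(uuid.uuid4())
            key = os.urandom(size // 8)
            self.link.keys[key_id] = key  # the peer KME holds the same copy
            out.append({"key_ID": key_id, "key": base64.b64encode(key).decode()})
        return {"keys": out}

    def dec_keys(self, master_sae_id: str, key_ids: List[str]) -> dict:
        # POST /api/v1/keys/{master_SAE_ID}/dec_keys   body: {"key_IDs": [{"key_ID": ...}]}
        # Called by the slave SAE with the IDs it received from the master.
        out: List[dict] = []
        for key_id in key_ids:
            key = self.link.keys.pop(key_id, None)  # one-time use: consumed on delivery
            if key is None:
                raise KeyError(f"unknown or already-consumed key_ID {key_id}")
            out.append({"key_ID": key_id, "key": base64.b64encode(key).decode()})
        return {"keys": out}


def establish_qkd_key(master_kme: Kme, slave_kme: Kme,
                      master_sae: str, slave_sae: str) -> Tuple[str, bytes, bytes]:
    """Both halves of the exchange. Only key_ID crosses the classical path
    (carried inside IKEv2 in a real deployment); key bytes travel only on the
    local KME-to-SAE hop. Returns (key_id, master_key, slave_key)."""
    resp = master_kme.enc_keys(slave_sae, number=1, size=256)
    key_id = resp["keys"][0]["key_ID"]
    master_key = base64.b64decode(resp["keys"][0]["key"])
    # --- classical channel: the master firewall sends key_id to the slave ---
    resp2 = slave_kme.dec_keys(master_sae, [key_id])
    slave_key = base64.b64decode(resp2["keys"][0]["key"])
    return key_id, master_key, slave_key


def replay_is_rejected(slave_kme: Kme, master_sae: str, key_id: str) -> bool:
    """A second dec_keys call for a consumed key_ID must fail."""
    try:
        slave_kme.dec_keys(master_sae, [key_id])
    except KeyError:
        return True
    return False


def demo() -> bool:
    link = QuantumLink()
    kme_a, kme_b = Kme("KME-A", link), Kme("KME-B", link)  # constructed IDs
    kid, k_master, k_slave = establish_qkd_key(kme_a, kme_b, "fw-site-a", "fw-site-b")
    return (k_master == k_slave and len(k_master) == 32
            and replay_is_rejected(kme_b, "fw-site-a", kid))


if __name__ == "__main__":
    print("both firewalls hold the same 256-bit key:", demo())
```

The design point worth noticing is that an eavesdropper who records every byte on the classical path sees only a UUID, never key material, so there is nothing to decrypt later; and because each key_ID is delivered exactly once, a replayed request fails instead of handing out the same key twice.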
Security Enhancements
August 2025
PAN-OS security is enhanced with Integrity Measurement Architecture (IMA) to protect
against sophisticated attacks and reduce the impact if a process is
compromised. These security mechanisms work together to restrict what an attacker
can do if they manage to exploit a vulnerability in PAN-OS, limiting their ability
to move laterally within the system or tamper with critical system files and
logs.
IMA only allows execution of binaries and programs cryptographically signed by Palo
Alto Networks. This prevents the execution of malware that might be dropped by an
attacker and blocks attempts to modify existing PAN-OS binaries, effectively
extending the secure boot and hardware root of trust into the runtime environment.
When IMA detects an attempted violation, it logs a critical severity alert that you
can use for investigation.
You can monitor IMA violations through system logs using the CLI. When these security
mechanisms detect violations, PAN-OS can be configured to either continue running
(collecting logs and alerts for investigation) or reboot to maintenance mode to
disrupt the attacker and facilitate a more thorough investigation.
The IMA security enhancements work alongside other PAN-OS security features,
including updated open source software components, improved cryptographic libraries,
TPM-based secure boot, hardware root of trust (on Gen 4 hardware and newer), and
both boot-time and periodic software integrity checks. Together, these mechanisms
create multiple layers of defense that significantly improve the security posture of
your PAN-OS devices against sophisticated attacks.
Device Security Settings
August 2025
System-level security violations can indicate that an attacker might have compromised
your firewall, and the Device Security Settings feature helps you minimize potential
damage by allowing you to define how your firewall responds when such violations
occur. When Integrity Measurement Architecture (IMA) detects that security
violations have been attempted on your firewall, you can configure the system to
either continue operating normally or automatically enter maintenance mode to limit
potential damage. Your configuration changes are logged with high severity to
maintain an audit trail of security policy modifications.
As a network security administrator, you can use this feature to protect your
environment when PAN-OS experiences system-level security violations. By default,
your firewall continues running when violations occur, but you have the option to
configure it to enter maintenance mode instead, which can help contain security
breaches by limiting system functionality until you can investigate and remediate
the issue.
When security violations are attempted on your firewall, you can invoke your internal
incident response (IR) or forensics process to investigate this further. This
feature provides you with greater control over your security posture and helps you
implement appropriate incident response measures when potential security compromises
are detected.
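To make the runtime appraisal behind both the Security Enhancements and the Device Security Settings sections concrete, here is an added example that is not PAN-OS code. It parses a constructed measurement list in the Linux IMA ima-ng line format, appraises each entry against an allowlist that stands in for the vendor's signatures, and then applies the two response policies the page describes (continue running, or enter maintenance mode), logging a critical alert either way. The paths, digests and alert text are constructed.

```python
"""Runtime integrity appraisal in the spirit of Linux IMA, reduced to a
self-contained simulation. Constructed example, not PAN-OS code: an allowlist
of sha256 digests stands in for vendor signatures, the measurement list uses
the ima-ng template layout, and the response policy mirrors the two Device
Security Settings choices (continue, or enter maintenance mode)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: binaries the vendor "signed" and their digests.
TRUSTED: Dict[str, str] = {
    "/usr/bin/pan_dp": _sha256(b"pan_dp build 12.1"),
    "/usr/bin/pan_mgmt": _sha256(b"pan_mgmt build 12.1"),
}

# Constructed measurement list, one entry per executed file, in the ima-ng layout:
#   PCR  template-hash(sha1)  template-name  algo:filedata-hash  file-path
MEASUREMENTS: List[str] = [
    f"10 {'0' * 40} ima-ng sha256:{_sha256(b'pan_dp build 12.1')} /usr/bin/pan_dp",
    f"10 {'0' * 40} ima-ng sha256:{_sha256(b'pan_mgmt patched')} /usr/bin/pan_mgmt",
    f"10 {'0' * 40} ima-ng sha256:{_sha256(b'dropped file')} /tmp/.cache/payload",
]


@dataclass
class Violation:
    path: str
    measured: str
    reason: str  # "modified" (digest mismatch), "unsigned" (unknown file), "weak-algorithm"


def parse_ima_ng(line: str) -> Tuple[str, str, str]:
    """Split one ima-ng line into (path, hash algorithm, digest).
    maxsplit=4 keeps paths that contain spaces intact."""
    _pcr, _template_hash, _template, algo_hash, path = line.split(maxsplit=4)
    algo, digest = algo_hash.split(":", 1)
    return path, algo, digest


def appraise(lines: List[str], trusted: Dict[str, str]) -> List[Violation]:
    """Compare every measured file against the allowlist. A file that is not
    listed at all is treated as unsigned; a listed file with a different
    digest has been modified. Either would be refused execution by IMA."""
    violations: List[Violation] = []
    for line in lines:
        path, algo, digest = parse_ima_ng(line)
        if algo != "sha256":
            violations.append(Violation(path, digest, "weak-algorithm"))
            continue
        expected = trusted.get(path)
        if expected is None:
            violations.append(Violation(path, digest, "unsigned"))
        elif expected != digest:
            violations.append(Violation(path, digest, "modified"))
    return violations


def respond(violations: List[Violation], on_violation: str = "continue") -> dict:
    """Apply the configured response. Critical alerts are produced either way,
    since the page states IMA logs a critical-severity alert on every attempt;
    'maintenance' additionally requests maintenance mode to contain the host."""
    if on_violation not in ("continue", "maintenance"):
        raise ValueError(f"unknown policy {on_violation!r}")
    alerts = [
        f"CRITICAL ima: execution denied reason={v.reason} path={v.path} "
        f"sha256={v.measured[:16]}..."
        for v in violations
    ]
    action = "maintenance-mode" if (violations and on_violation == "maintenance") else "running"
    return {"alerts": alerts, "action": action}


if __name__ == "__main__":
    found = appraise(MEASUREMENTS, TRUSTED)
    for policy in ("continue", "maintenance"):
        result = respond(found, policy)
        print(f"policy={policy}: action={result['action']}")
        for line in result["alerts"]:
            print("  ", line)
```

Two things the simulation makes visible that the prose only implies: the untouched binary produces no event at all, so a clean measurement list is silent; and the choice between policies changes only what the device does next, not what gets logged, so the audit trail for your IR process is the same in both modes.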
Plugin Bundling
August 2025
The new Plugin Bundling feature fundamentally
changes the upgrade process by automating plugin management. Previously, you had to
manually compare and download plugins to ensure they were compatible with the PAN-OS
version. This process was prone to errors that could lead to network outages and
data loss, such as overwritten VPN pre-shared keys.
By bundling compatible plugins directly with the base image, this feature eliminates
the risk of version mismatches and preserves your configurations. When you upgrade,
the system automatically downloads the correct plugin versions, so you no longer
have to manually download them. This ensures a seamless and conflict-free update.
The Plugins interface now provides a single location to manage all bundled plugins.
The interface displays and sorts plugins, allowing you to easily install the ones
you need. If you have the required license, you can manage Cloud Services in a
separate, dedicated section.
Upgrade Checks
August 2025
The Upgrade Checks feature introduces report generation for standalone firewalls,
Panorama appliances, and Panorama managed firewalls to help you prepare your devices
for an upgrade while also providing comprehensive visibility into the system after the upgrade.
You are now able to generate an upgrade check report, including critical and
informational checks, to identify potential issues in the device such as disk space,
certificate expiry, memory usage, license validation, and more. After an upgrade,
you can generate a comparison report to verify functionality or to facilitate
troubleshooting issues. This feature is especially useful for large-scale
deployments, providing improved visibility across multiple devices for upgrade
readiness, reducing upgrade failures, and minimizing downtime.
Zero Touch Provisioning Over Cellular
August 2025
Zero Touch Provisioning (ZTP) over Cellular enables automated deployment and
configuration of NGFWs managed by Panorama in remote locations that have limited
connectivity or no traditional wired connection, using cellular interfaces.
With the expanded support for cellular connections, ZTP now supports multiple
connectivity scenarios (cellular-only, Ethernet-only, or both), giving you the
flexibility to adapt to various network environments. This capability integrates
with your existing Panorama™ management server workflows, maintaining a consistent
management experience and ensuring efficient deployment without requiring on-site IT
intervention. You can use ZTP onboarding to streamline remote NGFW
deployments, reduce operational costs, and quickly secure remote sites. ZTP Over
Cellular is valuable for organizations with distributed networks, retail locations,
or temporary sites where traditional connectivity might be limited or unavailable.
The feature is designed to work with current and future 5G-enabled platforms,
ensuring long-term value and adaptability as your network evolves.