Quantum Key Distribution (QKD) support enables your firewall to use quantum-safe cryptography for IPsec VPN connections. This feature implements the ETSI GS QKD 014 standard, allowing interoperability with external QKD devices from Toshiba and ID Quantique. QKD addresses vulnerabilities in IKEv2, the protocol used for establishing and managing IPsec VPNs, such as Harvest Now, Decrypt Later attacks. The Key Management Entity (KME) manages the distribution of keys generated by QKD (also called quantum-generated keys) to the Secure Application Entities (SAEs), which are your firewalls. You can configure the KME URL, authentication methods, and other parameters through the QKD profile on the firewall’s management interface. This solution is applicable for organizations in government, financial services, healthcare, and other sectors that handle sensitive data or need to meet certain security regulations. QKD support helps prepare your network for potential quantum- based threats while maintaining compatibility with your existing VPN setup.

PAN-OS security is enhanced with Integrity Measurement Architecture (IMA) to protect against sophisticated attacks and reduce the impact if a process is being compromised. These security mechanisms work together to restrict what an attacker can do if they manage to exploit a vulnerability in PAN-OS, limiting their ability to move laterally within the system or tamper with critical system files and logs.

IMA only allows execution of binaries and programs cryptographically signed by Palo Alto Networks. This prevents the execution of malware that might be dropped by an attacker and blocks attempts to modify existing PAN-OS binaries, effectively extending the secure boot and hardware root of trust into the runtime environment. When IMA detects an attempted violation, it logs a critical severity alert that you can use for investigation.

You can monitor IMA violations through system logs using the CLI. When these security mechanisms detect violations, PAN-OS can be configured to either continue running (collecting logs and alerts for investigation) or reboot to maintenance mode to disrupt the attacker and facilitate a more thorough investigation.

The IMA security enhancements work alongside other PAN-OS security features, including updated open source software components, improved cryptographic libraries, TPM-based secure boot, hardware root of trust (on Gen 4 hardware and newer), and both boot-time and periodic software integrity checks. Together, these mechanisms create multiple layers of defense that significantly improve the security posture of your PAN-OS devices against sophisticated attacks.

System-level security violations can indicate that an attacker might have compromised your firewall, and the Device Security Settings feature helps you minimize potential damage by allowing you to define how your firewall responds when such violations occur. When Integrity Measurement Architecture (IMA) detects that security violations have been attempted on your firewall, you can configure the system to either continue operating normally or automatically enter maintenance mode to limit potential damage. Your configuration changes are logged with high severity to maintain an audit trail of security policy modifications.

As a network security administrator, you can use this feature to protect your environment when PAN-OS experiences system-level security violations. By default, your firewall continues running when violations occur, but you have the option to configure it to enter maintenance mode instead, which can help contain security breaches by limiting system functionality until you can investigate and remediate the issue.

When security violations are attempted on your firewall, you can invoke your internal incident response (IR) or forensics process to investigate this further. This feature provides you with greater control over your security posture and helps you implement appropriate incident response measures when potential security compromises are detected.

The new Plugin Bundling feature fundamentally changes the upgrade process by automating plugin management. Previously, you had to manually compare and download plugins to ensure they were compatible with the PAN-OS version. This process was prone to errors that could lead to network outages and data loss, such as overwritten VPN pre-shared keys.

By bundling compatible plugins directly with the base image, this feature eliminates the risk of version mismatches and preserves your configurations. When you upgrade, the system automatically downloads the correct plugin versions, so you no longer have to manually download them. This ensures a seamless and conflict-free update.

The Plugins interface now provides a single location to manage all bundled plugins. The interface displays and sorts plugins, allowing you to easily install the ones you need. If you have the required license, you can manage Cloud Services in a separate, dedicated section.

The Upgrade Checks feature introduces report generation for standalone firewalls, Panorama appliances, and Panorama managed firewalls to help you prepare your devices for an upgrade while also providing comprehensive visibility of system post-upgrade. You are now able to generate an upgrade check report, including critical and informational checks, to identify potential issues in the device such as disk space, certificate expiry, memory usage, license validation, and more. After an upgrade, you can generate a comparison report to verify functionality or to facilitate troubleshooting issues. This feature is especially useful for large-scale deployments, providing improved visibility across multiple devices for upgrade readiness, reducing upgrade failures, and minimizing downtime.

Zero Touch Provisioning (ZTP) over Cellular enables automated deployment and configuration of NGFW (Managed by Panorama) in remote locations with limited connectivity or lacking traditional wired connections using cellular interfaces. With the expanded support for cellular connections, ZTP now supports multiple connectivity scenarios, including cellular-only, ethernet-only, or both to provide the flexibility to adapt to various network environments. This capability integrates with your existing Panorama™ management server workflows, maintaining a consistent management experience and ensures efficient deployment without requiring on-site IT intervention. You can use ZTP onboarding to streamline remote NGFW deployments, reduce operational costs, and quickly secure remote sites. ZTP Over Cellular is valuable for organizations with distributed networks, retail locations, or temporary sites where traditional connectivity might be limited or unavailable. The feature is designed to work with current and future 5G-enabled platforms, ensuring long-term value and adaptability as your network evolves.