Next-Generation Firewall
Networking Features
What new Networking features are in PAN-OS 12.1?
The following section describes new networking features introduced in PAN-OS 12.1.
DNS Rewrite with Condition Check
August 2025
You can now configure DNS rewrite conditions to control when DNS
address translation occurs based on the DNS client's characteristics. This
enhancement allows you to specify that DNS responses should only be modified when
the DNS client matches particular source zones or source addresses configured in
your NAT rules. When you enable DNS rewrite conditions, the firewall evaluates
whether the DNS client requesting the resolution matches your configured criteria
before performing any address translation in the DNS response.
You might want to use this feature when you have specific DNS clients that require a
different DNS resolution behavior from others in your network. For example, if you
have internal users who should receive translated addresses for certain services,
while external or guest users should receive the original addresses, you can
configure DNS rewrite conditions to apply translation only to traffic from
designated internal zones. This gives you granular control over which clients
receive modified DNS responses, rather than applying DNS rewrite globally to all
clients requesting resolution for a particular address.
The feature supports both positive matching (where you can specify that DNS rewrite
should occur only when the client matches the NAT rule's source zone and address)
and negative matching (through exclusion lists, where you can specify particular
source zones or IP address ranges that shouldn't undergo a DNS rewrite for the
specific NAT policy rule).
When you configure these conditions, the firewall performs the same DNS rewrite
mapping lookup process as before, but adds an additional validation step to verify
that the requesting DNS client meets your specified criteria. If the client does not
match the configured conditions, the firewall skips the DNS rewrite for that
particular request, while still processing other DNS rewrite rules that might apply
to different clients requesting the same address resolution.
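The evaluation order described above (mapping lookup, then the per-rule client check, then continue to other rules) is easy to misread, so here is a small model of it. This is added example code, not PAN-OS code: the NatRule fields, the "forward"/"reverse" direction names, the order in which exclusion lists and positive conditions are evaluated, and the sample rules and addresses are all assumptions made for the demonstration.

```python
"""Illustrative model of DNS rewrite with a client-condition check.

Added example, not PAN-OS code. Rule fields, direction names, evaluation
order and sample data are assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str
    source_zones: set
    source_addrs: list = field(default_factory=list)  # ip_network objects; empty = any
    original: str = ""                                 # pre-NAT destination address in the rule
    translated: str = ""                               # post-NAT destination address in the rule
    dns_rewrite: Optional[str] = None                  # None, "forward" or "reverse" (assumed names)
    condition_check: bool = False                      # rewrite only for clients matching the rule's source
    exclude_zones: set = field(default_factory=set)    # negative match: never rewrite for these zones
    exclude_addrs: list = field(default_factory=list)  # negative match: never rewrite for these ranges


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def client_allowed(rule, client_zone, client_ip):
    """Validation step: does the DNS client meet this rule's rewrite conditions?"""
    ip = ip_address(client_ip)
    # Exclusion lists (negative matching) are checked first and always win.
    if client_zone in rule.exclude_zones or _in_any(ip, rule.exclude_addrs):
        return False
    if not rule.condition_check:
        return True
    zone_ok = client_zone in rule.source_zones
    addr_ok = not rule.source_addrs or _in_any(ip, rule.source_addrs)
    return zone_ok and addr_ok


def rewrite_dns_answer(rules, answer_ip, client_zone, client_ip):
    """Return (answer after rewrite, name of the rule applied or None).

    The mapping lookup is the same as plain DNS rewrite; the condition check is
    an extra step per rule. A rule whose conditions the client fails is skipped
    and evaluation continues with the next rule for the same address.
    """
    for rule in rules:
        if rule.dns_rewrite == "forward" and answer_ip == rule.original:
            candidate = rule.translated
        elif rule.dns_rewrite == "reverse" and answer_ip == rule.translated:
            candidate = rule.original
        else:
            continue
        if client_allowed(rule, client_zone, client_ip):
            return candidate, rule.name
    return answer_ip, None


# Constructed sample rules: one public address is rewritten to different
# internal targets depending on the client's zone; a management subnet is excluded.
RULES = [
    NatRule(
        name="web-dnat-trust",
        source_zones={"trust"},
        source_addrs=[ip_network("10.0.0.0/8")],
        original="203.0.113.10",
        translated="10.1.1.10",
        dns_rewrite="forward",
        condition_check=True,
        exclude_addrs=[ip_network("10.0.99.0/24")],
    ),
    NatRule(
        name="web-dnat-guest",
        source_zones={"guest"},
        original="203.0.113.10",
        translated="192.168.100.10",
        dns_rewrite="forward",
        condition_check=True,
    ),
]

if __name__ == "__main__":
    for zone, ip in (("trust", "10.0.5.5"), ("trust", "10.0.99.7"),
                     ("guest", "192.168.50.5"), ("dmz", "172.16.0.9")):
        print(zone, ip, "->", rewrite_dns_answer(RULES, "203.0.113.10", zone, ip))
```

The guest client gets a different rewrite for the same public address than the trust client, the excluded management host gets the original answer even though it sits in the trust zone, and a client from a zone no rule covers is left untouched. When you build exclusion lists, remember that the exclusion is per NAT rule: a client excluded from one rule can still be rewritten by another rule that covers its zone.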
GRE Tunnel over a Cellular Interface
August 2025
GRE support over the PAN-OS cellular
interface enables you to establish GRE tunnels using cellular connections
on next-generation firewalls. This feature allows you to configure GRE tunnels with
dynamic IP addressing, supporting IPv4 for tunnel endpoints and traffic. You can use
this capability to securely connect remote IoT devices, such as video cameras and
sensors, back to a mobile headend over cellular networks.
A GRE tunnel over a cellular interface is particularly useful for large service
providers looking to extend their routing infrastructure while minimizing
operational expenses. By supporting dynamic addressing, it accommodates scenarios
where IP addresses may change, providing flexibility in mobile and cellular
environments. This GRE over cellular solution allows you to deploy NGFWs in
locations without traditional Ethernet connectivity, making it ideal for government,
industrial, and remote site applications where secure, reliable communication over
cellular networks is essential.
Load-Balanced DNS
August 2025
You can configure FQDN address objects as load-balanced
FQDNs to ensure comprehensive policy matching when application servers
use load-balanced DNS servers to distribute traffic. When you enable this feature,
the firewall maintains a complete list of resolved IP addresses for the FQDN, rather
than replacing the existing list with each DNS response. This addresses situations
where load-balanced DNS servers return only a subset of available IP addresses in
response to individual queries, which can cause policy rules to fail when matching
against IP addresses that were not included in the most recent DNS response.
You configure this functionality by enabling a new checkbox option in the FQDN
address object configuration. When you designate an FQDN as load-balanced, the DNS
proxy implements additional query logic to build and maintain the complete set of
resolved IP addresses. The system adds DNS retry events with progressive timing
intervals when it receives different IP addresses from those currently stored,
allowing it to discover the full range of IP addresses associated with the
load-balanced domain.
You would implement this feature when your network includes applications that rely on
load-balanced DNS infrastructure where complete visibility into all possible
destination IP addresses is critical for security policy enforcement. The feature
ensures that your security policies function correctly, regardless of which subset
of IP addresses the load-balanced DNS server returns for any individual query.
The feature maintains backward compatibility with existing FQDN configurations, and
you can selectively enable load-balanced DNS handling only for specific FQDN address
objects that require this behavior. The system limits each domain to a maximum of
100 IP addresses to manage memory usage effectively while supporting the vast
majority of load-balanced DNS implementations.
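To make the difference between the two refresh behaviours concrete, the following model feeds the same sequence of partial DNS responses to a classic FQDN object and to a load-balanced one. This is added example code, not PAN-OS code: the class, the 100-address cap taken from the text, and the retry interval values (30, 60, 120, 240 seconds are assumed; the page only says the intervals are progressive) are all my own representation.

```python
"""Illustrative model of FQDN address-object refresh behaviour.

Added example, not PAN-OS code. It contrasts the classic "latest answer wins"
refresh with the load-balanced mode that accumulates every address seen, and
models the progressive retry schedule with assumed interval values.
"""
from ipaddress import ip_address

MAX_IPS_PER_FQDN = 100                    # per-domain cap stated in the release note
RETRY_SCHEDULE_S = (30, 60, 120, 240)     # progressive retry intervals: assumed for illustration


class FqdnObject:
    def __init__(self, name, load_balanced=False):
        self.name = name
        self.load_balanced = load_balanced
        self.ips = set()
        self.retries = 0

    def refresh(self, answer):
        """Apply one DNS response. Returns the retry delay in seconds, or None
        when no extra retry is scheduled (the object then waits for normal TTL expiry)."""
        seen = {ip_address(a) for a in answer}
        if not self.load_balanced:
            self.ips = seen               # classic behaviour: the response replaces the list
            return None
        unseen = seen - self.ips
        if not unseen:
            return None                   # nothing new learned; no further retry
        for ip in sorted(unseen):
            if len(self.ips) >= MAX_IPS_PER_FQDN:
                break                     # cap bounds memory use per domain
            self.ips.add(ip)
        # New addresses appeared: query again, with a progressively longer interval.
        delay = RETRY_SCHEDULE_S[min(self.retries, len(RETRY_SCHEDULE_S) - 1)]
        self.retries += 1
        return delay

    def matches(self, dst_ip):
        """Policy match: is this destination covered by the FQDN object right now?"""
        return ip_address(dst_ip) in self.ips


def run_refresh_cycle(name, answers, load_balanced):
    """Feed a sequence of DNS responses; return (object, list of retry delays)."""
    obj = FqdnObject(name, load_balanced)
    delays = [obj.refresh(a) for a in answers]
    return obj, delays


# Constructed responses from a load-balanced resolver: each query returns only
# a subset of a four-address pool.
SAMPLE_ANSWERS = [
    ["198.51.100.1", "198.51.100.2"],
    ["198.51.100.3", "198.51.100.4"],
    ["198.51.100.1", "198.51.100.4"],
]

if __name__ == "__main__":
    for lb in (False, True):
        obj, delays = run_refresh_cycle("app.example.com", SAMPLE_ANSWERS, lb)
        print("load_balanced=%s ips=%s retries=%s matches .2: %s"
              % (lb, sorted(map(str, obj.ips)), delays, obj.matches("198.51.100.2")))
```

With the classic behaviour the object ends up holding only the two addresses from the last response, so a session to 198.51.100.2 no longer matches the rule even though the server is still live. In load-balanced mode all four addresses are retained and the retries stop as soon as a response brings nothing new. The 100-address cap is the caveat to keep in mind: a pool larger than that is only partially covered, so check the resolved list on the firewall for very large services.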
PA-5450 Firewall Support for Secure Web Gateway
August 2025
High-performance network environments, such as large enterprises, headquarters, and
data centers, frequently hit bottlenecks when processing high volumes of proxy
traffic through their Secure Web Gateway (SWG) deployment, which limits how far the
deployment can scale. PAN-OS® 12.1 addresses this by adding Secure Web Gateway
support for the PA-5450 firewall. The PA-5450's multi-CPU chassis architecture
delivers higher throughput and scalability for high-traffic proxy deployments, so
users in demanding environments benefit fully from the Secure Web Gateway solution.
IPv6 Geolocation Support
August 2025
Many organizations are rapidly migrating to IPv6, driven by ISP adoption and the
depletion of IPv4 address space. Without geolocation data for IPv6, country-based
policy cannot be enforced consistently across dual-stack or IPv6-only environments,
which creates security blind spots. IPv6 support for IP geolocation supplements the
existing IPv4 support for country-based Security, Decryption, and DoS Protection
policies: a single global switch extends your current policy rules to IPv6
addresses, providing visibility and control in dual-stack and IPv6-only
environments. This unified approach simplifies policy management and ensures
consistent enforcement across IPv4 and IPv6. It addresses the growing adoption of
IPv6 by ISPs and large enterprises, as well as customers who must phase out IPv4 and
implement IPv6 as part of a larger migration.
To keep geolocation data current, Palo Alto Networks provides a regularly updated
global content file that includes an IPv4/IPv6-to-country mapping database used to
determine the country associated with a given IP range. IPv6 geolocation mappings
have the same granularity and coverage as IPv4 mappings, ensuring consistent policy
enforcement across both address types.
Alternatively, you can create your own custom mappings by providing a
range of IPv6 addresses to a specified region; these have precedence over
the default mapping and can be used to fine-tune your security policies.
Enhanced Application Logs for ICMPv6
August 2025
PAN-OS uses deep packet inspection (DPI) to generate enhanced application
logs (EAL) from ICMPv6 neighbor discovery protocol (NDP) packets. With ICMPv6 EAL,
Device Security can learn about devices and device attributes and support Advanced
Device-ID for IPv6 deployments. Cortex XDR can also use ICMPv6 EALs from PAN-OS.
EAL for ICMPv6 NDP is enabled by default. To prevent log flooding from NDP traffic
in large IPv6 deployments, you can disable ICMPv6 EAL from the CLI. After disabling
ICMPv6 EAL, commit the device configuration for the change to take effect.
set deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp
If you disable ICMPv6 EAL, you can reenable it using the CLI. Commit the device config
for the change to take effect.
delete deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp
Enhanced Packet Capture with Support for Range Filters
August 2025
PAN-OS® 12.1 introduces support for range filters when configuring custom packet
captures (PCAPs). This feature addresses troubleshooting of batch traffic where the
exact source IP addresses, ports, or protocols are not known in advance.
You can configure capture filters to define ranges using a dash (-) to separate
values for:
- IP addresses: Use subnet masks or specific IP ranges for source and destination IPs.
- Ports: Define ranges for both source and destination ports.
- Protocols: Specify a range of protocols.
The system captures any packets that fall within the defined ranges, including the
boundary values. You can also combine single-value filters with range filters to
refine your packet captures.
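The range semantics above (dash-separated inclusive ranges, subnet masks for addresses, single values combinable with ranges) are shown in the following matcher. This is added example code, not PAN-OS code or its CLI syntax: the spec dictionary keys (source, destination, sport, dport, protocol), the packet dictionaries and the sample traffic are my own representation, chosen to exercise the boundary-inclusion rule.

```python
"""Illustrative range-filter matcher for packet capture.

Added example, not PAN-OS code. Filter field names, packet representation and
sample traffic are assumptions for the demonstration.
"""
from ipaddress import ip_address, ip_network


def ip_term(term):
    """Predicate for an IP term: single address, CIDR, or inclusive 'lo-hi' range."""
    term = term.strip()
    if "/" in term:
        net = ip_network(term, strict=False)
        return lambda ip: ip in net
    if "-" in term:
        lo, hi = (ip_address(p.strip()) for p in term.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad IP range: %s" % term)
        return lambda ip: lo <= ip <= hi          # boundary values are included
    single = ip_address(term)
    return lambda ip: ip == single


def int_term(term, upper):
    """Predicate for a port or protocol term: single value or inclusive 'lo-hi' range."""
    parts = [int(p) for p in term.split("-", 1)]
    lo, hi = parts[0], parts[-1]
    if not 0 <= lo <= hi <= upper:
        raise ValueError("bad numeric range: %s" % term)
    return lambda v: lo <= v <= hi


# field name -> (converter applied to the packet value, predicate builder)
FIELD_PARSERS = {
    "source": lambda t: (ip_address, ip_term(t)),
    "destination": lambda t: (ip_address, ip_term(t)),
    "sport": lambda t: (int, int_term(t, 65535)),
    "dport": lambda t: (int, int_term(t, 65535)),
    "protocol": lambda t: (int, int_term(t, 255)),
}


def compile_filter(spec):
    """Turn {field: term} into a packet predicate; every configured field must match."""
    checks = []
    for fld, term in spec.items():
        if fld not in FIELD_PARSERS:
            raise ValueError("unknown filter field: %s" % fld)
        conv, pred = FIELD_PARSERS[fld](str(term))
        checks.append((fld, conv, pred))
    return lambda pkt: all(pred(conv(pkt[fld])) for fld, conv, pred in checks)


def capture(packets, spec):
    """Return the packets that fall inside every configured filter term."""
    match = compile_filter(spec)
    return [pkt for pkt in packets if match(pkt)]


# Constructed sample traffic (protocol 6 = TCP, 17 = UDP, 1 = ICMP).
PACKETS = [
    {"source": "10.1.1.10", "destination": "192.0.2.5", "sport": 51000, "dport": 8080, "protocol": 6},
    {"source": "10.1.1.20", "destination": "192.0.2.9", "sport": 51001, "dport": 8090, "protocol": 17},
    {"source": "10.1.1.21", "destination": "192.0.2.9", "sport": 51002, "dport": 8085, "protocol": 6},
    {"source": "10.1.1.15", "destination": "198.51.100.7", "sport": 51003, "dport": 8085, "protocol": 6},
    {"source": "10.1.1.15", "destination": "192.0.2.200", "sport": 51004, "dport": 443, "protocol": 1},
]

if __name__ == "__main__":
    spec = {"source": "10.1.1.10-10.1.1.20", "destination": "192.0.2.0/24",
            "dport": "8080-8090", "protocol": "6-17"}
    for pkt in capture(PACKETS, spec):
        print(pkt)
```

Both ends of each range match (10.1.1.10 and 10.1.1.20 are captured, 10.1.1.21 is not), the destination is restricted by a subnet mask rather than a dash range, and a single-value source port can be combined with a destination port range. The matcher rejects an inverted range such as 10.1.1.20-10.1.1.10 rather than silently matching nothing, which is the failure mode to watch for when a capture comes back empty.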