Focus

Next-Generation Firewall

New Features in March 2024

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

New Features in March 2024

These are the new features introduced in March 2024 for AIOps for NGFW Free, and for AIOps for NGFW Premium.

These are the new features introduced in March 2024 for AIOps for NGFW Free, and for AIOps for NGFW Premium (use Strata Cloud Manager app). AIOps for NGFW Premium updates include new features to support Cloud Management for NGFWs.

AIOps for NGFW: NGFW/Panorama Management Certificate Expiration Alert

March 1, 2024

Introducing the NGFW/Panorama Management Certificate Expiration alert that detects the upcoming expiration of the NGFW or Panorama Management certificate on devices by April 7, 2024. When these certificates expire, it results in a loss of connection between Panorama and NGFWs, M-Series appliances operating in PAN-DB private cloud mode, WildFire appliances (WF500/B), and Peer Panoramas, regardless of their management or Log Collector modes. Consequently, expired certificates compromise centralized management and visibility, posing security risks and operational inefficiencies. This alert helps you identify the PAN-OS devices within your network that are susceptible to this issue and provides information about the remediation options.

Supported on AIOps for NGFW Free and Strata Cloud Manager with AIOps for NGFW Premium license.

The NGFW/Panorama Management Certificate Expiration alert assesses the following criteria:

Checks if Panorama is managing the device.
Checks if the device is running a minor version lower than the specified version in Table 2: Target Upgrade Versions.
Checks if a custom certificate is being used for Device-Panorama connectivity.
Checks if the dynamic content update version is greater than or equal to 8795-8489 on all NGFWs, Panorama, and log collectors.
Checks if the firewall has rebooted at least once after the content package update.

This alert is triggered if it meets all the following conditions:

Panorama manages the device.

Unmanaged devices and those managed by Strata Cloud Manager are exempt.
The device is running an older software version and it's not using a custom certificate for Panorama-NGFW-LC connectivity.
The device either has a content package version prior to 8795-8489 or a version exceeding 8795-8489 but has not undergone a reboot since the content package installation.

If these conditions are met, a critical alert is generated notifying you about NGFW/Panorama management certificate expiry.

The device remains unaffected if either condition 1 or 2 fails. If this alert is active, it's closed upon the failure of either condition 1 or 2.

Health alerts actively monitor the health and performance of your platform in real-time. This approach helps in identifying issues, predicting potential problems, and implementing remediation actions to ensure your devices function optimally. Here are some key aspects:

Monitoring Metrics: Continuously monitor various metrics from the NGFWs, including CPU utilization, memory usage, disk space, network throughput, and other relevant performance indicators.
Anomaly Detection: Generate alerts that dynamically adjust based on the metric's historical value and your usage trends.
Predictive Analysis: Predict when certain thresholds exceed or when specific events occur by analyzing historical data and patterns. This helps forecast potential issues before they escalate.

AIOps for NGFW: Probable Cause Analysis with CDL

March 1, 2024

The probable cause analysis is enhanced to use the Strata Logging Service (CDL) logs and provide additional metadata to identify the probable cause that led to the creation of an alert or incident. This analysis enables pinpointing the policies, applications, source zones, URLs, source IPs, and regions potentially causing the alert, thereby facilitating appropriate remediation actions. For instance, when session exhaustion triggers an Adverse Resource Usage alert, you can utilize the probable cause analysis to identify the primary contributors to the alert and follow the suggested remediation recommendations.

Supported on Strata Cloud Manager with AIOps for NGFW Premium license.

To troubleshoot the issues that cause alerts, AIOps for NGFW leverages advanced AI capabilities to provide probable causes for alerts. By reviewing these probable causes, you can identify the source of the issue and follow the provided recommendations for resolving it. This feature ensures optimal network performance by mitigating disruptions and maximizing the effectiveness of your cybersecurity solution.

Next-Generation Firewall Docs

New Features in March 2024

Next-Generation Firewall Docs

New Features in March 2024

AIOps for NGFW: NGFW/Panorama Management Certificate Expiration Alert

AIOps for NGFW: Probable Cause Analysis with CDL

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner