New Features in November 2023

The application tile names on the hub for Prisma Access, Prisma SD-WAN, and AIOps for NGFW (the premium app only) are now changed to Strata Cloud Manager. With this update, the application URL has also changed to stratacloudmanager.paloaltonetworks.com, and you’ll also now see the Strata Cloud Manager logo on the left navigation pane.

Moving forward, continue using the Strata Cloud Manager app to manage and monitor your deployments.

You can now view the status of the IPSec VPN tunnels to know whether or not valid IKE and IPSec SAs have been established, and whether the tunnel interface is up and available for passing traffic.

Because the tunnel interface is a logical interface, it can’t indicate a physical link status. Therefore, you must use IPSec tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or failover. When a failover occurs, the existing tunnel is torn down, and routing changes are triggered to set up a new tunnel and redirect traffic.

With the IPSec VPN tunnel monitoring feature, you can view the tunnel status:

View the overall status of all the IPSec tunnels, IPSec tunnel status per device, and detailed status of each IPSec tunnel.

The PA-450R is a new rugged firewall appliance that upgrades the PA-220R firewall. The PA-450R is designed for industrial, commercial, and government deployments. The hardware is suited for installation in harsh environments with extreme temperatures and high humidity levels.

The PA-450R is supported on PAN-OS 11.1 and later versions. The firewall features two SFP/RJ-45 combo ports and six RJ-45 ports. The RJ-45 ports include two fail-open ports that can be configured to provide a pass-through connection in the event of a power failure.

The PA-450R is powered by DC power and optionally supports power redundancy. The device has a fanless design and can be installed on a flat surface, wall, and equipment rack. The hardware is compliant with ICS/SCADA system architecture.

The PA-5445 adds the highest performance fixed form-factor model to the Palo Alto Networks® Next-Generation Firewall lineup. This firewall, supported on PAN-OS 11.1 and later versions, features hardware resources dedicated to networking, security, signature matching, and management. The PA-5445 is ideal for deployments in enterprise data centers, headquarters, and regional offices.

The PA-5445 has the highest App-ID speed (93Gbps), L7 threat inspection rate (70Gbps), and session count (48M) in a fixed form-factor firewall.

The PA-5445 features eight RJ-45 ports, twelve SFP+ ports, four SFP28 ports, and four form-factor pluggable QSFP28 ports that support breakout mode. The firewall also features dedicated HSCI and HA1 ports for high availability control.

The PA-5445 can be powered by AC or DC power supplies and optionally supports power redundancy. The hardware takes up 2RU of rack space and should be mounted in a 19” equipment rack.

This release adds support for a bootstrapping process that allows you to configure newly deployed firewalls without manually configuring them prior to deployment. Previously, a firewall image was created for your cloud environments that required you to manually include information such as DNS entries and IP addresses in the init.cfg file.

This new process associates the firewall with a Panorama management host to automate the onboarding and configuration of your software firewall. With this functionality, the bootstrapping process:

• Automatically instantiates, onboards, and configures the firewall instance without prior knowledge of the firewall serial number.
• Automatically onboards the Strata Cloud Manager tenant, from which the tenant receives the initial configuration and becomes fully operational without manual intervention.

Create the bootstrap package with the following fields:

• panorama-server. Use this field to specify cloud management for your Panorama host. This field initiates a TLS connection to the Strata Cloud Manager service edge. For example, panorama-server=cloud. Values other than cloud are interpreted as a Panorama Internet Protocol or FQDN, and will initiate a Panorama management connection. A value defined for panorama-server-2 is ignored when panorama-server=cloud.
• dgname. This field is used to define the Cloud Management folder in which the firewall is mapped.
• vm-series-auto-registration-pin-id. Include the VM-Series registration PIN ID. This automates the process of instantiating the firewall instance by establishing the connection to the Strata Cloud Manager service edge.
• vm-series-auto-registration-pin-value. Include the VM-Series registration PIN VALUE to automate the process of instantiating the firewall instance by establishing the connection to the Strata Cloud Manager service edge.
  The PIN ID and PIN VALUE fields are use to request a Thermite certificate. This certificate is used to authenticate the device and build a secure connection to the cloud service, such as Strata Cloud Manager.

Palo Alto Networks now offers reconnaissance protection for IP protocol scans. IP protocol scans cycle through IP protocol numbers to determine the IP protocols and services supported by target machines. Malicious actors use this scanning technique to identify and exploit open and insecure protocols. This feature enables your firewall to detect and block, allow, or alert on these scans. For example, you can configure the firewall to drop subsequent packets from a host exhibiting behavior consistent with IP protocol scans.

You can configure protection against IP protocol scans in the Reconnaissance Protection settings of a Zone Protection profile. The firewall identifies IP protocol scans based on the specified number of scan events that occurs within a specified interval. If necessary, you can exclude the IP addresses of trusted internal groups performing vulnerability testing from reconnaissance protection. Details of each detected scan are available in the Threat logs.

You can now configure TLSv1.3 in SSL/TLS service profiles to secure administrative access to management interfaces. TLSv1.3 delivers several performance and security enhancements, including shorter SSL/TLS handshakes and more secure cipher suites. In an SSL/TLS service profile, you can select TLSv1.3 as the minimum or maximum supported protocol version for connections to the management interface. Selecting TLSv1.3 automatically enables the following TLSv1.3 cipher suites:

However, you can deselect any key exchange algorithms, encryption algorithms, or authentication algorithms as needed. In addition to offering TLSv1.3 support, SSL/TLS service profiles now enable customization of the key exchange algorithms, encryption algorithms, and authentication algorithms supported.