Networking Features
What new Networking features are in PAN-OS 11.1?
The following section describes new networking features introduced in PAN-OS 11.1.
Increased Maximum Security Policies and Zones for the PA-1400 and PA-3400 Series
(PA-1400 and PA-3400 Series firewalls only) The maximum
number of security policies and security zones supported on the firewalls is now
increased.
On the PA-1410 and PA-1420 firewalls, the maximum number of
security policies has increased from 5,000 to 10,000. The maximum number of security
zones has increased to 1,000.
On the PA-3410, PA-3420, PA-3430, and PA-3440 firewalls, the
maximum number of security policies has increased from 10,000 to 30,000. The maximum
number of security zones has increased to 1,000.
Multi-VSYS Support for NGFW Clustering
January 2025
Multi-VSYS support for PA-7500 Series firewalls in clustering mode enables you to
efficiently use your firewalls with large virtual system capacity. This feature
brings parity with standalone systems, allowing you to configure up to 25 virtual
systems on your clustered PA-7500 Series firewalls. You can assign virtual systems at the interface level,
including support for MC-LAG and Aggregate Ethernet interfaces. This capability is
crucial for customers migrating from PA-7050 NGFWs in HA active/passive or
active/active configurations to PA-7500 clustering, as it allows you to carry over
your existing multi-VSYS configurations.
The feature supports per-VSYS policies, including security rules, NAT rules, and
policy-based forwarding. It also enables role-based administration, local user
databases, and services such as syslog and SNMP for each virtual system. By
implementing multi-VSYS in NGFW clustering mode, you can efficiently separate
traffic and management functionality per department, while still benefiting from
shared gateways for internet connections across virtual systems. This feature is
particularly valuable to large enterprises, service providers, and organizations
across various vertical markets that require robust network segmentation and
multi-tenancy capabilities in their high-performance firewall deployments.
NPTv6 with Dynamically Assigned IPv6 Address Prefix
October 2024
You can configure NGFW interfaces to obtain their dynamic IPv6 addresses from ISPs by
using DHCPv6, PPPoEv6, or cellular LTE/5G. However, an ISP (such as a cellular
provider) might not provide a delegated IPv6 prefix that the firewall can use to
provision LAN hosts with IPv6 prefixes. Also, an ISP may provide a delegated IPv6
prefix, but you might not want to expose your networking addresses externally.
Beginning with PAN-OS 11.1.5, you can use NPTv6 with dynamically assigned IPv6 address
prefixes; this solution addresses both use cases. (NPTv6 already
supported translation of statically configured IPv6 prefixes.)
IKE Gateway with Dynamic IPv6 Address Assignment
October 2024
Beginning with PAN-OS 11.1.5, you can set up an IKE gateway on an interface that
has a dynamically assigned IPv6 address configured by DHCPv6, PPPoEv6, or a 5G
modem. (Setting up an IKE gateway on an interface with a static IPv6 address was
already possible.)
IPv6 Support on Cellular Interface for PA-415-5G Firewall
October 2024
September 2024
The PA-415-5G firewall supports dynamic IPv6 addressing and dual-stack networking on
a cellular interface. This is especially
helpful when your cellular operator provides only IPv6 services or your location
requires IPv6 connectivity. The cellular interface supports dynamically obtaining an
IPv6 prefix from the 5G provider network.
Support for Proxy ID in IPSec Transport Mode
October 2024
In earlier PAN-OS versions, IPSec transport mode did not support proxy ID settings
for IPSec negotiation, so you could not configure a proxy ID in transport mode from
the web interface. If you configured a proxy ID through the CLI, it was automatically
replaced with 0.0.0.0/0 during the configuration commit. Without proxy ID support,
policy-based IPSec transport-mode connections to other vendors' devices failed.
We've now introduced support for proxy ID in transport mode, which enables a seamless
connection to those devices. You can configure a proxy ID in IPSec transport mode
only through the CLI.
Explicit Proxy Support for Advanced Services
October 2024
September 2024
Palo Alto Networks now supports Advanced cloud-based features (including, but not
limited to, Precision AI™ optimized features such as Advanced WildFire: Inline Cloud
Analysis, Advanced Threat Prevention: Inline Cloud Analysis, and Inline Deep Learning
Analysis for Advanced URL Filtering, as well as App-ID Cloud Engine and Enterprise
DLP) when an explicit proxy is part of a customer's network security infrastructure.
Previously, access to various components of advanced security subscriptions required
direct internet connectivity, so users whose internet traffic is handled by an
explicit proxy server could not use the full feature set of their advanced cloud
services, which could leave them vulnerable to certain security threats. When
Explicit Proxy Support for Advanced Services is enabled, the firewall initiates and
completes the proxy handshake and authentication procedures to establish a connection
to the specified proxy server, which then forwards the traffic to the Palo Alto
Networks Advanced cloud service servers.
For more information about enabling explicit proxy support for advanced services,
refer to the configuration documentation for enabling the specific advanced
subscription service.
Overlapping IP Address Support
June 2024
Without the ability to reuse the same IP address across multiple interfaces, it can
be difficult to manage large environments where the firewall resources are shared or
segmented. Beginning with PAN-OS 11.1.4, duplicate (overlapping) IP address support
allows you to use the same IPv4 or IPv6 address on multiple firewall interfaces when
the interfaces belong to different logical routers. The interfaces can belong to
different security zones on a single virtual system, or belong to the same zone on
different virtual systems, or belong to different zones and different virtual
systems.
PA-1400 Series firewalls, VM-Series firewalls, and Panorama template stacks support
overlapping addresses.
Overlapping IP address support requires the Advanced Routing Engine. When you enable
Advanced Routing, the option to enable Duplicate IP Address Support becomes
available for you to select. The overlapping addresses can be statically configured
or dynamically assigned to interfaces. All Layer 3 interface types (Ethernet, VLAN,
tunnel, loopback, Aggregate Ethernet [AE], and AE subinterfaces) support overlapping
IP addresses.
NGFW Clustering of PA-7500 Series Firewalls
May 2024
Data centers need very high levels of network bandwidth and reliability. NGFW
clustering is a way to provide redundancy to two PA-7500 Series firewalls in an NGFW
cluster in the event of a link failure, card failure, or chassis failure. NGFW
clustering blends the legacy HA active/active and active/passive solutions into a
single high availability solution. The two cluster nodes connect over a single HSCI
connection. The firewalls maintain a dual active data plane with a single active
control plane. Neighboring devices see the NGFW cluster as a single Layer 2 (virtual
wire) or Layer 3 device.
The NGFW cluster solution reduces failover time, increases resiliency, and supports a
multichassis link aggregation group (MC-LAG). The firewalls in the NGFW cluster
increase port availability, require fewer IP addresses, and rely on open
standards.
Increased Maximum Number of Security Rules for the PA-3400 Series Firewall
May 2024
(PA-3410 and PA-3420 firewalls only) The maximum number of
security rules supported has increased from 2,500 to 10,000.
PA-5420 Firewall Supports Additional Virtual Routers
May 2024
The number of virtual routers supported on a PA-5420 firewall increased from 50 to
65. This increase allows you to have a virtual router for each virtual system on the
firewall in the event that you configure more than 50 virtual systems.
Authenticate LSVPN Satellite with Serial Number and IP Method
February 2024
May 2024
Beginning with PAN-OS 10.1, the portal supports the Username/password and Satellite
Cookie Authentication method for authenticating a satellite. This method requires
user intervention to get satellites authenticated by the portal, which prevents
automating the deployment of remote satellites and makes software upgrades and new
firewall deployments more difficult and complex for administrators.
To remove the user intervention when onboarding a remote satellite and to enable
automated deployment of remote satellites, we introduce a new authentication method
called Serial number and IP address Authentication. You can now onboard a remote
satellite using the combination of serial number and IP address, in addition to the
username/password and satellite cookie authentication method. This method reduces
complexity by enabling you to deploy new firewalls without manual intervention.
However, Username/password and Satellite Cookie Authentication remains the default
authentication method.
Before enabling the Serial number and IP address Authentication method, configure the
satellite serial number at the portal as one of the authentication verification
conditions.
- Configure the satellite IP address as an IP allow list at the portal using the set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-allowlist entry <value> command to add a satellite device IP address on the GlobalProtect portal.
- Enable the Serial number and IP address Authentication method using the set global-protect satellite-serialnumberip-auth enable CLI command. After you enable this method, the satellite continuously attempts to authenticate with the portal for the configured retry interval (in seconds) after power-on until the portal explicitly instructs the satellite to stop.
Upon successfully configuring a satellite device allowed IP address list per portal,
and configuring the satellite serial number on the GlobalProtect portal, the
satellite can initiate the connection to the portal.
Per Policy Persistent DIPP
December 2023
Some applications, such as VOIP and video, use DIPP source NAT and may require STUN.
DIPP NAT uses symmetric NAT, which may have compatibility issues with STUN. To
alleviate those issues, persistent NAT for DIPP provides additional support for
connectivity with such applications. When you enable persistent NAT for DIPP, the
binding of a private source IP address and port to a specific public (translated)
source IP address and port persists for subsequent sessions that arrive having that
same original source IP address and port.
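The difference between symmetric DIPP and persistent DIPP, modelled as an added example (not PAN-OS code): the client, STUN server, peer and public addresses are constructed, and the port allocation order is a simplification of the firewall's real pool handling.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound session as seen before translation (constructed values)."""
    src: str
    sport: int
    dst: str
    dport: int


class DippNat:
    """Source DIPP NAT with one public IP and a pool of translated ports.

    persistent=False: a fresh translated port per session (symmetric NAT), so the
    same private src IP:port maps differently for each destination.
    persistent=True: the private src IP:port -> public IP:port binding is kept
    and reused for every later session from that same original source.
    """

    def __init__(self, public_ip, persistent, first_port=40000, last_port=40099):
        self.public_ip = public_ip
        self.persistent = persistent
        self.free_ports = list(range(first_port, last_port + 1))
        self.sessions = {}   # (src, sport, dst, dport) -> (public_ip, translated_port)
        self.bindings = {}   # (src, sport) -> (public_ip, translated_port), persistent only

    def _allocate(self):
        if not self.free_ports:
            raise RuntimeError("translated port pool exhausted")
        return (self.public_ip, self.free_ports.pop(0))

    def translate(self, flow):
        """Return the translated (ip, port) the destination sees for this flow."""
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        if key in self.sessions:
            return self.sessions[key]
        orig = (flow.src, flow.sport)
        if self.persistent and orig in self.bindings:
            mapping = self.bindings[orig]          # reuse the persisted binding
        else:
            mapping = self._allocate()
            if self.persistent:
                self.bindings[orig] = mapping      # remember it for later sessions
        self.sessions[key] = mapping
        return mapping

    def close(self, flow):
        """Session end: the port is released only when no persistent binding holds it."""
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        mapping = self.sessions.pop(key)
        if not self.persistent:
            self.free_ports.append(mapping[1])


def stun_then_media(nat):
    """The STUN case the text refers to: the client learns its public mapping
    from a STUN server, that short session ends, then the client starts a media
    session to a peer from the same source port. Returns (stun_mapping,
    media_mapping, compatible); all addresses are constructed."""
    stun = Flow("10.1.1.20", 5060, "198.51.100.5", 3478)
    media = Flow("10.1.1.20", 5060, "192.0.2.77", 5060)
    discovered = nat.translate(stun)      # what the STUN server reports back
    nat.close(stun)                       # binding request is a short session
    seen_by_peer = nat.translate(media)   # what the VoIP peer actually sees
    return discovered, seen_by_peer, discovered == seen_by_peer
```

With persistent=False the peer sees a different port than STUN reported, so the media path breaks; with persistent=True both mappings match.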
Software Cut-Through Support for PA-3400 and PA-5400 Series Firewalls
December 2023
The PA-3400 Series and PA-5400 Series firewalls (except the PA-5450) have
significantly improved latency.
Improved Throughput with Lockless QoS
November 2023
The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless
QoS for the PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, PA-5430, PA-5440,
and PA-5445 firewalls. For firewalls with higher-bandwidth QoS requirements, lockless
QoS dedicates CPU cores to the QoS function, which improves QoS performance and
results in better throughput and latency.
Dynamic IPv6 Address Assignment on the Management Interface
November 2023
The management (MGT) interface on the NGFW now supports dynamic IPv6 address
assignment. Configuring the MGT interface for dynamic IPv6 address assignment
(rather than a static address) makes it easier to insert and manage the firewall in
an IPv6 network.
When you configure the MGT interface, you'll notice new IPv4 and IPv6 tabs to
separate the configurations.
You have two types of addressing to choose from: stateful or stateless. On the
network segment, you control the router where you set flags to indicate that the MGT
interface will be one of the following:
- A stateful DHCPv6 client, which receives its IPv6 address with prefix length and other configuration information from a DHCPv6 server.
- An IPv6 stateless address autoconfiguration (SLAAC) client, which autogenerates its IPv6 address. A stateless IPv6 address avoids a DHCPv6 server having to store dynamic state information about clients; such avoidance is helpful in environments with a large number of endpoints.
The firewall uses Neighbor Discovery Protocol (NDP) to send a Router Solicitation to
all routers on the link. The flags in the Router Advertisement (RA) that the sole
router (or preferred router) on the link sends to the firewall control whether the
firewall will use SLAAC or stateful DHCPv6 to get a dynamic address for the MGT
interface.
However, in the current release, when the Autonomous (A) flag is set in the RA
message, the firewall obtains both a DHCPv6 address and a SLAAC address. Ideally, the
firewall should use only the SLAAC address and shouldn't send a DHCPv6 Solicit
message. As a result of this known issue, if a DHCPv6 server on the segment can
assign an IPv6 address, the firewall prefers the DHCPv6 address over SLAAC.
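A parser for the RA flags that make this choice, with the SLAAC address the MGT interface would autogenerate and the DHCPv6 preference the known issue causes, as an added example that is not PAN-OS code; the RA bytes and MAC address are constructed, and forming the interface identifier with modified EUI-64 is an assumption.

```python
import ipaddress
import struct

ICMPV6_RA = 134               # ICMPv6 Router Advertisement type (RFC 4861)
OPT_PREFIX_INFO = 3           # Prefix Information Option type
FLAG_M, FLAG_O = 0x80, 0x40   # RA "Managed" and "Other configuration" flags
PIO_L, PIO_A = 0x80, 0x40     # PIO "on-link" and "Autonomous" flags


def build_ra(managed, other, prefix, autonomous, on_link=True):
    """Constructed RA (ICMPv6 header + one PIO) for offline testing; checksum left 0."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pflags = (PIO_L if on_link else 0) | (PIO_A if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0)
    return hdr + pio + net.network_address.packed


def parse_ra(pkt):
    """Extract the M/O flags and every Prefix Information Option from an RA."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_RA or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]
    ra = {"managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{addr}/{plen}",
                                   "on_link": bool(pflags & PIO_L),
                                   "autonomous": bool(pflags & PIO_A)})
        off = end   # unknown options are skipped by their length
    return ra


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a MAC address."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    b[0] ^= 0x02   # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def slaac_address(prefix, mac):
    """Address SLAAC would autogenerate for an advertised /64 prefix (as a string)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))


def mgt_address_mode(ra, dhcpv6_server_present, known_issue=True):
    """Which dynamic-address source the MGT interface ends up using.

    RFC 4861 intent: a PIO with the A flag -> SLAAC (plus stateless DHCPv6 for
    DNS and similar when O is set); M flag without A -> stateful DHCPv6.
    known_issue=True reproduces the behaviour the text describes: with A set the
    firewall also sends a DHCPv6 Solicit and prefers a DHCPv6 address if a
    server on the segment can assign one.
    """
    slaac_possible = any(p["autonomous"] for p in ra["prefixes"])
    if slaac_possible:
        if known_issue and dhcpv6_server_present:
            return "dhcpv6"
        return "slaac+stateless-dhcpv6" if ra["other"] else "slaac"
    if ra["managed"]:
        return "dhcpv6" if dhcpv6_server_present else "none"
    return "none"
```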
You specify either a static IPv6 default gateway address or request a dynamic IPv6
default gateway address, which the firewall learns from the RA that the router
sends. Even if you configure the MGT interface with a static IPv6 address, you now
have this same choice for configuring the default gateway.
Therefore, you have four possible options for configuring the MGT interface and its
default gateway:
- Static IPv6 address and static IPv6 default gateway address
- Static IPv6 address and dynamic IPv6 default gateway address
- Dynamic IPv6 address and static IPv6 default gateway address
- Dynamic IPv6 address and dynamic IPv6 default gateway address
Configuring the MGT interface as a DHCPv6 client involves requesting a Non-Temporary
or Temporary Address, deciding on the Rapid Commit option, and specifying the DHCPv6
Unique ID type.
PPPoE Client for IPv6
November 2023
The firewall supports an Ethernet Layer 3 interface or subinterface acting as a Point-to-Point Protocol over Ethernet (PPPoE)
IPv6 client to reach an ISP that provides IPv6 internet services. In
PPPoE mode, the interface or subinterface can obtain an IPv6 address dynamically
using DHCPv6 either in stateful or stateless mode. In stateful mode, the PPPoE
interface acquires all connection parameters dynamically from the DHCPv6 server. In
stateless mode, the IPv6 address of the PPPoE interface is obtained using stateless
address autoconfiguration (SLAAC), but the other parameters (DNS and prefix
delegation) are obtained through DHCPv6. Stateful and stateless DHCPv6 reduce
provisioning effort and errors, and simplify address management.
Only Ethernet Layer 3 interfaces and subinterfaces support an IPv6 PPPoE client
(tunnel, AE, VLAN, and loopback interfaces don't support an IPv6 PPPoE client). A
Layer 3 interface and its subinterface can't act as a PPPoEv6 client at the same
time.
A limitation is that the interface configured with PPPoEv6
can't acquire a DNS server address or DNS prefix from Router Advertisement
(RA-DNS). You'll have to rely on DHCPv6 to obtain the DNS information or configure
those parameters manually.
Once configured for PPPoE, an interface can't be assigned a
static IP address.
Post-Quantum IKEv2 VPNs
November 2023
Post-quantum VPNs use post-quantum cryptography (PQC) to resist attacks based on
quantum computing. Palo Alto Networks post-quantum VPN support enables you to
configure quantum-resistant IKEv2 VPNs and is based on the RFC 8784 standard to maximize interoperability with
other vendors' equipment and with future standards. Multiple government agencies
around the world, including the NSA and NIAP, recommend implementing RFC 8784 to
improve quantum resistance. Implementing RFC 8784 is the simplest way to create
quantum-resistant VPNs because you don't need to upgrade crypto elements.
Addressing the quantum threat immediately is critical to defend against Harvest Now, Decrypt Later attacks that target
long-lived data because the development of cryptographically relevant quantum
computers (CRQCs) will vastly reduce the amount of time required to break classical
encryption.
Configuring quantum-resistant VPNs denies attackers usable key material even if they
record the encrypted exchange, so they can't decrypt the data later even if they
steal it. If you have long-lived data, start planning now for the threat that
quantum computers pose and for your network's transition to a post-quantum world.
The first step is to make your VPN connections quantum-resistant.
RFC 8784 provides a transition from today's classical cryptography to PQC.
Quantum-resistant VPNs based on RFC 8784 enable using post-quantum pre-shared keys
(PPKs) that are not transmitted with the data, so harvesting attacks fail because
they don't capture the key material that they need to decrypt the data later. A PPK
is a complex, strong hexadecimal string that you statically program into the IKE
peers at the ends of the VPN tunnel.
Mixing a static PPK that's delivered out-of-band into the classical Diffie-Hellman (DH)
key prevents Shor's algorithm from recovering the resulting key, because that key no
longer depends only on the prime-number-based DH exchange. RFC 8784 enables using long,
strong PPKs that meet the NIST Category 5 security level.
In addition, RFC 8784 provides backward compatibility to fall back to classical
cryptography if a peer can't support RFC 8784, so the implementation doesn't risk
refusing legitimate connections. The Palo Alto Networks implementation of RFC 8784
provides flexibility and quantum resistance for your IKEv2 VPNs:
- You can add up to ten post-quantum (PQ) PPKs to each IKEv2 VPN. Each PQ PPK is associated with a PPK KeyID, which uniquely identifies the PPK, so you can configure up to ten PPK + KeyID pairs. You can configure PPKs yourself or use a built-in tool to generate strong PPK strings. Configuring multiple active PPKs enables the firewall that initiates the IKEv2 peering to randomly select one of the active PPKs to use with the peer.
- You can configure PPK strings from 16-64 bytes (32-128 characters) in length. For best security, use PPK strings that are at least 32 bytes (64 characters) in length.
- You can set the Negotiation Mode to control the ciphers used to establish the connection:
- Mandatory—Require that the responding peer use RFC 8784 and abort the connection if it only uses classical cryptography.
- Preferred—Allow the initiating device to fall back to classical cryptography if the peer doesn't support RFC 8784.
- You can activate and deactivate individual PQ PPKs, so if a PQ PPK is lost or exposed, you can disable it and remove it from the negotiation pool.
In addition to implementing RFC 8784 now:
- Migrate to tougher cipher suites. Follow RFC 6379 for Suite B Cryptographic Suites for IPsec, upgrade ciphers to Suite-B GCM-256, and avoid using weaker AES-128-bit algorithms.
- Upgrade to larger hash sizes such as SHA-384 or SHA-512. Don't use MD5 or SHA-1.
- Upgrade your CA to larger RSA key sizes. Use 4096-bit RSA key sizes and migrate VPN certificate authentication to new certificates.
The following example topology shows three VPN termination sites. Sites A and C
support post-quantum VPNs based on RFC 8784. Site B supports only classical VPNs.
Site A must be able to communicate with both Site B and Site C.

Site A uses both Mandatory and Preferred negotiation modes. When Site A communicates
with Site B, which only supports classical cryptography, Site A falls back to
classical negotiation. When Site A communicates with Site C, Site A uses a PQ PPK
because Site C supports using PQ PPKs.
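The RFC 8784 key mixing, PPK length check, active-PPK pool and Mandatory/Preferred fallback applied to the Site A/B/C topology above, as an added example that is not Palo Alto Networks code; it assumes HMAC-SHA-256 as the IKEv2 PRF, constructed SK_d/SK_pi/SK_pr values in place of the real Diffie-Hellman output, and a simplified USE_PPK/PPK_IDENTITY exchange.

```python
import hashlib
import hmac
import secrets


def prf(key, data):
    # Assumed PRF: HMAC-SHA-256 (the real PRF is whatever the IKE proposal negotiates)
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def validate_ppk(ppk_hex):
    """Apply the limits stated above: a hex PPK of 16-64 bytes (32-128 characters)."""
    try:
        ppk = bytes.fromhex(ppk_hex)
    except ValueError:
        raise ValueError("PPK must be a hexadecimal string") from None
    if not 16 <= len(ppk) <= 64:
        raise ValueError("PPK must be 16-64 bytes (32-128 hex characters)")
    return ppk


def mix_ppk(ppk, sk_d, sk_pi, sk_pr):
    """RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi),
    SK_pr' = prf+(PPK, SK_pr), each keeping the length of the key it replaces.
    The PPK never crosses the wire, so a recorded exchange lacks it."""
    return (prf_plus(ppk, sk_d, len(sk_d)),
            prf_plus(ppk, sk_pi, len(sk_pi)),
            prf_plus(ppk, sk_pr, len(sk_pr)))


class IkePeer:
    """A VPN endpoint with its PPK pool (KeyID -> PPK) and the set of active KeyIDs."""

    def __init__(self, name, ppks=None, supports_rfc8784=True):
        self.name = name
        self.ppks = {kid: validate_ppk(p) for kid, p in (ppks or {}).items()}
        self.active = set(self.ppks)
        self.supports_rfc8784 = supports_rfc8784

    def deactivate(self, keyid):
        # Lost or exposed PPK: drop it from the negotiation pool without deleting it
        self.active.discard(keyid)


def negotiate(initiator, responder, mode, classical_keys, choose=secrets.choice):
    """Return (outcome, keyid, keys); outcome is 'ppk', 'classical' or 'abort'.
    mode is 'mandatory' or 'preferred'. Simplified model: the initiator signals
    USE_PPK in IKE_SA_INIT, then names one KeyID in IKE_AUTH; a responder that
    cannot use that PPK either fails the setup (mandatory) or falls back to the
    classical keys (preferred)."""
    if mode not in ("mandatory", "preferred"):
        raise ValueError("mode must be 'mandatory' or 'preferred'")
    candidates = sorted(initiator.active)
    if not candidates:
        return ("classical", None, classical_keys)   # nothing to offer
    if not responder.supports_rfc8784:              # responder omits USE_PPK
        return ("abort", None, None) if mode == "mandatory" else ("classical", None, classical_keys)
    keyid = choose(candidates)                      # random pick among active PPKs
    usable = keyid in responder.active and responder.ppks[keyid] == initiator.ppks[keyid]
    if not usable:
        return ("abort", keyid, None) if mode == "mandatory" else ("classical", keyid, classical_keys)
    keys_i = mix_ppk(initiator.ppks[keyid], *classical_keys)
    keys_r = mix_ppk(responder.ppks[keyid], *classical_keys)
    assert keys_i == keys_r                         # both ends derive the same SK' values
    return ("ppk", keyid, keys_i)


# Constructed stand-ins for the DH-derived SK_d, SK_pi, SK_pr (identical on both peers)
CLASSICAL_KEYS = (b"\x11" * 32, b"\x22" * 32, b"\x33" * 32)
PPK_K1 = "00" * 16 + "ff" * 16       # constructed 32-byte PPK
PPK_K2 = "0123456789abcdef" * 4      # constructed 32-byte PPK


def site_topology_demo():
    """Sites A and C hold the same PPKs; Site B is classical-only."""
    site_a = IkePeer("A", {"k1": PPK_K1, "k2": PPK_K2})
    site_b = IkePeer("B", supports_rfc8784=False)
    site_c = IkePeer("C", {"k1": PPK_K1, "k2": PPK_K2})
    return {
        "A-B mandatory": negotiate(site_a, site_b, "mandatory", CLASSICAL_KEYS)[0],
        "A-B preferred": negotiate(site_a, site_b, "preferred", CLASSICAL_KEYS)[0],
        "A-C mandatory": negotiate(site_a, site_c, "mandatory", CLASSICAL_KEYS)[0],
    }
```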
New Platform Support for Web Proxy
November 2023
The web proxy feature is now supported on the PA-5400 Series, which includes the
PA-5410, PA-5420, PA-5430, PA-5440, and PA-5445 platforms.
Throughput Enhancements for Web Proxy
November 2023
The throughput for both the explicit and transparent components of the web proxy has been significantly improved,
resulting in better performance at scale.
Authentication Exemptions for Explicit Proxy
November 2023
If you use the explicit proxy configuration for your web proxy, you can now
configure exemptions for traffic
from specific sources, destinations, or both. IoT devices, such as printers, cannot
respond to an authentication request from the proxy or support a certificate or PAC
file for authentication. You can configure up to three authentication exemptions for
devices using the explicit proxy.
Exclude All Explicit Proxy Traffic from Authentication
November 2023
If you do not require authentication for your explicit proxy traffic, you
can exclude all explicit proxy traffic
from authentication. If you enable this option, the firewall or Panorama does not
authenticate any explicit proxy traffic and does not create any logs for
authentication events.
5G Cellular Interface for IPv4
November 2023
If you have a PA-415-5G firewall, you can now configure a 5G interface for IPv4 cellular
traffic. The PA-415-5G is similar to the PA-415 except that it contains an
integrated 5G module to support 4G/5G capability and configuration of an interface
for IPv4 cellular traffic.
The 5G cellular interface enables configuration of a primary internet connection as
well as configuration of a secondary connection for redundancy in case the primary
connection is not available. This type of interface supports data connectivity over
the 5G mobile network; if the 5G network is unavailable, the firewall automatically
switches to a 4G or 3G network, depending on availability.
To enable the 5G cellular interface, configure an Access Point Name (APN) profile.
The APN profile specifies which network or networks the device can access and
whether the device receives a dynamic or static IP address.
You can configure a primary and secondary SIM card if it is available. If you have a
secondary SIM card, you can configure the firewall to switch from one SIM card to
another if one SIM card becomes unavailable. For security, enable a PIN code for the
SIM card to prevent misuse. If you cannot remember the PIN code, you must obtain a
Personal Unblock Key (PUK) for the SIM card to unlock it for use.
For monitoring purposes, you can enable the Dashboard widgets to view more
information about the status of the 5G network.
Cellular Firmware Upgrades for 5G Interface
April 2024
As multiple cellular carriers release new firmware updates to address issues and add
new capabilities, managing these firmware updates and ensuring users receive them in
a timely manner quickly becomes a complex but critical task. Depending on what type
of deployment you have, there could be multiple carriers and versions to manage,
which significantly adds to the scale and time commitment necessary for this task.
To simplify the process of updating the firmware for your 5G interface, you can now
use the device web interface to review, manage, and install the latest firmware
updates available from supported carriers. Select the firewall model and the carrier
type, then download the firmware updates from the Customer Support Portal. Once the
download is complete, install the updates on the firewall as the latest firmware
version. After you confirm the installation, the firewall pushes the updated firmware
to the appropriate users on your network. You can also use the Customer Support
Portal to view checksum information and read the release notes for the available
firmware updates to learn about the changes in each update.
Updating firmware is a key step in ensuring that your users get the latest features
and support and to protect your network and users from malicious activity. By
providing a simplified management tool for quick deployment of firmware updates,
Palo Alto Networks can help ensure protection against the latest threats and
vulnerabilities for the users on your network.