>
    Strata Copilot
    Networking Features
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Features Introduced in PAN-OS 11.2
    4. Networking Features
    Download PDF

    Networking Features

    Table of Contents

    Networking Features

    What new Networking features are in PAN-OS 11.2?
    The following section describes new networking features introduced in PAN-OS 11.2.

    Support for HTTP/2 Networking

    August 2025
    • Introduced in PAN-OS 11.2.8.
    The NGFW management plane now supports the HTTP/2 network protocol, in addition to the currently supported HTTP/1.1 network protocol. HTTP/2 enables more efficient web communication by utilizing features like multiplexing, header compression, server push functionality, and prioritization support, leading to improved page load times and overall performance. When you manually enable HTTP/2 through the CLI, HTTP/1.1 is automatically disabled and includes no fallback capability. The lack of fallback capability is to maintain compliance with certain security safeguards (for example, to protect against request smuggling, response queue poisoning, other HTTP/1.1 downgrade-related risks, and mandated encryption through TLS), as well as various Federal standards. As such, you may need to specify which protocol to use in environments with compatibility issues or if there are security concerns requiring specific mitigation strategies.

    Preventing DoS Attacks with Enhanced DoS and PBP Configurations

    September 2024
    • Introduced in PAN-OS 11.2.3.
    Destination IP address-only DoS Protection policy rules pose a risk: they either unintentionally block safe traffic or leave your internet-facing firewalls exposed. Enhanced DoS protection and packet buffer protection (PBP) address this security and operational challenge.
    You can now configure edge zones—those that connect directly to the internet—using both the source and destination IP addresses. This capability enables you to block DoS attacks more efficiently without accidentally blocking safe traffic from reaching your network. You are now able to use the software and hardware block tables to protect against these attacks more effectively.
    We introduced the following improvements to help protect your Palo Alto Networks firewalls from DoS attacks:
    • Configure a DoS policy rule with a destination IP address-only classification for internet-facing zones. This strengthens your firewall’s protection from internet-originated DoS attacks by enabling it to block source IP addresses using software and hardware ACL blocking settings.
    • Set both buffer-based and latency-based activation settings simultaneously for improved PBP. PBP monitors session latency and buffer utilization concurrently and activates mitigation when either threshold is exceeded, protecting your firewall resources.
    • Increase or decrease the software block duration setting for software block table entries. This improves efficiency for software-based firewalls, while the software block table acts as additional protection alongside the hardware block table for hardware products.
    • Monitor software tags (on-chip descriptors), buffer utilization (in percentage), and firewall resources from your SNMP server using new SNMP support for buffer and on-chip packet descriptor utilization.

    IPv6 Support on Cellular Interface for PA-415-5G Firewall

    September 2024
    • Introduced in PAN-OS 11.2.3.
    Many organizations face the problem of connecting branch offices or remote sites in locations that don't have access to traditional internet providers. The challenge is even greater when a site's only option is a cellular network that uses only IPv6.
    The PA-415-5G firewall addresses this by supporting dynamic IPv6 addressing on it cellular interface. This feature allows the firewall to obtain a dynamic IPv6 prefix from a cellular provider, establishing a direct connection to your corporate network even when the ISP only offers IPv6. The firewall can also be configured with a dual-stack configuration to support both IPv4 and IPv6 traffic over the same cellular interface.
    This new capability ensures that remote locations can maintain a secure and reliable connection to the rest of your organization. It expands the options available for connecting your business, enabling you to deploy a firewall in any location with a 5G cellular network.

    Encrypted DNS for DNS Proxy and the Management Interface

    July 2024
    • Introduced in PAN-OS 11.2.1.
    When you use DNS on your operating systems and web browsers, you can encrypt the DNS traffic to help maintain privacy and protect traffic from meddler (MitM) attacks. If you configure your PAN-OS firewall to act as a DNS proxy, you can enable encrypted DNS and configure the DNS proxy to accept one or more types of DNS communication from the client: DNS-over-HTTP (DoH), DNS-over-TLS (DoT), or cleartext.
    To enforce encryption, you specify the type of encryption that the DNS proxy should use to communicate with DNS servers. If a DNS server rejects encrypted DNS or the DNS proxy does not receive a response from the primary or secondary server within the timeout period, you can configure the DNS proxy to fall back to unencrypted DNS communications with the server.
    Additionally, you can enable encrypted DNS on the management interface of the firewall so that DNS requests use DoH, DoT, or fall back to unencrypted DNS.

    Post Quantum Hybrid Key Exchange VPN

    May 2024
    • Introduced in PAN-OS 11.2.
    Post Quantum Hybrid Key Exchange VPN extends your PAN-OS post-quantum VPN security by adding the ability to create post-quantum cryptographic (PQC) hybrid keys using the NIST round 3 and round 4 cryptographic suites. You can future proof your VPN encryption keys and safeguard against harvest now, decrypt later (HNDL) attacks by combining multiple key exchange mechanisms (KEM) with full crypto agility.
    The hybrid key technology is based on RFC 9242 and RFC 9370, and allows you to add up to seven additional key exchange mechanisms (KEM). With each additional KEM added, the level of quantum resistance increases as the attacker needs all used KEMs to become vulnerable before the key can be broken. You can apply the hybrid key technology to both IKEv2's key exchange and IPSec's rekey key exchange to ensure all VPN key exchanges are quantum resistant.
    To provide in-depth quantum defense, you can also enable both of its post quantum VPN technologies together. If both the RFC 8784 post quantum pre-shared key (released with PAN-OS 11.1) and this new PQ Hybrid Key feature are enabled, PAN-OS generates the hybrid key and then mixes in the static pre-shared key.

    Increased Maximum Number of Security Rules for the PA-3400 Series Firewall

    May 2024
    • Introduced in PAN-OS 11.2.
    (PA-3410 and PA-3420 firewalls only) The maximum number of security rules supported has increased from 2,500 to 10,000.

    Authenticate LSVPN Satellite with Serial Number and IP Method

    February 2024
    • Introduced in PAN-OS 10.2.8 and later 10.2 releases.
    May 2024
    • Available in PAN-OS 11.2.0 and later releases.
    • Available in PAN-OS 11.1.3 and later releases.
    Beginning with PAN-OS 10.1 and later releases, we support Username/password and Satellite Cookie Authentication method for a satellite to authenticate to the portal. This method requires user intervention to get satellites authenticated by a portal that prevents automating the deployment of remote satellites and adds difficulty and complexity for the administrators to perform software upgrade and deploy new firewalls.
    To remove the user intervention while onboarding a remote satellite and to enable automating the deployment of remote satellites, we introduce a new authentication method called Serial number and IP address Authentication. You can now onboard a remote satellite using the combination of serial number and IP address in addition to the username/password and satellite cookie authentication method. This authentication method reduces the complexity by enabling you to deploy new firewalls without manual intervention.
    However, Username/password and Satellite Cookie Authentication remains as a default authentication method.
    Before enabling the Serial number and IP address Authentication method, configure the satellite serial number at the portal as one of the authentication verification conditions.
    • Configure the satellite IP address as an IP allow list at the portal using the set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-allowlist entry <value> command to add a satellite device IP address on the GlobalProtect portal.
    • Enable the Serial number and IP address Authentication method using the set global-protect satellite-serialnumberip-auth enable CLI command. After you enable this method, the satellite continuously attempts to authenticate with the portal for the configured retry interval (in seconds) after power-on until the portal explicitly instructs the satellite to stop.
    Upon successfully configuring a satellite device allowed IP address list per portal, and configuring the satellite serial number on the GlobalProtect portal, the satellite can initiate the connection to the portal.

    © 2025 Palo Alto Networks, Inc. All rights reserved.