PAN-OS Software Patch Deployment
Table of Contents
Expand all | Collapse all
-
- Authenticate LSVPN Satellite with Serial Number and IP Address Method
- Private Key Export in Certificate Management
- Clone a Snippet
- Security Checks
- GlobalProtect Portal and Gateway
- IP Optimization for Mobile Users - GlobalProtect Deployments
- License Enforcement for Mobile Users (Enhancements)
- Multiple Virtual Routers Support on SD-WAN Hubs
- Native SASE Integration with Prisma SD-WAN
- New Prisma Access Cloud Management Location
- Normalized Username Formats
- PAN-OS Software Patch Deployment
- Policy Analyzer
- Saudi Arabia Compute Location
- Site Template Configuration
- TACACS+ Accounting
- Tenant Moves and Acquisitions
- Traceability and Control of Post-Quantum Cryptography in Decryption
- User Session Inactivity Timeout
-
- FedRAMP High "In Process" Requirements and Activation
- License Activation Changes
- Performance Policy with Forward Error Correction (FEC)
- View and Monitor ZTNA Connector Access Objects
- Software Cut-Through Support for PA-3400 and PA-5400 Series Firewalls
- Persistent NAT for DIPP
- ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools
-
- 5G Cellular Interface for IPv4
- Advanced WildFire Inline Cloud Analysis
- API Key Certificate
- App Acceleration in Prisma Access
- ARM Support on VM-Series Firewall
- Authentication Exemptions for Explicit Proxy
- BGP MRAI Configuration Support
- Cloud Managed Support for Prisma Access China
- Configuration Audit Enhancements
- Cortex Data Lake (CDL) Logging with CN-Series Firewall
- Device-ID Visibility and Policy Rule Recommendations in PAN-OS
- Dynamic IPv6 Address Assignment on the Management Interface
- Dynamic Routing in CN-Series HSF
- Enhanced IoT Policy Recommendation Workflow for Strata Cloud Manager
- Enhanced SaaS Tenants Control
- Exclude All Explicit Proxy Traffic from Authentication
- Region Support for Strata Logging Service
- GlobalProtect Portal and Gateway Support for TLSv1.3
- IKEv2 Certificate Authentication Support for Stronger Authentication
- Improved Throughput with Lockless QoS
- Increased Device Management Capacity for the Panorama Virtual Appliance
- Inline Security Checks
- Integrate Prisma Access with Microsoft Defender for Cloud Apps
- IoT Security: Device Visibility and Automatic Policy Rule Recommendations
- IOT Security Support for CN-Series
- IP Protocol Scan Protection
- IPSec VPN Monitoring
- Link Aggregation Support on VM-Series
- Maximum of 500 Remote Networks Per 1 Gbps IPSec Termination Node
- New Platform Support for Web Proxy
- New Template Variables
- PA-415-5G Next-Generation Firewall
- PA-450R Next-Generation Firewall
- PA-455 Next-Generation Firewall
- PA-5445 Next-Generation Firewall
- PA-7500 Next-Generation Firewall
- Policy Rulebase Management Using Tags
- Post Quantum IKE VPN Support
- PPPoE Client for IPv6
- Public Cloud SD-WAN High Availability (HA)
- Remote Browser Isolation
- Secure Copy Protocol (SCP) Support
- Security Checks
- Service Connection Identity Redistribution Management
- Service Provider Backbone Integration
- Session Resiliency for the VM-Series on Public Clouds
- Intelligent Security with PFCP for N6 and SGI Use Cases
- SNMP Network Discovery for IoT Security
- Strata Cloud Manager: Application Name Updates
- Support for Cortex Data Lake Switzerland Region
- TACACS+ Accounting
- Throughput Enhancements for Web Proxy
- TLSv1.3 Support for Administrative Access Using SSL/TLS Service Profiles
- Traceability and Control of Post-Quantum Cryptography in Decryption
- Traffic Replication Remote Network and Strata Cloud Manager Support
- VM-Series Device Management
- View and Monitor App Acceleration
- View and Monitor Remote Browser Isolation
- Virtual Routing Forwarding for WAN Segmentation
-
- New Prisma Access Cloud Management Location
- Cortex Data Lake Regional Support
- Integrate Prisma Access with Microsoft Defender for Cloud Apps
- Delete a Snippet
- Create a Custom Path Quality Profile
- High-Bandwidth Private App Access with Colo-Connect
- Refresh Pre Shared Keys for Auto VPN
- New Predefined BGP Redistribution Profile
- Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies
- Cloud IP-Tag Collection
- Web Proxy for Cloud-Managed Firewalls
- Config Version Snapshot
- Log Viewer Usability Enhancements
- Introducing ADEM APIs
- July 2023
-
- High-Bandwidth Private App Access with Colo-Connect
- Traffic Replication and PCAP Support
- Third-Party Device-ID in Prisma Access
- New and Remapped Prisma Access Locations and Compute Locations
- Transparent SafeSearch Support
- Private IP Visibility and Enforcement for Explicit Proxy Traffic Originating from Remote Networks
- Service Provider Backbone Integration
- Cloud Management of NGFWs
- Feature Adoption Dashboard
- Best Practices Dashboard
- Compliance Summary Dashboard
- Security Posture Insights Dashboard
- Advanced Threat Prevention Dashboard
- Custom Dashboard
- Device Health Dashboard
- Incidents and Alerts
- NGFW SDWAN Dashboard
- Capacity Analyzer
- Enhancements to CDSS Dashboard
-
- Conditional Connect Method for GlobalProtect
- Enhanced Split Tunnel Configuration
- Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security
- Host Information Profile (HIP) Exceptions for Patch Management
- Host Information Profile (HIP) Process Remediation
- License Activation
PAN-OS Software Patch Deployment
Install bug and Common Vulnerability and Exposure (CVE) fixes to Palo Alto Networks
Next-Generation Firewall (NGFW), WF-500 appliance, and
Panorama™ management server
.Upgrading your Palo Alto Networks Next-Generation Firewall (NGFW), WF-500 appliance, or
Panorama™ management server
to a new PAN-OS release introduce new features developed to
strengthen your security posture and fix known issues. This requires you to schedule
downtime, and potentially introduces changes to default behaviors and additional issues
that your security administrator has not yet reviewed or may not want to introduce into
your production environment. In some cases, an identified bug or Common Vulnerability and Exposure (CVE) need to be
addressed immediately. PAN-OS software patch deployment allows you to download and
install PAN-OS software patches to apply fixes without requiring you to schedule a
prolonged maintenance you to install new PAN-OS versions. They are designed to address
bugs and CVE only; no new features, functionality, or web interface changes are
introduced in a PAN-OS software patch. This allows you to strengthen your security
posture immediately without introducing any new known issues or changes to default
behaviors that may come with installing a new PAN-OS release. A PAN-OS software patch is
deployed directly from the Palo Alto Networks Next-Generation NGFW or Panorama web interface. For Panorama managed firewalls and WF-500
appliances, you can install a PAN-OS software on your managed devices from
the Panorama web interface.
PAN-OS software patches are cumulative. This means that more recent versions of a
software patch for any given PAN-OS version include all the fixes included in the
previous software patches. For example, Palo Alto Networks released the following
software patches for PAN-OS 10.2.8;
10.2.8-p1.sb1
,
10.2.8-p1.sb2
, and
10.2.8-p1.sb3
. In this case,
10.2.8-p1.sb3
includes every bug and CVE fixes
introduced in 10.2.8-p1.sb1
and
10.2.8-p1.sb2
.PAN-OS software patch deployment is supported on Palo Alto Networks NGFW, WF-500
appliances, and
Panorama
running PAN-OS 10.2.8 or later 10.2 release. PAN-OS
software patches require an outbound internet connection to download from the Palo Alto
Networks Update Server. For air-gapped managed devices, Panorama must still have an
outbound internet connection to download PAN-OS software patches, but an outbound
internet connection isn't required to install and apply them to your managed
devices.