Security Settings

Review and configure the security settings available in PAN-OS 12.1 and later.
Where Can I Use This?
  • NGFW
What Do I Need?
  • PAN-OS 12.1.2
PAN-OS 12.1 Orion includes several enhancements and new features that improve the security of PAN-OS against attacks on the platform. A majority of these features are implemented behind the scenes as part of the platform’s built-in protections. These features are designed to prevent successful exploits, reduce the impact of exploits, detect attempted exploits, and enable you to respond to attacks on PAN-OS. The features described here either have configurable settings or generate logs that provide more information on PAN-OS security.
Integrity Measurement Architecture (IMA) runs in enforcement mode by default, and only allows execution of binaries and programs cryptographically signed by Palo Alto Networks. This prevents the execution of malware that might be dropped by an attacker and blocks attempts to modify existing PAN-OS binaries, effectively extending secure boot into the run-time environment. You can monitor IMA violations through system logs using the CLI or the web interface. When IMA detects an attempted violation, it logs a critical severity system log that you can use for investigation.
When IMA detects violations or attempted violations, PAN-OS can be configured to either continue running (collect logs and alerts for investigation), which is the default, or reboot to maintenance mode to disrupt the attacker and facilitate a more thorough investigation.
Software integrity checks run at boot time and then daily at a set time. You can now schedule the checks to run at a different time to better accommodate your requirements.