New Features - PAN-OS - 10.2
App Acceleration Support for Additional Apps
Enterprises today employ workers everywhere, connecting to apps that are anywhere. Hybrid workforces rely on high-performing app experiences, but slowdowns caused by cloud latency and adverse network conditions drain productivity and frustrate workers. The major causes of poor performance are:
- Cloud latency experienced when apps are processing dynamic content
- Wireless connectivity issues
Both of these issues lie outside the control of the enterprise. Apps use Content Delivery Network (CDN) caching, but modern apps are driven by dynamic content that can't be cached, and consumer-grade Wi-Fi and wireless connectivity carry no performance service-level agreements (SLAs) because wireless conditions such as interference and signal strength change continuously.
App Acceleration for Prisma SASE directly addresses the causes of poor performance by accelerating dynamic content in top SaaS apps, and now adds support for these apps:
- AWS S3
- Azure Storage
- Box
- Google Drive
- Microsoft OneDrive
- Salesforce
- SAP Ariba
- ServiceNow
- Slack (file downloads)
- Zoom (file downloads from chat, recording downloads)
These enhancements provide you with the following benefits:
- Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput)
- Enriches AI-powered ADEM (Autonomous Digital Experience Management) with Real User Metrics (RUM) to improve observability into performance issues
- No code changes required
Authenticate LSVPN Satellite with Serial Number and IP Address Method
A new authentication method: Serial Number and IP Address Authentication
In PAN-OS 10.1 and later releases, a satellite authenticates to the portal using the Username/Password and Satellite Cookie Authentication method. This method requires user intervention to get a satellite authenticated by the portal, which prevents automated deployment of remote satellites and adds effort and complexity for administrators performing software upgrades and deploying new firewalls.
To remove the user intervention when onboarding a remote satellite and to enable automated deployment, PAN-OS 10.2 introduces a new authentication method, Serial Number and IP Address Authentication. You can now onboard a remote satellite using the combination of its serial number and IP address, in addition to the username/password and satellite cookie method. This reduces complexity by letting you deploy new firewalls without manual intervention.
Username/Password and Satellite Cookie Authentication remains the default authentication method.
Before enabling Serial Number and IP Address Authentication, configure the satellite serial number on the portal as one of the authentication verification conditions. Because a device serial number is not a secret, keep the IP allow list limited to the addresses the satellite actually connects from.
- Add the satellite's IP address to an IP allow list on the portal using the set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-allowlist entry <value> command on the GlobalProtect portal.
- Enable Serial Number and IP Address Authentication using the set global-protect satellite-serialnumberip-auth enable CLI command. After you enable this method, the satellite keeps attempting to authenticate with the portal at the configured retry interval (in seconds) after power-on until the portal explicitly instructs it to stop.
After you configure the allowed satellite IP address list per portal and the satellite serial number on the GlobalProtect portal, the satellite can initiate the connection to the portal.
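The procedure above as one CLI sequence, added here as an example and not taken from the PAN-OS documentation. The portal name my-portal and the satellite address 203.0.113.10 are assumed placeholder values; the two set commands are the ones quoted in the steps above, and configure and commit are the standard PAN-OS commands to enter configuration mode and commit the candidate configuration. The page gives no CLI command for adding the satellite serial number to the portal or for setting the retry interval, so neither is shown.

```text
# Portal side: add the satellite's connecting IP address to the per-portal allow list.
# Assumed values: portal "my-portal", satellite address 203.0.113.10.
configure
set global-protect global-protect-portal portal my-portal satellite-serialnumberip-auth satellite-ip-allowlist entry 203.0.113.10
commit

# Enable Serial Number and IP Address Authentication (command as quoted on this page).
configure
set global-protect satellite-serialnumberip-auth enable
commit
```

Add one allow-list entry per satellite address rather than a broad range; the serial number is printed on the chassis and is not a secret, so the allow list is what narrows who can present it.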
Automatic Certificate Renewal for Passive HA Devices
Previously, in HA Active/Passive pairs with service routes configured for Palo Alto Networks services or DNS servers, it was impossible to renew device certificates on the passive device because its dataplane functions are down. Starting with this PAN-OS® release, the passive device can have service routes configured and receives certificate updates and renewals through its HA interface to the active device. You do not have to configure or change your network security policy for this; the renewal happens automatically when a certificate nears its expiry date. This allows your HA pair to maintain up-to-date, secure connections with Palo Alto Networks licenses and services even after a failover event.
You can verify whether the passive device has successfully renewed a certificate using the following CLI command:
show device-certificate status
Note: Enable encryption on the HA1 link; otherwise the renewal process generates the system log HA1 link is used without encryption, and the certificate material crosses the HA link in the clear.
Multiple Virtual Routers Support on SD-WAN Hubs
With earlier SD-WAN plugin versions, you can't have SD-WAN configurations on multiple virtual routers. By default, an sdwan-default virtual router is created, and Panorama pushes the router configuration to it automatically. Because of this restriction, customers face difficulty and spend additional effort in some SD-WAN deployments:
User scenario: Overlapping IP addresses from different branches connecting to the same hub.
- Single virtual router on the SD-WAN hub: Customers may need to readdress the overlapping subnets into unique address spaces.
- Multiple virtual routers on the SD-WAN hub: Enable Multi-VR Support on the SD-WAN hub device. Traffic from different branches is directed to different virtual routers on a single hub, keeping the traffic separate.
User scenario: Government regulations that disallow different entities from functioning on the same virtual router.
- Single virtual router on the SD-WAN hub: Customers can't separate the routing of different entities with a single virtual router.
- Multiple virtual routers on the SD-WAN hub: Enable Multi-VR Support on the SD-WAN hub device to keep the traffic of different entities separate. Multiple virtual routers on the SD-WAN hub map the branches to different virtual routers on the hub, providing logical separation between the branches.
The SD-WAN plugin now supports multiple virtual routers on SD-WAN hubs, which lets branch devices connecting to the same SD-WAN hub use overlapping IP subnets. Each virtual router can run its own instances of routing protocols with a neighboring router, so overlapping address spaces can be configured on different virtual router instances. Multiple virtual router deployments give you the flexibility to keep routing segregated per virtual router instance.
The number of virtual routers supported on the PAN-OS SD-WAN hub varies by platform.
Benefits:
- A hub with multiple virtual routers logically separates the routing for each branch office connected to it.
- Branches sharing the same SD-WAN hub can reuse the same IP subnet address.
The following figure illustrates an SD-WAN hub with two virtual routers. By enabling multiple virtual routers support on the SD-WAN hub, the four branches connecting to the same SD-WAN hub (but different virtual routers) can have overlapping IP subnets or belong to different entities and function independently because their traffic goes to different virtual routers.

Policy Rulebase Management Using Tags
Managing complex security environments often leads to sprawling policy rulebases, making efficient administration and auditing extremely difficult. Policy Rulebase Tag Management solves this challenge by allowing your security administrators to easily categorize and organize your policy rules. Tags enable security administrators to quickly identify the purpose, function, or ownership of any policy rule, fostering a clearer understanding of your organization's overall security posture. Policy Rulebase Management Using Tags ensures administrators maintain precision and control regardless of the scale of their network security infrastructure.
After assigning tags to policy rules, security administrators can use the integrated Tag Browser to visually group and manage the policy rulebase. This organization streamlines common operational procedures and improves efficiency. For instance, your security administrators can add, delete, or move sets of related policies more efficiently than by navigating a flat rule list. Furthermore, security administrators can filter the policy rulebase using one or more tag search criteria, dramatically narrowing the list of displayed rules for precise management. Importantly, viewing the rulebase by tag does not alter the rule evaluation order, so the security behavior of the rulebase is unchanged.
Palo Alto Networks supports Policy Rulebase Management Using Tags across all policy rulebases for your Panorama® management server and standalone NGFW running PAN-OS 10.2.5 or a later 10.2 release, or PAN-OS 11.0.3 or a later 11.0 release. If you manage NGFWs using Panorama, you can centrally create and assign these organizational tags.
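The same tag filtering the Tag Browser performs in the web interface can be scripted against an exported configuration, which is useful when auditing a large rulebase (for example, listing every rule carrying an audit tag, or every rule with no tag at all). The following Python is an added example and is not code from the PAN-OS documentation or product. It assumes the security rulebase is in the XML form PAN-OS uses in its configuration, a rules element whose entry children carry their tags as tag/member elements; the sample rulebase embedded below is constructed for this example. Rule order in the XML is the rulebase order, and the filter preserves it deliberately, matching the point above that tags never change evaluation order.

```python
"""Filter a PAN-OS security rulebase by tag while preserving rule order.

Added example, not from the PAN-OS documentation. Expects the <rules>
element of a security rulebase in the XML layout PAN-OS uses for its
configuration (entry/tag/member). The sample below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample rulebase (not from the page): four rules, one untagged.
SAMPLE_RULEBASE = """<rules>
  <entry name="allow-dns">
    <from><member>trust</member></from>
    <to><member>untrust</member></to>
    <action>allow</action>
    <tag><member>infra</member><member>dns</member></tag>
  </entry>
  <entry name="deny-legacy-smb">
    <action>deny</action>
    <tag><member>audit-2024</member><member>legacy</member></tag>
  </entry>
  <entry name="untagged-catchall">
    <action>deny</action>
  </entry>
  <entry name="allow-web-prod">
    <action>allow</action>
    <tag><member>prod</member><member>audit-2024</member></tag>
  </entry>
</rules>
"""


def parse_rules(xml_text):
    """Return [(rule_name, set_of_tags), ...] in rulebase (evaluation) order."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall("entry"):
        tags = {m.text.strip() for m in entry.findall("tag/member") if m.text}
        rules.append((entry.get("name"), tags))
    return rules


def filter_rules_by_tags(xml_text, criteria, match_all=False):
    """Names of rules whose tags satisfy `criteria`, in original rulebase order.

    match_all=False: a rule matches if it carries any of the criteria (OR).
    match_all=True:  a rule matches only if it carries all of them (AND).
    The result keeps the XML order: tags are an organisational view and
    must never change where a rule sits in the evaluation order.
    """
    wanted = set(criteria)
    matched = []
    for name, tags in parse_rules(xml_text):
        hit = wanted <= tags if match_all else bool(wanted & tags)
        if hit:
            matched.append(name)
    return matched


def untagged_rules(xml_text):
    """Rules carrying no tag at all, usually the first target of a rulebase audit."""
    return [name for name, tags in parse_rules(xml_text) if not tags]


if __name__ == "__main__":
    print("audit-2024:", filter_rules_by_tags(SAMPLE_RULEBASE, ["audit-2024"]))
    print("audit-2024 AND prod:",
          filter_rules_by_tags(SAMPLE_RULEBASE, ["audit-2024", "prod"], match_all=True))
    print("untagged:", untagged_rules(SAMPLE_RULEBASE))
```

To run it against a real device, save the output of show config running (or the rulebase section of a Panorama export) to a file, extract the rules element, and pass its text in place of SAMPLE_RULEBASE; the functions take the XML text directly and do not contact the firewall.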