New Features - PAN-OS - 12.1
Advanced Device-ID
Advanced Device-ID enhances the existing Device-ID by enabling more granular and precise device grouping capabilities for policy recommendations. With Advanced Device-ID, you can create complex Device-ID objects by defining matching criteria using multiple asset categories and attributes. The matching criteria allow for matching specific asset types, operating systems, and device categories, or even exclude certain devices, based on risk and various other factors.
Using Advanced Device-ID, you can create more targeted security policy rules, improving your network's overall security posture. For example, you can define policy rules for all IoT assets and exclude a few predefined ones, or create rules for assets without a Device Security verdict. The feature also supports grouping multiple Device-ID objects together for use in security policy rules, helping to streamline policy management.
In healthcare, manufacturing, and industries with diverse asset ecosystems, Advanced Device-ID provides more precise control over asset access and security policy applications, helping you meet compliance requirements and reduce security risks. With a more nuanced approach to how security policy rules apply to a variety of assets, Advanced Device-ID enables you to better protect your network while maintaining operational efficiency.
Advanced Device-ID introduces three operational modes: legacy, hybrid, and advanced. These modes allow you to transition from the existing Device-ID implementation to the new advanced functionality. In hybrid mode, you can use both legacy and advanced Device-ID objects, providing backwards compatibility and ensuring your security policy rules remain active, while allowing you to explore the new capabilities. The advanced mode offers the full power of the new feature, with improved asset targeting features using asset attributes learned from Device Security.
Automatic Retrieval of Intermediate Certificates
Sometimes servers present certificates that aren't signed by a trusted root certificate authority (CA) during TLS handshakes. When this happens, Next-Generation Firewalls (NGFWs) can't establish a chain of trust, causing the SSL/TLS connection to fail. PAN-OS® 12.1 solves this problem for SSL Forward Proxy connections by fetching missing intermediate certificates using the URL specified in the Authority Information Access (AIA) extension of the server certificate. This eliminates the need to manually upload intermediate certificates or bypass decryption for these connections.
Note: If a server certificate doesn’t have the AIA extension, it remains untrusted.
The Automatic Retrieval of Intermediate Certificates feature examines server certificates during TLS handshakes. If a certificate can't be validated due to an incomplete certificate chain but contains the AIA extension with a CA Issuer URL, the NGFW performs multiple steps. It checks its intermediate certificate cache for an entry corresponding to the URL in the extension. If an entry isn't present, the NGFW attempts to download the certificates from the AIA URL. Then, the NGFW verifies that the certificate's Subject Name (SN) matches the certificate issuer name and the certificate hasn't expired. If these criteria are met, the certificate is cached for future use. The NGFW can recursively fetch up to three levels of intermediate certificates to build a complete chain to a trusted root CA.
Although the first connection attempt fails during the fetch process, subsequent connections succeed because of the cache. The NGFW stores fetched certificates in a cache for up to one week, depending on certificate expiration dates.
Decryption logs provide visibility into certificate fetching results through the Server Certificate Status field.
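The retrieval logic described above, modeled as an added example (not PAN-OS code). The simplified `Cert` record, the status strings, and the `pki.example.test` URLs are constructed assumptions; signature verification, which a real validator also performs, is left out of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_FETCH_DEPTH = 3                # page: up to three levels of intermediates
MAX_CACHE_AGE = timedelta(days=7)  # page: cached for up to one week


@dataclass(frozen=True)
class Cert:
    """Simplified certificate holding only the fields the described checks use."""
    subject: str
    issuer: str
    not_after: datetime
    aia_ca_issuers: Optional[str] = None  # CA Issuers URL from the AIA extension


class IntermediateCache:
    """URL-keyed cache; an entry lives one week or until the certificate expires."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[Cert, datetime]] = {}

    def get(self, url: str, now: datetime) -> Optional[Cert]:
        entry = self._entries.get(url)
        if entry is None:
            return None
        cert, expires = entry
        if now >= expires:
            del self._entries[url]
            return None
        return cert

    def put(self, url: str, cert: Cert, now: datetime) -> None:
        self._entries[url] = (cert, min(now + MAX_CACHE_AGE, cert.not_after))


def resolve_chain(leaf: Cert, roots: Set[str], cache: IntermediateCache,
                  fetch: Callable[[str], Optional[Cert]],
                  now: datetime) -> Tuple[str, List[Cert], int]:
    """Return (status, chain, number of certificates fetched in this attempt)."""
    chain, current, fetched = [leaf], leaf, 0
    for _ in range(MAX_FETCH_DEPTH):
        if current.issuer in roots:
            return "chain-complete", chain, fetched
        url = current.aia_ca_issuers
        if url is None:
            return "no-aia", chain, fetched        # no AIA: stays untrusted
        issuer = cache.get(url, now)
        if issuer is None:
            issuer = fetch(url)
            if issuer is None:
                return "fetch-failed", chain, fetched
            fetched += 1
            # Subject must equal the issuer name being looked for, and the
            # fetched certificate must not be expired, before it is cached.
            if issuer.subject != current.issuer or issuer.not_after <= now:
                return "rejected", chain, fetched
            cache.put(url, issuer, now)
        chain.append(issuer)
        current = issuer
    if current.issuer in roots:
        return "chain-complete", chain, fetched
    return "depth-exceeded", chain, fetched


def forward_proxy_handshake(leaf: Cert, roots: Set[str], cache: IntermediateCache,
                            fetch: Callable[[str], Optional[Cert]],
                            now: datetime) -> str:
    """Outcome of one connection: the attempt that triggers a fetch fails."""
    status, _chain, fetched = resolve_chain(leaf, roots, cache, fetch, now)
    if status != "chain-complete":
        return "untrusted:" + status
    return "retry-needed" if fetched else "trusted"


# Constructed sample PKI: the server sends only its leaf certificate.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
FAR = NOW + timedelta(days=365)
TRUSTED_ROOTS = {"CN=Example Root CA"}
POLICY_URL = "http://pki.example.test/policy.cer"
ISSUING_URL = "http://pki.example.test/issuing.cer"
POLICY_CA = Cert("CN=Example Policy CA", "CN=Example Root CA", FAR)
ISSUING_CA = Cert("CN=Example Issuing CA", "CN=Example Policy CA", FAR, POLICY_URL)
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA", FAR, ISSUING_URL)
AIA_REPO = {ISSUING_URL: ISSUING_CA, POLICY_URL: POLICY_CA}

if __name__ == "__main__":
    cache = IntermediateCache()
    for when in (NOW, NOW + timedelta(hours=1), NOW + timedelta(days=8)):
        print(when.date(), forward_proxy_handshake(
            LEAF, TRUSTED_ROOTS, cache, AIA_REPO.get, when))
```

The third call, eight days later, needs a retry again because both cache entries have aged out.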
Capacity Settings
Panorama now enables more flexible and efficient SD-WAN deployments by allowing you to customize firewall capacity settings. By adjusting the balance between SD-WAN rules, interfaces, and members, you can scale your network to support up to 16 members per VIF while maintaining optimal system performance.
Use these settings when you need to scale high-density environments or optimize resource allocation for specific virtual interfaces.
Benefits of Customizable Capacity
- Enhanced Scalability: Support up to 16 members per VIF to accommodate growing network demands.
- Resource Optimization: Balance system resources between rules and interfaces based on your specific deployment needs.
- Improved Performance: Maintain system stability while pushing the boundaries of standard configuration limits.
Comprehensive Decryption Log Fields and Error Messages
The Next-Generation Firewall (NGFW) acts as a proxy between clients and servers during SSL Forward Proxy and SSL Inbound Inspection, making visibility into each proxied connection essential. However, decryption logs that lack this visibility, miss other critical details, or are difficult to analyze complicate monitoring and hinder troubleshooting. PAN-OS® 12.1 addresses these issues with comprehensive improvements to decryption logs.
Decryption log fields now distinguish between the client-side session (traffic between the client and NGFW) and the server-side session (traffic between the NGFW and server). These fields have a "client" or "server" prefix, enabling you to compare values and understand what is happening at each stage of the proxied connection. Fields that apply to the session as a whole, such as Session ID, do not have these labels.
In addition, new fields record decryption status, reasons for decryption exclusion, and certificate revocation status based on Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks. For example, Decryption Status records if a session was decrypted or not and whether it was by failure or design.
Further, existing error messages have been simplified, and new error messages have been added. These updates make it easier to interpret decryption log errors and identify the ones requiring more immediate attention.
All decryption log improvements are automatically enabled for platforms with decryption logging capabilities.
Device Security Settings
System-level security violations can indicate that an attacker might have compromised your firewall, and the Device Security Settings feature helps you minimize potential damage by allowing you to define how your firewall responds when such violations occur. When Integrity Measurement Architecture (IMA) detects that security violations have been attempted on your firewall, you can configure the system to either continue operating normally or automatically enter maintenance mode to limit potential damage. Your configuration changes are logged with high severity to maintain an audit trail of security policy modifications.
As a network security administrator, you can use this feature to protect your environment when PAN-OS experiences system-level security violations. By default, your firewall continues running when violations occur, but you have the option to configure it to enter maintenance mode instead, which can help contain security breaches by limiting system functionality until you can investigate and remediate the issue.
When security violations are attempted on your firewall, you can invoke your internal incident response (IR) or forensics process to investigate this further. This feature provides you with greater control over your security posture and helps you implement appropriate incident response measures when potential security compromises are detected.
DNS Rewrite with Condition Check
You can now configure DNS rewrite conditions to control when DNS address translation occurs based on the DNS client's characteristics. This enhancement allows you to specify that DNS responses should only be modified when the DNS client matches particular source zones or source addresses configured in your NAT rules. When you enable DNS rewrite conditions, the firewall evaluates whether the DNS client requesting the resolution matches your configured criteria before performing any address translation in the DNS response.
You might want to use this feature when you have specific DNS clients that require a different DNS resolution behavior from others in your network. For example, if you have internal users who should receive translated addresses for certain services, while external or guest users should receive the original addresses, you can configure DNS rewrite conditions to apply translation only to traffic from designated internal zones. This gives you granular control over which clients receive modified DNS responses, rather than applying DNS rewrite globally to all clients requesting resolution for a particular address.
The feature supports both positive matching (where you can specify that DNS rewrite should occur only when the client matches the NAT rule's source zone and address) and negative matching (through exclusion lists, where you can specify particular source zones or IP address ranges that shouldn't undergo a DNS rewrite for the specific NAT policy rule).
When you configure these conditions, the firewall performs the same DNS rewrite mapping lookup process as before, but adds an additional validation step to verify that the requesting DNS client meets your specified criteria. If the client does not match the configured conditions, the firewall skips the DNS rewrite for that particular request, while still processing other DNS rewrite rules that might apply to different clients requesting the same address resolution.
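The condition check described above, modeled as an added example (not PAN-OS code or configuration syntax). The `NatRule` fields, rule names, zones, and addresses are hypothetical, and the model assumes exclusions are evaluated before the positive match.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """Hypothetical model of a NAT rule that has DNS rewrite enabled."""
    name: str
    answer_ip: str                      # address in the DNS answer this rule maps
    rewritten_ip: str                   # address returned when the rewrite applies
    source_zones: FrozenSet[str]        # the NAT rule's own source zones
    source_nets: Tuple[str, ...]        # the NAT rule's own source addresses (CIDR)
    require_source_match: bool = False  # positive matching enabled
    exclude_zones: FrozenSet[str] = frozenset()  # negative matching: zones
    exclude_nets: Tuple[str, ...] = ()           # negative matching: IP ranges


def _in_any(ip: str, nets: Tuple[str, ...]) -> bool:
    """True if ip falls inside any listed network (an empty list matches nothing)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def client_meets_conditions(rule: NatRule, client_zone: str, client_ip: str) -> bool:
    # Negative matching: an excluded zone or range never gets the rewrite.
    if client_zone in rule.exclude_zones or _in_any(client_ip, rule.exclude_nets):
        return False
    # Positive matching: client must match the rule's source zone and address.
    if rule.require_source_match:
        return (client_zone in rule.source_zones
                and _in_any(client_ip, rule.source_nets))
    return True  # no condition configured: rewrite applies to every client


def rewrite_dns_answer(rules: List[NatRule], client_zone: str, client_ip: str,
                       answer_ip: str) -> Tuple[str, Optional[str]]:
    """Return (address handed to the DNS client, name of the rule that rewrote it)."""
    for rule in rules:
        if rule.answer_ip != answer_ip:
            continue  # the mapping lookup itself is unchanged
        if client_meets_conditions(rule, client_zone, client_ip):
            return rule.rewritten_ip, rule.name
        # Condition failed: skip this rule only; later rules are still tried.
    return answer_ip, None


# Constructed sample rules for one published address (documentation ranges).
RULES = [
    NatRule("web-internal", "203.0.113.10", "10.1.1.10",
            frozenset({"trust"}), ("10.0.0.0/8",), require_source_match=True),
    NatRule("web-partner", "203.0.113.10", "172.16.5.10",
            frozenset({"partner"}), ("192.168.50.0/24",),
            require_source_match=True, exclude_nets=("192.168.50.128/25",)),
]

if __name__ == "__main__":
    clients = [("trust", "10.20.30.40"), ("guest", "10.99.0.5"),
               ("partner", "192.168.50.20"), ("partner", "192.168.50.200")]
    for zone, ip in clients:
        print(zone, ip, rewrite_dns_answer(RULES, zone, ip, "203.0.113.10"))
```

Running the same four clients against a rule set before and after a change is a quick way to confirm that guest or excluded clients never receive internal addresses.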
Enhanced Application Logs for ICMPv6
Device Security uses ARP Enhanced Application Logs (EAL) to provide visibility and identification for devices on IPv4 networks. However, IPv6 deployments use Neighbor Discovery Protocol (NDP) instead of ARP, which means a lack of EAL visibility prevents full IPv6 support for Device Security.
PAN-OS® now uses Deep Packet Inspection (DPI) to generate EALs from ICMPv6 NDP packets, providing the same level of functionality for IPv6 environments. With ICMPv6 EALs, Device Security can use this data to support Device-ID in IPv6 deployments. This change ensures that Device Security has the necessary visibility to identify and classify devices communicating over IPv6.
EALs for ICMPv6 NDP are enabled by default and are generated for both Network Solicitation (NS) and Network Advertisement (NA) packets. These logs are transmitted over the acknowledgment (ACK) channel for reliable delivery to prevent loss due to congestion. If you experience log flooding in high-volume IPv6 deployments, you can disable ICMPv6 EAL logging using the following CLI command:
set deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp
To complete the configuration and apply the change, commit the device configuration. To re-enable the feature, use the following command:
delete deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp
Enhanced Packet Capture with Support for Range Filters
PAN-OS® 12.1 introduces support for range filters when configuring custom Packet Captures (PCAPs). This feature addresses troubleshooting challenges with batch traffic where specific source IP addresses, ports, or protocols are unknown.
You can configure capture filters to define ranges using a dash (-) to separate values for:
- IP addresses: Use subnet masks or specific IP ranges for source and destination IPs.
- Ports: Define ranges for both source and destination ports.
- Protocols: Specify a range of protocols.
The system captures any packets that fall within the defined ranges, including the boundary values. You can also combine single-value filters with range filters to refine your packet captures.
Enhanced Shared Optimization
The Enhanced Shared Optimization feature now significantly improves how Panorama pushes configurations to multi-vsys firewalls, resolving critical challenges like object duplication, memory exhaustion, and commit failures.
The feature introduces the Full optimization mode, which lets you move all firewall objects into the shared location of the firewall. This includes the previously excluded objects, such as external dynamic lists (EDLs), Custom URL categories, and various Security Profiles, such as antivirus, antispyware, URL Filtering, and HIP objects. This eliminates object replication across individual virtual systems. It drastically reduces configuration size in typical deployments and prevents commit failures caused by exceeding object limits.
This enhancement streamlines management, increases scalability, and prevents deployments from hitting object limits.
Entrust nShield HSM Client Software Upgrade
Entrust nShield hardware security modules (HSMs) integrate with Next-Generation Firewalls to securely generate and store master keys and private keys. As the nShield client-side software for PAN-OS® 11.2 and earlier versions approaches its end-of-support date, organizations face compliance and service continuity issues. To address these issues, PAN-OS 12.1 upgrades the legacy Security World software to version 13.6.3. Security World 13.6.3 ensures FIPS 140-3 compliance and is compatible with both older and newer nShield HSM models integrated with Palo Alto Networks. This compatibility ensures that nShield HSM operations remain uninterrupted and modernizes your HSM infrastructure through security and functionality enhancements.
Granular Data Profiles
Prisma Access support added in the Prisma Access 6.1.0 release.
Granular data profiles enhance your Enterprise Data Loss Prevention (E-DLP) detection capabilities by allowing you to apply differentiated inline content inspection requirements and response actions within the same Security policy rule. For example, you can use a single granular data profile to block high-risk data patterns while alerting on lower-risk ones, set varying log severities for different data profiles, and set specific file types for each data profile included in the granular data profile.
Granular data profiles simplify policy rulebase management by consolidating multiple rules into a single, more flexible Security policy rule. Furthermore, they reduce false positive detections and allow your data security admins to achieve a more nuanced approach to data protection that aligns closely with your organization's risk management strategy while maintaining a lean and efficient Security policy rulebase.
High Availability Firewall Pair Upgrade Orchestration from Panorama
With the High Availability (HA) Firewall Pair Upgrade Orchestration feature, you can simplify and automate the process of upgrading HA firewall pairs. When you use this feature, Panorama orchestrates the entire upgrade process for you, eliminating most of the manual steps that you need to execute on each device. The feature intelligently manages the upgrade sequence by following a careful and automated sequence:
- Upgrades the passive (or active-secondary) peer first.
- Automatically reboots the passive peer.
- After the first passive peer is back online and the HA status is synchronized, the system initiates HA failover and upgrades the other peer.
The system automatically performs pre-checks to validate that your environment is ready for the upgrade. It verifies that both firewalls are connected to Panorama, confirms configuration synchronization, and validates that the HA links are operational. If these checks pass, the upgrade process begins automatically. After upgrade, the system automatically performs the necessary reboots without your intervention. In the event of an upgrade failure, you must perform a manual upgrade on the failed firewall.
This feature supports upgrading up to 200 HA pairs in a single workflow job. The feature supports both upgrade and downgrade operations, giving you flexibility in managing your firewall software versions. By automating and orchestrating what was previously a manual process, this feature reduces operational overhead and minimizes the potential for human error during firewall upgrades.
For this feature to be available, Panorama must be running 12.1.2 or a later release, and the HA firewalls must be running PAN-OS 10.2.0 or a later release.
Inbound Policy Rule Recommendations for Device Security
Device Security enables you to secure your connected device environments with both inbound and outbound policy recommendations. While PAN-OS and Panorama initially supported only outbound policy recommendations, the addition of inbound policy recommendations lets you create a more comprehensive security posture for your IT and IoT devices. Creating policy rule recommendations based on both outbound and inbound profile behaviors helps prevent vulnerability exploitation, lateral movement, and other security risks that outbound policies alone cannot address.
You can now view both inbound and outbound behaviors for device profiles in the UI and create security policies accordingly. For outbound behaviors, the source is the IT/IoT device profile, while the destination can be any. For inbound behaviors, you can now set the source as any, and the destination is the IT/IoT device profile. This symmetrical approach lets you control both what your IT/IoT devices can access, as well as what other enterprise sources can access your IT/IoT devices, implementing a true Zero Trust security model.
The policy recommendation workflow supports both per-device and per-profile levels, giving you flexibility in how you implement security policies. When creating policies, you can specify source and destination attributes including device profiles, IP addresses, and FQDNs. The naming convention for policies intelligently selects the appropriate profile name (whether in source or destination) to ensure clarity in your policy set. For policy rule recommendations based on inbound profile behaviors, the name has "-inbound" appended.
By leveraging both inbound and outbound policy recommendations, you can significantly reduce your attack surface by allowing only trusted behaviors for your IT/IoT devices. This is particularly valuable for securing critical infrastructure and sensitive device deployments where you need to control both inbound and outbound traffic.
Log Collector Scaling Optimization
PAN-OS® 12.1 introduces support for Log Collector Scaling. This feature allows you to explicitly select master-eligible nodes to address performance bottlenecks in large-scale log collection environments. This optimization provides a more predictable failover behavior and more efficient resource utilization across your Collector Group.
To achieve the best performance, select a maximum of four Log Collectors per Collector Group to be master-eligible. Previously, all Log Collectors within a Collector Group were eligible to become the master node. When the active master failed, the system dynamically elected a new one. This election process involved continuous communication among numerous nodes, creating significant overhead, particularly in larger deployments.
This feature supports all platforms, enabling a significantly higher logging rate. For example, with a Collector Group using up to 16 M-700 appliances, you can scale log ingestion rates to over 1 million Logs Per Second (lps). This level of scaling is currently supported only on M-700 appliances.
You can designate specific Log Collectors as master-eligible nodes based on strategic criteria such as hardware capacity, network resiliency, or geographic distribution. You can configure master-eligible nodes through either the Panorama web interface or the command-line interface.
When you implement this feature, consider selecting nodes with the best hardware specifications, network connectivity, and geographic placement to ensure optimal performance and availability. By strategically designating your master-eligible nodes, you can create a more resilient logging infrastructure that maintains high performance even under demanding conditions.
Optimized Global Find and Policy Management
The Global Find feature is now optimized to enhance search experiences by significantly improving responsiveness when multiple administrators work simultaneously on the system.
Enabling the Optimized Search prioritizes and searches for the most relevant records based on admin-usage patterns. The new usage-based reference search returns results in batches, preventing the GUI from freezing during intensive searches. This substantially reduces search times across large configurations. You can also choose to exclusively search for UUIDs or Template References by selecting the Search UUIDs and Include Template References options respectively.
In Policy Management, by default, the Rule Usage and App Usage columns and the Policy Optimizer are hidden after an upgrade. This prevents automatic data fetching for these components, which avoids significant slowdowns. The system now fetches data for these columns only when you explicitly make them visible.
For best performance, you can customize your view to display Rule Usage, App Usage columns, and Policy Optimizer only when needed.
PA-455R-5G Next-Generation Firewall
Securing industrial or remote outdoor environments often requires robust networking hardware capable of operating safely in harsh conditions. The PA-455R-5G Next-Generation Firewall addresses this challenge while also offering a solution to 5G cellular requirements.
The firewall ships in a secure, rugged casing that allows you to install it in outdoor environments; the rugged casing enables the firewall to operate safely even when exposed to otherwise hazardous elements such as wind, rain, and high temperatures.
The PA-455R-5G supports PAN-OS® 12.1.2 and later versions. The firewall features connectors on which you can install a 4x4 MIMO antenna as well as two nano (4FF) SIM card slots you can use to enable connectivity with two different mobile network providers. The I/O panel of the device includes two SFP/RJ-45 combo ports and six RJ-45 ports that offer 10/100/1000Mbps network speeds.
The PA-455R-5G runs on AC power and has four dedicated PoE (power over Ethernet) ports to extend up to 180W of power to a connected device. The PA-455R-5G has a fanless design, makes use of waterproof cabling, and mounts securely onto a wall or a pole.
PAN-OS System Certificates
Gaining comprehensive visibility into all internal firewall certificates can be a challenge, often requiring manual checks across various system components and increasing the risk of human error. The Firewall Web Interface addresses this by displaying a centralized list of all internal Palo Alto Networks® certificates under .
This new feature provides a single, unified location for managing critical assets. You can easily review certificate details, check expiration dates, and track the overall status of system certificates without navigating to multiple sections of the firewall. By consolidating this information, this feature reduces the time and effort needed for audits and compliance checks.
Along with these enhancements, new cryptographic dynamic updates ensure that your Certificate Authority Trust Store and PAN-issued certificates remain up to date.
Plugin Bundling
The new Plugin Bundling feature fundamentally changes the upgrade process by automating plugin management. Previously, you had to manually compare and download plugins to ensure they were compatible with the PAN-OS version. This process was prone to errors that could lead to network outages and data loss, such as overwritten VPN pre-shared keys.
By bundling compatible plugins directly with the base image, this feature eliminates the risk of version mismatches and preserves your configurations. When you upgrade, the system automatically downloads the correct plugin versions, so you no longer have to manually download them. This ensures a seamless and conflict-free update.
The Plugins interface now provides a single location to manage all bundled plugins. The interface displays and sorts plugins, allowing you to easily install the ones you need. If you have the required license, you can manage Cloud Services in a separate, dedicated section.
Post-Quantum Cryptography (PQC) Support for TLSv1.3 Inline Decryption
Adopting post-quantum cryptography (PQC) is critical to protecting your organization and its assets against future quantum computers, which will break today’s classical cryptography. Failure to adopt PQC early increases the risk of compromise of sensitive data with attacks like Harvest Now, Decrypt Later already under way. On the other hand, upgrading legacy applications and systems is a time-consuming and costly process that risks service disruption and data security without proper guardrails in place. Accounting for these concerns, PAN-OS® 12.1 adds support for securing TLSv1.3 sessions using post-quantum (PQ) key encapsulation mechanisms (KEMs) to SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror, and the Network Packet Broker features.
In decryption profiles, you can enable PQ KEMs standardized by the National Institute of Standards and Technology (NIST) or nonstandardized, experimental options. You can also specify if your selected algorithms are preferred by the client-side, server-side, or both. Next-Generation Firewalls (NGFWs) now serve as cipher translation proxies, translating between PQC and classical encryption for applications that are not yet post-quantum ready. For example, you can use quantum-safe encryption for communications between end users and NGFWs but classical encryption for connections between an NGFW and applications.
This solution secures both legacy and quantum-safe systems and applications, enables you to meet PQC mandates, and reduces stress and complexity around PQC upgrades.
Security Enhancements
PAN-OS includes several enhancements and new features that improve the security of PAN-OS against attacks on the platform. A majority of these features are implemented behind the scenes as part of the platform’s built-in protections. These features are designed to prevent successful exploits, reduce the impact of exploits, detect attempted exploits, and enable the ability to respond to attacks on PAN-OS. These security features either have settings that can be configured or that generate logs to provide more information on PAN-OS security.
PAN-OS security is enhanced with Integrity Measurement Architecture (IMA) to protect against sophisticated attacks and reduce the impact if a process is being compromised. These security mechanisms work together to restrict what an attacker can do if they manage to exploit a vulnerability in PAN-OS, limiting their ability to move laterally within the system or tamper with critical system files and logs.
IMA runs in enforcement mode by default, and only allows execution of binaries and programs cryptographically signed by Palo Alto Networks. This prevents the execution of malware that might be dropped by an attacker and blocks attempts to modify existing PAN-OS binaries, effectively extending the secure boot and hardware root of trust into the run-time environment. When IMA detects an attempted violation, it logs a critical severity alert that you can use for investigation.
You can monitor IMA violations through system logs using the CLI or from the web interface. When IMA detects violations or attempted violations, PAN-OS can be configured to either continue running (collect logs and alerts for investigation), which is the default, or reboot to maintenance mode to disrupt the attacker and facilitate a more thorough investigation.
The IMA security enhancements work alongside other PAN-OS security features, including updated open source software components, improved cryptographic libraries, TPM-based secure boot, hardware root of trust (on Gen 4 hardware and newer), and both boot-time and periodic software integrity checks. Together, these mechanisms create multiple layers of defense that significantly improve the security posture of your PAN-OS devices against sophisticated attacks.
Server Certificate Verification Bypass for SSL Forward Proxy
Server certificate verification ensures users connect to legitimate servers, protects sensitive data, and mitigates the risk of attacks like meddler-in-the-middle (MITM) and phishing. However, certificate verification can block business-critical websites and applications that fail authentication due to certificate issues such as an incomplete certificate chain. Workarounds consume time and result in security gaps.
PAN-OS® 12.1 introduces the Bypass Server Certificate Verification setting to decryption profiles for SSL Forward Proxy. When enabled, your Next-Generation Firewall (NGFW) ignores certificate issues and completes the TLS handshake by presenting a Forward Trust certificate. This allows the session to be decrypted without disruption, ensuring the availability of critical services.
Note: Enabling this option disables all other server certificate verification settings.
Bypassing server certificate verification may introduce risks, such as regulatory noncompliance or connection vulnerabilities. It is a temporary solution that enables you to gradually address underlying certificate issues. Decryption logs help you identify servers requiring attention by recording if certificate validation was bypassed for a session.
Simplified HA Device Configuration in SD-WAN
When adding a device in high availability (HA) to SD-WAN Devices, you now have the option to add its HA peer simultaneously. This feature streamlines configuration by enabling you to configure both devices from a single configuration page, ensuring configuration consistency between the active and passive devices. When selected, the system identifies the HA peer and displays the device name, prompting you to specify a site name for the peer. Both devices are then created with matching configurations, which is critical since SD-WAN configurations between HA pairs should be identical except for site names.
Prior to this enhancement, you needed to add each device in an HA pair separately to SD-WAN Devices, which could lead to configuration mismatches. The system would display warnings when such mismatches were detected, but the manual correction process was error-prone.
With this feature, any configuration changes made to one device automatically propagate to its peer, maintaining synchronization between the devices. This feature is useful when adding devices to VPN clusters, as SD-WAN requires both HA peers to have matching configurations for proper functioning during failover events.
If you attempt to configure HA devices separately, the SD-WAN plugin will prevent this operation and guide you to add HA pairs instead. This safeguard, along with visual indicators that alert you to any configuration mismatches between HA pairs, helps maintain the integrity of your SD-WAN deployment and ensures proper failover functionality in your high availability environment.
Unified Policy Enforcement Using IPv6 Geolocation
Many organizations are rapidly migrating to IPv6 networks, driven by ISP adoption and the depletion of IPv4 space. This transition often introduces security blind spots, making it challenging to maintain consistent country-based policy enforcement across dual-stack or IPv6-only environments. IPv6 support for IP geolocation supplements the existing IPv4 geolocation support for country-based Security, Decryption, and DoS Protection NGFW policies by providing visibility and control in dual-stack and IPv6-only environments using your current security policy rules with a single global switch. This unified approach simplifies policy management and ensures consistent security enforcement across both IPv4 and IPv6 networks. This addresses the growing adoption of IPv6 by ISPs and other large enterprise organizations as well as customers who are required to phase out IPv4 and implement IPv6 as part of a larger migration process.
To ensure up-to-date geolocation data, Palo Alto Networks provides a regularly updated global content file which includes an IPv4/IPv6 to country mapping database to determine the ownership of a given IP space. The IP to geolocation mapping for IPv6 addresses is supported with the same level of granularity and coverage as for IPv4 addresses, ensuring consistent policy enforcement across both address types. Alternatively, you can create your own custom mappings by providing a range of IPv6 addresses to a specified region; these have precedence over the default mapping and can be used to fine-tune your security policies.
Zero Touch Provisioning Over Cellular
Zero Touch Provisioning (ZTP) can now use cellular interfaces to automatically deploy and configure NGFWs (managed by Panorama or Strata Cloud Manager) in remote locations with limited connectivity or lacking traditional wired connections.
ZTP now supports multiple connectivity scenarios, including cellular-only, ethernet-only, and hybrid connectivity. This provides the flexibility to adapt to various network environments, particularly distributed networks, retail locations, or temporary sites where traditional wired connectivity might be unavailable. This capability integrates directly with existing workflows to maintain management consistency and enable efficient remote deployment without requiring on-site IT intervention. Built to support current and future 5G-enabled platforms, ZTP over Cellular ensures long-term adaptability and reduced operational costs by streamlining the secure onboarding of remote assets.
ZTP over cellular interfaces is supported on devices running PAN-OS 12.1.2 and later.