Networking Features

What new Networking features are in PAN-OS 12.1?
The following section describes new networking features introduced in PAN-OS 12.1.

DNS Rewrite with Condition Check

August 2025
  • Introduced in PAN-OS 12.1.2
You can now configure DNS rewrite conditions to control when DNS address translation occurs based on the DNS client's characteristics. This enhancement allows you to specify that DNS responses should only be modified when the DNS client matches particular source zones or source addresses configured in your NAT rules. When you enable DNS rewrite conditions, the firewall evaluates whether the DNS client requesting the resolution matches your configured criteria before performing any address translation in the DNS response.
You might want to use this feature when you have specific DNS clients that require a different DNS resolution behavior from others in your network. For example, if you have internal users who should receive translated addresses for certain services, while external or guest users should receive the original addresses, you can configure DNS rewrite conditions to apply translation only to traffic from designated internal zones. This gives you granular control over which clients receive modified DNS responses, rather than applying DNS rewrite globally to all clients requesting resolution for a particular address.
The feature supports both positive matching (where you can specify that DNS rewrite should occur only when the client matches the NAT rule's source zone and address) and negative matching (through exclusion lists, where you can specify particular source zones or IP address ranges that shouldn't undergo a DNS rewrite for the specific NAT policy rule).
When you configure these conditions, the firewall performs the same DNS rewrite mapping lookup process as before, but adds an additional validation step to verify that the requesting DNS client meets your specified criteria. If the client does not match the configured conditions, the firewall skips the DNS rewrite for that particular request, while still processing other DNS rewrite rules that might apply to different clients requesting the same address resolution.
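The decision flow described above, as an added example that models the logic in Python; it is not PAN-OS code or configuration syntax. The `NatRule` fields, the rule names and addresses, and the choice to check exclusions before the positive match are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatRule:
    # Illustrative model only; field names are not PAN-OS configuration keys.
    name: str
    original: str                 # address carried in the DNS answer
    translated: str               # address written in when the rewrite applies
    source_zones: set
    source_addresses: list        # CIDR strings from the rule's source match
    match_client: bool = False    # positive condition: client must match source
    exclude_zones: set = field(default_factory=set)         # negative condition
    exclude_addresses: list = field(default_factory=list)   # negative condition

def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def client_passes(rule, zone, ip):
    # Assumption: exclusions are checked before the positive match.
    if zone in rule.exclude_zones or _in_any(ip, rule.exclude_addresses):
        return False
    if rule.match_client:
        return zone in rule.source_zones and _in_any(ip, rule.source_addresses)
    return True

def rewrite_answer(rules, answer_ip, client_zone, client_ip):
    """Return (address handed to the client, name of the rule applied or None)."""
    answer = ipaddress.ip_address(answer_ip)
    for rule in rules:
        if answer != ipaddress.ip_address(rule.original):
            continue                      # mapping lookup, unchanged from before
        if client_passes(rule, client_zone, client_ip):
            return rule.translated, rule.name
        # Condition not met: skip this rule, keep evaluating the others.
    return answer_ip, None

# Constructed sample rules (documentation and private address ranges).
RULES = [
    NatRule("internal-web", "203.0.113.10", "10.1.1.10", {"trust"},
            ["10.0.0.0/8"], match_client=True,
            exclude_addresses=["10.9.0.0/16"]),
    NatRule("dmz-web", "203.0.113.10", "172.16.5.10", {"dmz"},
            ["172.16.0.0/12"], match_client=True),
]
```

Running planned rules and a list of representative clients through a model like this before a change shows which clients would start or stop receiving translated answers.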

GRE Tunnel over a Cellular Interface

August 2025
  • Introduced in PAN-OS 12.1.2
GRE support over the PAN-OS cellular interface enables you to establish GRE tunnels using cellular connections on next-generation firewalls. This feature allows you to configure GRE tunnels with dynamic IP addressing, supporting IPv4 for tunnel endpoints and traffic. You can use this capability to securely connect remote IoT devices, such as video cameras and sensors, back to a mobile headend over cellular networks.
A GRE tunnel over a cellular interface is particularly useful for large service providers looking to extend their routing infrastructure while minimizing operational expenses. By supporting dynamic addressing, it accommodates scenarios where IP addresses may change, providing flexibility in mobile and cellular environments. This GRE over cellular solution allows you to deploy NGFWs in locations without traditional Ethernet connectivity, making it ideal for government, industrial, and remote site applications where secure, reliable communication over cellular networks is essential.

PA-5450 Firewall Support for Secure Web Gateway

August 2025
  • Introduced in PAN-OS 12.1.2
For high-performance environments such as headquarters, large enterprises, and data centers, PAN-OS 12.1 solves the challenge of supporting high-traffic proxy solutions with its support for the PA-5450 firewall. This enhancement leverages the PA-5450's multi-CPU chassis to deliver significant improvements in performance and scalability. This update ensures that users requiring proxy solutions benefit from the enhanced capabilities of secure web gateway (SWG).

IPv6 Geolocation Support

August 2025
  • Introduced in PAN-OS 12.1.2
  • The following platforms configured with less than 9GB memory do not support IPv6 geolocation:
IPv6 support for IP geolocation supplements the existing IPv4 geolocation support for country-based Security, Decryption, and DoS Protection policies by providing visibility and control in dual-stack and IPv6-only environments using your current security policy rules with a single global switch. This unified approach simplifies policy management and ensures consistent security enforcement across both IPv4 and IPv6 networks. This addresses the growing adoption of IPv6 by ISPs and other large enterprise organizations as well as customers who are required to phase out IPv4 and implement IPv6 as part of a larger migration process.
To ensure up-to-date geolocation data, Palo Alto Networks provides a regularly updated global content file which includes an IPv4/IPv6 to country mapping database to determine the ownership of a given IP space. The IP to geolocation mapping for IPv6 addresses is supported with the same level of granularity and coverage as for IPv4 addresses, ensuring consistent policy enforcement across both address types. Alternatively, you can create your own custom mappings by providing a range of IPv6 addresses to a specified region; these have precedence over the default mapping and can be used to fine-tune your security policies.
Additionally, IPv6 support for IP Geolocation integrates seamlessly with existing Palo Alto Networks logging and monitoring tools. Source and destination countries are displayed in logs for IPv6 traffic, and you can filter logs by source or destination country to include IPv6 traffic. All ACC widgets that display source or destination country information now count IPv6 traffic as well.

Enhanced Application Logs for ICMPv6

August 2025
  • Introduced in PAN-OS 12.1.2
PAN-OS uses deep packet inspection (DPI) to generate enhanced application logs (EAL) from ICMPv6 neighbor discovery protocol (NDP) packets. With ICMPv6 EAL, Device Security can learn about devices and device attributes and support Advanced Device-ID for IPv6 deployments. Cortex XDR can also use ICMPv6 EALs from PAN-OS.
EAL for ICMPv6 NDP is enabled by default. To prevent log flooding from ICMPv6 deployments, you can disable ICMPv6 EAL using the CLI. When disabling ICMPv6 EAL, commit the device config for the change to take effect.
set deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp
If you disable ICMPv6 EAL, you can reenable it using the CLI. Commit the device config for the change to take effect.
delete deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp

Enhanced Packet Capture with Support for Range Filters

August 2025
  • Introduced in PAN-OS 12.1.2
You can now use range filters when you take custom packet captures (PCAPs). Range filters address the challenge of troubleshooting batch traffic issues in environments where the exact source IP addresses, ports, and protocols are not known. When setting capture filters, you can specify a range of values, separated by a dash delimiter, for IP addresses, ports, and protocols. You can set source and destination IPs with subnet masks or specific IP ranges. Similarly, you can set source and destination port ranges and protocol ranges. You can also mix single-value filters with range filters. The Next-Generation Firewall captures the packets that fall within the defined ranges, including the boundary values, when they reach the data plane.
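To check ahead of time whether a planned range filter covers the flows of interest, the inclusive matching described above can be modelled offline. This is an added example in Python, not PAN-OS code or CLI syntax; the function names, the field names (`src`, `dst`, `sport`, `dport`, `proto`) and the sample values are assumptions.

```python
import ipaddress

def parse_ip_filter(spec):
    """Return inclusive (version, low, high) for 'a', 'a-b' or 'a/mask'."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    elif "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.ip_address(spec.strip())
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid IP range: {spec!r}")
    return lo.version, int(lo), int(hi)

def parse_num_filter(spec, maximum):
    """Return inclusive (low, high) for 'n' or 'n-m', bounded by maximum."""
    lo, _, hi = str(spec).partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= maximum:
        raise ValueError(f"invalid range: {spec!r}")
    return lo, hi

LIMITS = {"sport": 65535, "dport": 65535, "proto": 255}

def compile_filter(**fields):
    """Unset fields act as wildcards; single values and ranges can be mixed."""
    return {k: parse_ip_filter(v) if k in ("src", "dst")
            else parse_num_filter(v, LIMITS[k]) for k, v in fields.items()}

def matches(flt, pkt):
    """True when every configured field of pkt lies inside its range."""
    for key, bounds in flt.items():
        if key in ("src", "dst"):
            version, lo, hi = bounds
            addr = ipaddress.ip_address(pkt[key])
            if addr.version != version or not lo <= int(addr) <= hi:
                return False
        elif not bounds[0] <= pkt[key] <= bounds[1]:
            return False
    return True

# Constructed sample: a batch job whose exact hosts and ports are unknown.
FILTER = compile_filter(src="10.1.1.10-10.1.1.20", dst="192.168.1.0/24",
                        dport="8000-8080", proto="6")

def pkt(src, dst, dport, proto=6, sport=40000):
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto}
```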