Next-Generation Firewall
New Features Through August 2023
New Features Through August 2023
These are the new features introduced from June through August 2023 for AIOps for NGFW
Free, and for AIOps for NGFW Premium. AIOps for NGFW Premium updates include new
features to support Cloud Management for NGFWs.
AIOps for NGFW on the Strata Cloud Manager Platform
AIOps for NGFW is now supported on the new Strata Cloud Manager platform. Starting in June 2023, we'll be rolling out phased updates to provide you with the new platform experience. We'll be updating your AIOps for NGFW app so that it is on the Strata Cloud Manager platform, alongside your other Palo Alto Networks products and subscriptions that are supported for unified management. This change gives you new navigation for your AIOps for NGFW features, introduces new features, and means you can use common workflows and features across AIOps for NGFW and your other products that are also updated for Strata Cloud Manager. Learn more:
- What to expect when AIOps for NGFW is updated to give you the new management experience
- Where can I find my AIOps for NGFW features in Strata Cloud Manager?
- Take a First Look at Strata Cloud Manager
- See the products and subscriptions that are supported for unified management with Strata Cloud Manager
Palo Alto Networks Strata Cloud Manager is the new AI-powered network security management and operations platform. With Strata Cloud Manager, you can easily manage and monitor your Palo Alto Networks network security infrastructure (your NGFWs and SASE environment) from a single, streamlined user interface. This new cloud management experience gives you:
- Shared policy for SASE and your NGFWs, and a unified view into security effectiveness.
- AI-Powered ADEM for Prisma SASE; this new Prisma Access add-on license automates complex IT operations, to increase productivity and reduce time to resolution for issues.
- Best practice recommendations and workflows to strengthen security posture and eliminate risk.
- A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.
- Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.
Learn more about Strata Cloud Manager
Cloud Management of NGFWs
Manage your Palo Alto Networks Next-Generation firewalls from Strata Cloud Manager. Cloud Management of NGFW is a cloud-delivered
and AI-powered security solution to manage Palo Alto Networks' advanced ML-powered
firewalls alongside your Prisma Access deployments.
Cloud Management of NGFWs is done from a single streamlined user interface and leverages Palo Alto Networks best-in-class cloud-delivered security services. To manage your Next-Generation firewalls from Strata Cloud Manager, you must enable AIOps for NGFW Premium, which also draws on PAN-OS device telemetry data to give you an overview of the health and security of your cloud-managed NGFWs. For logging, Strata Logging Service provides secure, resilient, and fault-tolerant centralized log storage and aggregation.
VM Flex License Agreement for AIOps for NGFW
Now you can use Common Services to activate a VM Flex license agreement for
AIOps for NGFW.
Capacity Analyzer
Learn about what's new in Capacity Analyzer.
Particular features on your Next-Generation Firewalls (NGFWs) can approach their capacity thresholds, resulting in diminished system performance and operational disruptions. Dealing with capacity-related issues is time-consuming, and these issues tend to come to light only after the limits are breached.
The Capacity Analyzer feature allows monitoring of device resource capacity by tracking metric usage based on model type. This feature includes a heatmap visualization to display resource consumption rates and locations for each metric. It also enables planning for upgrades to higher-capacity firewalls based on specific needs. This proactive approach ensures that you know about potential capacity constraints, allowing you to take preemptive action to safeguard your business operations.

Compliance Summary Dashboard
View a history of changes to security checks.
Check the Compliance dashboard to view a history of
changes to the security checks made up to 12 months in the past, grouped together by
Center for Internet Security (CIS) and National Institute of Standards and Technology
(NIST) frameworks.

Best Practices Dashboard
The best practices dashboard and reports measure your security posture against Palo
Alto Networks’ best practice guidance.
Check the Best Practices dashboard for daily best
practices reports, and their mapping to Center for Internet Security’s Critical Security
Controls (CSC) checks, to help you identify areas where you can make changes to improve
your best practices compliance. Share the best practice report as a PDF and schedule it
to be regularly delivered to your inbox. This release introduces the following new
features:
- Ability to export BPA reports in .csv format for use in third-party applications such as Microsoft Excel
- Ability to download CLI remediations in .txt format. CLI remediations are generated using TSF data you upload when generating an On-Demand BPA report. (PAN-OS 9.1 and above TSFs)
- Ability to view historical trend charts for BPA checks

Security Posture Insights Dashboard
Get visibility into the security status and trend of your deployment based on the security postures of the onboarded NGFWs with Security Posture Insights. Use this dashboard to:
- Know the trend of issues that impact the security posture of your deployment.
- Understand the security improvements that you have made in your deployment by looking at the historical security score data.
- Narrow down devices where there is an opportunity to improve the security posture and prioritize the issues to resolve them.

On-Demand BPA & Adoption Summary
Generate a BPA Report with Feature Adoption Summary on demand.
Run the Best Practice Assessment (BPA) and Feature Adoption summary directly
from Strata Cloud Manager. Just upload a Tech Support File (TSF) to generate the on-demand BPA report for devices
that are not sending telemetry data or onboarded to AIOps for NGFW (PAN-OS devices
running versions 9.1 and above).
The BPA evaluates your security posture against Palo Alto Networks best practices and
prioritizes improvements for devices. Security best practices prevent known and unknown
threats, reduce the attack surface, and provide visibility into traffic, so you can know
and control which applications, users, and content are on your network.
Custom Dashboard
Create and customize dashboards to get visibility into areas of interest in your
network.
Apart from the default dashboards, you can now build a custom dashboard based on your network and security visibility requirements. You can use various types of customizable widgets from the widget library to create the dashboard. The widgets available to you depend on the services supported with your licenses. You can add up to 10 widgets in a custom dashboard and create 10 custom dashboards per user. You can modify a custom dashboard at any time. These are some of the customizations available in the custom dashboard:
- Customize dashboard settings such as layout, dashboard name, and descriptions
- Edit widget title, description, and show or hide filters
- Filter and sort data
- Look at the Sample Data view to see how your widget looks in the dashboard

Device Health Dashboard
The Device Health dashboard provides an overall view of the health and performance of
your NGFW devices.
The Device Health dashboard shows you the cumulative health status and performance of your onboarded NGFW devices. The device health is determined by the severity of the health score (0-100) and its corresponding health grade (good, fair, poor, critical). The health score is calculated based on the priority, quantity, type, and status of the open alerts.
This dashboard helps you:
- Understand the deployment improvements that you have made over a period by looking at the historical health score data.
- Narrow down devices that require attention in your deployment and prioritize the issues to resolve them.
- Review the device statistics and fix the critical alerts on the device to improve the health score and deployment health.
Advanced Threat Prevention Dashboard
Identify opportunities to strengthen your security posture with the threat prevention
dashboard.
The Advanced Threat Prevention dashboard gives insight into unknown malware, command and control (C2), and vulnerability exploit attempts in your network. The dashboard gives visibility into the real-time threat detection data from inline cloud analysis, along with threats detected based on the threat signatures generated from malicious traffic data collected from various Palo Alto Networks services.
This dashboard provides:
- A timeline view of threats allowed and blocked, a list of source IPs and users responsible for generating command and control (C2) traffic, and hosts targeted by cloud-detected exploits.
- Contextual links to Log Viewer to get context around the threat.
- IOC search results to learn about the usage patterns of the hosts generating C2 traffic and the hosts targeted by vulnerability exploits.
- Cloud reports and packet captures from the logs to get additional context, and Palo Alto Networks threat analytics data and threat intelligence to improve your incident response processes.
The dashboard helps you understand the security effectiveness of the Advanced Threat Prevention service. Use the data along with the analysis data from your other Palo Alto Networks security services to prevent security incidents on your network infrastructure.

Enhancements to CDSS Dashboard
Learn about the enhancements in the CDSS dashboard.
To help you identify and address potential security gaps in your enterprise, AIOps for NGFW offers a streamlined workflow that enables you to monitor the implementation of CDSS (Cloud-Delivered Security Services) features using the CDSS dashboard. This allows you to easily track the progress of CDSS feature activation, configuration, and adherence to best practices. Moreover, you have the option to override recommendations at the firewall level, saving time by avoiding the need to override them for each role-pair individually.

Feature Adoption Dashboard
Monitor the security features you’re using.
Monitor Feature Adoption and stay abreast of which
security features you’re using in your deployment and potential gaps in coverage. This
release introduces the following new features:
- TSF upload-generated CLI remediations (PAN-OS 9.1 and above TSFs)
- Historical adoption trend charts
- Per-device views of adoption (including for Panorama-managed devices)
- Ability to export adoption data as .csv file

NGFW SD-WAN Dashboard
Learn about what's new in the NGFW SD-WAN dashboard.
The NGFW SD-WAN dashboard provides performance
metrics for cloud-managed firewalls with SD-WAN, allowing visibility into application
and link performance. It helps troubleshoot issues across VPN clusters, isolates
problems to affected sites, applications, and links, and generates actionable alerts for
poor links and applications. These alerts are based on data-driven thresholds and offer
insights into trends with machine learning-powered detection and forecasting.
