In PAN-OS 10.0, enter the Panorama

Peer HA Serial

number on each Panorama high availability (HA) peer when configuring HA to reduce your attack surface against brute force attacks on the Panorama IP addresses.

In PAN-OS 10.0.2 and earlier, all access point names (APNs) from the same user equipment (UE) shared a single GTP-C tunnel on an S11 interface.

In PAN-OS 10.0.3 and later, the firewall supports multiple APNs on an S11 interface for RAN deployments by creating separate sessions for multiple APNs. By dividing the GTP-C tunnel into multiple sessions, the firewall now processes each APN independently.

In PAN-OS 9.1 and earlier, if the number of packets matching the context of the brute force signature for GTP and SCTP (including Diameter-S6a and S1AP) per-message signatures exceeded the threshold and the

Action

was

drop

, the firewall would deny any further traffic for the session and drop any subsequent packets.

In PAN-OS 10.0.2 and later, the firewall keeps the session open and drops packets on a per-session basis only if they match the brute force signature. For example, if the rate limit configuration is five packets every two seconds, the firewall allows the first four packets; the fifth and any subsequent packets are dropped for the two-second threshold duration.

On all firewall models, packet buffer protection based on packet buffer utilization percentage is enabled by default globally and on each zone.

In PAN-OS version 9.0 and higher the recommended minimum disk size for VM-Series firewalls was 60GB, but PAN-OS did not prevent the upgrade if the minimum was not met. PAN-OS version 10.0 disallows upgrade if your VM-Series firewall disk size is less than 60GB.

Access domains enable administrators to manage access to specific domains on Panorama and on firewalls with multiple virtual systems. Access domain enforcement now extends to the REST API.

After you upgrade to PAN-OS version 10.0, the initial REST API access privileges for admin role profiles will default to

Disabled

. If you downgrade from PAN-OS version 10.0 to 9.1, the admin role profiles will preserve the XML API access privileges, and the preserved XML API access privileges will determine the REST API access privileges.

Due to the inherent security risks of this legacy protocol, the NT LAN Manager (NTLM) authentication protocol has been removed in this release. We recommend using Kerberos Single Sign-On (SSO) or Security Assertion Markup Language (SAML) for SSO authentication.

The Dedicated Log Collector no longer supports redistribution for User-ID information in this release. We recommend using the firewall or Panorama to redistribute information.

The minimum number of Log Collectors required for a Collector Group to be operational is based on the following formula where

n

equals the total number of Log Collectors in the Collector Group:

n/2+1

For example, if you configure a Collector Group with six Log Collectors, a minimum of four Log Collectors are required for the Collector Group to be operational.

Additionally, you should round down the minimum number of Log Collectors required if you have an odd number of Log Collectors in a Collector Group. For example, if you have three Log Collectors in a Collector Group, you need at least two Log Collectors for the Collector Group to remain operational.

In PAN-OS 9.1 and earlier, the default

Max Version

in the SSL Decryption profile’s SSL Protocol Settings was

Max

so that profiles automatically used the newest TLS version without manual reconfiguration.

In PAN-OS 10.0, the default setting for

Max Version

changed to

TLSv1.2

to prevent service disruption of mobile applications that enforce certificate pinning, which do not work with TLSv1.3. For the same reason, when you upgrade to PAN-OS 10.0, all Decryption profiles with the

Max Version

set to

Max

are automatically reconfigured to

TLSv1.2

as the

Max Version

.

After you upgrade to PAN-OS 10.0, you must assign a

Device Admin Role

that is pushed to your managed firewalls when configuring a Panorama Admin Role profile to allow Device Group and Template administrators to context switch between the Panorama and firewall web interface.

During the context switch, Panorama validates if the admin has access to a specific vsys or for all vsys. If the admin has access to all vsys, then Panorama uses the device admin role context switch. If the admin has access to one or some of the vsys, then Panorama uses the vsys admin role to context switch.

In PAN-OS 9.1 and earlier, the firewall used the Palo Alto Networks Services service route to send Enhanced Application Logs (EAL logs).

In PAN-OS 10.0 and later versions, the firewall sends EAL logs using the Data Services service route, which uses the management interface by default. Other services, such as Data Loss Prevention (DLP), also use this service route. You can configure any Layer 3 (L3) interface, including the management or dataplane interfaces, for the service route.

If your firewall currently sends EAL logs (for example, if you are using Cortex XDR), the firewall automatically uses the Data Services service route after you upgrade to PAN-OS 10.0. If you want to use a different interface for the service route, you can change the service route to any L3 interface.

If you use a log forwarding card (LFC) with the 7000 series, when you upgrade to PAN-OS 10.0, you must configure the management plane or dataplane interface for the service route because the LFC ports do not support the requirements for the service route. We recommend using the dataplane interface for the Data Services service route.

The PA-7000 series firewall utilizing a Log Forward Card does not forward logs to an M-Series appliance in Panorama or Log Collector mode with 10GB network interfaces.

To successfully forward logs from a PA-7000 series firewall utilizing a Log Forwarding Card, a network switch must be present between the PA-7000 series

lfp0

or

lfp1

interfaces of the Log Forwarding Card and the M-Series appliance for the PA-7000 series firewall.

Previously, to exclude the IP Address and Alternative IP Addresses of a Terminal Server (TS) Agent host from IP address-to-user mappings, you needed to manually enter those IP Addresses in the Exclude list. Now, the firewall automatically excludes these IP Addresses from IP address-to-user mapping.

Previously, if User-ID could not identify a user from the existing mappings, it would send a query for updated user mappings to all User-ID agents, which was useful if there was a longer time interval between updates. Now, the agents send the mapping updates to the firewall or Panorama in real time so there is no need to send the query for new mappings.

To improve security, the firewall now generates a token parameter for the Authentication Portal URL when the user's web traffic matches an Authentication Policy rule. If you have shared or bookmarked a URL for the Authentication Portal page, after you upgrade to PAN-OS 10.0, update the bookmarked URL by removing the

url

parameter or disable the token generation using the following CLI command in Configure mode:

set deviceconfig setting captive-portal disable-token yes

, then commit the changes using the

commit

command.

If you have a local administrator account that authenticates using a remote authentication server such as a SAML Identity Provider (IdP), you must ensure that the username that the authentication server sends to the firewall or Panorama doesn't contain a domain and is identical to the username in the local administrator account settings on the firewall or Panorama.

The

None

option for the Identity Provider Certificate in the SAML Identity Provider server profile has been removed in this release. To ensure the integrity of the SAML Responses or Assertions from Identity Provider (IdP), the firewall or Panorama requires an IdP certificate. The firewall or Panorama always validates the signature of the SAML Responses or Assertions against the IdP certificate that you configure.

As of PAN-OS 10.0.1, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).

To enable resource-control groups, use:

To disable resource-control groups, use:

To set the memory limit, use:

To remove the memory limit, use:

Reboot the firewall to ensure the memory limit change takes effect.

In PAN-OS versions 9.1 and earlier, the default threshold for root partition was 95%. In version 10.0 onward, the default threshold is 90%.

Non-superuser administrators with all rights enabled can

Review Policies

or

Review Apps

for downloaded or installed content versions.

In PAN-OS 9.1 and earlier releases, you could generate a new pair of public and private SSH host keys and change other SSH configuration parameters such as the default host key type from the CLI.

In PAN-OS 10.0 and later releases, you must create an SSH service profile (

Device

Certificate Management

SSH Service Profile

) to customize management and HA SSH configurations. You can configure these profiles from the CLI or the firewall or Panorama web interface.

Panorama regularly connects to the IoT Edge Service to download policy recommendations for IoT based policies. This connection is attempted by Panorama regardless of whether the IoT license is active on any managed firewalls.

A high severity gRPC connection failure system log is generated in the event of connection failure or if Panorama manages no IoT licensed firewall. No action is needed regarding these system logs if you are not leveraging the policy recommendation capabilities of IoT or if you are not managing any IoT licensed firewalls.

If you are leveraging the policy recommendation capabilities of IoT, review the gRPC connection failure system log to understand what is causing the connection issue between Panorama and the IoT Edge Service.

In PAN-OS 10.0.9 and later releases, the frequency of connection attempts by Panorama to the IoT Edge Service is reduced.

After upgrading Panorama to PAN-OS 10.0, Panorama and managed devices must both be running PAN-OS 10.0 or later release in order for Device Group & Template Admins to generate a Tech Support file (

Device

Support

Generate Tech Support File

) when you context switch to the managed firewall web interface.

Device Group & Template admins cannot generate a Tech Support file when you context switch to the managed firewall web interface running PAN-OS 9.1 or earlier release.