Changes to Default Behavior
Changes to the default behavior in PAN-OS® 10.0.
The following table details the changes
in default behavior upon upgrade to PAN-OS® 10.0. You may also want
to review the Upgrade/Downgrade Considerations before upgrading
to this release.
| Feature | Change |
|---|---|
| Panorama High Availability | In PAN-OS 10.0, enter the Panorama Peer HA Serial number on each Panorama high availability (HA) peer when configuring HA to reduce your attack surface against brute force attacks on the Panorama IP addresses. |
| Multiple APNs on S11 interfaces for RAN deployments | In PAN-OS 10.0.2 and earlier, all access point names (APNs) from the same user equipment (UE) shared a single GTP-C tunnel on an S11 interface. In PAN-OS 10.0.3 and later, the firewall supports multiple APNs on an S11 interface for RAN deployments by creating separate sessions for multiple APNs. By dividing the GTP-C tunnel into multiple sessions, the firewall now processes each APN independently. |
| Session persistence during rate limiting for GTP and SCTP brute force attack signatures | In PAN-OS 9.1 and earlier, if the number of packets matching the context of the brute force signature for GTP and SCTP (including Diameter-S6a and S1AP) per-message signatures exceeded the threshold and the Action was drop, the firewall would deny any further traffic for the session and drop any subsequent packets. In PAN-OS 10.0.2 and later, the firewall keeps the session open and drops packets on a per-session basis only if they match the brute force signature. For example, if the rate limit configuration is five packets every two seconds, the firewall allows the first four packets; the fifth and any subsequent packets are dropped for the two-second threshold duration. |
| Packet Buffer Protection | On all firewall models, packet buffer protection based on packet buffer utilization percentage is enabled by default globally and on each zone. |
| VM-Series Disk Upgrade Restriction | In PAN-OS version 9.0 and higher, the recommended minimum disk size for VM-Series firewalls was 60GB, but PAN-OS did not prevent the upgrade if the minimum was not met. PAN-OS version 10.0 disallows the upgrade if your VM-Series firewall disk size is less than 60GB. |
| Access Domain for REST API | Access domains enable administrators to manage access to specific domains on Panorama and on firewalls with multiple virtual systems. Access domain enforcement now extends to the REST API. |
| PAN-OS and Panorama REST API Enhancements | After you upgrade to PAN-OS version 10.0, the initial REST API access privileges for admin role profiles default to Disabled. If you downgrade from PAN-OS version 10.0 to 9.1, the admin role profiles preserve the XML API access privileges, and the preserved XML API access privileges determine the REST API access privileges. |
| NT LAN Manager protocol | Due to the inherent security risks of this legacy protocol, the NT LAN Manager (NTLM) authentication protocol has been removed in this release. We recommend using Kerberos Single Sign-On (SSO) or Security Assertion Markup Language (SAML) for SSO authentication. |
| User-ID Redistribution for Dedicated Log Collectors | The Dedicated Log Collector no longer supports redistribution of User-ID information in this release. We recommend using the firewall or Panorama to redistribute information. |
| Collector Groups | The minimum number of Log Collectors required for a Collector Group to be operational is given by the formula n/2 + 1, where n equals the total number of Log Collectors in the Collector Group. For example, if you configure a Collector Group with six Log Collectors, a minimum of four Log Collectors are required for the Collector Group to be operational. Round the result down if you have an odd number of Log Collectors in a Collector Group: with three Log Collectors, you need at least two for the Collector Group to remain operational. Two Log Collectors in a Collector Group is supported, but the Collector Group becomes non-operational if one Log Collector goes down. |
| SSL Decryption profile TLS maximum version | In PAN-OS 9.1 and earlier, the default Max Version in the SSL Decryption profile's SSL Protocol Settings was Max, so that profiles automatically used the newest TLS version without manual reconfiguration. In PAN-OS 10.0, the default Max Version changed to TLSv1.2 to prevent service disruption of mobile applications that enforce certificate pinning, which do not work with TLSv1.3. For the same reason, when you upgrade to PAN-OS 10.0, all Decryption profiles with the Max Version set to Max are automatically reconfigured to a Max Version of TLSv1.2. |
| Context Switch | After you upgrade to PAN-OS 10.0, you must assign a Device Admin Role that is pushed to your managed firewalls when configuring a Panorama Admin Role profile, to allow Device Group and Template administrators to context switch between the Panorama and firewall web interfaces. During the context switch, Panorama validates whether the admin has access to a specific vsys or to all vsys. If the admin has access to all vsys, Panorama uses the device admin role for the context switch. If the admin has access to one or some of the vsys, Panorama uses the vsys admin role for the context switch. |
| Device-ID | In PAN-OS 9.1 and earlier, the firewall used the Palo Alto Networks Services service route to send Enhanced Application Logs (EAL logs). In PAN-OS 10.0 and later versions, the firewall sends EAL logs using the Data Services service route, which uses the management interface by default. Other services, such as Data Loss Prevention (DLP), also use this service route. You can configure any Layer 3 (L3) interface, including the management or dataplane interfaces, for the service route. If your firewall currently sends EAL logs (for example, if you are using Cortex XDR), the firewall automatically uses the Data Services service route after you upgrade to PAN-OS 10.0. If you want to use a different interface for the service route, you can change the service route to any L3 interface. If you use a log forwarding card (LFC) with the 7000 series, when you upgrade to PAN-OS 10.0 you must configure the management plane or dataplane interface for the service route, because the LFC ports do not support the requirements for the service route. We recommend using the dataplane interface for the Data Services service route. |
| Log Forwarding | A PA-7000 series firewall using a Log Forwarding Card does not forward logs to an M-Series appliance in Panorama or Log Collector mode with 10GB network interfaces. To successfully forward logs from a PA-7000 series firewall using a Log Forwarding Card, a network switch must be present between the lfp0 or lfp1 interfaces of the Log Forwarding Card and the M-Series appliance. |
| Terminal Server (TS) agent | Previously, to exclude the IP Address and Alternative IP Addresses of a Terminal Server (TS) Agent host from IP address-to-user mappings, you needed to manually enter those IP Addresses in the Exclude list. Now, the firewall automatically excludes these IP Addresses from IP address-to-user mapping. |
| User-ID | Previously, if User-ID could not identify a user from the existing mappings, it would send a query for updated user mappings to all User-ID agents, which was useful if there was a longer time interval between updates. Now, the agents send the mapping updates to the firewall or Panorama in real time, so there is no need to send the query for new mappings. |
| Captive Portal (Authentication Portal) | To improve security, the firewall now generates a token parameter for the Authentication Portal URL when the user's web traffic matches an Authentication Policy rule. If you have shared or bookmarked a URL for the Authentication Portal page, after you upgrade to PAN-OS 10.0, update the bookmarked URL by removing the url parameter, or disable the token generation using the following CLI command in Configure mode: `set deviceconfig setting captive-portal disable-token yes`, then commit the changes using the `commit` command. |
| Local Administrator Authentication | If you have a local administrator account that authenticates using a remote authentication server such as a SAML Identity Provider (IdP), you must ensure that the username that the authentication server sends to the firewall or Panorama does not contain a domain and is identical to the username in the local administrator account settings on the firewall or Panorama. |
| SAML Authentication | The None option for the Identity Provider Certificate in the SAML Identity Provider server profile has been removed in this release. To ensure the integrity of the SAML Responses or Assertions from the Identity Provider (IdP), the firewall or Panorama requires an IdP certificate. The firewall or Panorama always validates the signature of the SAML Responses or Assertions against the IdP certificate that you configure. |
| PA-7000 Series Firewall Memory Limit for the Management Server | As of PAN-OS 10.0.1, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use `debug software resource-control enable`. To disable resource-control groups, use `debug software resource-control disable`. To set the memory limit, use `debug management-server limit-memory enable`. To remove the memory limit, use `debug management-server limit-memory disable`. Reboot the firewall to ensure the memory limit change takes effect. |
| PAN-OS Root Partition | In PAN-OS versions 9.1 and earlier, the default threshold for the root partition was 95%. In version 10.0 onward, the default threshold is 90%. |
| Device Administrator | Non-superuser administrators with all rights enabled can Review Policies or Review Apps for downloaded or installed content versions. |
| SSH Service Profile | In PAN-OS 9.1 and earlier releases, you could generate a new pair of public and private SSH host keys and change other SSH configuration parameters, such as the default host key type, from the CLI. In PAN-OS 10.0 and later releases, you must create an SSH service profile (Device > Certificate Management > SSH Service Profile). |
| Scheduled Reports for Cortex Data Lake | (PAN-OS 10.0.3 or later) Beginning with PAN-OS 10.0.3, support for scheduled reports on Cortex Data Lake data is enabled by default. |
| IoT Edge Services | Panorama regularly connects to the IoT Edge Service to download policy recommendations for IoT based policies. Panorama attempts this connection regardless of whether the IoT license is active on any managed firewalls. A high severity gRPC connection failure system log is generated in the event of a connection failure or if Panorama manages no IoT licensed firewall. No action is needed regarding these system logs if you are not leveraging the policy recommendation capabilities of IoT or if you are not managing any IoT licensed firewalls. If you are leveraging the policy recommendation capabilities of IoT, review the gRPC connection failure system log to understand what is causing the connection issue between Panorama and the IoT Edge Service. In PAN-OS 10.0.9 and later releases, the frequency of connection attempts by Panorama to the IoT Edge Service is reduced. |
| Generate Tech Support File for Firewalls Managed by Panorama | After upgrading Panorama to PAN-OS 10.0, Panorama and managed devices must both be running PAN-OS 10.0 or a later release in order for Device Group & Template Admins to generate a Tech Support file (Device > Support > Generate Tech Support File). Device Group & Template admins cannot generate a Tech Support file when you context switch to the web interface of a managed firewall running PAN-OS 9.1 or an earlier release. |
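The session-persistence change for brute force signatures in the table, simulated beside the pre-10.0.2 behaviour, as an added example that is not from the PAN-OS documentation: the five-packets-per-two-seconds threshold is the page's own figure, while the fixed window that starts at the first matching packet and the Packet/Session structures are assumptions made for this illustration.

```python
# Added illustration, not PAN-OS code; fixed window from the first match is an assumption.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    t: float        # arrival time in seconds (constructed sample data)
    matches: bool   # True if the packet matches the brute force signature

@dataclass
class Session:
    window_start: Optional[float] = None
    count: int = 0
    denied: bool = False  # used only by the legacy behaviour

def _count_match(s: Session, pkt: Packet, window: float) -> int:
    """Count a match in the current window; open a new window if none
    exists yet or the previous one has expired (assumed semantics)."""
    if s.window_start is None or pkt.t - s.window_start >= window:
        s.window_start, s.count = pkt.t, 0
    s.count += 1
    return s.count

def legacy_verdicts(packets: List[Packet], threshold=5, window=2.0) -> List[str]:
    """PAN-OS 9.1 and earlier: reaching the threshold denies the whole
    session, so every later packet is dropped whether it matches or not."""
    s, verdicts = Session(), []
    for pkt in packets:
        if not s.denied and pkt.matches and _count_match(s, pkt, window) >= threshold:
            s.denied = True
        verdicts.append("drop" if s.denied else "allow")
    return verdicts

def per_session_verdicts(packets: List[Packet], threshold=5, window=2.0) -> List[str]:
    """PAN-OS 10.0.2 and later: the session stays open; only packets that
    match the signature are dropped, and only until the window ends."""
    s, verdicts = Session(), []
    for pkt in packets:
        over = pkt.matches and _count_match(s, pkt, window) >= threshold
        verdicts.append("drop" if over else "allow")
    return verdicts

# Constructed sample: six matches in one burst with a non-matching packet in
# between, then a match after the two-second window has expired.
SAMPLE = [Packet(0.0, True), Packet(0.1, True), Packet(0.2, True), Packet(0.3, True),
          Packet(0.4, True), Packet(0.5, False), Packet(0.6, True),
          Packet(2.5, True), Packet(2.6, False)]

if __name__ == "__main__":
    print(legacy_verdicts(SAMPLE), per_session_verdicts(SAMPLE))
```

Under the legacy rule the non-matching packet at 0.5 s and everything after it is lost with the session; under the per-session rule only the fifth and sixth matches are dropped and the match at 2.5 s starts a fresh window.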