Networking Features
End-of-Life (EoL)
PAN-OS 10.0 supports new networking features.
| New Networking Feature | Description |
|---|---|
| IKEv2 Support for AES-GCM Encryption (Available with PAN-OS® 10.0.3 and later 10.0 releases) | Security-conscious customers in financial verticals and other markets with VPN deployments are standardizing on strong IKE and IPSec security and require PAN-OS firewalls to support AES-GCM (Advanced Encryption Standard with Galois/Counter Mode). PAN-OS firewalls now support two new encryption algorithms for IKEv2 crypto profiles, AES-GCM with 128-bit strength and AES-GCM with 256-bit strength, to provide compatibility with other devices and stronger security than AES-CBC (AES with Cipher-Block Chaining). |
| Bonjour Reflector for Network Segmentation (Available with PAN-OS® 10.0.1 and later 10.0 releases) | To support Apple Bonjour in network environments that use segmentation to route traffic for security or administrative purposes (for example, where servers and clients are in different subnets), you can now forward Bonjour IPv4 traffic between Layer 3 (L3) Ethernet or Aggregated Ethernet (AE) interfaces or subinterfaces that you specify. The Bonjour Reflector option forwards multicast Bonjour advertisements and queries to up to 16 L3 Ethernet and AE interfaces or subinterfaces, ensuring user access to services and device discoverability regardless of Time To Live (TTL) values or hop limitations. |
| HA Clustering for Multiple Data Centers | Data centers with multiple locations and high throughput need high availability (HA) with more than two members to ensure high reliability and to avoid a single point of failure. PAN-OS HA can now support clustering of up to 16 firewalls that perform session state synchronization. HA pairs in each data center protect against both a single firewall failure and a data center failure, and asymmetric traffic from one data center is not dropped when it is sent to another data center. |
| HA Clustering for Horizontal Scaling of Firewalls | Within a data center, HA solutions must be able to scale horizontally. To provide seamless horizontal scalability of performance and capacity, PAN-OS HA can now support clustering of up to 16 firewalls that perform session state synchronization. In the event of a network outage or a firewall going down, the sessions fail over to a different firewall in the cluster. |
| HA Additional Path Monitoring Groups | To allow more flexible control over high availability (HA) deployments, you can now use multiple different destination IP groups within a single virtual wire (vwire), VLAN, and virtual router instance in PAN-OS and VMs. In addition to setting failure condition parameters for destination IP groups, you gain greater granularity in controlling HA failovers across those vwire, VLAN, and virtual router instances through segmentation. |
| Packet Buffer Protection Based on Latency | Some protocols and applications are sensitive to latency; you can now enable packet buffer protection based on latency, which triggers protection before the latency affects the protocol or application. Packet buffer protection based on buffer utilization (available prior to PAN-OS 10.0) defends your firewall and network from single-session DoS attacks that can overwhelm the firewall’s packet buffer and cause legitimate traffic to drop; it is now enabled by default. |
| Ethernet SGT Protection | In a Cisco TrustSec network, firewalls need to identify and block packets that carry specific Security Group Tags (SGTs) in their 802.1Q header. You can now do so at the ingress zone by creating a Zone Protection profile that lists the SGTs to block, which performs better than blocking those packets with Security policy rules. |
| Aggregate Interface Group Capacity Increase | The need to support more link aggregation groups for network resiliency has increased as firewalls are positioned closer to endpoints to provide better visibility and control. The number of aggregate Ethernet (AE) interface groups that the PA-3200 Series, PA-5200 Series, and most PA-7000 Series firewalls support increased from 8 to 16. The exception is the PA-7000 Series firewall with PA-7000-100G-NPC-A and SMC-B, which increased from 8 to 32 AE interface groups. On all of these supported firewall models, QoS is supported only on the first eight AE interface groups. |
| ECMP Strict Source Path | When you enable ECMP for a virtual router, IKE and IPSec traffic originating at the firewall by default egresses the interface that the ECMP load-balancing method selects. If the firewall has more than one ISP providing equal-cost paths to the same destination, one ISP could block legitimate traffic that arrives on an unexpected interface that ECMP chose. To avoid that problem, you can now enable ECMP Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs. |
| Tunnel Acceleration for GRE, VXLAN, and GTP | Generic Routing Encapsulation (GRE), Virtual Extensible Local Area Network (VXLAN), and GPRS Tunneling Protocol (GTP) are now supported by tunnel acceleration in the network processor, which improves performance and throughput. |
| Advanced Route Engine (Preview Mode Only) | The advanced route engine allows the firewall to scale and provide stable, high-performing, and highly available routing functions to large data centers, ISPs, enterprises, and cloud users. The advanced route engine supports BGP and static routes only. This upcoming route engine feature is in preview mode and is considered beta; it is for customers who want to use BGP and static routes and does not support other routing protocols, such as OSPF. |
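The AES-GCM row states that GCM gives stronger security than AES-CBC. The reason is that GCM is an authenticated (AEAD) mode: a corrupted or altered ciphertext is rejected rather than decrypted, whereas CBC on its own has no integrity check at all. The Go program below is an example added here, not PAN-OS code or anything from the release notes; it uses only Go's standard library to encrypt one constructed message under both modes, flip a single bit of each ciphertext, and record that GCM refuses to decrypt while CBC silently returns garbled data. The key, nonce, IV and message are constructed for the demonstration. One caveat a practitioner will want: in an IKEv2 or IPSec crypto profile, AES-CBC is always paired with a separate authentication algorithm, so the practical gain from AES-GCM is one combined authenticated primitive rather than integrity where there was none; the example isolates the cipher mode to show what it guarantees by itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demonstration material; not real key or VPN data.
var (
	demoKey       = []byte("0123456789abcdef")                 // 16 bytes: AES-128
	demoNonce     = []byte("unique-nonce")                     // 12 bytes: standard GCM nonce size
	demoIV        = []byte("initial-vector16")                 // 16 bytes: one AES block
	demoPlaintext = []byte("IKE_AUTH: peer identity = vpn-gw") // 32 bytes: two AES blocks
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-GCM; the output is ciphertext followed by the 16-byte tag.
func gcmSeal(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen verifies the tag before releasing any plaintext; a single changed bit fails it.
func gcmOpen(key, nonce, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, nil)
}

// cbcCrypt runs bare AES-CBC in either direction on block-aligned input. CBC carries
// no integrity check, so it cannot distinguish a genuine ciphertext from a corrupted one.
func cbcCrypt(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of the AES block size", len(in))
	}
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// flipBit returns a copy of data with the lowest bit of byte i toggled: one bit of corruption on the wire.
func flipBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

// TamperResult records how each mode reacted to a one-bit change in its ciphertext.
type TamperResult struct {
	GCMRejected  bool   // AES-GCM refused to decrypt (tag mismatch)
	CBCRejected  bool   // bare AES-CBC refused (it cannot: there is no tag to check)
	CBCPlaintext []byte // what CBC handed back from the corrupted ciphertext
}

// CompareTamperDetection encrypts demoPlaintext both ways, flips the first ciphertext
// byte for GCM and the last one for CBC, and reports what each mode did.
func CompareTamperDetection() (TamperResult, error) {
	var r TamperResult
	sealed, err := gcmSeal(demoKey, demoNonce, demoPlaintext)
	if err != nil {
		return r, err
	}
	_, err = gcmOpen(demoKey, demoNonce, flipBit(sealed, 0))
	r.GCMRejected = err != nil
	ct, err := cbcCrypt(demoKey, demoIV, demoPlaintext, false)
	if err != nil {
		return r, err
	}
	// Corrupting the last ciphertext block garbles only the last plaintext block;
	// block 1 decrypts cleanly and nothing signals that anything changed.
	pt, err := cbcCrypt(demoKey, demoIV, flipBit(ct, len(ct)-1), true)
	r.CBCRejected = err != nil
	r.CBCPlaintext = pt
	return r, nil
}

func main() {
	r, err := CompareTamperDetection()
	if err != nil {
		panic(err)
	}
	fmt.Printf("GCM rejected: %v  CBC rejected: %v  CBC block 1 intact: %v\n", r.GCMRejected,
		r.CBCRejected, bytes.Equal(r.CBCPlaintext[:aes.BlockSize], demoPlaintext[:aes.BlockSize]))
}
```

Run it with `go run .`; the CBC half comes back with its first block still readable and its second block garbled, with no error to act on, which is exactly the gap an integrity algorithm or an AEAD mode closes.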
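The Ethernet SGT Protection row describes dropping ingress frames by the Security Group Tag they carry. The Go program below is an illustration added here, not PAN-OS code, of the decision such a filter makes: it parses a frame's 802.1Q tag and the Cisco MetaData (CMD) header that carries the SGT, then checks the tag against a block list that plays the role of the Zone Protection profile's SGT list. The CMD layout it uses (EtherType 0x8909, then one-byte version and length fields, a two-byte option type, the two-byte SGT value and the encapsulated EtherType) is my assumption about the inline-tagging format and should be checked against the switch documentation; the frames and the block list are constructed for the example. Frames without an SGT pass, and a truncated CMD header is surfaced as a parse error rather than silently allowed, which is the edge case a zone-level filter has to decide on.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	etherTypeVLAN = 0x8100 // IEEE 802.1Q tag
	etherTypeIPv4 = 0x0800
	etherTypeCMD  = 0x8909 // Cisco MetaData header carrying the SGT (layout below is assumed)
	sgtOptionType = 0x0001 // CMD option type for an SGT (assumed value)
)

// TaggedFrame holds what an ingress SGT filter needs from a frame.
type TaggedFrame struct {
	VLAN      uint16 // 0 when the frame has no 802.1Q tag
	HasSGT    bool
	SGT       uint16
	EtherType uint16 // EtherType of the encapsulated payload
}

// ParseFrame walks destination/source MAC, an optional 802.1Q tag and an optional CMD header.
// Assumed CMD layout after EtherType 0x8909: version(1) length(1) optionType(2) sgt(2) innerEtherType(2).
func ParseFrame(frame []byte) (TaggedFrame, error) {
	var f TaggedFrame
	off := 12 // skip the two MAC addresses
	if len(frame) < off+2 {
		return f, errors.New("frame too short for an EtherType")
	}
	et := binary.BigEndian.Uint16(frame[off:])
	off += 2
	if et == etherTypeVLAN {
		if len(frame) < off+4 {
			return f, errors.New("truncated 802.1Q tag")
		}
		f.VLAN = binary.BigEndian.Uint16(frame[off:]) & 0x0fff // VLAN ID is the low 12 bits of the TCI
		et = binary.BigEndian.Uint16(frame[off+2:])
		off += 4
	}
	if et == etherTypeCMD {
		if len(frame) < off+8 {
			return f, errors.New("truncated CMD header")
		}
		if frame[off] != 1 {
			return f, fmt.Errorf("unsupported CMD version %d", frame[off])
		}
		if binary.BigEndian.Uint16(frame[off+2:]) != sgtOptionType {
			return f, errors.New("CMD option is not an SGT")
		}
		f.HasSGT = true
		f.SGT = binary.BigEndian.Uint16(frame[off+4:])
		et = binary.BigEndian.Uint16(frame[off+6:])
	}
	f.EtherType = et
	return f, nil
}

// SGTFilter models the SGT block list of a Zone Protection profile applied at an ingress zone.
type SGTFilter struct {
	Blocked map[uint16]bool
}

// Verdict reports whether the frame should be dropped. Frames without an SGT pass; frames
// that cannot be parsed are returned as errors so the caller can apply its own policy.
func (s SGTFilter) Verdict(frame []byte) (drop bool, reason string, err error) {
	f, err := ParseFrame(frame)
	if err != nil {
		return false, "", err
	}
	if f.HasSGT && s.Blocked[f.SGT] {
		return true, fmt.Sprintf("SGT %d is on the block list (VLAN %d)", f.SGT, f.VLAN), nil
	}
	return false, "no blocked SGT", nil
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildFrame constructs sample input (not a capture): two MACs, an 802.1Q tag when vlan is
// non-zero, a CMD header when sgt is non-negative, then the inner EtherType and two payload bytes.
func BuildFrame(vlan uint16, sgt int, inner uint16) []byte {
	b := []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01}
	if vlan != 0 {
		b = be16(be16(b, etherTypeVLAN), vlan)
	}
	if sgt >= 0 {
		b = be16(b, etherTypeCMD)
		b = append(b, 1, 1) // version 1, length 1 (assumed)
		b = be16(be16(b, sgtOptionType), uint16(sgt))
	}
	return append(be16(b, inner), 0x45, 0x00) // first bytes of an IPv4 header
}

func main() {
	filter := SGTFilter{Blocked: map[uint16]bool{10: true}} // constructed block list
	for _, fr := range [][]byte{BuildFrame(100, 10, etherTypeIPv4), BuildFrame(100, 20, etherTypeIPv4),
		BuildFrame(0, -1, etherTypeIPv4), BuildFrame(100, 10, etherTypeIPv4)[:20]} {
		drop, reason, err := filter.Verdict(fr)
		fmt.Printf("drop=%v reason=%q err=%v\n", drop, reason, err)
	}
}
```

The four sample frames exercise the cases the filter has to handle: a blocked SGT, an allowed SGT, an untagged frame, and a frame cut off inside the CMD header. Keeping the parse error separate from the drop verdict lets the surrounding policy decide whether malformed tagged frames are dropped or logged, instead of the parser quietly choosing for it.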