PAN-OS 10.0 supports new networking features.
New Networking Feature
IKEv2 Support for AES-GCM Encryption
Available with PAN-OS® 10.0.3 and later 10.0 releases)
Security-conscious customers in financial verticals and other markets who have VPN deployments are standardizing on strong IKE and IPSec security and require PAN-OS firewalls to support AES-GCM (Advanced Encryption Standard with Galois/Counter Mode). PAN-OS firewalls now support two new encryption algorithms for IKEv2 crypto profiles: AES-GCM with 128-bit strength and AES-GCM with 256-bit strength to provide compatibility with other devices and to provide stronger security than AES-CBC (AES with Cipher-Block Chaining).
Bonjour Reflector for Network Segmentation
Available with PAN-OS® 10.0.1 and later 10.0 releases)
To support Apple Bonjour in network environments that use segmentation to route traffic for security or administrative purposes (for example, where servers and clients are in different subnets), you can now forward Bonjour IPv4 traffic between Layer 3 (L3) Ethernet or Aggregated Ethernet (AE) interfaces or subinterfaces that you specify. The Bonjour Reflector option allows you to forward multicast Bonjour advertisements and queries to up to 16 L3 Ethernet and AE interfaces or subinterfaces, ensuring user access to services and device discoverability regardless of Time To Live (TTL) values or hop limitations.
HA Clustering for Multiple Data Centers
Data centers with multiple locations and high throughput need high availability (HA) with more than two members to ensure high reliability and to avoid a single point of failure. PAN-OS HA can now support clustering of up to 16 firewalls that perform session state synchronization. HA pairs in each data center prevent a single firewall failure and a data center failure, and asymmetric traffic from a data center is not dropped when sent to another data center.
HA Clustering for Horizontal Scaling of Firewalls
Within a data center, HA solutions must be able to scale horizontally. To provide seamless horizontal scalability of performance and capacity, PAN-OS HA can now support clustering of up to 16 firewalls that perform session state synchronization. In the event of a network outage or a firewall going down, the sessions fail over to a different firewall in the cluster.
HA Additional Path Monitoring Groups
To allow more flexible control over high availability (HA) deployments, you now have support for the use of multiple different destination IP groups within a single virtual wire (vwire), VLAN, and virtual router instance in PAN-OS and VMs. In addition to the option to set failure condition parameters for destination IP groups, you have greater granularity in controlling your HA failovers over those vwire, VLAN, and virtual router instances through segmentation.
Packet Buffer Protection Based on Latency
Some protocols and applications are sensitive to latency; you can now enable packet buffer protection based on latency, which triggers protection before the latency affects the protocol or application. Packet buffer protection based on buffer utilization (which was available prior to PAN-OS 10.0) defends your firewall and network from single-session DoS attacks that can overwhelm the firewall’s packet buffer and cause legitimate traffic to drop; it is now enabled by default.
Ethernet SGT Protection
In a Cisco TrustSec network, firewalls need to be able to identify and block packets that have specific Security Group Tags (SGTs) in their 802.1Q header. You can now do so at the ingress zone by creating a Zone Protection profile that lists SGTs to block, which results in better performance than blocking packets with security policy rules.
Aggregate Interface Group Capacity Increase
The need to support more link aggregation groups for network resiliency has increased as firewalls are positioned closer to endpoints to provide better visibility and control. The number of aggregate Ethernet (AE) interface groups that the PA-3200 Series, PA-5200 Series, and most PA-7000 Series firewalls support increased from 8 to 16. The exception is the PA-7000 Series firewall with PA-7000-100G-NPC-A and SMC-B, which increased from 8 to 32 AE interface groups. On all of these supported firewall models, QoS is supported on only the first eight AE interface groups.
ECMP Strict Source Path
When you enable ECMP for a virtual router, IKE and IPSec traffic originating at the firewall by default egresses an interface that the ECMP load-balancing method determines. If the firewall has more than one ISP providing equal-cost paths to the same destination, one ISP could block legitimate traffic that arrives on an unexpected interface that ECMP chose. To avoid that problem, you can now enable ECMP Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs.
Tunnel Acceleration for GRE, VXLAN, and GTP
Generic Routing Encapsulation (GRE), Virtual Extensible Local Area Network (VXLAN), and GPRS Tunneling Protocol (GTP) are now supported by tunnel acceleration in the network processor, which improves performance and throughput.
Advanced Route Engine
Preview Mode Only)
The advanced route engine allows the firewall to scale and provide stable, high-performing, and highly available routing functions to large data centers, ISPs, enterprises, and cloud users. The advanced route engine supports BGP and static routes only. This upcoming route engine feature is in preview mode and is considered beta; it is for customers who want to use BGP and static routes and doesn’t support other routing protocols, such as OSPF.
Recommended For You
Recommended videos not found.