Networking Features

What new Networking features are in PAN-OS 10.1?
Networking features in PAN-OS 10.1.
New Networking Feature
LSVPN Cookie Expiry Extension
PAN-OS 10.1.7 and later 10.1 Releases
You can now configure the cookie expiration period from 1 to 5 years, while the default remains as 6 months. The encrypted cookie stored on an Large Scale VPN (LSVPN) satellite expires after every 6 months. This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.
To reduce administrative overhead, we’ve extended the cookie expiration period from 6 months to 5 years.
Persistent NAT for DIPP
PAN-OS 10.1.6 and later 10.1 Releases
One type of source NAT is Dynamic IP and Port (DIPP). Some applications, such as VoIP, video, and others, use DIPP and may require Session Traversal Utilities for NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility issues with STUN. To alleviate those issues, persistent NAT for DIPP provides additional support for connectivity with such applications. When you enable persistent NAT for DIPP, the binding of a private source IP address and port to a specific public (translated) source IP address and port persists for subsequent sessions that arrive having that same original source IP address and port.
Aggregate Group Members on Multiple Cards
A PA-7050 or PA-7080 firewall that has an aggregate interface group configured using different line cards will correctly handle fragmented packets after you run the CLI operational command: set ae-frag redistribution-policy hash.
Network Packet Broker
You can now not only decrypt but also broker all traffic—decrypted TLS, non-decrypted TLS, and non-TLS—to a suite of vendor-agnostic security tools such as IPS, IDS, and SIEM devices for inspection. Network Packet Broker eliminates the need to purchase and maintain dedicated, single-function appliances to decrypt and manage security chain devices. You can filter and forward traffic to one chain or to multiple chains of security devices based on application, user, IP address, device, and zone. You can also load balance traffic and eliminate single points of failure. The feature enables you to consolidate security tools with overlapping functionality, which simplifies your network and reduces capital and operating expenses.
Support for Stronger SNMPv3 Encryption
SNMPv3 now supports stronger hashing and encryption algorithms to better meet your organizations internal encryption policies. You can specify hashing algorithms from SHA-224 to SHA-512 for the Authentication Protocol, and encryption algorithms AES-192 and AES-256 for the Privacy Protocol when configuring SNMP or defining the SNMP Trap Server profile.

Recommended For You