>
    Strata Copilot
    Networking Features
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Features Introduced in PAN-OS 10.2
    4. Networking Features
    Download PDF

    Networking Features

    Table of Contents

    Networking Features

    What new Networking features are in PAN-OS 10.2?
    New Networking FeatureDescription
    Authenticate LSVPN Satellite with Serial Number and IP Method
    (PAN-OS 10.2.8 and later 10.2 releases)
    You can now onboard a remote satellite using the combination of serial number and IP address in addition to the username/password and satellite cookie authentication method. This authentication method reduces the complexity by enabling you to perform software upgrade and deploy new firewalls without manual intervention.
    PA-5420 Firewall Supports Additional Virtual Routers
    (PAN-OS 10.2.8 and later 10.2 releases)
    The number of virtual routers supported on a PA-5420 firewall increased from 50 to 65. This increase allows you to have a virtual router for each virtual system on the firewall in the event that you configure more than 50 virtual systems.
    Improved Throughput with Lockless QoS
    (PAN-OS 10.2.5 and later 10.2 releases)
    The Palo Alto Networks QoS implementation now supports a new QoS mode called lockless QoS for PA-3410, PA-3420, PA-3430, PA-3440, PA-5410, PA-5420, and PA-5430 firewalls. For firewalls with higher bandwidth QoS requirements, the lockless QoS dedicates CPU cores to the QoS function that improves QoS performance, resulting in improved throughput and latency.
    Software Cut-Through Support for PA-5410, PA-5420, PA-5430, and PA-3400 Series Firewalls
    (PAN-OS 10.2.5 and later 10.2 releases)
    The PA-5410, PA-5420, PA-5430, and PA-3400 Series firewalls have significantly improved latency.
    LSVPN Cookie Expiry Extension
    (PAN-OS 10.2.4 and later 10.2 releases)
    You can now configure the cookie expiration period from 1 to 5 years, while the default remains as 6 months. The encrypted cookie stored on an Large Scale VPN (LSVPN) satellite expires after every 6 months. This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.
    To reduce administrative overhead, we’ve extended the cookie expiration period from 6 months to 5 years.
    Increased Maximum Number of Security Zones for PA-3400 Series Firewalls
    (PAN-OS 10.2.4 and later 10.2 releases)
    (PA-3400 Series firewalls only) The maximum number of security zones supported on the PA-3410 and PA-3420 firewalls has increased from 40 to 200. The maximum number of security zones supported on the PA-3430 firewall has increased from 100 to 200.
    Poll Timeout Improvement for PA-3400 and PA-5400 Series Firewalls
    (PAN-OS 10.2.4 and later 10.2 releases)
    The PA-3400 and PA-5400 Series firewalls have improved latency when operating under low load.
    Persistent NAT for DIPP
    (PAN-OS 10.2.4 and later 10.2 releases)
    One type of source NAT is Dynamic IP and Port (DIPP). Some applications, such as VoIP, video, and others, use DIPP and may require Session Traversal Utilities for NAT (STUN) protocol. DIPP NAT uses symmetric NAT, which may have compatibility issues with STUN. To alleviate those issues, persistent NAT for DIPP provides additional support for connectivity with such applications. When you enable persistent NAT for DIPP, the binding of a private source IP address and port to a specific public (translated) source IP address and port persists for subsequent sessions that arrive having that same original source IP address and port.
    IPv4 Multicast for Advanced Routing Engine
    (PAN-OS 10.2.2 and later 10.2 releases)
    The Advanced Routing Engine supports IPv4 multicast on logical routers. This engine supports PIM sparse mode (PIM-SM), PIM source-specific mode (PIM-SSM), and Internet Group Management Protocol (IGMP) on NGFW interfaces. You can also configure static routes over which to reverse-path forward (RPF) from the NGFW to the source. In line with the other routing protocols, multicast routing relies on profiles to parameterize PIM and IGMP. Unlike the legacy routing engine, which supports IGMPv1, the Advanced Routing Engine instead supports IGMP static joins for devices that do not support IGMPv2 or IGMPv3.
    Security Policy Rule Top-Down Order When Wildcard Masks Overlap
    (PAN-OS 10.2.1 and later 10.2 releases)
    When a packet with an IP address matches prefixes in Security policy rules that have overlapping wildcard masks, you can have the firewall choose the first fully matching rule in top-down order (rather than match the rule with the longest prefix in the mask). Thus, more than one rule has the potential to be enforced on different packets.
    Increase in Wildcard Address Objects
    (PAN-OS 10.2.1 and later 10.2 releases)
    The number of wildcard address objects supported per virtual system is increased to 5,000 on PA-5220, PA-5250, PA-5260, and PA-5280 firewalls.
    Advanced Routing Engine
    PAN-OS 10.2 offers an advanced routing engine that uses an industry-standard configuration methodology to reduce your learning curve. It allows the creation of profile-based filtering lists and conditional route maps, all of which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.
    If you have an existing firewall configuration that uses the legacy routing engine, the migration of that deployment to the advanced routing engine is not supported in this release. (A new firewall deployment has no configuration to migrate; therefore, such migration is not supported.)
    PAN-OS 10.2.0 and 10.2.1 don't support IPv4 multicast on the Advanced Routing Engine.
    New BGP Capabilities
    The Advanced Routing Engine provides new BGP capabilities:
    • Suppress/unsuppress map
    • BGP backdoor
    • Fast failover
    • Advanced filtering
    • Replace AS, allow AS, and no-prepend support for import rules
    • Increased character limit to 64 in the AS Path regular expression field for BGP Export rule
    • Enhanced community support
    • Ability to select Exact in conditional advertising
    • Conditional advertisements based on learned routes
    • More granular filter on the prefix match in export/import rules
    • Redistribution of multiple BGP prefix communities per import/export policy
    • Ability to select exact, shortest, and longest match for redistributed routes
    • Ability to re-order route redistribution profiles
    • Support for BGP graceful shutdown
    New OSPFv3 and OSPFv2 Capabilities
    The Advanced Routing Engine provides new OSPFv3 and OSPFv2 capabilities:
    • Granular administrative distance
    • Advanced inter-area filtering to limit what is imported to and exported from an OSPF area
    • Redistribution using a route map
    • New action on range command to substitute a route
    • Redistribute only default route from OSPF to RIP
    • MTU-ignore for OSPF interfaces
    HA Cluster Behavior Change for Modular System
    On an HA cluster standalone firewall node that is chassis based (such as a PA-5450 or PA-7000 Series firewall), if you restart a slot or power a slot on or off, the change in status does not trigger a failover; the firewall remains functional after it restarts or you power it on.

    © 2026 Palo Alto Networks, Inc. All rights reserved.