Changes to Default Behavior in PAN-OS 11.1
What default behavior changes impact PAN-OS 11.1?
The following table details the changes in default behavior upon upgrade to PAN-OS®
11.1. You may also want to review the Upgrade/Downgrade Considerations before upgrading
to this release.
| Feature | Change |
|---|---|
| Authentication Override | This change in behavior applies only if you have set the Authentication Override Cookie Lifetime value higher than the Tunnel Login Lifetime. On PAN-OS 11.1.x versions, the Authentication Override Cookie Lifetime cannot exceed the Tunnel Login Lifetime value. Even if you set the authentication override cookie lifetime higher, the cookie remains valid only for the duration of the tunnel login lifetime. This change strengthens the security of the authentication override cookie by preventing its use after the tunnel login lifetime expires. |
| Log Collectors | Ports 9300, 9301, and 9302 are now used for communication among Log Collectors in a Collector Group for log distribution and must be opened on your network. |
| High Speed Log Forwarding on a PA-7500 firewall | When High Speed Log Forwarding is enabled on a PA-7500, only Management Plane logs are affected. To view and store Data Plane logs, you must configure log forwarding and enable demo mode. |
| Collector Groups | The minimum number of Log Collectors required for a Collector Group to be operational is n/2+1, where n is the total number of Log Collectors in the Collector Group. For example, a Collector Group with six Log Collectors requires a minimum of four Log Collectors to be operational. If the Collector Group has an odd number of Log Collectors, round the result down: with three Log Collectors, at least two are required for the Collector Group to remain operational. Two Log Collectors in a Collector Group are supported, but the Collector Group becomes non-operational if one Log Collector goes down. |
| GlobalProtect - Use Default Browser for SAML Authentication | When you upgrade the PAN-OS version from 11.0.x to 11.1.0 and the Use Default Browser for SAML Authentication option is set to No in the app settings, the Use Default Browser option is not added and is not displayed on the Client Authentication screen. If you downgrade the PAN-OS version from 11.1.0 to an earlier version, the Use Default Browser configuration that you have configured in the Client Authentication setting of the portal is removed. |
| Authentication for explicit proxy | When you upgrade to PAN-OS 11.1, the firewall evaluates the authentication policy for every explicit proxy traffic policy match. |
| Authentication sequence | In PAN-OS 11.1 and previous versions, when you select the Exit the sequence on failed authentication option, the firewall ends the authentication sequence when an authentication profile successfully authenticates the user or the firewall has unsuccessfully attempted authentication with all authentication profiles. In PAN-OS 11.1.1, when you select the Exit the sequence on failed authentication option, the authentication sequence ends as soon as an authentication profile either authenticates successfully or fails the authentication. |
| Panorama Management of Multi-Vsys Firewalls (upgrade from PAN-OS 10.1 to PAN-OS 11.1 using Skip Software Version Upgrade only) | For multi-vsys firewalls managed by Panorama, configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than being duplicated into each virtual system; this reduces the operational burden of scaling configurations for multi-vsys firewalls. As a result, you must delete or rename any locally configured firewall Shared object that has an identical name to an object in the Panorama Shared configuration. Otherwise, configuration pushes from Panorama fail after the upgrade and display the error `<object-name> is already in use`. The following configurations cannot be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall. Palo Alto Networks recommends that if a multi-vsys firewall is managed by Panorama, all vsys configurations should be managed by Panorama. This helps avoid commit failures on the managed multi-vsys firewall and allows you to take advantage of optimized shared object pushes from Panorama. |
| Automatic OpenConfig Installation | The 2.0.2 version of the OpenConfig plugin is automatically installed to enable on-demand telemetry streaming. When telemetry is enabled on the device, OpenConfig establishes a connection to AIOps for NGFW. Upon successful plugin initialization, the `__openconfig` user becomes visible in administrative sessions, and all telemetry traffic is routed through the OpenConfig plugin. |
| Automated Commit Recovery (PAN-OS 11.1.6 and later releases) | The automated commit recovery feature default iteration and timeout values have changed. The default iteration value has changed from 1 to 5 seconds, and the timeout value has changed from 10 to 30 seconds. |
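The Panorama multi-vsys row above says a push fails after the upgrade whenever a locally configured firewall Shared object shares its name with an object in the Panorama Shared configuration. The following pre-upgrade check is an added example, not Palo Alto Networks code: it compares two configuration exports and lists the colliding names so they can be renamed or deleted before the upgrade. It assumes both exports are XML in which shared objects sit under `/config/shared/<type>/entry[@name]`, and the two configuration snippets and the list of object types are constructed for this example.

```python
"""Pre-upgrade check: find locally configured firewall Shared objects whose
names collide with objects in the Panorama Shared configuration.

Added example, not Palo Alto Networks code. It assumes both inputs are
PAN-OS / Panorama XML configuration exports in which shared objects live
under /config/shared/<type>/entry[@name]. The sample configurations below
are constructed so the script runs offline."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Object types compared under the Shared location. Constructed list for this
# example; extend it to cover every object type your configuration uses.
OBJECT_TYPES = ("address", "address-group", "service", "service-group", "tag")

# Constructed sample: the firewall's own (local) Shared objects.
FIREWALL_XML = """<config>
  <shared>
    <address>
      <entry name="corp-dns"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
      <entry name="local-only"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
    </address>
    <service>
      <entry name="svc-web"><protocol><tcp><port>8080</port></tcp></protocol></entry>
    </service>
  </shared>
</config>"""

# Constructed sample: the Panorama Shared configuration that will be pushed.
PANORAMA_XML = """<config>
  <shared>
    <address>
      <entry name="corp-dns"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
    </address>
    <service>
      <entry name="svc-web"><protocol><tcp><port>443</port></tcp></protocol></entry>
      <entry name="svc-ssh"><protocol><tcp><port>22</port></tcp></protocol></entry>
    </service>
  </shared>
</config>"""


def shared_object_names(config_xml: str) -> Dict[str, Set[str]]:
    """Map each object type to the set of entry names found under /config/shared."""
    root = ET.fromstring(config_xml)
    names: Dict[str, Set[str]] = {}
    for obj_type in OBJECT_TYPES:
        entries = root.findall(f"./shared/{obj_type}/entry")
        names[obj_type] = {e.get("name") for e in entries if e.get("name")}
    return names


def find_collisions(firewall_xml: str, panorama_xml: str) -> List[Tuple[str, str]]:
    """Return (object_type, name) pairs that exist in both Shared locations.

    Every pair returned is an object you must delete or rename on the firewall
    before the upgrade; otherwise the Panorama push fails with the error
    '<object-name> is already in use'."""
    local = shared_object_names(firewall_xml)
    central = shared_object_names(panorama_xml)
    collisions: List[Tuple[str, str]] = []
    for obj_type in OBJECT_TYPES:
        for name in sorted(local[obj_type] & central[obj_type]):
            collisions.append((obj_type, name))
    return collisions


def report(firewall_xml: str, panorama_xml: str) -> str:
    """Human-readable summary of the collisions, one line per object."""
    collisions = find_collisions(firewall_xml, panorama_xml)
    if not collisions:
        return "OK: no local Shared object name collides with Panorama Shared."
    lines = [f"{len(collisions)} collision(s) to resolve before upgrading:"]
    lines += [f"  {obj_type}: {name}" for obj_type, name in collisions]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FIREWALL_XML, PANORAMA_XML))
```

Run it against a `show config running` export from the firewall and the candidate or running configuration exported from Panorama; note that a name collision is reported even when the two objects have identical contents, because the push fails on the name alone.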