Management Features
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Management Features
What new management features are in PAN-OS 11.1?
API Key Certificate
November 2023
|
With PAN-OS and Panorama, the option to encrypt the API key using a self-signed
certificate is now available, ensuring enhanced security when you retrieve your API
key. This feature utilizes the PAN-OS device certificate management function to
encrypt the API key for added protection.
See use cases for Keys and Certificates on PAN-OS for more
information on how to manage certificates using PAN-OS and Panorama.
This feature introduces a new field under DeviceSetupManagementAuthentication settings that enables you to select an API Key
Certificate to encrypt your API key. To use this feature, simply
generate an RSA Certificate above 3,027 bits and select the created certificate as
the API key certificate under the Authentication Settings
option.
The existing workflow to generate the API key will still be the same, but now all
existing API keys will be invalid when you add or change an API key certificate.
Configuration Audit Enhancements
November 2023
|
You can perform a configuration audit to see the
configuration changes made between two selected configuration versions. This allows
your administrators to assess and document impact of configuration changes, trace
back changes in case of an outage, and perform regular audits in order to adhere to
security compliance standards. Enhancements to configuration audits now allow you to
not only view the entire XML differences between the two selected config versions,
but also provides you per-object granular view of the change data.
The XML Diff displays the XML file differences between any two
selected config versions. The Change Summary provides a
granular details about each of the configuration objects that added, deleted, or
modified between the older selected config version and the newest selected config
version. The type granular details are:
- Object Name—Name of impacted configuration object.
- Object Type—Type of configuration object impacted.
- Modified Time—Date and time configuration object change occurred.
- Location—Device group, template, or template stack where the configuration change occurred.
- Location Type—The configuration container type where the change occurred.
- Modified By—Administrator that modified the configuration object.
- Operation—The type of operation performed on the configuration object.
Policy Rulebase Management Using Tags
November 2023
|
Tags allow you to identify the purpose or function of a policy rule and help you
better organize your policy rulebase. After you apply tags to the policy rules in
your policy rulebase, you can use the Tag Browser to visually group and manage
your policy rulebase based on the tags you assigned to your policy rules. When
viewing your policy rulebase using tags, you can perform operational procedures such
as adding, deleting, or moving policy rules with the applied tagging more easily.
Additionally, you can filter your policy rulebase using tags to apply one or more
tag search filters to the policy rulebase to narrow down the list of policy rules
displayed. Viewing your policy rulebase using tags maintains the rule evaluation
order.
Policy rulebase management using tags is supported for across all policy rulebases.
For firewalls managed by a Panorama management server, you can create and assign
tags to policy rules from Panorama. Both Panorama, managed firewalls, and standalone
firewalls running PAN-OS 10.2.5 or later 10.2 or PAN-OS 11.0.3 or later release
support policy rulebase base management using tags.
Secure Copy Protocol Support
November 2023
|
In air-gapped deployments where your devices have no outbound internet connection,
you can enable Secure Copy Protocol (SCP) to
upload supported file types to an air-gapped device. To perform an SCP upload, you
must enable SCP upload functionality for each specific Superuser administrator you
want to allow to perform an SCP upload, and isn't a global device configuration.
Once SCP uploads are enabled for a Superuser admin, you can use this admin to write
scripts and automation for supported file uploads directly to your air-gapped device
using the CLI rather than the web interface.
SCP upload are supported from devices running a Microsoft Windows, macOS, or any
Linux operating system. SCP upload must be performed from your device command line.
SCP applications like WinSCP and FileZilla are not supported. A system log is
generated when you successfully SCP a file to your device or if an SCP upload fails
for any reason.
You can SCP the following files to your device:
- PAN-OS Software Versions—/scp/software/
- PAN-OS Software Patches—/scp/patch/
- Application & Threats Content Updates—/scp/content/
- WildFire Content Updates—/scp/wildfire/
- Antivirus Content Updates—/scp/anti-virus/
- PAN-OS Plugin Versions—/scp/plugin/
- XML Configuration Files—/scp/config/
- License Key Files—/scp/license/
Strata Command Center
March 2024
|
The Strata Cloud Manager Command
Center is your new NetSec homepage; it is your first stop to assess
the health, security, and efficiency of your network. In a single view, the command
center shows you all users and IoT devices accessing the internet, SaaS
applications, and private apps, and how Prisma Access, your NGFWs, and your security
services are protecting them.
The command center provides you with four different views, each with its
own tracked data, metrics, and actionable insights to examine and interact with:
- Summary: A high-level look at all your network and security infrastructure. Monitor the traffic between your sources (users, IoT) and applications (private, SaaS), and see metrics onboarded security subscriptions.
- Threats: Dig deeper into anomalies on your network and block threats that are impacting your users. Review the traffic inspected on your network and see how threats are being detected and blocked around the clock by your Cloud-Delivered Security subscriptions.
- Operational Health: Review incidents of degraded user experience on your network and see root-cause analysis of the issues and remediation recommendations.
- Data Security: Find high-risk sensitive data and update data profiles to further secure your network. Review the sensitive data flow across your network and SaaS applications.
When the command center surfaces an issue through one of these views that
you should address or investigate (an anomaly, a security gap, a degraded user
experience, something that impacts the security and health of your network), it
provides a path to where you can take actions to further secure your network.
For example, if you are looking at the Threats view and would like more information
about Command and Control threats on your network, you can click C2 in the Blocked
and Alerted Threats table and jump to Activity Insights, where you can drill
down and investigate details about all the Command and Control threats, such as the
threat name, severity, and change the action from Alert to Drop.
View Preferred and Base Releases of PAN-OS Software
May 2024
|
The Panorama web interface now displays the preferred releases and the
corresponding base releases of PAN-OS software. Before you upgrade or downgrade
Panorama or PAN-OS, you can view the list of preferred and base releases and choose
your preferred target PAN-OS release. Preferred releases offer the latest and the
most advanced features and ensure stability and performance. When there are no
preferred releases available, the corresponding base version is not displayed. If
necessary, you can choose to view either preferred releases or base releases.