The PA-415-5G firewall supports dynamic IPv6 addressing and dual-stack networking on a cellular interface. This is especially helpful when your cellular operator provides only IPv6 services or your location requires IPv6 connectivity. The cellular interface supports dynamically obtaining an IPv6 prefix from the 5G provider network.

When you use DNS on your operating systems and web browsers, you can encrypt the DNS traffic to help maintain privacy and protect traffic from meddler (MitM) attacks. If you configure your PAN-OS firewall to act as a DNS proxy, you can enable encrypted DNS and configure the DNS proxy to accept one or more types of DNS communication from the client: DNS-over-HTTP (DoH), DNS-over-TLS (DoT), or cleartext.

To enforce encryption, you specify the type of encryption that the DNS proxy should use to communicate with DNS servers. If a DNS server rejects encrypted DNS or the DNS proxy does not receive a response from the primary or secondary server within the timeout period, you can configure the DNS proxy to fall back to unencrypted DNS communications with the server.

Additionally, you can enable encrypted DNS on the management interface of the firewall so that DNS requests use DoH, DoT, or fall back to unencrypted DNS.

Post Quantum Hybrid Key Exchange VPN extends your PAN-OS post-quantum VPN security by adding the ability to create post-quantum cryptographic (PQC) hybrid keys using the NIST round 3 and round 4 cryptographic suites. You can future proof your VPN encryption keys and safeguard against harvest now, decrypt later (HNDL) attacks by combining multiple key exchange mechanisms (KEM) with full crypto agility.

The hybrid key technology is based on RFC 9242 and RFC 9370, and allows you to add up to seven additional key exchange mechanisms (KEM). With each additional KEM added, the level of quantum resistance increases as the attacker needs all used KEMs to become vulnerable before the key can be broken. You can apply the hybrid key technology to both IKEv2's key exchange and IPSec's rekey key exchange to ensure all VPN key exchanges are quantum resistant.

To provide in-depth quantum defense, you can also enable both of its post quantum VPN technologies together. If both the RFC 8784 post quantum pre-shared key (released with PAN-OS 11.1) and this new PQ Hybrid Key feature are enabled, PAN-OS generates the hybrid key and then mixes in the static pre-shared key.

Beginning with PAN-OS 10.1 and later releases, we support Username/password and Satellite Cookie Authentication method for a satellite to authenticate to the portal. This method requires user intervention to get satellites authenticated by a portal that prevents automating the deployment of remote satellites and adds difficulty and complexity for the administrators to perform software upgrade and deploy new firewalls.

To remove the user intervention while onboarding a remote satellite and to enable automating the deployment of remote satellites, we introduce a new authentication method called "Serial number and IP address Authentication”. You can now onboard a remote satellite using the combination of serial number and IP address in addition to the username/password and satellite cookie authentication method. This authentication method reduces the complexity by enabling you to deploy new firewalls without manual intervention.

However, Username/password and Satellite Cookie Authentication remains as a default authentication method.

Before enabling the Serial number and IP address Authentication method, configure the satellite serial number at the portal as one of the authentication verification conditions.

Upon successfully configuring a satellite device allowed IP address list per portal, and configuring the satellite serial number on the GlobalProtect portal, the satellite can initiate the connection to the portal.