Document:PAN-OS® New Features Guide
Perfect Forward Secrecy (PFS) Support
Last Updated:
Mon Jul 06 14:59:42 PDT 2020
Current Version:
7.1 (EoL)
The firewall now supports Perfect Forward Secrecy (PFS) for SSL Forward Proxy decrypted sessions. PFS is a key-exchange property that prevents the compromise of one encrypted session from leading to the compromise of other encrypted sessions. With PFS, the server generates a unique, ephemeral private key for each secure session it establishes with a client. If one such session key is compromised, only the single session established with that key is exposed; an attacker cannot recover data from past or future sessions, because each connection is established with its own freshly generated key.
In releases prior to PAN-OS 7.1, the firewall did not decrypt SSL sessions established using PFS key exchange algorithms. Depending on your security policy, the firewall either blocked these SSL sessions without decrypting them or decrypted the SSL sessions without maintaining PFS. Now, for SSL sessions established with PFS key exchange algorithms, the firewall both decrypts the SSL session and preserves PFS protection for both past and future sessions.
Decryption support for ephemeral Diffie-Hellman (DHE)-based PFS and elliptic curve Diffie-Hellman (ECDHE)-based PFS is enabled by default when you upgrade a firewall to PAN-OS 7.1 for sessions decrypted with the SSL Forward Proxy decryption method. You can disable support for these PFS key exchange algorithms by modifying the firewall decryption profile you apply to SSL Forward Proxy decrypted traffic.
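The distinction the decryption behavior above turns on is whether the negotiated cipher suite uses an ephemeral (DHE or ECDHE) key exchange. The following is an added example, not code from the PAN-OS guide or from Palo Alto Networks: a small Python parser that reads a TLS 1.2 ServerHello record, extracts the negotiated cipher suite, and reports whether it provides PFS. The cipher-suite table is a subset of the IANA TLS registry, and the ServerHello bytes are constructed test input.

```python
"""Classify the key exchange of a TLS 1.2 ServerHello as PFS or not (added example)."""
import struct

# Subset of the IANA TLS cipher suite registry (TLS 1.2 suites only).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def is_pfs(suite_name):
    # DHE and ECDHE key exchanges use per-session ephemeral keys (PFS);
    # static RSA key transport does not. Unknown suites are treated as non-PFS.
    key_exchange = suite_name.split("_WITH_")[0]
    return "DHE" in key_exchange  # matches both DHE_ and ECDHE_

def parse_server_hello(record):
    """Return (protocol_version, cipher_suite_id) from a handshake record."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    version = struct.unpack("!H", hello[:2])[0]      # 2 bytes version
    session_id_len = hello[34]                        # after 32-byte random
    offset = 35 + session_id_len
    suite = struct.unpack("!H", hello[offset:offset + 2])[0]
    return version, suite

def classify(record):
    """Return (suite_name, pfs_flag) for the ServerHello in `record`."""
    _version, suite = parse_server_hello(record)
    name = CIPHER_SUITES.get(suite, "UNKNOWN_0x%04X" % suite)
    return name, is_pfs(name)

def build_server_hello(suite):
    """Constructed minimal TLS 1.2 ServerHello record for testing."""
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for suite in (0xC02F, 0x009E, 0x009C):
        print("%-45s PFS=%s" % classify(build_server_hello(suite)))
```

A forward proxy that must preserve PFS has to act at exactly this point in the handshake, before any key material is derived.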