PAN-OS 7.1 has the following changes in default behavior.
App-ID Changes
PAN-OS 7.1 has the following change in default behavior for App-ID features:
Feature: Application defaults
Change: When you configure a Security policy rule with the Application setting Any and the Service setting application-default, all applications are now permitted only on their standard ports as defined in Palo Alto Networks Applipedia. For example, if a Security policy rule allows any application traffic on the default application ports, the firewall allows web-browsing traffic only on port 80 and SSH traffic only on port 22. In earlier PAN-OS releases, the Service setting application-default was interpreted as Any when combined with the Application setting Any. To replicate the behavior of earlier PAN-OS releases, change rules that have the Application setting Any and the Service setting application-default so that they use the Application setting Any and the Service setting Any. In all PAN-OS releases, applications continue to be permitted only on their standard ports when the applications are explicitly defined in a rule (Application is not set to Any) and the Service setting is application-default.

Feature: Application filters (PAN-OS 7.1.11 and later releases)
Change: You must now select at least one Category when creating or modifying an application filter (Objects > Application Filters). This optimizes firewall performance when filtering applications, because the firewall includes only the categories that are relevant to you.
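Before upgrading, it helps to know which rules the application-default change will narrow. The script below is an added example, not Palo Alto Networks code: it parses a constructed fragment in the layout of a PAN-OS running configuration (the rulebase path and the any / application-default member values are the firewall's own; the rule names are made up) and lists every rule whose match changes on upgrade to 7.1.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS security rulebase in the running-config
# layout; the rule names and contents are invented for this example.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="allow-outbound-any">
    <application><member>any</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-web">
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
  </entry>
  <entry name="allow-any-any">
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="deny-any-app-default">
    <application><member>any</member></application>
    <service><member>application-default</member></service>
    <action>deny</action>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def _members(rule, tag):
    """Collect the <member> values under a rule child such as <application>."""
    return {m.text.strip() for m in rule.findall(f"./{tag}/member") if m.text}


def rules_affected_by_app_default_change(config_xml):
    """Return (rule name, action) for every rule with Application=any and
    Service=application-default. Before 7.1 such a rule matched any port;
    from 7.1 it matches only each application's standard ports, so an allow
    rule permits less and a deny rule lets nonstandard-port traffic fall
    through to later rules. Both kinds deserve review before the upgrade."""
    root = ET.fromstring(config_xml)
    affected = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if (_members(rule, "application") == {"any"}
                and _members(rule, "service") == {"application-default"}):
            affected.append((rule.get("name"), rule.findtext("action", "allow")))
    return affected


if __name__ == "__main__":
    for name, action in rules_affected_by_app_default_change(SAMPLE_CONFIG):
        print(f"review rule {name!r} ({action}): Service=any keeps the pre-7.1 match")
```

Run it against a real exported configuration by reading the XML into `config_xml`; rules that are explicitly application-scoped (like allow-web) or already Service=any are unaffected and are not reported.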
Authentication Changes
PAN-OS 7.1 has the following change in default behavior for authentication features:
Feature: Hardware security modules (PAN-OS 7.1.10 and later releases)
Change: To downgrade to a release earlier than PAN-OS 7.1.10, you must ensure that the master key is stored locally on Panorama or on the firewall, not on a hardware security module (HSM).
Decryption Changes
PAN-OS 7.1 has the following changes in default behavior for Decryption features:
Feature: Decryption profiles
Change:
- (PAN-OS 7.1.10 and later releases) The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.
- (PAN-OS 7.1.6 and later releases) The maximum size of a server certificate chain for SSL traffic is now restricted to approximately 24KB. The Decryption profile does not exclude certificate chains larger than 24KB; instead, the firewall discards sessions that use a certificate chain larger than 24KB. In releases earlier than PAN-OS 7.1.6, server certificate chains that exceed 16KB fail decryption and the Decryption profile excludes them as unsupported.
GlobalProtect Changes
PAN-OS 7.1 has the following changes in default behavior for GlobalProtect features:
Feature: GlobalProtect portal agent
Change:
- The Allow user to save password option, which was available in a GlobalProtect portal agent configuration in PAN-OS 7.0, is deprecated and superseded by the Save User Credentials setting in PAN-OS 7.1. After you upgrade the firewall or Panorama to PAN-OS 7.1, the old setting is discarded. Because the default behavior (GlobalProtect is allowed to save user credentials) is the same for both options, no additional configuration is required to retain it. However, to enforce behavior other than the default, for example to prevent GlobalProtect from saving credentials altogether or from saving the password only, you must manually configure the Save User Credentials option after upgrading to PAN-OS 7.1.
- The Authentication Modifier option, which was available in a GlobalProtect portal agent configuration in PAN-OS 7.0, is deprecated and replaced by the Authentication Override options in PAN-OS 7.1. After you upgrade the firewall or Panorama to PAN-OS 7.1, any authentication modifier settings are discarded. Because the new Authentication Override options are disabled by default, you must manually configure them in PAN-OS 7.1 if you want GlobalProtect portals and gateways to accept secure encrypted cookies.
Management Changes
PAN-OS 7.1 has the following changes in default behavior for management features:
Feature: Logs and reports
Change: M-Series appliances and PA-7000 Series firewalls now generate System logs with a severity level of critical instead of medium for the disk-failed, disk-faulty, and pair-disappeared RAID events.
Networking Changes
PAN-OS 7.1 has the following changes in default behavior for networking features:
Feature: First packet broadcasting (PAN-OS 7.1.16 and later 7.0 releases)
Change: The option to broadcast the first packet of a session to all the dataplanes on a firewall is now disabled by default on PA-5000 Series firewalls: the first packet goes only to the first dataplane (DP0). Enabling first packet broadcasting improves firewall performance during session setup; however, the dataplanes become unstable when you enable both first packet broadcasting and jumbo frames. To enable or disable first packet broadcasting, use the set session broadcast-first-packet [no | yes] CLI command.

Feature: VLAN tags
Change: In Layer 2 deployments, by default, the firewall rewrites the inbound VLAN tag in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU) to the correct outbound VLAN tag before forwarding the BPDU. In PAN-OS 7.0 and earlier releases, the firewall flooded the packets to the VLANs in the VLAN group without rewriting the tag, which disrupted Cisco PVST+. The firewall also changes how it handles the Priority Code Point (PCP) value in the VLAN tag field when forwarding a frame between different VLANs:
- (PAN-OS 7.1.5 and later releases) A new CLI command (set session pass-through-1q-pcp <yes|no>) lets you configure how the firewall handles the PCP value. By default, the firewall unsets the PCP value when forwarding between VLANs; use this command if you need to preserve the PCP value in the VLAN tag field.
- (PAN-OS 7.1.3 and 7.1.4 only) The firewall preserves the PCP value in the VLAN tag field by default when forwarding the frame.

Feature: Floating IP addresses (PAN-OS 7.1.4 and later releases)
Change: PA-5000 Series firewalls support an increased number of virtual floating IP addresses in active/active configurations. With this change, the available floating IP addresses for each firewall model are as follows:
- PA-5020: 1024 floating IP addresses
- PA-5050: 2048 floating IP addresses
- PA-5060: 2048 floating IP addresses

Feature: BGP
Change: The BGP peer connection settings include Multi Hop, which is the TTL value in the IP header. For eBGP, the default value of 0 means a TTL of 2 prior to PAN-OS 7.1.9 and a TTL of 1 beginning with PAN-OS 7.1.9.
URL Filtering Changes
PAN-OS 7.1 has the following changes in default behavior for URL Filtering features:
Feature: External Dynamic Lists
Change: In PAN-OS 7.0 and earlier versions, each firewall supported a maximum of 10 Dynamic Block Lists (of type IP address only), and each list could contain the maximum number of IP addresses supported by your firewall model minus 300; those 300 IP addresses were reserved for internal use on the firewall and were deducted from the available limit. In PAN-OS 7.1, Dynamic Block Lists are called External Dynamic Lists and can be of three types: IP address, Domain, or URL. On any firewall model, you can configure a maximum of 30 unique sources for external dynamic lists. The firewall does not limit the number of lists of a specific type, but it enforces the following limits:
- IP address: PA-5000 Series and PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limit is enforced on the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message.
- URL and domain: A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limit enforced on the number of entries per list.

Feature: URL categories
Change: In PAN-OS 7.1, the maximum number of custom categories supported per virtual system has increased from 50 to 500, and the maximum number of shared custom categories on a firewall has increased from 50 to 100. All other limits are the same as in earlier PAN-OS versions: the maximum number of custom categories across the shared location and all virtual systems enabled on the firewall stays at 2,900.
User-ID Changes
PAN-OS 7.1 has the following change in default behavior for User-ID features:
Feature: Client probing
Change: When performing client probing using Windows Management Instrumentation (WMI), the User-ID agent now excludes public IPv4 addresses by default (public IP addresses are those outside the scope of RFC 1918 and RFC 3927). To enable WMI probing of public IPv4 addresses, you must add their subnetworks to the Include List of the User-ID agent.
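To see which learned addresses the agent will still probe after the upgrade, the following added example (not Palo Alto Networks code) classifies IPv4 addresses under the 7.1 default and applies a constructed Include List. It assumes the simplified reading of the text above: the RFC 1918 and RFC 3927 ranges are probed by default, and an Include List entry additionally enables probing for the public subnet it names.

```python
import ipaddress

# Ranges the User-ID agent still probes by default: RFC 1918 private space
# and the RFC 3927 link-local range. Any other IPv4 address is public here.
DEFAULT_PROBE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def wmi_probe_scope(addresses, include_list=()):
    """Map each IPv4 address to 'probe' or 'skip' under the PAN-OS 7.1 default.

    include_list holds the agent's Include List subnets as CIDR strings
    (an assumption of this example); a public address is probed only when
    one of those subnets covers it. Only IPv4 is modelled, as on the page.
    """
    included = [ipaddress.ip_network(n) for n in include_list]
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version != 4:
            raise ValueError(f"{addr}: only IPv4 client probing is covered here")
        in_default = any(ip in net for net in DEFAULT_PROBE_RANGES)
        in_include = any(ip in net for net in included)
        result[addr] = "probe" if (in_default or in_include) else "skip"
    return result


if __name__ == "__main__":
    # Constructed sample addresses; 203.0.113.0/24 is documentation space.
    sample = ["10.1.2.3", "172.31.255.1", "172.32.0.1", "169.254.10.10", "203.0.113.5"]
    for addr, verdict in wmi_probe_scope(sample, include_list=["203.0.113.0/24"]).items():
        print(f"{addr:<16} {verdict}")
```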
Virtualization Changes
PAN-OS 7.1 has the following changes in default behavior for virtualization features:
Feature: VM-Series license (PAN-OS 7.1.7 and later releases)
Change: To deactivate a VM-Series license, you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.

Feature: AWS Marketplace (PAN-OS 7.1.6 and later releases)
Change: All newly deployed instances of the BYOL and usage-based models of the VM-Series firewall (Bundle 1 and Bundle 2) available through the AWS Marketplace support the longer AWS instance ID format. These firewalls have a longer serial number and a new CPU ID format.

Feature: VMware Service Manager
Change: The VMware Service Manager configuration, which is required for deploying the VMware NSX edition firewall, changes in the following ways on upgrade:
- The VMware Service Manager configuration on Panorama is separated from the Service Definition.
- A new VMware Service Definition called Palo Alto Networks NGFW is created. This service definition includes the template, device group, link to the OVA for the PAN-OS version, and auth codes that you had configured on the VMware Service Manager in the earlier version. Because a template was optional in earlier versions, the template name you defined is used if you had created one; otherwise a default template called NSX_TPL is created for you.
- A zone called Palo Alto Networks profile 1 is auto-generated within the template, and the zone is enabled as the Service profile zone for NSX. On a Template and Device Group Commit, the VM-Series firewalls generate a pair of virtual wire subinterfaces (ethernet 1/1.2 and ethernet 1/2.2) and bind the pair to this zone.
WildFire Changes
PAN-OS 7.1 has the following change in default behavior for WildFire features:
Feature: Mac OS X file analysis
Change: Palo Alto Networks firewalls running PAN-OS 7.1 with content release version 582 or later that are configured to forward Any file type for WildFire analysis automatically begin forwarding Mac OS X files. For details about Mac OS X file analysis and how to define the file types the firewall forwards for WildFire analysis, see Mac OS X File Analysis.