Changes to Default Behavior
PAN-OS 7.1 has the following changes in default behavior. You can also see CLI and XML API Changes in PAN-OS 7.1.
PAN-OS 7.1 has the following changes in default behavior for App-ID features:
When you configure a Security policy rule with the Application setting Any and the Service setting application-default, all applications are now permitted only on their standard ports as defined in Palo Alto Networks Applipedia. For example, if a Security policy rule allows any application traffic on the default application ports, the firewall will allow web-browsing traffic only on port 80 and SSH traffic only on port 22. In earlier PAN-OS release versions, the Service setting application-default was interpreted as Any when configured with the Application setting Any. You can replicate the behavior of earlier PAN-OS releases by changing rules with the Application setting Any and the Service setting application-default to include the Application setting Any and the Service setting
With all PAN-OS release versions, applications continue to be permitted only on their standard ports when the applications are explicitly defined in a rule (Application is not set to Any) and the Service setting is set to
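As an added illustration (not code from the release notes or from Palo Alto Networks), the following Python model applies both interpretations of Application Any with Service application-default to sample flows, so that rules that relied on the pre-7.1 reading can be spotted before an upgrade. The port table is a constructed sample holding only the two applications cited above, and the "tcp/<port>" service form is a simplification.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of Applipedia standard ports: only the two
# applications the release note itself cites are included.
APP_DEFAULT_PORTS = {
    "web-browsing": {80},
    "ssh": {22},
}
ANY = "any"
APPLICATION_DEFAULT = "application-default"


@dataclass(frozen=True)
class Rule:
    applications: frozenset | str  # frozenset of app names, or ANY
    service: str                   # APPLICATION_DEFAULT, ANY, or "tcp/<port>"


@dataclass(frozen=True)
class Flow:
    app: str   # application identified by App-ID
    port: int  # destination port


def rule_allows(rule: Rule, flow: Flow, panos_71: bool) -> bool:
    """Apply the note's semantics: before 7.1, Application=Any with
    Service=application-default was read as Service=Any; from 7.1 the
    same rule limits each application to its standard ports."""
    if rule.applications != ANY and flow.app not in rule.applications:
        return False
    if rule.service == ANY:
        return True
    if rule.service == APPLICATION_DEFAULT:
        if rule.applications == ANY and not panos_71:
            return True  # legacy interpretation: any port
        return flow.port in APP_DEFAULT_PORTS.get(flow.app, set())
    _proto, _, port = rule.service.partition("/")  # explicit "tcp/8080"
    return port.isdigit() and flow.port == int(port)


def newly_denied_after_upgrade(rule: Rule, flows: list[Flow]) -> list[Flow]:
    """Flows the rule allowed before 7.1 that the same rule denies on 7.1."""
    return [f for f in flows if rule_allows(rule, f, False)
            and not rule_allows(rule, f, True)]
```

Running `newly_denied_after_upgrade` over a flow export against each legacy rule shows exactly which non-standard-port traffic the upgrade starts blocking.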
(PAN-OS 7.1.11 and later releases) You must now select at least one Category when creating or modifying an application filter. This optimizes firewall performance when filtering applications, as the firewall includes only the categories that are relevant to you.
PAN-OS 7.1 has the following change in default behavior for authentication features:
Hardware security modules
(PAN-OS 7.1.10 and later releases) To downgrade to a release earlier than PAN-OS 7.1.10, you must ensure that the master key is stored locally on Panorama or on the firewall, not on a hardware security module (HSM).
PAN-OS 7.1 has the following changes in default behavior for Decryption features:
PAN-OS 7.1 has the following changes in default behavior for GlobalProtect features:
PAN-OS 7.1 has the following change in default behavior for management features:
Logs and reports
M-Series appliances and PA-7000 Series firewalls now generate System logs with a severity level set to critical instead of medium for the disk-failed, disk-faulty, and pair-disappeared RAID events.
PAN-OS 7.1 has the following changes in default behavior for networking features:
First packet broadcasting
(PAN-OS 7.1.16 and later 7.0 releases) The option to broadcast the first packet for a session to all the dataplanes on a firewall is now disabled by default on PA-5000 Series firewalls: the first packet goes only to the first dataplane (DP0). Enabling first packet broadcasting improves firewall performance during session setup. However, the dataplanes become unstable when you enable both first packet broadcasting and jumbo frames. To enable or disable first packet broadcasting, use the set session broadcast-first-packet [no | yes] CLI command.
Floating IP addresses
(PAN-OS 7.1.4 and later releases) PA-5000 Series firewalls have an increased number of allowed virtual floating IP addresses in active/active configurations. With this change, the available floating IP addresses for each firewall model are as follows:
The BGP peer connection settings include Multi Hop, which is the TTL value in the IP header. The default value of 0 means 2 for eBGP prior to PAN-OS 7.1.9; it means 1 beginning with PAN-OS 7.1.9.
URL Filtering Changes
PAN-OS 7.1 has the following changes in default behavior for URL Filtering features:
External Dynamic Lists
In PAN-OS 7.0 and earlier versions, each firewall supported a maximum of 10 Dynamic Block Lists (of type IP address only) and each list could contain the maximum number of IP addresses supported by your firewall model minus 300; 300 IP addresses were reserved for internal use on the firewall and were deducted from the available limit.
In PAN-OS 7.1, Dynamic Block Lists are called External Dynamic Lists. External Dynamic Lists can be of three types: IP address, Domain, or URL. On any firewall model, you can configure a maximum of 30 unique sources for external dynamic lists. While the firewall does not impose a limit on the number of lists of a specific type, the following limits are enforced:
In PAN-OS 7.1, the maximum number of custom categories supported per virtual system has increased from 50 to 500. The maximum number of shared custom categories on a firewall has increased from 50 to 100. All other limits are the same as in earlier PAN-OS versions. The maximum number of custom categories, across the shared location and all virtual systems enabled on the firewall, stays at 2,900.
PAN-OS 7.1 has the following change in default behavior for User-ID features:
When performing client probing using Windows Management Instrumentation (WMI), the User-ID agent now excludes public IPv4 addresses by default (those public IP addresses outside the scope of RFC 1918 and RFC 3927). To enable WMI probing of public IPv4 addresses, you must add their subnetworks to the Include List of the User-ID agent.
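An added example, not part of the release notes: a Python check that classifies workstation addresses against the RFC 1918 and RFC 3927 ranges the 7.1 agent still probes by default, and collapses the public ones into subnets to review as Include List entries. The host list is constructed sample data and the /24 grouping is an assumption about how an administrator would want the results summarized.

```python
import ipaddress

# The ranges the PAN-OS 7.1 User-ID agent still probes with no Include List:
# RFC 1918 private space and RFC 3927 link-local space.
DEFAULT_PROBE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample: a mix of private, link-local, documentation-range
# (public) IPv4 addresses, an IPv6 address and a malformed entry.
SAMPLE_HOSTS = ["10.1.2.3", "192.168.5.9", "169.254.10.4", "203.0.113.7",
                "203.0.113.200", "198.51.100.4", "fe80::1", "not-an-ip"]


def probed_by_default(host: str) -> bool:
    """True if a 7.1 agent would WMI-probe this address with no Include List
    entry. Non-IPv4 input returns False: the change concerns IPv4 only."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in DEFAULT_PROBE_RANGES)


def public_ipv4_hosts(hosts: list[str]) -> list[str]:
    """Valid IPv4 addresses outside the default ranges: these stop being probed
    after the upgrade unless their subnets are added to the Include List."""
    out = []
    for h in hosts:
        try:
            addr = ipaddress.ip_address(h)
        except ValueError:
            continue  # not an IP address at all; ignore it
        if addr.version == 4 and not probed_by_default(h):
            out.append(h)
    return out


def candidate_include_subnets(hosts: list[str], prefix: int = 24) -> list[str]:
    """Collapse the skipped hosts into /prefix subnets for Include List review."""
    nets = {ipaddress.ip_network(f"{h}/{prefix}", strict=False)
            for h in public_ipv4_hosts(hosts)}
    return [str(n) for n in sorted(nets)]
```

Feed it the address list from DHCP or AD computer objects to see which user subnets would silently lose probing coverage after the upgrade.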
PAN-OS 7.1 has the following changes in default behavior for virtualization features:
(PAN-OS 7.1.7 and later releases) To deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.
(PAN-OS 7.1.6 and later releases) All newly deployed instances of the BYOL and usage-based models of the VM-Series firewall (Bundle 1 and Bundle 2) available through the AWS Marketplace support the longer AWS instance ID format. These firewalls will have a longer serial number and a new CPU ID format.
VMware Service Manager
The VMware Service Manager configuration, which is required for deploying the VMware NSX edition firewall, changes in the following ways on upgrade:
PAN-OS 7.1 has the following change in default behavior for WildFire features:
Mac OS X file analysis
Palo Alto Networks firewalls running PAN-OS 7.1 with content release version 582 or later that are configured to forward Any file type for WildFire analysis will automatically begin forwarding Mac OS X files. For details about Mac OS X file analysis and how to define the file types the firewall forwards for WildFire analysis, see Mac OS X File Analysis.