CLI and XML API Changes in PAN-OS 7.1
PAN-OS 7.1 has the following CLI changes, which also affect corresponding PAN-OS XML API requests. You can use the CLI in debug mode to view the corresponding XML API syntax for CLI commands. For changes that are specific to the XML API, see XML API Changes in PAN-OS 7.1.
App-ID CLI Changes
PAN-OS 7.1 has the following CLI changes for App-ID features:
With the role-based access control enhancements, on firewalls enabled for multiple virtual systems, you must specify the target virtual system before you can view or set application status. The following commands have changed:
GlobalProtect CLI Changes
PAN-OS 7.1 has the following CLI changes for GlobalProtect features:
With the introduction of two-factor authentication in GlobalProtect, a number of API requests have been changed. Use the CLI with the debug cli on command to see changes in the corresponding XML requests. Affected commands are within the following command hierarchy:
Management CLI Changes
PAN-OS 7.1 has the following CLI changes for management features:
(PAN-OS 7.1.7 and later releases) New commands enable you to manage API keys. These keys are required when performing secure credential operations, including VM-Series license deactivation. Refer to VM-Series License Deactivation API Key. Use the following commands to manage API keys:
(PAN-OS 7.1.5 and later releases) New commands enable you to restart firewall processes (bfd, cryptod, dhcpd, ikemgr, keymgr, and pppoed) that previously required root access to restart:
(PAN-OS 7.1.3 and later releases) New commands enable you to check for application and threat content updates hourly and to verify the configuration:
The maintenance mode menu for selecting the mode of operation changed:
When you change from FIPS mode to CCEAL4 mode, you lose all configuration settings, so it is important to back up your configuration first and re-import it after you change modes (and before you upgrade). For information on changing to FIPS-CC mode, refer to Certifications.
Hardware-based and software-based decompression is supported on all Palo Alto Networks products (excluding VM-Series firewalls). Starting in PAN-OS 7.1, a hybrid mode (enabled by default) allows firewalls to dynamically switch from hardware-based decompression to software-based decompression when the hardware decompression engine is under a heavy load and then switch back when the load decreases. Prior to PAN-OS 7.1, you could manually switch between decompression modes but you could choose only one mode at a time: hardware (default) or software.
You can modify this new setting (zip mode auto) so that the firewall performs only hardware-based decompression or software-based decompression as needed.
Use the show system setting zip command output to monitor the number of times that the firewall switches from hardware-based decompression to software-based decompression:
The following command now shows asterisks (*) instead of zeros (0) when a corresponding CPU core load percentage is not currently being measured or cannot be measured:
An asterisk may indicate potential issues, such as a malfunction that causes packet processing to pause. When issues like this occur, the response repeatedly shows an asterisk instead of a number. It is normal for core 0 to always show an asterisk.
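The asterisk semantics above lend themselves to a simple monitoring check: a core that reports an asterisk in every sample, other than core 0, is worth investigating. The following Python is an added example, not part of the original page or of any Palo Alto Networks tool; the column layout it parses is a constructed approximation of a per-core load table, and the function names are hypothetical.

```python
from typing import Dict, List, Optional

def parse_core_loads(output: str) -> List[Dict[int, Optional[int]]]:
    """Parse a per-core CPU load table into one dict per sample.

    A '*' cell (load not currently measured or not measurable) becomes None.
    Layout assumed here (constructed, not the firewall's exact formatting):
    a header row beginning with 'core' that lists core ids, followed by one
    row of load values per sample.
    """
    cores: Optional[List[int]] = None
    samples: List[Dict[int, Optional[int]]] = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "core":
            cores = [int(c) for c in fields[1:]]
            continue
        if cores is None or len(fields) != len(cores):
            continue  # text before the header, or a malformed row
        samples.append(
            {core: (None if value == "*" else int(value))
             for core, value in zip(cores, fields)}
        )
    return samples

def persistently_unmeasured(samples: List[Dict[int, Optional[int]]],
                            skip_core0: bool = True) -> List[int]:
    """Return cores that show '*' in every sample.

    Core 0 is skipped by default because it is expected to always show an
    asterisk; any other core that is never measured across the whole window
    is the 'repeatedly shows an asterisk' condition described above.
    """
    if not samples:
        return []
    suspect = []
    for core in samples[0]:
        if skip_core0 and core == 0:
            continue
        if all(sample[core] is None for sample in samples):
            suspect.append(core)
    return suspect

# Constructed sample output: core 0 is normal, core 3 never gets measured.
SAMPLE_OUTPUT = """DP core load (%) over the last 3 seconds (constructed sample):
core    0    1    2    3
        *   23   19    *
        *   25   21    *
        *   22   18    *
"""

if __name__ == "__main__":
    loads = parse_core_loads(SAMPLE_OUTPUT)
    print("suspect cores:", persistently_unmeasured(loads))
```

Run this over a few consecutive samples rather than a single one: one asterisk can be a transient measurement gap, while the same core unmeasured across the whole window is the pattern the text associates with a stalled packet-processing path.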
Monitoring CLI Changes
PAN-OS 7.1 has the following CLI change for monitoring features:
To view the results of a query, the request format has been updated to be uniform between firewalls and Panorama:
Networking CLI Changes
PAN-OS 7.1 has the following CLI changes for networking features:
(PAN-OS 7.1.5 and later releases) A new command allows you to configure how the firewall handles the Priority Code Point (PCP) value in the VLAN tag field when forwarding the frame between different VLANs. By default, the firewall automatically unsets the PCP value when forwarding between VLANs for greater security. To address a requirement in a particular customer environment, you can configure the firewall to pass through the PCP value so that it is preserved on frame forwarding. Use the following command to configure this behavior, where the default value is no to disable PCP pass-through:
To view the PCP configuration, use the existing command to display VLANs:
The command output has the following updates associated with the PCP pass-through configuration:
The CLI command to set the maximum number of multicast packets queued per session has changed. The new command updates the configuration instead of running an operational command. This change, which persists even if the firewall is reset, now requires you to commit your configuration changes:
Threat Prevention CLI Changes
PAN-OS 7.1 has the following CLI changes for threat prevention features:
With the new ability to specify intelligence sources through a list on an external domain, you must now specify the list. Example changes in the CLI follow:
URL Filtering CLI Changes
PAN-OS 7.1 has the following CLI change for URL Filtering features:
External Dynamic Lists
When indicating an hourly polling time for external block lists (now called external dynamic lists), you can no longer indicate a specific minute within the hour. The change in the CLI is as follows:
User-ID CLI Changes
PAN-OS 7.1 has the following CLI changes for User-ID features:
The following User-ID configuration commands, used to retrieve the list of groups and the corresponding list of members from an LDAP server, now require you to specify the virtual system to which the LDAP server profile belongs:
XML API Changes in PAN-OS 7.1
The PAN-OS 7.1 XML API has the following changes:
(PAN-OS 7.1.5 and later releases) The firewall has the following changes in how it times out IP address and user mapping information registered using the XML API. Unless you explicitly specify a timeout value in the API request, the firewall inherits the User-ID timeout value configured on the firewall (the Enable User ID Timeout value in
In releases earlier than PAN-OS 7.1.5, when you did not specify a timeout value, the firewall treated the value as 0, which meant that the IP address and user mapping never expired. If you want to preserve the same behavior and ensure that the mapping never expires, you must explicitly set the timeout value to 0 as shown in the following API request:
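The timeout change is easy to miss in an integration that was written against an earlier release and relied on the old "no timeout attribute means never expire" default. The following Python is an added example, not code from the original page or from Palo Alto Networks: it builds a User-ID registration payload (the uid-message format sent with type=user-id) that always carries an explicit timeout, and audits an existing payload for login entries that omit one. The function names are hypothetical; the sample payload is constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

def build_login_message(mappings: List[Tuple[str, str]], timeout: int = 0) -> str:
    """Build a uid-message login payload for the User-ID XML API.

    `mappings` is a list of (user, ip) tuples. Every entry gets an explicit
    timeout attribute; timeout=0 keeps the pre-7.1.5 behaviour (the mapping
    never expires), which 7.1.5+ no longer assumes when the attribute is
    omitted (an omitted attribute inherits the firewall's User-ID timeout).
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    for user, ip in mappings:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")

def entries_without_timeout(xml_text: str) -> List[Tuple[str, str]]:
    """Audit an existing uid-message and return (user, ip) for every login
    entry that has no timeout attribute, i.e. every mapping whose lifetime
    silently changed between releases."""
    root = ET.fromstring(xml_text)
    missing = []
    for entry in root.iterfind("./payload/login/entry"):
        if entry.get("timeout") is None:
            missing.append((entry.get("name"), entry.get("ip")))
    return missing

# Constructed sample: a legacy payload where one entry relied on the old default.
LEGACY_PAYLOAD = """<uid-message><version>1.0</version><type>update</type>
<payload><login>
<entry name="acme\\alice" ip="10.0.0.5"/>
<entry name="acme\\bob" ip="10.0.0.6" timeout="0"/>
</login></payload></uid-message>"""

if __name__ == "__main__":
    print(build_login_message([("acme\\alice", "10.0.0.5")]))
    print("entries that will now inherit the firewall timeout:",
          entries_without_timeout(LEGACY_PAYLOAD))
```

Running the audit function over the payloads an integration actually sends is a quick way to find mappings that will start expiring after the upgrade; the registered mappings and their remaining lifetime can then be confirmed on the firewall itself.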
Certain PAN-OS XML API configuration requests now return a different API error code to accurately indicate that the object specified by the XPath does not exist. Affected requests include type=config with action=delete and type=config with action=get.
On PA-7000 Series firewalls and Panorama, API requests for custom reports no longer support the synchronous (asynch=no) option. API requests now provide a job ID, which you can use to retrieve the report. Additionally, API requests for reports (type=report) are now processed asynchronously by default on all firewall platforms.
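Both of the last two changes affect how a client has to read API responses: a config delete or get on a missing object now comes back as an error with a distinct code rather than a quiet success, and a report request comes back with a job ID that has to be fetched separately. The following Python is an added example covering both points; it is not code from the original page or from Palo Alto Networks. The response shapes and the follow-up query parameters (type=report, action=get, job-id) are taken from the published XML API reference as I recall it and should be treated as assumptions; the sample responses are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class ApiResult:
    status: str                 # "success" or "error" from <response status=...>
    code: Optional[str]         # numeric code attribute, when the firewall sets one
    message: Optional[str]      # text of <msg>, if present
    job_id: Optional[str]       # <result><job> for asynchronous requests

def parse_api_response(xml_text: str) -> ApiResult:
    """Parse a PAN-OS XML API response envelope into its decision-relevant parts."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("not a PAN-OS XML API response envelope")
    msg = root.find(".//msg")
    # <msg> may wrap its text in <line> children; join whatever text is there
    message = "".join(msg.itertext()).strip() if msg is not None else None
    job = root.find("./result/job")
    job_id = job.text.strip() if job is not None and job.text else None
    return ApiResult(status=root.get("status", ""), code=root.get("code"),
                     message=message or None, job_id=job_id)

def classify(result: ApiResult) -> str:
    """Reduce a response to the branch a client must take.

    'error'     -> the request failed; for config delete/get this now includes
                   'the XPath names no object', which older clients treated as success
    'async-job' -> the firewall accepted the request and returned a job ID to poll
    'ok'        -> synchronous success with the result inline
    """
    if result.status != "success":
        return "error"
    if result.job_id:
        return "async-job"
    return "ok"

def report_fetch_params(job_id: str) -> Dict[str, str]:
    """Query parameters for retrieving a finished report by job ID (assumed
    from the XML API reference: type=report&action=get&job-id=<id>)."""
    return {"type": "report", "action": "get", "job-id": job_id}

# Constructed sample responses modelled on the documented envelope shape.
MISSING_OBJECT = '<response status="error" code="7"><msg>Object not present</msg></response>'
REPORT_QUEUED = '<response status="success"><result><job>42</job></result></response>'
INLINE_OK = '<response status="success"><result><entry name="x"/></result></response>'

if __name__ == "__main__":
    for sample in (MISSING_OBJECT, REPORT_QUEUED, INLINE_OK):
        r = parse_api_response(sample)
        print(classify(r), r)
        if classify(r) == "async-job":
            print("poll with:", report_fetch_params(r.job_id))
```

The important design point is that `classify` branches on the `status` attribute and never on an empty result: a client that equated "nothing came back" with "nothing to do" will, on PAN-OS 7.1, mis-handle both the new error responses and the job-ID responses.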