End-of-Life (EoL)

CLI and XML API Changes in PAN-OS 7.1

PAN-OS 7.1 has the following CLI changes, which also affect corresponding PAN-OS XML API requests. You can use the CLI in debug mode to view the corresponding XML API syntax for CLI commands. For changes that are specific to the XML API, see XML API Changes in PAN-OS 7.1.

App-ID CLI Changes

PAN-OS 7.1 has the following CLI changes for App-ID features:

Application status
With the role-based access control enhancements, on firewalls enabled for multiple virtual systems, you must specify the target virtual system before you can view or set application status. The following commands have changed:
  • PAN-OS 7.0 and earlier releases:
    request get-disabled-applications vsys <value>
    request get-application-status vsys <value> application <value>
    request set-application-status-recursive vsys <value> enable-dependent-apps <yes|no> application <value> status <enabled|disabled>
  • PAN-OS 7.1 and later releases:
    First set the target vsys (an operational command, so no commit is required):
    set system setting target-vsys <value>
    Then enter the command to retrieve or set the application status:
    request get-disabled-applications
    request get-application-status application <value>
    request set-application-status-recursive enable-dependent-apps <yes|no> application <value> status <enabled|disabled>

GlobalProtect CLI Changes

PAN-OS 7.1 has the following CLI changes for GlobalProtect features:

Two-factor authentication
With the introduction of two-factor authentication in GlobalProtect, a number of API requests have changed. Use the CLI with the debug cli on command to see the changes in the corresponding XML requests. Affected commands are within the following command hierarchy:
    set global-protect global-protect-portal <name> satellite-config
    set global-protect global-protect-portal <name> client-config
    set global-protect global-protect-portal <name> portal-config

Management CLI Changes

PAN-OS 7.1 has the following CLI changes for management features:

API keys
(PAN-OS 7.1.7 and later releases) New commands enable you to manage API keys. These keys are required when performing secure credential operations, including VM-Series license deactivation. Refer to VM-Series License Deactivation API Key. Use the following commands to manage API keys:
  • To show the current API key:
    request license api-key show
  • To delete the current API key:
    request license api-key delete
  • To configure the API key:
    request license api-key set key <key>
The output of the show command is the key itself; treat it as a credential and keep it out of tickets and unredacted session logs.
Restarting processes
(PAN-OS 7.1.5 and later releases) New commands enable you to restart firewall processes (bfd, cryptod, dhcpd, ikemgr, keymgr, and pppoed) that previously required root access to restart:
    debug software restart process bfd
    debug software restart process crypto
    debug software restart process dhcp
    debug software restart process ikemgr
    debug software restart process keymgr
    debug software restart process pppoe
A restart drops the state the process holds (for example, the IKE negotiations that ikemgr owns), so schedule it in a maintenance window.
Content updates
(PAN-OS 7.1.3 and later releases) New commands enable you to check for application and threat content updates hourly and to verify the configuration:
    debug management-server content hourly-check set enable
    debug management-server content hourly-check show
Operational modes
The maintenance mode menu for selecting the mode of operation changed:
  • Firewall platforms: The Set CCEAL4 mode menu is renamed to Set FIPS-CC mode. Additionally, the Set FIPS mode menu is removed.
  • Panorama virtual appliances, M-Series appliances, and WF-500 appliances: The Set CCEAL4 mode menu is renamed to Set FIPS-CC mode.
If your firewall is set to FIPS mode, you must change the mode of operation to CCEAL4 mode (using the Set CCEAL4 mode menu option in maintenance mode) before you upgrade to PAN-OS 7.0 or a later release. See the upgrade considerations for more details on upgrading a firewall that is set to FIPS mode.
When you change from FIPS mode to CCEAL4 mode, you lose all configuration settings, so back up your configuration first and re-import it after you change modes (and before you upgrade). For information on changing to FIPS-CC mode, refer to Certifications.
Decompression modes
Hardware-based and software-based decompression is supported on all Palo Alto Networks products (excluding VM-Series firewalls). Starting in PAN-OS 7.1, a hybrid mode (enabled by default) allows firewalls to dynamically switch from hardware-based decompression to software-based decompression when the hardware decompression engine is under a heavy load, and to switch back when the load decreases. Prior to PAN-OS 7.1, you could manually switch between decompression modes but could choose only one mode at a time: hardware (default) or software.
You can change this new setting (zip mode auto) so that the firewall performs only hardware-based or only software-based decompression:
  • PAN-OS 7.0 and earlier releases:
    set deviceconfig setting zip sw [yes|no]
  • PAN-OS 7.1 and later releases:
    set deviceconfig setting zip mode [sw | hw | auto]
New counters are also introduced to the show system setting zip command output to monitor the number of times that the firewall switches from hardware-based decompression to software-based decompression:
  • Number of SW Forced Switchovers: The number of times that the firewall forces a switchover to software-based decompression. A forced switchover can occur when the firewall is in hardware zip mode if the hardware decompression engine becomes unresponsive.
  • Number of SW Automatic Switchovers: The number of times the firewall has dynamically switched from hardware-based to software-based decompression when in automatic zip mode.
A forced switchover count that keeps rising means the hardware engine is repeatedly becoming unresponsive and is worth investigating; the automatic counter only records load-driven switching.
CPU monitoring
The following command now shows asterisks (*) instead of zeros (0) when a corresponding CPU core load percentage is not currently being measured or cannot be measured:
    show running resource-monitor
An asterisk may indicate potential issues, such as a malfunction that causes packet processing to pause. When issues like this occur, the response repeatedly shows an asterisk instead of a number. It is normal for core 0 to always show an asterisk.

Monitoring CLI Changes

PAN-OS 7.1 has the following CLI change for monitoring features:

Log filtering
To view the results of a query, the request format has been updated to be uniform between firewalls and Panorama:
  • PAN-OS 7.0 and earlier releases:
    show query id <1-4294967295>
  • PAN-OS 7.1 and later releases:
    show query result id <1-4294967295> skip <0-4294967295>

Networking CLI Changes

PAN-OS 7.1 has the following CLI changes for networking features:

VLANs
(PAN-OS 7.1.5 and later releases) A new command allows you to configure how the firewall handles the Priority Code Point (PCP) value in the VLAN tag field when forwarding the frame between different VLANs. By default, the firewall automatically unsets the PCP value when forwarding between VLANs for greater security. To address a requirement in a particular customer environment, you can configure the firewall to pass through the PCP value so that it is preserved on frame forwarding. Use the following command to configure this behavior, where the default value is no to disable PCP pass-through:
    set session pass-through-1q-pcp <yes|no>
To view the PCP configuration, use the existing command to display VLANs:
    show vlan all
The command output has the following updates associated with the PCP pass-through configuration:
    pvst+ tag rewrite: enabled
    pvst+ native vlan id: 1
    drop stp: disabled
    802.1Q PCP pass through: disabled
Interfaces
  • With the introduction of configurable maximum segment size (MSS) adjustment sizes, the request format to enable MSS adjustment has changed:
    • PAN-OS 7.0 and earlier releases:
      set network interface ethernet <name> layer3 adjust-tcp-mss <yes|no>
      set network interface ethernet <name> layer3 units <name> adjust-tcp-mss <yes|no>
      set network interface vlan adjust-tcp-mss <yes|no>
      set network interface vlan units <name> adjust-tcp-mss <yes|no>
      set network interface loopback adjust-tcp-mss <yes|no>
      set network interface loopback units <name> adjust-tcp-mss <yes|no>
    • PAN-OS 7.1 and later releases:
      set network interface ethernet <name> layer3 adjust-tcp-mss enable <yes|no>
      set network interface ethernet <name> layer3 units <name> adjust-tcp-mss enable <yes|no>
      set network interface vlan adjust-tcp-mss enable <yes|no>
      set network interface vlan units <name> adjust-tcp-mss enable <yes|no>
      set network interface loopback adjust-tcp-mss enable <yes|no>
      set network interface loopback units <name> adjust-tcp-mss enable <yes|no>
  • The netstat command is moved from the root level to within the request command hierarchy:
    • PAN-OS 7.0 and earlier releases:
      netstat programs yes interface yes
    • PAN-OS 7.1 and later releases:
      request netstat programs yes interface yes
    Additionally, use of the request netstat programs command option now requires superuser or superreader permissions.
Session settings
The CLI command to set the maximum number of multicast packets queued per session has changed. The new command updates the configuration instead of running an operational command. This change, which persists even if the firewall is reset, now requires you to commit your configuration changes:
  • PAN-OS 7.0 and earlier releases:
    set session max-pending-mcast-pkts-per-session <0-2000>
  • PAN-OS 7.1 and later releases:
    set deviceconfig setting session max-pending-mcast-pkts-per-session <1-2000>

Threat Prevention CLI Changes

PAN-OS 7.1 has the following CLI changes for threat prevention features:

Anti-Spyware profiles
With the new ability to specify intelligence sources through a list on an external domain, you must now specify the list. Example changes in the CLI follow:
  • PAN-OS 7.0 and earlier releases:
    show profiles spyware <name> botnet-domains action
    show profiles spyware <name> botnet-domains action alert
    show profiles spyware <name> botnet-domains action allow
    show profiles spyware <name> botnet-domains action block
    show profiles spyware <name> botnet-domains action sinkhole
  • PAN-OS 7.1 and later releases:
    show profiles spyware <name> botnet-domains lists <name> action
    show profiles spyware <name> botnet-domains lists <name> action alert
    show profiles spyware <name> botnet-domains lists <name> action allow
    show profiles spyware <name> botnet-domains lists <name> action block
    show profiles spyware <name> botnet-domains lists <name> action sinkhole

URL Filtering CLI Changes

PAN-OS 7.1 has the following CLI change for URL Filtering features:

External Dynamic Lists
When indicating an hourly polling time for external block lists (now called external dynamic lists), you can no longer indicate a specific minute within the hour. The change in the CLI is as follows:
  • PAN-OS 7.0 and earlier releases:
    set external-list <name> recurring hourly at <value>
  • PAN-OS 7.1 and later releases:
    set external-list <name> recurring hourly

User-ID CLI Changes

PAN-OS 7.1 has the following CLI changes for User-ID features:

Username-to-group mapping
The following User-ID configuration commands, used to retrieve the list of groups and the corresponding list of members from an LDAP server, now require you to specify the virtual system to which the LDAP server profile belongs:
  • PAN-OS 7.0 and earlier releases:
    show user group-mapping naming-context server <ip/netmask>|<value> server-port <1-65535> use-ssl <yes|no> is-active-directory <yes|no> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535>
    show user group-selection use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server [ <server1> <server2>... ]
    show user group-selection use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server-port [ <server-port1> <server-port2>... ]
  • PAN-OS 7.1 and later releases:
    show user group-mapping naming-context server <ip/netmask>|<value> sp_vsys_id <value> server-port <1-65535> use-ssl <yes|no> is-active-directory <yes|no> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535>
    show user group-selection sp_vsys_id <value> use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server [ <server1> <server2>... ]
    show user group-selection sp_vsys_id <value> use-ssl <yes|no> base <value> bind-dn <value> bind-password <value> name-attribute <value> group-object <value> container-object <value> filter <value> search-scope <one|subtree> proxy-agent <ip/netmask>|<value> proxy-agent-port <1-65535> force <yes|no> server-port [ <server-port1> <server-port2>... ]

XML API Changes in PAN-OS 7.1

The PAN-OS 7.1 XML API has the following changes:

User-ID
(PAN-OS 7.1.5 and later releases) The firewall has the following changes in how it times out IP address-to-user mapping information registered using the XML API. Unless you explicitly specify a timeout value in the API request, the firewall applies the User-ID timeout value configured on the firewall (the Enable User ID Timeout value in Device > User Identification > User Mapping > Cache).
In releases earlier than PAN-OS 7.1.5, when you did not specify a timeout value, the firewall treated the value as 0, which meant that the IP address-to-user mapping never expired. If you want to preserve that behavior and ensure that the mapping never expires, you must explicitly set the timeout value to 0 as shown in the following API request. Review any existing scripts that omit the attribute before you upgrade: after the upgrade, the mappings they register will age out, and user-based policy that depends on them will stop matching once they do.
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="domain\name2" ip="1.1.1.2" timeout="0"/>
    </login>
  </payload>
</uid-message>
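The request above, as an added example that is not part of the PAN-OS documentation: a Python helper that builds the uid-message with ElementTree so the timeout attribute is set deliberately (0 to pin the mapping as before 7.1.5, omitted to inherit the firewall's configured timeout), and wraps it in the form body of a type=user-id request. The mapping data is constructed sample input and the api_key value is a placeholder. The timeout unit (minutes) and the type=user-id request form are taken from the XML API as I know it, not from this page.

```python
"""Build PAN-OS User-ID XML API login messages with an explicit timeout.

Added example, not code from the PAN-OS documentation. The sample
mappings and the api_key are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, Optional, Tuple
from urllib.parse import urlencode


def build_uid_login_message(mappings: Iterable[Tuple[str, str]],
                            timeout: Optional[int] = 0) -> str:
    """Return a <uid-message> that registers the given (user, ip) pairs.

    timeout=0 pins the mapping so it never expires (the pre-7.1.5 default
    when the attribute was omitted).
    timeout=None omits the attribute, so a 7.1.5+ firewall applies the
    User-ID timeout configured under Device > User Identification.
    Any other non-negative value is an explicit timeout in minutes
    (unit assumed from the XML API, not stated on this page).
    """
    if timeout is not None and timeout < 0:
        raise ValueError("timeout must be 0 (never expire) or a positive integer")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in mappings:
        attrs = {"name": user, "ip": ip}
        if timeout is not None:
            attrs["timeout"] = str(timeout)
        ET.SubElement(login, "entry", attrs)
    # ElementTree escapes attribute values, so a user name that contains
    # '<' or '"' cannot break out of the entry element. Never build this
    # document with string formatting.
    return ET.tostring(root, encoding="unicode")


def build_user_id_request(uid_message: str, api_key: str) -> str:
    """Return the urlencoded body of a type=user-id request carrying the message.

    POST this body to https://<firewall>/api/ (assumed endpoint form).
    """
    return urlencode({"type": "user-id", "key": api_key, "cmd": uid_message})


if __name__ == "__main__":
    # Constructed sample input: the page's mapping plus a second host.
    sample = [("domain\\name2", "1.1.1.2"), ("domain\\name3", "1.1.1.3")]
    pinned = build_uid_login_message(sample, timeout=0)      # never expires
    inherited = build_uid_login_message(sample, timeout=None)  # firewall timeout
    print(pinned)
    print(inherited)
    print(build_user_id_request(pinned, api_key="REPLACE_WITH_API_KEY"))
```

Pass timeout=None only when you intend the firewall's cache timeout to apply; a wrapper whose default is None reproduces the post-7.1.5 behaviour silently, which is exactly the surprise the passage above warns about.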
Error codes
Certain PAN-OS XML API configuration requests now return a different API error code to accurately indicate that the object specified by the XPath does not exist. Affected requests include type=config with action=delete and type=config with action=get. The status attribute is still success in every case, so a script that detects a missing object by testing for code 19 or 20 must also accept code 7 after the upgrade:
  • PAN-OS 7.0 and earlier releases (action=delete):
    <response code="20" status="success"><msg>Object doesn't exist</msg></response>
  • PAN-OS 7.0 and earlier releases (action=get):
    <response code="19" status="success"><msg>Object doesn't exist</msg></response>
  • PAN-OS 7.1 and later releases:
    <response code="7" status="success"><msg>Object doesn't exist</msg></response>
Custom reports
On PA-7000 Series firewalls and Panorama, API requests for custom reports no longer support the synchronous (asynch=no) option. Instead, the API request returns a job ID, which you use to retrieve the report once the job completes. Additionally, API requests for reports (type=report) are now processed asynchronously by default on all firewall platforms.
