End-of-Life (EoL)
Networking Features
| New Networking Features | Description |
|---|---|
| Failure Detection with BFD | Data centers and networks often require very fast detection of communication failures. The firewall now supports Bidirectional Forwarding Detection (BFD), a protocol that detects failures in the bidirectional path between an interface on the firewall and a configured BFD peer. The PAN-OS implementation of BFD allows you to configure BFD settings (such as transmit and receive intervals) per routing protocol or static route. |
| LACP and LLDP Pre-Negotiation for an HA Passive Firewall | An HA passive firewall can now negotiate LACP and LLDP before it becomes active. This pre-negotiation reduces failover times by eliminating the delays incurred by LACP or LLDP negotiations. |
| Binding a Floating IP Address to an HA Active-Primary Firewall | In an HA active/active configuration, you can now bind a floating IP address to the firewall in the active-primary state. Thus, on a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B. Traffic continues to go to Peer B even when Peer A recovers and becomes the active-secondary device. This feature provides more control over how floating IP address ownership is determined as firewalls move between HA states. Prior to this feature, the floating IP address was bound to the firewall through its Device ID (0 or 1) and would follow the Device ID to which it was bound. In mission-critical data centers, you can benefit from this feature in several ways. |
| Multicast Route Setup Buffering | You can now enable buffering of the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You need to enable multicast route setup buffering only if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped. |
| Per VLAN Spanning Tree (PVST+) BPDU Rewrite | When an interface on the firewall is configured for a Layer 2 deployment, the firewall now rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. This new default behavior in PAN-OS 7.1 allows the firewall to correctly tag Cisco proprietary PVST+ and Rapid PVST+ frames between Cisco switches in VLANs on either side of the firewall. Thus, spanning tree loop detection using Cisco PVST+ functions properly. There is no behavior change for other types of spanning tree. |
| Configurable MSS Adjustment Size | The Maximum Segment Size (MSS) adjustment size is now configurable so that you can adjust the number of bytes available for the IP and TCP headers in an Ethernet frame. You can expand the adjustment size beyond 40 bytes to accommodate longer IP and TCP headers. For example, if you are forwarding a packet through an MPLS network where multiple tags can be added to the packet, you may need to increase the number of bytes reserved for the headers. |
| DHCP Client Support on the Management Interface | The management interface on the firewall now supports a DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to a DHCP server. |
| Increase in Number of DHCP Servers per DHCP Relay Agent | In a DHCP relay agent configuration, each Layer 3 Ethernet or VLAN interface now supports up to eight IPv4 DHCP servers and eight IPv6 DHCP servers. This is an increase over the previous limit of four DHCP servers per interface per IP address family. |
| PA-3000 Series and PA-500 Firewall Capacity Increases | PA-3000 Series and PA-500 firewalls support more ARP entries, MAC addresses, and IPv6 neighbors than they supported in prior releases. Additionally, PA-3000 Series firewalls support more FIB addresses. |
| SSL/SSH Session End Reasons | The Session End Reason column in Traffic logs now indicates the reason for SSL/SSH session termination. For example, the column might indicate that a server certificate expired if you configured certificate expiration as a blocking condition for SSL Forward Proxy decryption. You can use SSL/SSH session end reasons to troubleshoot access issues for internal users requesting external services or for external users requesting internal services. |
| Fast Identification and Mitigation of Sessions that Overutilize the Packet Buffer | A new CLI command (`show running resource-monitor ingress-backlogs`) on any hardware-based firewall allows you to see the packet buffer percentage used, the top five sessions using more than two percent of the packet buffers, and the source IP addresses associated with those sessions. This information is very helpful when a firewall exhibits signs of resource depletion and starts buffering inbound packets, because that is an indication that the firewall might be experiencing an attack. Another new CLI command (`request session-discard [timeout <x>] [reason <reason_string>] id <session_id>`) allows you to immediately discard a session without a commit. |
| FPP Optimization on PA-7080 Firewalls | In PAN-OS 7.1.4-h2 and later PAN-OS 7.1 releases, First Packet Processor (FPP) performance on the PA-7080 firewall is further optimized to enhance the maximum session establishment rate. |
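The BFD row says the transmit and receive intervals are configurable per routing protocol or static route, but not how those settings turn into an actual detection time. The following is an added illustration, not PAN-OS code: it models the RFC 5880 timer negotiation (a peer transmits no faster than the larger of its own Desired Min TX and the remote's Required Min RX, and declares the session down after the remote's Detect Mult times that interval). The two `BfdTimers` values in `main` are constructed and assume nothing about PAN-OS defaults.

```python
"""BFD timer negotiation and detection time (RFC 5880, section 6.8.4).

Added illustration, not PAN-OS code. All intervals are in milliseconds.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    """One peer's configured BFD timers, in RFC 5880 terminology."""
    desired_min_tx: int   # Desired Min TX Interval: how fast it wants to send
    required_min_rx: int  # Required Min RX Interval: fastest it can receive
    detect_mult: int      # Detection Time Multiplier


def transmit_interval(local: BfdTimers, remote: BfdTimers) -> int:
    """Interval at which `local` actually sends control packets.

    A system must not transmit faster than the remote can receive, so the
    effective interval is the larger of the two values.
    """
    return max(local.desired_min_tx, remote.required_min_rx)


def detection_time(local: BfdTimers, remote: BfdTimers) -> int:
    """Time after which `local` declares the session Down without any packet.

    Asynchronous mode: the remote's Detect Mult multiplied by the interval
    the remote is really transmitting at (which is bounded below by our own
    Required Min RX).
    """
    return remote.detect_mult * transmit_interval(remote, local)


def session_summary(a: BfdTimers, b: BfdTimers) -> dict:
    """Both directions of a session, so asymmetric settings are visible."""
    return {
        "a_tx_interval_ms": transmit_interval(a, b),
        "b_tx_interval_ms": transmit_interval(b, a),
        "a_detects_b_down_after_ms": detection_time(a, b),
        "b_detects_a_down_after_ms": detection_time(b, a),
    }


def meets_budget(a: BfdTimers, b: BfdTimers, budget_ms: int) -> bool:
    """True only if BOTH peers detect a failure within the budget."""
    return max(detection_time(a, b), detection_time(b, a)) <= budget_ms


if __name__ == "__main__":
    # Constructed values: the firewall is tuned aggressively, the peer is not.
    firewall = BfdTimers(desired_min_tx=300, required_min_rx=300, detect_mult=3)
    peer = BfdTimers(desired_min_tx=1000, required_min_rx=500, detect_mult=5)
    print(session_summary(firewall, peer))
    print("within 2 s budget:", meets_budget(firewall, peer, 2000))
```

The point the numbers make: the firewall's 300 ms timers do not buy fast detection on their own. Because the peer only transmits every 1000 ms with a multiplier of 5, the firewall needs 5 s to notice the peer is gone, while the peer notices the firewall in 1.5 s. Both sides of every BFD session have to be tuned to the failover target.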
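The MSS adjustment row explains that the adjustment size is the byte count reserved for the IP and TCP headers and that 40 bytes can be too small once MPLS labels are pushed onto the packet. As an added worked example (not PAN-OS code), the block below sums the header stack for a given packet shape, derives the clamped MSS, and checks whether a segment of that size still fits the MTU after encapsulation. Header sizes come from the IPv4, IPv6, TCP and MPLS specifications; the MTU and label counts used in the checks are constructed.

```python
"""Does the MSS adjustment reserve enough header room? (added illustration)

Clamped MSS = MTU - adjustment. The adjustment must cover every header that
sits between the Ethernet frame payload and the TCP payload, or the segment
exceeds the MTU once those headers are added.
"""
IPV4_HEADER = 20   # minimal IPv4 header, no options
IPV6_HEADER = 40   # fixed IPv6 header, no extension headers
TCP_HEADER = 20    # minimal TCP header, no options
MPLS_LABEL = 4     # each MPLS shim header is 4 bytes


def required_adjustment(ip_version: int, tcp_options: int = 0,
                        mpls_labels: int = 0) -> int:
    """Bytes that must be reserved ahead of the TCP payload."""
    if ip_version == 4:
        ip_bytes = IPV4_HEADER
    elif ip_version == 6:
        ip_bytes = IPV6_HEADER
    else:
        raise ValueError("ip_version must be 4 or 6")
    if tcp_options < 0 or tcp_options > 40 or tcp_options % 4:
        raise ValueError("TCP options occupy 0..40 bytes in 4-byte words")
    if mpls_labels < 0:
        raise ValueError("label count cannot be negative")
    return ip_bytes + TCP_HEADER + tcp_options + mpls_labels * MPLS_LABEL


def clamped_mss(mtu: int, adjustment: int) -> int:
    """MSS the firewall would write into the SYN for this adjustment size."""
    if adjustment >= mtu:
        raise ValueError("adjustment leaves no room for payload")
    return mtu - adjustment


def fits_in_mtu(mtu: int, mss: int, ip_version: int, tcp_options: int = 0,
                mpls_labels: int = 0) -> bool:
    """True if a full-size segment plus its headers does not exceed the MTU."""
    return mss + required_adjustment(ip_version, tcp_options, mpls_labels) <= mtu


def minimum_adjustment_report(mtu: int, ip_version: int, tcp_options: int = 0,
                              mpls_labels: int = 0) -> dict:
    """Compare the 40-byte default with what this path actually needs."""
    needed = required_adjustment(ip_version, tcp_options, mpls_labels)
    return {
        "needed_adjustment": needed,
        "mss_with_default_40": clamped_mss(mtu, 40),
        "default_fits": fits_in_mtu(mtu, clamped_mss(mtu, 40), ip_version,
                                    tcp_options, mpls_labels),
        "mss_with_needed": clamped_mss(mtu, needed),
    }


if __name__ == "__main__":
    # Constructed scenario: 1500-byte MTU, IPv4, two MPLS labels on the path.
    print(minimum_adjustment_report(1500, 4, mpls_labels=2))
```

With two labels the default leaves an MSS of 1460, but a 1460-byte segment plus 48 bytes of headers is 1508 bytes and no longer fits; raising the adjustment to 48 brings the MSS to 1452 and the frame back to exactly 1500.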
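The DHCP row mentions Option 12 and Option 61 without showing what the management interface actually puts on the wire. As an added example (not PAN-OS code), the block below encodes and parses the two options in their RFC 2132 TLV form: Option 12 carries the hostname, Option 61 carries a hardware-type byte followed by the client's MAC address. The parser applies the checks a DHCP server or packet inspector needs against malformed option fields (PAD has no length byte, END terminates, a length running past the buffer is rejected). The hostname and MAC address are constructed.

```python
"""DHCP Option 12 (Host Name) and Option 61 (Client Identifier), RFC 2132.

Added illustration, not PAN-OS code. Values below are constructed.
"""
OPT_PAD = 0
OPT_HOST_NAME = 12
OPT_CLIENT_ID = 61
OPT_END = 255
HTYPE_ETHERNET = 1  # ARP hardware type used in the client identifier


def encode_option(code: int, payload: bytes) -> bytes:
    """One TLV: code, length, value. Length is a single byte."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("option payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def build_options(hostname: str, mac: bytes) -> bytes:
    """Options field a DHCP client would send with both options enabled."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte Ethernet MAC")
    host = hostname.encode("ascii")
    client_id = bytes([HTYPE_ETHERNET]) + mac
    return (encode_option(OPT_HOST_NAME, host)
            + encode_option(OPT_CLIENT_ID, client_id)
            + bytes([OPT_END]))


def parse_options(blob: bytes) -> dict:
    """Walk the TLVs defensively and return {code: value}."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:          # single-byte option, no length
            i += 1
            continue
        if code == OPT_END:          # stop; anything after END is ignored
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(blob):
            raise ValueError("option length exceeds buffer")
        opts[code] = blob[start:end]
        i = end
    else:
        raise ValueError("missing END option")
    return opts


def describe_client(opts: dict) -> dict:
    """Human-readable view of the two options, if present."""
    out = {}
    if OPT_HOST_NAME in opts:
        out["hostname"] = opts[OPT_HOST_NAME].decode("ascii")
    if OPT_CLIENT_ID in opts:
        cid = opts[OPT_CLIENT_ID]
        if len(cid) == 7 and cid[0] == HTYPE_ETHERNET:
            out["client_id"] = "eth:" + cid[1:].hex(":")
        else:
            out["client_id"] = "opaque:" + cid.hex()
    return out


if __name__ == "__main__":
    # Constructed hostname and MAC address.
    wire = build_options("fw-mgmt", bytes.fromhex("001122334455"))
    print(wire.hex())
    print(describe_client(parse_options(wire)))
```

Option 61 is what a DHCP server keys reservations on, so a server that trusts it blindly will hand out a reserved lease to whichever client presents that identifier; the hardware type byte and the 7-byte length check in `describe_client` are the minimum a consumer should verify before treating it as a MAC address.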
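The packet buffer row describes the triage the new command supports (overall buffer utilization, the top five sessions above two percent, and their source IPs) and why it matters: a handful of sessions holding the buffer is a resource-exhaustion signal. The following is an added example, not PAN-OS code and not a parser of the real command's output, whose format the page does not show. It takes per-session buffer usage as constructed records and produces that summary, plus a per-source aggregate so that one host spreading its load over many sessions is still visible. The `SessionUsage` record layout, the sample data and the `source_review_threshold_pct` parameter are assumptions of this example.

```python
"""Triage of sessions that overuse the packet buffer (added illustration).

Not PAN-OS code; the record layout and sample data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SessionUsage:
    session_id: int
    src_ip: str
    buffer_pct: float  # share of the packet buffer held by this session


SESSION_THRESHOLD_PCT = 2.0  # per-session threshold named on the page
TOP_N = 5                     # number of sessions the page's summary lists

# Constructed sample: one source spread across three heavy sessions.
SAMPLE: List[SessionUsage] = [
    SessionUsage(1001, "203.0.113.7", 9.5),
    SessionUsage(1002, "203.0.113.7", 6.0),
    SessionUsage(1003, "198.51.100.20", 4.1),
    SessionUsage(1004, "203.0.113.7", 3.3),
    SessionUsage(1005, "192.0.2.44", 2.5),
    SessionUsage(1006, "192.0.2.44", 2.2),
    SessionUsage(1007, "198.51.100.21", 1.9),
    SessionUsage(1008, "192.0.2.45", 0.4),
]


def total_utilization(sessions: List[SessionUsage]) -> float:
    """Overall packet buffer percentage in use."""
    return round(sum(s.buffer_pct for s in sessions), 2)


def top_offenders(sessions: List[SessionUsage],
                  threshold: float = SESSION_THRESHOLD_PCT,
                  n: int = TOP_N) -> List[SessionUsage]:
    """Sessions above the threshold, heaviest first, capped at n."""
    heavy = [s for s in sessions if s.buffer_pct > threshold]
    return sorted(heavy, key=lambda s: (-s.buffer_pct, s.session_id))[:n]


def usage_by_source(sessions: List[SessionUsage]) -> Dict[str, float]:
    """Aggregate buffer share per source IP, heaviest first."""
    totals: Dict[str, float] = defaultdict(float)
    for s in sessions:
        totals[s.src_ip] += s.buffer_pct
    ordered = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return {ip: round(pct, 2) for ip, pct in ordered}


def sessions_to_review(sessions: List[SessionUsage],
                       source_review_threshold_pct: float) -> List[int]:
    """Session IDs belonging to sources whose aggregate share exceeds the
    given threshold: the candidates an operator would inspect before using
    the session discard command."""
    hot = {ip for ip, pct in usage_by_source(sessions).items()
           if pct > source_review_threshold_pct}
    return sorted(s.session_id for s in sessions if s.src_ip in hot)


if __name__ == "__main__":
    print("buffer in use: %.1f%%" % total_utilization(SAMPLE))
    for s in top_offenders(SAMPLE):
        print("session %d from %s: %.1f%%" % (s.session_id, s.src_ip, s.buffer_pct))
    print(usage_by_source(SAMPLE))
    print("review:", sessions_to_review(SAMPLE, 10.0))
```

The per-source view is the part the top-five list alone hides: in the sample, 203.0.113.7 holds almost 19% of the buffer across three sessions, while the two 192.0.2.44 sessions that also make the list add up to under 5%.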