Data centers and networks often require very fast detection of communication failures. The firewall now supports Bidirectional Forwarding Detection (BFD), a protocol that detects failures in the bidirectional path between an interface on the firewall and a configured BFD peer. The PAN-OS implementation of BFD allows you to configure BFD settings (such as transmit and receive intervals) per routing protocol or static route.
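The following is an added example, not PAN-OS code or text from this page: it encodes and decodes the mandatory 24-byte BFD control packet from RFC 5880 and computes the detection time each side will use from the transmit and receive intervals both peers advertise. The interval values and discriminators are illustrative, not PAN-OS defaults; note that whichever side advertises the slower interval governs how quickly the other side declares the path down.

```python
"""Added example (not PAN-OS code): RFC 5880 BFD control packet codec plus
the asynchronous-mode detection-time calculation (section 6.8.4)."""
import struct

# Mandatory section of a BFD Control packet (RFC 5880 section 4.1).
_BFD_FMT = "!BBBBIIIII"        # vers/diag, sta/flags, mult, length, 5 x uint32
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


def build_bfd(state, detect_mult, my_disc, your_disc, min_tx_us, min_rx_us,
              diag=0, echo_rx_us=0, flags=0):
    """Return the 24-byte mandatory section. BFD version is always 1."""
    return struct.pack(_BFD_FMT,
                       (1 << 5) | (diag & 0x1F),
                       ((state & 0x3) << 6) | (flags & 0x3F),
                       detect_mult, 24,
                       my_disc, your_disc, min_tx_us, min_rx_us, echo_rx_us)


def parse_bfd(data):
    """Decode a received packet, applying the RFC 5880 6.8.6 discard rules
    a receiver must enforce before acting on the contents."""
    if len(data) < 24:
        raise ValueError("short BFD packet")
    vd, sf, mult, length, my, your, tx, rx, echo = struct.unpack(_BFD_FMT, data[:24])
    if vd >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if mult == 0 or my == 0 or length > len(data):
        raise ValueError("invalid BFD packet (zero mult/discriminator or bad length)")
    return {"diag": vd & 0x1F, "state": STATES[sf >> 6], "detect_mult": mult,
            "my_disc": my, "your_disc": your,
            "min_tx_us": tx, "min_rx_us": rx, "echo_rx_us": echo}


def detection_time_us(local_min_rx_us, remote):
    """Local detection time = remote Detect Mult x the remote's agreed
    transmit interval, i.e. max(local Required Min RX, remote Desired Min TX)."""
    return remote["detect_mult"] * max(local_min_rx_us, remote["min_tx_us"])


if __name__ == "__main__":
    # Constructed peer packet: Up, multiplier 3, TX 500 ms, RX 1000 ms.
    peer = parse_bfd(build_bfd(3, 3, 0x11, 0x22, 500_000, 1_000_000))
    # Firewall configured with a 1000 ms receive interval: 3 x 1000 ms = 3 s.
    print(detection_time_us(1_000_000, peer))
    # A 200 ms receive interval lets the peer's 500 ms TX govern: 3 x 500 ms.
    print(detection_time_us(200_000, peer))
```

Tightening only the firewall's receive interval does not shorten failure detection below three times the peer's transmit interval; both sides have to be tuned together.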
LACP and LLDP Pre-Negotiation for an HA Passive Firewall
An HA passive firewall can now negotiate LACP and LLDP before it becomes active. This pre-negotiation reduces failover times by eliminating the delays incurred by LACP or LLDP negotiations.
Binding a Floating IP Address to an HA Active-Primary Firewall
In an HA active/active configuration, you can now bind a floating IP address to the firewall in the active-primary state. Thus, on a failover, when the active-primary firewall (Peer A) goes down and the active-secondary firewall (Peer B) takes over as the active-primary peer, the floating IP address moves to Peer B. Traffic continues to go to Peer B, even when Peer A recovers and becomes the active-secondary device. This feature provides more control over how floating IP address ownership is determined as firewalls move between HA states. Prior to this feature, the floating IP address was bound to the firewall through its Device ID [0/1] and would follow the Device ID to which it was bound. Now, in mission-critical data centers, you can benefit from this feature in several ways:
You can have an active/active configuration so that you can do path monitoring out of both firewalls, yet the HA peers function like an active/passive configuration because traffic directed to the floating IP address always goes to the active-primary firewall.
The floating IP address does not move back and forth between HA devices if the active-secondary device flaps up and down. Therefore, traffic remains stable on the active-primary firewall.
You have control over which firewall owns the floating IP address, so you can keep new and existing sessions on the active-primary firewall.
You can verify a firewall is fully functional before you manually pass ownership of the floating IP address back to it.
Multicast Route Setup Buffering
You can now enable buffering of the first packet in a multicast session when the multicast route or forwarding information base (FIB) entry does not yet exist for the corresponding multicast group. By default, the firewall does not buffer the first multicast packet in a new session; instead, it uses the first packet to set up the multicast route. This is expected behavior for multicast traffic. You need to enable multicast route setup buffering only if your content servers are directly connected to the firewall and your custom application cannot withstand the first packet in the session being dropped.
Per VLAN Spanning Tree (PVST+) BPDU Rewrite
When an interface on the firewall is configured for a Layer 2 deployment, the firewall now rewrites the inbound Port VLAN ID (PVID) number in a Cisco per-VLAN spanning tree (PVST+) bridge protocol data unit (BPDU) to the proper outbound VLAN ID number and forwards it out. This new default behavior in PAN-OS 7.1 allows the firewall to correctly tag Cisco proprietary Per VLAN Spanning Tree (PVST+) and Rapid PVST+ frames between Cisco switches in VLANs on either side of the firewall. Thus, spanning tree loop detection using Cisco PVST+ functions properly. There is no behavior change for other types of spanning tree.
Configurable MSS Adjustment Size
The Maximum Segment Size (MSS) adjustment size is now configurable. The firewall derives the MSS it advertises by subtracting the adjustment size from the interface MTU, so the adjustment is the number of bytes reserved for the IP and TCP headers in an Ethernet frame. You can expand the adjustment size beyond the 40-byte default (a minimal IPv4 header plus a minimal TCP header) to accommodate longer headers. For example, if you are forwarding a packet through an MPLS network where multiple labels can be added to the packet, you may need to increase the adjustment size so that the resulting segments still fit the path MTU.
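As an added example (not PAN-OS code or text from this page), the block below derives the MSS from an interface MTU and adjustment size, then clamps the MSS option carried in a raw TCP SYN to that value. The SYN is constructed inline; the helper names and the two-label MPLS case (4 bytes per label, so an adjustment of 48) are assumptions for illustration, and only IPv4 is considered.

```python
"""Added example (not PAN-OS code): MSS = MTU - adjustment size, and MSS
option clamping on a TCP SYN as a firewall in the path would perform it."""
import struct

MIN_IPV4_TCP_ADJUST = 40   # 20-byte IPv4 header + 20-byte TCP header


def mss_from_mtu(mtu, adjustment=MIN_IPV4_TCP_ADJUST):
    """Return the MSS to advertise. Each MPLS label on the path is 4 bytes
    that must also be subtracted, so raise `adjustment` accordingly."""
    if adjustment < MIN_IPV4_TCP_ADJUST:
        raise ValueError("adjustment cannot be below the 40-byte IPv4+TCP minimum")
    return mtu - adjustment


def build_syn(sport, dport, mss):
    """Constructed sample: a TCP SYN whose only option is MSS (kind 2, len 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_off << 4,
                      0x02, 65535, 0, 0)
    return hdr + opts


def clamp_mss(tcp_hdr, max_mss):
    """Rewrite the MSS option if it exceeds max_mss.
    Returns (new_header_bytes, original_mss_or_None). Malformed option lists
    are left untouched. The TCP checksum is left for the caller to recompute."""
    data_off = (tcp_hdr[12] >> 4) * 4
    opts = bytearray(tcp_hdr[20:data_off])
    orig = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                # malformed length: do not touch the packet
        if kind == 2 and length == 4:
            orig = struct.unpack("!H", opts[i + 2:i + 4])[0]
            if orig > max_mss:
                opts[i + 2:i + 4] = struct.pack("!H", max_mss)
        i += length
    return bytes(tcp_hdr[:20]) + bytes(opts) + bytes(tcp_hdr[data_off:]), orig


if __name__ == "__main__":
    print(mss_from_mtu(1500))        # 1460 with the default 40-byte adjustment
    print(mss_from_mtu(1500, 48))    # 1452 when two MPLS labels are expected
    syn = build_syn(40000, 443, 1460)
    clamped, before = clamp_mss(syn, mss_from_mtu(1500, 48))
    print(before, clamp_mss(clamped, 1452)[1])   # 1460 1452
```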
DHCP Client Support on the Management Interface
The management interface on the firewall now supports DHCP client for IPv4, which allows the management interface to receive its IPv4 address from a DHCP server. The management interface also supports DHCP Option 12 and Option 61, which allow the firewall to send its hostname and client identifier, respectively, to a DHCP server.
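The following is an added example, not PAN-OS code or text from this page: it builds the options field of a DHCPDISCOVER carrying Option 12 (Host Name) and Option 61 (Client Identifier) in the RFC 2132 TLV layout, and parses such a field back. The hostname and MAC address are constructed sample values; the client identifier uses hardware type 1 (Ethernet) followed by the MAC, which is the conventional form but not the only one a client may send.

```python
"""Added example (not PAN-OS code): RFC 2132 DHCP option encoding/decoding
for Option 12 (Host Name) and Option 61 (Client Identifier)."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_MSG_TYPE, OPT_HOSTNAME, OPT_CLIENT_ID, OPT_END = 53, 12, 61, 255
DHCPDISCOVER = 1


def encode_options(hostname, mac):
    """Return the options field for a DHCPDISCOVER that announces hostname
    and an Ethernet (htype 1) client identifier."""
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length must be 1..255 bytes")
    client_id = b"\x01" + bytes.fromhex(mac.replace(":", ""))
    out = bytearray(MAGIC_COOKIE)
    out += bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    out += bytes([OPT_HOSTNAME, len(name)]) + name
    out += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    out += bytes([OPT_END])
    return bytes(out)


def decode_options(data):
    """Parse an options field into a dict. Truncated options raise rather
    than being silently accepted, since a server acts on these values."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    parsed = {}
    i = 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code == OPT_HOSTNAME:
            # Untrusted client-supplied string: decode leniently, never exec.
            parsed["hostname"] = value.decode("ascii", "replace")
        elif code == OPT_CLIENT_ID and length >= 2:
            parsed["client_id_htype"] = value[0]
            parsed["client_id"] = ":".join("%02x" % b for b in value[1:])
        elif code == OPT_MSG_TYPE and length == 1:
            parsed["msg_type"] = value[0]
        i += 2 + length
    return parsed


if __name__ == "__main__":
    # Constructed sample values, not a real device.
    field = encode_options("fw-mgmt01", "00:11:22:33:44:55")
    print(field.hex())
    print(decode_options(field))
```

A DHCP server (or a log pipeline reading its leases) should treat Option 12 as an untrusted client-chosen string; it is not an authenticated identity, and the Option 61 value is equally spoofable.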
Increase in Number of DHCP Servers per DHCP Relay Agent
In a DHCP relay agent configuration, each Layer 3 Ethernet or VLAN interface now supports up to eight IPv4 DHCP servers and eight IPv6 DHCP servers. This is an increase over the previous limit of four DHCP servers per interface per IP address family.
PA-3000 Series and PA-500 Firewall Capacity Increases
PA-3000 Series and PA-500 firewalls support more ARP entries, MAC addresses, and IPv6 neighbors than they supported in prior releases. Additionally, PA-3000 Series firewalls support more FIB addresses.
SSL/SSH Session End Reasons
The Session End Reason column in Traffic logs now indicates the reason for SSL/SSH session termination. For example, the column might indicate that a server certificate expired if you configured certificate expiration as a blocking condition for SSL Forward Proxy decryption. You can use SSL/SSH session end reasons to troubleshoot access issues for internal users requesting external services or for external users requesting internal services.
Fast Identification and Mitigation of Sessions that Overutilize the Packet Buffer
A new CLI command (show running resource-monitor ingress-backlogs) on any hardware-based firewall platform allows you to see the packet buffer percentage used, the top five sessions using more than two percent of the packet buffers, and the source IP addresses associated with those sessions. This information is very helpful when a firewall exhibits signs of resource depletion and starts buffering inbound packets, because it is an indication that the firewall might be experiencing an attack. Another new CLI command (request session-discard [timeout <x>] [reason <reason_string>] id <session_id>) allows you to immediately discard a session without a commit.
FPP Optimization on PA-7080 Firewalls
In PAN-OS 7.1.4-h2 and later PAN-OS 7.1 releases, First Packet Processor (FPP) performance on the PA-7080 firewall is further optimized to enhance maximum session establishment rate