PAN-OS® 8.0 has the following changes in default behavior for firewall and Panorama™ management features:
Log Forwarding
(PAN-OS 8.0.6 and later releases) Connections to a Syslog server over TLS are validated using the Online Certificate Status Protocol (OCSP) when available. However, you cannot bypass OCSP failures so you must ensure the certificate chain is valid and can be verified using OCSP.
PA-7000 Series Log Collection
After you upgrade to PAN-OS 8.0, Panorama will no longer consider the PA-7000 Series firewall as a Log Collector; all logs the firewall generates after upgrade will be viewable only from the local firewall and not from Panorama.
After you upgrade your Panorama appliance to PAN-OS 8.0.8 (or a later release), you can configure Panorama to directly query PA-7000 Series firewalls when you select Remote Device Data as the Data Source by running the following command from the Panorama CLI:
> debug-reportd send-request-to-7k yes
This only enables Panorama to query the PA-7000 Series firewalls it manages. To run reports on PA-7000 Series log data, you must enable log forwarding to Panorama on each PA-7000 Series firewall that Panorama manages.
This means that, after you upgrade, you must enable log forwarding to Panorama if you want to continue to see an aggregated view of your logs from Panorama.
Before you upgrade your PA-7000 Series firewall to PAN-OS 8.0, make sure your Log Collectors have enough capacity to support the log collection rates required by your PA-7000 Series firewall. Refer to the Table: Panorama Log Storage and Collection Rates (Panorama Models) to determine if your existing logging infrastructure can handle the logging rate and log storage requirements of your PA-7000 Series firewalls. If you are not sure of the logging rate, run the following CLI command from the firewall:
> debug log-receiver statistics
As soon as you enable log forwarding to Panorama, the PA-7000 Series firewall begins forwarding new logs to Panorama. However, to maintain the ability to view historic log data on Panorama, you need to migrate the logs from the PA-7000 Series firewall to the Log Collector.
To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface.
External dynamic lists
In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware Profile. You could attach the Anti-Spyware Profile to a policy rule, and sessions that matched that rule would then trigger passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature, and when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.
The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.
Content and software updates
Logging for RAID events
M-Series appliances, PA-7000 Series firewalls, and PA-5200 Series firewalls now generate System logs with a severity level set to critical instead of medium for the disk-failed, disk-faulty, and pair-disappeared RAID events.
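For the Log Forwarding change above, one way to confirm before upgrading that a syslog server certificate passes OCSP is to query its responder with OpenSSL. This is an added example, not Palo Alto Networks code. It assumes `openssl` is installed, reads "when available" as the certificate carrying an OCSP responder URL, and uses hypothetical file names and a constructed sample of responder output.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code. File names are hypothetical.

# Print the OCSP responder URL from the certificate's AIA extension (empty if none).
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Classify `openssl ocsp` output (stdin) for certificate file $1.
# Prints: good | revoked | unknown | unverified | error
classify_ocsp() {
    co_out=$(cat)
    # The per-certificate status line is "<cert file>: <status>".
    co_status=$(printf '%s\n' "$co_out" |
        awk -v p="$1: " 'index($0, p) == 1 { print substr($0, length(p) + 1); exit }')
    case "$co_status" in
        good|revoked|unknown) ;;
        *) echo error; return 0 ;;
    esac
    # A status taken from a response whose signature did not verify proves nothing.
    if printf '%s\n' "$co_out" | grep -q '^Response verify OK'; then
        echo "$co_status"
    else
        echo unverified
    fi
}

# $1 = syslog server cert, $2 = its issuer cert, $3 = trusted CA bundle (all PEM).
check_syslog_cert() {
    cs_uri=$(ocsp_uri "$1")
    if [ -z "$cs_uri" ]; then
        echo no-ocsp-url
        return 0
    fi
    openssl ocsp -issuer "$2" -cert "$1" -CAfile "$3" -url "$cs_uri" 2>&1 |
        classify_ocsp "$1"
}

if [ "$#" -eq 3 ]; then
    check_syslog_cert "$@"
else
    # Constructed sample of responder output, so the classifier runs offline.
    printf 'Response verify OK\nserver.pem: good\n\tThis Update: (constructed)\n' |
        classify_ocsp server.pem
fi
```

Any result other than `good` for a certificate that carries a responder URL means the chain or the responder needs fixing before TLS syslog forwarding is relied on.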