PAN-OS® 8.0 has the following changes in default behavior for firewall and Panorama™ management features:
(PAN-OS 8.0.6 and later releases) Connections to a Syslog server over TLS are validated using the Online Certificate Status Protocol (OCSP) when available. However, you cannot bypass OCSP failures, so you must ensure the certificate chain is valid and can be verified using OCSP.
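Because OCSP failures cannot be bypassed, it helps to confirm before upgrading that the syslog server's certificate has a reachable responder that returns a verified "good" status. The script below is an added example using the OpenSSL command-line tool, not part of the Palo Alto Networks documentation; the file names, the host syslog.example.test and the verdict words are assumptions.

```shell
#!/bin/sh
# Added example: OCSP pre-flight for a syslog server certificate before upgrading.
# Assumed inputs: leaf.pem (server cert), issuer.pem (its issuing CA), ca.pem (trust bundle).
# One way to capture them (placeholder host, standard syslog-over-TLS port 6514):
#   openssl s_client -connect syslog.example.test:6514 -showcerts </dev/null

# Print the OCSP responder URL from the certificate (empty when it has none).
ocsp_uri() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Reduce combined stdout+stderr of `openssl ocsp` to one verdict word.
# A failed signature check on the response outranks any status it reports.
classify_ocsp() {
  case "$1" in
    *"Response Verify Failure"*) echo "untrusted-response" ;;
    *": revoked"*)               echo "revoked" ;;
    *": unknown"*)               echo "unknown" ;;
    *": good"*)                  echo "good" ;;
    *)                           echo "no-response" ;;
  esac
}

# Query the responder and succeed only on a verified "good" answer.
preflight() {
  pf_uri="$(ocsp_uri "$1")"
  if [ -z "$pf_uri" ]; then
    echo "no-ocsp-uri"   # nothing to query; OCSP is not available for this cert
    return 2
  fi
  pf_out="$(openssl ocsp -issuer "$2" -cert "$1" -url "$pf_uri" -CAfile "$3" 2>&1 || true)"
  pf_verdict="$(classify_ocsp "$pf_out")"
  echo "$pf_verdict"
  [ "$pf_verdict" = "good" ]
}

# Constructed sample of responder output, for reading the classifier offline.
SAMPLE_REVOKED='Response verify OK
leaf.pem: revoked
	This Update: Jan  1 00:00:00 2024 GMT'

if [ "$#" -eq 3 ]; then
  preflight "$1" "$2" "$3"
fi
```

Run it as `sh ocsp_preflight.sh leaf.pem issuer.pem ca.pem` (assumed script name); any verdict other than `good` is worth resolving before the upgrade.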
PA-7000 Series Log Collection
After you upgrade to PAN-OS 8.0, Panorama will no longer consider the PA-7000 Series firewall as a Log Collector; all logs the firewall generates after upgrade will be viewable only from the local firewall and not from Panorama.
After you upgrade your Panorama appliance to PAN-OS 8.0.8 (or a later release), you can configure Panorama to directly query PA-7000 Series firewalls when you select Remote Device Data as the Data Source by running the following command from the Panorama CLI:
This only enables Panorama to query the PA-7000 Series firewalls it manages. To run reports on PA-7000 Series log data, you must enable log forwarding to Panorama on each PA-7000 Series firewall that Panorama manages.
This means that, after you upgrade, you must enable log forwarding to Panorama if you want to continue to see an aggregated view of your logs from Panorama.
Before you upgrade your PA-7000 Series firewall to PAN-OS 8.0, make sure your Log Collectors have enough capacity to support the log collection rates required by your PA-7000 Series firewall. Refer to the Table: Panorama Log Storage and Collection Rates (Panorama Models) to determine if your existing logging infrastructure can handle the logging rate and log storage requirements of your PA-7000 Series firewalls. If you are not sure of the logging rate, run the following CLI command from the firewall:
As soon as you enable log forwarding to Panorama, the PA-7000 Series firewall begins forwarding new logs to Panorama. However, to maintain the ability to view historic log data on Panorama, you need to migrate the logs from the PA-7000 Series firewall to the Log Collector.
To create a snapshot file for the candidate configuration, you must now select Save at the top right of the web interface.
External dynamic lists
In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware Profile. You could attach the Anti-Spyware Profile to a policy rule, and sessions that matched that rule then triggered passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature, and when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.
The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.
Content and software updates
Logging for RAID events
M-Series appliances, PA-7000 Series firewalls, and PA-5200 Series firewalls now generate System logs with a severity level set to critical instead of medium for the