Management Changes

PAN-OS® 8.0 has the following changes in default behavior for firewall and Panorama™ management features:
Log Forwarding
(PAN-OS 8.0.6 and later releases) Connections to a syslog server over TLS are validated using the Online Certificate Status Protocol (OCSP) when available. OCSP failures cannot be bypassed, so you must ensure the syslog server's certificate chain is valid and can be verified using OCSP.
PA-7000 Series Log Collection
After you upgrade to PAN-OS 8.0, Panorama will no longer consider the PA-7000 Series firewall as a Log Collector; all logs the firewall generates after upgrade will be viewable only from the local firewall and not from Panorama.
After you upgrade your Panorama appliance to PAN-OS 8.0.8 (or a later release), you can configure Panorama to directly query PA-7000 Series firewalls when you select Remote Device Data as the Data Source by running the following command from the Panorama CLI:
> debug-reportd send-request-to-7k yes
This only enables Panorama to query the PA-7000 Series firewalls it manages. To run reports on PA-7000 Series log data, you must enable log forwarding to Panorama on each PA-7000 Series firewall that Panorama manages.
This means that, after you upgrade, you must enable log forwarding to Panorama if you want to continue to see an aggregated view of your logs from Panorama.
Before you upgrade your PA-7000 Series firewall to PAN-OS 8.0, make sure your Log Collectors have enough capacity to support the log collection rates required by your PA-7000 Series firewall. Refer to the Table: Panorama Log Storage and Collection Rates (Panorama Models) to determine whether your existing logging infrastructure can handle the logging rate and log storage requirements of your PA-7000 Series firewalls. If you are not sure of the logging rate, run the following CLI command from the firewall:
> debug log-receiver statistics
As soon as you enable log forwarding to Panorama, the PA-7000 Series firewall begins forwarding new logs to Panorama. However, to maintain the ability to view historic log data on Panorama, you need to migrate the logs from the PA-7000 Series firewall to the Log Collector.
Management access
  • By default, the firewall and Panorama no longer allow management access over TLSv1.0 connections. If you accept this default, any scripts that require management access (such as API scripts) must support TLSv1.1 or later TLS versions. To overcome the default restriction, you can configure an SSL/TLS service profile that allows TLSv1.0 and assign the profile to the interface used to access the firewall or Panorama.
  • To configure the management (MGT) interface on the firewall, you now select Device > Setup > Interfaces instead of Device > Setup > Management.
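The first bullet above means that API scripts must be able to negotiate TLSv1.1 or later. As an added example (not Palo Alto Networks code), the following Python client requests a PAN-OS XML API key while pinning the connection to TLSv1.2 and verifying the firewall certificate, so a script that would silently fall back to TLSv1.0 fails loudly instead; the hostname and credentials used below are constructed.

```python
"""Added example: PAN-OS XML API key request that refuses TLSv1.0 (not Palo Alto Networks code)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def make_tls_context(cafile=None):
    """TLS context that verifies the firewall certificate and never negotiates below TLSv1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # PAN-OS 8.0 rejects TLSv1.0 by default anyway
    return ctx


def keygen_request(host, user, password):
    """Build a POST to /api/?type=keygen so the credentials stay out of the URL and web logs."""
    body = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return urllib.request.Request(f"https://{host}/api/", data=body.encode(), method="POST")


def parse_keygen_response(xml_text):
    """Extract the key from <response status="success"><result><key>...</key></result></response>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext("./result/msg") or root.findtext("./msg/line") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contained no key")
    return key


def get_api_key(host, user, password, cafile=None):
    """Fetch an API key; raises ssl.SSLError if the peer only offers TLSv1.0 or TLSv1.1."""
    req = keygen_request(host, user, password)
    with urllib.request.urlopen(req, context=make_tls_context(cafile), timeout=10) as resp:
        return parse_keygen_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values; replace with your firewall's management address and an API-capable account.
    print(get_api_key("fw.example.net", "apiuser", "CHANGE-ME", cafile="/path/to/firewall-ca.pem"))
```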
Configuration backups
To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface.
External dynamic lists
  • When retrieving an external dynamic list from a source with an HTTPS URL, the firewall now authenticates the digital certificates of the list source. You must configure a certificate profile to authenticate the source. If the source authentication fails, the firewall stops enforcing policy based on the list contents.
  • In PAN-OS 7.1, the firewall supported a maximum of 30 unique sources for external dynamic lists and enforced the maximum number even if the external dynamic list was not used in policy. Beginning in PAN-OS 8.0, only the lists you use to enforce policy will count toward the maximum number allowed.
  • Entries in an external dynamic list (IP addresses, domains, and URLs) now only count toward the maximum number that the firewall supports if a security policy rule references the external dynamic list.
Anti-Spyware profiles
In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware Profile. You could attach the Anti-Spyware Profile to a policy rule, and sessions that matched that rule would then trigger passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature; when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.
Service routes
The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.
Content and software updates
  • Beginning with PAN-OS 8.0, the Verify Update Server Identity global services setting for installing content and software updates is enabled by default (Device > Setup > Services > Global).
  • PAN-OS now evaluates the last five content release versions instead of just the newest version when checking the Palo Alto Networks Update Server for a version that matches the Threshold age configured in an update schedule on a firewall (Device > Dynamic Updates > <update_type_schedule>) or a Panorama management server (Panorama > Dynamic Updates > <update_type_schedule>). This change ensures that an update is available for PAN-OS to perform the Action configured in an update schedule (download-only or download-and-install) when the Threshold age exceeds the frequency at which Palo Alto Networks releases the updates. For example, if a firewall has a Threshold of 48 hours for Applications and Threats content updates but Palo Alto Networks releases the updates every 24 hours, the latest update will never reach the 48-hour age Threshold required to trigger the Action, but one of the four previous updates will. PAN-OS also checks the last five content release versions for Antivirus updates.
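The Threshold example in the second bullet, worked through as an added model (not Palo Alto Networks code): a constructed schedule of daily content releases is checked against a 48-hour Threshold, once looking only at the newest version (the pre-8.0 behavior) and once looking at the last five (PAN-OS 8.0). It assumes that a release qualifies once its age is at least the Threshold and that versions are examined newest first.

```python
"""Added example: model of the Threshold-age selection described above (not Palo Alto Networks code)."""
from datetime import datetime, timedelta


def pick_update(release_times, threshold_hours, now, lookback=5):
    """Return the newest of the last `lookback` releases whose age meets the Threshold, or None.

    lookback=1 models the pre-8.0 behavior (only the newest version is examined);
    lookback=5 models PAN-OS 8.0, which examines the last five content release versions.
    Assumption: a release qualifies once its age is at least the configured Threshold.
    """
    threshold = timedelta(hours=threshold_hours)
    newest_first = sorted(release_times, reverse=True)[:lookback]
    for released in newest_first:
        if now - released >= threshold:
            return released
    return None


# Constructed schedule: content is released every 24 hours and the firewall checks at NOW
# with a 48-hour Threshold configured for Applications and Threats updates.
NOW = datetime(2018, 1, 10, 12, 0)
DAILY_RELEASES = [NOW - timedelta(hours=24 * i) for i in range(10)]


def pre_80_choice():
    # Only the newest version is examined and it is 0 hours old, so nothing is ever actioned.
    return pick_update(DAILY_RELEASES, 48, NOW, lookback=1)


def pan_os_80_choice():
    # Ages examined: 0, 24, 48, 72, 96 hours; the 48-hour-old release is the first to qualify.
    return pick_update(DAILY_RELEASES, 48, NOW, lookback=5)


def too_large_threshold():
    # Only five versions are examined even in 8.0, so a Threshold beyond the oldest of them
    # (96 hours here) still finds nothing; keep the Threshold within five release intervals.
    return pick_update(DAILY_RELEASES, 120, NOW, lookback=5)


if __name__ == "__main__":
    print("pre-8.0 (newest only):", pre_80_choice())
    print("PAN-OS 8.0 (last five):", pan_os_80_choice())
    print("Threshold 120 h (last five):", too_large_threshold())
```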
Log Forwarding
  • Firewalls, Panorama management servers, and Dedicated Log Collectors now support only TLSv1.2 for the SSL/TLS connections used to forward logs to syslog servers.
  • (PAN-OS 8.0.6 and later releases) Firewalls, Panorama management servers, and Dedicated Log Collectors now check the revocation status of syslog server certificates to improve the security of connections to syslog servers.
Logging for RAID events
M-Series appliances, PA-7000 Series firewalls, and PA-5200 Series firewalls now generate System logs with a severity level set to critical instead of medium for the disk-failed, disk-faulty, and pair-disappeared RAID events.
