New Networking Features
Tunnel Content Inspection
The firewall can now inspect the traffic content of cleartext tunnel protocols: GRE, non-encrypted IPSec, and GTP-U.
This enables you to enforce Security, DoS Protection, and QoS policies on traffic in these types of tunnels and traffic nested within another cleartext tunnel (for example, Null Encrypted IPSec inside a GRE tunnel). You can also view tunnel inspection logs and tunnel activity in the ACC to verify that tunneled traffic complies with corporate security and usage policies.
The firewall supports tunnel content inspection of GRE and non-encrypted IPSec on all firewall models. It supports tunnel content inspection of GTP-U on PA-5200 Series firewalls and VM-Series firewalls. The firewall is not terminating the GRE, non-encrypted IPSec, or GTP-U tunnel. For information on full GTP inspection, see GPRS Tunneling Protocol (GTP) Security.
Multiprotocol BGP
The firewall now supports Multiprotocol BGP (MP-BGP) so that a firewall enabled with BGP can advertise IPv4 multicast routes and IPv6 unicast routes (in addition to the IPv4 unicast routes it already supports) in BGP Update messages. In this way, MP-BGP provides IPv6 connectivity for your BGP networks that use either native IPv6 or dual stack IPv4 and IPv6. For example, in a service provider environment, you can offer IPv6 service to customers. In an enterprise environment, you can use IPv6 service from service providers.
You can also separate your unicast and multicast traffic so they take different paths, in case you need multicast traffic to undergo less latency or take fewer hops.
Static Route Removal Based on Path Monitoring
You can now use path monitoring to determine if a static or default route is down. If path monitoring to one or more monitored destinations fails, the firewall considers the static or default route down and uses an alternative route so that the traffic is not black-holed (silently discarded). Likewise, the firewall advertises an alternative static route (rather than a failed route) for route redistribution into a dynamic routing protocol.
You can enable path monitoring on static routes between routers, on static routes where a peer does not support Bidirectional Forwarding Detection (BFD), and on static routes where policy-based forwarding (PBF) path monitoring is insufficient because it does not replace failed routes with alternative routes.
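The failover and redistribution behaviour described above, modelled as an added example (not PAN-OS code): a static route with monitored destinations is withdrawn when probes fail, the next-best usable route takes over, and only installed routes are offered for redistribution. The `failure_condition` of "any" (the "one or more" case the text describes) versus "all" is an assumed generalization.

```python
from dataclasses import dataclass


@dataclass
class StaticRoute:
    prefix: str
    next_hop: str
    metric: int
    monitored: tuple = ()              # destinations probed through this next hop
    failure_condition: str = "any"     # "any": one failed probe downs the route; "all": every probe must fail


def route_is_up(route, probe_results):
    """probe_results maps a monitored destination to True (reachable) or False.
    A route without path monitoring is always considered up."""
    if not route.monitored:
        return True
    states = [probe_results.get(dst, False) for dst in route.monitored]
    if route.failure_condition == "all":
        return any(states)             # up while at least one destination answers
    return all(states)                 # "any": a single failure removes the route


def select_route(routes, prefix, probe_results):
    """Lowest-metric usable route for the prefix, or None if every candidate is down."""
    usable = [r for r in routes if r.prefix == prefix and route_is_up(r, probe_results)]
    return min(usable, key=lambda r: r.metric, default=None)


def routes_to_redistribute(routes, probe_results):
    """Only the route actually installed per prefix is advertised into a dynamic protocol,
    so a failed primary is never redistributed while its alternative carries traffic."""
    installed = {}
    for prefix in {r.prefix for r in routes}:
        best = select_route(routes, prefix, probe_results)
        if best is not None:
            installed[prefix] = best
    return installed


# Constructed sample: a monitored default route with an unmonitored backup.
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.1.1.1", 10, monitored=("198.51.100.1", "203.0.113.1")),
    StaticRoute("0.0.0.0/0", "10.2.2.1", 20),
]
```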
IPv6 Router Advertisement for DNS Configuration
To make DNS resolution easier for your IPv6 hosts, the firewall now has enhanced Neighbor Discovery (ND) so that you can provision IPv6 hosts joining the network with Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options, eliminating the need for a separate DHCPv6 server. The firewall sends IPv6 Router Advertisements with these options; thus, your IPv6 hosts are configured with recursive DNS server addresses and a DNS search list.
NDP Monitoring for Fast Device Location
You can now enable Neighbor Discovery Protocol (NDP) monitoring for a dataplane interface on the firewall so that you can view the IPv6 addresses of devices on the link local network, their corresponding MAC address, and username from User-ID™ (if the user of that device uses the directory service to log in). Having these three pieces of information in one place about a device that violates a security rule allows you to quickly track the device. You can also monitor IPv6 ND logs to make troubleshooting easier.
Zone Protection for Non-IP Protocols on a Layer 2 VLAN or Virtual Wire
You can now whitelist or blacklist non-IP protocols between security zones or between interfaces within a security zone in a Layer 2 VLAN or on a virtual wire. The firewall normally passes non-IP protocols between Layer 2 zones and between virtual wire zones; with this feature, you can now control non-IP protocols between these zones. For example, if you don’t want legacy Windows XP hosts to discover other NetBEUI-enabled hosts on another zone, you can configure a Zone Protection profile to blacklist NetBEUI on the ingress zone.
Global and Zone Protection for Multi-path TCP (MPTCP) Evasions
You can now enable or disable Multi-path TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi-Fi and cellular networks as they move—this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone.
Zone Protection for SYN Data Payloads
You can now drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. In case the payload is malicious—for example if it contains command and control traffic or it is being used to exfiltrate data—dropping such packets can prevent successful attacks.
The TCP Fast Open option preserves the speed of a connection setup by including data in the payload of SYN and SYN-ACK packets. The Zone Protection profile treats TCP handshakes that use the Fast Open option separately from other SYN and SYN-ACK packets; the profile is set to allow the handshake packets if they contain a valid Fast Open cookie.
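The two handshake checks above (MPTCP per zone and SYN data payloads with the Fast Open exception) share the same TCP option parsing, so one added example covers both. This is illustrative code, not the firewall's implementation: it builds constructed TCP segments, parses the option list, drops SYN/SYN-ACK segments that carry data unless a well-formed TFO cookie (kind 34, 4..16 byte cookie per RFC 7413) is present, and flags the MPTCP option (kind 30); treating a flagged MPTCP segment as dropped when MPTCP is disabled for the zone is an assumption.

```python
import struct

TCP_FLAG_SYN, TCP_FLAG_ACK = 0x02, 0x10
OPT_EOL, OPT_NOP = 0, 1
OPT_MPTCP = 30   # Multipath TCP option kind (RFC 6824)
OPT_TFO = 34     # TCP Fast Open option kind (RFC 7413)


def build_tcp_segment(flags, options=b"", payload=b""):
    """Constructed test segment: dummy ports/seq numbers, options padded to 32-bit words."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp_options(raw):
    """Return [(kind, data)] for each option; stop at EOL or a truncated/bad length."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break
        out.append((kind, raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return out


def inspect_syn(segment, mptcp_allowed=True):
    """Classify a SYN or SYN-ACK segment as a Zone Protection profile would (assumed logic)."""
    data_offset = (segment[12] >> 4) * 4
    flags = segment[13]
    options = dict(parse_tcp_options(segment[20:data_offset]))
    payload_len = len(segment) - data_offset
    cookie = options.get(OPT_TFO)                    # b"" means a cookie request, not a cookie
    valid_tfo = cookie is not None and 4 <= len(cookie) <= 16
    verdict = {"syn": bool(flags & TCP_FLAG_SYN), "ack": bool(flags & TCP_FLAG_ACK),
               "payload": payload_len, "tfo_cookie": valid_tfo,
               "mptcp": OPT_MPTCP in options, "action": "allow"}
    if verdict["syn"] and payload_len > 0 and not valid_tfo:
        verdict["action"] = "drop"                   # SYN data payload without Fast Open cookie
    elif verdict["mptcp"] and not mptcp_allowed:
        verdict["action"] = "drop"                   # MPTCP disabled for this zone (assumed action)
    return verdict
```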
Hardware IP Address Blocking
When you configure the firewall with a DoS Protection policy or Vulnerability Protection profile to block packets from specific IPv4 addresses, the firewall now automatically blocks that traffic in hardware before those packets use CPU or packet buffer resources. Blocking traffic by default in hardware allows the firewall to stop DoS attacks even faster than blocking traffic in software. If the amount of attack traffic exceeds the hardware block capacity, then IP blocking mechanisms in the software block the excess traffic. This feature is supported on PA-3050, PA-3060, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls.
Packet Buffer Protection
Packet buffer protection allows you to protect the firewall from being impacted by single source denial of service (DoS) attacks. These attacks come from sessions or IP addresses that are not blocked by Security policy. After a session is permitted by the firewall, it can generate such a high volume of traffic that it overwhelms the firewall packet buffer and causes the firewall to appear to hang as both attack and legitimate traffic are dropped. The firewall tracks the top packet buffer consumers and gives you the ability to configure global thresholds that specify when action is taken against these sessions. After identifying a session as abusive, the firewall uses Random Early Drop (RED) as a first line of defense to throttle the offending session and then discards the session if the abuse continues. If a particular IP address creates many sessions that are discarded, the firewall blocks it.
Reconnaissance Protection Source Address Exclusion
Zone protection’s reconnaissance protection detects and takes action against host sweep and TCP and UDP port scans. This is useful against attackers searching for vulnerabilities. However, it can also negatively impact legitimate scanning activities, such as network security testing or fingerprinting. You can now whitelist source addresses to exclude them from reconnaissance protection. This allows you to protect your network from reconnaissance attacks while allowing legitimate monitoring tools.
IKE Peer and IPSec Tunnel Capacity Increases
The PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls now support more IKE peers and IPSec tunnels than in prior releases. This is a benefit in service provider and large enterprise environments where you need to support many site-to-site VPN peers and IPSec VPN connections between remote sites.
ECMP Enhancement to IP Hash
(PAN-OS 8.0.3 and later releases)
ECMP has a new load balancing option that uses an IP hash of the source address in the packet header. The Use Source Address Only option ensures that all sessions belonging to the same source IP address always take the same path from the available multiple paths, thus making troubleshooting easier.
If you enable the Use Source Address Only option, you shouldn’t push the configuration from Panorama™ to firewalls running PAN-OS 8.0.2, 8.0.1, or 8.0.0.