PAN-OS 8.1 introduces the following new management features:
Configuration Table Export, Reporting Engine Enhancements, and Policy
Rule Hit Count. PAN-OS 8.1.1 introduces a Software Integrity Check.
New Management Feature
Rule Usage Tracking
Obsolete or outdated firewall
rules introduce unnecessary security risks that can be exploited
by an attacker to execute a successful cyber attack. With rule usage tracking, you
can readily identify unused rules, validate additions to the rulebase,
and evaluate whether the policy implementation matches your enforcement
needs. This capability gives you a way to identify obsolete rules
to aid in the transition from port-based rules to App-ID based rules.
The statistics for monitoring rule use include a timestamp for the
most recent rule match, a timestamp for the first rule match, and
a rule hit counter.
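As an added example (not Palo Alto Networks code and not part of the original page), the following Python script shows how the three statistics could drive a rulebase review once they are available as CSV. The column names, timestamp format, 90-day threshold, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample; the column names and timestamp format are assumptions
# for this example, not the PAN-OS export schema.
SAMPLE_CSV = """name,hit_count,first_hit,last_hit
allow-web-appid,48211,2018-03-02 09:14:07,2018-09-30 23:58:41
allow-tcp-8080-legacy,17,2018-03-02 10:01:55,2018-04-11 16:20:03
allow-old-ftp,0,,
allow-dns,903344,2018-03-01 00:00:12,2018-10-01 07:45:00
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def classify_rules(csv_text, now, stale_after_days=90):
    """Return {rule_name: (status, detail)} from hit count and last-match time."""
    cutoff = now - timedelta(days=stale_after_days)
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = int(row["hit_count"] or 0)
        last_hit = row["last_hit"].strip()
        # A rule that never matched has a zero counter and no timestamps.
        if hits == 0 or not last_hit:
            result[row["name"]] = ("unused", "no recorded match")
            continue
        last = datetime.strptime(last_hit, TS_FORMAT)
        if last < cutoff:
            idle = (now - last).days
            result[row["name"]] = ("stale", f"last match {idle} days ago")
        else:
            result[row["name"]] = ("active", f"{hits} hits")
    return result


def removal_candidates(csv_text, now, stale_after_days=90):
    """Rule names to review for removal or App-ID conversion, in rulebase order."""
    statuses = classify_rules(csv_text, now, stale_after_days)
    return [name for name, (status, _) in statuses.items() if status != "active"]


if __name__ == "__main__":
    as_of = datetime(2018, 10, 1, 12, 0, 0)
    for name, (status, detail) in classify_rules(SAMPLE_CSV, as_of).items():
        print(f"{name:24} {status:7} {detail}")
```

Rules flagged as unused or stale are candidates for review, not automatic deletion; a rule that only matches during quarterly or annual activity can look stale under a short threshold.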
Configuration Table Export
Auditors often require snapshots of Panorama
and firewall configuration in order to track and validate changes
over time or to demonstrate compliance with industry standards.
You can now export the configuration table of
your rulebases and objects into a PDF or CSV format directly from
the web interface, and provide the auditor an easy way to read and
manipulate the data for analysis.
Reporting Engine Enhancements
Correlate system events with
user activity to investigate network and platform behavior and use
these correlations to create policies that guard against security
risks and patterns you observe on your network. When a network event
occurs, you can now overlay system logs on top of available activity
logs in the ACC and use the newly added User Activity Report filters
to include or exclude specific users, applications, IP addresses,
or URL categories. Then, use the results of these reporting engine enhancements to
reduce or prevent future risky behavior in your network.
Enhanced Application Logging
Enable the firewall to collect data that
increases network visibility for Palo Alto Networks applications.
For example, this increased network visibility enables Palo Alto
Networks Magnifier to better categorize and establish a baseline
for normal network activity, in order to detect unusual behavior
that might indicate an attack. Enhanced Application Logging requires
a Logging Service license, and you cannot view enhanced application
logs; they are designed to be consumed only by Palo Alto Networks
applications and services.
Software Integrity Check
Starting with PAN-OS 8.1.1, firewalls and
Panorama perform software integrity checks for tamper detection
and software corruption. The software integrity check validates
that the operating system and data file structure are intact and
as delivered by Palo Alto Networks. When the check is successful,
a System log of informational severity is generated. If the check
detects software corruption or possible appliance tampering, it
generates a System log of critical severity on PAN-OS 8.1.1 and
8.1.2. Starting with PAN-OS 8.1.3, the appliance goes into maintenance
mode when the check fails.
If you're using Panorama with GlobalProtect
Cloud Service or the Logging Service, you must install Cloud Services
plugin 1.0.3 before you upgrade Panorama to PAN-OS 8.1.1. If you
attempt to upgrade Panorama to 8.1.1 with a Cloud Services plugin
version earlier than 1.0.3, the Panorama upgrade will fail.