PAN-OS 8.1 introduces the following new management features: Configuration Table Export, Reporting Engine Enhancements, and Policy Rule Hit Count. PAN-OS 8.1.1 introduces a Software Integrity Check.
New Management Feature
Rule Usage Tracking
Obsolete or outdated firewall rules introduce unnecessary security risks that can be exploited by an attacker to execute a successful cyber attack. With rule usage tracking, you can readily identify unused rules, validate additions to the rulebase, and evaluate whether the policy implementation matches your enforcement needs. This capability gives you a way to identify obsolete rules to aid in the transition from port-based rules to App-ID based rules. The statistics for monitoring rule use include a timestamp for the most recent rule match, a timestamp for the first rule match, and a rule hit counter.
Configuration Table Export
Auditors often require snapshots of Panorama and firewall configuration in order to track and validate changes over time or to demonstrate compliance with industry standards. You can now export the configuration table of your rulebases and objects into a PDF or CSV format directly from the web interface, and provide the auditor an easy way to read and manipulate the data for analysis.
Reporting Engine Enhancements
Correlate system events with user activity to investigate network and platform behavior and use these correlations to create policies that guard against security risks and patterns you observe on your network. When a network event occurs, you can now overlay system logs on top of available activity logs in the ACC and use the newly added User Activity Report filters to include or exclude specific users, applications, IP addresses, or URL categories. Then, use the results of these reporting engine enhancements to reduce or prevent future risky behavior in your network.
Enhanced Application Logging
Enable the firewall to collect data that increases network visibility for Palo Alto Networks applications. For example, this increased network visibility enables Palo Alto Networks Magnifier to better categorize and establish a baseline for normal network activity, in order to detect unusual behavior that might indicate an attack. Enhanced Application Logging requires a Logging Service license, and you cannot view enhanced application logs; they are designed to be consumed only by Palo Alto Networks applications and services.
Software Integrity Check
Starting with PAN-OS 8.1.1, firewalls and Panorama perform software integrity checks for tamper detection and software corruption. The software integrity check validates that the operating system and data file structure are intact and as delivered by Palo Alto Networks. When the check is successful, a System log of informational severity is generated. If the check detects software corruption or possible appliance tampering, it generates a System log of critical severity on PAN-OS 8.1.1 and 8.1.2. Starting with PAN-OS 8.1.3, the appliance goes into maintenance mode when the check fails. For more details on how the software integrity check works, see the PAN-OS 8.1.1 Software Integrity Check article.
If you're using Panorama with GlobalProtect Cloud Service or the Logging Service, you must install Cloud Services plugin 1.0.3 before you upgrade Panorama to PAN-OS 8.1.1. If you attempt to upgrade Panorama to 8.1.1 with a Cloud Services plugin version earlier than 1.0.3, the Panorama upgrade will fail.
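The three Rule Usage Tracking statistics described above (hit counter, first-match timestamp, most-recent-match timestamp) are enough to sort a rulebase into cleanup candidates. The following Python sketch is an added example, not Palo Alto Networks code; the record layout, field names, rule names and thresholds are assumptions made for illustration and do not reflect an actual PAN-OS export format.

```python
from datetime import datetime, timedelta

NOW = datetime(2018, 10, 1)  # fixed review date so the result is reproducible

# Constructed sample records; field names are hypothetical, not a PAN-OS layout.
RULES = [
    {"name": "allow-web", "application": "web-browsing", "service": "application-default",
     "hit_count": 48213, "first_hit": "2018-03-02T08:14:00", "last_hit": "2018-09-30T23:51:00"},
    {"name": "legacy-tcp-8080", "application": "any", "service": "tcp-8080",
     "hit_count": 912, "first_hit": "2018-03-05T10:00:00", "last_hit": "2018-09-29T17:20:00"},
    {"name": "old-ftp", "application": "ftp", "service": "application-default",
     "hit_count": 37, "first_hit": "2018-03-10T09:30:00", "last_hit": "2018-04-11T12:05:00"},
    {"name": "temp-vendor", "application": "ssl", "service": "application-default",
     "hit_count": 0, "first_hit": "", "last_hit": ""},
    {"name": "new-saas", "application": "ssl", "service": "application-default",
     "hit_count": 154, "first_hit": "2018-09-20T07:45:00", "last_hit": "2018-09-30T18:02:00"},
]

def classify(rule, now, stale_days=90):
    """Return 'unused', 'stale' or 'active' from the hit counter and last match."""
    if rule["hit_count"] == 0:
        return "unused"  # never matched: candidate for removal
    age = now - datetime.fromisoformat(rule["last_hit"])
    return "stale" if age > timedelta(days=stale_days) else "active"

def is_port_based(rule):
    """Port-based rule: any application, but pinned to a specific service."""
    return rule["application"] == "any" and rule["service"] not in ("any", "application-default")

def triage(rules, now, stale_days=90, new_days=30):
    report = {"unused": [], "stale": [], "active": [],
              "port_based_in_use": [], "newly_matching": []}
    for rule in rules:
        state = classify(rule, now, stale_days)
        report[state].append(rule["name"])
        # Port-based rules that still carry traffic are App-ID migration candidates.
        if state == "active" and is_port_based(rule):
            report["port_based_in_use"].append(rule["name"])
        # A recent first match confirms a newly added rule is being hit.
        if rule["first_hit"] and now - datetime.fromisoformat(rule["first_hit"]) <= timedelta(days=new_days):
            report["newly_matching"].append(rule["name"])
    return report

if __name__ == "__main__":
    for bucket, names in triage(RULES, NOW).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

A zero hit counter is only meaningful relative to how long the counter has been collecting, so review "unused" rules against the rule's age before removing them.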