Networking Features
PAN-OS® 8.1 includes Tunnel Content Inspection Logging, Dynamic
IP Address Support for Destination NAT, FQDN Support for IKE Gateway
Peer IP Address, Configuration Capacity Improvements, Refresh of Default
Trusted CAs, ARP Cache Timeout, and Logging of Packet-Based Attack Protection
Events.
New Networking Feature | Description |
---|---|
Tunnel Content Inspection Logging | Tunnel Content Inspection is enhanced so that you can separate logs for outer tunnel traffic from logs for inside traffic, which is subject to security policy rules. This separation provides more reporting options and enhanced ACC statistics, and makes troubleshooting long-lived sessions, such as GRE, easier. For example, using only the default logging for a security policy rule (which logs at session end) might not produce any logs, but now you can log tunnel sessions at the start and end of a session, allowing you to view all GRE traffic. You can also now forward tunnel inspection logs to one or more servers or to Panorama, which makes it more convenient to access log data. Additionally, a detailed tunnel inspection log now includes the name of the tunnel inspection rule applied to the session that was captured in the log, which makes it easier to track information about non-encrypted tunnel traffic. |
Dynamic IP Address Support for Destination NAT | You can now configure destination NAT to a translated destination host that has a DHCP-assigned IP address (not just to a host with a static IP address) because the translated address can now be an FQDN. This means that when the DHCP server assigns a new address to the host, you don’t have to manually update the FQDN, the DNS server, or the NAT policy rule—nor do you need to use a separate external component to update the DNS server with the latest FQDN-to-IP address mapping. With this capability, if the FQDN resolves to more than one address, the firewall automatically distributes sessions among those addresses (based on a round-robin algorithm) to provide more evenly distributed session loading. Also, in a single NAT rule, you can translate multiple pre-NAT destination IP addresses to multiple post-NAT destination IP addresses to support a many-to-many destination NAT translation. |
FQDN Support for IKE Gateway Peer IP Address | When you configure an IPSec tunnel with an IKE gateway peer, the peer’s address can now be an FQDN or an address object that uses an FQDN, which helps you avoid the need to reconfigure changed IP addresses for IKE endpoints. For example, if you have several satellite offices with multiple hub locations and VPN connectivity between firewalls at the satellites and the hub gateway, you can now configure the firewall in each satellite office with the IKE peer address of the hub as an FQDN. So if one hub goes down, the DNS server for that FQDN automatically resolves the FQDN to the IP address of the second hub and you don’t have to manually reconfigure the IKE peer to use the IP address of the second hub. |
Configuration Capacity Improvements | To help you scale your deployment and ease the migration to Palo Alto Networks firewalls, there are several configuration capacity improvements. Depending on the model, firewalls running PAN-OS 8.1 now support more address groups, service groups, service entries per service group, address objects, service objects, FQDN address objects, zones, tunnel zones, security rules, and tunnel inspection rules. Additionally, all firewalls running PAN-OS 8.1 support 63 characters per rule name. |
Refresh of Default Trusted CAs | The certificate authorities (CAs) that the firewall trusts by default are updated in PAN-OS 8.1; new CAs are added and expired CAs are removed. The pre-installed list of CAs includes the most common and trusted certificate providers responsible for issuing the certificates the firewall requires to secure connections to the internet. Because these CAs are trusted by default, you need to add only those additional trusted enterprise CAs that are required by your organization. |
ARP Cache Timeout | The fixed 1800-second timeout of ARP cache entries (mappings of IP addresses to hardware addresses) set on the firewall might not have suited your environment. You can now change the ARP cache timeout to a value in the range of 60 to 65,535 seconds. |
Logging of Packet-Based Attack Protection Events | (PAN-OS 8.1.2 or later releases) You now have a way to generate a Threat log when the firewall receives certain types of packets, so that you can more easily analyze these occurrences and also fulfill audit and compliance requirements. If you enable the following types of Packet-Based Attack Protection in a Zone Protection profile, you can generate a Threat log when the firewall receives and drops such packets: You can also generate Threat logs on the following events (which don’t require Packet-Based Attack Protection): |
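As an added illustration (not PAN-OS code or configuration), the Python model below shows the behaviour described for Dynamic IP Address Support for Destination NAT: a rule whose translated destination is an FQDN follows a DHCP-driven address change without a rule edit, and new sessions are spread round-robin when the FQDN resolves to several addresses. The DNS table, addresses, host name and rule name are constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Tuple
# Constructed DNS answers: FQDN -> addresses currently registered for it.
DNS_TABLE: Dict[str, List[str]] = {"web.example.internal": ["10.1.1.10", "10.1.1.11"]}

def resolve(fqdn: str) -> List[str]:
    """Stand-in for the firewall's periodic FQDN refresh (constructed data)."""
    return list(DNS_TABLE.get(fqdn, []))

def dhcp_reassign(fqdn: str, new_addrs: List[str]) -> None:
    """Simulate DHCP handing the host a new address and DNS being updated."""
    DNS_TABLE[fqdn] = list(new_addrs)

@dataclass
class DnatRule:
    name: str
    original_dst: str        # pre-NAT destination seen in the packet
    translated_fqdn: str     # post-NAT destination given as an FQDN
    _addrs: List[str] = field(default_factory=list, repr=False)
    _rr: Optional[Iterator[str]] = field(default=None, repr=False)

    def refresh(self) -> List[str]:
        """Re-resolve; restart the round-robin only if the answer set changed."""
        addrs = resolve(self.translated_fqdn)
        if addrs != self._addrs:
            self._addrs = addrs
            self._rr = cycle(addrs) if addrs else None
        return addrs

    def translate(self, dst: str) -> Optional[Tuple[str, str]]:
        """Pick the translated destination for a new session to dst."""
        if dst != self.original_dst:
            return None          # rule does not match this packet
        self.refresh()           # no rule edit needed after a DHCP change
        if self._rr is None:
            return None          # FQDN does not resolve: nothing to translate to
        return self.name, next(self._rr)

def session_targets(rule: DnatRule, dst: str, n: int) -> List[Optional[str]]:
    """Translated addresses chosen for n consecutive new sessions to dst."""
    return [hit[1] if (hit := rule.translate(dst)) else None for _ in range(n)]

def demo() -> Tuple[List[Optional[str]], List[Optional[str]]]:
    """Session targets before and after the host moves to a new DHCP address."""
    rule = DnatRule("dnat-web", "203.0.113.5", "web.example.internal")
    before = session_targets(rule, "203.0.113.5", 4)
    dhcp_reassign("web.example.internal", ["10.1.1.50"])
    return before, session_targets(rule, "203.0.113.5", 2)
if __name__ == "__main__":
    print(demo())
```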