Changes to Default Behavior

When you generate a new API key, the key metadata includes a timestamp of the creation date which makes the key size larger than those generated with PAN-OS version earlier than 9.0.

Starting with PAN-OS 9.0.4, the firewall enforces password complexity for the default admin account on the first log in. If the current password doesn't meet the complexity requirements, the device prompts you to change it.

The new password must have a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters.

This change does not affect other administrative users.

The firewall now processes and inspects HTTP/2 traffic by default.

If you want to disable HTTP/2 inspection, you can specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: select ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Forward Proxy and then select Strip ALPN. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.

Application default—which enables you to allow applications only on their most commonly-used ports—now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP and POP3.

This means that, if you’re decrypting SSL traffic, a security policy that allows web-browsing on the application default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.

To enhance security, if you currently have a security policy rule configured to allow web-browsing on service-HTTP and service-HTTPS, you might consider updating the rule to instead allow web-browsing on the application-default ports:

The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.

As of PAN-OS 9.0.10, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).

To enable resource-control groups, use:

To disable resource-control groups, use:

To set the memory limit, use:

To remove the memory limit, use:

Reboot the firewall to ensure the memory limit change takes effect.

The certificate authorities (CAs) that the firewall trusts by default are updated; new trusted root CAs are added and expired CAs are removed. To view and manage the lists of CAs that the firewall trusts by default, select DeviceCertificate ManagementCertificatesDefault Trusted Certificate Authorities.

The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB memory, it will default to the system capacities (number of sessions, rules, security zones, address objects, etc) associated with the VM-50 Lite.

Beginning with PAN-OS 9.0, the built-in VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud platforms. Also, the bootstrap package now has an optional /plugins folder for upgrading a plugin. To configure plugin integrations, select DeviceVM-Series.

In Panorama™ 9.0 the VM-Series plugin is available in PanoramaPlugins but must be manually installed.

In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.

PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).

By default, VXLAN tunnels now automatically use the VNI Session key to create a VNI Session, which is visible in logs.

If you prefer to use the UDP Session key for VXLAN (as you did in previous releases), you can define a custom application for VXLAN and use an application override policy to invoke your custom application.

If you're using Security Group Tags (SGTs) to control user and device access in a Cisco Trustsec network, inline firewalls in Layer 2 or Virtual Wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.

In PAN-OS 8.1 and earlier, administrators needed to add a rule to decrypt TLS sessions to apply authentication policy. In PAN-OS 9.0, the firewall applies the authentication policy without needing to decrypt the session.

In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address, and the associated tags, and update the membership information for a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Any policy matches for updates on a registered IP address (IP-tag mapping) are reflected only in new sessions. Any existing sessions are reevaluated for a policy match when you perform a commit or the App-ID™ on the session changes.

In earlier release versions, URL category overrides received priority enforcement over custom URL categories. However, override priority goes away in PAN-OS 9.0 with the conversion of URL category overrides to custom URL categories. After you upgrade, the firewall enforces the new custom URL category using the Security policy rule with the strictest URL Filtering profile action. From most to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow. As a result, overrides with the allow action might be blocked after being converted to custom URL categories.

For more details on this, review PAN-OS 9.0 Upgrade and Downgrade Considerations.

To ensure your users can continue to authenticate successfully with SAML Authentication, you must:

The cleartext proxy is enabled by default for SIP TCP sessions when a segmented SIP header is detected. This helps with the correct reassembly and ordering of TCP segments for proper ALG operation.

You can disable this option if SIP message sizes are generally smaller than the MSS and when the SIP messages fit within a single segment, or if you need to ensure TCP proxy resources are reserved for SSL forward proxy or HTTP/2.

Firewalls started using DNSProxy daemon instead of Linux network stack to resolve FQDNs, and therefore there is a difference in the ability of Panorama and firewalls to resolve FQDNs. Both Panorama and firewalls require that when you create an address object using an FQDN, you enter an FQDN and not just a hostname.

In PAN-OS 9.0 and later, firewalls no longer download a PAN-DB seed database or incremental database updates; instead, firewalls populate the cache as URL queries are made. In an active/passive HA environment, as database updates are no longer applicable, only the active firewall connects to PAN-DB to perform URL lookups. Should a failure occur, the passive firewall transitions to an active state, and will establish a connection to PAN-DB.

After a successful upgrade to PAN-OS 9.0, the subject line for system events forwarded to an email address have a maximum of 99 characters. This means that email subject lines that exceed 95 characters are truncated with an ellipsis (...) to indicate there is additional text to review.