Changes to Default Behavior

Changes to the default behavior in PAN-OS® 9.0
The following table details the changes in default behavior upon upgrade to PAN-OS 9.0. You may also want to review the CLI Changes in PAN-OS 9.0 and the Upgrade/Downgrade Considerations before upgrading to this release.
API Key Lifetime
When you generate a new API key, the key metadata includes a timestamp of the creation date, which makes the key larger than keys generated with PAN-OS versions earlier than 9.0.
Default Administrator Password Requirements
PAN-OS 9.0.4 and later 9.0 releases
Starting with PAN-OS 9.0.4, the firewall enforces password complexity for the default admin account on the first log in. If the current password doesn't meet the complexity requirements, the device prompts you to change it.
The new password must have a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters.
This change does not affect other administrative users.
HTTP/2 Inspection
The firewall now processes and inspects HTTP/2 traffic by default.
If you want to disable HTTP/2 inspection, you can specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: select Decryption Profile > SSL Decryption > SSL Forward Proxy and then select Strip ALPN. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
Strict Default Ports for Decrypted Applications, Including Web-Browsing
Application default—which enables you to allow applications only on their most commonly-used ports—now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP and POP3.
This means that, if you’re decrypting SSL traffic, a security policy that allows web-browsing on the application default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.
To enhance security, if you currently have a security policy rule configured to allow web-browsing on
, you might consider updating the rule to instead allow web-browsing on the
Network Processing Card Session Capacity Change (PA-7000-20G-NPC and PA-7000-20GQ-NPC)
The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.
Refresh of Default Trusted CAs
The certificate authorities (CAs) that the firewall trusts by default are updated; new trusted root CAs are added and expired CAs are removed. To view and manage the lists of CAs that the firewall trusts by default, select Certificate Management > Default Trusted Certificate Authorities.
VM-50 and VM-50 Lite Firewalls
The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB of memory, it defaults to the system capacities (number of sessions, rules, security zones, address objects, etc.) associated with the VM-50 Lite.
See Upgrade/Downgrade Considerations for more information.
VM-Series Plugin
Beginning with PAN-OS 9.0, the built-in VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud platforms. Also, the bootstrap package now has an optional
folder for upgrading a plugin. To configure plugin integrations, select
In Panorama™ 9.0 the VM-Series plugin is available in
but must be manually installed.
VXLAN Tunnel Content Inspection
In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.
PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).
By default, VXLAN tunnels now automatically use the VNI Session key to create a VNI Session, which is visible in logs.
If you prefer to use the UDP Session key for VXLAN (as you did in previous releases), you can define a custom application for VXLAN and use an application override policy to invoke your custom application.
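To make the difference between the two session keys concrete, here is an added example (not PAN-OS code) that builds VXLAN headers for constructed traffic between two VTEPs and counts how many sessions the PAN-OS 8.1 six-tuple UDP key and the PAN-OS 9.0 five-tuple VNI key would each create; the OuterPacket model, zone name and addresses are assumptions made for the example.

```python
import struct
from collections import namedtuple

# Constructed model of a VXLAN packet's outer headers (zone is assigned by the
# firewall; the rest comes from the outer IP/UDP headers). Not PAN-OS code.
OuterPacket = namedtuple(
    "OuterPacket", "zone src_ip dst_ip proto src_port dst_port payload")

VXLAN_PORT = 4789
VXLAN_FLAG_I = 0x08  # RFC 7348 "I" flag: the VNI field is valid

def build_vxlan_header(vni: int) -> bytes:
    """Build the 8-byte VXLAN header carrying a 24-bit VNI."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)

def parse_vni(payload: bytes) -> int:
    """Extract the VNI from a VXLAN header, rejecting malformed headers."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _, vni_field = struct.unpack("!B3sI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8  # low byte of the field is reserved

def udp_session_key(p: OuterPacket) -> tuple:
    """PAN-OS 8.1 six-tuple: zone, src IP, dst IP, proto, src port, dst port."""
    return (p.zone, p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)

def vni_session_key(p: OuterPacket) -> tuple:
    """PAN-OS 9.0 five-tuple: zone, src IP, dst IP, proto, VNI."""
    return (p.zone, p.src_ip, p.dst_ip, p.proto, parse_vni(p.payload))

def count_sessions(packets, key_fn) -> int:
    """Distinct sessions the given key function would create."""
    return len({key_fn(p) for p in packets})

def sample_packets():
    """Constructed traffic between two VTEPs: three source ports, two VNIs."""
    vtep = dict(zone="trust", src_ip="10.0.0.1", dst_ip="10.0.0.2",
                proto=17, dst_port=VXLAN_PORT)
    return [
        OuterPacket(src_port=40001, payload=build_vxlan_header(100), **vtep),
        OuterPacket(src_port=40002, payload=build_vxlan_header(100), **vtep),
        OuterPacket(src_port=40003, payload=build_vxlan_header(100), **vtep),
        OuterPacket(src_port=40001, payload=build_vxlan_header(200), **vtep),
    ]
```

With the UDP key the varying source ports split one overlay's traffic into three sessions while two different VNIs on the same port pair share one; with the VNI key each VNI gets exactly one session, which is what you will see in the logs.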
Panorama Commit and push operations
  • Commit is unavailable (grayed out) when you have no pending changes on Panorama and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have successfully pushed all changes you made on Panorama to all managed firewalls and appliances).
  • Commit displays as a green downward arrow when you have pending changes on Panorama that must be committed and pushed to managed devices.
  • Commit displays as a yellow sideways arrow when managed firewalls and Log Collectors are out of sync, and you must push the committed Panorama configuration.
  • When you Commit and Push your configuration changes on Panorama, you must Edit Selections to specify the Push Scope to managed devices.
Security Group Tag (SGT) Ethertype Support
If you're using Security Group Tags (SGTs) to control user and device access in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.
The firewall does not enforce security policy based on SGTs.
Authentication Policy
In PAN-OS 8.1 and earlier, administrators needed to add a rule to decrypt TLS sessions to apply authentication policy. In PAN-OS 9.0, the firewall applies the authentication policy without needing to decrypt the session.
IP Address Registration and Dynamic Address Groups
In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address, and the associated tags, and update the membership information for a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Any policy matches for updates on a registered IP address (IP-tag mapping) are reflected only in new sessions. Any existing sessions are reevaluated for a policy match when you perform a commit or the App-ID™ on the session changes.
URL Filtering Overrides
In earlier release versions, URL Filtering overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories, and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that, if you had URL category overrides with the action allow, there’s a possibility the overrides might be blocked after they are converted to custom URL categories in PAN-OS 9.0.
  1. Create a URL Filtering Profile that defines site access for a custom URL category. Select Security Profiles > URL Filtering, and set the Site Access (like allow or block) for Custom URL Categories that you want to exclude from a URL category.
  2. Create a new security policy rule to prioritize enforcement for URL category exceptions. Attach the URL Filtering profile you just created to that rule (Profile Setting). Because the firewall evaluates rules from top to bottom, make sure that this rule appears at the top of your security policy (
tab objects are removed and Custom URL Category objects are created for firewalls running PAN-OS 8.1 or earlier releases when managed by a Panorama management server that is upgraded to PAN-OS 9.0.
For more details on this, review PAN-OS 9.0 Upgrade and Downgrade Considerations.
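The following added example (not PAN-OS or Panorama code) turns the strictness ranking above into a pre-upgrade check: given the 8.1 category overrides and the actions your URL Filtering profiles assign to the converted custom categories, it reports every override whose effective post-upgrade action would be stricter than before. The override names, profile names and actions are constructed sample data; the example assumes that profiles which do not mention a category are ignored.

```python
# Strictness ranking from the PAN-OS 9.0 notes, most to least strict.
STRICTNESS = ["block", "override", "continue", "alert", "allow"]

def rank(action: str) -> int:
    """Lower rank means stricter; unknown actions are rejected."""
    if action not in STRICTNESS:
        raise ValueError(f"unknown URL Filtering action: {action}")
    return STRICTNESS.index(action)

def effective_action(profiles: dict, category: str):
    """Strictest action any URL Filtering profile assigns to the category.
    Assumption: profiles that do not mention the category are ignored."""
    actions = [acts[category] for acts in profiles.values() if category in acts]
    return min(actions, key=rank) if actions else None

def audit_overrides(overrides: dict, profiles: dict) -> dict:
    """Map each override to (old action, post-upgrade action) where the
    post-upgrade action is stricter than the override used to be."""
    findings = {}
    for category, old in overrides.items():
        new = effective_action(profiles, category)
        if new is not None and rank(new) < rank(old):
            findings[category] = (old, new)
    return findings

# Constructed sample: 8.1 category overrides and the 9.0 profile actions that
# would apply to the converted custom categories (all names are made up).
SAMPLE_OVERRIDES = {"partner-portal": "allow", "legacy-cms": "alert", "adsite": "block"}
SAMPLE_PROFILES = {
    "corp-strict": {"partner-portal": "block", "legacy-cms": "alert", "adsite": "block"},
    "guest": {"partner-portal": "allow", "legacy-cms": "continue"},
}
```

In the sample, the "partner-portal" override that used to allow traffic would be blocked after conversion because the corp-strict profile blocks that category, which is exactly the case the notes warn about.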
CLI Commands for the Option to Hold Web Requests During URL Category Lookup
PAN-OS 9.0.4 or later 9.0 releases
The CLI commands for this feature are now the following:
  1. Enter
    to access Configuration Mode.
  2. Enter set deviceconfig setting ctd hold-client-request yes to enable the feature.
  3. Commit your changes.
SAML Authentication
PAN-OS 9.0.9 and later 9.0 releases
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
  • Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate on the SAML Identity Provider Server Profile.
  • Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.