Changes to Default Behavior
Changes to the default behavior in PAN-OS® 9.0
API Key Lifetime
When you generate a new API key, the key metadata now includes a timestamp of the creation date, which makes the key larger than keys generated on PAN-OS versions earlier than 9.0.
Default Administrator Password Requirements
Starting with PAN-OS 9.0.4, you must change the default administrator password (admin/admin) the first time you log in to the admin account on a device. The new password must be a minimum of eight characters and include at least one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters. On upgrades, this change does not affect other administrative users.
HTTP/2 Inspection
The firewall now processes and inspects HTTP/2 traffic by default.
If you want to disable HTTP/2 inspection, you can configure the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: in the decryption profile, select SSL Forward Proxy and enable Strip ALPN. ALPN is the TLS extension through which a client and server agree to use HTTP/2 (h2) on a connection; when the extension carries no value, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
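To make the Strip ALPN behavior concrete, the following Python example, added here and not part of the PAN-OS documentation or product code, builds a minimal TLS 1.2 ClientHello that offers h2 and http/1.1, then rewrites it without extension type 16 (ALPN, RFC 7301), recomputing the record, handshake and extension-block lengths the way any in-path device must. The hostname, cipher suites and random bytes are constructed values; the parser covers only what a ClientHello needs here, not every TLS record type.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI = 0x0000
EXT_ALPN = 0x0010  # application_layer_protocol_negotiation (RFC 7301)


def alpn_ext_data(protocols):
    """Body of an ALPN extension: 2-byte list length, then 1-byte-length-prefixed names."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    return struct.pack("!H", len(names)) + names


def sni_ext_data(hostname):
    """Body of a server_name extension with a single host_name (type 0) entry."""
    host = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions):
    """Wrap a minimal TLS 1.2 ClientHello body in handshake and record headers (constructed)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random: fixed bytes for the example
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(ext_blob)) + ext_blob
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Split a ClientHello into the fixed prefix (everything before the extensions) and its extensions."""
    ctype, _version, _rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    hlen = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hlen]
    off = 2 + 32                                              # version + random
    off += 1 + body[off]                                      # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]      # cipher_suites
    off += 1 + body[off]                                      # compression_methods
    prefix = body[:off]
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    extensions = []
    while off < end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        extensions.append((etype, body[off:off + elen]))
        off += elen
    return prefix, extensions


def alpn_protocols(record):
    """Protocol names the client offers via ALPN, or [] when the extension is absent."""
    _, extensions = parse_client_hello(record)
    for etype, data in extensions:
        if etype == EXT_ALPN:
            names, off = [], 2                                # skip the 2-byte list length
            while off < len(data):
                n = data[off]
                names.append(data[off + 1:off + 1 + n].decode("ascii"))
                off += 1 + n
            return names
    return []


def strip_alpn(record):
    """Re-emit the ClientHello without its ALPN extension, recomputing every enclosing length."""
    prefix, extensions = parse_client_hello(record)
    kept = [(t, d) for t, d in extensions if t != EXT_ALPN]
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in kept)
    body = prefix + struct.pack("!H", len(ext_blob)) + ext_blob
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def server_name(record):
    """SNI host_name, used to confirm that stripping ALPN leaves the other extensions intact."""
    _, extensions = parse_client_hello(record)
    for etype, data in extensions:
        if etype == EXT_SNI:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello([(EXT_SNI, sni_ext_data("www.example.test")),
                                (EXT_ALPN, alpn_ext_data(["h2", "http/1.1"]))])
    print("client offers:", alpn_protocols(hello))
    stripped = strip_alpn(hello)
    print("after Strip ALPN:", alpn_protocols(stripped), "SNI still", server_name(stripped))
```

With the ALPN list gone, a server that requires ALPN to speak h2 negotiates HTTP/1.1 instead, which is the downgrade the text describes; a ClientHello that never carried ALPN passes through byte-for-byte unchanged.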
Strict Default Ports for Decrypted Applications, Including Web-Browsing
Application default, which enables you to allow applications only on their most commonly used ports, now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP, and POP3.
This means that, if you're decrypting SSL traffic, a security policy rule that allows web-browsing on the application default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.
To enhance security, if you currently have a security policy rule configured to allow web-browsing on service-HTTPS, consider updating the rule to allow web-browsing on the application default ports instead.
Network Processing Card Session Capacity Change (PA-7000-20G-NPC and PA-7000-20GQ-NPC)
The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.
Refresh of Default Trusted CAs
The certificate authorities (CAs) that the firewall trusts by default are updated; new trusted root CAs are added and expired CAs are removed. To view and manage the lists of CAs that the firewall trusts by default, select Default Trusted Certificate Authorities.
VM-50 and VM-50 Lite Firewalls
The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB of memory, it defaults to the system capacities (number of sessions, rules, security zones, address objects, and so on) associated with the VM-50 Lite.
See Upgrade/Downgrade Considerations for more information.
VM-Series Plugin
Beginning with PAN-OS 9.0, the built-in VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud platforms. Also, the bootstrap package now has an optional /plugins folder for upgrading a plugin. Plugin integrations are configured from the firewall web interface.
In Panorama 9.0, the VM-Series plugin is available but must be manually installed.
VXLAN Tunnel Content Inspection
In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.
PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).
By default, VXLAN tunnels now automatically use the VNI Session key to create a VNI Session, which is visible in logs.
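The following Python example, added here and not part of the PAN-OS documentation or product code, constructs four VXLAN-encapsulated packets between one pair of tunnel endpoints and groups them both ways: under the six-tuple UDP Session key that PAN-OS 8.1 used for all tunnel content inspection, and under the five-tuple VNI Session key that 9.0 uses for VXLAN. Addresses, ports, VNIs, the zone name and the inner frame bytes are constructed; the two key functions model the tuple definitions given in the text, not the firewall's internal implementation.

```python
import socket
import struct

VXLAN_PORT = 4789
VXLAN_FLAG_I = 0x08  # "valid VNI" flag (RFC 7348)


def _ip_checksum(header):
    """Standard one's-complement IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_packet(src_ip, dst_ip, src_port, vni, inner_frame):
    """Outer IPv4 + UDP/4789 + 8-byte VXLAN header around an encapsulated frame (constructed)."""
    vxlan = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)  # VNI is the top 24 bits of the last word
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)  # UDP checksum 0 = not present
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64,
                     socket.IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner_frame


def parse_vxlan(pkt):
    """Pull the outer IP/UDP fields and the VNI out of a VXLAN packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != socket.IPPROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError("not VXLAN (UDP destination port is not 4789)")
    flags, word = struct.unpack("!B3xI", pkt[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    return {
        "src_ip": socket.inet_ntoa(pkt[12:16]), "dst_ip": socket.inet_ntoa(pkt[16:20]),
        "proto": proto, "src_port": sport, "dst_port": dport,
        "vni": word >> 8, "inner": pkt[ihl + 16:],
    }


def udp_session_key(zone, flow):
    """PAN-OS 8.1-style six-tuple: one session per outer UDP flow."""
    return (zone, flow["src_ip"], flow["dst_ip"], flow["proto"], flow["src_port"], flow["dst_port"])


def vni_session_key(zone, flow):
    """PAN-OS 9.0 VNI Session key: the ports drop out, the VNI comes in."""
    return (zone, flow["src_ip"], flow["dst_ip"], flow["proto"], flow["vni"])


def session_table(zone, packets, keyfunc):
    """Group packets into sessions under the given key; returns {key: packet count}."""
    table = {}
    for pkt in packets:
        key = keyfunc(zone, parse_vxlan(pkt))
        table[key] = table.get(key, 0) + 1
    return table


# Constructed traffic: one VTEP pair, three source ports (as ECMP hashing would vary
# them) carrying VNI 100, plus one packet for VNI 200 reusing the first source port.
INNER = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + b"\x00" * 20  # stub Ethernet + IPv4 frame
PACKETS = [
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 40000, 100, INNER),
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 40001, 100, INNER),
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 40002, 100, INNER),
    build_vxlan_packet("10.0.0.1", "10.0.0.2", 40000, 200, INNER),
]

if __name__ == "__main__":
    for label, keyfunc in (("UDP Session key (8.1)", udp_session_key), ("VNI Session key (9.0)", vni_session_key)):
        print(label)
        for key, count in session_table("trust", PACKETS, keyfunc).items():
            print("  ", key, "->", count, "packet(s)")
```

Under the six-tuple key the VNI 100 traffic splits into three sessions by source port, while VNI 100 and VNI 200 packets that share a source port land in the same session; under the VNI Session key the same packets become exactly one session per VNI, which is what you will see in the 9.0 logs.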
Panorama Commit and push operations
Security Group Tag (SGT) Ethertype Support
If you're using Security Group Tags (SGTs) to control user and device access in a Cisco TrustSec network, inline firewalls in Layer 2 or virtual wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.
The firewall does not enforce security policy based on SGTs.
Authentication Policy
In PAN-OS 8.1 and earlier, administrators needed to add a rule to decrypt TLS sessions before Authentication policy could be applied to them. In PAN-OS 9.0, the firewall applies Authentication policy without needing to decrypt the session.
IP Address Registration and Dynamic Address Groups
In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address and its associated tags and to update the membership of a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Policy matches that result from an update to a registered IP address (IP-tag mapping) are reflected only in new sessions. Existing sessions are reevaluated for a policy match only when you perform a commit or the App-ID on the session changes.
URL Filtering Overrides
In earlier release versions, URL Filtering overrides had priority enforcement ahead of custom URL categories. As part of the upgrade to PAN-OS 9.0, URL category overrides are converted to custom URL categories and no longer receive priority enforcement over other custom URL categories. Instead of the action you defined for the category override in previous release versions, the new custom URL category is enforced by the security policy rule with the strictest URL Filtering profile action. From most strict to least strict, the possible URL Filtering profile actions are: block, override, continue, alert, and allow. This means that a URL category override with the action allow might block that traffic after it is converted to a custom URL category in PAN-OS 9.0.
Objects on the Overrides tab are removed and Custom URL Category objects are created for firewalls running PAN-OS 8.1 or earlier releases when they are managed by a Panorama management server that is upgraded to PAN-OS 9.0.
For more details on this, review PAN-OS 9.0 Upgrade and Downgrade Considerations.
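Before upgrading, it is worth checking which overrides change behavior. The following Python example, added here and not part of the PAN-OS documentation or product code, models the conversion described above: it ranks actions by the strictness order the note gives, resolves each converted category to the strictest action any attached URL Filtering profile assigns it, and reports the overrides whose action becomes stricter than it was in 8.1. The override names, rule names and profile contents are constructed; how the upgrade populates each profile's action for a converted category is an assumption of the model, so treat the output as a pre-check to confirm against your own converted configuration.

```python
# Strictness order from the PAN-OS 9.0 release note, most strict first.
ACTION_RANK = {"block": 0, "override": 1, "continue": 2, "alert": 3, "allow": 4}


def strictest(actions):
    """Return the most restrictive of the given URL Filtering actions."""
    return min(actions, key=ACTION_RANK.__getitem__)


def post_upgrade_action(category, rules):
    """Action the converted custom category ends up with: the strictest action that any
    URL Filtering profile attached to a rule assigns to it. Profiles that do not mention
    the category contribute nothing; None means no rule enforces it at all."""
    actions = [rule["profile"][category] for rule in rules if category in rule["profile"]]
    return strictest(actions) if actions else None


def upgrade_regressions(overrides, rules):
    """Compare each 8.1 override action with what the converted category will do in 9.0 and
    list the ones that become stricter (for example an 'allow' override that now blocks)."""
    report = []
    for category, old_action in overrides.items():
        new_action = post_upgrade_action(category, rules)
        if new_action is not None and ACTION_RANK[new_action] < ACTION_RANK[old_action]:
            report.append((category, old_action, new_action))
    return report


# Constructed 8.1 state: three URL category overrides and the action each carried.
OVERRIDES_8_1 = {
    "intranet-portal": "allow",
    "partner-fileshare": "alert",
    "known-bad-cdn": "block",
}

# Constructed 9.0 rulebase: each rule carries a URL Filtering profile mapping the converted
# custom categories to an action. Rule and category names are assumptions for the example.
RULES_9_0 = [
    {"name": "allow-corp-web",
     "profile": {"intranet-portal": "allow", "partner-fileshare": "alert"}},
    {"name": "guest-wifi",
     "profile": {"intranet-portal": "block", "partner-fileshare": "continue", "known-bad-cdn": "block"}},
]

if __name__ == "__main__":
    for category, old, new in upgrade_regressions(OVERRIDES_8_1, RULES_9_0):
        print("%-20s 8.1 override: %-8s 9.0 effective: %s" % (category, old, new))
```

In the constructed data the intranet-portal override that allowed traffic in 8.1 is blocked once the guest-wifi rule's profile is considered, and partner-fileshare moves from alert to continue; known-bad-cdn is unchanged because block was already the strictest possible action.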
CLI Commands for the Option to Hold Web Requests During URL Category Lookup (PAN-OS 9.0.4 or later)
The CLI commands for this feature are now the following: