Networking Features
PAN-OS 9.0 (now end-of-life) introduced the following networking features.
New Networking Feature | Description |
---|---|
Security Group Tag (SGT) EtherType Support | If you use Security Group Tags (SGTs) in a Cisco TrustSec network, inline firewalls in Layer 2 or Virtual Wire mode can now inspect and enforce the SGT-tagged traffic. Layer 3 firewalls in a Cisco TrustSec network can also inspect and enforce SGT traffic when deployed between two SGT Exchange Protocol (SXP) peers. SGT-tagged traffic is processed by default, with no configuration change. The firewall does not use the SGT as a match criterion in Security policy, so continue to define SGT-based policy the way you do today. |
FQDN Refresh Enhancement | Cloud applications change addresses often and need frequent FQDN refreshes to stay reachable, so the firewall can now refresh cached FQDN entries based on the DNS TTL value. You can set a minimum FQDN refresh time to stop the firewall from refreshing entries more often than you want, and a stale-entry timeout that sets how long the firewall keeps using cached entries when a network failure makes the DNS server unreachable. |
GRE Tunneling Support | The firewall can now be a GRE tunnel endpoint: you can send traffic through a GRE tunnel to a point-to-point tunneling peer, and the firewall inspects and enforces policy on that traffic as it does for non-tunneled traffic. Cloud services and partner networks often use GRE tunnels for point-to-point connectivity to customer networks. The firewall also supports GRE over IPSec, to interoperate with other vendors' implementations in deployments that encrypt GRE within IPSec. |
Wildcard Address Support in Security Policy Rules | When you assign private IPv4 addresses to internal devices, you can use an addressing pattern that gives certain bits of the address a special meaning; for example, the first three bits of the third octet might encode the device type. Such a structure lets you identify device type, location and other attributes from the IP address alone, and you can now use the same structure in Security policy rules on the firewall. A rule can match sources and destinations with a wildcard address that compares only specific bits of the IP address, so you no longer need a large number of address objects to cover all matching addresses, or a less restrictive rule than you want because of address-object capacity limits. For example, a single wildcard address can allow all cash registers in the northeastern region of the U.S. to access a specific application, which simplifies Security deployment in an environment with a discontiguous addressing scheme. |
Hostname Option Support for DHCP Clients | When a firewall interface is a DHCP client (a DHCP server assigns the interface a dynamic IPv4 address), you can now assign the interface a hostname and send it to the DHCP server in DHCP Option 12. The DHCP server can register the hostname with the DNS server, which then tracks the hostname-to-dynamic-IP-address mapping automatically. |
FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer | You can now use an FQDN or an FQDN address object as a static route next hop, a PBF next hop, or a BGP peer address. Using FQDNs instead of statically assigned IP addresses reduces configuration and management overhead and simplifies provisioning, because the FQDN can resolve differently from location to location: you map the FQDN to the IP address that suits each location and deployment. For example, a service provider can publish one FQDN for a service and resolve it to the IP address of the server closest to the client (based on the client's geo-location), so the same FQDN works globally for the service connection. |
Dynamic DNS Support for Firewall Interfaces | When you host services behind the firewall or need remote access to it, the firewall can now register IPv4 and IPv6 address changes with a Dynamic DNS (DDNS) provider whenever an interface address changes (for example, because the interface is a DHCP client). The DDNS service updates the DNS record (the hostname-to-IP address mapping), so you no longer need an external mechanism to keep DNS records current. The firewall currently supports five DDNS providers: DuckDNS, DynDNS, FreeDNS Afraid.org, FreeDNS Afraid.org Dynamic API, and No-IP. |
HA1 SSH Key Refresh | When you need to change the SSH key pairs that secure HA1 communications, you can now refresh the keys without restarting the firewalls. |
Advanced Session Distribution Algorithms for Destination NAT | When a destination NAT rule translates to a pool of IP addresses, or to an FQDN that resolves to multiple IP addresses, sessions can be distributed among those addresses using one of four new methods in addition to the existing round-robin method: source IP hash, IP modulo, IP hash, and least sessions. Choose the method that best suits your destination NAT use case. |
VXLAN Tunnel Content Inspection | If you use VXLAN as a transport overlay, a Tunnel Content Inspection policy can now natively scan the traffic inside the VXLAN tunnel. For example, if VXLAN connects your geographically dispersed data centers, you can scan and control the individual flows within the tunnel. Because Tunnel Content Inspection policy now supports the VXLAN protocol, you gain visibility into VXLAN traffic and can enforce Security policy rules on it without terminating the tunnel or changing the network. |
LACP and LLDP Pre-Negotiation on an HA Passive Firewall | An HA passive firewall can negotiate LACP and LLDP before it becomes active. This pre-negotiation shortens failover because the LACP or LLDP negotiation no longer has to happen after the failover. This capability, previously available on several firewall models, now extends to PA-220, PA-220R, PA-820, PA-850, PA-3200 Series, and PA-5280 firewalls. |
DNS Rewrite for Destination NAT (Available with PAN-OS® 9.0.2 and later 9.0 releases) | (Requires Applications and Threats content release version 8147 or later) You can configure a destination NAT policy rule that statically translates an IPv4 address to also translate that IPv4 address when it appears in a DNS response matching the rule. This DNS rewrite prevents a DNS server on one side of the firewall from handing an internal IP address to a client on the external side, or vice versa: the IPv4 address in the DNS response undergoes the same NAT, and the firewall forwards the client an address it can actually use to reach the destination service. |
Ignore DF (don't fragment) Bit (Available with PAN-OS 9.0.9 and later 9.0 releases) | You can configure the firewall globally to fragment IPv4 packets that exceed the egress interface maximum transmission unit (MTU) even when the DF (don't fragment) bit is set. The setting is enabled through the CLI and applies to Layer 3 and tunnel interfaces. |
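The FQDN Refresh Enhancement row describes three interacting settings: refresh on the DNS TTL, a minimum refresh interval that caps how often the firewall queries, and a grace period during which a cached entry keeps being used when the DNS server is unreachable. The following Python model, added here as an example and not PAN-OS code, shows how those three interact on one FQDN over simulated time. The class names, the parameter names (`min_refresh`, `stale_timeout`), the scripted resolver and the addresses are assumptions made for the example.

```python
"""Added example (not PAN-OS code): a model of the FQDN refresh behaviour described above.
Entries refresh on the DNS TTL, never more often than a minimum refresh interval, and stale
entries survive resolver failures for a bounded time. Names, parameters and the scripted
resolver are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns (addresses, ttl_seconds) or raises OSError when the DNS server is unreachable.
Resolver = Callable[[str], Tuple[List[str], int]]


@dataclass
class FqdnEntry:
    addresses: List[str]
    refresh_at: float   # earliest time the next refresh is due
    last_good: float    # time of the last successful resolution


@dataclass
class FqdnCache:
    resolver: Resolver
    min_refresh: int = 30      # floor on the refresh interval, even if the DNS TTL is shorter
    stale_timeout: int = 1440  # how long to keep serving an entry after the resolver stops answering
    entries: Dict[str, FqdnEntry] = field(default_factory=dict)

    def lookup(self, fqdn: str, now: float) -> Optional[List[str]]:
        """Return the addresses for fqdn at simulated time `now`, refreshing if a refresh is due."""
        entry = self.entries.get(fqdn)
        if entry is None or now >= entry.refresh_at:
            entry = self._refresh(fqdn, entry, now)
        return entry.addresses if entry else None

    def _refresh(self, fqdn: str, old: Optional[FqdnEntry], now: float) -> Optional[FqdnEntry]:
        try:
            addresses, ttl = self.resolver(fqdn)
        except OSError:
            # Resolver unreachable: keep the cached answer while it is within stale_timeout,
            # and retry no sooner than min_refresh so a dead server is not hammered.
            if old is not None and now - old.last_good < self.stale_timeout:
                old.refresh_at = now + self.min_refresh
                return old
            self.entries.pop(fqdn, None)   # stale for too long: stop matching this FQDN
            return None
        interval = max(ttl, self.min_refresh)   # honour the TTL, clamped to the minimum
        entry = FqdnEntry(addresses, now + interval, now)
        self.entries[fqdn] = entry
        return entry


class ScriptedResolver:
    """Constructed stand-in for a DNS server: answers from a list; None means 'unreachable'."""
    def __init__(self, answers):
        self.answers = answers
        self.calls = 0

    def __call__(self, fqdn: str):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        if answer is None:
            raise OSError("DNS server unreachable")
        return answer


def run_scenario() -> dict:
    """Walk one FQDN through TTL refresh, the minimum-refresh floor, and a resolver outage."""
    resolver = ScriptedResolver([(["198.51.100.5"], 5), (["198.51.100.6"], 5), None])
    cache = FqdnCache(resolver, min_refresh=30, stale_timeout=100)
    fqdn = "app.example.net"   # constructed name
    seen = {}
    seen["t0"] = cache.lookup(fqdn, now=0)       # first resolution
    seen["t10"] = cache.lookup(fqdn, now=10)     # TTL (5 s) expired, but min_refresh (30 s) has not: no query
    seen["calls_t10"] = resolver.calls
    seen["t30"] = cache.lookup(fqdn, now=30)     # refresh due: new address
    seen["t60"] = cache.lookup(fqdn, now=60)     # resolver down: stale entry kept
    seen["t140"] = cache.lookup(fqdn, now=140)   # still down, 110 s since last success >= stale_timeout
    seen["calls"] = resolver.calls
    return seen


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The security-relevant part is the last step: once an entry has been stale longer than the timeout it is dropped rather than kept forever, so a rule that allows traffic to an FQDN does not keep matching an address the name may no longer own.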
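The Wildcard Address Support row says a rule can match on only specific bits of an IP address. The Python below, added here as an example and not PAN-OS code, implements that match and also expands a wildcard into the list of contiguous CIDR address objects it replaces, which is the page's point about discontiguous addressing. It assumes the mask semantics of the PAN-OS IP wildcard mask object (a 0 bit in the mask means the address bit must match, a 1 bit is a wildcard); the `10.RRRSSSSS.TTTUUUUU.H` addressing scheme and the "northeast cash register" wildcard are constructed in the spirit of the row's example.

```python
"""Added example (not PAN-OS code): wildcard-mask matching for the addressing scheme
described above, plus the list of CIDR objects a single wildcard replaces.
Mask semantics are assumed to be those of the PAN-OS IP wildcard mask object: a 0 bit in the
mask means the address bit must match, a 1 bit is a wildcard. The addressing scheme is constructed."""
import ipaddress
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """'10.64.32.0/0.31.31.255' -> (address as int, wildcard mask as int)."""
    addr, mask = spec.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


def wildcard_match(spec: str, ip: str) -> bool:
    """True if ip agrees with the wildcard address on every bit the mask marks as fixed (0)."""
    addr, mask = parse_wildcard(spec)
    fixed = ~mask & MASK32
    return (int(ipaddress.IPv4Address(ip)) & fixed) == (addr & fixed)


def wildcard_size(spec: str) -> int:
    """Number of addresses the wildcard covers: 2 ** (number of wildcard bits)."""
    _, mask = parse_wildcard(spec)
    return 1 << bin(mask).count("1")


def cidr_blocks(spec: str) -> List[ipaddress.IPv4Network]:
    """Expand a wildcard into the contiguous CIDR blocks you would otherwise need as address objects.
    Trailing wildcard bits become the prefix length; every higher wildcard bit doubles the block count."""
    addr, mask = parse_wildcard(spec)
    trailing = 0
    while trailing < 32 and (mask >> trailing) & 1:
        trailing += 1
    high_bits = [b for b in range(trailing, 32) if (mask >> b) & 1]
    base = addr & ~mask & MASK32
    blocks = []
    for combo in range(1 << len(high_bits)):
        value = base
        for i, bit in enumerate(high_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        blocks.append(ipaddress.IPv4Network((value, 32 - trailing)))
    return sorted(blocks)


# Constructed scheme, in the spirit of the row above: 10.RRRSSSSS.TTTUUUUU.H
#   second octet: top 3 bits = region (010 = northeast), low 5 bits = state
#   third octet:  top 3 bits = device type (001 = cash register), low 5 bits = store
# "All cash registers in the northeast" is one wildcard: region and type fixed, everything else wild.
NORTHEAST_CASH_REGISTERS = "10.64.32.0/0.31.31.255"

if __name__ == "__main__":
    for ip in ["10.64.32.7", "10.95.63.200", "10.96.32.5", "10.64.64.5"]:
        print(ip, wildcard_match(NORTHEAST_CASH_REGISTERS, ip))
    print(len(cidr_blocks(NORTHEAST_CASH_REGISTERS)), "CIDR objects replaced by one wildcard")
```

Before putting a wildcard into a rule, run `cidr_blocks` on it and read the list: it is the exact set of prefixes the rule will admit, which is the review you would otherwise do on 32 separate address objects.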
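The Advanced Session Distribution Algorithms row names five methods but the page does not say how each one picks an address. The Python below, added here as an example and not PAN-OS code, models the five methods as selectors over a translated-address pool so the behavioural differences (stickiness of a client to one server, even spread, adapting to load) can be seen. The hash and modulo formulas are assumptions chosen for the example, not the firewall's actual algorithms; the pool and client addresses are constructed.

```python
"""Added example (not PAN-OS code): the five destination NAT session distribution methods
named above, modelled as selectors over a translated-address pool. How PAN-OS actually
hashes or applies the modulo is not stated on this page; the formulas here are assumptions
chosen to show each method's behaviour (stickiness, balance, adaptiveness)."""
import hashlib
import ipaddress
from collections import Counter
from typing import List


def _h(text: str) -> int:
    """Deterministic 32-bit hash (sha256 prefix) so results are reproducible across runs."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:4], "big")


class DnatPool:
    METHODS = ("round-robin", "source-ip-hash", "ip-modulo", "ip-hash", "least-sessions")

    def __init__(self, addresses: List[str], method: str = "round-robin"):
        if method not in self.METHODS:
            raise ValueError(method)
        self.addresses = list(addresses)
        self.method = method
        self._next = 0
        self.sessions = Counter()      # active sessions per translated address

    def pick(self, src_ip: str, dst_ip: str) -> str:
        """Choose the translated address for a new session and record it as active."""
        n = len(self.addresses)
        if self.method == "round-robin":
            i, self._next = self._next, (self._next + 1) % n
        elif self.method == "source-ip-hash":          # same client always lands on the same server
            i = _h(src_ip) % n
        elif self.method == "ip-modulo":                 # assumption: (src XOR dst) mod pool size
            i = (int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))) % n
        elif self.method == "ip-hash":                   # src and dst together select the server
            i = _h(src_ip + "|" + dst_ip) % n
        else:                                            # least-sessions: fewest active, lowest index on ties
            i = min(range(n), key=lambda k: (self.sessions[self.addresses[k]], k))
        addr = self.addresses[i]
        self.sessions[addr] += 1
        return addr

    def end(self, addr: str) -> None:
        """Session closed: release its slot (only least-sessions reacts to this)."""
        self.sessions[addr] -= 1


def distribution(method: str, clients: int = 300) -> dict:
    """Spread one session per constructed client (198.51.100.1 upward) across a three-address pool."""
    pool = DnatPool(["10.1.1.1", "10.1.1.2", "10.1.1.3"], method)
    base = int(ipaddress.IPv4Address("198.51.100.0"))
    counts = Counter()
    for i in range(1, clients + 1):
        counts[pool.pick(str(ipaddress.IPv4Address(base + i)), "203.0.113.10")] += 1
    return dict(counts)


if __name__ == "__main__":
    for method in DnatPool.METHODS:
        print(method, distribution(method))
```

The trade-off to keep in mind when choosing: the two hash methods and IP modulo are stateless and keep a client on one server (useful when the servers hold session state), while least-sessions balances actual load but only if the firewall sees session ends.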
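The DNS Rewrite for Destination NAT row describes translating the IPv4 address inside a DNS response in step with a static destination NAT rule, in either direction. The Python below, added here as an example and not PAN-OS code, parses a DNS response on the wire, applies a rule's original/translated address pair to matching A records, and leaves everything else (other answers, queries, non-A records) alone. The direction names "forward" (original to translated, for an external DNS server answering an internal client) and "reverse" (translated to original, for an internal DNS server answering an external client), the minimal response builder and the addresses are assumptions and constructed input for the example.

```python
"""Added example (not PAN-OS code): rewriting A records in a DNS response according to a static
destination NAT rule, in both the 'forward' (original -> translated) and 'reverse'
(translated -> original) directions. The direction names, the minimal DNS builder and the
addresses are assumptions / constructed input for the example."""
import ipaddress
import struct
from typing import Iterator, List, Tuple

QR_FLAG = 0x8000
TYPE_A, CLASS_IN = 1, 1


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a DNS name (labels or a compression pointer) and return the new offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _records(pkt: bytes) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (rtype, rclass, rdata_offset, rdlength) for every RR after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, rclass, off, rdlength
        off += rdlength


def a_records(pkt: bytes) -> List[str]:
    """The IPv4 addresses carried in A records, in wire order."""
    return [str(ipaddress.IPv4Address(pkt[o:o + 4]))
            for rtype, rclass, o, rdlength in _records(pkt)
            if rtype == TYPE_A and rclass == CLASS_IN and rdlength == 4]


def rewrite_dns_response(pkt: bytes, original: str, translated: str, direction: str) -> Tuple[bytes, int]:
    """Apply a static destination NAT rule (original -> translated) to the A records of a response.
    forward: answers carrying the original (public) address become the translated (internal) one.
    reverse: answers carrying the translated (internal) address become the original (public) one.
    Returns the (possibly) rewritten packet and the number of records changed."""
    if not struct.unpack_from("!H", pkt, 2)[0] & QR_FLAG:
        return pkt, 0                            # a query, not a response: nothing to rewrite
    if direction == "forward":
        match, replacement = original, translated
    elif direction == "reverse":
        match, replacement = translated, original
    else:
        raise ValueError("direction must be 'forward' or 'reverse'")
    match_b = ipaddress.IPv4Address(match).packed
    replacement_b = ipaddress.IPv4Address(replacement).packed
    out = bytearray(pkt)
    changed = 0
    for rtype, rclass, off, rdlength in _records(pkt):
        if rtype == TYPE_A and rclass == CLASS_IN and rdlength == 4 and pkt[off:off + 4] == match_b:
            out[off:off + 4] = replacement_b     # same length, so no other offsets shift
            changed += 1
    return bytes(out), changed


def build_response(qname: str, answers: List[str], flags: int = 0x8180) -> bytes:
    """Construct a minimal DNS response: one question, A answers that point back at the question name."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in answers)
    return header + question + rrs


if __name__ == "__main__":
    # Constructed rule: public 203.0.113.10 is destination-NATed to internal 10.1.1.10.
    internal_answer = build_response("www.example.com", ["10.1.1.10", "10.1.1.20"])
    pkt, n = rewrite_dns_response(internal_answer, "203.0.113.10", "10.1.1.10", "reverse")
    print(n, a_records(pkt))   # only the record the rule covers changes
```

Two checks worth keeping from this model when you enable the feature: only A records whose address exactly matches the rule's address are touched, and a record for an address the rule does not cover (10.1.1.20 above) still leaks through unchanged, so make sure every internal address a DNS server can answer with has a corresponding rule.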