Changes to Default Behavior
Changes to the default behavior in PAN-OS® 9.1.
The following table details the changes
in default behavior upon upgrade to PAN-OS® 9.1. You may also want
to review the CLI Changes in PAN-OS 9.1 and
the Upgrade/Downgrade Considerations before upgrading
to this release.
Feature | Change |
---|---|
URL Filtering BrightCloud Support | With PAN-OS 9.1, BrightCloud is no longer supported
as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1,
you’ll first need to convert your BrightCloud URL Filtering license
to a PAN-DB URL Filtering license (contact your sales representative
to convert your license). Only upgrade to PAN-OS 9.1 after confirming
that the PAN-DB URL Filtering license is active on your firewall. |
PAN-OS REST API request parameters and
error responses |
|
URL Category Lookup Timeout | Cloud queries for uncached URL categories now
have a default timeout of two seconds instead of five. Also,
you can now adjust this timeout in the web interface by navigating
to Device Setup Content-ID Category lookup timeout . |
Web Interface Configuration to Hold Web
Requests During URL Category Lookups | The web interface now features the option
to hold web requests during URL category lookups. Enable this setting
by navigating to Device Setup Content-ID Hold client request for category lookup . |
GlobalProtect Host Information | On the ACC, the GlobalProtect Host
Information widget under the Network Activity tab is
now renamed HIP Information . |
SCTP Service Object | In PAN-OS 9.1 and later versions, the Stream Control
Transmission Protocol (SCTP) service object is no longer supported
in policy rules. |
SD-WAN Auto VPN Configuration ( PAN-OS
9.1.2 and SD-WAN Plugin 1.0.2 ) | Auto VPN configuration no longer creates VPN
tunnels between SD-WAN hubs in a VPN cluster. (Auto VPN still creates
VPN tunnels between a branch and a hub.) When you upgrade to PAN-OS 9.1.2
and SD-WAN Plugin 1.0 2 and push the configuration from Panorama,
Panorama removes the VPN tunnels between hubs that it previously created. |
SAML Authentication ( PAN-OS
9.1.3 and later 9.1 releases ) | To ensure your users can continue to authenticate
successfully with SAML Authentication, you must:
|
PA-7000 Series Firewall Memory Limit
for the Management Server ( PAN-OS 9.1.5 and later
9.1 releases ) | As of PAN-OS 9.1.5, the PA-7000 Series firewalls
have new CLI commands to enable or disable resource control groups
and new CLI commands to set an upper memory limit of 8G on a process
(mgmtsrvr). To enable resource-control groups,
use: debug software resource-control enable To
disable resource-control groups, use: debug software resource-control disable To
set the memory limit, use: debug management-server limit-memory enable To
remove the memory limit, use: debug management-server limit-memory disable Reboot
the firewall to ensure the memory limit change takes effect. |
OSPF | In prior releases, redistributed static
routes in OSPF had the forwarding address set to 0.0.0.0 unconditionally.
Beginning with PAN-OS 9.1, the forwarding address is set to the
next hop if the next hop is part of the OSPF domain; otherwise,
the forwarding address is set to 0.0.0.0. |
IKEv2 ( PAN-OS 9.1.13 and
later 9.1 releases ) | Prior to PAN-OS 9.1.13, when one end of
an IKEv2 tunnel was a PAN-OS firewall, even if an IKEv2 tunnel was
configured with SHA2 authentication (sha512, sha384, or sha256), PAN-OS
always used SHA1 authentication. Beginning with PAN-OS 9.1.13:
|
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.