Changes to Default Behavior
Changes to the default behavior in PAN-OS® 9.1.

The following table details the changes in default behavior upon upgrade to PAN-OS® 9.1. You may also want to review the CLI Changes in PAN-OS 9.1 and the Upgrade/Downgrade Considerations before upgrading to this release.
| Feature | Change |
|---|---|
| URL Filtering BrightCloud Support | With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall. |
| PAN-OS REST API request parameters and error responses | |
| URL Category Lookup Timeout | Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five. Also, you can now adjust this timeout in the web interface by navigating to Device > Setup > Content-ID and changing the value for Category lookup timeout. |
| Web Interface Configuration to Hold Web Requests During URL Category Lookups | The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to Device > Setup > Content-ID and checking the box next to Hold client request for category lookup. |
| GlobalProtect Host Information | On the ACC, the GlobalProtect Host Information widget under the Network Activity tab is now renamed HIP Information. |
| SCTP Service Object | In PAN-OS 9.1 and later versions, the Stream Control Transmission Protocol (SCTP) service object is no longer supported in policy rules. |
| SD-WAN Auto VPN Configuration (PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2) | Auto VPN configuration no longer creates VPN tunnels between SD-WAN hubs in a VPN cluster. (Auto VPN still creates VPN tunnels between a branch and a hub.) When you upgrade to PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2 and push the configuration from Panorama, Panorama removes the VPN tunnels between hubs that it previously created. |
| SAML Authentication (PAN-OS 9.1.3 and later 9.1 releases) | To ensure your users can continue to authenticate successfully with SAML Authentication, you must: |
| PA-7000 Series Firewall Memory Limit for the Management Server (PAN-OS 9.1.5 and later 9.1 releases) | As of PAN-OS 9.1.5, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use `debug software resource-control enable`. To disable resource-control groups, use `debug software resource-control disable`. To set the memory limit, use `debug management-server limit-memory enable`. To remove the memory limit, use `debug management-server limit-memory disable`. Reboot the firewall to ensure the memory limit change takes effect. |
| OSPF | In prior releases, redistributed static routes in OSPF had the forwarding address set to 0.0.0.0 unconditionally. Beginning with PAN-OS 9.1, the forwarding address is set to the next hop if the next hop is part of the OSPF domain; otherwise, the forwarding address is set to 0.0.0.0. |
| IKEv2 (PAN-OS 9.1.13 and later 9.1 releases) | Prior to PAN-OS 9.1.13, when one end of an IKEv2 tunnel was a PAN-OS firewall, even if an IKEv2 tunnel was configured with SHA2 authentication (sha512, sha384, or sha256), PAN-OS always used SHA1 authentication. Beginning with PAN-OS 9.1.13: |
| Scheduled Log Export (PAN-OS 9.1.13 and later 9.1 releases) | Scheduled log exports (Device > Log Export) may not export logs as scheduled if multiple logs are scheduled to export at the same time. Workaround: When scheduling your log exports, maintain at least 6 hours between each scheduled log export. |
| Proxy Decryption (PAN-OS 9.1.12 and later releases) | Beginning in PAN-OS 9.1.12, the firewall denies web sessions if a client presents a truncated Client Hello message that lacks critical information, such as supported cipher suites and TLS versions. Without this information, the firewall can't accurately decrypt the session. Sessions with traffic excluded from decryption might also be denied if the Client Hello is truncated and missing critical information. If critical information is present in the truncated Client Hello, the firewall attempts decryption. Specifically, the firewall examines the first packet of the truncated Client Hello for the Server Name Indication (SNI) extension. The firewall can use the SNI value to identify and apply the matching Decryption policy rule to the traffic. In the absence of an SNI value in the first packet, the firewall makes a best-effort match to a Decryption policy rule. SNI parsing is opportunistic: even if an SNI value is present in the first packet, a Decryption policy rule mismatch can occur. In PAN-OS 9.1 and earlier, the firewall attempted to decrypt web sessions with incomplete Client Hello messages even if the message was missing critical information. SNI values were not used to match traffic with a Decryption policy rule, which made traffic more susceptible to policy rule mismatches. To allow the firewall to process web sessions with incomplete Client Hellos that are missing critical information, use the `debug proxy discard-partial-client-hello enable no` CLI command. The firewall will also examine the first packet for an SNI value. The CTD engine will discard sessions if their traffic matches a known threat pattern. If the traffic doesn't match a known threat, the CTD engine may allow the session to continue undecrypted. |
| Test SCP Server Connection (PAN-OS 9.1.16 and later releases) | To test the SCP server connection when you schedule a configuration export (Panorama > Schedule Config Export) or log export (Device > Scheduled Log Export), a new pop-up window is displayed requiring you to enter the SCP server clear text Password and Confirm Password to test the SCP server connection and enable the secure transfer of data. You must also enter the clear text SCP server Password and Confirm Password when you test the SCP server connection from the firewall or Panorama CLI. |
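The first-packet Client Hello check described in the Proxy Decryption row, as an added example that is not Palo Alto Networks code: a small Python parser that reports whether the critical fields (TLS version and cipher suite list) survive truncation, extracts the SNI extension opportunistically, and maps the result onto the deny / SNI-match / best-effort-match outcomes. The `discard_partial` flag is an assumed stand-in for the `debug proxy discard-partial-client-hello` setting, and the sample Client Hello bytes are constructed inside the block.

```python
import struct

SNI_EXT, TLS_HANDSHAKE, CLIENT_HELLO = 0, 0x16, 0x01

def parse_client_hello(pkt: bytes) -> dict:
    """Parse the first packet of a (possibly truncated) TLS Client Hello.
    'complete' is True only if version and the full cipher suite list are present."""
    info = {"complete": False, "version": None, "ciphers": 0, "sni": None}
    # record header (5) + handshake header (4) + version (2) + random (32) + session-id length (1)
    if len(pkt) < 44 or pkt[0] != TLS_HANDSHAKE or pkt[5] != CLIENT_HELLO:
        return info
    info["version"] = "%d.%d" % (pkt[9], pkt[10])
    pos = 11 + 32 + 1 + pkt[43]                  # skip random and session id
    if pos + 2 > len(pkt):
        return info                              # cipher suite list missing: critical info absent
    cs_len = struct.unpack_from("!H", pkt, pos)[0]; pos += 2
    if pos + cs_len > len(pkt):
        return info                              # cipher suite list cut off by truncation
    info["ciphers"], pos = cs_len // 2, pos + cs_len
    info["complete"] = True                      # critical info present: decryption is attempted
    if pos >= len(pkt):
        return info
    pos += 1 + pkt[pos]                          # skip compression methods
    if pos + 2 > len(pkt):
        return info
    ext_total = struct.unpack_from("!H", pkt, pos)[0]; pos += 2
    end = min(len(pkt), pos + ext_total)
    while pos + 4 <= end:                        # walk extensions opportunistically
        etype, elen = struct.unpack_from("!HH", pkt, pos); pos += 4
        if pos + elen > end:
            break                                # extension truncated: stop, no SNI recovered
        if etype == SNI_EXT and elen >= 5:       # list len(2) + name type(1) + name len(2) + name
            name_len = struct.unpack_from("!H", pkt, pos + 3)[0]
            info["sni"] = pkt[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return info

def decision(pkt: bytes, discard_partial: bool = True) -> str:
    """Model the 9.1.12+ default (deny partial Client Hellos) and the 'enable no' override."""
    info = parse_client_hello(pkt)
    if not info["complete"] and discard_partial:
        return "deny"
    return "match-by-sni:" + info["sni"] if info["sni"] else "best-effort-match"

def build_client_hello(host: str, ciphers=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style Client Hello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HH", SNI_EXT, len(name) + 5) + struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers) + b"\x01\x00"
            + struct.pack("!H", len(sni)) + sni)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Slicing the constructed packet at different offsets reproduces the three cases in the table: cut inside the cipher suite list the session is denied (or, with the override, gets a best-effort match), cut after the cipher suites but before the SNI extension it is decrypted with a best-effort policy match, and intact it is matched by SNI.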