Changes to Default Behavior
Changes to the default behavior in PAN-OS® 9.1.
The following table details the changes in default behavior upon upgrade to PAN-OS® 9.1. You may also want to review the CLI Changes in PAN-OS 9.1 and the Upgrade/Downgrade Considerations before upgrading to this release.
Feature | Change |
---|---|
URL Filtering BrightCloud Support | With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall. |
PAN-OS REST API request parameters and error responses | |
URL Category Lookup Timeout | Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five. Also, you can now adjust this timeout in the web interface by navigating to Device > Setup > Content-ID > Category lookup timeout. |
Web Interface Configuration to Hold Web Requests During URL Category Lookups | The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to Device > Setup > Content-ID > Hold client request for category lookup. |
GlobalProtect Host Information | On the ACC, the GlobalProtect Host Information widget under the Network Activity tab is now renamed HIP Information. |
SCTP Service Object | In PAN-OS 9.1 and later versions, the Stream Control Transmission Protocol (SCTP) service object is no longer supported in policy rules. |
SD-WAN Auto VPN Configuration (PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2) | Auto VPN configuration no longer creates VPN tunnels between SD-WAN hubs in a VPN cluster. (Auto VPN still creates VPN tunnels between a branch and a hub.) When you upgrade to PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2 and push the configuration from Panorama, Panorama removes the VPN tunnels between hubs that it previously created. |
SAML Authentication (PAN-OS 9.1.3 and later 9.1 releases) | To ensure your users can continue to authenticate successfully with SAML Authentication, you must: |
PA-7000 Series Firewall Memory Limit for the Management Server (PAN-OS 9.1.5 and later 9.1 releases) | As of PAN-OS 9.1.5, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr). To enable resource-control groups, use `debug software resource-control enable`; to disable resource-control groups, use `debug software resource-control disable`. To set the memory limit, use `debug management-server limit-memory enable`; to remove the memory limit, use `debug management-server limit-memory disable`. Reboot the firewall to ensure the memory limit change takes effect. |
OSPF | In prior releases, redistributed static routes in OSPF had the forwarding address set to 0.0.0.0 unconditionally. Beginning with PAN-OS 9.1, the forwarding address is set to the next hop if the next hop is part of the OSPF domain; otherwise, the forwarding address is set to 0.0.0.0. |
IKEv2 (PAN-OS 9.1.13 and later 9.1 releases) | Prior to PAN-OS 9.1.13, when one end of an IKEv2 tunnel was a PAN-OS firewall, even if an IKEv2 tunnel was configured with SHA2 authentication (sha512, sha384, or sha256), PAN-OS always used SHA1 authentication. Beginning with PAN-OS 9.1.13: |
Scheduled Log Export (PAN-OS 9.1.13 and later 9.1 releases) | Scheduled log exports ( Device Log Export Workaround: When scheduling your log exports, maintain at least 6 hours between each scheduled log export. |
Proxy Decryption (PAN-OS 9.1.12 and later releases) | Beginning in PAN-OS 9.1.12, the firewall starts denying web sessions if a client presents a truncated Client Hello message that lacks critical information, such as supported cipher suites and TLS versions. Without this information, the firewall cannot accurately decrypt the session. Sessions with traffic excluded from decryption may also be denied if the Client Hello is truncated and missing critical information. If critical information is present in the truncated Client Hello, the firewall attempts decryption. Specifically, the firewall examines the first packet of the truncated Client Hello for the Server Name Indication (SNI) extension. The firewall can use the SNI value to identify and apply the matching Decryption policy rule to the traffic. In the absence of an SNI value in the first packet, the firewall makes a best-effort match to a Decryption policy rule. SNI parsing is opportunistic: even if an SNI value is present in the first packet, a Decryption policy rule mismatch may occur. In PAN-OS 9.1 and earlier, the firewall attempted to decrypt web sessions with incomplete Client Hello messages even if the message was missing critical information. SNI values were not used to match traffic with a Decryption policy rule. This made traffic more susceptible to policy rule mismatches. To allow the firewall to process web sessions with incomplete Client Hellos that are missing critical information, use the `debug proxy discard-partial-client-hello enable no` CLI command. The firewall will also examine the first packet for an SNI value. The CTD engine will discard sessions if the traffic matches a known threat pattern. If the traffic does not match a known threat, the CTD engine may allow the session to continue undecrypted. |
Test SCP Server Connection (PAN-OS 9.1.16 and later releases) | To test the SCP server connection when you schedule a configuration export ( Panorama Schedule Config Export Device Scheduled Log Export Password and Confirm Password to test the SCP server connection and enable the secure transfer of data. You must also enter the clear text SCP server Password and Confirm Password when you test the SCP server connection from the firewall or Panorama CLI. |
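The Proxy Decryption row above turns on what a truncated Client Hello still contains: the TLS version and cipher-suite list (critical), and the SNI extension (used, when present in the first packet, to pick the Decryption policy rule). The following is an added example written for this page, not Palo Alto Networks code: it constructs a TLS ClientHello record with an SNI extension as a test fixture, parses whatever prefix of it survives, and then models the 9.1.12+ decision as the note states it (deny when version or cipher suites are cut off, otherwise attempt decryption keyed on the SNI if one was recovered). The `classify` function is my reading of the note; the CTD threat-pattern check and the firewall's actual policy-matching are not modelled.

```python
import struct
from typing import Optional

# TLS record / handshake constants (RFC 5246, RFC 6066).
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


class Truncated(Exception):
    """A field extends past the bytes we actually received."""


class Reader:
    """Bounds-checked cursor over a byte string; every read can raise Truncated."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise Truncated()
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")


def build_client_hello(sni: str, cipher_suites, version: int = 0x0303) -> bytes:
    """Constructed fixture: a minimal TLS record carrying a ClientHello with an SNI extension."""
    body = struct.pack("!H", version) + bytes(32)          # client_version + zeroed random (fixture)
    body += b"\x00"                                         # empty legacy session_id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs                 # cipher_suites
    body += b"\x01\x00"                                     # compression_methods: null only
    name = sni.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_ext = struct.pack("!H", len(server_name_list)) + server_name_list
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
    body += struct.pack("!H", len(ext)) + ext               # extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_sni(ext_data: bytes) -> Optional[str]:
    """Return the host_name entry of a server_name extension, or None if absent."""
    r = Reader(ext_data)
    list_len = r.u16()
    end = r.pos + list_len
    while r.pos < end:
        name_type, name_len = r.u8(), r.u16()
        name = r.take(name_len)
        if name_type == 0:  # host_name
            return name.decode("ascii", errors="replace")
    return None


def inspect_client_hello(packet: bytes) -> dict:
    """Parse as much of a ClientHello as the bytes allow; fields still None were not reachable."""
    info = {"version": None, "cipher_suites": None, "sni": None, "complete": False, "error": None}
    r = Reader(packet)
    try:
        if r.u8() != TLS_HANDSHAKE:
            info["error"] = "not a handshake record"
            return info
        r.u16()                     # record-layer version
        r.u16()                     # declared record length (we trust only the bytes we hold)
        if r.u8() != CLIENT_HELLO:
            info["error"] = "not a ClientHello"
            return info
        r.u24()                     # handshake body length
        info["version"] = r.u16()   # client_version
        r.take(32)                  # random
        r.take(r.u8())              # legacy session_id
        cs_len = r.u16()
        cs = r.take(cs_len)         # raises Truncated if the suite list is cut off
        info["cipher_suites"] = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, len(cs) // 2 * 2, 2)]
        r.take(r.u8())              # compression methods
        ext_total = r.u16()
        end = r.pos + ext_total
        while r.pos < end:
            ext_type, ext_len = r.u16(), r.u16()
            ext_data = r.take(ext_len)
            if ext_type == EXT_SERVER_NAME:
                info["sni"] = parse_sni(ext_data)
        info["complete"] = True
    except Truncated:
        info["error"] = "truncated"
    return info


def classify(packet: bytes) -> str:
    """My model of the 9.1.12+ handling described in the release note (assumption, not firewall logic)."""
    info = inspect_client_hello(packet)
    if info["error"] not in (None, "truncated"):
        return "not-client-hello"
    if info["version"] is None or info["cipher_suites"] is None:
        return "deny"                           # critical information missing from the truncated hello
    if info["sni"] is not None:
        return f"decrypt:sni={info['sni']}"     # SNI in first packet selects the Decryption rule
    return "decrypt:best-effort"                # critical fields present, no SNI recovered


if __name__ == "__main__":
    full = build_client_hello("example.com", [0x1301, 0xC02F])  # constructed sample, 74 bytes
    for cut in (len(full), 60, 50, 45):
        print(cut, classify(full[:cut]))
```

Offsets in the fixture are fixed (5-byte record header, 4-byte handshake header, 2-byte version, 32-byte random, then the session id, cipher suites, compression and extensions), so slicing the sample at 45 or 48 bytes cuts inside the cipher-suite list and is denied, while a cut at 50 or 60 bytes has the critical fields but loses the SNI and falls back to a best-effort match.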