1. Home
    2. PAN-OS
    3. PAN-OS® Release Notes
    4. PAN-OS 9.1 Release Information
    5. Changes to Default Behavior

    Changes to Default Behavior

    Changes to the default behavior in PAN-OS® 9.1.
    The following table details the changes in default behavior upon upgrade to PAN-OS® 9.1. You may also want to review the CLI Changes in PAN-OS 9.1 and the Upgrade/Downgrade Considerations before upgrading to this release.
    Feature
    Change
    URL Filtering BrightCloud Support
    With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
    PAN-OS REST API request parameters and error responses
    • The REST API methods now accept the API key only through a custom HTTP header and no longer as a query parameter. To authenticate your REST API request to the firewall or Panorama, use the custom HTTP header
      X-PAN-Key: <key>
       to include the API key in the HTTP header. This change applies only to the REST API; the XML API is unchanged.
    • The REST API methods now implement both
      rename
       and
      move
       with custom HTTP mappings instead of action query parameters. Examples of the new and previous conventions are below.
      Rename an address:
      • New convention:
        POST /restapi/<version>/objects/addresses:rename
      • Replaces:
        POST /restapi/<version>/objects/addresses?action=rename
      Move a security policy rule:
      • New convention:
        POST /restapi/<version>/policies/securityrules:move
      • Replaces:
        POST /restapi/<version>/policies/securityrules?action=move
    • There is a new error response format for all REST API methods. This new format offers consistent and reliable error reporting that includes both human-readable messages and parsable error codes. The format includes overall request status, product-specific error codes, and details that will give the caller the maximum amount of data available if an error does occur.
    • The REST API URIs now denote version with a
      v
       prefix for versions 9.1 and beyond. Examples of the new and previous conventions are below:
      • New convention:
        GET /restapi/v9.1/objects/addresses
      • Replaces:
        GET /restapi/9.0/objects/addresses
    URL Category Lookup Timeout
    Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five.
    Also, you can now adjust this timeout in the web interface by navigating to
    Device
    Setup
    Content-ID
     and changing the value for
    Category lookup timeout
    .
    Web Interface Configuration to Hold Web Requests During URL Category Lookups
    The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to
    Device
    Setup
    Content-ID
     and checking the box next to
    Hold client request for category lookup
    .
    GlobalProtect Host Information
    On the ACC, the
    GlobalProtect Host Information
     widget under the Network Activity tab is now renamed
    HIP Information
    .
    SCTP Service Object
    In PAN-OS 9.1 and later versions, the Stream Control Transmission Protocol (SCTP) service object is no longer supported in policy rules.
    SD-WAN Auto VPN Configuration
    (
    PAN-OS 9.1.2 and SD-WAN Plugin 1.0.2
    )
    Auto VPN configuration no longer creates VPN tunnels between SD-WAN hubs in a VPN cluster. (Auto VPN still creates VPN tunnels between a branch and a hub.) When you upgrade to PAN-OS 9.1.2 and SD-WAN Plugin 1.0 2 and push the configuration from Panorama, Panorama removes the VPN tunnels between hubs that it previously created.
    SAML Authentication
    (
    PAN-OS 9.1.3 and later 9.1 releases
    )
    To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
    • Ensure that you configure the signing certificate of your SAML Identity Provider as the
      Identity Provider Certificate
       on the SAML Identity Provider Server Profile.
    • Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.
    PA-7000 Series Firewall Memory Limit for the Management Server
    (
    PAN-OS 9.1.5 and later 9.1 releases
    )
    As of PAN-OS 9.1.5, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
    To enable resource-control groups, use:
    debug software resource-control enable
    To disable resource-control groups, use:
    debug software resource-control disable
    To set the memory limit, use:
    debug management-server limit-memory enable
    To remove the memory limit, use:
    debug management-server limit-memory disable
    Reboot the firewall to ensure the memory limit change takes effect.
    OSPF
    In prior releases, redistributed static routes in OSPF had the forwarding address set to 0.0.0.0 unconditionally. Beginning with PAN-OS 9.1, the forwarding address is set to the next hop if the next hop is part of the OSPF domain; otherwise, the forwarding address is set to 0.0.0.0.
    IKEv2
    (
    PAN-OS 9.1.13 and later 9.1 releases
    )
    Prior to PAN-OS 9.1.13, when one end of an IKEv2 tunnel was a PAN-OS firewall, even if an IKEv2 tunnel was configured with SHA2 authentication (sha512, sha384, or sha256), PAN-OS always used SHA1 authentication. Beginning with PAN-OS 9.1.13:
    • If an IKEv2 tunnel is configured with SHA2 authentication only, PAN-OS uses SHA2 authentication only.
    • If an IKEv2 tunnel is configured with SHA2 and SHA1 authentication, PAN-OS accepts SHA1 authentication as a responder if SHA2 verification fails.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo