BPA Release Notes v3.14

Printer Friendly Page

Security Rule Hit Count

New Feature

 

Details: This tracks how often traffic matches the policy rules you configured on the firewall. It also identifies the inactive rules. When enabled, you can view the total Hit Count for total traffic matches against each rule along with First Hit and Last Hit.

 

View of Device Policy Rulebase Hit Count.png

 

API Key Lifetime

New Feature

 

Details: Set the API key lifetime to protect against compromise and to reduce the effects of accidental exposure. To ensure that your keys are frequently rotated and each key is unique when regenerated, you must specify a validity period that ranges between 1-525,600 minutes. Refer to the Audit and Compliance policies for your enterprise to determine how you should specify the lifetime for which your API keys are valid.

 

View of Device Authentication Settings API Key Lifetime.png

 

Server Monitoring Transport Protocol

New Feature

 

Details: Using the Windows Remote Management (WinRM) protocol greatly improves the speed, efficiency, and security when monitoring server events to map usernames to IP addresses. Leverage one of the WinRM protocols to monitor Active Directory Windows Servers 2008 or Microsoft Exchange Servers 2008 or later. 

 

View of Device User-ID Transport Protocol.pngScreen Shot 2019-07-24 at 3.47.35 PM.png

 

Time to Refresh FQDN

New Feature

 

Details: Set a limit on how fast the firewall refreshes FQDNs that it receives from a DNS. This check ensures the FQDN is not outdated by setting refresh interval at default 30 sec.

 

View of Device Services Settings FQDN Refresh Time.png

 

GRE Tunnel Keep-Alive

New Feature

 

Details: Configure Keep-Alive on the GRE Tunnel to ensure stability and monitoring of tunnel activity.

 

View of GRE Tunnel Keep-Alive.png

 

Tunnel Inspection Security Options

New Feature

 

Details: The best practice is to create tunnel zones for your tunnel traffic. Thus, the firewall creates separate sessions for tunneled and non-tunneled packets that have the same five-tuple (source IP address and port, destination IP address and port, and protocol). By doing so, we can inspect at Layer 7 for Applications, Threat, URL filtering and apply granular policy conditions to permit just the right traffic.

 

View of Tunnel Inspection Security Options.png

 

Inter-vsys User-ID Data Sharing

New Feature

 

Details: To simplify User-ID source configuration if you have multiple virtual systems, you can now share user mappings across virtual systems. To share User-ID IP address-to-username mappings, choose a virtual system to use as a User-ID hub that collects and stores the mappings in a centralized table that is accessible by all the virtual systems. This helps in not retaining the same user IP addresses multiple times on the firewall for each single vsys. This also helps in increasing the User-ID limit on the device by not retaining the same names multiple times.

 

View of Template Virtual Systems.png

 

WildFire File Size Limits Updated for PAN-OS 9.0

Enhancement

 

Details: The best practice file size limit for each file type has changed for PAN-OS version 9.0. We have updated the checks with new file sizes as per best practices for PAN-OS 9.0.

 

View of Device WildFire Settings Size Limits.png

 

Ask Questions Get Answers Join the Live Community
Article Dashboard
Version history
Revision #:
11 of 11
Last update:
‎07-29-2019 09:12 AM
Updated by: