BPA Release Notes v3.15


New Apps with Application Filter

New Feature

 

Details: New App-IDs can cause a change in policy enforcement for traffic that is newly identified as belonging to a certain application. To mitigate any impact to security policy enforcement, you can use the new App-ID characteristic within the application filter in a security policy rule, so the rule always enforces the most recently introduced App-IDs without requiring you to make configuration changes when new App-IDs are installed. 

 

New App-IDs are released monthly, so a policy rule that allows the latest App-IDs gives you time (or, if the firewall is not installing content updates on a schedule, until the next time you manually install content) to assess how newly categorized applications might impact security policy enforcement and to make any necessary adjustments.

 

Apply a security rule that permits traffic for new App-IDs only. Create an application filter with the new App-IDs characteristic checked, either for all new App-IDs or for only the necessary new App-IDs, which you select by filtering within the application filter. Apply this application filter to a security policy rule with the action set to "Allow." In the Apps and Threats content dynamic update settings, ensure the "Disable new apps in content update" check box is cleared.

 

View of App-filter-NewApps Interface.png

 

View of Security Rulebase in New App Filter.png

Script File Size 

New Feature

 

Details: Set the file size for script files to 20KB, so all script files that pass through the firewall are sent to WildFire for inspection. This file type was introduced in Apps and Threats content update 8101 and later. This file type is supported on PAN-OS version 8.1 and later.

 

View of Device WildFire Settings.png

 

Predefined Reports

New Feature

 

Details: The firewalls consume memory and compute resources in generating the predefined report results hourly (and forwarding them to Panorama, where they are aggregated and compiled for viewing). To reduce memory usage, you can disable the reports that are not relevant to you.

Before disabling a report, verify that there isn’t a "Group Report" or a "PDF Summary Report" feature using it. If you disable a predefined report assigned to a set of reports, the entire set of reports will have no data.

 

View of Device Logging Reporting Settings.png

 

BPA Summary with CIS Critical Security Controls version 7

Enhancement

 

Details: The Center for Internet Security released Critical Security Controls (CSC) version 7. Until now, the Best Practice Assessment report covered CSC version 6. With this release, we have updated our Best Practice checks to align with CSC version 7.

The BPA Summary in the BPA report will now show Best Practice checks aligned with CSC version 7. In the failed Best Practice spreadsheet, we provide both CSC version 6 and CSC version 7, so you can refer to v6 details as needed.

View of CIS Critical Security Controls 7.0 Summary.png

 

Template Stack Label Update

Bug

 

Details: On PAN-OS versions 8.1 and later, the label in the BPA report said "template" when referencing template stacks. This has been corrected, and the report now shows the right label.

 

Rule Detail Tab Filters Update

Enhancement

 

Details: In the "Rule Detail" tab of the Heatmap component, the drop-down for each filter now lists the option "any" at the top, so it is easy to select.

 

Decryption Summary Update

Bug

 

Details: The Heatmap Summary view includes Decryption Summary details, which also indicate whether any URL categories are exempted from decryption rules. There was a bug where we used to show "any" as a category. With this update, we only show URL categories that are exempted.

 

Labels and Display in PDF Report

Enhancement

 

Details: A minor update was made to correct a label and the display on the PDF chart in the PDF summary report.

Version history: revision 5 of 5, last update 07-29-2019 08:19 AM