An overview of the new networking and virtualization features in the PAN-OS 9.0 release.
We are happy to announce the release of PAN-OS 9.0. In this blog I cover the new networking and virtualization features included in PAN-OS 9.0; I grouped them together because many of these features are related.
There are many new changes and additions, so I will dive right in with a highlight of each new networking and virtualization feature.
| NEW NETWORKING FEATURES | DESCRIPTION |
|---|---|
| Security Group Tag (SGT) EtherType Support | Support for Security Group Tags (SGTs) has been added both at Layer 2 with a Cisco TrustSec network and at Layer 3 when the firewall is deployed between two SGT Exchange Protocol (SXP) peers. You can continue to define SGT-based policies the same way, because the firewall does not use SGTs as match criteria. No configuration changes are needed; SGT traffic is processed by default. Read more: Security Group Tag (SGT) EtherType Support |
| FQDN Refresh Enhancement | Because cloud applications often require frequent FQDN refreshes, PAN-OS 9.0 can now refresh cached entries based on the DNS TTL value. FQDN cache entries also have a configurable minimum refresh time that limits how often the firewall refreshes the FQDN cache. This also helps in the event of a network failure in which the DNS server is unreachable. Read more: FQDN Refresh Enhancements |
| GRE Tunneling Support | Because cloud services and related networks often use GRE tunnels for point-to-point connectivity, the firewall can now be a GRE tunnel endpoint. This lets the firewall inspect and enforce security policy on both non-tunneled traffic and GRE-tunneled traffic. GRE over IPSec has also been added to interoperate with other vendors' implementations that encrypt GRE within IPSec. Read more: GRE Tunneling Support |
| Wildcard Address Support in Security Policy Rules | Security policy rules can now use wildcard masks to define sets of IPv4 addresses as sources and destinations. This gives you flexibility in writing rules and avoids maintaining a very large number of address objects and IP addresses. Read more: Wildcard Address Support |
| Hostname Option Support for DHCP Clients | A DHCP client interface can now be assigned a hostname, which the firewall sends to the DHCP server so that the server can manage hostname-to-dynamic-IP-address resolution automatically. Read more: Hostname Option Support for DHCP Clients |
| FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer | Using FQDNs reduces the complexity of configuring and managing a firewall. You can now configure an FQDN or FQDN address object as a static route next hop, a PBF next hop, or a BGP peer address, which simplifies provisioning by eliminating the need to configure static IPs for these functions. FQDNs can also be mapped according to location and deployment requirements to limit what is resolved for the FQDN. Read more: FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer |
| Dynamic DNS Support for Firewall Interfaces | Whether you need remote access to the firewall or host services behind it, the firewall can now register IPv4 and IPv6 address changes automatically with a Dynamic DNS (DDNS) provider when an interface's DHCP-assigned address changes. The following five DDNS providers are currently supported: DuckDNS, DynDNS, FreeDNS Afraid.org, FreeDNS Afraid.org Dynamic API, and No-IP. Read more: Dynamic DNS Support for Firewall Interfaces |
| HA1 SSH Key Refresh | Previously, changing the SSH key pairs that secure HA1 communications required restarting the firewall. That restart is no longer needed. Read more: HA1 SSH Key Refresh |
| Advanced Session Distribution Algorithms for Destination NAT | Destination NAT gains the following session distribution methods: source IP hash, IP modulo, IP hash, and least sessions. You can now choose the distribution method that best suits each destination NAT use case. Read more: Advanced Session Distribution Algorithms for Destination NAT |
| VXLAN Tunnel Content Inspection | If you use VXLAN as a transport overlay, a Tunnel Content Inspection policy can now scan the traffic inside a VXLAN tunnel. This gives you visibility into VXLAN traffic and lets you control it with security policy without making network changes or terminating the tunnel. Read more: VXLAN Tunnel Content Inspection |
| LACP and LLDP Pre-Negotiation on an HA Passive Firewall | To reduce failover times caused by LACP and LLDP delays, the passive firewall in an HA pair can now pre-negotiate LACP and LLDP before it becomes active. This feature was previously limited to certain firewall models and has now been extended to the PA-220, PA-220R, PA-820, PA-850, PA-3200 Series, and PA-5280 firewalls. Read more: LACP and LLDP Pre-Negotiation on an HA Passive Firewall |
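As an added illustration of the wildcard address feature (my own code, not Palo Alto Networks'), the Python check below shows what a wildcard source or destination actually covers before you commit a rule: which addresses match, how many there are, and whether the mask is really just a CIDR prefix. It assumes the common wildcard-mask convention, where a 0 bit means the address bit must match and a 1 bit means "don't care"; the rule and addresses are constructed samples.

```python
import ipaddress
from typing import List, Optional

def parse_wildcard(spec: str):
    """Split 'a.b.c.d/w.x.y.z' into (address, wildcard mask) as 32-bit ints.

    Assumed convention (not quoted from the PAN-OS docs): a 0 bit in the mask
    means that address bit must match exactly, a 1 bit means 'don't care'."""
    addr_s, mask_s = spec.split("/")
    return int(ipaddress.IPv4Address(addr_s)), int(ipaddress.IPv4Address(mask_s))

def wildcard_matches(spec: str, ip: str) -> bool:
    """True if ip falls inside the wildcard address spec."""
    addr, wild = parse_wildcard(spec)
    care = ~wild & 0xFFFFFFFF          # bits that must match exactly
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def population(spec: str) -> int:
    """How many IPv4 addresses the rule covers: 2 ** (number of wildcard bits)."""
    _, wild = parse_wildcard(spec)
    return 1 << bin(wild).count("1")

def equivalent_cidr(spec: str) -> Optional[str]:
    """Return the plain CIDR prefix if the wildcard bits form one contiguous
    low-order run, else None (a non-contiguous mask is not a prefix)."""
    addr, wild = parse_wildcard(spec)
    if wild & (wild + 1):              # ones are not all at the low end
        return None
    prefix = 32 - bin(wild).count("1")
    base = ipaddress.IPv4Address(addr & ~wild & 0xFFFFFFFF)
    return f"{base}/{prefix}"

def covered_addresses(spec: str, limit: int = 8) -> List[str]:
    """Enumerate up to `limit` matching addresses, lowest first, so an operator
    can see what a non-contiguous rule really lets through."""
    addr, wild = parse_wildcard(spec)
    base = addr & ~wild & 0xFFFFFFFF
    wild_bits = [b for b in range(32) if (wild >> b) & 1]
    out = []
    for n in range(min(limit, 1 << len(wild_bits))):
        v = base
        for i, b in enumerate(wild_bits):
            if (n >> i) & 1:
                v |= 1 << b
        out.append(str(ipaddress.IPv4Address(v)))
    return out

if __name__ == "__main__":
    # constructed example: host .20 in every /24 under 10.10.0.0/16
    RULE = "10.10.0.20/0.0.255.0"
    print(population(RULE), equivalent_cidr(RULE), covered_addresses(RULE, 4))
```

A mask such as 0.0.255.0 matches 256 scattered hosts rather than one block, so enumerating a few of them is a quick sanity check that the rule is no broader than intended.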
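The four destination NAT distribution methods trade session stickiness against even load. The Python model below is an added example, not PAN-OS code: it assumes a constructed three-server pool and a SHA-256 stand-in for the firewall's unspecified hash, and shows that the three address-based methods keep a chatty client on one server while least sessions spreads its sessions across the pool.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

# constructed pool of translated (real server) addresses behind one NAT rule
POOL = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]

def _h(*parts: str) -> int:
    """Stable stand-in hash; the firewall's actual hash function is not
    described on the page, so this is an assumption."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")

def _ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def pick(method: str, src: str, dst: str, pool: List[str], sessions: Counter) -> str:
    """Choose the translated address for one new session."""
    if method == "source-ip-hash":   # one client always lands on one server
        return pool[_h(src) % len(pool)]
    if method == "ip-hash":          # keyed on the source/destination pair
        return pool[_h(src, dst) % len(pool)]
    if method == "ip-modulo":        # source address mod pool size: cheap, predictable
        return pool[_ip_int(src) % len(pool)]
    if method == "least-sessions":   # server with the fewest active sessions (first on ties)
        return min(pool, key=lambda p: sessions[p])
    raise ValueError(f"unknown method {method}")

def simulate(method: str, flows: List[Tuple[str, str]], pool: List[str] = POOL) -> Dict:
    """Run a flow list through one method; sessions are assumed never to end."""
    sessions: Counter = Counter()
    assignments = []
    for src, dst in flows:
        chosen = pick(method, src, dst, pool, sessions)
        sessions[chosen] += 1
        assignments.append(chosen)
    return {"assignments": assignments, "load": dict(sessions)}

# constructed sample: one chatty client opening six sessions, then three other clients
VIP = "198.51.100.10"
FLOWS = [("203.0.113.5", VIP)] * 6 + [("203.0.113.6", VIP), ("203.0.113.7", VIP), ("203.0.113.8", VIP)]

def sticky(method: str) -> bool:
    """True when all six sessions from the chatty client went to the same server."""
    return len(set(simulate(method, FLOWS)["assignments"][:6])) == 1
```

Running simulate() for each method shows the trade-off: the hash and modulo methods keep a client on one server (useful when the servers hold per-client state) at the cost of uneven load when one client is busy, while least sessions balances the count regardless of who the client is.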
| NEW VIRTUALIZATION FEATURES | DESCRIPTION |
|---|---|
| VM-Series on AWS—Support for C5 and M5 Instance Types with ENA | The VM-Series firewall on AWS now supports C5 and M5 instance types, which use the Elastic Network Adapter (ENA). This lets you deploy the VM-Series firewall in every region that supports C5/M5, including newer AWS regions such as Paris that offer only newer instance types. C5 and M5 instance types are supported in SR-IOV mode; DPDK is not supported. Read more: VM-Series on AWS—Support for C5 and M5 Instance Types with ENA |
| VM-Series Plugin | A new VM-Series plugin lets Palo Alto Networks deliver cloud features and updates to VM-Series firewalls, including integrations with new cloud platforms or hypervisors, independently of a PAN-OS release. The plugin also manages interactions between VM-Series firewalls and the supported public and private cloud deployments. Because the plugin is digitally signed by Palo Alto Networks, it can be updated just like software or dynamic content updates. Read more: VM-Series Plugin |
| Support for HA for VM-Series on Azure | Active/passive HA is now supported for VM-Series firewalls on Azure. This support is delivered through the VM-Series plugin described above. Read more: Support for HA for VM-Series on Azure |
| Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV) | Higher throughput is now available for VM-Series firewalls deployed on the D/DSv2 and D/DSv3 classes of Azure VMs, including support for Accelerated Networking (SR-IOV). You can deploy them as an active/passive HA pair or in a scale-out deployment with Azure load balancers. Read more: Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV) |
New Features Guide
For a full list of the new features in PAN-OS 9.0, with links to the Release Notes, getting-started information for each feature, and instructions for upgrading to PAN-OS 9.0, see the new features guide here:
PAN-OS 9.0 New Features Guide.
You can also see what's new on our main website: What's New in PAN-OS 9.0.
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the Live Community Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line