PAN-OS 9.0 Release Features: Management

Community Team Member

Read about the new PAN-OS 9.0 Release Features: Management. Palo Alto Networks PAN-OS 9.0 has new management features, including Audit Comments and the new Rule Usage Filtering. Learn how to use them and find some helpful links. Got Questions? Get Answers on Live Community!


We are happy to announce the release of PAN-OS version 9.0. In this blog, I will be covering the new Management features included with PAN-OS 9.0.

 

There are a slew of new changes and additions when it comes to the features, so I will dive right in. I tried to give a highlight of each of the new Management features.

 

Here are the New Management features in PAN-OS 9.0:

 

NEW MANAGEMENT FEATURE

DESCRIPTION

Enforcement of Description, Tag and Audit Comment

Keeping track of your rules is important, and it is easy to forget why a specific rule was put in place. With the new Enforcement of Description, Tag and Audit Comment, you can keep track of your rules more easily. These fields can now be mandatory, instead of optional items that are never filled out.

 

Read more about these new comments here: New Rule Description Tags.

Rule Changes Archive

In order to help track how your policy rules have changed over time, we have added the new Rule Changes Archive. With this archive, you now have the ability to see the exact differences between two rule versions. And once you use this feature along with the Enforcement of Rule Description, Tag and Audit Comments shown above, this will make auditing your security rulebase a lot easier.

 

Read more about the new Rules Archive here: New Rule Changes Archive.

Tag Based Rule Groups

Group related rules using a new group tag to efficiently manage large sets of related rules within any policy rulebase. You can use any tag as a group tag to organize related rules, so you can easily move, clone or delete the rules in the selected group. This allows you to see the organizational changes that are happening to your rulebase and increase the efficiency of managing large sets of rules.

 

Read more about these new group tags here: New Tag Based Rule Groups.

Policy Match and Connectivity Tests from the Web Interface

Validating your policy is a very important step before committing your policy changes. Now you have the ability to ensure that network traffic will match the expected policy rules inside of the web interface. There is even a new feature that allows you to test connectivity to network resources.

 

Read more about the new validation features here: Policy Match and Connectivity Tests.

Rule Usage Filtering

An important step when managing and auditing rules is being able to identify and filter unused rules. Being able to disable or remove any unused rules will improve your security posture. This can be very handy if you are changing over from Port-Based rules to App-ID based rules to ensure that the correct rules are used.

 

Read more about new ways to identify unused rules: Rule Usage Filtering.

Objects Capacity Improvements on the PA-5220 and the PA-3200 Series Firewalls

Scaling your deployment of Palo Alto Networks firewalls has been improved with increased capacities. The numbers of Address Objects, Address Groups, Service Groups, Service Objects, Zones and Policy Rules have been increased.

 

Read more about the Capacity Improvements here: Objects Capacity Improvements.

API Key Lifetime

A whole new set of features has been added to allow you to manage API keys, from specifying the API Key Lifetime to expiring all API keys at the same time in an emergency.

Read more about the new API Key features here: API Key Lifetime.

PAN-OS REST API for a Simplified Automation/Integration Experience

One of the new things added to PAN-OS 9.0 is the integration of a simplified REST API interface. This gives you the ability to easily map firewall tasks to the API interface. The REST API interface now provides the ability to use JSON and XML data formats in API requests and responses. It also provides versioning for backwards compatibility with future PAN-OS versions.

Read more about the new REST API features here: REST API Interface.

Universally Unique Identifiers for Policy Rules

Everyday use (auditing, searching, reporting and tracking changes) of security rules has been enhanced by the use of Universally Unique Identifiers (UUIDs). If a rule is renamed, moved or deleted, the UUID will remain the same, allowing the rule's history of any changes to remain intact. With UUIDs, you have the ability to find a rule across multiple rulebases, even if they contain thousands of rules.

 

Read more about new UUID features here: New Universal Unique Identifiers (UUIDs).

Temporary Master Key Expiration Extension

You now have the ability to extend the lifetime of the master key from the Web Interface on firewalls or Panorama. This can come in handy if you need to postpone any maintenance until the next maintenance window, ensuring the firewall is fully functional.

 

Read more about the new Master Key features here: Master Key Expiration Extension.

Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups

If you use IoT devices, virtual workloads or containers (with bursts of traffic or short lifecycles), you now have the ability to enforce security policies for these objects. You can also monitor and troubleshoot Dynamic Address Groups with the new IP-Tag log that has been added to the firewall and Panorama. In addition, capacity has been increased (up to 5 times) on select firewall models to help handle a larger volume of entities for registered IP addresses.

 

Read more about new Dynamic Address Groups here: Expanded Capacities for Dynamic Address Groups.

 

 

That wraps up the new Management features added to PAN-OS 9.0.

 

See Also

 

New Features Guide

For a full list of the new features in PAN-OS 9.0, along with links to the Release Notes, Getting Started information for the new features, and instructions on upgrading to PAN-OS 9.0, please check out the new features guide here: PAN-OS 9.0 New Features Guide.

 

You can also see what's new here: What's New in PAN-OS 9.0.

  

Take a closer look at our take on PAN-OS 9.0 features:

 

PAN-OS 9.0 Release Features: DNS Security and Content Inspection

PAN-OS 9.0 Release Features: Policy Optimizer and App-ID

PAN-OS 9.0 Release Features: Panorama

PAN-OS 9.0 Release Features: GlobalProtect

PAN-OS 9.0 Release Features: User-ID

PAN-OS 9.0 Release Features: Networking and Virtualization

PAN-OS 9.0 Release Features: PA-7000 New Cards

PAN-OS 9.0: Got Questions? Get Answers!

 


Thanks for taking time to read my blog.

If you enjoyed this, please hit the Like (thumb up) button, and don't forget to subscribe to the Live Community blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,

Joe Delio

End of line

Comments
L0 Member

The link contained in the following line appears to be broken: 'Read more about new UUID features here: New Universal Unique Identifiers (UUIDs).'

 

I believe it should be: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/management-features/universally-uni...

 

Thanks for putting this information in one place! Very helpful!

Community Team Member

Thanks @lkrous, the link has been fixed, and yes that was the link I had intended.

 

Thanks for the kind words, and as always, don't forget to click the thumb up if you liked an article.

 

 
