Read about the new Palo Alto Networks PAN-OS version 9.0 and its new management features. Learn more about PAN-OS 9.0, the new Audit Comments and the new Rule Usage Filtering.
We are happy to announce the release of PAN-OS version 9.0. In this blog, I will be covering the new Management features included with PAN-OS 9.0.
There are a slew of new changes and additions when it comes to the features, so I will dive right in. I tried to give a highlight of each of the new Management features.
Here are the New Management features in PAN-OS 9.0:
NEW MANAGEMENT FEATURE
Enforcement of Description, Tag and Audit Comment
Keeping track of your rules is important, and it is easy to forget why a specific rule was put in place. With the new Enforcement of Description, Tag and Audit Comments, you can keep track of your rules more easily. These fields can now be mandatory, instead of optional items that are never filled out.
In order to help track how your policy rules have changed over time, we have added the new Rule Changes Archive. With this archive, you now have the ability to see the exact differences between two rule versions. And once you use this feature along with the Enforcement of Rule Description, Tag and Audit Comments shown above, this will make auditing your security rulebase a lot easier.
Group related rules using a new group tag to efficiently manage large sets of related rules within any policy rulebase. You can use any tag as a group tag to organize related rules, so you can easily move, clone or delete the rules in the selected group. This allows you to see the organizational changes that are happening to your rulebase and increase the efficiency of managing large sets of rules.
Policy Match and Connectivity Tests from the Web Interface
Validating your policy is a very important step before committing your policy changes. Now you have the ability to ensure that network traffic will match the expected policy rules inside of the web interface. There is even a new feature that allows you to test connectivity to network resources.
An important step when managing and auditing rules is being able to identify and filter unused rules. Being able to disable or remove any unused rules will improve your security posture. This can be very handy if you are changing over from Port-Based rules to App-ID based rules to ensure that the correct rules are used.
Objects Capacity Improvements on the PA-5220 and the PA-3200 Series Firewalls
Scaling your deployment of Palo Alto Networks firewalls has been improved with increased capacities. The numbers of Address Objects, Address Groups, Service Groups, Service Objects, Zones and Policy Rules have been increased.
A whole new set of features has been added to allow you to manage API keys, from being able to specify the API Key Lifetime to being able to expire all API keys at the same time in an emergency.
PAN-OS REST API for a Simplified Automation/Integration Experience
One of the new things added to PAN-OS 9.0 is the integration of a more simplified REST API interface. This gives you the ability to easily map firewall tasks to the API interface. The REST API interface now provides the ability to use JSON and XML data formats in API requests and responses. It will also provide versioning for backwards compatibility with future PAN-OS versions.
Everyday use (auditing, searching, reporting and tracking changes) of security rules has been enhanced by the use of Universally Unique Identifiers (UUIDs). This way, if a rule is renamed, moved or deleted, the UUID will remain the same, allowing the rule’s history of any changes to remain intact. With UUIDs, you have the ability to find a rule across multiple rulebases, even if they contain thousands of rules.
You now have the ability to extend the lifetime of the master key from the Web Interface on firewalls or Panorama. This can come in handy if you need to postpone any maintenance until the next maintenance window, ensuring the firewall is fully functional.
Real-Time Enforcement and Expanded Capacities for Dynamic Address Groups
If you use IoT devices, virtual workloads or containers (with bursts of traffic or short lifecycles), you now have the ability to enforce security policies for these objects. This will allow you to help monitor and troubleshoot Dynamic Address Groups with the new IP-Tag log that has been added to the firewall and Panorama. Increased capacity (up to 5 times) has also been added to select firewall models to help handle a larger volume of entities for registered IP addresses.
That wraps up the new Management features added to PAN-OS 9.0.
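The following is an added example, not code from the original post or from Palo Alto Networks, of the kind of audit that the description/tag enforcement and rule UUID features above support: it flags rules with no description or tag, and diffs two rulebase snapshots by UUID so that a rename shows up as a change rather than a delete plus an add. The rule data is constructed, and the JSON field names are assumptions made for illustration.

```python
import json

# Constructed sample data: two snapshots of a security rulebase. The field
# names ("@uuid", "@name", "description", "tag") are assumptions for this example.
BEFORE = json.loads("""[
  {"@uuid": "11111111-aaaa-4000-8000-000000000001", "@name": "allow-web",
   "description": "Public web tier", "tag": {"member": ["dmz"]}, "action": "allow"},
  {"@uuid": "11111111-aaaa-4000-8000-000000000002", "@name": "temp-rule", "action": "allow"},
  {"@uuid": "11111111-aaaa-4000-8000-000000000003", "@name": "old-ftp",
   "description": "Legacy FTP", "tag": {"member": ["legacy"]}, "action": "allow"}
]""")
AFTER = json.loads("""[
  {"@uuid": "11111111-aaaa-4000-8000-000000000001", "@name": "allow-web-https",
   "description": "Public web tier", "tag": {"member": ["dmz"]}, "action": "allow"},
  {"@uuid": "11111111-aaaa-4000-8000-000000000002", "@name": "temp-rule", "action": "allow"},
  {"@uuid": "11111111-aaaa-4000-8000-000000000004", "@name": "allow-dns",
   "description": "", "tag": {"member": ["infra"]}, "action": "allow"}
]""")

def missing_metadata(rules):
    """Return {uuid: [missing fields]} for rules lacking a description or tag."""
    report = {}
    for r in rules:
        missing = []
        if not (r.get("description") or "").strip():
            missing.append("description")
        if not (r.get("tag") or {}).get("member"):
            missing.append("tag")
        if missing:
            report[r["@uuid"]] = missing
    return report

def diff_by_uuid(before, after):
    """Compare snapshots keyed by UUID, so a rename is a change, not delete+add."""
    old = {r["@uuid"]: r for r in before}
    new = {r["@uuid"]: r for r in after}
    changed = {}
    for uuid in old.keys() & new.keys():
        fields = sorted(k for k in old[uuid].keys() | new[uuid].keys()
                        if old[uuid].get(k) != new[uuid].get(k))
        if fields:
            changed[uuid] = fields
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

if __name__ == "__main__":
    print(json.dumps(missing_metadata(AFTER), indent=2))
    print(json.dumps(diff_by_uuid(BEFORE, AFTER), indent=2))
```

Keyed by name instead of UUID, the renamed `allow-web` rule would appear as one removed rule and one new rule, which is the history break the UUID feature avoids.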
New Features Guide
For a full list of all the new features for PAN-OS 9.0, which covers all the New Features as well as links to the Release Notes, Getting Started information with the new features, and instructions on Upgrading to PAN-OS 9.0, please check out the new features guide here: PAN-OS 9 New Features Guide.