PAN-OS 9.0 Features: Networking and Virtualization

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L7 Applicator

PAN-OS 9 Release Features Network and Virtualization - green.jpg

Read about the new PAN-OS 9.0 Release Features: Networking and Virtualization. Learn about all the new networking features offered from improvements to the Networking and Virtualization in PAN-OS 9.0. Got Questions? Get Answers on LIVEcommunity!

 

 

We are happy to announce the release of PAN-OS version 9.0.  In this blog I will be covering the new Networking and Virtualization features included with PAN-OS 9.0. I decided to group these together because they are related for many of these features.

 

There are a bunch of new changes and additions when it comes to the features, so I will dive right in. I tried to give a highlight of each of the new Networking and Virtualization features.

 

Here are the new networking features in PAN-OS 9.0:

NEW NETWORKING FEATURES

DESCRIPTION

Security Group Tag (SGT) EtherType Support

New support for Security Group Tags (SGT’s) has been added for both Layer 2 with Cisco Trustsec network as well as Layer 3 as long as it is deployed between two SGT Exchange Protocol (SXP) peers.

You can continue to define SGT-based policies the same way because the firewall does not use SGT’s for match criteria. No configuration changes are needed as the processing of SGT traffic works by default.

 

Read more about new SGT support here: Security Group Tag (SGT) EtherType Support

FQDN Refresh Enhancement

Because of how frequent that cloud applications require FQDN refresh rates, PAN-OS 9 now support the ability to refresh cached entires based on the DNS TTL value. FQDN cache entries are now configurable with a minimum refresh time to limit how often the firewall is refreshing the FQDN cache.  This can be nice in the event of a network failure and the DNS server is unreachable.

 

Read more about the new FQDN enhancements here: FQDN Refresh Enhancements

GRE Tunneling Support

Because Cloud services and related networks tend to use GRE tunnels for point-to-point connectivity, the firewall can now be a GRE tunnel endpoint. This allows the firewall to inspect and enforce security policies for both non tunneling traffic and GRE tunneled traffic. Also GRE over IPSec has been added to work with other vendors implementations that encrypt GRE within IPSec.

 

Read more about the GRE tunnel features here: GRE Tunneling Support

Wildcard Address Support in Security Policy Rules

With the new Wildcard Address Support in security rules will now give you the ability to use Wildcard masks to help define specific IPv4 network addresses. Giving you the flexibility in creating security policy rules that use a wildcard for sources and destinations. This can help prevent keeping a very large number of address objects and IP addresses. This will help add flexibility to security policies.

 

Read more about Wildcard Address Support in rules here: Wildcard Address Support

Hostname Option Support for DHCP Clients

The Hostname option for DHCP clients now gives you the ability to assign a hostname and in turn send that hostname to the DHCP server. Which can automatically manage the hostname-to-dynamic IP address resolutions.

 

Read more about the DHCP Hostname support here: Hostname Option Support for DHCP clients

FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer

Use of FQDNs can help reduce the complexity of configuration and management of a firewall. You now have the ability to configure an FQDN or FQDN address object in a static route next hop, PBF next hop as well as a BGP peer address. To simplify provisioning, you can now use a FQDN, to eliminate the need to configure static IP’s to this function. Also, FQDN’s can be mapped based upon location and deployment requirements to limit what is resolved for the FQDN.

 

Read more about new FQDN support here: FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer

Dynamic DNS Support for Firewall Interfaces

Whether you need to provide remote access to the firewall or host services behind the firewall, you now have the ability to register IPv4 and IPv6 address changes automatically to a Dynamic DNS (DDNS) provider in the event the firewall’s ip DHCP address changes. We currently have support for the following 5 DDNS providers:

·         DuckDNS

·         DynDNS

·         FreeDNS Afraid.org

·         FreeDNS Afraid.org Dynamic API

·         No-IP

 

Read more about new Dynamic DNS support here: Dynamic DNS Support for Firewall Interfaces

HA1 SSH Key Refresh

In the past, if you have ever needed to change your SSH key pairs to secure HA1 communications, you needed to restart the firewall. Now that is no longer needed.

 

Read more about SSH Key Refresh here: HA1 SSH Key Refresh

Advanced Session Distribution Algorithms for Destination NAT

To help enhance the use of Destination NAT, the following distribution methods have been added: source IP hash, IP modulo, IP hash, and least sessions. Now you can use different distribution methods to better suit your destination NAT use cases.

 

Read more about Destination NAT enhancements: Advanced Session Distribution Algorithms for Destination NAT

VXLAN Tunnel Content Inspection

The now have ability to use Tunnel Content Inspection Policy to scan for traffic within a VXLAN tunnel if you are using VXLAN as a transport overlay. This will give you visibility into VXLAN Traffic and control the traffic with security policies without implementing network changes or terminating the tunnel.

 

Read more about new Tunnel content inspection: VXLAN Tunnel Content Inspection

LACP and LLDP Pre-Negotiation on an HA Passive Firewall

In order to help reduce failover times caused by delays incurred by LACP and LLDP, an HA Firewall now has the ability to pre-negotiate LACP and LLDP before it becomes active. This feature was only included on limited firewall models, but now it has been extended to the following models:

·         PA-220

·         PA-220R

·         PA-820

·         PA-850

·         PA-3200 Series

·         PA-5280 firewalls

 

Read more about LACP and LLDP Pre-Negotiation here: LACP and LLDP Pre-Negotiation on an HA Passive Firewall

 

 

Here are the New Virtualization features in PAN-OS 9.0:

NEW VIRTUALIZATION FEATURES

DESCRIPTION

VM-Series on AWS—Support for C5 and M5 Instance Types with ENA

New support for C5 and M5 instance types that use the Elastic Network Adapter (ENA) has been added to VM-Series firewall on AWS. This will allow you deploy the VM Series firewall in all regions that support C5/M5. This includes new AWS regions that exclusively use newer instance types, such as Paris. Also, the C5 and M5 instance types are supported in SR-IOV mode; DPDK is not supported.

 

Read more about AWS support for C5 and M5 here: VM-Series on AWS—Support for C5 and M5 Instance Types with ENA

VM-Series Plugin

A New VM-Series plugin will allow Palo Alto Networks to deliver cloud features and updates to VM-Series firewalls. This includes integrations with new cloud platforms or hypervisors, independent of a PAN-OS release. This new plugin also will manage interactions between the VM-Series firewalls and the supported public and private cloud deployments.

Since this plugin is digitally signed by Palo Alto Networks, it can be updated just like software and or dynamic content updates.

 

Read more about the new VM-Series Plugin here: VM-Series Plugin

Support for HA for VM-Series on Azure

Support for active/passive HA configuration has now been added to VM-Series firewalls on Azure. This support is added with the VM-Series plugin (discussed above)

 

Read more about HA on Azure support here: Support for HA for VM-Series on Azure

Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV)

Support for higher throughput performance has been added to VM-Series that are deployed on D/DSv2 and D/DSv3 class of Azure VMs, including support for Accelerated Networking (SR-IOV). This allows you to deploy as an active/passive HA pair or in a scale out deployment with Azure load balancers.

 

Read more about Azure performance features here: Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV)

 

 

Additional Information

New Features Guide

For a full list of all the new features with PAN-OS 9.0, which covers all the new features, as well as links to the Release Notes, and Getting Started information with the new features and instructions on upgrading to PAN-OS 9.0, please check out the new features guide here: 

PAN-OS 9.0 New Features Guide. 

 

You can also see what's new on our main website: What's New in PAN-OS 9.0.

 

Thanks for taking time to read my blog.

If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the Live Community Blog area.

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,

Joe Delio

End of line

  • 10178 Views
  • 0 comments
  • 4 Likes
Register or Sign-in
Labels