PAN-OS 9.0 Release Features: Networking and Virtualization
We are happy to announce the release of PAN-OS version 9.0. In this blog I cover the new Networking and Virtualization features included in PAN-OS 9.0. I grouped these two areas together because many of the features are related.
There are a lot of new changes and additions, so I will dive right in and give a highlight of each new Networking and Virtualization feature.
Here are the New Networking features in PAN-OS 9.0:
NEW NETWORKING FEATURES
Security Group Tag (SGT) EtherType Support
PAN-OS 9.0 adds support for Cisco TrustSec Security Group Tags (SGTs) carried in the frame header. The firewall can now sit at Layer 2 in a Cisco TrustSec network, or at Layer 3 as long as it is deployed between two SGT Exchange Protocol (SXP) peers, and inspect the SGT-tagged traffic.
The firewall does not use the SGT as policy match criteria, so you can continue to define SGT-based policies on your Cisco devices exactly as before. No configuration change is needed on the firewall; SGT-tagged traffic is processed by default.
FQDN Refresh Based on DNS TTL
Cloud applications change the IP addresses behind their FQDNs frequently, so PAN-OS 9.0 can now refresh cached FQDN entries according to the TTL in the DNS response instead of on a fixed schedule. A configurable minimum refresh time puts a floor on how often the firewall refreshes the cache when TTLs are very short. The firewall can also keep using a cached entry for a period when the DNS server is unreachable, for example during a network failure, so policy that references the FQDN does not suddenly stop matching.
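To make the interaction between the three timers concrete, here is a small model of a TTL-driven FQDN cache with a minimum refresh interval and a stale-entry grace period. This is an added example written for this post, not PAN-OS code; the parameter names (`min_refresh`, `stale_timeout`), their defaults and the resolver interface are assumptions, and the DNS answers are constructed. The walk-through shows a 10 s TTL being held to a 30 s minimum refresh, an address change being picked up on the next refresh, and the stale answer surviving a DNS outage until the grace period runs out.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class DnsUnreachable(Exception):
    """Raised by the resolver stand-in when the DNS server cannot be reached."""


@dataclass
class Entry:
    addresses: List[str]
    ttl: int            # seconds, from the DNS answer
    resolved_at: float  # when the answer was received


@dataclass
class FqdnCache:
    """TTL-driven FQDN cache with a minimum refresh interval and a stale grace period.
    Illustrative model written for this post, not PAN-OS code; the parameter names and
    defaults are assumptions."""
    resolver: Callable[[str], Tuple[Sequence[str], int]]   # returns (addresses, ttl)
    min_refresh: int = 30           # seconds: floor on how often a name is re-queried
    stale_timeout: int = 3600       # seconds: how long an unrefreshable answer stays usable
    entries: Dict[str, Entry] = field(default_factory=dict)

    def _refresh_due(self, e: Entry) -> float:
        # Honour the TTL, but never refresh more often than min_refresh allows.
        return e.resolved_at + max(e.ttl, self.min_refresh)

    def lookup(self, name: str, now: float) -> Optional[List[str]]:
        e = self.entries.get(name)
        if e is not None and now < self._refresh_due(e):
            return e.addresses                               # still fresh: serve from cache
        try:
            addrs, ttl = self.resolver(name)
        except DnsUnreachable:
            if e is not None and now < e.resolved_at + self.stale_timeout:
                return e.addresses                           # DNS down: keep using the stale answer
            self.entries.pop(name, None)                     # stale too long: stop matching
            return None
        self.entries[name] = Entry(list(addrs), ttl, now)
        return self.entries[name].addresses


class ScriptedResolver:
    """Stand-in for a DNS client that replays constructed answers in order."""
    def __init__(self, script):
        self.script = list(script)
        self.queries = 0

    def __call__(self, name: str):
        self.queries += 1
        step = self.script.pop(0)
        if step == "unreachable":
            raise DnsUnreachable(name)
        return step


def demo():
    """Walk one cloud FQDN through a 10 s TTL, an address change and a DNS outage."""
    resolver = ScriptedResolver([
        (["203.0.113.10"], 10),   # constructed answer 1
        (["203.0.113.11"], 10),   # constructed answer 2: the service moved
        "unreachable",            # DNS server unreachable from here on
        "unreachable",
    ])
    cache = FqdnCache(resolver, min_refresh=30, stale_timeout=120)
    seen = [(now, cache.lookup("app.example.com", now)) for now in (0, 10, 30, 60, 200)]
    return seen, resolver.queries


if __name__ == "__main__":
    for now, addrs in demo()[0]:
        print(f"t={now:>3}s -> {addrs}")
```

At t=10 the TTL has already expired but the 30 s minimum keeps the old answer; at t=30 the refresh picks up the new address; at t=60 DNS is down and the stale answer is still served; by t=200 the 120 s grace period has passed and the name no longer resolves, which is the point at which FQDN-based rules would stop matching.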
GRE Tunnel Support
Cloud services and the networks around them often use GRE tunnels for point-to-point connectivity, so the firewall can now terminate a GRE tunnel itself. As a GRE endpoint it inspects and enforces Security policy on the traffic inside the tunnel as well as on non-tunneled traffic. GRE over IPSec is also supported, for interoperability with other vendors' implementations that encrypt GRE inside IPSec.
Wildcard Address Support in Security Rules
Wildcard Address Support lets you define IPv4 addresses with a wildcard mask and use them as sources and destinations in Security policy rules. One wildcard address can stand in for a large number of address objects and individual IP addresses, which keeps policy smaller and more flexible. Review what a wildcard mask actually matches before you commit it: a mask with scattered bits can cover hosts you did not intend to include.
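The matcher below, an added example for this post rather than PAN-OS code, implements the usual wildcard-mask convention (a 0 bit in the mask must match the address bit, a 1 bit is ignored) and includes the audit step a rule author wants: enumerate or count exactly which addresses a wildcard covers. The addresses and masks are constructed; the "same host in eight consecutive /24s" case is the one a single wildcard object replaces eight address objects for.

```python
from ipaddress import IPv4Address
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """Split 'address/wildcard-mask' (e.g. '10.1.0.5/0.0.7.0') into two 32-bit ints."""
    addr, mask = spec.split("/")
    return int(IPv4Address(addr)), int(IPv4Address(mask))


def matches(spec: str, ip: str) -> bool:
    """Wildcard-mask test: a 0 bit in the mask must match the address bit, a 1 bit is ignored."""
    addr, mask = parse_wildcard(spec)
    keep = ~mask & MASK32                       # bits that must match exactly
    return (int(IPv4Address(ip)) & keep) == (addr & keep)


def match_count(spec: str) -> int:
    """Number of addresses a wildcard covers: 2 ** (number of 1 bits in the mask)."""
    _, mask = parse_wildcard(spec)
    return 1 << bin(mask).count("1")


def expand(spec: str, limit: int = 4096) -> List[str]:
    """Enumerate every address the wildcard matches, so a rule author can review
    exactly what a non-contiguous mask lets through before using it in policy."""
    addr, mask = parse_wildcard(spec)
    count = match_count(spec)
    if count > limit:
        raise ValueError(f"{spec} matches {count} addresses; raise limit to enumerate")
    wild_positions = [b for b in range(32) if (mask >> b) & 1]
    base = addr & ~mask & MASK32
    out = []
    for combo in range(count):
        value = base
        for i, bit in enumerate(wild_positions):
            if (combo >> i) & 1:
                value |= 1 << bit
        out.append(value)
    return [str(IPv4Address(v)) for v in sorted(out)]


if __name__ == "__main__":
    # Constructed example: the same management host (.5) in eight consecutive /24s.
    spec = "10.1.0.5/0.0.7.0"
    print(expand(spec))                           # 10.1.0.5 ... 10.1.7.5
    print(matches(spec, "10.1.3.5"), matches(spec, "10.1.8.5"), matches(spec, "10.1.3.6"))
    # A mask with scattered bits matches more than it looks like; count before you commit.
    print(match_count("10.1.0.0/0.0.255.7"))      # 2048 hosts
```

`expand` is the review tool: run it on any wildcard before it goes into a rule and confirm the list is what you meant. `match_count` is the cheap version of the same check for masks with too many wildcard bits to list.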
Hostname Option for DHCP Clients
The Hostname option for DHCP clients lets you assign a hostname to a firewall interface that is a DHCP client and send that hostname to the DHCP server, which can then manage the hostname-to-dynamic-IP-address mapping automatically.
FQDN Support for Static Route Next Hop, PBF Next Hop, and BGP Peer
Using FQDNs reduces the complexity of configuring and managing a firewall. You can now configure an FQDN or an FQDN address object as a static route next hop, as a PBF next hop, and as a BGP peer address. This simplifies provisioning because you no longer need to hard-code static IP addresses for these functions, and because an FQDN can resolve differently by location, the same configuration can point at the right next hop or peer for each deployment.
Dynamic DNS (DDNS) Support
Whether you need remote access to the firewall or host services behind it, the firewall can now register its IPv4 and IPv6 address changes automatically with a Dynamic DNS (DDNS) provider whenever the DHCP-assigned address of an interface changes. The following five DDNS providers are currently supported:
Advanced Session Distribution Algorithms for Destination NAT
To make Destination NAT more useful when translating to a pool of addresses, the following session distribution methods have been added: source IP hash, IP modulo, IP hash, and least sessions. You can now choose the method that fits the use case, for example a source IP hash when each client needs to keep landing on the same server.
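The following model, an added example for this post and not PAN-OS code, implements the four new distribution methods alongside round robin so their behaviour can be compared on constructed flows. Exactly which packet fields PAN-OS feeds into its hashes is not stated in this post, so the inputs used here (source IP alone for source IP hash; source IP, destination IP and source port for IP hash; source XOR destination for IP modulo) are assumptions, as are the pool and client addresses.

```python
import hashlib
from collections import Counter
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class DnatPool:
    """Pool of translated destination addresses with a selectable session
    distribution method. Illustrative model written for this post, not PAN-OS
    code: which fields PAN-OS feeds into its hashes is an assumption here."""

    def __init__(self, members: List[str], method: str):
        self.members = members
        self.method = method
        self.rr_next = 0
        self.active: Counter = Counter({m: 0 for m in members})

    @staticmethod
    def _hash(*parts: object) -> int:
        data = "|".join(str(p) for p in parts).encode()
        return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

    def pick(self, flow: Flow) -> str:
        """Choose the pool member for a new session and count it as active."""
        src, sport, dst, _dport = flow
        n = len(self.members)
        if self.method == "round-robin":            # rotate through the members
            member = self.members[self.rr_next % n]
            self.rr_next += 1
        elif self.method == "source-ip-hash":       # same client always lands on the same member
            member = self.members[self._hash(src) % n]
        elif self.method == "ip-modulo":            # (src XOR dst) mod pool size
            member = self.members[(int(IPv4Address(src)) ^ int(IPv4Address(dst))) % n]
        elif self.method == "ip-hash":              # hash of src, dst and source port (assumed inputs)
            member = self.members[self._hash(src, dst, sport) % n]
        elif self.method == "least-sessions":       # member with the fewest active sessions
            member = min(self.members, key=lambda m: self.active[m])
        else:
            raise ValueError(f"unknown distribution method {self.method!r}")
        self.active[member] += 1
        return member

    def end(self, member: str) -> None:
        """Session on `member` closed; only least-sessions cares."""
        self.active[member] -= 1


def demo() -> Dict[str, object]:
    members = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    vip = "198.51.100.20"
    # Constructed client flows to the public VIP (not captured traffic).
    clients = [f"192.0.2.{i}" for i in range(10, 16)]
    flows: List[Flow] = [(c, 40000 + i, vip, 443) for i, c in enumerate(clients)]
    out: Dict[str, object] = {}

    rr = DnatPool(members, "round-robin")
    out["round-robin"] = dict(Counter(rr.pick(f) for f in flows))      # two sessions each

    sticky = DnatPool(members, "source-ip-hash")
    a = sticky.pick(("192.0.2.10", 50001, vip, 443))
    b = sticky.pick(("192.0.2.10", 50002, vip, 443))                 # new port, same client
    out["same-client-same-member"] = a == b

    modulo = DnatPool(members, "ip-modulo")
    out["ip-modulo"] = modulo.pick(flows[0])

    least = DnatPool(members, "least-sessions")
    first_three = [least.pick(f) for f in flows[:3]]                 # one session per member
    least.end(first_three[1])                                        # middle member frees up
    out["least-sessions-next"] = least.pick(flows[3])                # goes to the idle member
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two behaviours worth noticing are that a source IP hash gives per-client persistence without any state on the firewall, while least sessions needs session-end accounting to work at all, which is why it is the method that reacts to a member going idle.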
Tunnel Content Inspection for VXLAN
Tunnel Content Inspection policy can now inspect traffic carried inside a VXLAN tunnel when you use VXLAN as a transport overlay. This gives you visibility into VXLAN traffic and lets you control it with Security policy, without making network changes or terminating the tunnel.
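Both the GRE and the VXLAN features above come down to the same operation: look past the outer IP header, step over the encapsulation header, and recover the inner 5-tuple that policy should match on. The decapsulator below is an added example for this post, not PAN-OS code; it parses the standard GRE (RFC 2784/2890, with the optional checksum, key and sequence fields) and VXLAN (UDP 4789, I flag, 24-bit VNI) headers, and the two sample packets are constructed in code rather than captured. Outer-header-only inspection would see nothing but a GRE or UDP/4789 flow between tunnel endpoints; the inner 5-tuple is what makes policy on the tunneled traffic possible.

```python
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

GRE_PROTO, TCP_PROTO, UDP_PROTO = 47, 6, 17
VXLAN_PORT = 4789
ETHERTYPE_IPV4 = 0x0800


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options; checksum left zero) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:]


def five_tuple(pkt: bytes) -> Dict[str, object]:
    """Source, destination, protocol and (for TCP/UDP) ports: the fields policy matches on."""
    src, dst, proto, payload = parse_ipv4(pkt)
    sport, dport = struct.unpack("!HH", payload[:4]) if proto in (TCP_PROTO, UDP_PROTO) else (None, None)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def decapsulate(pkt: bytes) -> Dict[str, object]:
    """Return the outer 5-tuple and, when the packet is GRE or VXLAN, the inner one."""
    outer = five_tuple(pkt)
    _, _, proto, payload = parse_ipv4(pkt)
    encap: Optional[str] = None
    inner: Optional[bytes] = None
    if proto == GRE_PROTO:
        flags_ver, ptype = struct.unpack("!HH", payload[:4])
        if flags_ver & 0x0007:                     # only GRE version 0 (RFC 2784/2890)
            raise ValueError("unsupported GRE version")
        off = 4
        if flags_ver & 0x8000: off += 4            # C: checksum + reserved1
        if flags_ver & 0x2000: off += 4            # K: key
        if flags_ver & 0x1000: off += 4            # S: sequence number
        if ptype == ETHERTYPE_IPV4:
            encap, inner = "gre", payload[off:]
    elif proto == UDP_PROTO and outer["dport"] == VXLAN_PORT:
        vx = payload[8:16]                         # VXLAN header follows the 8-byte UDP header
        vni = int.from_bytes(vx[4:7], "big")
        if vx[0] & 0x08:                           # I flag: VNI field is valid
            eth = payload[16:]                     # inner Ethernet frame
            if struct.unpack("!H", eth[12:14])[0] == ETHERTYPE_IPV4:
                encap, inner = f"vxlan vni {vni}", eth[14:]
    return {"outer": outer, "encap": encap,
            "inner": five_tuple(inner) if inner is not None else None}


def samples() -> Dict[str, bytes]:
    """Constructed packets, not captured traffic: one GRE (with a key) and one VXLAN."""
    inner = ipv4("10.1.1.10", "10.2.2.20", TCP_PROTO, struct.pack("!HH", 51000, 443) + b"\x00" * 16)
    gre = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 1234) + inner     # K bit set, key 1234
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    vx = bytes([0x08, 0, 0, 0]) + (5001).to_bytes(3, "big") + b"\x00" + eth + inner
    udp = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vx), 0) + vx
    return {"gre": ipv4("192.0.2.1", "198.51.100.1", GRE_PROTO, gre),
            "vxlan": ipv4("192.0.2.2", "198.51.100.2", UDP_PROTO, udp)}


if __name__ == "__main__":
    for name, pkt in samples().items():
        result = decapsulate(pkt)
        print(name, "outer:", result["outer"])
        print(name, "inner via", result["encap"], ":", result["inner"])
```

Note the GRE offset arithmetic: a GRE tunnel that sets the key or sequence flags has a longer header, and a decapsulator that assumes the 4-byte minimum would read the inner IP header from the wrong place and match policy against garbage. The VXLAN branch keys off the I flag and the well-known UDP port; the VNI is carried along so that policy can distinguish overlays that share the same underlay endpoints.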
LACP and LLDP Pre-Negotiation on an HA Passive Firewall
LACP and LLDP negotiation on a newly active firewall adds to failover time, so an HA firewall can now pre-negotiate LACP and LLDP while it is still passive. This capability was previously limited to a few firewall models and has now been extended to the following models:
Here are the New Virtualization features in PAN-OS 9.0:
NEW VIRTUALIZATION FEATURES
VM-Series on AWS—Support for C5 and M5 Instance Types with ENA
The VM-Series firewall on AWS now supports the C5 and M5 instance types, which use the Elastic Network Adapter (ENA). This lets you deploy the VM-Series firewall in every region that offers C5/M5 instances, including newer AWS regions such as Paris that only offer the newer instance types.
VM-Series Plugin
A new VM-Series plugin lets Palo Alto Networks deliver cloud features and updates to VM-Series firewalls, including integrations with new cloud platforms or hypervisors, independently of a PAN-OS release. The plugin also manages the interactions between the VM-Series firewalls and the supported public and private cloud deployments.
The plugin is digitally signed by Palo Alto Networks and is installed and updated through the same signed-update mechanism as PAN-OS software and dynamic content updates.
Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV)
Support for higher throughput has been added for VM-Series firewalls deployed on the D/DSv2 and D/DSv3 classes of Azure VMs, including Azure Accelerated Networking (SR-IOV). You can deploy these as an active/passive HA pair or in a scale-out deployment behind Azure load balancers.
For the full list of new PAN-OS 9.0 features, with links to the Release Notes, getting-started information for each feature, and instructions for upgrading to PAN-OS 9.0, please see the new features guide here: