Wall's Week - August 17th, 2018

by kwall00 a month ago - last edited a month ago by (1,833 Views)


PAN-OS 8.1.3 now available

This version is now available on the Support site. Since it has just released, it will take a few weeks before we have any metrics! The release notes may be found here:




Azure firewall – Update and blog site

Recently, Microsoft announced that the Azure Firewall is in public preview (beta). The Azure Firewall is a new, optional set of extra cost security features that would be deployed in conjunction with Azure Network Security Groups. Key capabilities include:

  • A stateful firewall as a service that provides outbound control over traffic based on port, protocol and fully qualified domain name (FQDN – i.e., www.github.com). 
  • Built-in high availability with unrestricted cloud scalability; fully integrated with Azure Monitor for logging and analytics.
  • Price based on each FW instance deployed + bandwidth consumed.

More info can be found here: https://azure.microsoft.com/en-us/services/azure-firewall/

Public facing blog: https://researchcenter.paloaltonetworks.com/2018/08/cloud-understanding-differences-azure-firewall-v...



Cyber Range

If you’re interested in participating in or learning more about our Cyber Range, visit here:


Red team, Blue team real-time exercises designed to sharpen your cyber skills on the Palo Alto Networks platform. Participate individually, with your team, or with other organizations (max of 12 people). Locations include:

  • Amsterdam, Netherlands
  • Sydney, Australia
  • Washington, D.C. / Reston area
  • Santa Clara, CA at Palo Alto Networks headquarters 


End-of-Sale and End-of-Life

As of August 1st, the following products are end-of-sale:

  • PA-5000 series firewall appliance
  • PA-7000 series network processing line cards

The end-of-sale date for these items will be January 31, 2019. They will continue to be supported of course (for 5 years), but will no longer be available for purchase. Going forward customers should purchase the newer PA-5200 series appliances which have more capacity at a similar cost as the PA-5000 series. The PA-7000 NPC line cards effected are the PA-7000-20G-NPC and PA-7000-20GQ-NPC. The remaining NPC cards are not effected (PA-7000-20GXM-NPC and PA-7000-20GQXM-NPC).


Also, in case you missed it, the PA-200, PA-500, and M-100 appliances were announced end-of-sale in May (with an EOS date of October 31, 2018). Newer hardware should be considered: PA-220, PA-800 series, and the M-200. More information may be found here:



Beta customers needed for next major release

Interested in testing the next major release (a.k.a. Kiev)? If you have a good understanding of PAN-OS, would like to test new features, and be willing to provide feedback – sign up here:


Note that the following devices are not supported in the beta: PA-200, PA-500, PA-5000, and M-100.


Security advisories

The following security advisories were announced earlier this week:

  • PAN-SA-2018-0009 – Cross-site scripting in GlobalProtect portal
    • Medium severity, fixed in PAN-OS 7.1.19, and 8.0.12
    • Note: PAN-OS 8.1 is NOT effected
  • PAN-SA-2018-0019 – Denial of service in PAN-OS management web interface
    • Low severity, fixed in 8.1.3
    • Note: PAN-OS 6.1, 7.1, and 8.0 are NOT effected

See more details here:




Sign-up for various updates

If you aren’t receiving updates from Palo Alto Networks and would like to, here are the steps:

  • Browse to https://support.paloaltonetworks.com/
  • In the upper-right-hand corner, select the drop-down on your name and select Preferences
  • Click the boxes where you would like to be notified and Save the changes


Unit-42 blog

If threat research if your ambition and you aren’t aware of our Unit-42 team, you should check it out.


This team takes on the task of dissecting various malware campaigns through all means available (reverse engineering, WildFire analysis, AutoFocus data, etc.) and reports back in blog format the IOC’s and other interesting data. Of course, their research also feeds back into WildFire so customers with that subscription are auto-inoculated ;-)



Considerations when upgrading to PAN-OS 8.1

If you have the need to upgrade to PAN-OS 8.1, like all new releases, be sure to read the upgrade/downgrade considerations before making plans. Here are the ones we know about:


In addition, there are ones I have heard from my customers:

  • Once upgraded, you may encounter an error when committing/pushing changes if you have multiple policies with the same name (i.e. one active, one disabled). Either remove or rename the duplicates.
  • If you have an Active-Active firewall pair, you now must include a Device-ID in the configuration. This was not required before, but is enforced now.


What’s new in PAN-OS 8.1

There are a lot of nice additions to your security arsenal in PAN-OS 8.1. Some of my favorites include:

  • SSL Decryption Broker
  • Rule usage counters (immensely useful)!
  • Separate App-ID installation parameters
  • HTTP header insertion
  • New SaaS application characteristics
  • Template/Template Stack/Device variables (simple, but brilliant)
  • Device health metrics

Click here for more information:


Ask Questions Get Answers Join the Live Community