Details: New App-IDs can cause a change in policy enforcement for traffic that is newly identified as belonging to a certain application. To mitigate any impact to security policy enforcement, you can use the new App-ID characteristic within the application filter in a security policy rule, so the rule always enforces the most recently introduced App-IDs without requiring you to make configuration changes when new App-IDs are installed.
New App-IDs are released monthly, so a policy rule that allows the latest App-IDs gives you time (or, if the firewall is not installing content updates on a schedule, until the next time you manually install content) to assess how newly categorized applications might impact security policy enforcement and make any necessary adjustments.
Apply a security rule that permits traffic for new App-IDs only. Create an application filter that selects new App-IDs only, or only the necessary new App-IDs, by filtering in the application filter. Apply this application filter to a security policy rule with the action set to "Allow." In the Apps and Threats content dynamic update settings, ensure that the "Disable new apps in content update" check box is not selected.
Details: Set the file size for script files to 20KB, so all script files that pass through the firewall are sent to WildFire for inspection. This file type is available in Apps and Threats content update 8101 and later, and is supported on PAN-OS version 8.1 and later.
Details: The firewalls consume memory and compute resources in generating the predefined report results hourly (and forwarding them to Panorama, where they are aggregated and compiled for viewing). To reduce memory usage, you can disable the reports that are not relevant to you.
Before disabling a report, verify that there isn’t a "Group Report" or a "PDF Summary Report" feature using it. If you disable a predefined report assigned to a set of reports, the entire set of reports will have no data.
Details: The Center for Internet Security released Critical Security Controls (CSC) version 7. Until now, the Best Practice Assessment report covered CSC version 6. With this release, we have updated our Best Practice checks to align with CSC version 7.
The BPA Summary in the BPA report now shows Best Practice checks aligned with CSC version 7. In the failed Best Practice spreadsheet, we provide both CSC version 6 and CSC version 7, so you can refer to v6 details as needed.
Details: On PAN-OS versions 8.1 and later, when referencing template stacks, the label in the BPA report referred to a template. This has been corrected, and the report now shows the right label.
Details: In the Heatmap component "Rule Detail" tab, when you click a filter drop-down to select from the available options, the option "any" now appears at the top so that it is easy to select.
Details: In the Heatmap Summary view, we have Decryption Summary details. Here we also indicate whether any URL categories are exempted from decryption rules. There was a bug where we used to show "any" as a category. With this update, we only show URL categories that are exempted.
Details: A minor update was made to correct a label and display on the PDF chart in the PDF summary report.