NEW Features in PAN-OS 9.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L7 Applicator
No ratings

New Features in PAN-OS SD-WAN and moreNew Features in PAN-OS SD-WAN and more

Palo Alto Networks released PAN-OS 9.1 with new features for SD-WAN, App-ID, User-ID, Panorama, GlobalProtect, Virtualization, and changes in default behavior for PAN-OS 9.1. Find out how these new features can help increase your security posture. 

 

 

You may have seen my blog last week talking about Secure SD-WAN and New PAN-OS 9.1

 

Well, PAN-OS 9.1 has been released!

 

There are a lot of parts to this, so please bear with me.

First are the new features, and then I'll go through the changes to the default behavior.

 

PAN-OS 9.1 New Features


As I just mentioned, SD-WAN (Software Defined-Wide Area Network) is the newest features of PAN-OS 9.1, and it's also a very exciting part. There are also the new App-ID, Panorama, User-ID, GlobalProtect, and some new Virtualization features that have been added. Let's dive in and see what's new here.

 

New SD-WAN Features

With PAN-OS 9.1, you will have SD-WAN capabilities to use multiple ISP links to ensure application performance and capacity scaling.

 

Key features of the SD-WAN implementation include:*

NEW SD-WAN FEATURE DESCRIPTION
Centralized Configuration Management Leverage Panorama to manage your SD-WAN configuration for hub and branch locations. This will enable you to reuse configurations across locations, reducing management requirements and operational overhead for your deployment.
Automatic VPN Topology Creation VPN clusters simplify the creation of complex VPN topologies using logical groupings of branches and hubs to accelerate the configuration and deployment of secure communications between all locations.
Traffic Distribution Take advantage of multiple ISP links to scale capacity and reduce costs. Path selection and brownout and blackout detection are per application to ensure the best performance and user experience for critical business applications. By default, you can achieve sub-second failover between paths, ensuring the best possible performance of applications.
Monitoring and Troubleshooting Panorama provides complete operational awareness into your SD-WAN environment, including application performance, link performance, and path health using historical trend analysis tools.

*- Information adopted from the following page on TechDocs: SD-WAN Features Guide.

 

App-ID Features

The following App-ID features have been added:*

NEW APP-ID FEATURE DESCRIPTION
Streamlined Application-Based Policy You can now safely enable a broad set of applications with common attributes using a single policy rule. For example, you can enable broad access for your users to web-based applications using the Web App tag in an application filter, or safely enable all enterprise VoIP applications using the Enterprise VoIP tag. Palo Alto Networks researches new and updated applications, groups those with common attributes, and delivers this through tags in content releases. This update will help with the following:

 

  • Minimizes errors and saves time
  • Helps you create policy rules that automatically update to safely enable newly released applications
  • Simplifies the transition toward an App-ID based rule set using Policy Optimizer

You can also apply your own tags and create application filters based on those tags to address your own application security requirements.

Simplified Application Dependency Workflows You now have simplified workflows to find and manage application dependencies.
  • You can see and address application dependencies immediately in the Application tab as you create a new security policy rule or add new applications to an existing rule.
  • Commits provide another checkpoint for dependencies. When a policy rule does not include all application dependencies, you can directly access the associated security policy rule from the commit dialog to add the required applications.

*- Information adopted from the following page on TechDocs: PAN-OS 9.1 App-ID Features Guide.

 

Panorama Features

The following Panorama features have been added in PAN-OS 9.1:*

NEW PANORAMA FEATURE DESCRIPTION
Automatic Panorama Connection Recovery To ensure that you do not commit a configuration change that inadvertently causes the firewall to lose connectivity to Panorama, PAN-OS 9.1 can automatically revert the Panorama and firewall configuration to the previous running configuration. For example, if you perform configuration changes to the service routes, and as a result the change blocks traffic from the firewall to Panorama, the firewall’s hourly connectivity checks can trigger Automatic Panorama Connection Recovery to revert the configuration back to the last running configuration to restore the connection to Panorama. This recovery ensures that a configuration change will not cause a loss in productivity or require you to physically access the firewall.

*- Information adopted from the following page on TechDocs: PAN-OS 9.1 Panorama features guide.

 

User-ID Features

The following new User-ID features have been added:*

NEW USER-ID FEATURE DESCRIPTION
Include Username in HTTP Header Insertion Entries Allows the firewall to relay a user’s identity when they are accessing your network through secondary security appliances that are connected to your Palo Alto Networks firewall. You can configure your firewall to include the username in the HTTP header so that other security appliances in your network can identify the user without additional infrastructure (such as proxies used to insert the username). This simplifies deployment, reduces page-load latency, and eliminates multiple authentications for users.
Dynamic User Groups You can now use tags to dynamically group users and automate security, decryption, or authentication actions for the group based on user behavior (such as downloading risky software). You can gather information from security sources such as Cortex XDR, User and Entity Behavior Analytics (UEBA), or Security Information and Event Management (SIEM) and use that data to determine a user’s risk level. By using these sources to gain a more comprehensive view of the user’s risk level than provided by directory attributes, the firewall can now interpret user and device information to define user groups that mitigate threats and vulnerabilities regardless of the user’s device or location. These tag-based groups can also provide temporary access for users who need temporary privilege escalation to fix an issue on a production system they wouldn’t normally have access to without requiring you to create rules or modify directories.

*- Information adopted from the following page on TechDocs: PAN-OS 9.1 User-ID Features Guide.

 

GlobalProtect Features

The following table describes new GlobalProtect features introduced in PAN-OS 9.1.

For features related to the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.*

NEW GLOBALPROTECT FEATURE DESCRIPTION
Enhanced Logging for GlobalProtect To help you monitor and troubleshoot issues with your GlobalProtect deployment, PAN-OS now provides the following logging enhancements:
  • GlobalProtect Activity charts and graphs on the ACC – Displays a graphical representation of activity in your GlobalProtect deployment. Information includes the number of users and number of times users connected, the gateways to which users connected, the number of connection failures (and failure reason), a summary of authentication methods and GlobalProtect app versions used, and the number of endpoints that are quarantined.
  • New GlobalProtect Log table – Displays GlobalProtect connection logs all in one place. Easily view all GlobalProtect events without using complex queries to identify GlobalProtect specific events, troubleshoot connection and performance issues, and identify the gateways to which users connect.
  • Log Forwarding of GlobalProtect logs – You can now customize the log storage and Log Forwarding profiles for GlobalProtect and forward logs to a third-party receiver or ticketing system.
  • Custom reports for GlobalProtect – You can now run custom reports on detailed logs for GlobalProtect. You can use predefined templates or create your custom reports from scratch.
These features are available for any Palo Alto Networks next-generation firewall deployed as a GlobalProtect gateway or portal.

*- Information adopted from the following page on TechDocs: PAN-OS 9.1 GlobalProtect Features Guide.

 

Virtualization Features

NOTE: When it comes to Virtualization and PAN-OS 9.1, one very important note is that the VM-Series firewall running PAN-OS 9.1 requires the VM-Series plugin 1.0.8.

 

NEW VIRTUALIZATION FEATURES DESCRIPTION
East-West Traffic Inspection with VM-Series Firewall on VMware NSX-T You can now integrate the VM-Series firewall with VMware NSX-T to provide comprehensive visibility and safe application enablement of all east-west traffic in your NSX-T deployment. When you deploy the VM-Series firewall as part of a service chain in a Host Based (per ESXi host) or Clustered (as part of an ESXi service cluster) NSX-T managed cloud environment, you can inspect and secure lateral traffic between virtual machines in the data center and implement micro-segmentation.
Performance Improvements for C5/M5 Instances on AWS VM-Series firewalls deployed on C5 or M5 instances on AWS that use the Elastic Network Adapter (ENA), now support DPDK. With DPDK, VM-Series firewalls provide higher throughput performance for use cases in manual or managed firewall deployments and elastic scale out deployments. The range of instance sizes in the C5 or M5 instance family that support these use cases include 5.xlarge to m5.4xlarge, and c5.18xlarge. DPDK is disabled by default on the VM-Series on AWS, and you must enable it upon upgrade.
Support for DPDK on Cisco ENCS For faster packet processing, the VM-Series firewall running on Cisco Enterprise Network Compute System (ENCS) supports DPDK on Cisco 5400 ENCS appliances with the NFVIS 3.10.x and 3.12.x.
Support for DPDK on VM-Series on Azure DPDK support for VM-Series firewall instances on Azure with Azure Accelerated Networking (AN) enables higher throughput. This is achieved with a design change for efficiently processing packets as they pass from the Azure network fabric to the VM-Series firewall.

*- Information adopted from the following page on TechDocs: PAN-OS 9.1 Virtualization Features Guide.

 

Changes in Default Behavior

So, we now have a new version of PAN-OS. What kind of changes do you need to know about before upgrading to PAN-OS 9.1?

Here are the new changes in default behavior for PAN-OS 9.1: *

FEATURE CHANGE
URL Filtering BrightCloud Support With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license).
Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
PAN-OS REST API request parameters and error responses
  • The REST API methods now accept the API key only through a custom HTTP header and no longer as a query parameter. To authenticate your REST API request to the firewall or Panorama, use the custom HTTP header X-PAN-Key: <key> to include the API key in the HTTP header. This change applies only to the REST API; the XML API is unchanged.
  • The REST API methods now implement both rename and move with custom HTTP mappings instead of action query parameters. Examples of the new and previous conventions are below.

    - New convention: POST /restapi/<version>/objects/addresses:rename

    - Replaces: POST /restapi/<version>/objects/addresses?action=rename

     

    Move a security policy rule:

    - New convention: POST /restapi/<version>/policies/securityrules:move

    - Replaces: POST /restapi/<version>/policies/securityrules?action=move

  • There is a new error response format for all REST API methods. This new format offers consistent and reliable error reporting that includes both human-readable messages and parsable error codes. The format includes overall request status, product-specific error codes, and details that will give the caller the maximum amount of data available if an error does occur.
  • The REST API URIs now denote version with a v prefix for versions 9.1 and beyond. Examples of the new and previous conventions are below:

    - New convention: GET /restapi/v9.1/objects/addresses

    - Replaces: GET /restapi/9.0/objects/addresses

URL Category Lookup Timeout Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five.

Also, you can now adjust this timeout in the web interface by navigating to Device > Setup > Content-ID and changing the value for Category lookup timeout.

Web Interface Configuration to Hold Web Requests During URL Category Lookups

The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to Device > Setup > Content-ID and checking the box next to Hold client request for category lookup.

GlobalProtect Host Information On the ACC, the GlobalProtect Host Information widget under the Network Activity tab is now renamed HIP Information.

*- Information adopted from the following page on TechDocs: PAN-OS 9.1 Changes to Default Behavior Guide.

 

More Info

For additional information about all of the new features included with PAN-OS 9.1 and a video about SD-WAN, please see the

PAN-OS® New Features Guide.

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the LIVEcommunity Blog area.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

Rate this article:
(1)
Comments
L1 Bithead

Hi,

there is a feedback from paloalto users that after the upgrade to 9.1 it is not more possible to commit configuration changes if there are more than one IKE profile used on the same interface. But I cannot find it in the release notes.

L0 Member

Hi,

 

Plugin vmware_nsx-2.0.6 is not compatible to the new software version.Please upgrade the plugin to 3.0.0 before Software Upgrade.

 

I am getting above error and i am not release notes for plugin 3.0.0 in software updates 

please help me out

L7 Applicator

@SivaKumar_Kali  I am sorry to hear about this error message.  You are getting this for PAN-OS 9.1 inside VMWARE?

 

@ppk_vs I have not heard of that issue with PAN-OS 9.1, I would recommend posting in the General Topics discussion area first or contacting support if you have not already.

  • 12798 Views
  • 3 comments
  • 5 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎01-29-2020 01:54 PM
Updated by:
Retired Member