Palo Alto Networks released PAN-OS 9.1 with new features for SD-WAN, App-ID, User-ID, Panorama, GlobalProtect, Virtualization, and changes in default behavior for PAN-OS 9.1. Find out how these new features can help increase your security posture.
There are a lot of parts to this, so please bear with me.
First are the new features, and then I'll go through the changes to the default behavior.
PAN-OS 9.1 New Features
As I just mentioned, SD-WAN (Software-Defined Wide Area Network) is the newest feature in PAN-OS 9.1, and it's also a very exciting one. There are also new App-ID, Panorama, User-ID, GlobalProtect, and Virtualization features. Let's dive in and see what's new.
New SD-WAN Features
With PAN-OS 9.1, you will have SD-WAN capabilities to use multiple ISP links to ensure application performance and capacity scaling.
Key features of the SD-WAN implementation include:
Centralized Configuration Management
Leverage Panorama to manage your SD-WAN configuration for hub and branch locations. This will enable you to reuse configurations across locations, reducing management requirements and operational overhead for your deployment.
Automatic VPN Topology Creation
VPN clusters simplify the creation of complex VPN topologies using logical groupings of branches and hubs to accelerate the configuration and deployment of secure communications between all locations.
Take advantage of multiple ISP links to scale capacity and reduce costs. Path selection and brownout and blackout detection are per application to ensure the best performance and user experience for critical business applications. By default, you can achieve sub-second failover between paths, ensuring the best possible performance of applications.
Monitoring and Troubleshooting
Panorama provides complete operational awareness into your SD-WAN environment, including application performance, link performance, and path health using historical trend analysis tools.
New App-ID Features
You can now safely enable a broad set of applications with common attributes using a single policy rule. For example, you can enable broad access for your users to web-based applications using the Web App tag in an application filter, or safely enable all enterprise VoIP applications using the Enterprise VoIP tag. Palo Alto Networks researches new and updated applications, groups those with common attributes, and delivers the groupings as tags in content releases. Tag-based application filters help in the following ways:
- Minimize errors and save time
- Let you create policy rules that automatically update to safely enable newly released applications
- Simplify the transition toward an App-ID based rule set using Policy Optimizer
You can also apply your own tags and create application filters based on those tags to address your own application security requirements.
Simplified Application Dependency Workflows
You now have simplified workflows to find and manage application dependencies.
You can see and address application dependencies immediately in the Application tab as you create a new security policy rule or add new applications to an existing rule.
Commits provide another checkpoint for dependencies. When a policy rule does not include all application dependencies, you can directly access the associated security policy rule from the commit dialog to add the required applications.
The following Panorama features have been added in PAN-OS 9.1:
Automatic Panorama Connection Recovery
To ensure that you do not commit a configuration change that inadvertently causes the firewall to lose connectivity to Panorama, PAN-OS 9.1 can automatically revert the Panorama and firewall configuration to the previous running configuration. For example, if you perform configuration changes to the service routes, and as a result the change blocks traffic from the firewall to Panorama, the firewall’s hourly connectivity checks can trigger Automatic Panorama Connection Recovery to revert the configuration back to the last running configuration to restore the connection to Panorama. This recovery ensures that a configuration change will not cause a loss in productivity or require you to physically access the firewall.
The following new User-ID features have been added:
Include Username in HTTP Header Insertion Entries
Allows the firewall to relay a user's identity to secondary security appliances that sit behind your Palo Alto Networks firewall. You can configure the firewall to include the username in an HTTP header so that other security appliances in your network can identify the user without additional infrastructure (such as proxies used to insert the username). This simplifies deployment, reduces page-load latency, and eliminates repeated authentication prompts for users. One caveat: the receiving appliance should treat that header as trustworthy only for traffic that is guaranteed to have traversed the firewall, because a client that reaches the appliance by any other path can set the same header itself.
Dynamic User Groups
You can now use tags to dynamically group users and automate security, decryption, or authentication actions for the group based on user behavior (such as downloading risky software). You can gather information from security sources such as Cortex XDR, User and Entity Behavior Analytics (UEBA), or Security Information and Event Management (SIEM) and use that data to determine a user's risk level. Because these sources give a more comprehensive view of risk than directory attributes alone, the firewall can now combine user and device information into groups that mitigate threats regardless of the user's device or location. The same tag-based groups can also grant temporary access: a user who needs short-lived elevated privileges to fix an issue on a production system can be tagged into a group for a limited time, without you creating new rules or modifying the directory.
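As an added example (not code from this page or from Palo Alto Networks), here is how an automation script fed by a SIEM or UEBA verdict would tag a user so that a dynamic user group picks them up, using the User-ID XML API's register-user message. The firewall host, API key, username and tag names are placeholders; the message layout follows the User-ID XML API as I know it, including the per-tag timeout attribute that makes temporary access expire on its own, so confirm the exact schema against the API reference for your version before relying on it.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Placeholder firewall address and API key (assumptions for this example).
FIREWALL_HOST = "firewall.example.internal"
API_KEY = "REPLACE_WITH_YOUR_API_KEY"


def build_uid_message(user, tags, action="register-user", timeout=None):
    """Build a User-ID XML API message that tags (or untags) a user.

    action is "register-user" to add tags or "unregister-user" to remove them.
    timeout (seconds) makes each tag expire on its own, which is what you want
    for temporary access: nobody has to remember to revoke it later.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    op = ET.SubElement(payload, action)
    entry = ET.SubElement(op, "entry", user=user)
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        member = ET.SubElement(tag_el, "member")
        member.text = tag
        if timeout is not None and action == "register-user":
            member.set("timeout", str(timeout))
    return ET.tostring(root, encoding="unicode")


def tags_in_message(xml_text):
    """Parse a uid-message back into {user: [tags]} so a caller can verify what it built."""
    root = ET.fromstring(xml_text)
    return {e.get("user"): [m.text for m in e.iter("member")] for e in root.iter("entry")}


def send_uid_message(xml_text, host=FIREWALL_HOST, api_key=API_KEY):
    """POST the message to the XML API endpoint with type=user-id.

    The key travels in the POST body rather than the URL so it is not written to
    proxy or web-server access logs. Not invoked here: this block runs offline.
    """
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed scenario: a SIEM rule flagged this user for downloading risky software.
    # The tag lapses after one hour, so the restrictive policy lifts automatically.
    print(build_uid_message("example\\jdoe", ["risky-download"], timeout=3600))
```

A security policy rule that references a dynamic user group matching the risky-download tag then applies to the user the moment the message is accepted, with no commit required; the unregister-user form, or the timeout, takes them out again.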
New GlobalProtect Features
To help you monitor and troubleshoot issues with your GlobalProtect deployment, PAN-OS now provides the following logging enhancements:
- GlobalProtect Activity charts and graphs on the ACC: a graphical representation of activity in your GlobalProtect deployment, including the number of users and number of times users connected, the gateways to which users connected, the number of connection failures (and failure reason), a summary of authentication methods and GlobalProtect app versions used, and the number of endpoints that are quarantined.
- New GlobalProtect Log table: all GlobalProtect connection logs in one place. You can view GlobalProtect events without writing complex queries to isolate them, troubleshoot connection and performance issues, and identify the gateways to which users connect.
- Log Forwarding of GlobalProtect logs: you can now customize the log storage and Log Forwarding profiles for GlobalProtect and forward logs to a third-party receiver or ticketing system.
- Custom reports for GlobalProtect: you can now run custom reports on detailed GlobalProtect logs, using predefined templates or building reports from scratch.
These features are available for any Palo Alto Networks next-generation firewall deployed as a GlobalProtect gateway or portal.
New Virtualization Features
NOTE: When it comes to Virtualization and PAN-OS 9.1, one very important note is that the VM-Series firewall running PAN-OS 9.1 requires the VM-Series plugin 1.0.8.
East-West Traffic Inspection with VM-Series Firewall on VMware NSX-T
You can now integrate the VM-Series firewall with VMware NSX-T to provide comprehensive visibility and safe application enablement of all east-west traffic in your NSX-T deployment. When you deploy the VM-Series firewall as part of a service chain in a Host Based (per ESXi host) or Clustered (as part of an ESXi service cluster) NSX-T managed cloud environment, you can inspect and secure lateral traffic between virtual machines in the data center and implement micro-segmentation.
Performance Improvements for C5/M5 Instances on AWS
VM-Series firewalls deployed on AWS C5 or M5 instances that use the Elastic Network Adapter (ENA) now support DPDK. With DPDK, VM-Series firewalls deliver higher throughput for manual or managed firewall deployments and for elastic scale-out deployments. The instance sizes in the C5 and M5 families that support these use cases include m5.xlarge to m5.4xlarge, and c5.18xlarge. DPDK is disabled by default on the VM-Series on AWS, and you must enable it after the upgrade (from the CLI: set system setting dpdk-pkt-io on).
Support for DPDK on Cisco ENCS
For faster packet processing, the VM-Series firewall running on Cisco Enterprise Network Compute System (ENCS) supports DPDK on Cisco 5400 ENCS appliances with NFVIS 3.10.x and 3.12.x.
Support for DPDK on VM-Series on Azure
DPDK support for VM-Series firewall instances on Azure with Azure Accelerated Networking (AN) enables higher throughput. This is achieved with a design change for efficiently processing packets as they pass from the Azure network fabric to the VM-Series firewall.
So, we now have a new version of PAN-OS. What kind of changes do you need to know about before upgrading to PAN-OS 9.1?
Here are the changes in default behavior for PAN-OS 9.1:
URL Filtering BrightCloud Support
With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall.
PAN-OS REST API request parameters and error responses
The REST API methods now accept the API key only through a custom HTTP header and no longer as a query parameter. To authenticate a REST API request to the firewall or Panorama, send the key in the header X-PAN-Key: <key>. Besides being a breaking change for existing scripts, this keeps the key out of URLs, and therefore out of proxy and web-server access logs. This change applies only to the REST API; the XML API is unchanged.
The REST API methods now implement both rename and move with custom HTTP mappings instead of action query parameters. Examples of the new and previous conventions are below.
Rename an address object:
- New convention: POST /restapi/<version>/objects/addresses:rename
- Replaces: POST /restapi/<version>/objects/addresses?action=rename
Move a security policy rule:
- New convention: POST /restapi/<version>/policies/securityrules:move
- Replaces: POST /restapi/<version>/policies/securityrules?action=move
There is a new error response format for all REST API methods. This new format offers consistent and reliable error reporting that includes both human-readable messages and parsable error codes. The format includes overall request status, product-specific error codes, and details that will give the caller the maximum amount of data available if an error does occur.
The REST API URIs now denote version with a v prefix for versions 9.1 and beyond. Examples of the new and previous conventions are below:
- New convention: GET /restapi/v9.1/objects/addresses
- Replaces: GET /restapi/9.0/objects/addresses
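To make the three REST API changes above concrete, here is an added example (mine, not code from this page or from Palo Alto Networks) that builds the same address-object rename in the pre-9.1 and the 9.1 conventions and checks where the API key ends up. The firewall host and API key are placeholders, and the query parameters a rename takes (location, vsys, name, newname) are as I recall them from the REST API reference, so confirm them against your version.

```python
import json
import urllib.parse
import urllib.request
from typing import Dict, NamedTuple

# Placeholder firewall address and API key (assumptions for this example).
PANOS_HOST = "firewall.example.internal"
API_KEY = "REPLACE_WITH_YOUR_API_KEY"

# Constructed rename parameters; the parameter names are my recollection of the
# REST API reference and should be checked against your version's documentation.
RENAME_PARAMS = {"location": "vsys", "vsys": "vsys1", "name": "web-srv-1", "newname": "web-srv-01"}


class RestRequest(NamedTuple):
    method: str
    url: str
    headers: Dict[str, str]


def rename_address_pre91(params: Dict[str, str]) -> RestRequest:
    """PAN-OS 9.0 convention: unprefixed version, action=rename, and the API key in the query string."""
    query = dict(params, action="rename", key=API_KEY)
    url = f"https://{PANOS_HOST}/restapi/9.0/objects/addresses?" + urllib.parse.urlencode(query)
    return RestRequest("POST", url, {})


def rename_address_91(params: Dict[str, str]) -> RestRequest:
    """PAN-OS 9.1 convention: v-prefixed version, :rename custom mapping, and the key in X-PAN-Key."""
    url = f"https://{PANOS_HOST}/restapi/v9.1/objects/addresses:rename?" + urllib.parse.urlencode(params)
    return RestRequest("POST", url, {"X-PAN-Key": API_KEY})


def key_exposed_in_url(req: RestRequest) -> bool:
    """True when the API key sits in the URL, where proxies, load balancers and
    web-server access logs record it. The 9.1 header form keeps it out of the URL."""
    query = urllib.parse.urlparse(req.url).query
    return "key" in urllib.parse.parse_qs(query)


def send(req: RestRequest) -> dict:
    """Issue the request and decode the JSON body (not called here; this block runs offline)."""
    r = urllib.request.Request(req.url, method=req.method, headers=req.headers)
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    old, new = rename_address_pre91(RENAME_PARAMS), rename_address_91(RENAME_PARAMS)
    print("9.0:", old.url, "| key in URL:", key_exposed_in_url(old))
    print("9.1:", new.url, new.headers, "| key in URL:", key_exposed_in_url(new))
```

When migrating scripts, run key_exposed_in_url (or an equivalent check) over every request your tooling builds: a script that switches to the v9.1 path and :rename mapping but still appends key= to the query string will be rejected by 9.1, and on any firewall it leaves the key in logs.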
URL Category Lookup Timeout
Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five.
Also, you can now adjust this timeout in the web interface by navigating to Device > Setup > Content-ID and changing the value for Category lookup timeout.
Web Interface Configuration to Hold Web Requests During URL Category Lookups
The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to Device > Setup > Content-ID and checking the box next to Hold client request for category lookup. With the shorter default lookup timeout, more first-time lookups can expire before a category comes back; holding the request until the lookup completes avoids enforcing policy on an unresolved category, at the cost of added latency for URLs that are not yet cached.
GlobalProtect Host Information
On the ACC, the GlobalProtect Host Information widget under the Network Activity tab is now renamed HIP Information.