Palo Alto Networks released PAN-OS 9.1 with new features for SD-WAN, App-ID, User-ID, Panorama, GlobalProtect, Virtualization, and changes in default behavior for PAN-OS 9.1. Find out how these new features can help increase your security posture.
You may have seen my blog last week talking about Secure SD-WAN and New PAN-OS 9.1.
There are a lot of parts to this, so please bear with me.
First are the new features, and then I'll go through the changes to the default behavior.
As I just mentioned, SD-WAN (Software Defined-Wide Area Network) is the newest features of PAN-OS 9.1, and it's also a very exciting part. There are also the new App-ID, Panorama, User-ID, GlobalProtect, and some new Virtualization features that have been added. Let's dive in and see what's new here.
With PAN-OS 9.1, you will have SD-WAN capabilities to use multiple ISP links to ensure application performance and capacity scaling.
Key features of the SD-WAN implementation include:*
| NEW SD-WAN FEATURE | DESCRIPTION |
| Centralized Configuration Management | Leverage Panorama to manage your SD-WAN configuration for hub and branch locations. This will enable you to reuse configurations across locations, reducing management requirements and operational overhead for your deployment. |
| Automatic VPN Topology Creation | VPN clusters simplify the creation of complex VPN topologies using logical groupings of branches and hubs to accelerate the configuration and deployment of secure communications between all locations. |
| Traffic Distribution | Take advantage of multiple ISP links to scale capacity and reduce costs. Path selection and brownout and blackout detection are per application to ensure the best performance and user experience for critical business applications. By default, you can achieve sub-second failover between paths, ensuring the best possible performance of applications. |
| Monitoring and Troubleshooting | Panorama provides complete operational awareness into your SD-WAN environment, including application performance, link performance, and path health using historical trend analysis tools. |
*- Information adopted from the following page on TechDocs: SD-WAN Features Guide.
The following App-ID features have been added:*
| NEW APP-ID FEATURE | DESCRIPTION |
| Streamlined Application-Based Policy | You can now safely enable a broad set of applications with common attributes using a single policy rule. For example, you can enable broad access for your users to web-based applications using the Web App tag in an application filter, or safely enable all enterprise VoIP applications using the Enterprise VoIP tag. Palo Alto Networks researches new and updated applications, groups those with common attributes, and delivers this through tags in content releases. This update will help with the following:
You can also apply your own tags and create application filters based on those tags to address your own application security requirements. |
| Simplified Application Dependency Workflows | You now have simplified workflows to find and manage application dependencies.
|
*- Information adopted from the following page on TechDocs: PAN-OS 9.1 App-ID Features Guide.
The following Panorama features have been added in PAN-OS 9.1:*
| NEW PANORAMA FEATURE | DESCRIPTION |
| Automatic Panorama Connection Recovery | To ensure that you do not commit a configuration change that inadvertently causes the firewall to lose connectivity to Panorama, PAN-OS 9.1 can automatically revert the Panorama and firewall configuration to the previous running configuration. For example, if you perform configuration changes to the service routes, and as a result the change blocks traffic from the firewall to Panorama, the firewall’s hourly connectivity checks can trigger Automatic Panorama Connection Recovery to revert the configuration back to the last running configuration to restore the connection to Panorama. This recovery ensures that a configuration change will not cause a loss in productivity or require you to physically access the firewall. |
*- Information adopted from the following page on TechDocs: PAN-OS 9.1 Panorama features guide.
The following new User-ID features have been added:*
| NEW USER-ID FEATURE | DESCRIPTION |
| Include Username in HTTP Header Insertion Entries | Allows the firewall to relay a user’s identity when they are accessing your network through secondary security appliances that are connected to your Palo Alto Networks firewall. You can configure your firewall to include the username in the HTTP header so that other security appliances in your network can identify the user without additional infrastructure (such as proxies used to insert the username). This simplifies deployment, reduces page-load latency, and eliminates multiple authentications for users. |
| Dynamic User Groups | You can now use tags to dynamically group users and automate security, decryption, or authentication actions for the group based on user behavior (such as downloading risky software). You can gather information from security sources such as Cortex XDR, User and Entity Behavior Analytics (UEBA), or Security Information and Event Management (SIEM) and use that data to determine a user’s risk level. By using these sources to gain a more comprehensive view of the user’s risk level than provided by directory attributes, the firewall can now interpret user and device information to define user groups that mitigate threats and vulnerabilities regardless of the user’s device or location. These tag-based groups can also provide temporary access for users who need temporary privilege escalation to fix an issue on a production system they wouldn’t normally have access to without requiring you to create rules or modify directories. |
*- Information adopted from the following page on TechDocs: PAN-OS 9.1 User-ID Features Guide.
The following table describes new GlobalProtect features introduced in PAN-OS 9.1.
For features related to the GlobalProtect app, see the GlobalProtect App 5.0 Release Notes.*
| NEW GLOBALPROTECT FEATURE | DESCRIPTION |
| Enhanced Logging for GlobalProtect | To help you monitor and troubleshoot issues with your GlobalProtect deployment, PAN-OS now provides the following logging enhancements:
|
*- Information adopted from the following page on TechDocs: PAN-OS 9.1 GlobalProtect Features Guide.
NOTE: When it comes to Virtualization and PAN-OS 9.1, one very important note is that the VM-Series firewall running PAN-OS 9.1 requires the VM-Series plugin 1.0.8.
| NEW VIRTUALIZATION FEATURES | DESCRIPTION |
| East-West Traffic Inspection with VM-Series Firewall on VMware NSX-T | You can now integrate the VM-Series firewall with VMware NSX-T to provide comprehensive visibility and safe application enablement of all east-west traffic in your NSX-T deployment. When you deploy the VM-Series firewall as part of a service chain in a Host Based (per ESXi host) or Clustered (as part of an ESXi service cluster) NSX-T managed cloud environment, you can inspect and secure lateral traffic between virtual machines in the data center and implement micro-segmentation. |
| Performance Improvements for C5/M5 Instances on AWS | VM-Series firewalls deployed on C5 or M5 instances on AWS that use the Elastic Network Adapter (ENA), now support DPDK. With DPDK, VM-Series firewalls provide higher throughput performance for use cases in manual or managed firewall deployments and elastic scale out deployments. The range of instance sizes in the C5 or M5 instance family that support these use cases include 5.xlarge to m5.4xlarge, and c5.18xlarge. DPDK is disabled by default on the VM-Series on AWS, and you must enable it upon upgrade. |
| Support for DPDK on Cisco ENCS | For faster packet processing, the VM-Series firewall running on Cisco Enterprise Network Compute System (ENCS) supports DPDK on Cisco 5400 ENCS appliances with the NFVIS 3.10.x and 3.12.x. |
| Support for DPDK on VM-Series on Azure | DPDK support for VM-Series firewall instances on Azure with Azure Accelerated Networking (AN) enables higher throughput. This is achieved with a design change for efficiently processing packets as they pass from the Azure network fabric to the VM-Series firewall. |
*- Information adopted from the following page on TechDocs: PAN-OS 9.1 Virtualization Features Guide.
So, we now have a new version of PAN-OS. What kind of changes do you need to know about before upgrading to PAN-OS 9.1?
Here are the new changes in default behavior for PAN-OS 9.1: *
| FEATURE | CHANGE |
| URL Filtering BrightCloud Support | With PAN-OS 9.1, BrightCloud is no longer supported as a URL Filtering vendor. Before you can upgrade to PAN-OS 9.1, you’ll first need to convert your BrightCloud URL Filtering license to a PAN-DB URL Filtering license (contact your sales representative to convert your license). Only upgrade to PAN-OS 9.1 after confirming that the PAN-DB URL Filtering license is active on your firewall. |
| PAN-OS REST API request parameters and error responses |
|
| URL Category Lookup Timeout | Cloud queries for uncached URL categories now have a default timeout of two seconds instead of five. Also, you can now adjust this timeout in the web interface by navigating to Device > Setup > Content-ID and changing the value for Category lookup timeout. |
| Web Interface Configuration to Hold Web Requests During URL Category Lookups |
The web interface now features the option to hold web requests during URL category lookups. Enable this setting by navigating to Device > Setup > Content-ID and checking the box next to Hold client request for category lookup. |
| GlobalProtect Host Information | On the ACC, the GlobalProtect Host Information widget under the Network Activity tab is now renamed HIP Information. |
*- Information adopted from the following page on TechDocs: PAN-OS 9.1 Changes to Default Behavior Guide.
For additional information about all of the new features included with PAN-OS 9.1 and a video about SD-WAN, please see the
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line
