Focus

Policy Features

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

User-ID Features

Authentication Features

Policy Features

Learn about the Policy features on PAN-OS® 10.0.

New Policy Feature	Description
IP Range and Subnet Support in Dynamic Address Groups	Dynamic address groups were previously limited to tagging single IP address for membership; only the first address in an IP group or subnet was included in the dynamic address group. You can now populate dynamic address group membership based on IP address ranges or IP subnets. This allows you to build and enforce policy based on changes in a specific range of IP addresses or on a particular subnet. For example, in a VMware NSX environment, if you run similar types of workloads on a dedicated IP range or subnet, it may not be efficient to tag every workload that joins the IP range. Now, you no longer need to tag each workload to ensure security. Additionally, you can see source and destination dynamic address groups in the firewall logs. This gives you additional visibility in your traffic logs for auditing and troubleshooting. And you can now take automated security actions on IP ranges and subnets, such as quarantining infected devices.
X-Forwarded-For HTTP Header Data Support in Policy	To help you enforce security policy on an endpoint that originates a request when it is behind an upstream device, such as an explicit HTTP proxy server or load balancer, the firewall can now use the source IP address contained in the X-Forwarded-For (XFF) field in the packet HTTP header. With the IP address of the original initiator of the request, you can ensure that the correct security policy rules are applied and use other features such as geoblocking, IP blocking, and DoS protection. For example, if you want to block traffic originating in North Korea, so you create policy based on North Korean IP addresses. The firewall can identify those location-based IPs and enforce policy, even if that traffic passes through a explicit HTTP proxy. Additionally, the firewall now displays the endpoint IP address and upstream device IP address in logs to aid troubleshooting and remediation.

New Policy Feature

Description

IP Range and Subnet Support in Dynamic Address Groups

Dynamic address groups were previously limited to tagging single IP address for membership; only the first address in an IP group or subnet was included in the dynamic address group. You can now populate dynamic address group membership based on IP address ranges or IP subnets. This allows you to build and enforce policy based on changes in a specific range of IP addresses or on a particular subnet. For example, in a VMware NSX environment, if you run similar types of workloads on a dedicated IP range or subnet, it may not be efficient to tag every workload that joins the IP range. Now, you no longer need to tag each workload to ensure security. Additionally, you can see source and destination dynamic address groups in the firewall logs. This gives you additional visibility in your traffic logs for auditing and troubleshooting. And you can now take automated security actions on IP ranges and subnets, such as quarantining infected devices.

X-Forwarded-For HTTP Header Data Support in Policy

To help you enforce security policy on an endpoint that originates a request when it is behind an upstream device, such as an explicit HTTP proxy server or load balancer, the firewall can now use the source IP address contained in the X-Forwarded-For (XFF) field in the packet HTTP header. With the IP address of the original initiator of the request, you can ensure that the correct security policy rules are applied and use other features such as geoblocking, IP blocking, and DoS protection. For example, if you want to block traffic originating in North Korea, so you create policy based on North Korean IP addresses. The firewall can identify those location-based IPs and enforce policy, even if that traffic passes through a explicit HTTP proxy. Additionally, the firewall now displays the endpoint IP address and upstream device IP address in logs to aid troubleshooting and remediation.

User-ID Features

Authentication Features

Next-Generation Firewall Docs

Policy Features

Next-Generation Firewall Docs

Policy Features

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner