Networking Features
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Networking Features
What new Networking features are in PAN-OS 11.2?
The following section describes new networking features introduced in PAN-OS 11.2.
Preventing DoS Attacks with Enhanced DoS and PBP Configurations
September 2024
|
For the internet-facing zones, the current recommendation to configure a DoS
Protection policy rule is to classify the IP address based on the destination IP
address only method. We recommended this method because it's difficult to track all
the source IP addresses on the internet reaching the firewall.
Compared to the destination-ip-only method, both the
source-ip-only and
src-dest-ip-both method uses the software and hardware
block table to block the attacks efficiently and more effectively. As the
destination-ip-only method does not use the software and
hardware block table, it may result in the firewall getting exposed to the
attacks.
These sudden attacks lead to over consumption of the firewalls resources causing
unstable connectivity and network outages.
We have now introduced the following improvements to prevent the Palo Alto Networks
firewalls from the DoS attacks:
New Enhancements | Benefits |
---|---|
The firewall can now block the offending source IP address using
the software and hardware ACL blocking settings by classifying the IP address
based on the destination IP address only method.
|
With DoS enhancement, you can now configure the DoS
policy with destination IP address only classification for the
internet facing zones; this method strengthens the firewall’s
blocking efficacy from the DoS attacks that originate from the
internet and therefore protects the firewall resources.
|
Enhanced the packet buffer
protection that monitors session latency and buffer
utilization concurrently and activates mitigation when either
latency or buffer thresholds are exceeded.
|
With PBP enhancement, you can now configure both the buffer-based
and latency-based activation at the same time while configuring
the packet buffer protection. This configuration protects the
firewall resources by activating mitigation when either latency
or buffer thresholds are exceeded.
|
Increase or decrease the software block duration for the software
block table entries.
|
Configuring software block duration in the software block table
is more effective for the software-based platforms and for the
hardware platforms the software block table acts as an
additional protection along with the hardware block table.
|
Extended the SNMP support for
buffer and on-chip packet descriptor utilization.
|
With SNMP enhancement, you can now monitor software tags/on-chip
descriptors, buffer utilization (in percentage), and firewall
resources from the SNMP server.
|
IPv6 Support on Cellular Interface for PA-415-5G Firewall
September 2024
|
The PA-415-5G firewall supports dynamic IPv6 addressing and dual-stack networking on
a cellular interface. This is especially
helpful when your cellular operator provides only IPv6 services or your location
requires IPv6 connectivity. The cellular interface supports dynamically obtaining an
IPv6 prefix from the 5G provider network.
Encrypted DNS for DNS Proxy and the Management Interface
July 2024
|
When you use DNS on your operating systems and web browsers, you can encrypt the DNS
traffic to help maintain privacy and protect traffic from meddler (MitM) attacks. If
you configure your PAN-OS firewall to act as a DNS proxy, you can enable encrypted DNS and configure the DNS
proxy to accept one or more types of DNS communication from the client:
DNS-over-HTTP (DoH), DNS-over-TLS (DoT), or cleartext.
To enforce encryption, you specify the type of encryption that the DNS proxy should
use to communicate with DNS servers. If a DNS server rejects encrypted DNS or the
DNS proxy does not receive a response from the primary or secondary server within
the timeout period, you can configure the DNS proxy to fall back to unencrypted DNS
communications with the server.
Additionally, you can enable encrypted DNS on the management interface
of the firewall so that DNS requests use DoH, DoT, or fall back to
unencrypted DNS.
Post Quantum Hybrid Key Exchange VPN
May 2024
|
Post Quantum Hybrid Key Exchange VPN
extends your PAN-OS post-quantum VPN security by adding the ability to create
post-quantum cryptographic (PQC) hybrid keys using the NIST round 3 and round 4
cryptographic suites. You can future proof your VPN encryption keys and safeguard
against harvest now, decrypt later (HNDL) attacks by combining multiple key exchange
mechanisms (KEM) with full crypto agility.
The hybrid key technology is based on RFC 9242 and RFC 9370, and allows you to add up
to seven additional key exchange mechanisms (KEM). With each additional KEM added,
the level of quantum resistance increases as the attacker needs all used KEMs to
become vulnerable before the key can be broken. You can apply the hybrid key technology to both
IKEv2's key exchange and IPSec's rekey key exchange to ensure all VPN key exchanges
are quantum resistant.
To provide in-depth quantum defense, you can also enable both of its post quantum VPN
technologies together. If both the RFC 8784 post quantum pre-shared key (released
with PAN-OS 11.1) and this new PQ Hybrid Key feature are enabled, PAN-OS generates
the hybrid key and then mixes in the static pre-shared key.
Increased Maximum Number of Security Rules for the PA-3400 Series Firewall
May 2024
|
(PA-3410 and PA-3420 firewalls only) The maximum number of
security rules supported has increased from 2,500 to 10,000.
Authenticate LSVPN Satellite with Serial Number and IP Method
February 2024
May 2024
|
Beginning with PAN-OS 10.1 and later releases, we support Username/password and
Satellite Cookie Authentication method for a satellite to authenticate to the
portal. This method requires user intervention to get satellites authenticated by a
portal that prevents automating the deployment of remote satellites and adds
difficulty and complexity for the administrators to perform software upgrade and
deploy new firewalls.
To remove the user intervention while onboarding a remote satellite and to
enable automating the deployment of remote satellites, we introduce a new
authentication method called "Serial number and IP address
Authentication”. You can now onboard a remote satellite using the
combination of serial number and IP address in addition to the username/password and
satellite cookie authentication method. This authentication method reduces the
complexity by enabling you to deploy new firewalls without manual intervention.
However, Username/password and Satellite Cookie Authentication remains as a default
authentication method.
Before enabling the Serial number and IP address Authentication method, configure the
satellite serial number at the portal as one of the authentication verification
conditions.
- Configure the satellite IP address as an "IP allow list" at the portal using the set global-protect global-protect-portal portal <portal_name> satellite-serialnumberip-auth satellite-ip-allowlist entry <value> command to add a satellite device IP address on the GlobalProtect portal.
- Enable the Serial number and IP address Authentication method using the set global-protect-portal satellite-serialnumberip-auth enable CLI command. After you enable this method, the satellite continuously attempts to authenticate with the portal for the configured retry interval (in seconds) after power-on until the portal explicitly instructs the satellite to stop.
Upon successfully configuring a satellite device allowed IP address list per portal,
and configuring the satellite serial number on the GlobalProtect portal, the
satellite can initiate the connection to the portal.