Networking Features

What new Networking features are in PAN-OS 12.1?
The following section describes new networking features introduced in PAN-OS 12.1.

High Availability Active/Passive Support for PA-7500 Series Firewalls

March 2026
  • Introduced in PAN-OS 12.1.5
You can now deploy traditional High Availability active/passive configurations on PA-7500 series firewalls (Generation 5 hardware platform). This capability addresses a critical gap for users who require active/passive failover solutions but cannot use NGFW clustering on these advanced platforms. When you configure traditional HA active/passive on the PA-7500 series firewalls, you maintain similar configuration workflows and operational behaviors that you rely on with legacy HA deployments across other Palo Alto Networks platforms.
Unlike clustering where all members actively forward traffic, HA active/passive mode maintains the traditional model where only the active device processes traffic while the passive device remains in standby, ready to assume the active role during a failover event. You benefit from this approach when you need redundancy without the complexity of traffic distribution across multiple active devices, and when your deployment priorities focus on maintaining existing operational procedures rather than scaling throughput.
In HA Active/Passive mode, the PA-7500 series firewalls must use the High Speed Chassis Interconnect (HSCI) to connect the two chassis. The HSCI interfaces aggregate both HA1 and HA2 functions: session synchronization and configuration synchronization. The HSCI-A is the primary interface, whereas HSCI-B can be configured as a backup interface. You can configure this solution without requiring Panorama management, maintaining the same configuration and state synchronization capabilities that exist in current-generation platforms while providing the reliability and performance characteristics of the Generation 5 architecture.
The PA-7500 series firewalls with HA active/passive capability ensure you can migrate to newer hardware platforms without redesigning your high availability architecture, while still gaining access to the enhanced performance and feature capabilities that Generation 5 platforms deliver. This approach particularly suits environments where you require the processing power of modern hardware but must maintain the operational simplicity and predictable behavior patterns of traditional active/passive high availability configurations.

NAT DIPP Scalability Enhancement for PA-7500 Series Firewalls

March 2026
  • Introduced in PAN-OS 12.1.5
The NAT DIPP scalability enhancement for the PA-7500 Series increases the maximum number of supported translated IP addresses from 16,000 to 32,000, enabling large-scale service provider deployments that require extensive source NAT capabilities. This enhancement addresses the critical networking requirements of major telecommunications providers who need to support hundreds of millions of subscribers across multiple regions while maintaining robust internet connectivity and internal infrastructure interconnectivity.
You would benefit from this feature if you operate a large service provider network where traditional NAT translation limits constrain your ability to scale operations effectively. The enhanced capacity is particularly valuable when you need to accommodate substantial customer bases spanning multiple countries or regions. The feature maintains all existing NAT functionality while doubling the translation capacity, ensuring that your network can grow without requiring architectural changes or additional hardware investments.
When deploying the PA-7500 series in your service provider environment, you can now configure up to 32,000 translated IP addresses across standalone deployments, high availability configurations, and clustered environments using C3 Clustering with MLAG. This scalability improvement ensures that PA-7500 Series firewalls can support current operational requirements while providing headroom for future growth, making it possible to standardize on a single firewall platform across your entire network infrastructure without capacity limitations forcing you to seek alternative solutions.

DNS Rewrite with Condition Check

August 2025
  • Introduced in PAN-OS 12.1.2
You can now configure DNS rewrite conditions to control when DNS address translation occurs based on the DNS client's characteristics. This enhancement allows you to specify that DNS responses should only be modified when the DNS client matches particular source zones or source addresses configured in your NAT rules. When you enable DNS rewrite conditions, the firewall evaluates whether the DNS client requesting the resolution matches your configured criteria before performing any address translation in the DNS response.
You might want to use this feature when you have specific DNS clients that require a different DNS resolution behavior from others in your network. For example, if you have internal users who should receive translated addresses for certain services, while external or guest users should receive the original addresses, you can configure DNS rewrite conditions to apply translation only to traffic from designated internal zones. This gives you granular control over which clients receive modified DNS responses, rather than applying DNS rewrite globally to all clients requesting resolution for a particular address.
The feature supports both positive matching (where you can specify that DNS rewrite should occur only when the client matches the NAT rule's source zone and address) and negative matching (through exclusion lists, where you can specify particular source zones or IP address ranges that shouldn't undergo a DNS rewrite for the specific NAT policy rule).
When you configure these conditions, the firewall performs the same DNS rewrite mapping lookup process as before, but adds an additional validation step to verify that the requesting DNS client meets your specified criteria. If the client does not match the configured conditions, the firewall skips the DNS rewrite for that particular request, while still processing other DNS rewrite rules that might apply to different clients requesting the same address resolution.
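The decision flow described above, modeled as an added example (not Palo Alto Networks code and not PAN-OS configuration syntax). The `RewriteRule` fields, the rule names, the simplified answer-to-address mapping, and the choice to evaluate exclusions before the positive match are assumptions for illustration; the sample rules and clients are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RewriteRule:                      # hypothetical model of one NAT rule
    name: str
    mapping: dict                       # address in DNS answer -> rewritten address
    source_zones: set                   # the NAT rule's source zones
    source_nets: list                   # the NAT rule's source addresses (CIDR)
    match_source: bool = False          # positive condition enabled
    exclude_zones: set = field(default_factory=set)
    exclude_nets: list = field(default_factory=list)

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def client_allowed(rule, zone, client_ip):
    # Assumption: exclusions are evaluated first and always win.
    if zone in rule.exclude_zones or in_any(client_ip, rule.exclude_nets):
        return False
    if rule.match_source:
        return zone in rule.source_zones and in_any(client_ip, rule.source_nets)
    return True                         # no condition: rewrite for every client

def rewrite_answer(rules, answer_ip, zone, client_ip):
    """Return (address handed to the client, name of the rule applied or None)."""
    for rule in rules:
        if answer_ip not in rule.mapping:       # same mapping lookup as before
            continue
        if client_allowed(rule, zone, client_ip):
            return rule.mapping[answer_ip], rule.name
        # Condition failed: skip this rule only, keep checking the others.
    return answer_ip, None

# Constructed sample rules (documentation and private address space).
RULES = [
    RewriteRule("internal-web", {"203.0.113.10": "10.1.1.10"},
                {"trust"}, ["10.0.0.0/8"], match_source=True,
                exclude_nets=["10.99.0.0/16"]),
    RewriteRule("partner-web", {"203.0.113.10": "172.16.5.10"},
                {"partner"}, ["172.16.0.0/12"], match_source=True),
]

if __name__ == "__main__":
    for zone, ip in [("trust", "10.2.3.4"), ("trust", "10.99.0.7"),
                     ("partner", "172.16.9.9"), ("guest", "192.168.50.5")]:
        print(zone, ip, rewrite_answer(RULES, "203.0.113.10", zone, ip))
```

Running a model like this against the list of client zones and subnets you expect to be rewritten is a quick way to spot a client population that would silently receive the untranslated address.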

GRE Tunnel over a Cellular Interface

August 2025
  • Introduced in PAN-OS 12.1.2
GRE support over the PAN-OS cellular interface enables you to establish GRE tunnels using cellular connections on next-generation firewalls. This feature allows you to configure GRE tunnels with dynamic IP addressing, supporting IPv4 for tunnel endpoints and traffic. You can use this capability to securely connect remote IoT devices, such as video cameras and sensors, back to a mobile headend over cellular networks.
A GRE tunnel over a cellular interface is particularly useful for large service providers looking to extend their routing infrastructure while minimizing operational expenses. By supporting dynamic addressing, it accommodates scenarios where IP addresses may change, providing flexibility in mobile and cellular environments. This GRE over cellular solution allows you to deploy NGFWs in locations without traditional Ethernet connectivity, making it ideal for government, industrial, and remote site applications where secure, reliable communication over cellular networks is essential.

PA-5450 Firewall Support for Secure Web Gateway

August 2025
  • Introduced in PAN-OS 12.1.2
High-performance network environments, such as large enterprises, headquarters, and data centers, frequently experience significant bottlenecks when processing high volumes of proxy traffic through their Secure Web Gateway (SWG) solutions. This performance limitation restricts necessary network scalability. PAN-OS® 12.1 solves this critical challenge by introducing support for the PA-5450 firewall. This enhancement specifically leverages the PA-5450's multi-CPU chassis architecture to deliver powerful improvements in throughput and scalability for high-traffic proxy deployments. This update ensures that users in demanding environments benefit fully from the enhanced capabilities of the Secure Web Gateway solution.

IPv6 Geolocation Support

August 2025
  • Introduced in PAN-OS 12.1.2
  • The following platforms configured with less than 9GB memory do not support IPv6 geolocation:
Many organizations are rapidly migrating to IPv6 networks, driven by ISP adoption and the depletion of IPv4 space. This transition often introduces security blind spots, making it challenging to maintain consistent country-based policy enforcement across dual-stack or IPv6-only environments. IPv6 support for IP geolocation supplements the existing IPv4 geolocation support for country-based Security, Decryption, and DoS Protection NGFW policies by providing visibility and control in dual-stack and IPv6-only environments using your current security policy rules with a single global switch. This unified approach simplifies policy management and ensures consistent security enforcement across both IPv4 and IPv6 networks. This addresses the growing adoption of IPv6 by ISPs and other large enterprise organizations as well as customers who are required to phase out IPv4 and implement IPv6 as part of a larger migration process.
To ensure up-to-date geolocation data, Palo Alto Networks provides a regularly updated global content file which includes an IPv4/IPv6 to country mapping database to determine the ownership of a given IP space. The IP to geolocation mapping for IPv6 addresses is supported with the same level of granularity and coverage as for IPv4 addresses, ensuring consistent policy enforcement across both address types. Alternatively, you can create your own custom mappings by providing a range of IPv6 addresses to a specified region; these have precedence over the default mapping and can be used to fine-tune your security policies.

Enhanced Application Logs for ICMPv6

August 2025
  • Introduced in PAN-OS 12.1.2
Device Security uses ARP Enhanced Application Logs (EAL) to provide visibility and identification for devices on IPv4 networks. However, IPv6 deployments use Neighbor Discovery Protocol (NDP) instead of ARP, which means a lack of EAL visibility prevents full IPv6 support for Device Security.
PAN-OS® now uses Deep Packet Inspection (DPI) to generate EALs from ICMPv6 NDP packets, providing the same level of functionality for IPv6 environments. With ICMPv6 EALs, Device Security can use this data to support Device-ID in IPv6 deployments. This change ensures that Device Security has the necessary visibility to identify and classify devices communicating over IPv6.
EALs for ICMPv6 NDP are enabled by default and are generated for both Network Solicitation (NS) and Network Advertisement (NA) packets. These logs are transmitted over the acknowledgment (ACK) channel for reliable delivery to prevent loss due to congestion. If you experience log flooding in high-volume IPv6 deployments, you can disable ICMPv6 EAL logging using the following CLI command:
set deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp
To complete the configuration and apply the change, commit the device configuration. To re-enable the feature, use the following command:
delete deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp

Enhanced Packet Capture with Support for Range Filters

August 2025
  • Introduced in PAN-OS 12.1.2
PAN-OS® 12.1 introduces support for range filters when configuring custom Packet Captures (PCAPs). This feature addresses troubleshooting challenges with batch traffic where specific source IP addresses, ports, or protocols are unknown.
You can configure capture filters to define ranges using a dash (-) to separate values for:
  • IP addresses: Use subnet masks or specific IP ranges for source and destination IPs.
  • Ports: Define ranges for both source and destination ports.
  • Protocols: Specify a range of protocols.
The system captures any packets that fall within the defined ranges, including the boundary values. You can also combine single-value filters with range filters to refine your packet captures.
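The inclusive range semantics described above, modeled as an added example (not Palo Alto Networks code and not the PAN-OS filter syntax). The field names `src`, `dst`, `sport`, `dport`, `proto` and the filter string format are assumptions for illustration; the filter and packets are constructed.

```python
import ipaddress

def parse_ip(spec):
    """'a-b', CIDR or a single address -> (version, low, high) as integers."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec, strict=False)  # bare address -> /32 or /128
        lo, hi = net[0], net[-1]
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid IP range: {spec!r}")
    return lo.version, int(lo), int(hi)

def parse_num(spec, maximum):
    """'n' or 'n-m' -> (low, high), validated against the field's maximum."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= maximum:
        raise ValueError(f"invalid range: {spec!r}")
    return lo, hi

PARSERS = {"src": parse_ip, "dst": parse_ip,
           "sport": lambda s: parse_num(s, 65535),
           "dport": lambda s: parse_num(s, 65535),
           "proto": lambda s: parse_num(s, 255)}

def compile_filter(**fields):
    """Fields that are not given act as wildcards."""
    return {key: PARSERS[key](spec) for key, spec in fields.items()}

def matches(flt, pkt):
    for key, bounds in flt.items():
        if key in ("src", "dst"):
            version, lo, hi = bounds
            addr = ipaddress.ip_address(pkt[key])
            if addr.version != version or not lo <= int(addr) <= hi:
                return False
        elif not bounds[0] <= pkt[key] <= bounds[1]:   # boundaries are included
            return False
    return True

# Constructed filter: two ranges, one subnet, one single-value field.
FILTER = compile_filter(src="192.0.2.10-192.0.2.20", dst="198.51.100.0/24",
                        dport="8000-8100", proto="6")
# Constructed packets as (src, dst, sport, dport, proto).
PACKETS = [dict(zip(("src", "dst", "sport", "dport", "proto"), p)) for p in [
    ("192.0.2.10", "198.51.100.7", 40000, 8000, 6),   # lower boundaries
    ("192.0.2.20", "198.51.100.7", 40001, 8100, 6),   # upper boundaries
    ("192.0.2.21", "198.51.100.7", 40002, 8050, 6),   # source just outside
    ("192.0.2.15", "198.51.100.7", 40003, 8101, 6),   # port just outside
    ("192.0.2.15", "198.51.100.7", 40004, 8050, 17),  # wrong protocol
]]

def captured(flt, packets):
    return [p["sport"] for p in packets if matches(flt, p)]
```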