Policy Features

End-of-Life (EoL)

Learn about the Policy features on PAN-OS® 10.0.
New Policy Feature: Description

IP Range and Subnet Support in Dynamic Address Groups
Dynamic address groups were previously limited to tagging a single IP address for membership; only the first address in an IP range or subnet was included in the dynamic address group. You can now populate dynamic address group membership based on IP address ranges or IP subnets. This allows you to build and enforce policy based on changes in a specific range of IP addresses or on a particular subnet. For example, in a VMware NSX environment, if you run similar types of workloads on a dedicated IP range or subnet, it may not be efficient to tag every workload that joins the IP range. Now, you no longer need to tag each workload to ensure security. Additionally, you can see source and destination dynamic address groups in the firewall logs. This gives you additional visibility in your traffic logs for auditing and troubleshooting. You can also take automated security actions on IP ranges and subnets, such as quarantining infected devices.

X-Forwarded-For HTTP Header Data Support in Policy
To help you enforce security policy on an endpoint that originates a request when it is behind an upstream device, such as an explicit HTTP proxy server or load balancer, the firewall can now use the source IP address contained in the X-Forwarded-For (XFF) field of the HTTP header. With the IP address of the original initiator of the request, you can ensure that the correct security policy rules are applied and use other features such as geoblocking, IP blocking, and DoS protection. For example, if you want to block traffic originating in North Korea, you create policy based on North Korean IP addresses. The firewall can identify those location-based IPs and enforce policy, even if that traffic passes through an explicit HTTP proxy. Additionally, the firewall now displays the endpoint IP address and upstream device IP address in logs to aid troubleshooting and remediation.
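The two features above combine naturally: the firewall picks the original client address from XFF and then matches it against a dynamic address group built from ranges and subnets. The following added example (written for this page, not PAN-OS code) models that evaluation in Python with the standard `ipaddress` module; the group criteria, proxy address and rule names are constructed values, and the XFF header is only honoured when the packet actually arrived from the known upstream proxy, since otherwise any client could forge the header to select a rule.

```python
import ipaddress
from typing import Optional

# Constructed sample: a dynamic address group whose match criteria are one
# IP range and one subnet (hypothetical values, not from the page).
NSX_WORKLOADS = {
    "ranges": [("10.1.1.10", "10.1.1.50")],
    "subnets": ["10.2.0.0/24"],
}

# Constructed: the explicit HTTP proxy sitting in front of the clients.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def in_dynamic_group(ip: str, group: dict) -> bool:
    """True if ip falls inside any range or subnet of the group."""
    addr = ipaddress.ip_address(ip)
    for lo, hi in group["ranges"]:
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return True
    return any(addr in ipaddress.ip_network(n) for n in group["subnets"])


def original_client_ip(packet_src: str, xff: Optional[str], trusted_proxies) -> str:
    """Source IP to evaluate policy on.

    XFF is used only when the packet came from a trusted upstream proxy;
    the left-most entry is the original client. A malformed or untrusted
    header falls back to the packet's own source address.
    """
    if xff and ipaddress.ip_address(packet_src) in trusted_proxies:
        first = xff.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # malformed header: ignore it
    return packet_src


def evaluate(packet_src: str, xff: Optional[str]) -> str:
    """Return the name of the (constructed) rule that matches."""
    client = original_client_ip(packet_src, xff, TRUSTED_PROXIES)
    if in_dynamic_group(client, NSX_WORKLOADS):
        return "allow-nsx-workloads"
    return "deny-default"


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "10.2.0.7, 192.0.2.10"))   # allow-nsx-workloads
    print(evaluate("203.0.113.5", "10.2.0.7"))               # deny-default
```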