You can now configure the cookie expiration period from 1 to 5 years, while the default remains as 6 months. The encrypted cookie stored on an Large Scale VPN (LSVPN) satellite expires after every 6 months. This causes the VPN tunnels associated with the satellite to go down, causing an outage until the satellite is re-authenticated to the LSVPN portal or gateway and a new cookie is generated. A re-authentication every six months causes administrative overhead, affecting productivity, network stability, and resources of the company.

To reduce administrative overhead, we’ve extended the cookie expiration period from 6 months to 5 years.

Some networks are designed around a proxy for compliance and other requirements. The Web Proxy capability available in PAN-OS 11.0 allows these customers to migrate to NGFW without changing their proxy network to secure web as well as non-web traffic. With web proxy available for both NGFW and Prisma Access, Palo Alto Networks helps you transition to a single, integrated security stack for web security across on-premises and cloud-delivered form factors. By configuring seamless synchronization between your on-premises proxy device and the cloud-based proxy, you can enable Prisma Access as a SASE solution for your SWG-based network architecture to ensure consistent policy application regardless of location.

The firewall now supports a stateful DHCPv6 Client to obtain IPv6 addresses and other parameters. This feature also supports Prefix Delegation by assigning prefixes received from the DHCP server to configured pools. A prefix from the pool is distributed using SLAAC to a host-facing (inherited) interface.

In addition to the default tunnel mode, you can now configure IPSec tunnels to use Transport Mode when encrypting host-to-host communications. Transport mode encrypts only the payload while retaining the original IP header. You can use Transport mode to encrypt the management traffic with the most secure protocols.

The Advanced Routing Engine adds support for MSDP. MSDP interconnects multiple IPv4 PIM Sparse-Mode (PIM-SM) domains, enables the discovery of multicast sources in other PIM-SM domains, and reduces the complexity of interconnecting multiple PIM-SM domains by allowing PIM-SM domains to use an interdomain source tree.

Bidirectional Forwarding Detection (BFD) support is extended to the PA-400 Series firewalls (PA-410, PA-440, PA-450, and PA-460 firewalls) for both the legacy routing engine and Advanced Routing Engine.

On the Advanced Routing Engine, BGP peer groups and peers now support both an IPv4 address family (AFI profile) for unicast SAFI and an IPv6 AFI profile for unicast SAFI over a single peering. This means that, regardless of whether the BGP local address and peer address are IPv4 or IPv6, the peering supports both IPv4 and IPv6 unicast routes being carried over a single BGP session that uses IPv4 or IPv6.

PoE enables you to transfer electrical power from a supported firewall to a powered device. Using interfaces that have been configured for PoE, you can allocate power to multiple powered devices while still maintaining data transfer over an Ethernet connection. PoE is supported on many of the new models introduced with PAN-OS 11.0, including PA-1420, PA-1410, PA-445, and PA-415.