Tunnel Content Inspection is enhanced so that you can separate logs for outer tunnel traffic from logs for inside traffic, which is subject to security policy rules. This separation provides more reporting options, enhanced ACC statistics, and makes troubleshooting long-lived sessions, such as GRE, easier. For example, using only the default logging for a security policy rule (which logs at session end) might not provide any logs, but now you can log tunnel sessions at the start and end of a session, allowing you to view all GRE traffic. You can also now forward tunnel inspection logs to one or more servers or to Panorama, which makes it more convenient to access log data. Additionally, when you view a detailed tunnel inspection log, it includes the name of the tunnel inspection rule applied to a session that was captured in the log, which makes it easier to track information about non-encrypted tunnel traffic.

You can now configure destination NAT to a translated destination host that has a DHCP-assigned IP address (not just to a host with a static IP address) because the translated address can now be an FQDN. This means that when the DHCP server assigns a new address to the host, you don’t have to manually update the FQDN, the DNS server, or the NAT policy rule—nor do you need to use a separate external component to update the DNS server with the latest FQDN-to-IP address mapping.

With this capability, if the FQDN resolves to more than one address, the firewall automatically distributes sessions among those addresses (based on a round-robin algorithm) to provide more evenly distributed session loading. Also, in a single NAT rule, you can translate multiple pre-NAT destination IP addresses to multiple post-NAT destination IP addresses to support a many-to-many destination NAT translation.

When you configure an IPSec tunnel with an IKE gateway peer, the peer’s address can now be an FQDN or an address object that uses an FQDN, which helps you avoid the need to reconfigure changed IP addresses for IKE endpoints. For example, if you have several satellite offices with multiple hub locations and VPN connectivity between firewalls at the satellites and hub gateway, you can now configure the firewall in each satellite office with the IKE peer address of the hub as an FQDN. So if one hub goes down, the DNS server for that FQDN automatically resolves the FQDN to the IP address for the second hub and you don’t have to manually reconfigure the IKE peer to use the IP address of the second hub.

To help you scale your deployment and ease the migration to Palo Alto Networks firewalls, there are several configuration capacity improvements. Depending on the model, firewalls running PAN-OS 8.1 now support more address groups, service groups, service entries per service group, address objects, service objects, FQDN address objects, zones, tunnel zones, security rules, and tunnel inspection rules. Additionally, all firewalls running PAN-OS 8.1 support 63 characters per rule name.

The certificate authorities (CAs) that the firewalls trusts by default are updated in PAN-OS 8.1; new CAs are added and expired CAs are removed. The pre-installed list of CAs includes the most common and trusted certificate providers responsible for issuing the certificates the firewall requires to secure the connections to the internet. Because these CAs are trusted by default, you need to add only those additional trusted enterprise CAs that are required by your organization.

The fixed 1800-second timeout of ARP cache entries (mappings of IP addresses to hardware addresses) set on the firewall might not have suited your environment. You can now change the ARP cache timeout to a value in the range of 60 to 65,535 seconds.