Changes to Default Behavior
Focus
Focus

Changes to Default Behavior

Table of Contents
End-of-Life (EoL)

Changes to Default Behavior

Changes to the default behavior in PAN-OS® 9.0
The following table details the changes in default behavior upon upgrade to PAN-OS® 9.0. You may also want to review the CLI Changes in PAN-OS 9.0 and the Upgrade/Downgrade Considerations before upgrading to this release.
FeatureChange
API Key Lifetime
When you generate a new API key, the key metadata includes a timestamp of the creation date which makes the key size larger than those generated with PAN-OS version earlier than 9.0.
Default Administrator Password Requirements
(PAN-OS 9.0.4 and later 9.0 releases)
Starting with PAN-OS 9.0.4, the firewall enforces password complexity for the default admin account on the first log in. If the current password doesn't meet the complexity requirements, the device prompts you to change it.
The new password must have a minimum of eight characters and include a minimum of one lowercase and one uppercase character, as well as one number or special character. On a new installation, password complexity is enabled with a minimum password length of eight characters.
This change does not affect other administrative users.
HTTP/2 Inspection
The firewall now processes and inspects HTTP/2 traffic by default.
If you want to disable HTTP/2 inspection, you can specify for the firewall to remove any value contained in the Application-Layer Protocol Negotiation (ALPN) TLS extension: select ObjectsDecryptionDecryption ProfileSSL DecryptionSSL Forward Proxy and then select Strip ALPN. ALPN is used to secure HTTP/2 connections—when there is no value specified for this TLS extension, the firewall either downgrades HTTP/2 traffic to HTTP/1.1 or classifies it as unknown TCP traffic.
Strict Default Ports for Decrypted Applications, Including Web-Browsing
Application default—which enables you to allow applications only on their most commonly-used ports—now enforces standard port usage for certain applications that use a different default port when encrypted: web-browsing, SMTP, FTP, LDAP, IMAP and POP3.
This means that, if you’re decrypting SSL traffic, a security policy that allows web-browsing on the application default ports now strictly enforces web-browsing on port 80 and SSL-tunneled web-browsing on port 443.
To enhance security, if you currently have a security policy rule configured to allow web-browsing on service-HTTP and service-HTTPS, you might consider updating the rule to instead allow web-browsing on the application-default ports:
Network Processing Card Session Capacity Change (PA-7000-20G-NPC and PA-7000-20GQ-NPC)
The session capacity for these two 20Gbps Network Processing Cards changed from 4 million sessions per NPC to 3.2 million sessions per NPC on firewalls running a PAN-OS 9.0 or later release.
PA-7000 Series Firewall Memory Limit for the Management Server
As of PAN-OS 9.0.10, the PA-7000 Series firewalls have new CLI commands to enable or disable resource control groups and new CLI commands to set an upper memory limit of 8G on a process (mgmtsrvr).
To enable resource-control groups, use:
debug software resource-control enable
To disable resource-control groups, use:
debug software resource-control disable
To set the memory limit, use:
debug management-server limit-memory enable
To remove the memory limit, use:
debug management-server limit-memory disable
Reboot the firewall to ensure the memory limit change takes effect.
Refresh of Default Trusted CAs
The certificate authorities (CAs) that the firewall trusts by default are updated; new trusted root CAs are added and expired CAs are removed. To view and manage the lists of CAs that the firewall trusts by default, select DeviceCertificate ManagementCertificatesDefault Trusted Certificate Authorities.
VM-50 and VM-50 Lite Firewalls
The minimum memory requirement has changed from 4GB to 4.5GB for the VM-50 Lite and from 4.5GB to 5.5GB for the VM-50 in PAN-OS 9.0. You cannot upgrade the VM-50 Lite without allocating additional memory. If you upgrade the VM-50 with less than 5.5GB memory, it will default to the system capacities (number of sessions, rules, security zones, address objects, etc) associated with the VM-50 Lite.
See Upgrade/Downgrade Considerations for more information.
VM-Series Plugin
Beginning with PAN-OS 9.0, the built-in VM-Series plugin manages interactions between the VM-Series firewalls and the supported public and private cloud platforms. Also, the bootstrap package now has an optional /plugins folder for upgrading a plugin. To configure plugin integrations, select DeviceVM-Series.
In Panorama™ 9.0 the VM-Series plugin is available in PanoramaPlugins but must be manually installed.
VXLAN Tunnel Content Inspection
In PAN-OS 8.1 and earlier releases, the firewall used the UDP Session key to create UDP sessions for all tunnel content inspection protocols. It is a six-tuple key (zone, source IP, destination IP, protocol, source port, and destination port), and it remains in use.
PAN-OS 9.0 introduces the VNI Session key specifically for VXLAN tunnel content inspection. The VNI Session key is a five-tuple key incorporating the zone, source IP, destination IP, protocol, and the VXLAN Network Identifier (VNI).
By default, VXLAN tunnels now automatically use the VNI Session key to create a VNI Session, which is visible in logs.
If you prefer to use the UDP Session key for VXLAN (as you did in previous releases), you can define a custom application for VXLAN and use an application override policy to invoke your custom application.
Panorama Commit and push operations
  • Commit is unavailable (grayed out) when you have no pending changes on Panorama and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have successfully pushed all changes you made on Panorama to all managed firewalls and appliances).
  • Commit displays as a green downward arrow (
    ) when you have pending changes on Panorama that must be committed and pushed to managed devices.
  • Commit displays as a yellow sideways arrow (
    ) when managed firewalls and Log Collectors are out of sync, and you must push the committed Panorama configuration.
  • When you Commit and Push your configuration changes on Panorama, you must Edit Selections to specify the Push Scope to managed devices.
Security Group Tag (SGT) Ethertype Support
If you're using Security Group Tags (SGTs) to control user and device access in a Cisco Trustsec network, inline firewalls in Layer 2 or Virtual Wire mode now inspect and provide threat prevention for the tagged traffic by default. Before PAN-OS 9.0, a firewall in Layer 2 or virtual wire mode could allow SGT traffic but did not process and inspect it.
The firewall does not enforce security policy based on SGTs.
Authentication Policy
In PAN-OS 8.1 and earlier, administrators needed to add a rule to decrypt TLS sessions to apply authentication policy. In PAN-OS 9.0, the firewall applies the authentication policy without needing to decrypt the session.
IP Address Registration and Dynamic Address Groups
In PAN-OS 8.1 and earlier, it could take up to 60 seconds to register an IP address, and the associated tags, and update the membership information for a dynamic address group (DAG). In PAN-OS 9.0, IP address registration occurs in real time. Any policy matches for updates on a registered IP address (IP-tag mapping) are reflected only in new sessions. Any existing sessions are reevaluated for a policy match when you perform a commit or the App-ID™ on the session changes.
URL Filtering Overrides
In earlier release versions, URL category overrides received priority enforcement over custom URL categories. However, override priority goes away in PAN-OS 9.0 with the conversion of URL category overrides to custom URL categories. After you upgrade, the firewall enforces the new custom URL category using the Security policy rule with the strictest URL Filtering profile action. From most to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow. As a result, overrides with the allow action might be blocked after being converted to custom URL categories.
For more details on this, review PAN-OS 9.0 Upgrade and Downgrade Considerations.
Workaround:
  1. Create a URL Filtering Profile that defines site access for a custom URL category. Select ObjectsSecurity ProfilesURL FilteringCategories, and set the Site Access (like allow or block) for custom URL categories that you want to exclude from a URL category.
  2. Create a new Security policy rule to prioritize enforcement for URL category exceptions. Attach the URL Filtering profile you just created to that rule (PoliciesSecurityActionsProfile SettingProfiles). Because the firewall evaluates rules from top to bottom, make sure that this rule appears at the top of your security policy (PoliciesSecurity).
The Overrides tab objects are removed and Custom URL Category objects are created for firewalls running PAN-OS 8.1 or earlier releases when managed by a Panorama management server that is upgraded to PAN-OS 9.0.
CLI Commands for the Option to Hold Web Requests During URL Category Lookup
(PAN-OS 9.0.4 or later 9.0 releases)
The CLI commands for this feature are now the following:
  1. Enter configure to access Configuration Mode.
  2. Enter set deviceconfig setting ctd hold-client-request yes to enable the feature.
  3. Commit your changes.
URL Filtering CLI Change
You no longer need to download a predefined set of URLs after activating a URL Filtering license, so the following commands associated with that operation have been removed:
  • request url-filtering download paloaltonetworks region <region>
  • request url-filtering download status vendor paloaltonetworks
SAML Authentication
(PAN-OS 9.0.9 and later 9.0 releases)
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
  • Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate on the SAML Identity Provider Server Profile.
  • Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.
SIP TCP Cleartext
The cleartext proxy is enabled by default for SIP TCP sessions when a segmented SIP header is detected. This helps with the correct reassembly and ordering of TCP segments for proper ALG operation.
You can disable this option if SIP message sizes are generally smaller than the MSS and when the SIP messages fit within a single segment, or if you need to ensure TCP proxy resources are reserved for SSL forward proxy or HTTP/2.
Resolution of FQDN Address Objects
Firewalls started using DNSProxy daemon instead of Linux network stack to resolve FQDNs, and therefore there is a difference in the ability of Panorama and firewalls to resolve FQDNs. Both Panorama and firewalls require that when you create an address object using an FQDN, you enter an FQDN and not just a hostname.
URL Filtering PAN-DB Updates
In PAN-OS 9.0 and later, firewalls no longer download a PAN-DB seed database or incremental database updates; instead, firewalls populate the cache as URL queries are made. In an active/passive HA environment, as database updates are no longer applicable, only the active firewall connects to PAN-DB to perform URL lookups. Should a failure occur, the passive firewall transitions to an active state, and will establish a connection to PAN-DB.
Forwarded Emails for System Events
After a successful upgrade to PAN-OS 9.0, the subject line for system events forwarded to an email address have a maximum of 99 characters. This means that email subject lines that exceed 95 characters are truncated with an ellipsis (...) to indicate there is additional text to review.
View Rulebase as Groups
On upgrade to PAN-OS 9.0, View Rulebase as Groups replaces the Tag Browser in the Policies tab. In this view, select the group tag to view the policy rules grouped by the selected tag.