Home > Palo Alto > New features of PAN-OS version 7

New features of PAN-OS version 7

Quick summary of the awesome new features the version 7 of PAN-OS introduces:

  1. TLS 1.2 is finally supported! So we can do proper SSL-decryption now. Hooray!
  2. IKE v2 is finally supported! So the Azure Dynamic mode I struggled with in 2013 should now be possible. Hooray!
  3. TACACS+ authentication is now supported! Wow! Happy days for big enterprise networks full of Cisco kit – one password less to remember!
  4. ACC correlation engine – sounds like a really cool feature allowing to cross-reference Wildfire events with network activity (i.e. a host has received a file and then exhibited C&C traffic similar to that appearing during Wildfire sand-boxing). So no more manual looking through access logs after a malware slipped through. Should be a really good time saver for SOCs!
  5. Global Find command allowing to search in one go through Rules, Objects, Profiles et. etc. etc. – really useful thing! Before that the only way of doing so was to go through the raw XML config. Hooray!
  6. Deny action can now be specified in a rule (drop, reset client, reset server or reset both). Finally! You also can configure whether to send ICMP Unreachable message or not (before you ask – ICMP messages can be rate-limited of cause).
  7. Tag browser – allows to properly filter rules by Tags and work with these filtered rules. Finally something useful for big rule sets! Before that pretty much the only thing you could do was to view rules containing a certain tag. Hooray!
  8. QoS is now supported on Etherchannels (we getting there with etherchannels by looks of it – at some point PA introduced  Etherchannels on low-end platforms, then introduced LACP and now QoS – patience of early adopters of PAN technologies pays out :))
  9. A bit of L3 load balancing – ECMP support – may be useful in some cases, I guess…
  10. User-ID can now look into XFF header on HTTP. Finally! Happy days for those who configures their proxies to report requesters in XFF or those who does a load balancing with SNAT and injection of original IP into XFF

There are many other minor improvements but I appreciate only the ones above 🙂

Categories: Palo Alto Tags:
  1. Mario Andrade
    October 25, 2017 at 4:10 pm

    Hello ! This decryption of tls 1.2 is done directly without use of a “man-in-the-middle” certificate?

    • October 25, 2017 at 4:55 pm

      No, of course not. You still need a certificate trusted by the client to re-encrypt the connection after it was decrypted for inspection.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: