PAN-OS Release Notes Version 2.0 New Features.
New Features
NETWORKING FEATURES
• Dynamic Routing – Adds the ability to deploy the device in a layer 3 environment where
dynamic routing is required. This release supports the OSPF and RIPv2 routing protocols.
• Site-to-site IPSec VPN – Adds the ability to connect two devices in an IPSec VPN. This release
supports IKEv1 with 3DES and AES (128, 192, and 256) for encryption and SHA-1 and MD5
for authentication. Connections can be made between two Palo Alto Networks devices or to
another vendor's IPSec equipment. Dynamic peers are supported but remote access clients are
not.
• DHCP Server and Relay – DHCP settings are now available on any layer 3 interface. The
interface can be configured with a DHCP server or to relay requests to up to four existing
DHCP servers.
• Interface State Changes – In order to allow neighboring devices to detect that the device is down,
the following changes have been made to the interface state handling:
1. Default state of an interface without a configuration will be powered off to prevent link
prior to having a configuration.
2. Setting the interface state to "admin down" will power off the interface.
Once a configuration is present, the interface will be set to whatever the configuration dictates.
For interfaces that are not explicitly up or down, they will be disabled which will still allow
link – facilitating initial cabling activity.
PAN-OS Release Notes, Version 2.0.0 rev A
In HA configurations a configuration option (CLI only) has been added to not disable the links
when the device is passive. This should not be used in layer 2 environments.
VISIBILITY AND REPORTING FEATURES
• Custom Reporting – To extend the existing reporting capabilities, admins can now create
custom reports either from scratch or based on an existing report. These reports can pull data
from any of the log databases and can be configured to run on a regular basis just like the
predefined reports.
• PDF Summary Report – A one-page summary report can now be generated combining a
holistic view of application, threat, and user activity in the network. The summary report can
pull together data from any of the predefined reports or from new custom reports. The
summary report can be configured to be distributed automatically on a schedule via email.
• Report Exporting – Any of the reports – predefined or custom – can be exported to either CSV
or PDF. In addition, the system can be configured to email a set of PDF reports on a daily basis.
• Log Filtering – The log viewer has been redesigned for this release, significantly improving the
filtering usability. Filters can now be set by clicking on a cell value. More complex filters can be
created by combining multiple criteria using an expression builder. In addition, other log
fields can be used for filtering, even if they are not visible in the log viewer. This can be used to
find all of the logs for sessions that were decrypted or that have a packet capture attached. Any
log filter can also be saved for future use.
• Log Exporting – An export button is now available to export any logs matching the current
filter to a CSV file for offline archival or analysis.
• PCAP Viewer – Clicking the PCAP icon on a threat or traffic log will now open the packet
capture in the browser, showing the decoded packet without launching an external application.
Optionally, the PCAP file can be downloaded for further analysis.
• Threat Information in ACC – Threat information is now available within ACC. The front page
has a summary of top threats. Clicking on a threat will now open a threat detail page that
shows the description of the threat as well as all of the hosts that have been affected by the
threat.
• User Profile in ACC – ACC now includes user profiles in addition to the previously available
host profiles. With this view, all user activity, regardless of IP address, will be displayed in a
single screen.
• Geo-Scope – Within the App-Scope framework, two new views are available that leverage the
geographical data in the system. The Threat Map and Traffic Map visually show the country of
origin/destination for all traffic and threats.
APP-ID FEATURES
• New Application Taxonomy – The existing 14-category classification of applications has been
changed to a more flexible two-tier categorization with 5 categories and 26 subcategories.
These categories are all based on application functionality and purpose. An additional field has
been added to each application to capture the technology that the application uses. Each
application will be characterized as one of the following: browser-based, peer-to-peer, client-server,
or network-protocol.
• App Browser – To leverage the new application taxonomy, a new dynamic iTunes-like browser
has been added to navigate the growing application list. This interface also allows for creation of
dynamic security rules to enable control of applications by categories or characteristics. For
example, a rule could be added to control all instant-messaging applications that are browser-based.
• Heuristic P2P Detection – In order to better detect encrypted peer-to-peer sessions, heuristic
algorithms have been added.
THREAT PREVENTION AND URL FILTERING FEATURES
• ZIP/GZIP Decompression – ZIP/GZIP decompression enables the real-time scanning of
compressed files that use the deflate compression algorithm allowing the device to scan one
level deep into compressed files and/or traffic for viruses and spyware.
• Visible Default Actions – Visibility into default actions will help users to quickly understand the
recommended threat actions associated with each threat. Default actions for all threats are
shown as part of the descriptions and on the Application Command Center threat
characteristics. Custom profiles for spyware phone home and vulnerability protection also
show the default action in the Actions drop-down menu.
• Zone Protection Profiles – New profiles for protecting against common denial of service
attempts can now be attached to a zone, providing flood, reconnaissance, and other packet
protections:
- Flood Protection: SYN flood, UDP flood, ICMP flood, and other IP packet flood protection
provides administrators with a method to detect and prevent flooding attacks that are
designed to overwhelm a victim using SYN packets, UDP packets, ICMP echo requests, or
any other IP packets. Each flood protection allows the administrator to define thresholds for
alerting, activating protection, and the maximum rate of acceptance. SYN flood protection
has 2 configurable protection actions – SYN cookies or random early drop.
- Reconnaissance Protection: Reconnaissance protection provides administrators with
configurable time (seconds) and event thresholds to protect against TCP and UDP port
scans and host sweeps.
- Other Packet Protection: Other packet protection settings allow administrators to protect
against other IP packet based anomalies and attacks such as IP address spoofing,
fragmented IP traffic, ICMP fragments, or large ICMP packets (>1024 bytes).
• Wildcard Whitelist/Blacklist – Wildcard capability on the whitelist and blacklist provides
administrators with the ability to use wildcards to perform partial matches (e.g. *.yahoo.com
to match www.yahoo.com, autos.yahoo.com). Administrators can use single or even multiple
asterisks (*) in a single block/allow list entry.
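As an added example (not code from the release notes or from Palo Alto Networks), the following Python sketches the matching semantics described above for wildcard block/allow list entries and flags entries whose wildcard is not delimited by a dot, since those also match unrelated domains. How PAN-OS itself evaluates entries is assumed here, not taken from the product.

```python
# Added example (not PAN-OS code): an anchored wildcard matcher for block/allow
# list entries, following the semantics described above: each '*' matches any
# run of characters and may appear more than once per entry. How PAN-OS itself
# matches entries is assumed here, not taken from the product.
import re
from urllib.parse import urlsplit


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Compile one list entry: '*' -> '.*', all other text literal, case-folded.

    The expression is used with fullmatch(), so '*.yahoo.com' cannot match
    'www.yahoo.com.attacker.example' through a substring hit on 'yahoo.com'.
    """
    literal_parts = entry.strip().lower().split("*")
    return re.compile(".*".join(re.escape(part) for part in literal_parts))


def hostname_of(url_or_host: str) -> str:
    """Reduce a URL or bare host to its lowercase hostname (no scheme, port, path)."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # make urlsplit read the leading token as the netloc
    return (urlsplit(text).hostname or "").lower()


def matching_entries(url_or_host: str, entries: list) -> list:
    """Return every entry that matches the hostname, in list order."""
    host = hostname_of(url_or_host)
    return [e for e in entries if entry_to_regex(e).fullmatch(host)]


def undelimited_wildcards(entries: list) -> list:
    """Flag entries whose '*' is not bounded by a label separator ('.').

    '*yahoo.com' also matches 'notyahoo.com', an unrelated domain, whereas
    '*.yahoo.com' only matches hosts under yahoo.com.
    """
    risky = []
    for entry in entries:
        for i, ch in enumerate(entry):
            if ch != "*":
                continue
            before = entry[i - 1] if i > 0 else "."
            after = entry[i + 1] if i + 1 < len(entry) else "."
            if before not in ".*" or after not in ".*":
                risky.append(entry)
                break
    return risky


if __name__ == "__main__":
    # Constructed sample block list; the hostnames below are constructed too.
    block_list = ["*.yahoo.com", "*.mail.*.example.net", "*yahoo.com"]
    for target in ["http://www.yahoo.com/", "autos.yahoo.com", "notyahoo.com",
                   "www.yahoo.com.attacker.example", "a.mail.us.example.net"]:
        print(f"{target:32} -> {matching_entries(target, block_list)}")
    print("entries to review:", undelimited_wildcards(block_list))
```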
• SSL Inbound Inspection – Using the destination server's SSL certificate, the device can perform
real-time decryption of inbound SSL traffic for threat inspection and application identification.
Similar to the existing SSL forward proxy rules, the inbound decryption behavior can be
controlled via rules.
• Bandwidth and Time for URL Filtering Categories – For web browsing traffic, the URL
category has been added to the traffic logs so reports can be generated that show the details of
how much time and bandwidth are being consumed in each URL filtering category.
USER IDENTIFICATION FEATURES
• Enterprise Scale Active Directory Support – In order to scale to large enterprise Active
Directory deployments, the User Identification infrastructure has been updated to allow for up
to 64,000 active users and the ability to support multiple AD domains.
• Captive Portal – A new captive portal allows non-Windows clients or users on machines not
added to the AD domain to be identified through a captive web login that authenticates via
RADIUS. The behavior is controllable through a new captive portal rulebase.
• Improved Usability – To improve the usability of the user identification features, the User
Identification Agent interface has been redesigned. In addition, the troubleshooting and
monitoring capabilities have been enhanced to provide a clearer view into the state of the
system.
MANAGEMENT FEATURES
• Custom Response Pages – To allow administrators to tailor the various response pages that the
device generates, the customization capability previously provided for URL filtering has been
extended to threat blocking, application blocking, SSL decryption opt-out, and captive
portal.
• Automated Updates – Administrators can now schedule dynamic content download and
installation to occur automatically. The download and install operation can be scheduled
• Management Service Access Control – To control who can access the management services
(CLI, web, SNMP), a configurable list of permitted source IP addresses has been added.
• Configurable Administrative Timeouts – The timeouts for the administrative web interface and the
CLI are now configurable.
• Software Rollback Support – The software infrastructure has been modified to provide
consistent, seamless upgrades and downgrades. The device will now maintain two versions of
software that can be switched between by simply rebooting the device.
• HA Sync of Admin Accounts – In addition to the security and network configuration,
administrative accounts are now synchronized between HA pairs.
Changes to Default Behavior
None.
Upgrade/Downgrade Procedures
Use the following steps to perform a software upgrade to the PAN-OS 2.0 release:
1. Ensure the device is connected to a reliable power source (preferably redundant
with UPS) as a loss of power during the upgrade could make the device unusable.
2. Navigate to the Device tab in the web interface and click the Software link.
3. Click Refresh to retrieve the currently available releases that can be installed.
4. Locate the latest release and download it to the device by clicking the Download
link in the row corresponding to that latest release.
5. Once downloaded, click the Install link to perform the upgrade.
Note: Log data is not migrated when upgrading to PAN-OS 2.0 or downgrading from PAN-OS
2.0 to a prior release.
Note: After upgrading, close and reopen your browser. This release includes updates to files that
the browser may have cached. Skipping this step will cause the older files to be used and
may lead to incorrect displays in the web interface.
Use the following steps to perform a dynamic content update, which consists of App-ID updates
as well as threat updates depending on subscription licenses. The device must be registered for
the following steps to work. Please go to https://support.paloaltonetworks.com to register your
device.
1. Navigate to the Device tab in the web interface and click the Dynamic Updates
link.
2. Click Refresh to retrieve the currently available updates that can be installed.
3. Download the latest update to the device by clicking the Download link in the row
corresponding to the latest update.
4. Once downloaded, click the Install link to perform the update.
Addressed Issues
The following issues have been addressed in this release:
• [9572] ACC only reports data for the first virtual system.
• [8118] Pinging an L3 interface is not successful, even with Ping enabled on the interface.
• [7888] When connection to the User Identification Agent is lost, user associations are
retained.
• [6668] Syslog facility configuration is not available in the web interface.
• [6021] When loading a .pem file with a full certificate chain for SSL decryption, an error
will occur if the certificates are not listed in hierarchical order in the .pem file. When the
certificates are ordered correctly the file loads successfully. This only applies to certificate
chains with 3 or more certificates.
• [5671] When an interface is in non-functional mode, link may still occur with neighboring
devices.
• [5359] Panorama: The NTP server settings do not take effect. The date and time must be
set manually.
• [5314] Occasionally when blocking a URL, part of the requested page will appear before
the block page appears.
• [5304] When installing content via the CLI, all management interfaces will block while
the content file is prepared for installation.
• [4635] When deployed between users and an explicit proxy, many applications will be
mis-identified. To work around this, disable the App-ID cache by entering configure mode
in the CLI and entering the following command: set deviceconfig setting appid cache no
• [4271] Domain Local Security Groups are not available for use in security policies.
• [4264] Within ACC the threat count on the front page may differ from the totals on the
sub-pages because the sub-pages include files detected by a File Blocking profile while the
front page does not.
• [3836] It is possible to log in to the system before it is ready. When this happens, you will
need to log in again before you can use the management interface.
• [3809] Committing a configuration with a very large user database will fail.
• [3638] File Blocking will not function unless the threat prevention content is loaded.
• [3454] System Contact and Location as reported by the SNMP agent are incorrect.
• [3309] SNMP agent configuration is not available for in-band management. However, the
agent can be accessed on the out-of-band management port.
• [2813] CLI timeout does not fully close the CLI session. An admin cannot execute commands
after the timeout, but the command history is available, leading to potential unwanted
exposure of previously executed commands.
• [2797] When deploying HA, the devices must be preconfigured to the same virtual system
mode.
• [1961] Losing power during a software upgrade can cause the device to be unusable.
• [1397] Traceroute packets get dropped when attempting to traverse the device through a
NAT configuration.
• [1085] Application dependency warnings appear even if all of the dependent applications
are included in the policy or if the rule is a deny rule. The warnings can be safely ignored
if the requisite applications have been added to the policy.
Known Issues
The following is a list of known unresolved bugs in this release:
• [10557] When SYN cookie protection has been activated for a zone, the system may
return SYN-ACKs to a sender in excess of the maximum configured rate.
• [10493] In tap mode, sessions with a single UDP packet will incorrectly report 0 bytes
transferred.
• [10480] The system does not disallow two simultaneous URL filtering updates. If two
updates are attempted at once, both may fail.
• [10449] URL filtering downloads do not respect the web proxy settings. The system must
be able to contact the update server directly to get a URL filtering update.
• [10170] Exiting the paged display of the show arp all command via the 'q' key can cause
the CLI to become unresponsive if the ARP table is full.
• [10221] Spaces are not allowed in IKE gateway names but the system does not provide a
clear error message or validation to help identify the error.
• [10114] HA devices with very large configurations may both become active
when a configuration change is synchronizing. To avoid this, increase the passive hold
time.
• [9972] The traceroute command does not default to ICMP mode. Use the icmp option
manually when executing the command on the CLI.
• [9962] If the update server is unreachable, a request to check software or licenses will
block other management requests until the request times out.
• [9709] During an upgrade from 1.3.4 to 2.0.0, the web interface may not be able to detect
when the system has rebooted into the new software, and the popup status window may
remain open indefinitely. Closing the window will allow the browser to access the device
once it has rebooted.
• [9220] The file blocking response page will only appear if the file is detected in the first
packet.
• [8609] Requesting a dataplane restart multiple times before the dataplane can restart may
cause the device to stop responding.
• [7877] The configuration log only shows that a commit was successful even when it does
not successfully run to completion. Refer to the commit window messages for accurate
status of the commit action.
• [7495] CLI allows the import of more keys than the system can use.
• [5145] Requesting an App-Scope graph for Source or Destination on a system with a very
large number of sources or destinations can take 5-10 minutes to complete.
• [4250] Deleting more than 110 objects in a single request from the web interface may fail.
If you need to delete more than 110 objects, do it in groups of less than 110.
• [3849] The App-Scope application reports only reflect the data from the first virtual
system.
• [3693] Panorama: Installation of Panorama on VMware Server 1.0.4 fails. This issue is
currently being investigated with VMware. Only versions 1.0.2 and 1.0.3 are currently
supported.
• [2627] When loading SSL certificates via the web interface, the dataplane must be
restarted before they take effect.
• [1985] Using a straight cable between HA2 ports with high traffic load can lead to packet
loss. When connecting HA2, use a crossover Ethernet cable.
• [1382, 1475] Some non-browser based applications that use SSL do not function well
with SSL decryption. If encountered, use an SSL Decryption rule to bypass the decryption
function for these servers.
• [1377] The ACC and Monitor tabs are not available for virtual system administrators.
• [908] LLC SNAP/802.2 packets do not pass through the device.
• [787] When using virtual systems, the validate action validates the entire configuration,
not just the configuration for the current virtual system.
• [688] Due to the dynamic nature of the web interface the browser back button may
sometimes return to a location earlier in the browsing history than the last page viewed.
Related Documentation
The following additional documentation is provided:
• Palo Alto Networks Administrator’s Guide—Detailed guide explaining all features of the
High Definition Firewall and how to configure and use them.
• PAN-OS Command Line Interface Reference Guide—Detailed reference explaining all
CLI commands used to manage the High Definition Firewall.
• PA-4000 Hardware Reference Guide—Detailed reference containing the specifics of the
PA-4000 hardware, including specifications, LED behaviors, and installation procedures.
• Online Help System—Detailed, context-sensitive help system integrated with the High
Definition Firewall’s web interface.
Requesting Support
For technical support, call 1-866-898-9087 or send email to [email protected].
Copyright © 2008, Palo Alto Networks. All rights reserved. PAN-OS, Palo Alto Networks are
either trademarks or trade names of Palo Alto Networks. All other trademarks are the property
of their respective owners.