PAN-OS® New Features Guide Version 6.1

Mar 15, 2018

  • PAN-OS New Features Guide

    Version 6.1

  • Contact Information

    Corporate Headquarters:

    Palo Alto Networks

    4401 Great America Parkway

    Santa Clara, CA 95054

    https://www.paloaltonetworks.com/company/contact-us

    About this Guide

    This guide describes how to use the new features introduced in PAN-OS 6.1. For additional information, refer to the following resources:

    For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.

    For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.

    For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

    For the most current PAN-OS and Panorama 6.1 release notes, go to https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os-release-notes.html.

    To provide feedback on the documentation, please write to us at: [email protected].

    Palo Alto Networks, Inc. www.paloaltonetworks.com © 2014-2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

    Revision Date: July 11, 2016


  • Table of Contents

    Upgrade Your Firewalls to PAN-OS 6.1
        Upgrade/Downgrade Considerations
        Upgrade to PAN-OS 6.1
            Upgrade Firewalls Using Panorama
            Upgrade the Firewall to PAN-OS 6.1
            Upgrade an HA Firewall Pair to PAN-OS 6.1
        Downgrade from PAN-OS 6.1
            Downgrade to a Previous Maintenance Release
            Downgrade to a Previous Feature Release

    Management Features
        Authenticated NTP
        App Scope Enhancements
        Security Policy Rulebase Enhancements
            Use the New Rule Types in Policy
            Modify the Default Rules
        Multiple M-100 Appliance Interfaces
        Extended SNMP Support
            SNMP Support for LACP
            SNMP Support for M-100 Appliance Eth1 and Eth2 Interface Statistics
        Configurable Key Size for SSL Forward Proxy Server Certificates
        Default Profile Group and Log Forwarding Settings
            Set Up a Default Security Profile Group
            Set Up a Default Log Forwarding Profile

    WildFire Features
        Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
        Signature/URL Generation on the WildFire Appliance
            Enable Signature/URL Generation on the WF-500 Appliance
            Configure a Firewall to Retrieve Updates From a WF-500 Appliance
        Content Updates on the WF-500 WildFire Appliance
            Install Content Updates Directly from the Update Server
            Install Content Updates from an SCP-Enabled Server
        WildFire Email Link Analysis
            Configure Email Link Analysis
        Email Header Information in WildFire Logs
        Flash and Office Open XML File Type Support
        WildFire Analysis Report Enhancements
        WildFire XML API Support on the WF-500 Appliance
            Generate API Keys on the WildFire Appliance
            Manage API Keys on the WildFire Appliance
            Use the WildFire API on a WildFire Appliance

    URL Filtering Features
        Log HTTP Headers in Web Requests
        Manual Upload of BrightCloud Database

    GlobalProtect Features
        Disconnect on Idle
        Disable Browser Access to the Portal Login Page
        Extended SSO Support for GlobalProtect Agents
            Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
            Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

    Networking Features
        LACP
        NAT Capacity Enhancements
            Increase in Number of NAT Rules Allowed
            Additional Dataplane NAT Memory Statistics
            Dynamic IP and Port NAT Oversubscription
            Modify the Oversubscription Rate for DIPP NAT
        TCP Session Closing Timers
            TCP Half Closed and TCP Time Wait Timers
            Unverified RST Timer
            Modify Global TCP Wait Timers or Unverified RST Timer
            Modify Application-Level TCP Wait Timers
        Session End Reason Logging
            Session End Reasons
            Display and Filter Session End Reasons
            Configure a Custom Report with Session End Reasons

    Virtualization Features
        KVM Support
            System Requirements for VM-Series on KVM
            Options for Attaching the VM-Series on the Network
            Prerequisites for VM-Series on KVM
            Supported Deployments
            Install the VM-Series Firewall on KVM
        Amazon AWS Support
            About the VM-Series Firewall in AWS
            Deployments Supported in AWS
            Deploy the VM-Series Firewall on AWS
            List of Attributes Monitored on the AWS VPC
        VM Information Sources

  • Upgrade Your Firewalls to PAN-OS 6.1

    Upgrade/Downgrade Considerations

    Upgrade to PAN-OS 6.1

    Downgrade from PAN-OS 6.1


  • Upgrade/Downgrade Considerations

    Table: PAN-OS 6.1 Upgrade/Downgrade Considerations lists the new features that have upgrade and/or downgrade impact. Make sure you understand the changes that will occur in the configuration prior to upgrading to or downgrading from PAN-OS 6.1. For additional information about this release, refer to the Release Notes.

    Table: PAN-OS 6.1 Upgrade/Downgrade Considerations

    Feature: Configurable Key Size for SSL Forward Proxy Server Certificates

    Upgrade Considerations: The default key size for SSL/TLS Forward Proxy Server certificates changes from 1024-bit RSA to Defined by destination host.

    Downgrade Considerations: The default key size for the SSL/TLS Forward Proxy Server certificates changes from Defined by destination host to 1024-bit RSA.

    Feature: LACP

    Downgrade Considerations: Before downgrading, you must disable LACP for any aggregate group that uses it. PAN-OS retains all other aggregate group and interface settings.

    Feature: Security Policy Rulebase Enhancements

    Upgrade Considerations: A new Rule Type classification indicates whether a security rule matches intrazone traffic, interzone traffic, or both (called universal).

    All existing rules in the rulebase are converted to universal rules.

    Default rules are displayed at the end of the security rulebase. By default, the treatment of traffic that does not match any rule in the rulebase is unchanged: intrazone traffic is allowed and interzone traffic is denied. However, you can now override this default behavior.

    Downgrade Considerations: The Rule Type is removed from all rules and all intra