PAN-OS New Features Guide
Version 6.1

Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-us

About this Guide
This guide describes how to use the new features introduced in PAN-OS 6.1. For additional information, refer to the following resources:
For information on the additional capabilities and for instructions on configuring the features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base and community forums, refer to https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 6.1 release notes, go to https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: [email protected].

Palo Alto Networks, Inc. www.paloaltonetworks.com 2014-2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: July 11, 2016
PAN-OS 6.1 New Features Guide, Palo Alto Networks, Inc.
Table of Contents

Upgrade Your Firewalls to PAN-OS 6.1
  Upgrade/Downgrade Considerations
  Upgrade to PAN-OS 6.1
    Upgrade Firewalls Using Panorama
    Upgrade the Firewall to PAN-OS 6.1
    Upgrade an HA Firewall Pair to PAN-OS 6.1
  Downgrade from PAN-OS 6.1
    Downgrade to a Previous Maintenance Release
    Downgrade to a Previous Feature Release
Management Features
  Authenticated NTP
  App Scope Enhancements
  Security Policy Rulebase Enhancements
    Use the New Rule Types in Policy
    Modify the Default Rules
  Multiple M-100 Appliance Interfaces
  Extended SNMP Support
    SNMP Support for LACP
    SNMP Support for M-100 Appliance Eth1 and Eth2 Interface Statistics
  Configurable Key Size for SSL Forward Proxy Server Certificates
  Default Profile Group and Log Forwarding Settings
    Set Up a Default Security Profile Group
    Set Up a Default Log Forwarding Profile
WildFire Features
  Upgrade the WF-500 Appliance and Enable Windows 7 64-bit Support
  Signature/URL Generation on the WildFire Appliance
    Enable Signature/URL Generation on the WF-500 Appliance
    Configure a Firewall to Retrieve Updates From a WF-500 Appliance
  Content Updates on the WF-500 WildFire Appliance
    Install Content Updates Directly from the Update Server
    Install Content Updates from an SCP-Enabled Server
  WildFire Email Link Analysis
    Configure Email Link Analysis
  Email Header Information in WildFire Logs
  Flash and Office Open XML File Type Support
  WildFire Analysis Report Enhancements
  WildFire XML API Support on the WF-500 Appliance
    Generate API Keys on the WildFire Appliance
    Manage API Keys on the WildFire Appliance
    Use the WildFire API on a WildFire Appliance
URL Filtering Features
  Log HTTP Headers in Web Requests
  Manual Upload of BrightCloud Database
GlobalProtect Features
  Disconnect on Idle
  Disable Browser Access to the Portal Login Page
  Extended SSO Support for GlobalProtect Agents
    Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
    Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
Networking Features
  LACP
  NAT Capacity Enhancements
    Increase in Number of NAT Rules Allowed
    Additional Dataplane NAT Memory Statistics
    Dynamic IP and Port NAT Oversubscription
    Modify the Oversubscription Rate for DIPP NAT
  TCP Session Closing Timers
    TCP Half Closed and TCP Time Wait Timers
    Unverified RST Timer
    Modify Global TCP Wait Timers or Unverified RST Timer
    Modify Application-Level TCP Wait Timers
  Session End Reason Logging
    Session End Reasons
    Display and Filter Session End Reasons
    Configure a Custom Report with Session End Reasons
Virtualization Features
  KVM Support
    System Requirements for VM-Series on KVM
    Options for Attaching the VM-Series on the Network
    Prerequisites for VM-Series on KVM
    Supported Deployments
    Install the VM-Series Firewall on KVM
  Amazon AWS Support
    About the VM-Series Firewall in AWS
    Deployments Supported in AWS
    Deploy the VM-Series Firewall on AWS
    List of Attributes Monitored on the AWS VPC
  VM Information Sources

Upgrade Your Firewalls to PAN-OS 6.1

  Upgrade/Downgrade Considerations
  Upgrade to PAN-OS 6.1
  Downgrade from PAN-OS 6.1

Upgrade/Downgrade Considerations

Table: PAN-OS 6.1 Upgrade/Downgrade Considerations lists the new features that have upgrade and/or downgrade impact. Make sure you understand the changes that will occur in the configuration prior to upgrading to or downgrading from PAN-OS 6.1. For additional information about this release, refer to the Release Notes.

Table: PAN-OS 6.1 Upgrade/Downgrade Considerations

Feature: Configurable Key Size for SSL Forward Proxy Server Certificates
Upgrade Considerations: The default key size for SSL/TLS Forward Proxy Server certificates changes from 1024-bit RSA to Defined by destination host.
Downgrade Considerations: The default key size for the SSL/TLS Forward Proxy Server certificates changes from Defined by destination host to 1024-bit RSA.

Feature: LACP
Downgrade Considerations: Before downgrading, you must disable LACP for any aggregate group that uses it. PAN-OS retains all other aggregate group and interface settings.

Feature: Security Policy Rulebase Enhancements
Upgrade Considerations:
A new Rule Type classification indicates whether a security rule matches intrazone traffic, interzone traffic, or both (called universal).
All existing rules in the rulebase are converted to universal rules.
Default rules are displayed at the end of the security rulebase. By default, the treatment of traffic that does not match any rule in the rulebase is unchanged: intrazone traffic is allowed and interzone traffic is denied. However, you can now override this default behavior.
Downgrade Considerations: The Rule Type is removed from all rules and all intra