
New DNS Security Log Type

Features Introduced in PAN-OS 12.1
This release introduces two key features to enhance network security and visibility.

New DNS Security Log Type:

  • Previously, DNS security events were mixed with threat logs. A new, dedicated log type now provides a separate, more detailed view of all DNS traffic—both malicious and benign.
  • These new logs include comprehensive transaction details, such as query and response information, enabling better threat detection, incident investigation, and retrospective analysis.
  • Logs can be forwarded to external systems and are available in the log viewer and dashboard.

Support for Brotli Decompression:

  • The Content-Based Threat Detection (CTD) engine now supports Brotli, a high-efficiency compression format used for web content.
  • This allows the firewall to decompress and inspect traffic that was previously passed through, protecting against attackers who use Brotli to bypass security.
  • This feature improves threat detection for various security services, including Advanced WildFire, Advanced Threat Prevention, and Advanced URL Filtering. Due to resource requirements, it's available on select platforms.
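
The inspection gap described above, as an added example that is not Palo Alto Networks code and does not represent how the CTD engine is implemented: a content scanner that cannot decode `Content-Encoding: br` never sees the payload, while one that can decode it finds the marker. The `inspect` function, the signature string, and the 1 MiB output cap are assumptions made for illustration.

```javascript
const zlib = require("node:zlib");

// Constructed, harmless marker standing in for a content signature.
const SIGNATURE = Buffer.from("CONSTRUCTED-TEST-MARKER-1234");
// Cap on decompressed size so a tiny body cannot inflate without bound.
const MAX_INFLATED = 1024 * 1024;

// Decoders keyed by Content-Encoding token.
const DECODERS = {
  identity: (b) => b,
  gzip: (b) => zlib.gunzipSync(b, { maxOutputLength: MAX_INFLATED }),
  deflate: (b) => zlib.inflateSync(b, { maxOutputLength: MAX_INFLATED }),
  br: (b) => zlib.brotliDecompressSync(b, { maxOutputLength: MAX_INFLATED }),
};

// Hypothetical inspection step: decode the body if the encoding is
// supported by this engine, then scan the plaintext for the signature.
function inspect(response, supported) {
  const enc = (response.headers["content-encoding"] || "identity").trim().toLowerCase();
  if (!supported.includes(enc) || !DECODERS[enc]) {
    // The body is opaque to the scanner, so it passes without a verdict.
    return { verdict: "uninspected", reason: `unsupported encoding: ${enc}` };
  }
  let plain;
  try {
    plain = DECODERS[enc](response.body);
  } catch (err) {
    // Corrupt stream or output larger than MAX_INFLATED.
    return { verdict: "error", reason: err.code || err.message };
  }
  return { verdict: plain.includes(SIGNATURE) ? "match" : "clean", reason: enc };
}

// Constructed sample responses: one Brotli page carrying the marker,
// one Brotli body that inflates to twice the allowed size.
function demo() {
  const page = Buffer.concat([Buffer.from("<p>filler</p>".repeat(40)), SIGNATURE]);
  const brPage = { headers: { "content-encoding": "br" }, body: zlib.brotliCompressSync(page) };
  const oversized = {
    headers: { "content-encoding": "br" },
    body: zlib.brotliCompressSync(Buffer.alloc(2 * MAX_INFLATED)),
  };
  const all = ["identity", "gzip", "deflate", "br"];
  return {
    withoutBrotli: inspect(brPage, ["identity", "gzip", "deflate"]),
    withBrotli: inspect(brPage, all),
    oversized: inspect(oversized, all),
  };
}

console.log(demo());
```

The `oversized` case shows why a decompressing inspector needs an output limit: the resource cost of inflating attacker-controlled bodies is consistent with the feature being restricted to select platforms.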

Telemetry Autoenablement

  • Telemetry is now automatically enabled on device onboarding and configured to stream data to the correct region. This eliminates manual setup and simplifies management through Strata Cloud Manager, offering faster support and real-time performance insights.

Quantum Key Distribution

  • This feature allows your firewall to use quantum-safe cryptography for IPsec VPN connections, protecting against advanced threats like "Harvest Now, Decrypt Later" attacks. It is ideal for industries handling sensitive data.

Security Enhancements

  • PAN-OS now uses Integrity Measurement Architecture (IMA) to protect against sophisticated attacks. IMA only allows cryptographically signed binaries to execute, preventing malware and file tampering. You can configure the system to either log violations or reboot to maintenance mode for investigation.

Device Security Settings

  • This feature gives you control over how your firewall responds to system-level security violations. You can configure the system to either continue running or automatically enter a maintenance mode to contain potential compromises.

Plugin Bundling

  • The new Plugin Bundling feature automates plugin management by including compatible plugins directly with the base image during an upgrade. This eliminates manual downloads, prevents version mismatches, and ensures a seamless, conflict-free update process.

Upgrade Checks

  • This feature helps you prepare for upgrades by generating reports on critical issues like disk space and license validation. After an upgrade, you can create a comparison report to verify functionality, which helps reduce failures and minimize downtime, especially in large deployments.

Zero Touch Provisioning Over Cellular

  • ZTP over Cellular enables the automated deployment and configuration of firewalls in remote locations using cellular interfaces. This streamlines setups, reduces operational costs, and ensures a consistent management experience for distributed networks or sites with limited wired connectivity.

DNS Rewrite with Condition Check

  • This feature allows for granular control over DNS address translation. You can now configure DNS rewrite to apply only to specific clients based on source zone or address, rather than globally. This is useful for environments with diverse user groups that require different DNS resolution behaviors.

GRE Tunnel over a Cellular Interface

  • You can now establish GRE tunnels using cellular connections on NGFWs. This is especially useful for securely connecting remote IoT devices and extending routing infrastructure in locations without traditional wired connectivity, offering flexibility for dynamic IP addresses in mobile environments.

PA-5450 Firewall Support for Secure Web Gateway

  • The PA-5450 firewall now supports the Secure Web Gateway (SWG) feature. This leverages the PA-5450's high-performance, multi-CPU architecture to provide improved performance and scalability for high-traffic proxy solutions in large enterprises and data centers.

IPv6 Geolocation Support

  • This update adds IPv6 support for IP geolocation, providing visibility and control in dual-stack and IPv6-only environments. It simplifies policy management by allowing you to enforce consistent security policies across both IPv4 and IPv6 networks using a single global switch.

Enhanced Application Logs for ICMPv6

  • PAN-OS now uses deep packet inspection to generate enhanced application logs from ICMPv6 neighbor discovery protocol (NDP) packets. This allows for better device learning and supports Advanced Device-ID for IPv6 deployments.

Enhanced Packet Capture with Support for Range Filters

  • You can now use range filters when taking custom packet captures (PCAPs). This new capability simplifies troubleshooting by allowing you to capture packets based on a range of IP addresses, ports, or protocols, even when the exact values are unknown.

Log Collector Scaling Optimization

  • To address performance bottlenecks in large-scale log collection environments, the Log Collector now optimizes the master node selection process. With Log Collector Scaling, you can explicitly select master-eligible nodes. Select a maximum of four Log Collectors per Collector Group for best performance.
    Previously, all Log Collectors within a Collector Group were eligible to become the master node. When the active master failed, the system would dynamically elect a new one. This election process involved continuous communication among numerous nodes, creating significant overhead, particularly in larger deployments. By reducing the number of potential master nodes, you can now achieve a higher logging rate.
    Log Collector scaling supports all platforms, allowing a significantly higher logging rate. With a Collector Group utilizing up to 16 M-700 appliances, you can now scale log ingestion rates to over 1 million logs per second (lps). This level of scaling is currently supported only on M-700 appliances.
    You can designate specific Log Collectors as master-eligible nodes based on strategic criteria such as hardware capacity, network resiliency, or geographic distribution to optimize your logging architecture.
    You can configure master-eligible nodes through either the Panorama web interface or the command-line interface. When implementing this feature, consider selecting nodes with the best hardware specifications, network connectivity, and geographic placement to ensure optimal performance and availability. This approach provides more predictable behavior during failover scenarios and more efficient resource utilization across your Collector Group. By strategically designating your master-eligible nodes, you can create a more resilient logging infrastructure that maintains high performance even under demanding conditions.

Enhanced Shared Optimization

Introduced in PAN-OS 12.1.2

  • The Enhanced Shared Optimization feature now significantly improves how Panorama pushes configurations to multi-vsys firewalls, resolving critical challenges like object duplication, memory exhaustion, and commit failures.
    The feature introduces the Full optimization mode, which lets you move all firewall objects into the shared location of the firewall. This includes the previously excluded objects, such as external dynamic lists (EDLs), Custom URL categories, and various Security Profiles, such as antivirus, antispyware, URL Filtering, and HIP objects. This eliminates object replication across individual virtual systems. It drastically reduces configuration size in typical deployments and prevents commit failures caused by exceeding object limits.
    This enhancement streamlines management, increases scalability, and prevents deployments from hitting object limits.
Version: PAN-OS 12.1