5 Networking Features to Check Out in PAN-OS 7.0

You asked for networking features, and we listened! Here are the top five networking features that we think have the biggest impact in PAN-OS 7.0.

ECMP

The firewall now supports Equal Cost Multipath (ECMP). With ECMP enabled, the forwarding table can have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.

Read more about ECMP in the PAN-OS® New Features Guide Version 7.0.

DHCP Option Support

A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DCHP option support enabled on the firewall, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.

Read more about DHCP Options in the PAN-OS® New Features Guide Version 7.0.

Granular Options when Blocking Traffic in Security Policies

When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. Therefore, we now have new actions to gracefully block traffic and provide a better user experience.

Read more about Granular Actions for Blocking Traffic in Security Policy in the PAN-OS® New Features Guide Version 7.0.

QoS on Aggregate Interfaces

You can now enable QoS on AE interfaces configured on PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface. Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.0.

Read more about Quality of Service in the PAN-OS® Administrator’s Guide Version 7.0.

IKEv2

Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2), in addition to IKEv1. (GlobalProtect Client is not included in this feature support.) IKEv2:

• Exchanges fewer messages than IKEv1 when setting up the tunnel endpoints.
• Can negotiate multiple sets of traffic selectors to control which traffic can access the tunnel.
• Provides a liveness check to determine if a peer gateway and tunnel are still up.
• Supports NAT Traversal.
• Supports the Hash and URL certificate exchange, which reduces fragmentation and the potential for IKE to incur DoS attacks.
• Supports cookie validation of a connection if a threshold number of concurrent IKE SA sessions is exceeded, reducing the potential for DoS attacks.

Read more about IKEv2 in the PAN-OS® New Features Guide Version 7.0.

Can’t Get Enough of PAN-OS 7.0?

Check out the PAN-OS® 7.0 Release Notes and PAN-OS® Administrator’s Guide Version 7.0on the Technical Documentation Site, or select the 7.0 facet (under OS Version) on theDocument Search page!

Happy reading!
Your friendly Technical Publications team

[Palo Alto Networks Blog]