You asked for networking features, and we listened! Here are the top five networking features that we think have the biggest impact in PAN-OS 7.0.
Equal Cost Multipath (ECMP)
The firewall now supports Equal Cost Multipath (ECMP). With ECMP enabled, the forwarding table can have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.
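To make the path-selection behaviour concrete, here is an added simulation of a four-member ECMP route (example code written for this post, not PAN-OS code). It models two of the load-balancing styles the post refers to, IP-hash and round-robin, and shows why IP-hash keeps a session on one member while a failed member is dropped from selection. The prefixes, next-hop addresses and flows are constructed sample values, and the exact hash PAN-OS uses is not documented here, so SHA-256 over the address pair stands in for it.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class EcmpMember:
    """One equal-cost next hop in the forwarding table."""
    next_hop: str
    up: bool = True


class EcmpRoute:
    """A destination prefix with up to four equal-cost next hops (the 7.0 limit named in the post)."""

    MAX_MEMBERS = 4

    def __init__(self, prefix, next_hops):
        if not 1 <= len(next_hops) <= self.MAX_MEMBERS:
            raise ValueError(f"ECMP supports 1..{self.MAX_MEMBERS} members, got {len(next_hops)}")
        self.prefix = prefix
        self.members = [EcmpMember(nh) for nh in next_hops]
        self._rr_index = 0

    def active_members(self):
        """Members whose link is up; a failed member is skipped so its traffic shifts to the others."""
        active = [m for m in self.members if m.up]
        if not active:
            raise RuntimeError(f"no ECMP member up for {self.prefix}")
        return active

    def set_member_state(self, next_hop, up):
        """Mark a member up or down (what a link failure or path monitor would do)."""
        for m in self.members:
            if m.next_hop == next_hop:
                m.up = up
                return
        raise KeyError(next_hop)

    def select_ip_hash(self, src_ip, dst_ip):
        """IP-hash: the same src/dst pair always maps to the same member, so one session keeps one path.
        SHA-256 is an assumed stand-in for the firewall's real hash."""
        active = self.active_members()
        digest = hashlib.sha256(f"{src_ip}->{dst_ip}".encode()).digest()
        return active[int.from_bytes(digest[:4], "big") % len(active)].next_hop

    def select_round_robin(self):
        """Round-robin: successive new sessions rotate across the currently active members."""
        active = self.active_members()
        member = active[self._rr_index % len(active)]
        self._rr_index += 1
        return member.next_hop

    def distribution(self, flows):
        """Count how many of the given (src, dst) flows each active member receives under IP-hash."""
        counts = {m.next_hop: 0 for m in self.active_members()}
        for src, dst in flows:
            counts[self.select_ip_hash(src, dst)] += 1
        return counts


def sample_flows(n):
    """Constructed sample: n flows from distinct hosts in 10.1.0.0/16 to one server (not captured data)."""
    return [(f"10.1.{i // 256}.{i % 256}", "203.0.113.10") for i in range(1, n + 1)]


if __name__ == "__main__":
    route = EcmpRoute("203.0.113.0/24", ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"])
    print("all members up:      ", route.distribution(sample_flows(400)))
    route.set_member_state("192.0.2.3", up=False)
    print("after one member fails:", route.distribution(sample_flows(400)))
```

Running it shows the flows spread across all four next hops, then re-spread across the remaining three once one member is marked down; flows that hashed to a surviving member keep their path, which is the property that matters for stateful sessions.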
DHCP Option Support
A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DHCP option support enabled on the firewall, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.
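The three value types the post lists (IP addresses, ASCII text, hexadecimal) all end up on the wire as the same code/length/payload encoding from RFC 2132. The following added example (not Palo Alto Networks code) builds and parses a DHCP options field from those value types, and enforces the two limits that bite in practice: the single length octet caps one option occurrence at 255 bytes, and a truncated option must be rejected rather than read past the buffer. The option codes used are standard ones (6 DNS servers, 43 vendor-specific, 66 TFTP server name); the addresses, vendor bytes and host name are constructed sample values.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132: marks the start of the options field
OPT_PAD, OPT_END = 0, 255


def encode_value(value):
    """One option value: an IPv4 address, ASCII text, or a raw hex value supplied as bytes."""
    if isinstance(value, IPv4Address):
        return value.packed
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("ascii")  # non-ASCII text raises rather than being silently mangled
    raise TypeError(f"unsupported DHCP option value type: {type(value).__name__}")


def encode_option(code, values):
    """Encode one option as code | length | concatenated values (multiple values per code)."""
    if not 0 < code < 255:
        raise ValueError("option codes 1..254 carry a length octet; 0 and 255 are PAD and END")
    payload = b"".join(encode_value(v) for v in values)
    if len(payload) > 255:
        raise ValueError(f"option {code} payload is {len(payload)} bytes; one length octet allows 255")
    return bytes([code, len(payload)]) + payload


def build_options_field(options):
    """Assemble magic cookie + options + END, as a DHCP server would place them in an offer/ack."""
    out = bytearray(MAGIC_COOKIE)
    for code, values in options:
        out += encode_option(code, values)
    out.append(OPT_END)
    return bytes(out)


def parse_options_field(blob):
    """Walk the TLV list back into {code: payload}, concatenating repeated codes (RFC 3396),
    skipping PAD, stopping at END and refusing truncated data."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("options field does not start with the DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} claims {length} bytes but only {len(payload)} remain")
        opts[code] = opts.get(code, b"") + payload
        i += 2 + length
    raise ValueError("options field has no END option")


# Constructed sample: two DNS servers, a vendor-specific blob for a phone, and a TFTP server name.
SAMPLE_OPTIONS = [
    (6, [IPv4Address("10.0.0.2"), IPv4Address("10.0.0.3")]),
    (43, [bytes.fromhex("010401020304")]),
    (66, ["tftp.example.com"]),
]

if __name__ == "__main__":
    blob = build_options_field(SAMPLE_OPTIONS)
    print(blob.hex())
    for code, payload in parse_options_field(blob).items():
        print(code, payload.hex())
```

A server that needs more than 255 bytes for one option must split it across repeated occurrences of the same code, which is why the parser concatenates rather than overwrites when a code repeats.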
Granular Options when Blocking Traffic in Security Policies
When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. Therefore, we now have new actions to gracefully block traffic and provide a better user experience.
Read more about Granular Actions for Blocking Traffic in Security Policy in the PAN-OS® New Features Guide Version 7.0.
QoS on Aggregate Interfaces
You can now enable QoS on AE interfaces configured on PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface. Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.0.
IKEv2 Support for Site-to-Site VPN
Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2), in addition to IKEv1. (GlobalProtect Client is not included in this feature support.) IKEv2:
- Exchanges fewer messages than IKEv1 when setting up the tunnel endpoints.
- Can negotiate multiple sets of traffic selectors to control which traffic can access the tunnel.
- Provides a liveness check to determine if a peer gateway and tunnel are still up.
- Supports NAT Traversal.
- Supports the Hash and URL certificate exchange, which reduces fragmentation and the potential for IKE to incur DoS attacks.
- Supports cookie validation of a connection if a threshold number of concurrent IKE SA sessions is exceeded, reducing the potential for DoS attacks.
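The last bullet describes the IKEv2 cookie exchange from RFC 7296 section 2.6: once too many IKE SAs are half-open, the responder stops allocating state for new IKE_SA_INIT requests and instead returns a cookie that the initiator must echo, proving it can receive at its claimed source address. The added example below (written for this post, not PAN-OS or a real IKE implementation) models the responder side with the cookie construction the RFC suggests, VersionIDofSecret | Hash(Ni | IPi | SPIi | secret), using HMAC-SHA-256 as an assumed hash and a rotating secret so cookies issued just before rotation still validate. The threshold, nonces, addresses and SPIs are constructed sample values.

```python
import hashlib
import hmac
import os


class IkeCookieResponder:
    """Responder-side IKE_SA_INIT handling with the stateless cookie challenge of RFC 7296 2.6.

    Below the half-open threshold, requests are accepted directly. Above it, the responder
    keeps no per-initiator state: it returns a cookie computed from the request and a local
    secret, and only a request that echoes a valid cookie is allowed to create a half-open SA.
    """

    COOKIE_MAC_LEN = 16

    def __init__(self, half_open_threshold, secret=None):
        self.threshold = half_open_threshold
        self.half_open = 0
        self.version = 0  # VersionIDofSecret, one byte
        self.secrets = {0: secret or os.urandom(32)}  # version -> secret

    def rotate_secret(self):
        """Issue a new secret but keep the previous one so in-flight cookies still validate."""
        old_version = self.version
        self.version = (old_version + 1) & 0xFF
        self.secrets = {self.version: os.urandom(32), old_version: self.secrets[old_version]}

    def _mac(self, version, nonce_i, ip_i, spi_i):
        # Hash(Ni | IPi | SPIi | secret); HMAC-SHA-256 truncated to 16 bytes is an assumed choice.
        msg = nonce_i + ip_i.encode("ascii") + spi_i
        return hmac.new(self.secrets[version], msg, hashlib.sha256).digest()[: self.COOKIE_MAC_LEN]

    def make_cookie(self, nonce_i, ip_i, spi_i):
        return bytes([self.version]) + self._mac(self.version, nonce_i, ip_i, spi_i)

    def verify_cookie(self, cookie, nonce_i, ip_i, spi_i):
        """Valid only if bound to the same nonce, address and SPI and signed with a live secret."""
        if len(cookie) != 1 + self.COOKIE_MAC_LEN:
            return False
        secret_version = cookie[0]
        if secret_version not in self.secrets:
            return False  # issued under a secret that has already aged out
        expected = self._mac(secret_version, nonce_i, ip_i, spi_i)
        return hmac.compare_digest(cookie[1:], expected)

    def handle_sa_init(self, nonce_i, ip_i, spi_i, cookie=None):
        """Process one IKE_SA_INIT request.

        Returns ("accept", None) when a half-open SA is created, or ("cookie", cookie) when the
        responder answers with a COOKIE notification and discards the request without state.
        """
        if self.half_open < self.threshold:
            self.half_open += 1
            return "accept", None
        if cookie is not None and self.verify_cookie(cookie, nonce_i, ip_i, spi_i):
            self.half_open += 1
            return "accept", None
        return "cookie", self.make_cookie(nonce_i, ip_i, spi_i)

    def sa_completed(self):
        """Called when a half-open SA finishes or times out, releasing its slot."""
        self.half_open = max(0, self.half_open - 1)


if __name__ == "__main__":
    # Constructed sample exchange: two peers fill the threshold, a third is challenged and retries.
    responder = IkeCookieResponder(half_open_threshold=2)
    nonce, addr, spi = os.urandom(32), "198.51.100.7", os.urandom(8)
    print(responder.handle_sa_init(os.urandom(32), "198.51.100.5", os.urandom(8))[0])
    print(responder.handle_sa_init(os.urandom(32), "198.51.100.6", os.urandom(8))[0])
    status, cookie = responder.handle_sa_init(nonce, addr, spi)
    print(status, cookie.hex())
    print(responder.handle_sa_init(nonce, addr, spi, cookie=cookie)[0])
```

The cost of the challenge is one MAC per packet with no memory allocation, which is the whole point: a spoofed flood cannot exhaust the half-open SA table, and a cookie cannot be reused by a different source address or nonce because those are bound into the MAC.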
Can’t Get Enough of PAN-OS 7.0?
Your friendly Technical Publications team
[Palo Alto Networks Blog]