How the New PAN-OS 7.1 Release Benefits Government Organizations


We’ve just announced the newest release of our operating system, PAN-OS 7.1. You can read all of the details about this new release but, for our government customers, I wanted to highlight a few particular things that you have been talking about and deploying.

1. Extending Our VM-Series Private Cloud Support to Hyper-V and Azure

Our government customers are using a breadth of hypervisors within their virtualized data centers, or private clouds. With the release of PAN-OS 7.1, we extend our cloud support to include all major virtualization environments, including VMware, KVM/OpenStack, Amazon Web Services (AWS) and Microsoft with our VM-Series. In fact, a large Western military organization recently chose one of these hypervisor environments for its network, taking full advantage of Palo Alto Networks support for Hyper-V. Other large Western civilian governments have chosen Palo Alto Networks to secure their Microsoft Azure environments.

2. Full Visibility for PFS/SSL Encrypted Communications

Are you thinking about the many encrypted communications that could bring threats into your environments? Hopefully by now you’ve got a plan to decrypt those communications with our onboard SSL decryption (you can read more about how we support SSL decryption for governments in our Uncover SSL-Encrypted Attacks in Government Networks white paper). With this new release, we’re providing PFS/SSL decryption for ECDSA for SSL Forward Proxy. For U.S. and U.K. government customers, this adds yet another capability to the many we support for Suite B crypto ciphers.

3. Five-Minute Signatures and Dynamic Blocking for Highly Targeted Government Networks

The rate at which our government networks are attacked is staggering. So government agencies appreciate that Palo Alto Networks already highly automates the prevention of threats across their networks. Civilian agencies and military services tell us every day how better-protected they are when they turn on their Palo Alto Networks Next-Generation Security Platform. With PAN-OS 7.1, we’ve further reduced the time WildFire takes to identify and prevent zero-day threats to five minutes. In addition, WildFire can analyze Mac OS binaries, so malware that targets Apple products can be prevented. And newly discovered phishing websites are now categorized within 30 minutes. WildFire analyzes email links for indicators of phishing, such as spoofed URLs and credential-seeking form fields, and updates PAN-DB within 30 minutes. For URLs and DNS, we’ve added more block lists. In addition to the block lists based on IP addresses, you can now have URL and DNS block lists.

Note that if you’re attending Ignite 2016, we hope you’ll be participating in Cyber Range. Cyber Range participants will get real, hands-on experience with WildFire as the teams compete to mitigate actual single-vector and multi-vector attacks. If you didn’t get a seat at Cyber Range this year, don’t worry. Ignite 2016 attendees can still observe the teams as they compete to see who can prevent threats the fastest.

4. Deploying on Ships, Tanks, and Elsewhere? Offline NSX Registration

There are numerous examples of how Palo Alto Networks platforms are supporting these tactical deployments. With this release, you can now complete NSX registration offline, which our customers told us is important for their tactical environments.

5. Consolidating Your Insights on IOCs: Consolidated Log Viewer

And speaking of all of those threats hitting government networks today, we’ve consolidated threat, traffic and WildFire logs for you into a single view. We hope you’re already using AutoFocus for your threat intelligence analysis. Now you can query from within AutoFocus across all of our threat insights to simplify the task of tracking an IOC or IP address. You also can query all of your appliances across the network for potential artifacts.

6. Certifications for Government: FIPS 140 and Common Criteria

With PAN-OS 7.1, our government customers are getting FIPS-140 certifications for Panorama, Log Collector and Offline PAN-DB. You’ll also appreciate our compliance with the VPN Gateway Extended Package and the IPsec VPN Gateway Security Characteristics. Finally, for those U.S. agencies having to comply with the DISA Security Technical Implementation Guides (STIGs) for information assurance, you’re getting last login time, last unsuccessful login, accept login banner verification, and classification banners.

Want to learn more? We hope to see you at Ignite 2016, where you’ll learn more about all of these new features in PAN-OS 7.1. But don’t worry if you can’t make it. If you’re a U.S. government agency, we’ll see you at our annual Federal Forum in Washington, D.C. This year’s Federal Forum will be held July 16 at the Newseum. See you there!

For more information, please visit our Technical Documentation page or any of the following resources:

[Palo Alto Networks Research Center]

Leave a Reply