10.2
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2021–2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective
companies.
Last Revised
June 6, 2022
PAN-OS ® New Features Guide Version 10.2 2 ©2022 Palo Alto Networks, Inc.
Table of Contents
Panorama Features
    Administrator-Level Push
    Automatic Content Push for VM-Series and CN-Series Firewalls
    Log Collector Health Monitoring on Panorama
Management Features
    AIOps for NGFW
    Selective Commit of Configuration Changes
    Simplified Software Upgrade
Networking Features
    Advanced Routing Engine
    IPv4 Multicast for Advanced Routing Engine
Policy Features
    Security Policy Rule Top-Down Order When Wildcard Masks Overlap
Decryption Features
    Multiple Certificate Support for SSL Inbound Inspection
Virtualization Features
    CN-Series Firewall as a Kubernetes CNF
    High Availability Support for CN-Series Firewall as a Kubernetes CNF
    High Availability Support for CN-Series Firewall on AWS EKS
    DPDK Support for CN-Series Firewall
Panorama Features
> Administrator-Level Push
> Automatic Content Push for VM-Series and CN-Series Firewalls
> Log Collector Health Monitoring on Panorama
Administrator-Level Push
PAN-OS 10.2 enables Panorama administrators to push just their own configuration changes to
managed firewalls. Additionally, a Panorama administrator can specify one or more Panorama
administrators with committed configuration changes to include in the push. Leveraging an
administrator-level push to managed firewalls reduces the risk of pushing incomplete device
group and template configurations to managed firewalls by allowing you to explicitly exclude
incomplete configuration changes when you push to managed firewalls. This helps mitigate and
avoid potential outages and configuration related issues that could cause network disruptions.
For multi-vsys managed firewalls running PAN-OS 10.2, configurations in the Shared device group
are now pushed to a Shared configuration context for all virtual systems rather than duplicating
the shared configuration to each virtual system. This reduces the operational burden of scaling
configurations for multi-vsys firewalls.
STEP 1 | Log in to the Panorama web interface.
STEP 2 | After you upgrade to PAN-OS 10.2, Commit and Push to Devices the entire Panorama
managed configuration to your managed firewalls.
This is required to utilize the administrator-level push and leverage the improved shared
configuration object management for multi-vsys firewalls managed by Panorama.
STEP 3 | (Optional) Create a custom Panorama admin role to allow the Panorama administrator to
push configuration changes for other admins.
The default Superuser or Panorama admin role privileges support full object level configuration
privileges.
1. Select Panorama > Admin Roles and Add a new admin role.
2. Enter a descriptive Name for the admin role.
3. Select the Panorama admin role.
4. Select Web UI and navigate to the Commit privileges.
5. Configure the object level configuration privileges as needed.
All object level configuration privileges are enabled by default.
• Push All Changes—Allows the administrator to push all changes made by all admins.
• Push For Other Admins—Allows the administrator to select and push configuration
changes made by other administrators.
• Object Level Changes—Allows the administrator to view individual configuration
objects to push. If disabled, the list of configuration objects is not displayed in the
Push Scope.
6. Click OK.
7. Configure a Panorama administrator and select the Admin Role you created.
8. Commit and Commit to Panorama.
STEP 4 | Perform device group and template stack configuration changes and Commit > Commit to
Panorama.
See Selective Commit of Configuration Changes to make object-level selections to commit.
VM-Series firewalls deployed on NSX and hardware firewalls are not supported.
STEP 3 | Configure Panorama to automatically push the latest dynamic content updates to VM-Series
and CN-Series firewalls on first connection.
This step assumes you have already configured a template stack for your VM-Series and CN-
Series firewall configuration.
1. Select Panorama > Templates and click the template stack that contains the VM-Series
and CN-Series firewall configuration.
2. Check (enable) Automatically push content when software device registers to
Panorama.
3. Click OK.
to automatically push the dynamic content updates installed on Panorama to the firewalls on
first connection.
Panorama does not push the installed dynamic content updates if the VM-Series or CN-Series
firewall is not assigned to a Template Stack prior to first connection.
STEP 2 | Select Panorama > Managed Collectors and navigate to the Health column.
STEP 4 | View the Health Status details to view the health status of each log collection process.
• logd—Process responsible for ingesting logs received from the managed firewall and for
transferring ingested logs to the vldmgr.
• vldmgr—Process responsible for managing the vld processes.
• vlds—Process responsible for managing individual logging disks, writing logs to the logging
disks, and ingesting logs into ElasticSearch.
• es—ElasticSearch process running on the Log Collector.
IoT Security Features
> Simplified IoT Security Onboarding
> Data Collection for IoT Security
To use this workflow, you must have already configured Security policy rules, enabled
logging on the rules, and enabled logging services with enhanced application logging.
STEP 1 | Apply a Log Forwarding profile for IoT Security to Security policy rules.
1. Log in to your next-generation firewall, select Policies > Log Forwarding for Security
Services in the Policy Optimizer section.
2. To view all your Security policy rules—including those with a Log Forwarding profile and
those without it—choose All for Log Forwarding Profile.
3. Select the rules for which you want to forward logs to the logging service and Attach Log
Forwarding Profile.
4. To apply the default Log Forwarding profile to your rules, choose IoT Security Default
Profile - EAL Enabled and then OK.
The default profile is preconfigured to provide IoT Security with all the log types it requires,
including enhanced application logs (EALs).
You don’t have to select Enable Enhanced IoT Logging because enhanced
application logging (EAL) is already enabled on IoT Security Default Profile.
or
To add the forwarding of EALs to an existing Log Forwarding profile that doesn’t already
have it, choose it from the Log Forwarding Profile list, select Enable Enhanced IoT Logging,
and then OK.
When you select Enable Enhanced IoT Logging, PAN-OS updates the chosen Log
Forwarding profile itself and thereby enables enhanced log forwarding on all rules
that use the same Log Forwarding profile.
PAN-OS adds the chosen Log Forwarding profile to those rules that don’t already have one
and replaces previously assigned profiles with this one.
You can use this feature for any deployments where traffic from remote switches needs to
be inspected. IoT Security is just one use case.
This feature requires switches that support ERSPAN such as Catalyst 6500, 7600, Nexus,
and ASR 1000 platforms.
STEP 1 | Configure a switch that supports ERSPAN to mirror traffic on one or more source ports or
VLANs, and forward it through a GRE tunnel to a destination port on a next-generation
firewall.
For configuration instructions, see the Cisco documentation for your switch.
The ERSPAN Support check box in the Session Settings section is now selected.
STEP 4 | Create a Layer 3 security zone specifically to terminate the GRE tunnel and receive mirrored
IoT device traffic from the source port on the network switch.
1. Select Network > Zones and Add a zone.
2. Enter the following and leave the other settings at their default values:
Name: Enter a meaningful name for the zone such as ERSPAN-IoT-data.
Log Setting: Select IoT Security Default Profile or another log forwarding profile that sends
the required types of logs to the logging service for IoT Security.
Type: Layer3
3. Click OK.
STEP 5 | Create a Layer 3 interface and bind it to the zone you just created.
1. Select Network > Interfaces > Ethernet and then click the Ethernet interface on which you
want to terminate the GRE tunnel from the switch. Optionally, use a subinterface.
2. Enter the following and leave the other settings at their default values:
Comment: Enter a meaningful note about the interface for later reference.
Interface Type: Layer3
Virtual Router: Choose the virtual router you want to route to the interface. Consider using
a separate virtual router exclusively for ERSPAN traffic.
Security Zone: Choose the zone you just created.
3. Click IPv4, select Static for the address type, and Add an IP address for the interface.
The switch uses this in its GRE tunnel configuration as the IP address of its peer.
4. Click Advanced and either add a New Management Profile or select a previously defined
profile that allows the Ethernet interface to accept different types of administrative traffic.
5. Click OK to save the new interface management profile and then click OK again to save the
Ethernet interface configuration.
STEP 6 | Create a tunnel interface with an IP address in the same subnet as that of the corresponding
tunnel interface on the switch and bind it to the zone you just created.
1. Select Network > Interfaces > Tunnel and Add the logical tunnel interface for the GRE
tunnel from the switch.
2. Enter the following and leave the other settings at their default values:
Interface Name: The field on the left is read-only and contains the text “tunnel”. Enter a
number in the field on the right to complete the name. For example, enter 8 to make the
name tunnel.8.
Virtual Router: Choose the same router you used for the Layer 3 interface.
Security Zone: Choose the same zone to which you bound the Layer 3 interface.
3. Click IPv4 and Add an IP address that’s in the same subnet as the IP address of the logical
tunnel interface on the switch.
4. Click Advanced and either add a New Management Profile, or select a previously defined
profile, to allow the tunnel interface to accept different types of administrative traffic.
5. Click OK.
STEP 7 | Configure static routes for the virtual router (VR) for ERSPAN.
1. Select Network > Virtual Routers and click the virtual router for ERSPAN.
2. Click Static Routes and then click + Add.
3. Enter the following and leave the other settings at their default values:
Name: Enter a name for the static route.
Destination: 0.0.0.0/0
If you know the subnets beyond the switch, create individual static routes for each
of them. Otherwise, use a separate VR for ERSPAN and set a default route.
3. Click OK.
The IP addresses of the Ethernet and tunnel interfaces in relation to each other and the rest
of the network look like this.
Management Features
> AIOps for NGFW
> Selective Commit of Configuration Changes
> Simplified Software Upgrade
Networking Features
The networking features for PAN-OS 10.2 are documented in the 10.2 PAN-OS
Networking Administrator’s Guide.
STEP 6 | Create BGP routing profiles for authentication, timers, address families, dampening, route
redistribution to BGP, and BGP filtering.
STEP 7 | Create filters for the advanced routing engine, such as access lists, prefix lists, AS Path access
lists, community lists, and route maps.
STEP 9 | Create OSPFv2 routing profiles for timers, authentication, and route redistribution to
OSPFv2.
STEP 11 | Create OSPFv3 routing profiles for timers, authentication, and route redistribution to
OSPFv3.
STEP 13 | Create RIPv2 routing profiles for timers, authentication, and route redistribution to RIPv2.
Policy Features
> Security Policy Rule Top-Down Order When Wildcard Masks Overlap
3. Click OK.
STEP 2 | Create a Security Policy Rule that has a Source IP Address or Destination IP Address that is
an IP address/wildcard mask.
STEP 3 | Create another Security policy rule that uses the same source or destination IP address as
the rule in the prior step, and uses an overlapping wildcard mask. Place the more specific rule
closer to the top of the list.
STEP 4 | Commit.
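Why the more specific rule goes first, as an added example (not Palo Alto Networks code): a simplified Python model that evaluates only the source address, top-down with first match, and flags a rule that an earlier, broader wildcard rule fully covers. The rule names and addresses are constructed, and the model assumes a 0 bit in the wildcard mask means "must match" and a 1 bit means "don't care".

```python
# Added illustration: a simplified model of top-down rule matching on
# address/wildcard-mask sources. Not PAN-OS code; names and addresses are constructed.
import ipaddress
from dataclasses import dataclass

ALL_BITS = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class WildcardAddr:
    """IPv4 address/wildcard mask. Mask bit 0 = must match, 1 = don't care."""
    base: int
    mask: int

    @classmethod
    def parse(cls, text):
        addr, sep, mask = text.partition("/")
        if not sep:
            raise ValueError(f"expected address/wildcard-mask, got {text!r}")
        return cls(_to_int(addr), _to_int(mask))

    @property
    def fixed(self):
        # Bits that a candidate address must share with the base address.
        return ~self.mask & ALL_BITS

    def matches(self, ip):
        return ((_to_int(ip) ^ self.base) & self.fixed) == 0

    def overlaps(self, other):
        # Some address satisfies both when they agree on every bit both of them fix.
        return ((self.base ^ other.base) & self.fixed & other.fixed) == 0

    def covers(self, other):
        # self matches everything other matches: other fixes every bit self
        # fixes, and the two agree on those bits.
        return ((other.mask & self.fixed) == 0
                and ((self.base ^ other.base) & self.fixed) == 0)


@dataclass(frozen=True)
class Rule:
    name: str
    source: WildcardAddr
    action: str


def first_match(rules, ip):
    """Top-down evaluation: the first rule whose source matches wins."""
    for rule in rules:
        if rule.source.matches(ip):
            return rule
    return None


def audit_order(rules):
    """Report overlapping pairs; 'shadowed' means the lower rule can never match."""
    findings = []
    for i, upper in enumerate(rules):
        for lower in rules[i + 1:]:
            if not upper.source.overlaps(lower.source):
                continue
            kind = "shadowed" if upper.source.covers(lower.source) else "overlap"
            findings.append((kind, lower.name, upper.name))
    return findings


def build(specs):
    return [Rule(n, WildcardAddr.parse(s), a) for n, s, a in specs]


# Constructed sample: host .20 in every 10.0.x.0 network, the same host only
# where the third octet is 16-31, and an unrelated host .30.
BROAD = ("pos-all-sites", "10.0.0.20/0.0.255.0", "allow")
SPECIFIC = ("pos-quarantine", "10.0.16.20/0.0.15.0", "deny")
UNRELATED = ("printers", "10.0.0.30/0.0.255.0", "allow")

MISORDERED = build([BROAD, SPECIFIC, UNRELATED])  # broad rule on top
ORDERED = build([SPECIFIC, BROAD, UNRELATED])     # specific rule on top

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("ordered", ORDERED)):
        hit = first_match(rules, "10.0.17.20")
        print(label, "10.0.17.20 ->", hit.name, hit.action, audit_order(rules))
```

With the broad rule on top, 10.0.17.20 is allowed and the deny rule is reported as shadowed; with the specific rule on top, the same address is denied and the pair is reported only as an overlap.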
Content Inspection Features
> Advanced Threat Prevention: Inline Cloud Analysis
> Domain Fronting Detection
STEP 2 | To take advantage of inline categorization, you must have an active Advanced Threat
Prevention subscription.
To verify subscriptions for which you have currently-active licenses, select Device > Licenses
and verify that the appropriate licenses are available and have not expired.
STEP 3 | Update or create a new Anti-Spyware Security profile to enable inline cloud analysis.
1. Select an existing Anti-Spyware Profile or Add a new one (Objects > Security Profiles >
Anti-Spyware).
2. Select your Anti-Spyware profile and then go to Inline Cloud Analysis and Enable inline
cloud analysis.
3. Specify an Action to take when a threat is detected using a corresponding analysis engine.
The following options are available:
STEP 4 | Install an updated firewall device certificate used to authenticate to the Advanced Threat
Prevention inline cloud analysis service. Repeat for all firewalls enabled for inline cloud
analysis.
For additional information about configuring inline Cloud Analysis, including adding exceptions,
verifying connectivity to the service, and monitoring details, refer to Configure Inline Cloud
Analysis.
Enable SSL decryption to detect domain fronting techniques. You must also enable
inspection of SSL/TLS handshakes by CTD at Device > Setup Session > Decryption
Settings > SSL Decryption Settings > Send handshake messages to CTD for inspection.
In cases where certain apps are excluded from decryption by default (such as Signal), you
must disable Exclude from Decryption for the specific apps under Device > Certificate
Management > SSL Decryption Exclusion.
Decryption Features
> Multiple Certificate Support for SSL Inbound Inspection
Perform the following steps to update your firewall and SSL Inbound Inspection rule with a newly
issued server certificate.
STEP 1 | Import the new certificate and private key for the internal server whose inbound SSL traffic
you want to decrypt and inspect to the firewall.
Depending on the TLS version in use, you may need to upload the end-entity (leaf)
certificate as part of a certificate bundle (single file) to the firewall to prevent server
certificate validation errors.
STEP 2 | Add the certificate to your Decryption policy rule, then click OK.
Upon clicking OK, the firewall automatically sorts the certificates alphabetically.
URL Filtering Features
> Inline Deep Learning Analysis for Advanced URL Filtering
> HTTP Header Expansion
STEP 2 | To take advantage of inline categorization, you must have an active Advanced URL Filtering subscription.
Verify that you have an Advanced URL Filtering subscription. To verify subscriptions for which
you have currently-active licenses, select Device > Licenses and verify that the appropriate
licenses are available and have not expired.
STEP 3 | Update or create a new URL Filtering Security profile to enable cloud inline categorization.
The policy action used by local and cloud inline categorization is dependent on the
configured settings under the Categories tab.
1. Select an existing URL Filtering Profile or Add a new one (Objects > Security Profiles > URL
Filtering).
2. Select your URL Filtering profile and then go to Inline Categorization and enable the cloud
inline categorization.
3. Click OK to exit the URL Filtering Profile configuration dialog and Commit your changes.
STEP 4 | Install an updated firewall device certificate used to authenticate to the Advanced URL
Filtering cloud service. Repeat for all firewalls enabled for inline cloud categorization.
For additional information about configuring cloud inline categorization, including adding
exceptions, verifying connectivity to the required servers, validation processes, and monitoring
details, refer to Configure Inline Categorization.
STEP 1 | Add or select a URL Filtering Profile to include the HTTP header insertion entry.
Select Objects > Security Profiles > URL Filtering > HTTP Header Insertion.
Mobile Infrastructure Security Features
> New Deployment Option for GTP Security in 3G/4G Networks
> Mobile Network Security Support on New Mid-Range Hardware Platforms
In the following network topology, to apply security policy to user and control traffic, the firewall
must be positioned on the 4G/LTE interfaces, including the Control Plane (S11) and User Plane
(S1-U), as well as the 3G interfaces which include the Control Plane (Gn [SGSN-MME]) and the
Control and User Plane (Gn [SGSN-GGSN]). You must enable GTP Security for complete
subscriber-level and equipment-level visibility and policy control for threats and traffic in the
network.
For complete subscriber-level and equipment-level visibility and security policy control for
network traffic threats, enable GTP Security.
The second firewall in this diagram is positioned on the perimeter (the SGI interface connected to
the internet and the enterprise IT datacenter).
In the following private 5G network deployment scenario, only the User Plane Function (UPF)
is located on-premises. The 5G Core is located remotely in a central core site or public cloud.
To enforce security policy for user and control traffic, the firewall must be positioned on the 5G
interfaces, including the User Plane (N3) and Control Plane (N4).
For complete subscriber-level and equipment-level visibility and security policy control for
network traffic threats, enable GTP Security.
The second firewall in the diagram is positioned on the perimeter (the N6 interface connected to
the internet and the enterprise IT datacenter).
In the following private 5G network deployment scenario, the 5G Core, including the User Plane
Function (UPF), is located on-premises. The 5G Core includes network functions (NFs) such as
Session Management (SMF) and Access and Mobility Management Function (AMF), as well as
others. To enforce security policy for user and control traffic, the firewall must be positioned on
the 5G interfaces, including the User Plane (N3) and the Control Plane (N4).
For complete subscriber-level and equipment-level visibility and security policy control for
network traffic threats, enable GTP Security. Apply security policy to the Control Plane
(N2) between the 5G RAN and the 5G Core for signaling protection by enabling SCTP
Security.
The second firewall in the diagram is positioned on the perimeter (the N6 interface connected to
the internet and the enterprise IT datacenter).
In the following private 5G network deployment scenario, only the Radio Access Network (RAN) is
located on-premises.
The firewall must be positioned on the 5G interface for the User Plane (N3).
In the following 5G MEC deployment scenario, the User Plane Function (UPF) is located on the
MEC in the service provider’s edge location or on the public cloud edge and the 5G Core is located
remotely in a central core site or the public cloud. To enforce security policy for user and control
traffic, the firewall must be positioned on the 5G interfaces, including the User Plane (N3) and the
Control Plane (N4).
For complete subscriber-level and equipment-level visibility and security policy control for
network traffic threats, enable GTP Security.
The second firewall in the diagram is positioned on the perimeter (the N6 interface connected to
the internet and the enterprise IT datacenter).
Virtualization Features
> CN-Series Firewall as a Kubernetes CNF
> High Availability Support for CN-Series Firewall as a Kubernetes CNF
> High Availability Support for CN-Series Firewall on AWS EKS
> DPDK Support for CN-Series Firewall
> Daemonset(vWire) IPv6 Support
> Panorama Plugin for Kubernetes 3.0.0
> L3 IPV4 Support for CN-Series
> 47 Dataplane Cores Support for VM-Series and CN-Series Firewalls
> Memory Scaling of the VM-Series Firewall
IPv6 addresses are supported only on the k8s-daemonset and not on the k8s-CNF or k8s-
service mode.
Dashboard
For tags not used in DG security policies, Panorama only holds tags without IP addresses. With
Tag Pruning, the plugin pushes the IP/tag mappings on to the plugin UI and you will be able to
navigate the Dashboard to see the IP/tag mappings. You will have an option to view IP addresses
(IPv4 and IPv6) associated to all tags learnt by the plugin and then, look for the tags associated to
each IP address when you click associated tags.
The Kubernetes 3.0.0 Plugin works only with Panorama 10.2 and PAN-OS 10.2 devices. However,
it can manage 10.1 firewall devices on 10.2 Panorama.
• To upgrade to a Kubernetes 3.0.0 Plugin, download the Kubernetes 3.0.0 Plugin and
upgrade your Panorama to 10.2, which will automatically install the downloaded
Kubernetes 3.0.0 Plugin. However, if you have not downloaded the Kubernetes 3.0.0
Plugin before upgrading the Panorama, the upgrade will be stopped.
• You cannot use a Kubernetes 2.0.0 Plugin with Panorama 10.2.
• You will find four default templates on Panorama after downgrading the Kubernetes
plugin from 3.0.0. The unnecessary templates can be deleted manually.
In Kubernetes CNF mode, only one CN-NGFW pod is supported with a CN-MGMT pod.
CN-Series supports Static and Connected routes and BGP protocol. OSPF is supported on Native/
OnPrem environments, but not supported on Public clouds, due to the limitation in the cloud
infrastructure. BFD and tunnel interfaces are not supported.
vWire can still be used on dataplane ports where an external ToR is configured to manage
L1 PBR.
For VM-Series, if you have NUMA performance optimization enabled with custom
dataplane core settings, the NUMA setting takes precedence.
For example, for a 64 CPU VM with NUMA performance optimization enabled
and 47 dataplane core setting, the NUMA settings take precedence. The command
show plugins vm_series dp-cores displays: Current DP cores:31
configured custom DP cores: 47 (Current total cores: 64).
For more information, see Enable NUMA Performance Optimization on VM-Series.
PAN-OS SD-WAN Features
> Copy ToS Header Support
STEP 2 | Select Panorama > SD-WAN > Devices and select a branch or hub.
STEP 6 | Commit.
Enterprise Data Loss Prevention Features
> Web Form Data Inspection for Enterprise Data Loss Prevention
Web form inspection for non-file based traffic is supported only for the HTTP/1.x network
protocol. Web form inspection for non-file based traffic is not supported for the HTTP/2
network protocol.
The steps below describe how to configure web form inspection Enterprise DLP on Panorama and
Prisma Access (Panorama Managed).
STEP 1 | Log in to the Panorama web interface.
STEP 3 | (Optional) Create a custom URL category for URL or domain traffic you do not want to send
to the DLP cloud service for inspection.
STEP 4 | (Optional) Create a custom application filter for application traffic you do not want to send to
the DLP cloud service for inspection.
1. Select Objects > Application Filters and Add a new application filter.
You can also select and Clone the predefined DLP App Exclusion Filter
to create a custom application filter.
2. Check (enabled) Shared.
3. Configure the application filter as needed.
See Create an Application Filter for more information.
4. Click OK.
5. Select Commit and Commit to Panorama.
STEP 7 | Commit and push your configuration changes to your managed firewalls that are leveraging
Enterprise DLP.
The Commit and Push command is not recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.