You asked for networking features, and we listened! Here are the top five networking features that we think have the biggest impact in PAN-OS 7.0.
The firewall now supports Equal Cost Multipath (ECMP). With ECMP enabled, the forwarding table can have up to four equal-cost paths to a single destination, which allows you to load balance traffic, use more of the available bandwidth, and have traffic dynamically shift to another ECMP member if one path fails. You can choose one of several load-balancing algorithms to determine which equal-cost path a virtual router uses for a new session to the destination.
A firewall configured as a DHCP server can now send a full range of DHCP options to clients, including vendor-specific and customized options that support a wide variety of office equipment, such as IP phones and wireless infrastructure devices. Each option code supports multiple values, which can be IP addresses, ASCII text, or hexadecimal values. With the enhanced DHCP option support enabled on the firewall, branch offices do not need to purchase and manage their own DHCP servers in order to provide vendor-specific and customized options to DHCP clients.
When you configure the firewall to block traffic, the firewall either resets the connection or silently drops packets. When the firewall silently drops packets, it causes some applications to break and appear unresponsive to the user. Therefore, we now have new actions to gracefully block traffic and provide a better user experience.
Read more about Granular Actions for Blocking Traffic in Security Policy in the PAN-OS® New Features Guide Version 7.0.
You can now enable QoS on AE interfaces configured on PA-5000 Series, PA-3000 Series, PA-2000 Series, and PA-500 platforms. An AE interface is two or more interfaces linked together for combined bandwidth and link redundancy. When using AE interfaces to scale your network, enable QoS on an AE interface to prioritize, allocate, and guarantee the increased bandwidth supported on the AE interface. Support for QoS on AE interfaces on PA-7050 firewalls began in PAN-OS 6.0.0.
Site-to-site IPSec VPN is enhanced to support Internet Key Exchange Version 2 (IKEv2), in addition to IKEv1. (GlobalProtect Client is not included in this feature support.) IKEv2:
Your friendly Technical Publications team