Changes to Default Behavior
The following topics describe changes to default behavior in PAN-OS and Panorama 8.0:
Authentication Changes
PAN-OS 8.0 has the following changes in default behavior for authentication features:
Hardware security modules (PAN-OS 8.0.2 and later releases): To downgrade to a release earlier than PAN-OS 8.0.2, you must ensure that the master key is stored locally on Panorama or on the firewall, not on a hardware security module (HSM).
Authentication policy: Authentication policy replaces Captive Portal policy.
Logging: When an authentication event invokes a policy rule, the firewall now generates Authentication logs instead of System logs.
RADIUS and TACACS+: You now use the web interface instead of a CLI command to set the authentication protocol to CHAP or PAP for TACACS+ and RADIUS server profiles.
Content Inspection Changes
PAN-OS 8.0 has the following changes in default behavior for content inspection features:
TCP settings: The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) have changed in 8.0:
- Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag, is now set to yes by default.
- Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option, is now set to yes by default.
- Forward segments exceeding TCP out-of-order queue is now disabled by default. The corresponding CLI command, set deviceconfig setting bypass-exceed-op-queue, is now set to no by default.
Content-ID: Forward segments exceeding TCP App-ID inspection queue (Device > Setup > Content-ID > Content-ID Settings) is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
Zone Protection profiles: In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings apply to each profile and the firewall acts accordingly.
Decryption: The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.
URL Filtering: When a firewall running PAN-OS 8.0 connects with PAN-DB (public or private cloud), it validates the Common Name on the server certificate before establishing an SSL connection. If the validation fails, the connection is refused and the firewall generates a System log.
Data Pattern objects: Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type > Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
Application filters: You must now select at least one Category when creating or modifying an application filter (Objects > Application Filters). This optimizes firewall performance when filtering applications, because the firewall includes only the categories that are relevant to you.
GlobalProtect Changes
PAN-OS 8.0 has the following changes in default behavior for GlobalProtect features:
GlobalProtect portals and gateways:
- The Agent > Gateways tab for GlobalProtect portal configurations is split into two separate tabs: Internal and External. Use the Internal tab to specify internal gateway settings for GlobalProtect agents and apps, and the External tab to specify external gateway settings for GlobalProtect agents and apps. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
- The Agent > Client Settings > Network Settings tab for GlobalProtect gateway configurations is replaced with two separate tabs: IP Pools and Split Tunnel. These are layout changes only; your existing PAN-OS 7.1 configuration is preserved.
- The Disable login page check box on the General tab for GlobalProtect portal configurations is now a Disable command in the Portal Login Page. This is a layout change only; your existing PAN-OS 7.1 configuration is preserved.
- (PAN-OS 8.0.5 and later releases) To improve access control for GlobalProtect portals and gateways (internal or external), even when user endpoints have valid authentication override cookies, PAN-OS now matches the users against the Allow List of authentication profiles (Device > Authentication Profile > <authentication_profile> > Advanced). Modifying the Allow List is an easy way to prevent unauthorized access by users who have valid cookies but disabled accounts.
IP address pools: In PAN-OS 7.1 and earlier releases, to prevent potential IP address conflicts, the GlobalProtect gateway did not assign an IP address if the local network IP address sent from the endpoint was in the same subnet as the IP address pool. Users had to configure a second IP address pool that contained addresses from a separate subnet. Beginning in PAN-OS 8.0, when you configure only one IP address pool, GlobalProtect assigns an IP address regardless of subnet overlap. This change may cause warning messages on Windows endpoints. If you are concerned about the warning message, configure a second IP address pool.
Clientless VPN: The option to Allow user to launch unpublished applications is now renamed Display application URL address bar. The new option name better reflects the purpose of this option.
Web interface changes: GlobalProtect has the following minor changes to menu and check box labels. These are changes to wording only; your existing PAN-OS 7.1 configuration is preserved.
  Location | PAN-OS 7.1 Label | PAN-OS 8.0 Label
  The General tab for GlobalProtect portal configurations | Custom Login Page | Portal Login Page
  The General tab for GlobalProtect portal configurations | Custom Help Page | App Help Page
  The Agent > External > Add > External Gateway for GlobalProtect portal configurations | If this GlobalProtect gateway can be manually selected | Manual (the user can manually select this gateway)
Management Changes
PAN-OS 8.0 has the following changes in default behavior for firewall and Panorama management features:
PA-7000 Series Log Collection: Upon upgrade to PAN-OS 8.0, Panorama no longer considers the PA-7000 Series firewall a log collector; all logs the firewall generates after the upgrade are viewable only from the local firewall and not from Panorama. This means that upon upgrade you must enable log forwarding to Panorama if you want to continue to see an aggregated view of your logs from Panorama. Before upgrading the PA-7000 Series firewall to PAN-OS 8.0, make sure your Log Collectors have enough capacity to support the log collection rates required by your PA-7000 Series firewalls. Refer to Table: Panorama Log Storage and Collection Rates in Panorama Models to determine if your existing logging infrastructure can handle the logging rate and log storage requirements of your PA-7000 Series firewalls. If you are not sure of the logging rate, run the following CLI command from the firewall:
> debug log-receiver statistics
As soon as you enable log forwarding to Panorama, the PA-7000 Series firewall begins forwarding new logs to Panorama. However, to continue to be able to view historic log data on Panorama, you will need to migrate the logs from the PA-7000 Series firewall to the Log Collector.
Management access: By default, the firewall and Panorama no longer allow management access over TLSv1.0 connections. If you accept this default, any scripts that require management access (such as API scripts) must support TLSv1.1 or later TLS versions. To overcome the default restriction, you can configure an SSL/TLS service profile that allows TLSv1.0 and assign the profile to the interface used to access the firewall or Panorama. To configure the management (MGT) interface on the firewall, you now select Device > Setup > Interfaces instead of Device > Setup > Management.
Configuration backups: To create a snapshot file for the candidate configuration, you must now select Config > Save Changes instead of Save at the top right of the web interface.
External dynamic lists: When retrieving an external dynamic list from a source with an HTTPS URL, the firewall now authenticates the digital certificates of the list source. You must configure a certificate profile to authenticate the source. If the source authentication fails, the firewall stops enforcing policy based on the list contents. In PAN-OS 7.1, the firewall supported a maximum of 30 unique sources for external dynamic lists and enforced the maximum number even if the external dynamic list was not used in policy. Beginning in PAN-OS 8.0, only the lists you use to enforce policy count toward the maximum number allowed. Entries in an external dynamic list (IP addresses, domains, and URLs) now count toward the maximum number that the firewall supports only if a Security policy rule references the external dynamic list.
Anti-Spyware profiles: In PAN-OS 7.1 and earlier releases, passive DNS monitoring was a setting you could enable in an Anti-Spyware profile. You could attach the Anti-Spyware profile to a policy rule, and sessions that matched that rule would then trigger passive DNS monitoring. Beginning in PAN-OS 8.0, passive DNS monitoring is a global setting that you can enable through the Telemetry and Threat Intelligence feature; when enabled, the firewall acts as a passive DNS sensor for all traffic that passes through the firewall.
Service routes: The firewall now uses the new service route Palo Alto Networks Services to access external services that it accessed via the service routes Palo Alto Updates and WildFire Public prior to PAN-OS 8.0.
Content and software updates: Beginning with PAN-OS 8.0, the Verify Update Server Identity global services setting for installing content and software updates is enabled by default (Device > Setup > Services > Global). PAN-OS now evaluates the last five content release versions instead of just the newest version when checking the Palo Alto Networks Update Server for a version that matches the Threshold age configured in an update schedule on a firewall (Device > Dynamic Updates > <update_type_schedule>) or a Panorama management server (Panorama > Dynamic Updates > <update_type_schedule>). This change ensures that an update is available for PAN-OS to perform the Action configured in an update schedule (download-only or download-and-install) when the Threshold age exceeds the frequency at which Palo Alto Networks releases the updates. For example, if a firewall has a Threshold of 48 hours for Applications and Threats content updates but Palo Alto Networks releases the updates every 24 hours, the latest update will never reach the 48-hour age Threshold required to trigger the Action, but one of the four previous updates will. PAN-OS also checks the last five content release versions for Antivirus updates.
Log forwarding: When forwarding logs to syslog servers, the firewall and Panorama now support only TLSv1.2 for SSL/TLS connections to the syslog servers.
Panorama Changes
PAN-OS 8.0 has the following changes in default behavior for Panorama features:
Management access: To configure interfaces on Panorama, you now select Panorama > Setup > Interfaces (instead of Panorama > Setup > Management).
Log collection:
- When adding or editing a Log Collector (Panorama > Managed Collectors), you now configure interfaces in the Interfaces tab, which replaces the Management, Eth1, and Eth2 tabs in the Collector dialog.
- When the Panorama virtual appliance is in Panorama mode and is deployed in a high availability (HA) configuration, you can configure both HA peers to collect logs, not just the active peer.
- Log databases have been consolidated on both M-Series appliances in Panorama mode and Dedicated Log Collectors:
  - Detailed Firewall Logs: Traffic, Threat, Application Statistics, URL, WildFire Submissions, Data Filtering, HIP Match, User-ID, Tunnel, Authentication
  - Summary Firewall Logs: Traffic Summary, Threat Summary, URL Summary, Tunnel Inspection Summary
  - Infrastructure and Audit Logs: Config, System, User-ID
  - Palo Alto Networks Platform Logs: Traps ESM, Aperture
  - 3rd Party External Logs
  By default, 4% of the total disk space has been allocated for the newly introduced Palo Alto Networks Platform Logs and 3rd Party External Logs databases.
Commit and push operations: When pushing configurations to managed firewalls or Log Collectors, Panorama now pushes the running configuration instead of the candidate configuration. Therefore, you must commit changes to Panorama before pushing the changes to firewalls or Log Collectors. With the commit workflow changes on Panorama that allow you to choose whether to Commit to Panorama, Push to Devices, or Commit and Push, the Commit button is grayed out only when two conditions are met: you have no pending changes on Panorama, and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have pushed changes to the devices).
Content and software updates: Firewalls and Log Collectors now retrieve software and content updates from Panorama over port 28443 instead of Panorama pushing the updates over port 3978.
VM-Series Firewall Changes
PAN-OS 8.0 has the following changes in default behavior for VM-Series firewalls:
Management interfaces: In PAN-OS 8.0, hypervisor-assigned MAC addresses and DHCP on the management interface are enabled on new VM-Series firewall installations. These options are not enabled automatically when you upgrade a VM-Series firewall to PAN-OS 8.0 from PAN-OS 7.1 or an earlier release.
Licensing: Beginning with PAN-OS 7.1.7, to deactivate a VM-Series license you must first install a license API key on your firewall or Panorama. For more information, see Virtualization Features.
Large Receive Offload: Large Receive Offload (LRO) is enabled by default on new deployments of the VM-Series firewall for NSX and on deployments upgraded to 8.0.
Data Plane Development Kit: Support for the Data Plane Development Kit (DPDK) is enabled by default on the VM-Series for KVM and ESXi. However, to take advantage of DPDK, you must install the required NIC driver on your hypervisor. DPDK support is disabled by default on the VM-Series for AWS.
WildFire Changes
PAN-OS 8.0 has the following changes in default behavior for WildFire features:
Logging: If you previously enabled WildFire forwarding on your firewall, the firewall now forwards blocked files that match existing signatures, in addition to unknown files, for WildFire analysis. The WildFire Submissions log now includes log entries for blocked files. The Action column in the WildFire Submissions log now indicates whether the firewall action for a sample was allow or block. In PAN-OS 7.1 and earlier versions, the action displayed for all samples in the WildFire Submissions log was alert.
DoS Protection profiles: When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall now blocks IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.