
PANOS 12.1 ORION installation on PA-440 and Panorama




Bad start on the Panorama for me:
Failed to create required free space. Free space: 2778 MB, Required space: 3717 MB


Found a guide for cloning the Panorama disk to a new, larger disk. It only took 15 minutes to clone the disk and remove the old one.
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/increase-the-system-disk-on-the-panorama-virtual-appliance/increase-the-system-disk-for-panorama-on-an-esxi-server#id27229f7c-6701-4fef-9ad7-cb630ea5cbcb

 

The guide worked perfectly and I booted up Panorama with free space available.
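A pre-flight check like the one below would have flagged the disk problem before the upgrade was started. It is an added example, not code from this post or from Palo Alto Networks: it parses df-style output, which is the layout the PAN-OS CLI command `show system disk-space` is assumed to use (Filesystem / Size / Used / Avail / Use% / Mounted on), and reports whether a partition has room for the image. The sample output, its device names and mount points are constructed; the 3717 MB requirement is the figure from the error message above.

```python
"""Pre-upgrade free-space check for PAN-OS and Panorama.

Added example, not code from the blog post or from Palo Alto Networks.
It parses df-style output, which is the layout the PAN-OS CLI command
`show system disk-space` is assumed to use (Filesystem / Size / Used /
Avail / Use% / Mounted on), and reports whether a partition has room
for the software image. The sample output below is constructed.
"""
import re
from typing import NamedTuple

# Constructed sample in df -h layout. The root filesystem is given
# roughly the free space seen in the post's error message (~2.7 GB).
SAMPLE_DISK_SPACE = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       3.8G  1.0G  2.7G  28% /
none            2.5G   60K  2.5G   1% /dev
/dev/sda5        15G   11G  3.4G  77% /opt/pancfg
/dev/sda6       7.6G  5.8G  1.5G  80% /opt/panrepo
/dev/sda8        20G   19G  1.0G  95% /opt/panlogs
"""

# Space required for the 12.1 image, taken from the error in the post.
REQUIRED_MB = 3717

# Multipliers to megabytes for the suffixes df -h prints.
_TO_MB = {"K": 1 / 1024, "M": 1.0, "G": 1024.0, "T": 1024.0 ** 2}


class Partition(NamedTuple):
    filesystem: str
    size_mb: float
    used_mb: float
    avail_mb: float
    use_pct: int
    mount: str


def size_to_mb(field: str) -> float:
    """Convert a df -h size field such as '2.7G', '60K' or '0' to MB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])?", field)
    if not m:
        raise ValueError(f"unrecognised size field: {field!r}")
    value, unit = float(m.group(1)), m.group(2)
    # A bare number with no suffix only occurs for zero in -h output;
    # treat it as bytes so it still converts sensibly.
    return value * _TO_MB[unit] if unit else value / (1024 * 1024)


def parse_disk_space(output: str) -> dict:
    """Parse df-style output into a mapping of mount point -> Partition."""
    partitions = {}
    for line in output.splitlines():
        fields = line.split(None, 5)
        if len(fields) != 6 or fields[0] == "Filesystem":
            continue  # header or blank line
        fs, size, used, avail, pct, mount = fields
        partitions[mount] = Partition(
            fs, size_to_mb(size), size_to_mb(used), size_to_mb(avail),
            int(pct.rstrip("%")), mount,
        )
    return partitions


def check_free_space(output: str, required_mb: float, mount: str = "/"):
    """Return (ok, available_mb, shortfall_mb) for the given mount point.

    shortfall_mb is 0.0 when enough space is available.
    """
    part = parse_disk_space(output).get(mount)
    if part is None:
        raise KeyError(f"mount point {mount!r} not present in output")
    shortfall = max(0.0, required_mb - part.avail_mb)
    return shortfall == 0.0, part.avail_mb, round(shortfall, 1)


if __name__ == "__main__":
    for mnt in ("/", "/opt/panrepo"):
        ok, avail, short = check_free_space(SAMPLE_DISK_SPACE, REQUIRED_MB, mnt)
        state = "OK" if ok else f"SHORT by {short} MB"
        print(f"{mnt:14s} avail {avail:8.1f} MB  required {REQUIRED_MB} MB  {state}")
```

Run against real output by pasting the CLI text in place of the constructed sample; checking the partition that will hold the downloaded image, not only the root filesystem, avoids finding out at upgrade time that the shortfall is somewhere else.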




PA-440:



Reboot takes about 15 minutes, and then some more waiting time before the login is up and running.


Welcome to PAN-OS 12.1!

With this release, Palo Alto Networks extends and improves your security posture with our innovative approach. PAN-OS 12.1 provides passwordless authentication capabilities, additional quantum protections, expanded Device-ID capabilities, decryption enhancements, and more. Highlights include:

Passwordless Authentication for Kerberos Protected Applications—Enables your Palo Alto Networks firewall to act as a Kerberos Constrained Delegation (KCD) agent. This feature allows seamless access to enterprise applications using Kerberos authentication, eliminating the need for users to repeatedly enter credentials. Enhances security by reducing password-related vulnerabilities and improves productivity by streamlining access to multiple Kerberos-protected applications.

Quantum Key Distribution (QKD)—Provides protection for VPN key exchanges by using the ETSI GS QKD 014 standard, QKD, to provide a set of standardized API calls that enable a PAN-OS firewall to communicate with and request symmetric encryption keys from a QKD Device. The PAN-OS firewall acts as the secure application entity (SAE) device and makes API calls to the QKD device, called the key management entity (KME). Depending on the QKD vendor’s implementation, you can use TLSv1.3 to secure the key generation process.

Advanced Device-ID—Enables more granular and precise device-based policy recommendations by enhancing the existing Device-ID functionality. Advanced Device-ID enables the creation of least-privilege access policies by creating device object groupings based on device attributes. With Advanced Device-ID, you can now create more complex Device-ID objects by matching grouping criteria using multiple asset categories and attributes (10x more than before) such as asset type, device profiles, operating systems, site, location, subnet, risk, internet access, and user tag to match assets and enforce security policies based on changing security posture.

Post-Quantum Cryptography (PQC) SSL Support for PAN-OS Management—Supports PQC in TLSv1.3 for administrative access to firewalls and Panorama and facilitates a smooth adoption of PQCs as a proactive defense against PQC threats. This feature prioritizes maximum interoperability and adaptability to future PQC updates. You can also generate self-signed certificates with the NIST-approved digital signatures, ML-DSA and SLH-DSA (based on SPHINCS+), for experimental use as the industry works toward a standard approach for PKI certificates.

Post-Quantum Cryptography (PQC) Cipher Support for TLSv1.3 Inline Decryption—Enables PQC cipher support in TLSv1.3 for SSL Forward Proxy and SSL Inbound Inspection, as well as the decryption mirror and Network Packet Broker features. You can now use PQC preferred ciphers in the decryption profile either for client session, server session, or both. This flexibility allows for post-quantum migration as either the client or server side could be first to adopt PQCs and this feature supports cipher translations across the client and server sessions of the decryption proxy. You can also elect to negotiate Standard (ML-KEM) and/or Experimental (BIKE, Frodo, HQC) ciphers to support NIST and EU requirements allowing for Crypto Agility of ciphers as required.

Decryption Simplification—New options have been added to decryption functionality to simplify certificate verification and log analysis. For example:
Use the new Bypass Server Certificate Verification option in decryption profiles to disable the verification of server certificates, so that the firewall can decrypt outbound SSL traffic from an internal client to the web. This ensures the availability of websites and applications without compromising deep packet inspection for threats during SSL Forward Proxy sessions when servers present incomplete or invalid SSL certificates.
More easily analyze log entries and troubleshoot decryption issues using the new columns provided. For example, Decryption Status lists the reason a session was or was not decrypted, whether by failure or design. In addition, new and existing columns that concern one side of a decrypted session are labeled with client or server if conditions apply to only one or the other.

Zero Touch Provisioning (ZTP) for Cellular—Enables automated deployment and configuration of NGFW in remote locations with limited connectivity or lacking traditional wired connections using cellular interfaces. With the expanded support for cellular connections, ZTP now supports multiple connectivity scenarios, including cellular-only, ethernet-only, or both to provide the flexibility to adapt to various network environments. The feature is designed to work with current and future 5G-enabled platforms, ensuring long-term value and adaptability as your network evolves.

For descriptions of the new features, associated software and content releases, changes in default behavior, and other release information, refer to the PAN-OS 12.1 Release Notes.






HA/failover with one NGFW in PANOS 12.1.2 and one NGFW in 11.1.10-h1 worked in my test.





I really like the new report, telling me what I need to fix, and how!




Certificates seem to have had an update, great news; maybe SSL decrypt works better now.




New AI Security profile, this can be fun.


 

Was hoping for more SD-WAN updates, didn't find anything so far.