
PAN-OS 10.0: Management features

Palo Alto Networks


Legacy port-based to App-ID Security policy converter

Legacy Port-Based to App-ID Rule Converter identifies port-based Security policy rules so you can convert them to application-based rules without compromising application availability and identifies rules configured with unused applications. Rule Usage application information helps you prioritize which port-based rules to migrate to application-based rules first, identify rules to clean up, and analyze rule usage characteristics. Use Legacy Port-Based to App-ID Rule Converter to maintain the rulebase as you add new applications.

Audit information, unique ID, creation date and modified date for policies

When you periodically review your policy rules, you need to know what each rule is intended to secure, what its change history is, how to tag rules so that you can organize your rulebase, and how to locate a specific rule or set of rules. With the Enforcement of Rule Description, Tag and Audit Comment, you can require a description, an audit comment, or a tag when a rule is created or edited, which gives you auditing, grouping and change tracking for every rule in your policy rule base. For uniformity, you can set specific requirements for what the audit comment must contain. The description, tag, and audit comment are not required by default; you can select whether a description, tag, audit comment, or any combination of the three is required to successfully add or modify a rule. View the Rule Changes Archive to see the audit comment history for a selected rule.

As your rulebase evolves, change and audit information is lost over time unless it is archived at the moment the rule is created or modified. The Rule Changes Archive complements the Enforcement of Rule Description, Tag, and Audit Comment: it gives you the Audit Comment Archive, which holds the audit comment history and the configuration log history, and lets you compare rule configuration versions for the selected policy rule.
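The firewall enforces these requirements at rule creation time; when rules are pushed in bulk over the API it is useful to apply the same checks before the push. The following is an added example, not Palo Alto Networks code: it validates a batch of Security rules shaped like the PAN-OS REST API `Policies/SecurityRules` JSON body. The `@name`, `description` and `tag.member` fields follow the REST API; the `audit_comment` field and the change-ticket regular expression are assumptions.

```python
"""Added example: pre-push check of description, tag and audit comment requirements."""
import re

# Assumption: the change-ticket format an audit comment must start with
# (mirrors the audit comment regular expression the firewall can enforce).
AUDIT_COMMENT_RE = re.compile(r"^(CHG|INC)-\d{4,}\b")

# Which of the three fields are mandatory for this rulebase.
REQUIREMENTS = {"description": True, "tag": True, "audit_comment": True}


def check_rule(entry, requirements=REQUIREMENTS, audit_re=AUDIT_COMMENT_RE):
    """Return the list of violations for one rule entry (empty list means OK)."""
    problems = []
    name = entry.get("@name", "<unnamed>")
    if requirements["description"] and not entry.get("description", "").strip():
        problems.append(f"{name}: description is required")
    members = entry.get("tag", {}).get("member", [])
    if requirements["tag"] and not members:
        problems.append(f"{name}: at least one tag is required")
    comment = entry.get("audit_comment", "")  # assumption: carried with the rule
    if requirements["audit_comment"]:
        if not comment.strip():
            problems.append(f"{name}: audit comment is required")
        elif not audit_re.search(comment):
            problems.append(f"{name}: audit comment {comment!r} does not match "
                            f"{audit_re.pattern}")
    return problems


def check_rulebase(rulebase):
    """Validate a whole batch; returns {rule_name: [violations]} for failing rules only."""
    return {e["@name"]: p for e in rulebase["entry"] if (p := check_rule(e))}


# Constructed sample, shaped like a REST API SecurityRules body.
SAMPLE_RULEBASE = {
    "entry": [
        {"@name": "allow-web", "@location": "vsys", "@vsys": "vsys1",
         "description": "Outbound browsing on app-default ports",
         "tag": {"member": ["internet", "reviewed-2020Q3"]},
         "audit_comment": "CHG-10042 migrate port-based rule to App-ID"},
        {"@name": "legacy-any", "@location": "vsys", "@vsys": "vsys1",
         "description": "", "tag": {"member": []},
         "audit_comment": "temporary fix"},
    ]
}

if __name__ == "__main__":
    for rule, problems in check_rulebase(SAMPLE_RULEBASE).items():
        print(rule, *("  - " + p for p in problems), sep="\n")
```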

Audit information:

Unique identifier:

Policy testing from the management interface

You can test policy rule and device configurations to ensure the running configuration appropriately secures your network while maintaining connectivity to important network resources. In PAN-OS 9.0, you can perform policy match and connectivity tests for devices directly from the web interface rather than the CLI. With these tests available in the web interface, you can easily verify that policy rules allow and deny the correct traffic, and that devices can reach network resources such as WildFire, Log Collectors, or the configured Update Server.

Application default for SSL decryption

Application default is a feature of Palo Alto Networks next-generation firewalls that enables you to allow applications only on their standard ports. However, when an application is SSL-encrypted, it might use a different default port than the port it uses when in cleartext. Now, application default is extended to allow certain SSL-encrypted applications on the default SSL secure port, in addition to the application’s standard port:

  • For a clear text session, application default matches against the Standard Port for the application.
  • For a decrypted session, application default matches against the Secure Port for the application.

For example, a security policy designed to allow web-browsing on only the application default ports will now strictly allow:

  • cleartext web-browsing traffic on the standard port (port 80)
  • and SSL-tunneled web-browsing traffic on the secure port (port 443).

Application default for both standard and secure ports is supported for web-browsing, SMTP, FTP, LDAP, and IMAP traffic. For any of these applications, you can view the Secure Ports that Palo Alto Networks has defined for the application, and on which the application default setting can enforce the application.

Redesigned JSON REST API and API key lifetimes

The new PAN-OS REST API exposes the Policy and Network resources on the firewall as top-level URIs. You can use these APIs to create, update, and delete these resources directly on the firewall or from Panorama.

To use the API on the firewall and Panorama, you need to generate an API key that authenticates calls to both the XML API and the new REST API. Starting with PAN-OS 9.0, you can specify an API key lifetime to enforce key rotation, and you can revoke all currently valid API keys in the event one or more keys are compromised. Once a key lifetime is set, each API key you generate is unique. These capabilities help you protect your keys and meet the audit and compliance requirements of your enterprise.

Filter the logs by object name

A new option lets you query the logs directly from an object's context menu. It creates a filter on the object name and opens the Traffic log with that filter applied.
