PAN-OS 8.0: What’s it worth?
“The biggest release in the history of the company”, that’s how Palo Alto Networks described their PAN-OS 8.0, the system software for Palo Alto Networks appliances.
As a security consultant, I have been working with Palo Alto Networks’ products since 2010. Over the last years, there have been some major PAN-OS software releases. Each time, new features with great value regarding network security were added. When PAN-OS 8.0 came out, I did some research. I performed multiple tests on our network and in our lab and recently, I even had the opportunity to migrate to the new hardware models (see image 2) which run with PAN-OS 8.0X by default.
So, the ultimate question: am I convinced of this product?
Should you upgrade to PAN-OS 8.0?
Even though PAN-OS 8.0 was already released in February this year, I did not recommend costumers to install this early 8.0.0 version. Why? Because this is a major upgrade release which contains more than 70 new features. The risk of hitting 1 or more bugs that can impact your environments is too high. This is not a reproach to Palo Alto Networks, it is just a pattern I have recognized in many vendor releases.
I did start recommending our Palo Alto Networks customers to activate this OS when the 8.0.4 maintenance release came out. This version is generally known as a stable one, running in several environments already.
What are the new features of PAN-OS 8.0?
In my opinion, these are the most interesting new features you will definitely benefit from:
- Leverage advanced intel sharing
- Secure any cloud! AWS, Azure and more
- Secure SaaS (Office 365®, Box, Slack®) with visibility and enforcement
- Prevent credential theft usage and abuse
- Simplify security operations with enhanced management, speed and automation
- New high-performance hardware models to tackle encrypted traffic and more
- Clientless SSL VPN: see further
A complete overview of all newly-introduced features can be found on this page:
Clientless SSL VPN
There is one feature which I would like to explain more profoundly: the GlobalProtect Clientless VPN.
The traffic for accessing the application passes through the next-generation firewall, allowing organizations to set up User-ID policies to control who can access the application, along with the content inspection capabilities for stopping threats in traffic. You can use security policies to control file blocking functionality when accessing internal applications on non-trusted endpoints.
Image 1: Clientless SSL VPN Web Portal
I’m convinced that the clientless SSL VPN (web portal ) feature combined with the Global Protect agent VPN feature can replace a dedicated SSL VPN solution in some environments. Certainly where basic functionality is sufficient.
New high-performance hardware models
As a replacement for the old PA-200, PA-500 and PA-5000 series, some new high-performance models were introduced together with the release of PAN-OS 8.0:
The PA-5260, PA5250, PA-5220, PA-850, PA-820 and PA-220 enable advanced security protections for large data centers (PA-5260, PA-5250 and PA-5220) to smaller environments (PA-850 and PA-820) and branch offices (PA-220).
These appliances were designed to handle the increasing throughput needs due to increased SSL-encrypted traffic, the consolidated data center throughput and increased traffic at the internet gateway. Take a look at the comparison below:
Image 2: Hardware Models Palo Alto Networks
After some recent implementations with the new hardware platforms running the new PAN OS 8.0.4, I can only conclude that Palo Alto offers a new stable PAN-OS with more security and networking features than ever before on some new performant platforms (See Image 2 – green). I heard nothing but positive comments from customers that decided to upgrade already, even to an early 8.0.2 and 8.0.3 version. Palo Alto Networks has been offering a strong next-generation security platform for a while now and this seems to look better than ever now!Do you have a question about this blog post or about Palo Alto Networks? Please, do not hesitate to contact us.