PAN-OS 9.0 Features

60+ additional capabilities to prevent successful cyberattacks

Fast, smart, efficient enterprise protection

With PAN-OS 9.0 we released features to keep you on the cutting edge with tightly integrated innovations. This release simplifies your operations through analytics and automation while giving you consistent protection through exceptional visibility and control across the data center, perimeter, branch, mobile and cloud networks.


Try the integrated DNS Security service

The DNS Security service applies predictive analytics to disrupt attacks that use DNS for command and control (C2) or data theft. Tight integration with the next-generation firewall gives you automated protections and eliminates the need for stand-alone tools. Threats hidden in DNS traffic are rapidly identified with shared threat intelligence and machine learning. Cloud-based protections are always up to date and scale infinitely, giving your organization a critical new control point to stop attacks that use DNS.

Visit the webpage


Stunning performance improvements

Enhancements in PAN-OS 9.0 make the PA-7000 Series the fastest Next-Generation Firewall ever. The Network Processing Card (NPC), Switch Management Card (SMC), and Log Forwarding Card (LFC) intelligently distribute processing demands, each with massive amounts of computing power and dedicated memory. The combination of amazing performance and advanced prevention capabilities makes it possible for the new PA-7000 Series to stop the most sophisticated cyberattacks even at the highest throughput levels.


Close dangerous policy gaps using Policy Optimizer

Moving from port-based legacy firewall rules to App-ID™ technology-based ones greatly reduces the opportunity for attack. However, that transformation takes time, effort and resources. The new Policy Optimizer makes it easy. It uses simple workflows and intelligence gathered by PAN-OS to move from legacy rules to App-ID-based controls and strengthen your security.


Look beneath the content with URL Filtering

URL Filtering enhancements let you go beyond black-and-white categorization, using analytics to build a security profile of each site to reduce web-based threat exposure. The service automatically examines different layers of a website’s characteristics for granular policy enforcement, including new multiple URL categories and risk ratings. With PAN-OS 9.0, URL Filtering continues to improve phishing detection with innovative new machine learning-based image recognition techniques to find and stop the most evasive phishing attempts.

Visit the webpage


Expand the diversity of your cloud environments

We’ve expanded the line of public, private/SDN and hybrid cloud environments supported by our VM-Series virtualized next-generation firewalls, allowing you to securely diversify your multi-cloud initiatives. In the public cloud, VM-Series firewalls now support Oracle Cloud® and Alibaba Cloud, complementing our existing support for AWS®, Microsoft Azure® and Google Cloud Platform. In the virtualized data center/SDN and hybrid arena, Cisco Enterprise Network Compute System (ENCS), VMware Cloud on AWS/NSX®-T and Nutanix® are now supported. Cisco ACI® unmanaged mode is now supported using a Panorama plugin.

VM-Series on Oracle Cloud
VM-Series on Alibaba Cloud


Scale performance, capacity and availability

Leveraging cloud-native services and infrastructure enhancements, the VM-Series can be deployed in both auto scaling and transitive architectures to scale up and scale out to secure dynamic and large-scale deployments. The results are a reduction in your administrative effort and a more cost-effective use of security resources. For organizations that require a data center-oriented approach to availability, the VM-Series on Azure can now be deployed in an active-passive, two-instance high availability configuration.


Accelerate the addition of cloud-centric security features

In PAN-OS 8.0, we released the Panorama Plugin Architecture to help accelerate the addition of new management feature velocity. PAN-OS 9.0 introduces the VM-Series Plugin Architecture to accelerate the addition of new cloud and virtualized data center security features. Support for Azure HA is delivered through the VM-Series plugin in this release. Future examples of how the plugin might be used include adding new hypervisors, licensing and provisioning/deprovisioning. For Panorama™ network security management, plugin examples include Dynamic Address Group capacity increases for AWS and Azure, delivered in October 2018, and Cisco ACI unmanaged mode, delivered with this release.


Manage network security on a whole new scale

New innovations to Panorama make it a whole lot easier to scale your network security. With the latest release, you can now manage up to 5,000 firewalls with a single instance of Panorama. That simplifies life for security teams and meets tight budget constraints. In addition, you can manage more firewalls using Panorama Interconnect, which links multiple Panorama instances so that you can manage up to 30,000 firewalls in a single deployment. This cuts the operational workload for administrators while also improving your company’s overall security posture.


Introducing the K2-Series 5G-ready next-generation firewall

The Palo Alto Networks K2-Series 5G-ready next-generation firewall prevents successful cyberattacks targeting mobile network services, IoT devices and subscribers. It simplifies operations by providing robust, prevention-oriented security to build resilient and high-value mobile networks for a secure 5G digital economy.

Read the K2-Series Datasheet


Secure cellular IoT

Wide adoption of cellular IoT (CIoT) technologies for low-power wide area network (LPWAN) connectivity is enabling industrial digitalization. In particular, Narrowband IoT (NB-IoT) is one of the CIoT technologies well-suited for the LPWAN connectivity standard developed by 3GPP to enable a wide range of cellular devices and services. Complete visibility and control of the NB-IoT traffic on both signaling/control and data planes is essential to secure your CIoT services against DoS attacks from weaponized devices, malware, ransomware and other vulnerabilities.

Narrowband IoT brief