Cloud NGFW for Azure Security Features and CDSS Capabilities

To secure and protect your traffic, Cloud NGFW for Azure provides Palo Alto Networks protections through granular controls and Cloud Delivered Security Services (CDSS):

• App-ID. Based on patented Layer 7 traffic classification technology, the App-ID service allows you to see the applications on your network, learn how they work, observe their behavioral characteristics, and understand their relative risk. Cloud NGFW for Azure identifies applications and application functions via multiple techniques, including application signatures, decryption, protocol decoding, and heuristics. These capabilities determine the exact identity of applications traversing your network, including those attempting to evade detection by masquerading as legitimate traffic by hopping ports or using encryption.
• Threat Prevention. The Palo Alto Networks Threat Prevention service protects your network by providing multiple layers of prevention to confront each phase of an attack. In addition to essential intrusion prevention service (IPS) capabilities, Threat Prevention possesses the unique ability to detect and block threats on any ports—rather than simply invoking signatures based on a limited set of predefined ports.
• Advanced URL Filtering. This critical service built into Cloud NGFW for Azure stops unknown web-based attacks in real-time to prevent patient zero with the industry’s only ML-powered Advanced URL Filtering. Advanced URL Filtering combines the renowned Palo Alto Networks malicious URL database with the industry’s first real-time web protection engine so organizations can automatically and instantly detect and prevent new malicious and targeted web-based threats.
• DNS. DNS Security gives you real-time protection, applying industry-first protections to disrupt attacks that use DNS. Tight integration with a Palo Alto Networks Next-Generation Firewall (NGFW) gives you automated protections, prevents attackers from bypassing security measures, and eliminates the need for independent tools or changes to DNS routing. DNS Security gives your organization a critical new control point to stop attacks.
• WildFire. Palo Alto Networks Advanced WildFire® is the industry’s largest cloud-based malware prevention engine that protects organizations from highly evasive threats using patented machine learning detection engines, enabling automated protections across network, cloud, and endpoints. Advanced WildFire analyzes every unknown file for malicious intent and then distributes prevention in record time—60 times faster than the nearest competitor—to reduce the risk of patient zero.

Advanced Threat Protection

Advanced Threat Prevention (ATP) is an intrusion prevention system (IPS) solution that can detect and block malware, vulnerability exploits, and command and control (C2) across all ports and protocols, using a multilayered prevention system with components operating on Cloud NGFW for Azure and in the cloud. The Threat Prevention cloud operates a multitude of detection services using the combined threat data from Palo Alto Networks services to create signatures, each possessing specific identifiable patterns, and are used by the Cloud NGFW for Azure to enforce security policy rules when matching threats and malicious behaviors are detected. These signatures are categorized based on the threat type and are assigned unique identifier numbers. To detect threats that correspond with these signatures, Cloud NGFW for Azure operates analysis engines that inspect and classify network traffic exhibiting anomalous traits.

After enabling Advanced Threat Prevention, use Panorama to configure associated Advanced Threat Prevention policies.

In addition to the signature-based detection mechanism, Advanced Threat Prevention provides an inline detection system to prevent unknown and evasive C2 threats, including those produced through the Empire framework, as well as command injection and SQL injection vulnerabilities. The Advanced Threat Prevention cloud operates extensible deep learning models that enable inline analysis capabilities on Cloud NGFW for Azure, on a per-request basis to prevent zero-day threats from entering the network as well as to distribute protections. This allows you to prevent unknown threats using real-time traffic inspection with inline detectors. These deep learning, ML-based detection engines in the Advanced Threat Prevention cloud analyze traffic for unknown C2 and vulnerabilities that utilize SQL injection and command injection to protect against zero-day threats. To provide a threat context and comprehensive detection details, reports are generated that can include the tools and techniques used by the attacker, the scope, and impact of the detection, as well as the corresponding cyberattack classification as defined by the MITRE ATT&CK® framework.

Advanced URL Filtering

Advanced URL Filtering is a comprehensive URL filtering solution that protects your network and users from web-based threats. Combining the capabilities of PAN-DB with a web security engine powered by machine learning, Advanced URL Filtering categorizes and blocks malicious URLs in real-time. With an Advanced URL Filtering license (or legacy URL filtering license), you can restrict access to websites and control user interactions with web content. For example, you can prevent users from accessing websites known to host malware or entering corporate credentials into websites in specific categories.

Palo Alto Networks provides a set of predefined URL filtering categories. You can also specify your own URL filtering categories using a customer URL category object. For example, create a custom list of URLs that you want to use as match criteria in a Security policy rule. This is a good way to specify exceptions to URL categories, where you’d like to enforce specific URLs differently than the URL category to which they belong.

For a high-level summary of how Advanced URL Filtering provides best-in-class web protection for the modern enterprise, review the Advanced URL Filtering datasheet.

Wildfire Protection

Cloud NGFW can now detect and forward files, executables, and malicious scripts (such as JScript and PowerShell) in your VPC traffic to WildFire™ cloud service for analysis. WildFire then applies threat intelligence, analytics, and correlations on these forwarded files (executables or scripts) and delivers verdicts based on the analysis. If a threat is detected on them, WildFire creates protections to block malware, and globally distribute these protection for that threat in a few minutes.

WildFire goes beyond traditional sandboxing approaches and uses multiple techniques to identify files with potential malicious behaviors. These techniques include:

• Dynamic analysis - observes files as they execute in a purpose-built, evasion-resistant virtual environment, enabling detection of previously unknown malware using hundreds of behavioral characteristics.
• Static analysis - complements dynamic analysis with effective detection of malware, providing instant identification of malware variants. Static analysis further leverages dynamic unpacking to analyze threats attempting to evade detection through the use of packing tool sets.
• Network traffic profiles - detect malicious traffic patterns based on malware variants such as backdoor creation, download of next-stage malware, access to low-reputation domains, and network reconnaissance.
• Machine learning - extracts thousands of unique features from each file, training a predictive machine learning model to identify new malware, which isn't possible with static or dynamic analysis alone.
• A custom-built hypervisor - prevents attacker evasion techniques with a robust, proprietary hypervisor that does not depend on open-source projects or proprietary software to which attackers have access.