Content Inspection Features

This section describes the new Content Inspection features introduced in PAN-OS 12.1.

DNS Security Log Type

August 2025
  • Introduced in PAN-OS 12.1.2
DNS Security now supports a new log type specifically tailored for DNS Security events, enhancing visibility and reporting for both benign and malicious DNS traffic, while also providing comprehensive DNS transaction details, including query and response information. Previously, DNS Security logs were generated for DNS traffic defined as a DNS threat category and were subsequently filed under the Threat log type. With the new DNS Security log type, you can configure the firewall to generate logs for benign DNS queries. Additionally, the logs can be forwarded to external logging systems, including Palo Alto Networks Strata Logging Service, and are accessible through the log viewer and dashboard.
The updated DNS Security logs also provide comprehensive DNS transaction details. These include essential fields such as session ID, receive time, source and destination information, DNS category, threat name, severity, and action taken. The logs also provide detailed DNS response data, including flags, query name, record type, resolved IP addresses, and TTL values. This comprehensive logging enables you to identify compromised endpoints, assess potential risks to other clients, and perform retrospective analysis of DNS activity during security incidents. When the feature is enabled, you can capture logs for all DNS traffic, which allows for more accurate analysis, an enhanced ability to detect, investigate, and respond to DNS-based threats, and improved incident response capabilities.
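The retrospective analysis described above, as an added example that is not Palo Alto Networks code. The CSV column names, the reason labels, and the sample records are constructed assumptions based on the fields listed in the text, not the PAN-OS log schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumptions modelled on the
# fields listed in the text; they are not the PAN-OS log schema.
SAMPLE_LOG = """\
receive_time,session_id,src,query_name,record_type,resolved_ips,ttl,category,action
2025-08-01T09:00:05,1001,10.0.0.21,cdn.example.net,A,203.0.113.10,300,benign,allow
2025-08-01T09:14:40,1002,10.0.0.34,updates.example.test,A,198.51.100.7,60,benign,allow
2025-08-01T11:02:13,1003,10.0.0.21,Updates.Example.Test.,A,198.51.100.7,60,benign,allow
2025-08-02T08:30:00,1004,10.0.0.55,updates.example.test,A,,0,malware,block
2025-08-02T08:45:19,1005,10.0.0.62,mirror.example.org,A,198.51.100.7;203.0.113.99,120,benign,allow
"""


def load(text):
    """Parse the CSV export and normalise names and answer lists."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["query_name"] = row["query_name"].lower().rstrip(".")
        row["resolved_ips"] = {ip for ip in row["resolved_ips"].split(";") if ip}
    return rows


def retrospective(rows, benign="benign"):
    """Map each client to the reasons it deserves a look after a detection."""
    bad_names = {r["query_name"] for r in rows if r["category"] != benign}
    # Answers ever returned for a flagged name, including answers logged
    # while the name was still categorised as benign.
    bad_ips = set()
    for r in rows:
        if r["query_name"] in bad_names:
            bad_ips |= r["resolved_ips"]
    report = defaultdict(set)
    for r in rows:
        if r["category"] != benign:
            report[r["src"]].add("flagged_query")
        elif r["query_name"] in bad_names:
            # Only visible because benign queries were logged too.
            report[r["src"]].add("unflagged_query_same_name")
        elif r["resolved_ips"] & bad_ips:
            # Shared hosting makes this a lead to verify, not a verdict.
            report[r["src"]].add("resolved_shared_ip")
    return {src: sorted(reasons) for src, reasons in sorted(report.items())}


if __name__ == "__main__":
    for src, reasons in retrospective(load(SAMPLE_LOG)).items():
        print(src, ", ".join(reasons))
```

With threat-only logging, only the client behind session 1004 would appear; the other three clients surface because their benign queries were logged.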

Support for Brotli Decompression

August 2025
Attackers often use Brotli compression to bypass traditional security mechanisms. To close this visibility gap and improve security, the Content-Based Threat Detection (CTD) engine, used by Palo Alto Networks NGFWs, now supports Brotli decompression for improved analysis and threat detection of HTTP content. Brotli is a high-efficiency data compression format that Google developed for HTTP web applications and content. Palo Alto Networks Security subscription services, such as Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering, rely on the CTD engine to facilitate traffic inspection.
With the addition of the Brotli decoder, the CTD engine now processes traffic that it previously dropped or passed through the network as an unsupported content-encoding type, making the traffic available for inspection by various Palo Alto Networks content inspection features. This includes, but is not limited to, Precision AI® optimized features such as Advanced WildFire: Inline Cloud Analysis, Advanced Threat Prevention: Inline Cloud Analysis, and Inline Deep Learning Analysis for Advanced URL Filtering. This also applies to any HTTP traffic payloads that a configured and enabled security policy processes.
This new capability allows for broader visibility into traffic. When you enable the feature, the existing content decoder framework integrates this software-based Brotli library.