Content Inspection Features
Explore new content inspection features introduced in PAN-OS ® 11.2.
The following section describes new Content Inspection features introduced in PAN-OS 11.2.

Regional Service Domain Control for Advanced DNS Security

September 2025
  • Introduced in PAN-OS 11.2.9.
The Advanced DNS Security and DNS Security subscription services now provide consolidated service domains and let you manually specify the regional FQDN you prefer. Previously, regional FQDN settings affected only Advanced DNS Security response traffic, while request traffic continued to route through the global service domain for inspection. With this update, both DNS Security and Advanced DNS Security traffic (requests and responses) is consistently routed to the default (or user-defined) regional service domain. This creates a more unified and predictable experience for your DNS security services, because request and response traffic now follow the same regional routing path. The change provides better alignment with your chosen regional points of presence and gives you greater control when using regional service domains for your security infrastructure.

Support for Brotli Decompression

November 2024
  • Introduced in PAN-OS 11.2.4.
Attackers often use Brotli compression to bypass traditional security mechanisms. To close this visibility gap and improve security, the Content-Based Threat Detection (CTD) engine, used by Palo Alto Networks NGFWs, now supports Brotli decompression for improved analysis and threat detection of HTTP content. Brotli is a high-efficiency data compression format that Google developed for HTTP web applications and content. Palo Alto Networks Security subscription services, such as Advanced Threat Prevention, Advanced WildFire, and Advanced URL Filtering, rely on the CTD engine to facilitate traffic inspection. With the addition of the Brotli decoder, the CTD engine now processes traffic that it previously dropped or passed through the network as an unsupported content-encoding type, making the traffic available for inspection by various Palo Alto Networks content inspection features. This includes, but is not limited to, Precision AI® optimized features such as Advanced WildFire: Inline Cloud Analysis, Advanced Threat Prevention: Inline Cloud Analysis, and Inline Deep Learning Analysis for Advanced URL Filtering. This also applies to any HTTP traffic payloads that a configured and enabled security policy processes. This new capability allows for broader visibility into traffic. When you enable the feature, the existing content decoder framework integrates this software-based Brotli library.
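The visibility gap described above comes down to one thing: a signature that is present in the plaintext cannot be matched against the compressed bytes, so an inspection engine with no decoder for a given Content-Encoding either passes the payload through opaque or drops it. The following added example (not Palo Alto Networks code, and not how the CTD engine is implemented) demonstrates that point with a small content-decoder framework: gzip and deflate decoders come from the Python standard library, a `br` decoder is registered only when the optional third-party `brotli` package is importable (assumed API: `brotli.compress(bytes)` and `brotli.decompress(bytes)`), and the sample HTTP body, its `SIGNATURE_MARKER` string and the `zstd` header value used to model a coding with no registered decoder are all constructed for this example.

```python
"""Content-Encoding-aware inspection of an HTTP body (added example)."""
import gzip
import zlib
from typing import Callable, Dict, List, Tuple

Codec = Callable[[bytes], bytes]

# Decoders keyed by the Content-Encoding token they undo.
DECODERS: Dict[str, Codec] = {
    "identity": lambda data: data,
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,  # HTTP "deflate" is zlib-wrapped (RFC 1950)
}
# Encoders used only to construct sample bodies for this example.
ENCODERS: Dict[str, Codec] = {
    "identity": lambda data: data,
    "gzip": gzip.compress,
    "x-gzip": gzip.compress,
    "deflate": zlib.compress,
}

try:  # optional Brotli support, registered only if the package is installed
    import brotli  # type: ignore
    DECODERS["br"] = brotli.decompress
    ENCODERS["br"] = brotli.compress
except ImportError:
    pass

# Constructed plaintext; the marker stands in for a content signature.
SAMPLE_PLAINTEXT = (
    b"<html><body>welcome</body></html>\n"
    b"<!-- SIGNATURE_MARKER: constructed test string, not real malware -->\n"
)


def parse_codings(content_encoding: str) -> List[str]:
    """Split 'deflate, gzip' into tokens in the order they were applied."""
    return [tok.strip().lower() for tok in content_encoding.split(",") if tok.strip()]


def encode_body(content_encoding: str, data: bytes) -> bytes:
    """Apply the listed codings left to right (sample construction only)."""
    for coding in parse_codings(content_encoding):
        data = ENCODERS[coding](data)
    return data


def decode_body(content_encoding: str, body: bytes) -> Tuple[bytes, List[str]]:
    """Remove codings right to left (the last one applied is listed last).

    Returns (data, unsupported). When a coding has no decoder the loop stops:
    'data' stays opaque and 'unsupported' names the coding that blocked it.
    """
    data = body
    for coding in reversed(parse_codings(content_encoding)):
        decoder = DECODERS.get(coding)
        if decoder is None:
            return data, [coding]
        data = decoder(data)
    return data, []


def inspect_body(headers: Dict[str, str], body: bytes, patterns: List[bytes]) -> dict:
    """Report which patterns are visible before and after decoding."""
    data, unsupported = decode_body(headers.get("Content-Encoding", "identity"), body)
    return {
        "fully_decoded": not unsupported,
        "unsupported": unsupported,
        "raw_matches": [p.decode() for p in patterns if p in body],  # on the wire
        "matches": [p.decode() for p in patterns if p in data],      # after decoding
    }


if __name__ == "__main__":
    enc = "deflate, gzip"  # stacked codings, as HTTP allows
    body = encode_body(enc, SAMPLE_PLAINTEXT)
    print(inspect_body({"Content-Encoding": enc}, body, [b"SIGNATURE_MARKER"]))
    # Same bytes labelled with a coding nothing here can decode: stays opaque.
    print(inspect_body({"Content-Encoding": "zstd"}, body, [b"SIGNATURE_MARKER"]))
```

Running the block shows `raw_matches` empty and `matches` populated for the stacked gzip-over-deflate body, and `fully_decoded: False` for the body labelled with a coding that has no decoder; the second case is exactly the situation the text describes for Brotli before PAN-OS 11.2.4.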

Advanced DNS Security

May 2024
  • Introduced in PAN-OS 11.2.
The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud, which inspect changes in DNS responses to detect various types of DNS hijacking in real time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network either by directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings to redirect users to a malicious domain, from which they initiate additional attacks. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, whether through unauthorized administrative access to a DNS provider or the DNS server itself, or through a man-in-the-middle (MitM) attack during the DNS resolution process. Misconfigured domains present a similar problem: the attacker seeks to incorporate their own malicious domain into an organization's DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer's subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real time by operating cloud-based detection engines, which provide DNS health support by analyzing DNS responses with ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically, without requiring the user to download update packages when detectors change. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis, so that results are categorized more accurately and returned in a real-time exchange. Analysis models are delivered through content updates; enhancements to existing models, however, are performed as cloud-side updates and require no action by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and requires active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.
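The two conditions described above, a response that resolves a monitored name to something outside its known-good answers (a hijacking indicator) and an outdated CNAME whose target no longer resolves (a misconfiguration that leaves the subdomain unattended), can both be expressed as checks on DNS response data against a baseline. The following added example (not Palo Alto Networks code, and not the cloud detectors the text describes, which use ML-based analytics rather than a static baseline) shows that change-based logic in the simplest form; the baseline, the table standing in for a live resolver, and the sample responses are all constructed for this example using example.com/example.net names and RFC 5737 documentation addresses.

```python
"""Change-based checks on DNS responses (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Answer:
    name: str   # owner name of the record
    rtype: str  # "A", "AAAA" or "CNAME"
    rdata: str  # address or CNAME target


# Constructed baseline: the answers the organization expects for names it owns.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("www.example.com", "A"): {"203.0.113.10", "203.0.113.11"},
    ("shop.example.com", "CNAME"): {"shop-prod.cdn.example.net"},
    ("old.example.com", "CNAME"): {"legacy-app.hosting.example.net"},
}

# Constructed stand-in for a live resolver: names that currently resolve.
# "legacy-app.hosting.example.net" is absent on purpose, modelling a host that
# was deprovisioned while the CNAME pointing at it was left in place.
RESOLVABLE: Dict[str, Set[str]] = {
    "shop-prod.cdn.example.net": {"198.51.100.20"},
    "www.example.com": {"203.0.113.10"},
}

Finding = Tuple[str, str, str]  # (kind, owner name, detail)


def normalize(name: str) -> str:
    """Strip a trailing dot and fold case so names compare reliably."""
    return name.rstrip(".").lower()


def resolves(name: str) -> bool:
    """Stub lookup against the constructed table (a real check would query DNS)."""
    return bool(RESOLVABLE.get(normalize(name)))


def check_response(answers: List[Answer]) -> List[Finding]:
    """Compare a response's answers with the baseline and flag deviations."""
    findings: List[Finding] = []
    for ans in answers:
        name, rdata = normalize(ans.name), normalize(ans.rdata)
        # Outdated record: the CNAME points at a name nobody answers for.
        if ans.rtype == "CNAME" and not resolves(rdata):
            findings.append(("DANGLING_CNAME", name, rdata))
        # Hijacking indicator: a monitored name answered with unexpected data.
        expected = BASELINE.get((name, ans.rtype))
        if expected is not None and rdata not in {normalize(e) for e in expected}:
            findings.append(("UNEXPECTED_ANSWER", name, f"{ans.rtype} {rdata}"))
    return findings


# Constructed responses exercising each path.
GOOD_RESPONSE = [Answer("www.example.com", "A", "203.0.113.10")]
HIJACKED_RESPONSE = [Answer("www.example.com", "A", "198.51.100.99")]
DANGLING_RESPONSE = [Answer("old.example.com", "CNAME", "legacy-app.hosting.example.net")]

if __name__ == "__main__":
    for label, resp in [("good", GOOD_RESPONSE), ("hijacked", HIJACKED_RESPONSE),
                        ("dangling", DANGLING_RESPONSE)]:
        print(label, check_response(resp))
```

Names that are not in the baseline are ignored by the answer check but still get the dangling-CNAME check, which is the part an organization can act on directly by removing or repointing the stale record.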

Local Deep Learning for Advanced Threat Prevention

May 2024
  • Introduced in PAN-OS 11.2.
When handling high volumes of evasive threats or operating under challenging network conditions, relying solely on cloud-based threat analysis can introduce unwanted latency. Local Deep Learning for Advanced Threat Prevention solves this challenge by providing fast, local deep learning-based analysis for zero-day threats, complementing the cloud-based Inline Cloud Analysis component of Advanced Threat Prevention.
With an active Advanced Threat Prevention license, the system quickly analyzes known malicious traffic matching published signatures and applies the configured action, such as dropping the session. For suspicious content, the Deep Learning Analysis detection module reroutes the traffic locally for immediate analysis. Because this module is based on the proven detection engines operating in the Advanced Threat Prevention cloud, you gain the same zero-day and advanced threat detection capabilities, but with the added benefit of processing a much higher traffic volume locally. This allows you to inspect more traffic and receive rapid verdicts without the lag associated with cloud queries. Content updates deliver the latest Local Deep Learning models, ensuring your detection remains current.