Content Inspection Features

Explore the new content inspection features introduced in PAN-OS® 11.2.
The following section describes the new Content Inspection features introduced in PAN-OS 11.2.

Support for Brotli Decompression

November 2024
  • Introduced in PAN-OS 11.2.4.
The Content-Based Threat Detection (CTD) engine used by many Palo Alto Networks platforms now supports Brotli decompression for improved analysis and threat detection of HTTP content. Brotli is a high-efficiency, widely supported data compression format developed by Google for HTTP web applications and content. Palo Alto Networks security subscription services, such as Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, and others, rely on the CTD engine to inspect traffic. With the addition of the Brotli decoder, traffic that was previously dropped, or otherwise passed through the network as an unsupported content-encoding type, is now processed and available for inspection by the various Palo Alto Networks content inspection features. This includes, but is not limited to, Precision AI™ optimized features such as Advanced WildFire: Inline Cloud Analysis, Advanced Threat Prevention: Inline Cloud Analysis, and Inline Deep Learning Analysis for Advanced URL Filtering; it also includes any HTTP traffic payload processed by a configured and enabled security policy. This broadens visibility into traffic and helps protect against attackers who use Brotli compression to bypass traditional security mechanisms. When enabled, the software-based Brotli library is integrated into the existing content decoder framework. Because of the expected increase in traffic inspection, the firewall requires additional resources to enable the feature; as a result, it is available only on select platforms.
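As an added example (not Palo Alto Networks code), the Python below sketches the decoder dispatch the paragraph describes: a response whose Content-Encoding chain names a token with no registered decoder cannot be inspected at all, whereas registering a decoder for that token makes the body available to inspection. The sample responses are constructed, and the optional `brotli` package (not part of the standard library) stands in for the firewall's Brotli decoder.

```python
import gzip
import zlib
from typing import Callable, Dict, Tuple

# Decoder registry: Content-Encoding token -> function that reverses it.
# gzip and deflate (zlib-wrapped) come from the standard library.
STDLIB_DECODERS: Dict[str, Callable[[bytes], bytes]] = {
    "identity": lambda b: b,
    "gzip": gzip.decompress,
    "deflate": zlib.decompress,
}

# Without a 'br' decoder, Brotli bodies stay opaque; the optional
# third-party 'brotli' package stands in for the firewall's library.
try:
    import brotli  # type: ignore
    STDLIB_DECODERS["br"] = brotli.decompress
except ImportError:
    pass


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into lowercased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def inspect_body(raw: bytes, decoders=STDLIB_DECODERS) -> Tuple[str, bytes]:
    """Return (status, payload). Content-Encoding lists encodings in the
    order they were applied, so they are undone in reverse; any token
    without a decoder leaves the whole body uninspectable."""
    headers, body = split_response(raw)
    chain = [t.strip().lower() for t in headers.get("content-encoding", "identity").split(",") if t.strip()]
    for token in reversed(chain):
        if token not in decoders:
            return "unsupported:" + token, body
        try:
            body = decoders[token](body)
        except Exception:  # truncated or malformed stream
            return "corrupt:" + token, body
    return "decoded", body


def build_response(encoding: str, body: bytes) -> bytes:
    """Constructed sample response, not captured traffic."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: " + encoding.encode() + b"\r\n\r\n" + body)


SAMPLE_BODY = b"<html>constructed test page</html>"
SAMPLE_GZIP = build_response("gzip", gzip.compress(SAMPLE_BODY))
SAMPLE_CHAIN = build_response("deflate, gzip", gzip.compress(zlib.compress(SAMPLE_BODY)))
SAMPLE_BR = build_response("br", b"opaque-constructed-bytes")  # placeholder, not real Brotli
```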

Advanced DNS Security

May 2024
  • Introduced in PAN-OS 11.2.
The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud; these detectors inspect changes in DNS responses to detect various types of DNS hijacking in real time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network either by directly manipulating DNS responses or by exploiting DNS infrastructure configuration settings to redirect users to a malicious domain from which additional attacks are launched. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, whether through unauthorized administrative access to a DNS provider or the DNS server itself, or through a MITM attack during the DNS resolution process. Misconfigured domains present a similar problem: the attacker seeks to incorporate their own malicious domain into an organization's DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can allow an attacker to take ownership of the customer's subdomain.
Advanced DNS Security detects and categorizes hijacked and misconfigured domains in real time by operating cloud-based detection engines, which provide DNS health support by analyzing DNS responses with ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you have access to a wide array of detection mechanisms that are updated and deployed automatically, without requiring you to download update packages when the detectors change. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, the DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis, so that a result is categorized more accurately and returned in a real-time exchange. Analysis models are delivered through content updates; however, enhancements to existing models are performed as cloud-side updates and require no action by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and requires active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

Local Deep Learning for Advanced Threat Prevention

May 2024
  • Introduced in PAN-OS 11.2.
Advanced Threat Prevention now supports Local Deep Learning, which provides a mechanism for fast, local deep learning-based analysis of zero-day and other evasive threats, complementing the cloud-based Inline Cloud Analysis component of Advanced Threat Prevention. With an Advanced Threat Prevention license, known malicious traffic that matches the Palo Alto Networks published signature set is dropped (or has another user-defined action applied to it); however, traffic that matches the criteria for suspicious content is rerouted for analysis by the Deep Learning Analysis detection module. If further analysis is necessary, the traffic is sent to the Advanced Threat Prevention cloud for additional analysis, as well as the requisite false-positive and false-negative checks. The Deep Learning detection module is based on the proven detection modules operating in the Advanced Threat Prevention cloud and, as such, has the same zero-day and advanced threat detection capabilities. It also has the added advantage of processing a much higher volume of traffic without the latency associated with cloud queries. This enables you to inspect more traffic and receive verdicts in a shorter span of time, which is especially beneficial under challenging network conditions.
Updates to Local Deep Learning models are delivered through content updates. Local Deep Learning is enabled and configured using the Anti-Spyware profile and requires an active Advanced Threat Prevention license.