The PAN-OS

®

pattern-matching engine now supports new regular expression (regex) syntax and shorter data patterns, which dramatically expand the number of possible custom threat signatures that you can create and ingest from a third-party intrusion prevention system (IPS).

To maximize the benefits of this new compatibility with third-party signatures, install the IPS Signature Converter for Panorama, which provides an automated solution for converting Snort and Suricata signatures into custom Palo Alto Networks threat signatures.

You can also use the new pattern-matching capabilities to more finely control application usage with custom application signatures.

The IPS signature converter plugin leverages the new Enhanced Pattern-Matching Engine to automatically convert rules for Snort and Suricata intrusion prevention system (IPS) software into custom Palo Alto Networks threat signatures. This enables you to immediately augment existing Threat Prevention coverage with Snort and Suricata rules that you receive from threat intelligence sources or that you write specifically for your network environment.

Panorama 10.0 supports the IPS signature converter plugin and supplies the compatible version but does not install the plugin automatically. You should install the plugin if you have or expect to receive Snort and Suricata rules that you want to use in Security policy rules on your Panorama-managed firewalls.

The DNS Security service now features individually configurable and extensible DNS Security Signature Categories, which enables you to create discrete Security policies based on the risk factors associated with certain types of DNS traffic. You can apply these new domain categories in your DNS Security policies to implement granular access control for different categories of domains based on the risk that these domains pose to your organization. These categories currently include C2 (encompasses DGA and DNS tunneling), malware, DDNS, newly registered domains, and phishing and we can expand these categories through PAN-OS content releases.

The DNS Security service now collects additional server response and request information to provide improved analytics, DNS detection, and prevention.

The firewall can now use machine learning (ML) on the dataplane to analyze web page content and determine if the pages contain malicious JavaScript or other content used for credential phishing. Inline ML prevents web page threats from infiltrating your network by providing real-time analysis capabilities on the firewall, which reduces the possibility of proliferation of unknown JavaScript variants and other phishing vectors.