Content Inspection Features

Learn about new content inspection capabilities in PAN-OS® 10.0.
New Content Inspection Feature
Description
Enhanced Pattern-Matching Engine for Custom Signatures
The PAN-OS® pattern-matching engine now supports new regular expression (regex) syntax and shorter data patterns, which dramatically expand the number of possible custom threat signatures that you can create and ingest from a third-party intrusion prevention system (IPS).
To maximize the benefits of this new compatibility with third-party signatures, install the IPS Signature Converter for Panorama, which provides an automated solution for converting Snort and Suricata signatures into custom Palo Alto Networks threat signatures.
You can also use the new pattern-matching capabilities to more finely control application usage with custom application signatures.
IPS Signature Converter Plugin
The IPS signature converter plugin leverages the new Enhanced Pattern-Matching Engine to automatically convert rules for Snort and Suricata intrusion prevention system (IPS) software into custom Palo Alto Networks threat signatures. This enables you to immediately augment existing Threat Prevention coverage with Snort and Suricata rules that you receive from threat intelligence sources or that you write specifically for your network environment.
Panorama 10.0 supports the IPS signature converter plugin and supplies the compatible version but does not install the plugin automatically. You should install the plugin if you have or expect to receive Snort and Suricata rules that you want to use in Security policy rules on your Panorama-managed firewalls.
DNS Security Signature Categories
The DNS Security service now features individually configurable and extensible DNS Security Signature Categories, which enable you to create discrete Security policies based on the risk factors associated with certain types of DNS traffic. You can apply these new domain categories in your DNS Security policies to implement granular access control for different categories of domains based on the risk that these domains pose to your organization. These categories currently include C2 (encompasses DGA and DNS tunneling), malware, DDNS, newly registered domains, and phishing, and we can expand these categories through PAN-OS content releases.
Expanded Data Collection for the DNS Security Service
The DNS Security service now collects additional server response and request information to provide improved analytics, DNS detection, and prevention.
URL Filtering Inline ML
The firewall can now use machine learning (ML) on the dataplane to analyze web page content and determine if the pages contain malicious JavaScript or other content used for credential phishing. Inline ML prevents web page threats from infiltrating your network by providing real-time analysis capabilities on the firewall, which reduces the possibility of proliferation of unknown JavaScript variants and other phishing vectors.
Increased Security Against Evasion Attacks
New protections bolster your defenses against evasion attacks where attackers attempt to breach your network by bypassing security inspection. The increased security measures cover evasion techniques that misuse URLs and Base64-encoded content. You begin receiving this protection as soon as you upgrade to a PAN-OS 10.0 release—no subscription or additional configuration is required.
