Enhanced Security for Application and URL Category-Based Policy
New in PAN-OS 7.1.1
A new security enhancement prevents evasions of policy rules that block or allow traffic based on URL category and/or application. Now, after a firewall performs DNS resolutions to classify traffic as belonging to an App-ID or a URL category, the firewall also checks to ensure that the hostname or SNI indicated in the initial HTTP or TLS request corresponds to the destination IP address for the established session.
To benefit from the increased security for application and URL category-based policy rules, you must:
1. Upgrade the firewall to PAN-OS 7.1.1.
2. Install the Applications and Threats content version 579 or a later release.
3. Set up the firewall to act as a DNS proxy—this allows the firewall to ensure that DNS resolutions match connecting clients.
4. Configure an anti-spyware profile to alert on or block traffic that matches the signatures 14984 and 14978, and attach the anti-spyware profile to a policy rule.
Review this detailed workflow to make sure you have enabled prevention for HTTP hostname and TLS SNI evasions.
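The check the enhancement describes (the name a client presents in its HTTP Host header or TLS SNI must be one that the same client actually resolved, through the firewall's DNS proxy, to the session's destination IP) is easy to model. The following is an added illustration written for this page, not Palo Alto Networks code and not how PAN-OS implements the feature internally; the DnsProxyCache, Session, and check_session names, the sample request, and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


def normalize_host(host):
    """Lower-case a name, drop a :port suffix (Host header form) and a trailing dot."""
    host = host.strip().lower()
    # Only strip a port from a bare name; bracketed IPv6 literals keep their colons.
    if not host.startswith("[") and host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


class DnsProxyCache:
    """Constructed stand-in for the resolutions a firewall sees as DNS proxy:
    (client IP, hostname) -> set of answer IPs handed to that client."""

    def __init__(self):
        self._answers = defaultdict(set)

    def record(self, client_ip, hostname, answer_ip):
        self._answers[(client_ip, normalize_host(hostname))].add(answer_ip)

    def answers_for(self, client_ip, hostname):
        return self._answers.get((client_ip, normalize_host(hostname)), set())


def host_from_http_request(raw):
    """Return the Host header value from a raw HTTP/1.x request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    m = re.search(r"^host:[ \t]*([^\r\n]+)", head, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


@dataclass
class Session:
    client_ip: str
    dst_ip: str
    indicated_host: str  # HTTP Host header value or TLS SNI


def check_session(cache, session):
    """'match'      : the indicated name resolved to dst_ip for this client
       'mismatch'   : the client resolved the name, but to other addresses
       'unresolved' : this client never resolved the name through the proxy"""
    answers = cache.answers_for(session.client_ip, session.indicated_host)
    if not answers:
        return "unresolved"
    return "match" if session.dst_ip in answers else "mismatch"


def demo():
    """Three constructed sessions from one client: honest, evasive, and unresolved."""
    cache = DnsProxyCache()
    cache.record("10.0.0.5", "allowed.example.com", "203.0.113.10")
    # Constructed request whose Host header names the resolved (allowed) site.
    req = b"GET / HTTP/1.1\r\nHost: allowed.example.com:80\r\n\r\n"
    host = host_from_http_request(req)
    honest = Session("10.0.0.5", "203.0.113.10", host)
    evasive = Session("10.0.0.5", "198.51.100.7", host)  # allowed name, different server
    never = Session("10.0.0.5", "198.51.100.7", "other.example.net")
    return [check_session(cache, s) for s in (honest, evasive, never)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The "mismatch" verdict is the case the enhancement targets: a session that presents a permitted hostname while connecting to an address that name never resolved to. The "unresolved" verdict is why step 3 (DNS proxy) is a prerequisite; without seeing the client's own resolutions, the firewall has nothing to compare the indicated name against.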
Protection Against LZMA Compressed Adobe Flash Files
The firewall now supports hash-based protection against malicious Adobe flash files that have undergone Lempel-Ziv-Markov chain algorithm (LZMA) compression. Though LZMA compression is a legitimate type of compression that allows data to be reconstructed in its original form without data loss, it can also be used to compress malicious files so that they evade detection.
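Why compression defeats naive hash matching, and why a detector has to hash what is inside the container, can be shown with the SWF format itself: an SWF begins with the signature FWS (uncompressed), CWS (zlib) or ZWS (LZMA), and the same file body produces three different file hashes. The following is an added example written for this page, not Palo Alto Networks code and not a description of how the firewall's own hash matching works; the tag bytes in build_samples are made up, and the ZWS header layout used (signature, version, uncompressed length, compressed length, 5 LZMA property bytes, LZMA stream) is taken from the published SWF file format.

```python
import hashlib
import lzma
import zlib


def lzma_props_to_filter(props):
    """Decode the 5-byte LZMA properties block: one lc/lp/pb byte, then a
    little-endian 32-bit dictionary size."""
    d = props[0]
    return {"id": lzma.FILTER_LZMA1, "lc": d % 9, "lp": (d // 9) % 5,
            "pb": d // 45, "dict_size": int.from_bytes(props[1:5], "little")}


def swf_body(raw):
    """Return (compression, decompressed body after the 8-byte header)."""
    sig = raw[:3]
    if sig == b"FWS":
        return "none", raw[8:]
    if sig == b"CWS":
        return "zlib", zlib.decompress(raw[8:])
    if sig == b"ZWS":
        # bytes 8-11: compressed length, bytes 12-16: LZMA properties, then raw LZMA1 data
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW,
                                    filters=[lzma_props_to_filter(raw[12:17])])
        return "lzma", dec.decompress(raw[17:])
    raise ValueError("not an SWF file")


def file_hash(raw):
    """Hash of the bytes on disk; changes whenever the container changes."""
    return hashlib.sha256(raw).hexdigest()


def content_hash(raw):
    """Hash of the decompressed body; stable across FWS/CWS/ZWS packaging."""
    return hashlib.sha256(swf_body(raw)[1]).hexdigest()


def build_samples():
    """Constructed sample: one made-up SWF body packaged uncompressed, zlib and LZMA."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x40\x00" * 20
    version = bytes([13])  # LZMA-compressed SWF requires SWF version 13 or later
    total = (len(body) + 8).to_bytes(4, "little")  # uncompressed length includes header
    fws = b"FWS" + version + total + body
    cws = b"CWS" + version + total + zlib.compress(body)
    lc, lp, pb, dict_size = 3, 0, 2, 1 << 16
    flt = {"id": lzma.FILTER_LZMA1, "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}
    comp = lzma.LZMACompressor(format=lzma.FORMAT_RAW, filters=[flt])
    stream = comp.compress(body) + comp.flush()
    props = bytes([(pb * 5 + lp) * 9 + lc]) + dict_size.to_bytes(4, "little")
    zws = (b"ZWS" + version + total + len(stream).to_bytes(4, "little")
           + props + stream)
    return fws, cws, zws


if __name__ == "__main__":
    for sample in build_samples():
        kind, _ = swf_body(sample)
        print(f"{kind:5s} file={file_hash(sample)[:16]}  content={content_hash(sample)[:16]}")
```

Running it prints three different file hashes but one identical content hash, which is the property a hash-based signature needs if it is to keep matching a known malicious Flash file after an attacker re-packs it with LZMA.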
Extended Support for URLs and Domain Names in an External Dynamic List
External Dynamic Lists (formerly called Dynamic Block Lists) now support URLs and domain names in addition to IP addresses. External dynamic lists allow you to automate and simplify the process of importing URLs, domain names, and IP addresses into the firewall. These lists allow you to take prompt action when you receive threat intelligence from external sources because they do not require a configuration change or commit on the firewall. For domains, you can configure the firewall to alert, block, or sinkhole traffic when performing a DNS resolution. For URLs, you can trigger an alert or block the traffic when the user makes an HTTP request. IP address lists continue to be available for use in policy rules and are best suited for enforcing an IP block list.
Each External Dynamic List can include entries of one type only—IP address, URL, or domain. You cannot combine different types of entries in a single list.
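Because a list must hold entries of a single type, a list that a threat-intelligence feed publishes for the firewall is worth validating before it is hosted. The following is an added example written for this page, not Palo Alto Networks code and not the firewall's own parser: it classifies each line as an IP entry (address, CIDR block, or address range), a domain, or a URL, and rejects a list that mixes types. The assumptions that one entry per line, that lines starting with "#" are comments, and that a range is written as "first-last" are the example's, and the classify and parse_list names and the sample lists are constructed.

```python
import ipaddress
import re

_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
# Optional leading "*." wildcard, then two or more dot-separated labels.
_DOMAIN_RE = re.compile(rf"^(\*\.)?({_LABEL}\.)+{_LABEL}\.?$", re.IGNORECASE)


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _is_ip_or_network(s):
    try:
        ipaddress.ip_network(s, strict=False)  # accepts a bare address or a CIDR block
        return True
    except ValueError:
        return False


def classify(entry):
    """Return 'ip', 'domain' or 'url' for one list line; raise ValueError otherwise."""
    e = entry.strip()
    parts = e.split("-")
    if len(parts) == 2 and all(_is_ip(p) for p in parts):
        return "ip"  # address range, assumed "first-last" form
    if _is_ip_or_network(e):
        return "ip"
    if _DOMAIN_RE.match(e):
        return "domain"
    # A URL: optional scheme, then a host, then a path, query or fragment.
    host = e.split("://", 1)[1] if "://" in e else e
    host = re.split(r"[/?#]", host, 1)[0]
    if host != e and (_DOMAIN_RE.match(host) or _is_ip_or_network(host)):
        return "url"
    raise ValueError(f"unrecognized entry: {entry!r}")


def parse_list(text):
    """Parse one external dynamic list. Returns (kind, entries); raises ValueError
    on a malformed entry or when a second entry type appears in the same list."""
    kind, entries = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # "#" comment lines: assumed convention
            continue
        k = classify(line)
        if kind is None:
            kind = k
        elif k != kind:
            raise ValueError(f"line {lineno}: {k} entry {line!r} in a {kind} list")
        entries.append(line)
    return kind, entries


# Constructed sample lists (documentation addresses and example domains only).
IP_LIST = "# constructed block list\n203.0.113.0/24\n198.51.100.5\n198.51.100.10-198.51.100.20\n"
DOMAIN_LIST = "malicious.example.com\n*.bad.example.net\n"
URL_LIST = "example.com/downloads/payload\nhttps://example.net/x?y=1\n"
MIXED_LIST = "203.0.113.5\nexample.com\n"

if __name__ == "__main__":
    for name, text in (("ip", IP_LIST), ("domain", DOMAIN_LIST), ("url", URL_LIST)):
        print(name, parse_list(text))
    try:
        parse_list(MIXED_LIST)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting a mixed list at publication time is preferable to discovering the problem on the firewall, where the entries of the wrong type would simply not be enforced by a list object of the other type.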
TCP Sessions and Content-ID™ Settings in the Web Interface.