Content Inspection Changes

PAN-OS® 8.0 has the following changes in default behavior for content inspection features. Each entry below names the feature and then describes the change:
TCP settings
The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) are changed in 8.0:
  • Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag, is now set to yes by default.
  • Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option, is now set to yes by default.
  • Forward segments exceeding TCP out-of-order queue is now disabled by default, so segments that overflow the out-of-order queue are dropped instead of being forwarded uninspected. The corresponding CLI command, set deviceconfig setting tcp bypass-exceed-oo-queue, is now set to no by default.
Content-ID™
Forward segments exceeding TCP App-ID inspection queue (Device > Setup > Content-ID > Content-ID Settings) is now disabled by default, so segments that overflow the App-ID inspection queue are dropped instead of being forwarded without App-ID inspection. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
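Because a setting left at its default is not written to the exported configuration, the effective value of each of the four settings above after an upgrade is whatever 8.0 now defaults to, unless an administrator had set it explicitly. The following added audit script (not Palo Alto Networks code) reads a configuration export and reports any setting whose effective value is weaker than the 8.0 default, together with the configure-mode command that restores it. It assumes the usual PAN-OS CLI-to-XML correspondence, so that `set deviceconfig setting tcp drop-zero-flag` maps to the XML path `deviceconfig/setting/tcp/drop-zero-flag`; the sample configuration is constructed for the example.

```python
"""Audit a PAN-OS configuration export for the four content-inspection
settings whose defaults changed in PAN-OS 8.0.

Added example, not Palo Alto Networks code.  Assumptions (not stated on
the release-notes page): a setting at its default is absent from the
exported XML, so the effective value is the explicit element if present
and otherwise the 8.0 default; and the CLI path
`set deviceconfig setting tcp drop-zero-flag` corresponds to the XML path
deviceconfig/setting/tcp/drop-zero-flag.
"""
import xml.etree.ElementTree as ET

# Setting path (relative to <deviceconfig>) and its PAN-OS 8.0 default,
# as listed in the release notes.
PANOS_80_DEFAULTS = {
    "setting/tcp/drop-zero-flag": "yes",
    "setting/tcp/check-timestamp-option": "yes",
    "setting/tcp/bypass-exceed-oo-queue": "no",
    "setting/application/bypass-exceed-queue": "no",
}

# Constructed sample: an administrator explicitly re-enabled forwarding of
# segments that exceed the out-of-order queue on an earlier release; the
# other three settings were never configured and so are absent.
SAMPLE_CONFIG = """<config version="8.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <setting>
          <tcp>
            <bypass-exceed-oo-queue>yes</bypass-exceed-oo-queue>
          </tcp>
        </setting>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def effective_settings(config_xml: str) -> dict:
    """Map each audited setting to its explicit, effective and default value."""
    root = ET.fromstring(config_xml)
    deviceconfig = root.find("./devices/entry/deviceconfig")
    result = {}
    for path, default in PANOS_80_DEFAULTS.items():
        node = None if deviceconfig is None else deviceconfig.find(path)
        explicit = node.text.strip() if node is not None and node.text else None
        result[path] = {
            "explicit": explicit,
            "effective": explicit if explicit is not None else default,
            "default_80": default,
        }
    return result


def deviations(config_xml: str) -> list:
    """Settings whose effective value differs from the 8.0 hardened default."""
    return sorted(path for path, v in effective_settings(config_xml).items()
                  if v["effective"] != v["default_80"])


def cli_to_restore(path: str) -> str:
    """Configure-mode command that puts a setting back at its 8.0 default."""
    return f"set deviceconfig {path.replace('/', ' ')} {PANOS_80_DEFAULTS[path]}"


if __name__ == "__main__":
    settings = effective_settings(SAMPLE_CONFIG)
    for path in deviations(SAMPLE_CONFIG):
        print(f"{path}: effective={settings[path]['effective']!r} -> {cli_to_restore(path)}")
```

Run it against the output of `show config running` saved as XML (or a Panorama export) to find firewalls where an old explicit override silently keeps the pre-8.0 bypass behaviour in place.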
Zone Protection profiles
In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that carry data in the payload during the three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile allows TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, these three default settings (drop SYN with data, drop SYN-ACK with data, and the TCP Fast Open handling) apply to each existing profile and the firewall acts accordingly.
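To make concrete what the TCP Settings bullets and the Zone Protection defaults above act on at the byte level, here is an added classifier (not Palo Alto Networks code, and a model of the documented decisions rather than of the firewall's implementation) that parses raw TCP segments and returns the verdict the 8.0 defaults would give. Two terms the page does not define are taken as assumptions: a "null timestamp option" is treated as a Timestamps option (kind 8) whose TSval and TSecr are both zero, and a "valid Fast Open cookie" as a TFO option (kind 34) carrying a 4- to 16-byte cookie, the length limits of RFC 7413, with no check of the cookie's contents, which only the server can verify. The sample segments are constructed for the example.

```python
"""Classify raw TCP segments under the PAN-OS 8.0 default behaviour
described in the release notes.  Added example, not Palo Alto Networks
code.  Assumptions: "null timestamp option" = Timestamps option (kind 8)
with TSval and TSecr both zero; "valid Fast Open cookie" = TFO option
(kind 34) with a 4- to 16-byte cookie (RFC 7413 limits); an option
kind 254 experimental TFO encoding is not recognised.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
OPT_TIMESTAMPS, OPT_FAST_OPEN = 8, 34


def parse_tcp(segment: bytes) -> dict:
    """Parse the fixed TCP header, the options and the payload of a segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0x1FF            # NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    options = {}
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        options[kind] = opts[i + 2:i + length]
        i += length
    return {"flags": flags, "options": options, "payload": segment[data_offset:]}


def classify(segment: bytes) -> str:
    """Return 'allow' or 'drop: <reason>' under the PAN-OS 8.0 defaults."""
    seg = parse_tcp(segment)
    flags, opts, payload = seg["flags"], seg["options"], seg["payload"]
    if (flags & 0xFF) == 0:              # Drop segments without flag
        return "drop: segment without flags (drop-zero-flag)"
    ts = opts.get(OPT_TIMESTAMPS)
    if ts is not None and len(ts) == 8 and ts == b"\x00" * 8:
        return "drop: null timestamp option (check-timestamp-option)"
    syn_only = (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    syn_ack = (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
    if (syn_only or syn_ack) and payload:
        cookie = opts.get(OPT_FAST_OPEN)
        if cookie is not None and 4 <= len(cookie) <= 16:
            return "allow"               # TCP Fast Open with a cookie of valid length
        return "drop: %s with data" % ("SYN" if syn_only else "SYN-ACK")
    return "allow"


def build_segment(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a raw TCP segment for testing (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample segments covering each rule.
SAMPLES = {
    "null scan": build_segment(0),
    "syn": build_segment(TCP_SYN),
    "syn with data": build_segment(TCP_SYN, payload=b"GET / HTTP/1.0\r\n"),
    "syn tfo cookie": build_segment(TCP_SYN, options=b"\x22\x0a" + bytes(range(8)),
                                    payload=b"GET / HTTP/1.0\r\n"),
    "syn tfo request": build_segment(TCP_SYN, options=b"\x22\x02", payload=b"x"),
    "synack with data": build_segment(TCP_SYN | TCP_ACK, payload=b"x"),
    "ack null timestamp": build_segment(TCP_ACK, options=b"\x08\x0a" + b"\x00" * 8, payload=b"x"),
    "ack timestamp": build_segment(TCP_ACK, options=b"\x08\x0a" + struct.pack("!II", 12345, 678)),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:20s} {classify(seg)}")
```

The "syn tfo request" case is the one worth noticing: a SYN that carries data together with an empty TFO option (a cookie request, not a cookie) is still dropped, which matches the page's wording that only handshake packets with a valid cookie are allowed through.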
Decryption
The firewall does not support SSL decryption for server certificates whose RSA keys exceed 8 Kb (8192 bits). You can either block connections to servers that use such certificates or skip SSL decryption for those connections. To block them, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption instead, clear Block sessions with unsupported cipher suites; those sessions are then passed through undecrypted and their content is not inspected.
URL Filtering
When a firewall running PAN-OS 8.0 connects with PAN-DB (public or private cloud), it validates the Common Name on the server certificate before establishing an SSL connection. If the validation fails, the connection is refused and the firewall generates a system log.
Data Pattern objects
Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type > Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
Application filters
You must now select at least one Category when creating or modifying an application filter (Objects > Application Filters). This optimizes firewall performance when filtering applications, because the filter then includes only the categories that are relevant to you.
DoS Protection and Vulnerability Protection Profiles
When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.