Content Inspection Changes
PAN-OS® 8.0 has the following changes in default behavior for content inspection features:
The default for the following TCP Settings option has changed in 8.0: Forward segments exceeding TCP App-ID inspection queue is now disabled by default. The corresponding CLI setting, set deviceconfig setting application bypass-exceed-queue, is now set to the disabled value by default.
Zone Protection profiles
In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
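The following is an added example, not Palo Alto Networks code, that models the two handshake defaults described above: it parses a raw TCP segment, and returns a verdict of drop for a SYN or SYN-ACK that carries payload, except when the segment also carries a TCP Fast Open option (option kind 34, RFC 7413) with a cookie. The firewall validates the cookie itself; this model only checks that a cookie of a legal length is present, which is an assumption noted in the code. The sample segments are constructed inline.

```python
"""Model of the PAN-OS 8.0 default handling of TCP handshake packets with
payload. Added example, not PAN-OS code. Sample segments are constructed."""
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10
TFO_OPTION_KIND = 34  # TCP Fast Open option, RFC 7413


def parse_options(raw: bytes) -> list:
    """Walk the TCP option TLVs and return [(kind, value_bytes), ...]."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    """Parse a raw TCP segment (no IP header) into flags, options and payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid TCP data offset")
    return {
        "flags": off_flags & 0x01FF,
        "options": parse_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def has_tfo_cookie(options) -> bool:
    """True if a TFO option carrying a cookie (4..16 bytes) is present.
    A zero-length TFO option is only a cookie request. Assumption: cookie
    validity itself is checked by the firewall and is not modelled here."""
    return any(kind == TFO_OPTION_KIND and 4 <= len(val) <= 16 for kind, val in options)


def handshake_verdict(segment: bytes) -> str:
    """Apply the PAN-OS 8.0 defaults: drop SYN/SYN-ACK with data unless TFO cookie."""
    tcp = parse_tcp(segment)
    if not tcp["flags"] & TCP_SYN:
        return "allow"        # not a handshake packet; other checks apply
    if not tcp["payload"]:
        return "allow"        # ordinary SYN / SYN-ACK without data
    if has_tfo_cookie(tcp["options"]):
        return "allow"        # TCP Fast Open handshake with a cookie
    return "drop"             # data in SYN / SYN-ACK without TFO cookie


def build_segment(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Construct a minimal TCP segment for testing (ports and checksum are dummies)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample segments.
TFO_COOKIE_OPTION = bytes([TFO_OPTION_KIND, 10]) + bytes(range(8))   # 8-byte cookie
TFO_REQUEST_OPTION = bytes([TFO_OPTION_KIND, 2])                     # cookie request only
PLAIN_SYN = build_segment(TCP_SYN)
SYN_WITH_DATA = build_segment(TCP_SYN, payload=b"GET / HTTP/1.1\r\n")
SYNACK_WITH_DATA = build_segment(TCP_SYN | TCP_ACK, payload=b"\x16\x03\x01")
TFO_SYN_WITH_DATA = build_segment(TCP_SYN, TFO_COOKIE_OPTION, b"GET / HTTP/1.1\r\n")
TFO_REQUEST_WITH_DATA = build_segment(TCP_SYN, TFO_REQUEST_OPTION, b"GET / HTTP/1.1\r\n")
ACK_WITH_DATA = build_segment(TCP_ACK, payload=b"hello")

if __name__ == "__main__":
    for name, seg in [("plain SYN", PLAIN_SYN), ("SYN+data", SYN_WITH_DATA),
                      ("SYN-ACK+data", SYNACK_WITH_DATA), ("TFO SYN+data", TFO_SYN_WITH_DATA),
                      ("TFO request+data", TFO_REQUEST_WITH_DATA), ("ACK+data", ACK_WITH_DATA)]:
        print(f"{name:18} -> {handshake_verdict(seg)}")
```

The TFO request case shows why the cookie check matters: a SYN that only asks for a cookie but still carries data is treated like any other data-bearing SYN and is dropped under the new default.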
The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, edit the Decryption profile, select SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.
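As an added example (not PAN-OS code), the following measures the RSA modulus size of a server key and maps the two choices above onto a decision: decrypt when the key is within the supported size, otherwise block or bypass depending on whether the unsupported-mode check is enabled. It assumes "8Kb" means 8192 bits, and reads a DER-encoded PKCS#1 RSAPublicKey (the content of an X.509 subjectPublicKey for RSA). The sample keys are constructed integers of the desired width, not real keys.

```python
"""Decide how a decryption policy treats an RSA server key by modulus size.
Added example, not PAN-OS code. Assumption: the page's '8Kb' is 8192 bits."""

MAX_SUPPORTED_RSA_BITS = 8192  # assumption: 8Kb read as 8192 bits


def der_length(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (adds a leading 0x00 when the high bit is set)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def encode_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_sequence(der_integer(modulus), der_integer(exponent))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(rsa_public_key_der: bytes) -> int:
    """Bit length of the modulus in a DER RSAPublicKey."""
    tag, seq, _ = _read_tlv(rsa_public_key_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def decryption_action(rsa_public_key_der: bytes, block_unsupported: bool) -> str:
    """'decrypt' if supported; otherwise 'block' when the unsupported-mode
    check is selected in the profile, or 'bypass' when it is cleared."""
    if rsa_modulus_bits(rsa_public_key_der) <= MAX_SUPPORTED_RSA_BITS:
        return "decrypt"
    return "block" if block_unsupported else "bypass"


# Constructed sample keys: the top bit is set so the width is exact. Not real keys.
KEY_2048 = encode_rsa_public_key((1 << 2047) | 0x10001)
KEY_8192 = encode_rsa_public_key((1 << 8191) | 0x10001)
KEY_16384 = encode_rsa_public_key((1 << 16383) | 0x10001)

if __name__ == "__main__":
    for name, key in [("2048", KEY_2048), ("8192", KEY_8192), ("16384", KEY_16384)]:
        print(f"{name}-bit: block-mode={decryption_action(key, True)}, "
              f"bypass-mode={decryption_action(key, False)}")
```

An 8192-bit key is still decrypted in this model because the page says keys that exceed 8Kb are unsupported; only the 16384-bit key falls into the block-or-bypass branch.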
When a firewall running PAN-OS 8.0 connects with PAN-DB (public or private cloud), it validates the Common Name on the server certificate before establishing an SSL connection. If the validation fails, the connection is refused and the firewall generates a system log.
Data Pattern objects
Data Pattern objects provide predefined patterns, such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
You must now select at least one Category when creating or modifying an application filter. This optimizes firewall performance when filtering applications, as the firewall includes only the categories that are relevant to you.
DoS Protection and Vulnerability Protection Profiles
When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.