Content Inspection Changes
PAN-OS® 8.0 has the following changes in default behavior for content inspection features:
The defaults for the following TCP Settings (Device > Setup > Session > TCP Settings) have changed in 8.0:
Forward segments exceeding TCP App-ID inspection queue (Device > Setup > Content-ID > Content-ID Settings) is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
Zone Protection profiles
In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, these three default settings will apply to each profile and the firewall will act accordingly.
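The handshake check described above, as an added example that is not PAN-OS code: it parses a raw TCP segment, drops a SYN or SYN-ACK that carries payload, and allows it only when a TCP Fast Open option (kind 34, RFC 7413) is present. Treating a cookie of 4 to 16 even bytes as "valid" is an assumption taken from the RFC's structural rules, not from the firewall's actual validation; the sample segments are constructed.

```python
import struct

TFO_OPTION_KIND = 34  # TCP Fast Open option, RFC 7413


def parse_tcp_options(raw):
    """Return a list of (kind, data) tuples from the TCP options bytes."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def classify_handshake_segment(segment):
    """Return 'drop' or 'allow' for a TCP segment (no IP header) per the 8.0 default."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    syn = bool(segment[13] & 0x02)        # set on both SYN and SYN-ACK
    payload = segment[data_offset:]
    if not syn or not payload:
        return "allow"                     # not a handshake segment, or no data
    for kind, data in parse_tcp_options(segment[20:data_offset]):
        # Assumption: a structurally valid TFO cookie is 4..16 bytes, even length
        if kind == TFO_OPTION_KIND and 4 <= len(data) <= 16 and len(data) % 2 == 0:
            return "allow"
    return "drop"


def build_segment(flags, options=b"", payload=b""):
    """Constructed sample segment: ports 1234 -> 443, options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    offset_byte = ((20 + len(options)) // 4) << 4
    header = struct.pack("!HHIIBBHHH", 1234, 443, 1, 0, offset_byte, flags, 65535, 0, 0)
    return header + options + payload
```

A SYN-ACK with data and no Fast Open cookie (flags 0x12) classifies as "drop", while the same segment carrying an 8-byte cookie option classifies as "allow".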
The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.
When a firewall running PAN-OS 8.0 connects to PAN-DB (public or private cloud), it validates the Common Name on the server certificate before establishing an SSL connection. If the validation fails, the connection is refused and the firewall generates a system log.
Data Pattern objects
Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type set to Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
You must now select at least one Category when creating or modifying an application filter (Objects > Application Filters). This optimizes firewall performance when filtering applications, as the firewall includes only the categories that are relevant to you.
DoS Protection and Vulnerability Protection Profiles
When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.