Content Inspection Changes

PAN-OS® 8.0 has the following changes in default behavior for content inspection features:
TCP settings
The defaults for the following TCP settings (Device > Setup > Session > TCP Settings) have changed in 8.0:
  • Drop segments without flag is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp drop-zero-flag, is now set to yes by default.
  • Drop segments with null timestamp option is now enabled by default. The corresponding CLI command, set deviceconfig setting tcp check-timestamp-option, is now set to yes by default.
  • Forward segments exceeding TCP out-of-order queue is now disabled by default. The corresponding CLI command, set deviceconfig setting tcp bypass-exceed-oo-queue, is now set to no by default.
Content-ID™
Forward segments exceeding TCP App-ID inspection queue (Device > Setup > Content-ID > Content-ID Settings) is now disabled by default. The corresponding CLI command, set deviceconfig setting application bypass-exceed-queue, is now set to no by default.
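The four CLI settings above default to the hardened value after an upgrade, but an administrator can still set them back explicitly. The following script is an added example (not Palo Alto Networks code) that reads a set-format configuration export, assumes the same `set deviceconfig setting ...` syntax as the CLI commands on this page, and reports which of the four settings are explicitly overridden away from the 8.0 default; a setting absent from the export is treated as taking the default. The sample configuration lines are constructed for the example.

```python
"""Audit a PAN-OS set-format configuration export against the 8.0
content inspection defaults listed in this release note.

Added example, not Palo Alto Networks code. It assumes the export uses the
same `set deviceconfig setting ...` syntax as the CLI commands on this page
and that a setting absent from the export takes the 8.0 default.
"""
import re

# PAN-OS 8.0 defaults for the four settings named in this release note.
DEFAULTS_8_0 = {
    "deviceconfig setting tcp drop-zero-flag": "yes",
    "deviceconfig setting tcp check-timestamp-option": "yes",
    "deviceconfig setting tcp bypass-exceed-oo-queue": "no",
    "deviceconfig setting application bypass-exceed-queue": "no",
}

# Lines of a configuration export, constructed for this example. The first
# line re-enables forwarding of segments that overflow the out-of-order
# queue, i.e. segments the firewall would otherwise hold for inspection.
SAMPLE_CONFIG = """\
set deviceconfig setting tcp bypass-exceed-oo-queue yes
set deviceconfig setting application bypass-exceed-queue no
set deviceconfig system hostname fw-edge-01
"""

# Matches only `set deviceconfig setting <group> <knob> <value>` lines.
_SET_RE = re.compile(
    r"^\s*set\s+(?P<path>deviceconfig\s+setting\s+\S+\s+\S+)\s+(?P<value>\S+)\s*$"
)


def parse_set_config(text):
    """Return {normalized path: value} for every matching `set` line."""
    found = {}
    for line in text.splitlines():
        m = _SET_RE.match(line)
        if m:
            path = " ".join(m.group("path").split())  # collapse whitespace
            found[path] = m.group("value")
    return found


def effective_settings(text, defaults=DEFAULTS_8_0):
    """Effective value of each audited setting: explicit value or default."""
    explicit = parse_set_config(text)
    return {path: explicit.get(path, default) for path, default in defaults.items()}


def overrides(text, defaults=DEFAULTS_8_0):
    """Return the audited settings whose effective value differs from the default."""
    eff = effective_settings(text, defaults)
    return {path: value for path, value in eff.items() if value != defaults[path]}


if __name__ == "__main__":
    for path, value in effective_settings(SAMPLE_CONFIG).items():
        flag = "OVERRIDE" if value != DEFAULTS_8_0[path] else "default"
        print(f"{flag:8} {path} = {value}")
```

Run it against a real export (for example, the output of `set cli config-output-format set` followed by `show` in configuration mode) and any line flagged OVERRIDE marks a place where the firewall forwards or accepts traffic the 8.0 defaults would drop or hold for inspection, which is worth a change-control entry explaining why.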
Zone Protection profiles
In a Zone Protection profile for Packet Based Attack Protection, the default setting is now to drop TCP SYN and SYN-ACK packets that contain data in the payload during a three-way handshake. (In prior PAN-OS releases, the firewall allowed such packets.) By default, a Zone Protection profile is set to allow TCP handshake packets that use the TCP Fast Open option if they contain a valid Fast Open cookie. If you have existing Zone Protection profiles in place when you upgrade to PAN-OS 8.0, the three default settings will apply to each profile and the firewall will act accordingly.
Decryption
The firewall does not support SSL decryption of RSA keys that exceed 8Kb in size. You can either block connections to servers that use certificates with RSA keys exceeding 8Kb or skip SSL decryption for such connections. To block such connections, select Objects > Decryption Profile, edit the profile, select SSL Decryption > SSL Forward Proxy, and in the Unsupported Mode Checks section select Block sessions with unsupported cipher suites. To skip decryption for such connections, clear Block sessions with unsupported cipher suites.
URL Filtering
When a firewall running PAN-OS 8.0 connects with PAN-DB (public or private cloud), it validates the Common Name on the server certificate before establishing an SSL connection. If the validation fails, the connection is refused and the firewall generates a system log.
Data Pattern objects
Objects > Custom Objects > Data Patterns provides predefined patterns (Pattern Type: Predefined Pattern), such as social security numbers and credit card numbers, to check for in the incoming file types that you specify. The firewall no longer supports checking for these predefined patterns in GZIP and ZIP files.
Application filters
You must now select at least one Category when creating or modifying an application filter (Objects > Application Filters). This optimizes firewall performance when filtering applications, as the firewall includes only the categories that are relevant to you.
DoS Protection and Vulnerability Protection Profiles
When you use a Classified DoS Protection profile for flood protection or a Vulnerability Protection profile that is configured to Block IP addresses, the firewall will now block IP addresses in hardware first, and then in software if the hardware block list has reached its capacity.