In mobile network operator environments, you can now enforce multilayer security on Stream Control Transmission Protocol (SCTP) traffic to prevent information from leaking and prevent attackers from causing denial of service, network congestion, and outages that disrupt data and voice services for mobile subscribers.

In addition to enabling stateful inspection with multi-homing support, multi-chunk inspection and protocol validation of SCTP, this feature enables you to filter SCTP traffic based on payload protocol IDs (PPIDs) and to filter Diameter and SS7 traffic over SCTP.

SCTP security is supported only on PA-5200 Series and VM-Series firewalls and requires content release version 785 or a later version.

When thinking about how best to deploy the latest application and threat updates, you might have had to previously choose between a mission-critical approach—where you delay content installation until you can assess impact to application availability—and a security-first approach—where you prioritize immediate threat protection over possible impact to application availability.

Now, you don’t need to choose. The following features enable a blend of both approaches, so that you can quickly deploy the latest threat prevention updates while ensuring application availability:

Palo Alto Networks application and threat content releases undergo rigorous performance and quality assurance; however, because there are so many possible variables in a customer environment, there are rare occasions where a content release might impact a network in an unexpected way. The following features are now available to help you to avoid or mitigate an issue with a content release, so that there is as little impact to your network as possible:

Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and has additional threat detection and file identification capabilities, performance, and reliability across all versions of SMB. These improvements provide an additional layer of security for networks, such as data center deployments, network segments, and internal networks by allowing files transmitted using SMB to be forwarded to WildFire for analysis. Because of the way that SMBv3 multi-channel works in splitting up files, customers should disable the use of multi-channel file transfer for maximum protection and inspection of files. As a result, Palo Alto Networks recommends disabling SMB multi-channel through the Windows PowerShell. For more information on this task, please refer to: technet.microsoft.com/en-us/library/dn610980(v=ws.11).aspx

(PAN-OS 8.1.10 and later PAN-OS 8.1 releases) You can now decide whether to hold or allow web requests while the firewall performs a URL category lookup. By default, the firewall allows requests to be made while it looks up uncached URLs in PAN-DB. Now, you can hold requests during this lookup, which can improve third-party security ratings.

(PAN-OS 8.1.9 and later PAN-OS 8.1 releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.