Content Inspection Features
End-of-Life (EoL)

PAN-OS 8.1 provides the following content inspection features: SCTP Security, Rapid Deployment of the Latest Threat Prevention Updates, and Tools to Avoid or Mitigate Content Update Issues.
New Content Inspection Feature | Description
SCTP Security
In mobile network operator environments, you can now enforce multilayer security on Stream Control Transmission Protocol (SCTP) traffic to prevent information from leaking and prevent attackers from causing denial of service, network congestion, and outages that disrupt data and voice services for mobile subscribers.
In addition to enabling stateful inspection with multi-homing support, multi-chunk inspection and protocol validation of SCTP, this feature enables you to filter SCTP traffic based on payload protocol IDs (PPIDs) and to filter Diameter and SS7 traffic over SCTP.
SCTP security is supported only on PA-5200 Series and VM-Series firewalls and requires content release version 785 or a later version.
Rapid Deployment of the Latest Threat Prevention Updates
When thinking about how best to deploy the latest application and threat updates, you might previously have had to choose between a mission-critical approach—where you delay content installation until you can assess impact to application availability—and a security-first approach—where you prioritize immediate threat protection over possible impact to application availability.
Now, you don’t need to choose. The following features enable a blend of both approaches, so that you can quickly deploy the latest threat prevention updates while ensuring application availability:
  • Installation Threshold for New-App-IDs—Fine tune content update thresholds to install threat updates and application updates separately based on your network security and availability requirements.
  • Streamlined Panorama Deployment for Content Releases—Use Panorama to more easily configure dynamic updates schedules for multiple firewalls, and stagger updates across your network (for example, deploy updates to locations with less business risk first, like satellite offices).
Tools to Avoid or Mitigate Content Update Issues
Palo Alto Networks application and threat content releases undergo rigorous performance and quality assurance; however, because there are so many possible variables in a customer environment, there are rare occasions where a content release might impact a network in an unexpected way. The following features are now available to help you to avoid or mitigate an issue with a content release, so that there is as little impact to your network as possible:
  • Content Release Validation Check—The firewall now validates that a previously-downloaded content release is still Palo Alto Networks-recommended at the time of installation.
  • Enhanced Telemetry—The threat intelligence telemetry data that the firewall sends to Palo Alto Networks now includes information that Palo Alto Networks can use to identify and troubleshoot issues with content updates.
  • Critical Content Alerts—Palo Alto Networks can now directly alert you to a critical content release issue; we’ll give you the information you need to understand if and how the issue affects you, along with steps to move forward. (If needed, you can also now use Panorama to easily revert managed firewalls to the latest content update version. See Panorama Features).
SMB Improvements with WildFire Support
Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and has additional threat detection and file identification capabilities, along with improved performance and reliability, across all versions of SMB. These improvements provide an additional layer of security for networks, such as data center deployments, network segments, and internal networks, by allowing files transmitted using SMB to be forwarded to WildFire for analysis. Because of the way that SMBv3 multi-channel works in splitting up files, Palo Alto Networks recommends disabling SMB multi-channel file transfer through Windows PowerShell for maximum protection and inspection of files. For more information on this task, refer to: technet.microsoft.com/en-us/library/dn610980(v=ws.11).aspx
Option to Hold Web Requests During URL Category Lookup
(PAN-OS 8.1.10 and later PAN-OS 8.1 releases) You can now decide whether to hold or allow web requests while the firewall performs a URL category lookup. By default, the firewall allows requests to be made while it looks up uncached URLs in PAN-DB. Now, you can hold requests during this lookup, which can improve third-party security ratings.
Graceful Enablement of GTP Stateful Inspection
(PAN-OS 8.1.9 and later PAN-OS 8.1 releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.
Graceful Enablement of SCTP Stateful Inspection
(PAN-OS 8.1.10 and later PAN-OS 8.1 releases) You can now enable SCTP stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic. You can allow SCTP packets that fail SCTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after SCTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate SCTP traffic.
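To make the multi-chunk inspection and PPID filtering described under SCTP Security concrete, the following added example (not Palo Alto Networks code and not a model of PAN-OS internals) walks every chunk bundled in one SCTP packet and applies a PPID allowlist. The function names, the whole-packet drop policy, and the sample packet are assumptions made for illustration; the SCTP checksum is not validated.

```python
import struct

# IANA-assigned SCTP payload protocol identifiers (subset)
PPID_NAMES = {3: "M3UA", 18: "S1AP", 46: "Diameter"}
DATA = 0  # SCTP chunk type carrying user data and a PPID


def data_chunk_ppids(packet: bytes) -> list[int]:
    """Walk every chunk in one SCTP packet; return the PPID of each DATA chunk."""
    if len(packet) < 12:
        raise ValueError("shorter than the SCTP common header")
    ppids, off = [], 12
    while off < len(packet):
        if off + 4 > len(packet):
            raise ValueError("truncated chunk header")
        ctype, _flags, clen = struct.unpack_from("!BBH", packet, off)
        if clen < 4 or off + clen > len(packet):
            raise ValueError("chunk length inconsistent with packet size")
        if ctype == DATA:
            if clen < 16:
                raise ValueError("DATA chunk too short to hold a PPID")
            # chunk header (4) + TSN (4) + stream id (2) + stream seq (2)
            ppids.append(struct.unpack_from("!I", packet, off + 12)[0])
        off += (clen + 3) & ~3  # chunks are padded to a 4-byte boundary
    return ppids


def verdict(packet: bytes, allowed: set[int]) -> str:
    """Assumed policy: drop malformed packets and any packet with a disallowed PPID."""
    try:
        ppids = data_chunk_ppids(packet)
    except ValueError:
        return "drop-malformed"
    return "allow" if all(p in allowed for p in ppids) else "drop-ppid"


def _chunk(ctype: int, body: bytes) -> bytes:
    raw = struct.pack("!BBH", ctype, 0, 4 + len(body)) + body
    return raw + b"\x00" * (-len(raw) % 4)


def _data(ppid: int, payload: bytes) -> bytes:
    return _chunk(DATA, struct.pack("!IHHI", 1, 0, 0, ppid) + payload)


# Constructed sample: one packet bundling a SACK, a Diameter DATA chunk and an
# M3UA DATA chunk. Inspecting only the first chunk would miss both PPIDs.
HEADER = struct.pack("!HHII", 3868, 3868, 0x1234, 0)
BUNDLED = HEADER + _chunk(3, b"\x00" * 12) + _data(46, b"diam") + _data(3, b"m3ua!")
```

With an allowlist of only Diameter (46), the bundled packet is rejected because of the trailing M3UA chunk, which is the case single-chunk inspection would let through.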