Content Inspection Features
PAN-OS 8.1 provides the following content inspection features: SCTP Security, Rapid Deployment of the Latest Threat Prevention Updates, and Tools to Avoid or Mitigate Content Update Issues.
|New Content Inspection Feature|Description|
|SCTP Security|
In mobile network operator environments, you can now enforce multilayer security on Stream Control Transmission Protocol (SCTP) traffic to prevent information from leaking and prevent attackers from causing denial of service, network congestion, and outages that disrupt data and voice services for mobile subscribers.
In addition to enabling stateful inspection with multi-homing support, multi-chunk inspection and protocol validation of SCTP, this feature enables you to filter SCTP traffic based on payload protocol IDs (PPIDs) and to filter Diameter and SS7 traffic over SCTP.
SCTP security is supported only on PA-5200 Series and VM-Series firewalls and requires content release version 785 or a later version.
|Rapid Deployment of the Latest Threat Prevention Updates|
When thinking about how best to deploy the latest application and threat updates, you might have had to previously choose between a mission-critical approach—where you delay content installation until you can assess impact to application availability—and a security-first approach—where you prioritize immediate threat protection over possible impact to application availability.
Now, you don’t need to choose. The following features enable a blend of both approaches, so that you can quickly deploy the latest threat prevention updates while ensuring application availability:
|Tools to Avoid or Mitigate Content Update Issues|
Palo Alto Networks application and threat content releases undergo rigorous performance and quality assurance; however, because there are so many possible variables in a customer environment, there are rare occasions where a content release might impact a network in an unexpected way. The following features are now available to help you to avoid or mitigate an issue with a content release, so that there is as little impact to your network as possible:
|SMB Improvements with WildFire Support|
Firewall SMB support now includes SMBv3 (3.0, 3.0.2, and 3.1.1) and adds threat detection and file identification capabilities, along with performance and reliability improvements, across all versions of SMB. These improvements provide an additional layer of security for networks, such as data center deployments, network segments, and internal networks, by allowing files transmitted using SMB to be forwarded to WildFire for analysis. Because SMBv3 multi-channel splits up files during transfer, disable multi-channel file transfer for maximum protection and inspection of files. Palo Alto Networks therefore recommends disabling SMB multi-channel through Windows PowerShell. For more information on this task, refer to: https://technet.microsoft.com/en-us/library/dn610980(v=ws.11).aspx
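
One way to carry out the SMB multi-channel recommendation above on a Windows host, as an added example that is not part of the PAN-OS documentation. It uses the built-in SmbShare module cmdlets (`Get-`/`Set-SmbServerConfiguration`, `Get-`/`Set-SmbClientConfiguration`, `Get-SmbMultichannelConnection`) and assumes an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: disable SMB multi-channel on this host for both the SMB server
# role and the SMB client, then verify the result.

# 1. Record the current state so the change can be audited or reverted.
$before = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    ServerMultiChannel = (Get-SmbServerConfiguration).EnableMultiChannel
    ClientMultiChannel = (Get-SmbClientConfiguration).EnableMultiChannel
}
$before | Format-List

# 2. Disable multi-channel where it is still enabled.
#    Server side covers shares hosted on this machine;
#    client side covers connections this machine opens to other file servers.
if ($before.ServerMultiChannel) {
    Set-SmbServerConfiguration -EnableMultiChannel $false -Force
}
if ($before.ClientMultiChannel) {
    Set-SmbClientConfiguration -EnableMultiChannel $false -Force
}

# 3. Re-read the configuration and fail loudly if either side is still enabled,
#    so the script can be used as a compliance check in deployment tooling.
$serverStillOn = (Get-SmbServerConfiguration).EnableMultiChannel
$clientStillOn = (Get-SmbClientConfiguration).EnableMultiChannel
if ($serverStillOn -or $clientStillOn) {
    throw "SMB multi-channel is still enabled on $env:COMPUTERNAME (server=$serverStillOn, client=$clientStillOn)"
}

# 4. List any multi-channel connections the client still reports.
#    An empty result means no SMB session from this host is using multi-channel.
$live = @(Get-SmbMultichannelConnection -ErrorAction SilentlyContinue)
if ($live.Count -gt 0) {
    Write-Warning "$($live.Count) multi-channel connection(s) still present:"
    $live | Format-Table -AutoSize
} else {
    Write-Output "SMB multi-channel disabled; no multi-channel connections reported."
}
```

Both ends of an SMB session negotiate multi-channel, so the setting is worth applying to file servers and to the clients that reach them through the firewall.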