Content Inspection Features
Describes all the exciting new content inspection capabilities in PAN-OS® 9.0.
New Content Inspection Feature
The firewall can now access the full database of Palo Alto Networks DNS signatures through a new DNS Security service. The DNS Security service also performs pro-active analysis of DNS data to predict new malicious domains and to detect C2 evasion techniques—like domain generation algorithms and DNS tunneling—that aim to bypass common protections.
New Security-Focused URL Categories
New Security-focused URL categories enable you to implement simple security and decryption policies based on website safety, without requiring you to decide (or even know) what website is likely to expose you to web-based threats:
These new categories help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites are classified with a Security-related category only when they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts.
Multi-Category URL Filtering
Built-In External Dynamic List for Bulletproof Hosts
Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material. The Threat Prevention subscription now includes a new built-in external dynamic list (EDL) that you can use to block IP addresses associated with bulletproof hosting providers.
EDL Capacity Increases
External dynamic list (EDL) capacities are increased to better accommodate the use of third-party intelligence feeds, significantly expanding the number of threat indicators you can leverage within your network Security policies. Additionally, you can now prioritize EDLs to make sure lists containing critical threat indicators are committed before capacity limits are reached.
Support for New Predefined Data Filtering Patterns
To identify and protect sensitive information from leaving your network, the firewall provides 19 new predefined data filtering patterns that identify specific (regulated) information from different countries of the world, such as INSEE Identification (France) and New Zealand Internal Revenue Department Identification Numbers. PAN-OS
®software also performs a checksum validation for all patterns to eliminate false positives.
Cellular IoT Security
As your business moves to cellular IoT (CIoT) and the network adopts 3GPP CIoT technologies, you need to secure CIoT traffic to protect your network and CIoT from attacks. Cellular IoT Security allows you to secure CIoT traffic and gain visibility into CIoT and device-to-device communication over your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), such as a utility company focused on oil, gas, or energy operating as an MVNO, you can now secure CIoT traffic. CIoT security also allows you to protect MNO infrastructure and CIoT devices from DoS attacks on both Signaling/Control and Data layers, from attacks from infected CIoTs, and from spying attacks; and it allows you to detect and prevent malware, ransomware, and vulnerabilities. Additionally, the firewall now supports Narrowband IoT (NB-IoT) radio access technology (RAT), 3GPP TS 29.274 for GTPv2-C up to Release 15.2.0, and 3GPP TS 29.060 for GTPv1-C up to Release 15.1.0.
CIoT security is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).
GTP Event Packet Capture
Firewalls now support packet capture for a GTP event to make troubleshooting easier. GTP packet capture is supported for events such as GTP-in-GTP, end user IP address spoofing, and abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have missing mandatory information elements (IE), invalid IE, invalid header, out-of-order IE, or unsupported message type.
GTP event packet capture is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).
Graceful Enablement of GTP Stateful Inspection
PAN-OS 9.0.3 and later releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.
Graceful Enablement of SCTP Stateful Inspection
PAN-OS 9.0.4 and later releases) You can now enable SCTP stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic. You can allow SCTP packets that fail SCTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after SCTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate SCTP traffic.
One of the new App-ID Features, HTTP/2 Inspection, enables you to enforce threat prevention on a per-stream basis.
Recommended For You
Recommended videos not found.