Describes all the exciting new content inspection capabilities
in PAN-OS® 9.0.
New Content Inspection Feature
The firewall can now access
the full database of Palo Alto Networks DNS signatures through a
new DNS Security service.
The DNS Security service also performs proactive analysis of DNS
data to predict new malicious domains and to detect C2 evasion techniques—like
domain generation algorithms and DNS tunneling—that aim to bypass
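The two evasion techniques named above are worth seeing as concrete signals. The following is an added example written for this page, not the DNS Security service's own logic: it runs two common heuristics over a constructed resolver log. A DGA-like name is detected per query from a long, high-entropy, vowel-poor second-level label; DNS tunneling is detected by aggregating many distinct, long subdomains under one base domain, which is what encoding data into labels produces. The log format, the thresholds, and the assumption that the base domain is the last two labels (no public-suffix list) are all choices made here for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line: "<time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 A www.example.com
2024-03-01T10:00:02 10.0.0.5 A mail.example.com
2024-03-01T10:00:03 10.0.0.7 A xkq7zv9mw2prlt.com
2024-03-01T10:00:04 10.0.0.7 A bq4nz81wkpfyv3.net
2024-03-01T10:00:05 10.0.0.9 TXT 3f2a9c8b1d4e7f60a5b2c3d4e5f60718.00.t.tunnel-example.org
2024-03-01T10:00:06 10.0.0.9 TXT 9b1e4c7a2d5f8063b4a1c2d3e4f50192.01.t.tunnel-example.org
2024-03-01T10:00:07 10.0.0.9 TXT 7c3d5e1f9a2b4c6d8e0f1a3b5c7d9e2f.02.t.tunnel-example.org
2024-03-01T10:00:08 10.0.0.9 TXT 1a2b3c4d5e6f70819203a4b5c6d7e8f9.03.t.tunnel-example.org
2024-03-01T10:00:09 10.0.0.9 TXT e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9.04.t.tunnel-example.org
2024-03-01T10:00:10 10.0.0.5 A cdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname):
    """Split a query name into (second-level label, subdomain part, base domain).
    Assumption for this example: the base domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0], "", labels[0]
    return labels[-2], ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_dga(sld, min_len=12, min_entropy=3.3, max_vowel_ratio=0.25):
    """DGA heuristic: a long, high-entropy, vowel-poor second-level label."""
    if len(sld) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in sld)
    return shannon_entropy(sld) >= min_entropy and vowels / len(sld) < max_vowel_ratio


def analyze_queries(lines, min_unique_subdomains=5, min_avg_subdomain_len=30):
    """Flag DGA-like names per query, and tunnel-like base domains by counting
    distinct, long subdomains (data carried in labels) seen under one base."""
    dga_like, subs_by_base = set(), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed log lines
        qname = parts[3]
        sld, sub, base = split_name(qname)
        if looks_dga(sld):
            dga_like.add(qname)
        if sub:
            subs_by_base[base].add(sub)
    tunnel_like = {
        base for base, subs in subs_by_base.items()
        if len(subs) >= min_unique_subdomains
        and sum(map(len, subs)) / len(subs) >= min_avg_subdomain_len
    }
    return {"dga_like": sorted(dga_like), "tunnel_like": sorted(tunnel_like)}


if __name__ == "__main__":
    print(analyze_queries(SAMPLE_LOG.splitlines()))
```

Both heuristics produce false positives on legitimate CDN or anti-spam lookups, which is why a signature database and aggregate analysis across many networks, as the service above describes, outperform per-firewall thresholds; on a single resolver these rules are best used to generate alerts for review rather than to block.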
New Security-Focused URL Categories
New Security-focused URL categories enable
you to implement simple security and decryption policies based on
website safety, without requiring you to decide (or even know) what
website is likely to expose you to web-based threats:
These categories indicate the level of suspicious
activity that a site displays. All URLs—except those that are confirmed
malware, C2, or phishing sites—now include this risk rating.
Another category identifies sites that were registered within the last 32 days. New
domains are frequently used as tools in malicious campaigns.
These new categories help you to reduce your attack surface by providing
targeted decryption and enforcement for sites that pose varying
levels of risk but are not confirmed malicious. Websites are classified
with a Security-related category only when they meet the criteria for
that category; as site content changes, policy enforcement dynamically
Multi-Category URL Filtering
PAN-DB, the Palo Alto Networks
URL database, now assigns multiple categories to
URLs that classify the content, purpose, and safety of a
site. Every URL now has up to four categories, including a risk
rating that indicates how likely it is that the page will expose
you to threats. More granular URL categorization means that you
can move beyond a basic block-or-allow approach to web access. Instead,
control how your users interact with content, especially websites
that, while necessary for business, are more likely to be used as
part of a cyberattack (like blogs or cloud storage services). For example,
allow your users to visit high-risk websites, but enforce read-only
access and prevent dangerous file downloads.
Built-In External Dynamic List
for Bulletproof Hosts
Because bulletproof hosting
providers place few, if any, restrictions on content, attackers
frequently use these services to host and distribute malicious,
illegal, and unethical material. The Threat Prevention subscription
now includes a new built-in external dynamic
list (EDL) that you can use to block IP addresses associated
with bulletproof hosting providers.
EDL Capacity Increases
External dynamic list (EDL) capacities are increased to
better accommodate the use of third-party intelligence feeds, significantly
expanding the number of threat indicators you can leverage within
your network Security policies. Additionally, you can now prioritize
EDLs to make sure lists containing critical threat indicators are
committed before capacity limits are reached.
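To make the capacity and priority behaviour concrete, here is an added example written for this page (not PAN-OS code): it parses two constructed IP-type EDLs, de-duplicates entries, and commits lists in priority order against a fixed capacity, so a critical list is fully committed and a bulk feed absorbs the overflow. The assumptions are that an IP list holds one address, CIDR block or `start-end` range per line with `#` comment lines, that each unique entry counts once against capacity, and that entries beyond capacity are skipped rather than causing the commit to fail; the firewall's exact accounting may differ.

```python
import ipaddress

# Constructed sample lists (RFC 5737/3849 documentation addresses, not real indicators).
CRITICAL_EDL = """\
# constructed sample: confirmed C2 indicators, highest priority
198.51.100.7
203.0.113.0/28
2001:db8:bad::1
"""

BULK_EDL = """\
# constructed sample: large third-party feed, lower priority
192.0.2.10
192.0.2.11
192.0.2.20-192.0.2.25
198.51.100.7
not-an-ip
192.0.2.30
192.0.2.10
"""


def parse_ip_edl(text):
    """Parse an IP-type EDL into (first_ip, last_ip) tuples plus a list of rejected lines.
    Assumed format: one address, CIDR block or 'start-end' range per line; '#' starts a comment."""
    entries, invalid = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError("malformed range")
                entries.append((lo, hi))
            else:
                net = ipaddress.ip_network(line, strict=False)  # a bare address becomes a /32 or /128
                entries.append((net[0], net[-1]))
        except ValueError:
            invalid.append(line)  # never silently drop: report so the feed owner can fix it
    return entries, invalid


def commit_edls(edls, capacity):
    """edls: iterable of (name, priority, text); lower priority value is committed first.
    Returns a per-list report of committed, skipped (over capacity) and invalid entries."""
    report, used = {}, 0
    for name, _priority, text in sorted(edls, key=lambda e: e[1]):
        entries, invalid = parse_ip_edl(text)
        unique = list(dict.fromkeys(entries))          # de-duplicate, keep file order
        room = max(capacity - used, 0)
        committed = unique[:room]
        used += len(committed)
        report[name] = {
            "committed": len(committed),
            "skipped": len(unique) - len(committed),
            "invalid": len(invalid),
        }
    return report


def demo(capacity=6):
    """Same two lists, committed with the critical list first and then last."""
    good_order = [("c2-critical", 1, CRITICAL_EDL), ("bulk-feed", 2, BULK_EDL)]
    bad_order = [("c2-critical", 2, CRITICAL_EDL), ("bulk-feed", 1, BULK_EDL)]
    return commit_edls(good_order, capacity), commit_edls(bad_order, capacity)


if __name__ == "__main__":
    for label, result in zip(("critical first", "bulk first"), demo()):
        print(label, result)
```

With the critical list first, all three of its indicators are committed and the bulk feed loses two; with the priorities reversed, the bulk feed fills five of the six slots and two confirmed C2 indicators never reach the policy. The `invalid` count is the other thing worth monitoring: a feed that suddenly starts producing rejects usually means its format changed upstream.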
Support for New Predefined
Data Filtering Patterns
To identify and protect sensitive
information from leaving your network, the firewall provides 19 new predefined data filtering
patterns that identify specific (regulated) information from
different countries of the world, such as INSEE Identification (France)
and New Zealand Internal Revenue Department Identification Numbers.
The firewall software also performs checksum validation
for all patterns to eliminate false positives.
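Checksum validation is what separates a real identifier from any 15-digit string that happens to look like one. The following is an added example for this page, not the firewall's pattern engine, using the French INSEE number (NIR) because its control key is public: the last two digits equal 97 minus the first thirteen digits modulo 97, with the Corsican department codes 2A and 2B replaced by 19 and 18 before the computation. The scanner finds syntactic candidates with a regular expression and then keeps only those whose key verifies; the sample text, the identifiers in it, and the light structural checks (only the sex digit is validated) are constructed for illustration.

```python
import re

# Candidate layout: sex digit, YY, MM, department (two digits or 2A/2B), commune, order, key.
# Optional single spaces between groups match the conventional "1 23 45 67 890 123 45" layout.
NIR_RE = re.compile(
    r"\b([12])\s?(\d{2})\s?(\d{2})\s?(\d{2}|2[AB])\s?(\d{3})\s?(\d{3})\s?(\d{2})\b"
)

# Constructed sample text: one valid NIR, one arbitrary 15-digit reference, one NIR with a wrong key.
SAMPLE_TEXT = (
    "Dossier patient: NIR 2 69 05 49 588 157 80\n"
    "Invoice ref 123456789012345, ticket 1 55 01 19 900 234 67\n"
)


def nir_key(first13):
    """Control key of a NIR: 97 minus (first 13 digits mod 97).
    Corsican department codes are mapped 2A -> 19 and 2B -> 18 before the arithmetic."""
    digits = first13.replace("2A", "19").replace("2B", "18")
    if len(digits) != 13 or not digits.isdigit():
        return None
    return 97 - int(digits) % 97


def validate_nir(candidate):
    """True only if the candidate is 15 characters and its key matches the checksum."""
    compact = re.sub(r"\s", "", candidate.upper())
    if len(compact) != 15 or compact[0] not in "12":
        return False
    key = nir_key(compact[:13])
    return key is not None and key == int(compact[13:])


def find_nir(text):
    """Return (matched_text, checksum_ok) for every syntactic candidate in the text."""
    return [(m.group(0), validate_nir(m.group(0))) for m in NIR_RE.finditer(text)]


def confirmed_nir(text):
    """Only checksum-valid candidates count as a data-filtering hit."""
    return [candidate for candidate, ok in find_nir(text) if ok]


if __name__ == "__main__":
    for candidate, ok in find_nir(SAMPLE_TEXT):
        print(f"{candidate!r}: {'valid' if ok else 'rejected (checksum)'}")
```

Of the three candidates the regular expression finds in the sample text, only the first survives the checksum; the invoice reference and the mistyped identifier would both have been false positives under a pattern-only rule.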
Cellular IoT Security
As your business moves to cellular IoT (CIoT)
and the network adopts 3GPP CIoT technologies, you need to secure
CIoT traffic to protect your network and CIoT from attacks. Cellular IoT Security allows
you to secure CIoT traffic and gain visibility into CIoT and device-to-device
communication over your network. If you are a mobile network operator
(MNO) or a mobile virtual network operator (MVNO), such as a utility
company focused on oil, gas, or energy operating as an MVNO, you can
now secure CIoT traffic. CIoT security also allows you to protect
MNO infrastructure and CIoT devices from DoS attacks on both Signaling/Control
and Data layers, from attacks from infected CIoTs, and from spying
attacks; and it allows you to detect and prevent malware, ransomware, and
vulnerabilities. Additionally, the firewall now supports Narrowband
IoT (NB-IoT) radio access technology (RAT), 3GPP TS 29.274 for GTPv2-C
up to Release 15.2.0, and 3GPP TS 29.060 for GTPv1-C up to Release
CIoT security is supported on VM-Series firewalls, PA-5200
Series firewalls, and PA-7000 Series firewalls that have all new
cards, including new 100G NPC, new second-generation SMCs, and new
Log Forwarding Card (LFC).
GTP Event Packet Capture
Firewalls now support packet capture for
a GTP event to make troubleshooting easier. GTP packet capture is
supported for events such as GTP-in-GTP, end user IP address spoofing,
and abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have missing mandatory
information elements (IE), invalid IE, invalid header, out-of-order
IE, or unsupported message type.
GTP event packet capture
is supported on VM-Series firewalls, PA-5200 Series firewalls, and
PA-7000 Series firewalls that have all new cards, including new
100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).
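The event names in the list above (GTP-in-GTP, invalid header, unsupported message) map to concrete header checks. As an added example for this page, and not the firewall's GTP engine, the code below builds a few constructed GTPv1 PDUs and classifies each one: it validates the version and protocol-type bits and the length field of the mandatory 8-octet header, and detects GTP-in-GTP by looking inside a G-PDU for an IPv4/UDP datagram to port 2152 that itself carries a well-formed GTP header. Information-element validation for GTP-C messages is outside its scope; packet builders, TEIDs and addresses are constructed here.

```python
import struct

GTPU_PORT = 2152   # GTP-U, per 3GPP TS 29.060
G_PDU = 255        # GTP-U message type that carries a user-plane T-PDU


def build_gtpv1(msg_type, teid, payload, version=1, pt=1, length=None):
    """Minimal GTPv1 header (no optional fields) followed by payload.
    version, pt and length may be set wrong on purpose to construct malformed samples."""
    flags = (version << 5) | (pt << 4)
    if length is None:
        length = len(payload)
    return struct.pack("!BBHI", flags, msg_type, length, teid) + payload


def build_ipv4_udp(src, dst, sport, dport, udp_payload):
    """IPv4 + UDP wrapper with zeroed checksums (constructed sample traffic)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip + udp


def parse_gtpv1(buf):
    """Return (header dict, None), or (None, event name) for a malformed GTPv1 PDU."""
    if len(buf) < 8:
        return None, "invalid-header"
    flags, msg_type, length, teid = struct.unpack("!BBHI", buf[:8])
    if flags >> 5 != 1:
        return None, "unsupported-version"
    if not flags & 0x10:            # PT=0 is GTP' (charging), not GTP-U/GTP-C
        return None, "invalid-header"
    if length != len(buf) - 8:      # Length counts every octet after the mandatory header
        return None, "length-mismatch"
    hdr_len = 8 + (4 if flags & 0x07 else 0)   # E, S or PN flag adds four optional octets
    if len(buf) < hdr_len:
        return None, "invalid-header"
    return {"type": msg_type, "teid": teid, "payload": buf[hdr_len:]}, None


def detect_gtp_events(buf):
    """Classify one GTP-U PDU: [] when clean, otherwise the event names a packet-capture
    trigger would key on (invalid header, unsupported version, length mismatch, GTP-in-GTP)."""
    hdr, err = parse_gtpv1(buf)
    if err:
        return [err]
    events = []
    if hdr["type"] == G_PDU:
        inner = hdr["payload"]
        # Inner IPv4 (version nibble 4) carrying UDP (protocol 17)?
        if len(inner) >= 28 and inner[0] >> 4 == 4 and inner[9] == 17:
            ihl = (inner[0] & 0x0F) * 4
            udp = inner[ihl:ihl + 8]
            if len(udp) == 8 and struct.unpack("!H", udp[2:4])[0] == GTPU_PORT:
                _, inner_err = parse_gtpv1(inner[ihl + 8:])
                if inner_err is None:
                    events.append("gtp-in-gtp")
    return events


def build_samples():
    """Constructed PDUs: one clean, one GTP-in-GTP, two malformed."""
    ue, srv = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    inner_gtpu = build_gtpv1(G_PDU, 0x2222, b"user data")
    return {
        "clean": build_gtpv1(G_PDU, 0x1111, build_ipv4_udp(ue, srv, 40000, 53, b"dns query")),
        "gtp_in_gtp": build_gtpv1(G_PDU, 0x1111,
                                  build_ipv4_udp(ue, srv, GTPU_PORT, GTPU_PORT, inner_gtpu)),
        "bad_version": build_gtpv1(G_PDU, 0x1111, b"x", version=2),
        "bad_length": build_gtpv1(G_PDU, 0x1111, b"abcd", length=99),
    }


if __name__ == "__main__":
    for name, pdu in build_samples().items():
        print(f"{name:12s} -> {detect_gtp_events(pdu) or 'clean'}")
```

The clean sample is an ordinary subscriber DNS query inside GTP-U and produces no event; the nested sample carries a second GTP-U PDU inside the first, which is the GTP-in-GTP condition, and the two malformed samples fail before any payload inspection, which is the point at which a capture trigger would fire.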
Graceful Enablement of GTP Stateful Inspection
PAN-OS 9.0.3 and later releases
You can now enable GTP stateful inspection in
the firewall gracefully with minimal disruption to GTP traffic. You
can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful
inspection to pass through a firewall. Although the firewall drops
such packets by default after GTP stateful inspection is enabled,
allowing them to pass minimizes disruption when you deploy a new
firewall or when you migrate GTP traffic.
Graceful Enablement of SCTP Stateful Inspection
PAN-OS 9.0.4 and later releases
You can now enable SCTP stateful inspection in
the firewall gracefully with minimal disruption to SCTP traffic. You
can allow SCTP packets that fail SCTP stateful inspection to pass
through a firewall. Although the firewall drops such packets by
default after SCTP stateful inspection is enabled, allowing them
to pass minimizes disruption when you deploy a new firewall or when
you migrate SCTP traffic.
One of the
new App-ID Features, HTTP/2 Inspection, enables you to enforce threat prevention
on a per-stream basis.