Content Inspection Features
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Content Inspection Features
Explore new content inspection features introduced in PAN-OS ®
11.2.
The following section describes new Content Inspection features introduced in
PAN-OS 11.2.
Support for Brotli Decompression
November 2024
|
The (CTD) Content-Based Threat Detection engine used by a multitude of Palo Alto
Networks platforms now provides support for Brotli decompression for improved
analysis and threat detection of HTTP content. Brotli is a high-efficiency data
compression format with widespread support that was developed by Google for HTTP web
applications and content. Palo Alto Networks Security subscription services, such as
Advanced Threat Prevention, Advanced WildFire Advanced URL Filtering, and others
rely on the CTD engine to facilitate traffic inspection. With the addition of the
Brotli decoder, traffic that was previously dropped, or is otherwise passed through
the network as an unsupported content-encoding type, is now processed and available
for inspection by various Palo Alto Networks content inspection features. This
includes, but is not limited to Precision AI™ optimized features such as Advanced WildFire: Inline Cloud Analysis,
Advanced Threat Prevention: Inline Cloud
Analysis, and Inline Deep Learning Analysis for Advanced URL
Filtering; but also includes any HTTP traffic payloads processed by a
configured and enabled security policy. This allows for broader visibility into
traffic and helps protect against attackers using Brotli compression to bypass
traditional security mechanisms. When enabled, this software-based Brotli
library is integrated into the existing content decoder framework. Due to the
expected increases in traffic inspection, the firewall requires additional resources
to enable the feature; and as a result, is only available on select platforms.
Advanced DNS Security
May 2024
|
The Advanced DNS Security service is a new
subscription offering by Palo Alto Networks that operates new domain detectors in
the Advanced DNS Security cloud that inspect changes in DNS responses to detect
various types of DNS hijacking in real-time. With access to Advanced DNS Security,
you can detect and block DNS responses from hijacked domains and misconfigured
domains. Hijacked and misconfigured domains can be introduced into your network by
either directly manipulating DNS responses or by exploiting the DNS infrastructure
configuration settings in order to redirect users to a malicious domain from which
they initiate additional attacks. The primary difference between these two
techniques is where the exploit occurs. In the case of DNS hijacking, the attackers
gain the ability to resolve DNS queries to attacker-operated domains by compromising
some aspect of an organization's DNS infrastructure, be it through unauthorized
administrative access to a DNS provider or the DNS server itself, or an MiTM attack
during the DNS resolution process. Misconfigured domains present a similar problem -
the attacker seeks to incorporate their own malicious domain into an organization’s
DNS by taking advantage of domain configuration issues, such as outdated DNS
records, which can enable attackers to take ownership of the customer’s subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in
real-time by operating cloud based detection engines, which provide DNS health
support by analyzing DNS responses using ML-based analytics to detect malicious
activity. Because these detectors are located in the cloud, you can access a wide
array of detection mechanisms that are updated and deployed automatically without
requiring the user to download update packages when changes to detectors are made.
Upon initial release, Advanced DNS Security supports two analysis engines: DNS
Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all
DNS queries are sent to the Advanced DNS Security cloud for enhanced response
analysis to more accurately categorize and return a result in a real-time exchange.
Analysis models are delivered through content updates, however, enhancements to
existing models are performed as a cloud-side update, requiring no updates by the
user. Advanced DNS Security is enabled and
configured through the Anti-Spyware (or DNS Security) profile and require
active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention)
licenses.
Local Deep Learning for Advanced Threat Prevention
May 2024
|
Advanced Threat Prevention now supports Local Deep Learning, which provides a
mechanism to perform fast, local deep learning-based analysis of zero-day and other
evasive threats, as a complementary feature to the cloud-based Inline Cloud Analysis component of
Advanced Threat Prevention. With an Advanced Threat Prevention license,
known malicious traffic that matches against Palo Alto Networks published signature
set are dropped (or have another user-defined action applied to them); however,
certain traffic that matches the criteria for suspicious content are rerouted for
analysis using the Deep Leaning Analysis detection module. If further analysis is
necessary, the traffic is sent to the Advanced Threat Prevention cloud for
additional analysis, as well as the requisite false-positive and false-negative
checks. The Deep Learning detection module is based on the proven detection modules
operating in the Advanced Threat Prevention cloud, and as such, have the same
zero-day and advanced threat detection capabilities. However, they also have the
added advantage of processing a much higher volume of traffic, without the lag
associated with cloud queries. This enables you to inspect more traffic and receive
verdicts in a shorter span of time. This is especially beneficial when faced with
challenging network conditions.
Updates to Local Deep Learning models are delivered through content updates. Local Deep Learning is enabled and configured
using the Anti-Spyware profile and requires an active Advanced Threat
Prevention license.