Content Inspection Features
Focus
Focus

Content Inspection Features

Table of Contents
End-of-Life (EoL)

Content Inspection Features

Describes all the exciting new content inspection capabilities in PAN-OS® 9.0.
New Content Inspection FeatureDescription
DNS Security
The firewall can now access the full database of Palo Alto Networks DNS signatures through a new DNS Security service. The DNS Security service also performs pro-active analysis of DNS data to predict new malicious domains and to detect C2 evasion techniques—like domain generation algorithms and DNS tunneling—that aim to bypass common protections.
New Security-Focused URL Categories
New Security-focused URL categories enable you to implement simple security and decryption policies based on website safety, without requiring you to decide (or even know) what website is likely to expose you to web-based threats:
  • High risk, medium risk, and low risk—These categories indicate the level of suspicious activity that a site displays. All URLs—except those that are confirmed malware, C2, or phishing sites—now include this risk rating.
  • Newly-registered domains—This category identifies sites that were registered within the last 32 days. New domains are frequently used as tools in malicious campaigns.
These new categories help you to reduce your attack surface by providing targeted decryption and enforcement for sites that pose varying levels of risk but are not confirmed malicious. Websites are classified with a Security-related category only when they meet the criteria for that category; as site content changes, policy enforcement dynamically adapts.
Multi-Category URL Filtering
PAN-DB, the Palo Alto Networks URL database, now assigns multiple categories to URLs that classify the content, purpose, and safety of a site. Every URL now has up to four categories, including a risk rating that indicates how likely it is that the page will expose you to threats. More granular URL categorizations means that you can move beyond a basic block-or-allow approach to web access. Instead, control how your users interact with content, especially websites that, while necessary for business, are more likely to be used as part of a cyberattack (like blogs or cloud storage services). For example, allow your users to visit high-risk websites, but enforce read-only access to questionable content by blocking obfuscated JavaScript and preventing dangerous file downloads.
Built-In External Dynamic List for Bulletproof Hosts
Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material. The Threat Prevention subscription now includes a new built-in external dynamic list (EDL) that you can use to block IP addresses associated with bulletproof hosting providers.
EDL Capacity Increases
External dynamic list (EDL) capacities are increased to better accommodate the use of third-party intelligence feeds, significantly expanding the number of threat indicators you can leverage within your network Security policies. Additionally, you can now prioritize EDLs to make sure lists containing critical threat indicators are committed before capacity limits are reached.
Support for New Predefined Data Filtering Patterns
To identify and protect sensitive information from leaving your network, the firewall provides 19 new predefined data filtering patterns that identify specific (regulated) information from different countries of the world, such as INSEE Identification (France) and New Zealand Internal Revenue Department Identification Numbers. PAN-OS® software also performs a checksum validation for all patterns to eliminate false positives.
Cellular IoT Security
As your business moves to cellular IoT (CIoT) and the network adopts 3GPP CIoT technologies, you need to secure CIoT traffic to protect your network and CIoT from attacks. Cellular IoT Security allows you to secure CIoT traffic and gain visibility into CIoT and device-to-device communication over your network. If you are a mobile network operator (MNO) or a mobile virtual network operator (MVNO), such as a utility company focused on oil, gas, or energy operating as an MVNO, you can now secure CIoT traffic. CIoT security also allows you to protect MNO infrastructure and CIoT devices from DoS attacks on both Signaling/Control and Data layers, from attacks from infected CIoTs, and from spying attacks; and it allows you to detect and prevent malware, ransomware, and vulnerabilities. Additionally, the firewall now supports Narrowband IoT (NB-IoT) radio access technology (RAT), 3GPP TS 29.274 for GTPv2-C up to Release 15.2.0, and 3GPP TS 29.060 for GTPv1-C up to Release 15.1.0.
CIoT security is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).
GTP Event Packet Capture
Firewalls now support packet capture for a GTP event to make troubleshooting easier. GTP packet capture is supported for events such as GTP-in-GTP, end user IP address spoofing, and abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have missing mandatory information elements (IE), invalid IE, invalid header, out-of-order IE, or unsupported message type.
GTP event packet capture is supported on VM-Series firewalls, PA-5200 Series firewalls, and PA-7000 Series firewalls that have all new cards, including new 100G NPC, new second-generation SMCs, and new Log Forwarding Card (LFC).
Graceful Enablement of GTP Stateful Inspection
(PAN-OS 9.0.3 and later releases) You can now enable GTP stateful inspection in the firewall gracefully with minimal disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and GTP-U packets that fail GTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after GTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate GTP traffic.
Graceful Enablement of SCTP Stateful Inspection
(PAN-OS 9.0.4 and later releases) You can now enable SCTP stateful inspection in the firewall gracefully with minimal disruption to SCTP traffic. You can allow SCTP packets that fail SCTP stateful inspection to pass through a firewall. Although the firewall drops such packets by default after SCTP stateful inspection is enabled, allowing them to pass minimizes disruption when you deploy a new firewall or when you migrate SCTP traffic.
One of the new App-ID Features, HTTP/2 Inspection, enables you to enforce threat prevention on a per-stream basis.