PAN-OS 9.0 - DNS Security and Content Inspection

Read about the new Palo Alto Networks PAN-OS 9.0 and its new features to Content Inspection, including DNS Security, URL Filtering Categories and WildFire upload sizes. Got Questions? Get answers on LIVEcommunity.

PAN-OS 9.0 Release Features: DNS Security and Content Inspection

The new PAN-OS version 9.0 was just released, and there's excitement at Palo Alto Networks about the new features that are included. Before you update to PAN-OS 9, check out some of the big changes add to Content inspection.

DNS Security

With the addition of DNS Security, the full database of Palo Alto Networks DNS signatures can now be leveraged for content scanning. By adding the DNS Security cloud to an AntiSpyware DNS, signature configuration will enable real-time, on-demand lookups of all DNS requests against a massive database, which will greatly expand the available signatures from the content updates.

The DNS cloud service is equipped with built-in domain detection logic that can identify potentially malicious C2 domains by analyzing lookups to suspiciously named domains as well as unusual DNS query patterns. New DNS protections are generated by using this C2 prevention service and is distributed by the cloud without the limitations of the downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures.

Adding the DNS Security cloud to AntiSpyware Sinkhole configuration

URL Filtering New Categories

We've added new Security-Focused URL categories to help you implement simple security in decryption policies based on a website's overall safety.

High Risk

Sites that have previously been confirmed malware, phishing or C2 but have displayed only benign activity in at least 30 days
Sites that are associated with confirmed malware activity (i.e., a malicious host may be on the same domain)
Unknown sites that still need a full site analysis (these sites share the unknown category, more on that below)
Sites hosted on ASNs that allow malicious content

Medium Risk

All Cloud Storage sites
Sites that have previously been confirmed malware, phishing or C2, but have only displayed benign activity for at least 60 days

Low Risk

All web content that is not medium or high risk and has displayed only benign activity for at least 90 days

Newly-Registered-Domains

Any domains that were registered within the last 32 days (It is recommended to block this category as malware commonly generates new websites to try and circumvent URL filtering)

New URL categories in a URL Filtering profile

Multi-Category URL Filtering

Starting from PAN-OS 9.0, every URL now has up to four categories, including a risk category. More granular URL categorizations mean that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack.

For instance, you might consider certain URL categories risky to your organization but are hesitant to block them outright as they also provide valuable resources or services (such as cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories while also protecting your network by decrypting and inspecting traffic and enforcing read-only access to the content.

This opens a new option in the Custom URL Filtering profiles as you can now build a custom profile for sites that match a set of categories rather than a RegEx string. A site must match all the categories for it to be matched to the custom profile.

Category Match Custom URL Filtering Profile

WildFire

The quantity and maximum size of files that a PAN-OS firewall can forward to WildFire has increased to provide greater visibility and detection of uncommonly large malicious samples.