PAN-OS 9.0 Release Features: DNS Security and Content Inspection

Community Manager

Read about the new Palo Alto Networks PAN-OS 9.0 and its new Content Inspection features, including DNS Security, URL Filtering categories and WildFire upload sizes. Learn how the new PAN-OS 9.0 can help you keep information safe and improve your company's security posture. Got Questions? Get Answers on Live Community.


 

The new PAN-OS version 9.0 was just released, and there's excitement at Palo Alto Networks about the new features that are included. Before you update to PAN-OS 9, check out some of the big changes added to Content Inspection.

 

DNS Security

With the addition of DNS Security, the full database of Palo Alto Networks DNS signatures can now be leveraged for content scanning. Adding the DNS Security cloud to an AntiSpyware DNS signature configuration enables real-time, on-demand lookups of all DNS requests against a massive database, which greatly expands the available signatures from the content updates.

 

The DNS cloud service is equipped with built-in domain detection logic that can identify potentially malicious C2 domains by analyzing lookups to suspiciously named domains as well as unusual DNS query patterns. New DNS protections are generated by this C2 prevention service and are distributed by the cloud without the limitations of the downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures.

 

Figure: Adding the DNS Security cloud to AntiSpyware Sinkhole configuration

 

URL Filtering: New Categories

We've added new Security-Focused URL categories to help you implement simple security in decryption policies based on a website's overall safety.

 

High Risk

  • Sites that have previously been confirmed malware, phishing or C2 but have displayed only benign activity for at least 30 days
  • Sites that are associated with confirmed malware activity (i.e., a malicious host may be on the same domain)
  • Unknown sites that still need a full site analysis (these sites share the unknown category, more on that below)
  • Sites hosted on ASNs that allow malicious content

Medium Risk

  • All Cloud Storage sites
  • Sites that have previously been confirmed malware, phishing or C2, but have only displayed benign activity for at least 60 days

Low Risk

  • All web content that is not medium or high risk and has displayed only benign activity for at least 90 days

Newly-Registered-Domains

  • Any domains that were registered within the last 32 days (It is recommended to block this category as malware commonly generates new websites to try and circumvent URL filtering)

Figure: New URL categories in a URL Filtering profile

Multi-Category URL Filtering
Starting from PAN-OS 9.0, every URL now has up to four categories, including a risk category. More granular URL categorizations mean that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack.
 
For instance, you might consider certain URL categories risky to your organization but be hesitant to block them outright because they also provide valuable resources or services (such as cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories while also protecting your network by decrypting and inspecting traffic and enforcing read-only access to the content.

 

This opens a new option in the Custom URL Filtering profiles as you can now build a custom profile for sites that match a set of categories rather than a RegEx string. A site must match all the categories for it to be matched to the custom profile.

Figure: Category Match Custom URL Filtering Profile
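The category-match rule described above (a site must carry every listed category) and the way differing per-category actions resolve to a single verdict can be modelled as follows. This is an added example, not PAN-OS code or configuration. The severity ranking, the default-allow for unlisted categories, the category labels and the sample policy are assumptions constructed for illustration.

```python
# Illustrative model of multi-category URL filtering; not PAN-OS code.
# Assumption: when a URL's categories carry different actions, the most
# severe one is enforced, ranked here from least to most severe.
SEVERITY = ["allow", "alert", "continue", "override", "block"]

# Constructed sample policy. Category labels are illustrative.
PROFILE = {
    "shopping": "block",
    "sports": "allow",
    "cloud-storage": "alert",
    "risky-storage": "block",   # custom Category Match entry, defined below
}
# Custom category: matches only URLs carrying ALL of the listed categories.
CUSTOM = {"risky-storage": ["cloud-storage", "high-risk"]}


def category_match(url_categories, required):
    """True when the URL carries every category the custom entry lists."""
    return set(required) <= set(url_categories)


def resolve_action(url_categories, profile=PROFILE, custom=CUSTOM):
    """Return (action, deciding_category) for one URL's category set."""
    # "Up to four" comes from the page; at least one is assumed here.
    if not 1 <= len(url_categories) <= 4:
        raise ValueError("a URL carries between one and four categories")
    effective = list(url_categories)
    for name, required in custom.items():
        if category_match(url_categories, required):
            effective.append(name)
    # Assumption: a category the profile does not list is allowed.
    decisions = [(profile.get(cat, "allow"), cat) for cat in effective]
    return max(decisions, key=lambda d: SEVERITY.index(d[0]))


if __name__ == "__main__":
    for cats in (["shopping", "sports"],
                 ["cloud-storage", "medium-risk"],
                 ["cloud-storage", "high-risk"]):
        print(cats, "->", resolve_action(cats))
```

When auditing a profile, the deciding category in the result shows which entry produced the verdict, which helps spot a broad allow being silently overridden by a narrower block.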

WildFire

The quantity and maximum size of files that a PAN-OS firewall can forward to WildFire has increased to provide greater visibility and detection of uncommonly large malicious samples. 

 

 

Additional resources

See more about PAN-OS 9.0 by Palo Alto Networks

 

Take a closer look at our take on PAN-OS 9.0 features through the Live Community:

 

PAN-OS 9.0 Release Features: Policy Optimizer and App-ID

PAN-OS 9.0 Release Features: Panorama

PAN-OS 9.0 Release Features: GlobalProtect

PAN-OS 9.0 Release Features: User-ID

PAN-OS 9.0 Release Features: Networking and Virtualization

PAN-OS 9.0 Release Features: Management

PAN-OS 9.0 Release Features: PA-7000 New Cards

PAN-OS 9.0: Got Questions? Get Answers!

 


 

Feel free to ask any questions you might have in the comment section below.

 

Stay Frosty

Reaper out

Comments
L2 Linker

Are there instructions anywhere, to show how to activate the DNS Security subscription on a pre-existing Lab appliance?  I see that I can add the 90-day eval to an NFR unit, but I can't add it to my lab PA-220.

L1 Bithead

When using Multi-Category URL filters, what is the expected behavior when a URL matches two categories with different actions? For example, if I access a site that is classified as shopping and sports but my policy says block shopping sites but allow sports, will I be able to get to the site?


L7 Applicator

@BetterGriffin,

The block action associated with shopping would overrule the allow action associated with sports. 

L1 Bithead

@BPry Thanks for the info! This is very helpful.
