Always Innovating in NetSec Series: PAN-OS, IoT, Cloud NGFW, Adv Wildfire and More



This blog was written in collaboration with Jason Baucom, Victoria Wright, Jerry McLaughlin, Ashley Hood, and Olivia Vort.

 

Welcome to Always Innovating Network Security - June/July 2024 edition. This time we have a very broad array of innovations to share, from PAN-OS innovations, to Cloud Identity Engine, IoT risk vulnerability prioritization, to Cloud NGFW and Advanced Wildfire. Read on, and stay on top of all the innovations in Network Security from Palo Alto Networks.

 

1. Overlapping IP Address support - Beginning with PAN-OS 11.1.4, duplicate (overlapping) IP address support allows the use of the same IP address on multiple firewall interfaces when the interfaces use different logical routers and also use one of the following combinations: 

    1. Different zones and the same virtual system.
    2. The same zone and different virtual systems.
    3. Different zones and different virtual systems.

 

PA-1400 Series, VM-Series firewalls, and Panorama template stack support overlapping IP addresses. Overlapping IP address support requires the Advanced Routing Engine. For more details, refer to the TechDocs article on Duplicate IP Address Support.
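The three permitted combinations above reduce to a single test: the interfaces must be on different logical routers and must not share both the same zone and the same virtual system. The following pre-commit check, an added example that is not Palo Alto Networks code, applies that rule to a constructed list of interface records and reports the duplicate-IP pairs that would violate it; the `Interface` fields and sample names are assumptions, not read from a real firewall.

```python
"""Pre-commit check for the PAN-OS 11.1.4 duplicate (overlapping) IP rule.

Added example, not Palo Alto Networks code. Rule as stated in the post:
two interfaces may carry the same IP only if they sit on different logical
routers AND are not in both the same zone and the same virtual system.
The interface records below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str            # e.g. "10.1.1.1/24"
    logical_router: str
    zone: str
    vsys: str


def may_share_ip(a: Interface, b: Interface) -> bool:
    """True if the post's conditions permit a and b to use the same IP."""
    if a.logical_router == b.logical_router:
        return False                     # different logical routers are required
    # Combinations 1-3 are exactly: not (same zone AND same vsys)
    return not (a.zone == b.zone and a.vsys == b.vsys)


def find_conflicts(interfaces: List[Interface]) -> List[Tuple[str, str, str]]:
    """Return (ip, iface_a, iface_b) for each duplicate IP that breaks the rule."""
    conflicts = []
    for a, b in combinations(interfaces, 2):
        if a.ip == b.ip and not may_share_ip(a, b):
            conflicts.append((a.ip, a.name, b.name))
    return conflicts


# Constructed sample configuration (not from a real device).
SAMPLE = [
    Interface("ethernet1/1", "10.1.1.1/24", "LR-tenantA", "trust", "vsys1"),
    Interface("ethernet1/2", "10.1.1.1/24", "LR-tenantB", "trust", "vsys2"),  # ok: same zone, different vsys
    Interface("ethernet1/3", "10.1.1.1/24", "LR-tenantC", "dmz",   "vsys1"),  # ok: different zone, same vsys
    Interface("ethernet1/4", "10.1.1.1/24", "LR-tenantA", "dmz",   "vsys2"),  # conflict with e1/1: same LR
    Interface("ethernet1/5", "10.2.2.1/24", "LR-tenantD", "trust", "vsys1"),
    Interface("ethernet1/6", "10.2.2.1/24", "LR-tenantE", "trust", "vsys1"),  # conflict: same zone and vsys
]

if __name__ == "__main__":
    for ip, x, y in find_conflicts(SAMPLE):
        print(f"{ip}: {x} and {y} cannot share this address")
```

Run against the sample it reports two conflicting pairs (ethernet1/1 with ethernet1/4, and ethernet1/5 with ethernet1/6); the other duplicate-IP pairs satisfy the rule.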

 

 

2. Enabling Encrypted DNS 

Beginning with PAN-OS 11.2.1, you can now enable encrypted DNS by configuring DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). 

  1. To configure encrypted DNS when using DNS proxy, refer to the Networking Administrator's Guide, Configure a DNS Proxy Object.
  2. For the MGT interface, when the firewall requires DNS resolution, and you want to configure encrypted DNS, refer to the Networking Administrator's Guide, Use Case 1: Firewall Requires DNS Resolution.


3. Cloud Identity Engine IP-Tag Collection - Cloud Identity Engine, a free service, now supports harvesting IP-Tags from GCP, as it already does for AWS and Azure, and delivering them to your firewalls. Using IP-Tags, customers can use Dynamic Address Groups (DAGs) with their GCP labels to create granular security policies that accommodate the ephemeral nature of VMs in the cloud. For more details, refer to TechDocs.

 

 

4. Risk-based vulnerability prioritization for IoT, OT and MIoT devices - This month we announced our new risk-based vulnerability prioritization, which reduces vulnerability noise for IoT, OT, and MIoT devices by up to 90% and enables network and security teams to focus on what matters. The vulnerability prioritization ranks all the CVEs identified in the customer’s tenant using a multifactor risk assessment and provides a priority classification (Top, Medium or Low) for each CVE. Risk is measured taking into account the vulnerability severity level, the likelihood-of-exploitation indicators, and the potential impact given specific factors unique to the organization’s environment. This framework also allows us to extend the prioritization methodology to additional contextual data that may be considered relevant as the model evolves and continues to be fine-tuned for more meaningful calculation and insights. For more details, check out our Live Community Blog and also TechDocs (IoT Vulnerabilities).

 

5. Cloud NGFW for AWS and Azure - This month we announced several key updates for Cloud NGFW for AWS and Azure, enhancing functionality, improving visibility, and expanding regional support. 


Cloud NGFW for AWS enhancements:

  1. Centralized Policy Management: You can now link your Cloud NGFW resource with Strata Cloud Manager for centralized policy management, gaining comprehensive visibility and actionable insights. See TechDocs for details.
  2. Enhanced Operational Visibility: Cloud NGFW metrics are now available in AWS CloudWatch, providing enhanced operational visibility. See TechDocs for details. 
  3. Simplified Multi-VPC Functionality: Specify Availability Zone IDs or Names when creating firewall resources, making multi-VPC functionality easier. See TechDocs for details.
  4. Subscription Status Display: The Subscription page now clearly indicates if your subscription is expired, active, or inactive.
  5. Regional Support Expansion: Cloud NGFW for AWS now supports the Asia Pacific (Osaka) region. See TechDocs for supported regions and zones.

 

Cloud NGFW for Azure enhancements:

  1. Security Policy Enforcement: Cloud NGFW for Azure can now use an IP address in an X-Forwarded-For (XFF) header to enforce security policies created on Panorama. See TechDocs for details.
  2. Regional Support Expansion: Now supports the Canada East, Japan West (Osaka), Sweden Central (Gavle), Italy North (Milan), South Africa North (Johannesburg), Israel Central, West Central US (Wyoming), and UAE North (Dubai) regions. See TechDocs for supported regions and zones.
  3. Credit Consumption Visibility: Allocate credits for long-term contracts across Azure environments, providing better visibility into credit consumption and usage. See TechDocs for details.

 

For more details on Cloud NGFW enhancements, check out the "What's New" section for Cloud NGFW in TechDocs.


6. Advanced WildFire Public Sector Cloud has achieved “authorized” status for FedRAMP Moderate

This month we announced that the Advanced WildFire Public Sector Cloud is now "authorized" for FedRAMP Moderate. This upgrade will replace the WildFire US Government Cloud for all existing customers.

 

 

Why the Change?

  • Enhanced Security: Advanced WildFire features cutting-edge malware detection with intelligent run-time memory analysis and a Precision AI-powered engine to combat evasive malware.
  • Improved Threat Intelligence: Enjoy real-time integration of threat data from local and cloud sources, stopping over 99% of known and unknown malware.
  • Privacy Protection: The service operates independently from other cloud regions, ensuring your privacy while leveraging global threat data for optimal protection.

 

Get started now by preparing to use the Advanced WildFire Public Sector Cloud environment with your firewalls. If no action is taken, the old URL will automatically update to the new platform on November 30, 2024. Please reach out to your sales representative to discuss any additional costs at your renewal date. For more detailed information, visit the Advanced Wildfire Public Sector Cloud - What's New Guide on TechDocs and FedRAMP.gov.

 

 

7. Advanced WildFire Government Cloud has achieved the “In Process” status for FedRAMP High authorization

We’re thrilled to announce that the Advanced WildFire Government Cloud is now “In process” for FedRAMP High. This significant milestone underscores our dedication to being the top cybersecurity partner for federal organizations, providing unparalleled support and tools for a secure digital environment. For more detailed information, visit our Live Community blog post and Advanced Wildfire Government Cloud - What’s New Guide on Tech Docs.

 

Thank you for reading our latest edition of the Always Innovating in Network Security Blog. We covered several innovations in this edition, but that’s just from June and July. If you want to look at the last few editions, you can find them here, here and here.

 

 
