PAN-OS 9.0 - DNS Security and Content Inspection

Cyber Elite

 


 

Read about the new Palo Alto Networks PAN-OS 9.0 and its new features to Content Inspection, including DNS Security, URL Filtering Categories and WildFire upload sizes. Got Questions? Get answers on LIVEcommunity.

 

PAN-OS 9.0 Release Features: DNS Security and Content Inspection

The new PAN-OS version 9.0 was just released, and there's excitement at Palo Alto Networks about the new features that are included. Before you update to PAN-OS 9, check out some of the big changes added to Content Inspection.

 

DNS Security

With the addition of DNS Security, the full database of Palo Alto Networks DNS signatures can now be leveraged for content scanning. Adding the DNS Security cloud to an AntiSpyware DNS signature configuration enables real-time, on-demand lookups of all DNS requests against a massive database, which greatly expands the available signatures from the content updates.

 

The DNS cloud service is equipped with built-in domain detection logic that can identify potentially malicious C2 domains by analyzing lookups to suspiciously named domains as well as unusual DNS query patterns. New DNS protections are generated by this C2 prevention service and are distributed by the cloud without the limitations of the downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures.

 

Adding the DNS Security cloud to AntiSpyware Sinkhole configuration

 

URL Filtering New Categories

We've added new Security-Focused URL categories to help you implement simple security in decryption policies based on a website's overall safety.

 

High Risk

  • Sites that have previously been confirmed malware, phishing or C2 but have displayed only benign activity for at least 30 days
  • Sites that are associated with confirmed malware activity (i.e., a malicious host may be on the same domain)
  • Unknown sites that still need a full site analysis (these sites share the unknown category, more on that below)
  • Sites hosted on ASNs that allow malicious content

 

Medium Risk

  • All Cloud Storage sites
  • Sites that have previously been confirmed malware, phishing or C2, but have only displayed benign activity for at least 60 days

 

Low Risk

  • All web content that is not medium or high risk and has displayed only benign activity for at least 90 days

 

Newly-Registered-Domains

  • Any domains that were registered within the last 32 days (It is recommended to block this category as malware commonly generates new websites to try and circumvent URL filtering)

 

New URL categories in a URL Filtering profile

 

Multi-Category URL Filtering

Starting from PAN-OS 9.0, every URL now has up to four categories, including a risk category. More granular URL categorizations mean that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack.
 
For instance, you might consider certain URL categories risky to your organization but be hesitant to block them outright because they also provide valuable resources or services (such as cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories while also protecting your network by decrypting and inspecting traffic and enforcing read-only access to the content.

 

This opens a new option in the Custom URL Filtering profiles as you can now build a custom profile for sites that match a set of categories rather than a RegEx string. A site must match all the categories for it to be matched to the custom profile.

 

Category Match Custom URL Filtering Profile
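The two matching rules in play here can be modelled in a few lines of Python. This is an added example, not PAN-OS code or anything published by Palo Alto Networks: it models the "must match all the categories" rule for a Category Match custom category and the block-over-allow behaviour described in the comments below. The category labels, profile, site list and the ordering of the intermediate actions (alert, continue, override) are assumptions made for illustration.

```python
# Illustrative model only; not PAN-OS code. Labels and sites are constructed.
# Only block-over-allow is stated on this page; the rest of the order is assumed.
SEVERITY = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}
MAX_CATEGORIES = 4  # "every URL now has up to four categories"


def check_categories(site_categories):
    cats = frozenset(site_categories)
    if not cats or len(cats) > MAX_CATEGORIES:
        raise ValueError(f"expected 1-{MAX_CATEGORIES} categories, got {len(cats)}")
    return cats


def matches_custom(site_categories, required):
    """Category Match: the site must carry every category in `required`."""
    return frozenset(required) <= check_categories(site_categories)


def effective_action(site_categories, profile, default="allow"):
    """The most severe action among the site's categories wins."""
    cats = check_categories(site_categories)
    return max((profile.get(c, default) for c in cats), key=SEVERITY.__getitem__)


def audit(sites, profile, custom):
    """Return {url: (effective action, sorted custom categories matched)}."""
    report = {}
    for url, cats in sites.items():
        hits = sorted(n for n, req in custom.items() if matches_custom(cats, req))
        report[url] = (effective_action(cats, profile), hits)
    return report


PROFILE = {"shopping": "block", "sports": "allow", "cloud-storage": "alert",
           "newly-registered-domains": "block"}
CUSTOM = {"risky-storage": {"cloud-storage", "medium-risk"}}  # hypothetical name
SITES = {  # constructed sample categorizations
    "shop-and-sport.example": ["shopping", "sports", "low-risk"],
    "files.example": ["cloud-storage", "medium-risk"],
    "blog.example": ["blogs", "medium-risk"],
    "fresh.example": ["sports", "newly-registered-domains", "high-risk"],
}

if __name__ == "__main__":
    for url, (action, hits) in audit(SITES, PROFILE, CUSTOM).items():
        print(f"{url:24} {action:6} custom={hits}")
```

Running a profile through a model like this before committing it shows which allow entries can never take effect because a co-occurring category blocks the site.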

 

WildFire

The quantity and maximum size of files that a PAN-OS firewall can forward to WildFire has increased to provide greater visibility and detection of uncommonly large malicious samples. 

 

 

Additional resources

See more about PAN-OS 9.0 by Palo Alto Networks

 

Take a closer look at our take on PAN-OS 9.0 features through the Live Community:

 

PAN-OS 9.0 Release Features: Policy Optimizer and App-ID

PAN-OS 9.0 Release Features: Panorama

PAN-OS 9.0 Release Features: GlobalProtect

PAN-OS 9.0 Release Features: User-ID

PAN-OS 9.0 Release Features: Networking and Virtualization

PAN-OS 9.0 Release Features: Management

PAN-OS 9.0 Release Features: PA-7000 New Cards

PAN-OS 9.0: Got Questions? Get Answers!

 

Then ask a question, join a discussion, or answer someone else's inquiry—that's community!

 

Not a member of the Live Community yet? It's simple and easy to join. Just sign up with an email address. 

 

Follow us on Twitter.

 

Check out our YouTube channel and join more than 8,000 other subscribers learning about PAN-OS 9.0 and more!

 

Feel free to ask any questions you might have in the comment section below.

 

Stay Frosty

Reaper out

4 Comments
L2 Linker

Are there instructions anywhere, to show how to activate the DNS Security subscription on a pre-existing Lab appliance?  I see that I can add the 90-day eval to an NFR unit, but I can't add it to my lab PA-220.

L1 Bithead

When using Multi-Category URL filters, what is the expected behavior when a URL matches two categories with different actions? For example, if I access a site that is classified as shopping and sports but my policy says block shopping sites but allow sports, will I be able to get to the site?


Cyber Elite

@BetterGriffin,

The block action associated with shopping would overrule the allow action associated with sports. 

L1 Bithead

@BPry Thanks for the info! This is very helpful.
