How Palo Alto NGFW Prevent Unknow CVEs?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

How Palo Alto NGFW Prevent Unknow CVEs?

L1 Bithead

Dear Team,


I hope all of you are doing well.

I have one question. How can PA prevent an unknown CVE on NGFW?


Why I brought up this question is because I saw that from one vendor to another, they have different CVE numbers and IDs.

I was wondering if you could advise me.




L4 Transporter

Hello @SopheaHem - CVE IDs are centrally allocated, but it is inevitable that there is some duplication and overlap among the 220,000+ CVE records currently available. Sometimes an "unknown" one (to us) might actually be known to us as a different CVE ID.  A similar story would apply to any other security vendor.


Bear in mind that CVE IDs can be allocated before any information is known about the specifics of the threat, and without threat specifics we would need to rely on other heuristics to identify a novel threat. 


Like any good answer, the best answer I can give here is, "it depends."  No security vendor, be it Palo Alto Networks or anyone else, can guarantee anything about detecting and eliminating unknown CVEs, and you should be highly suspicious of claims to the contrary.  If they're unknown, or highly novel, there is always a risk that they could slip past unnoticed.  This is where tools like App-ID, URL Filtering, and WildFire, and having a sensible but strict security policy that utilises them, really come into their own.   Defence in depth is an excellent approach as well: don't just rely on App-ID, for example, but instead use all of the tools at your disposal.


Moreover, not every CVE is network-centric, which makes it hard for a next-generation firewall to have any impact, positive or negative, on the detection of those.


What we can also do is use tools like Advanced WildFire to detect and eliminate threats, including novel one threats, as quickly as possible using a range of analysis tools and techniques.  This can also include threats that don't (yet) have a CVE identified.  This relies on the knowledge gained from multiple sources including other customer environments using Advanced WildFire, which means that on average, any novel threat will have been seen at least once, and hopefully identified as such, before it encroaches on your environment. 

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks
  • 1 replies
  • 38 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!