PAN-OS 9.0 - DNS Security and Content Inspection

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cyber Elite
Cyber Elite


PAN-OS 9.0 Release Features DNS Security and Content Inspection.jpg


Read about the new Palo Alto Networks PAN-OS 9.0 and its new features to Content Inspection, including DNS Security, URL Filtering Categories and WildFire upload sizes. Got Questions? Get answers on LIVEcommunity.


PAN-OS 9.0 Release Features: DNS Security and Content Inspection

The new PAN-OS version 9.0 was just released, and there's excitement at Palo Alto Networks about the new features that are included. Before you update to PAN-OS 9, check out some of the big changes add to Content inspection.


DNS Security

With the addition of DNS Security, the full database of Palo Alto Networks DNS signatures can now be leveraged for content scanning. By adding the DNS Security cloud to an AntiSpyware DNS, signature configuration will enable real-time, on-demand lookups of all DNS requests against a massive database, which will greatly expand the available signatures from the content updates.


The DNS cloud service is equipped with built-in domain detection logic that can identify potentially malicious C2 domains by analyzing lookups to suspiciously named domains as well as unusual DNS query patterns. New DNS protections are generated by using this C2 prevention service and is distributed by the cloud without the limitations of the downloadable DNS signature sets, which come with a hard-coded capacity limitation of 100k signatures. 


Adding the DNS Security cloud to AntiSpyware Sinkhole configurationAdding the DNS Security cloud to AntiSpyware Sinkhole configuration


URL Filtering New Categories

We've added new Security-Focused URL categories to help you implement simple security in decryption policies based on a website's overall safety.


High Risk

  • Sites that have previously been confirmed malware, phishing or C2 but have displayed only benign activity in at least 30 days
  • Sites that are associated with confirmed malware activity (i.e., a malicious host may be on the same domain)
  • Unknown sites that still need a full site analysis (these sites share the unknown category, more on that below)
  • Sites hosted on ASNs that allow malicious content


Medium Risk

  • All Cloud Storage sites
  • Sites that have previously been confirmed malware, phishing or C2, but have only displayed benign activity for at least 60 days


Low Risk

  • All web content that is not medium or high risk and has displayed only benign activity for at least 90 days



  • Any domains that were registered within the last 32 days (It is recommended to block this category as malware commonly generates new websites to try and circumvent URL filtering)


New URL categories in a URL Filtering profileNew URL categories in a URL Filtering profile


Multi-Category URL Filtering

Starting from PAN-OS 9.0, every URL now has up to four categories, including a risk category. More granular URL categorizations mean that you can move beyond a basic "block-or-allow" approach to web access. Instead, you can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack.
For instance, you might consider certain URL categories risky to your organization but are hesitant to block them outright as they also provide valuable resources or services (such as cloud storage services or blogs). Now, you can allow users to visit sites that fall into these types of URL categories while also protecting your network by decrypting and inspecting traffic and enforcing read-only access to the content.


This opens a new option in the Custom URL Filtering profiles as you can now build a custom profile for sites that match a set of categories rather than a RegEx string. A site must match all the categories for it to be matched to the custom profile.


Category Match Custom URL Filtering ProfileCategory Match Custom URL Filtering Profile



The quantity and maximum size of files that a PAN-OS firewall can forward to WildFire has increased to provide greater visibility and detection of uncommonly large malicious samples. 



Additional resources

See more about PAN-OS 9.0 by Palo Alto Networks


Take a closer look at our take on PAN-OS 9.0 features through the Live Community:


PAN-OS 9.0 Release Features: Policy Optimizer and App-ID

PAN-OS 9.0 Release Features: Panorama

PAN-OS 9.0 Release Features: GlobalProtect

PAN-OS 9.0 Release Features: User-ID

PAN-OS 9.0 Release Features: Networking and Virtualization

PAN-OS 9.0 Release Features: Management

PAN-OS 9.0 Release Features: PA-7000 New Cards

PAN-OS 9.0: Got Questions? Get Answers!


Then ask a question, join a discussion, or answer someone else's inquiry—that's community!


Not a member of the Live Community yet? It's simple and easy to join. Just sign up with an email address. 


Follow us on Twitter.


Check out our YouTube channel and join more than 8,000 other subscribers learning about PAN-OS 9.0 and more!


Feel free to ask any questions you might have in the comment section below.


Stay Frosty

Reaper out

  • 325 Subscriptions
Register or Sign-in
About the Author
I drink and I know things