Content Inspection Features
New Content Inspection Features Description
Credential Phishing Prevention Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the passwords that provide access to your network. You can now identify and prevent in-progress phishing attacks by controlling sites to which users can submit corporate credentials based on the site’s URL category. This feature integrates with User-ID (group mapping or user mapping, depending on which method you choose to detect credentials) to enable the firewall to detect when users are attempting to submit their corporate username and or username and password and block the submission.
Telemetry You can now participate in a community‐driven approach to threat prevention through telemetry. Telemetry allows your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. Palo Alto Networks uses the threat intelligence collected from you and other customers to improve the quality of intrusion prevention system (IPS) and spyware signatures and the classification of URLs in PAN-DB. For example, when a threat event triggers vulnerability or spyware signatures, the firewall shares the URLs associated with the threat with the Palo Alto Networks threat research team, so they can properly classify the URLs as malicious. Telemetry also allows Palo Alto Networks to rapidly test and evaluate experimental threat signatures with no impact to your network, so that critical threat prevention signatures can be released to all customers faster. You have full control over which data the firewall shares through telemetry, and samples of this data are available to view through your Telemetry settings. Palo Alto Networks does not share your telemetry data with other customers or third-party organizations.
Palo Alto Networks Malicious IP Address Feeds Palo Alto Networks now provides malicious IP address feeds that you can use to help secure your network from known malicious hosts on the Internet. One feed contains IP addresses verified as malicious by Palo Alto Networks, and another feed contains malicious IP addresses from reputable third-party threat advisories. Palo Alto Networks maintains both feeds, which you can reference in Security policy rules to allow or block traffic. You can also create your own external dynamic lists based on these feeds and customize them as needed. You must have an active Threat Prevention license to view and use the Palo Alto Networks malicious IP address feeds.
Enhanced Coverage for Command-and-Control (C2) Traffic C2 signatures—signatures that detect where a compromised system is surreptitiously communicating with an attacker’s remote server—are now generated automatically. While C2 protection is not new, previous signatures looked for an exact match to a domain name or a URL to identify a C2 host. The new, automatically-generated C2 signatures detect certain patterns in C2 traffic, providing more accurate, timely, and robust C2 detection even when the C2 host is unknown or changes rapidly.
GPRS Tunneling Protocol (GTP) Security (PAN-OS 8.0.4 and later releases) You can now deploy the Palo Alto Networks firewall to protect the core network in Mobile Network Operator environments that use GTP between GPRS Support Nodes (GSNs) from malformed GTP packets, denial of service attacks, out-of-state GTP messages, and protect subscribers from spoofed IP packets and over-billing attacks. Equipped with App-IDs for GTPv1-C, GTPv2-C, GTP-U, GTPv0 and GTP’, the firewall can perform stateful inspection and protocol validation on GTP control (GTPv1-C and/or GTPv2-C) and user data (GTP-U) messages, and decapsulate GTP-U packets to inspect inner IP traffic for threats and provide visibility into subscriber activity. The ability to statefully inspect GTP-C traffic also provides visibility into International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI), which you can correlate to the corresponding user data sessions for the subscriber. Further, for regulating subscriber access, you can filter traffic based on the IMSI/ IMSI-Prefix, Radio Access Technology (RAT), and Access Point Network (APN).
Data Filtering Support for Data Loss Prevention (DLP) Solutions Data filtering is enhanced to work with third-party, endpoint DLP solutions that populate file properties to indicate sensitive content, enabling the firewall to enforce your DLP policy. To better secure this confidential data, you can now create Data Filtering profiles that identify the file properties and values set by a DLP solution and then log or block the files the Data Filtering profile identifies.
External Dynamic List Enhancements New enhancements provide better security, flexibility, and ease-of-use when working with external dynamic lists. The enhancements include the options to: Enable Authentication for External Dynamic Lists to validate the identity of a list source and to forward login credentials for access to external dynamic lists that enforce basic HTTP authentication. Use new Palo Alto Networks Malicious IP Address Feeds in security policy rules to block traffic from malicious IP addresses. View the contents of an external dynamic list directly on the firewall, with the option to exclude entries or view threat intelligence associated with an entry in AutoFocus.
New Scheduling Options for Application and Threat Content Updates The firewall can now check for the latest App-ID, vulnerability protection, and anti-spyware signatures every 30 minutes or hourly, in addition to being able to check for these updates daily and weekly. This feature enables more immediate coverage for newly-discovered threats and strengthens safe enablement for updated and newly-defined applications.
Five-Minute Updates for PAN-DB Malware and Phishing URL Categories The Malware and Phishing URL categories in PAN-DB are now updated every five minutes, based on the latest malicious and phishing sites WildFire identifies. These more frequent updates ensure that the firewall is equipped with the very latest information to detect and then block access to malicious and phishing sites.
Globally Unique Threat IDs All Palo Alto Networks threat signatures now have permanent, globally unique IDs that you can use to look up threat signature information and create permanent threat exceptions: Change the action (for example, block or alert) the firewall uses to enforce a threat signature—threat exceptions are useful if a signature is triggering false positives. Easily check if a threat signature is configured as an exception. Use threat IDs in the Threat Vault and AutoFocus to gain context for a threat signature.
New Predefined File Blocking Profiles Two new predefined File Blocking profiles—basic file blocking and strict file blocking—have been added via content release version 653. You can use these profiles to quickly and easily apply the best practice file blocking settings to your Security policy allow rules to ensure that users are not inadvertently downloading malicious content into your network or exfiltrating sensitive data out of your network in legitimate application traffic.
Enhanced Unicode Decoding Support (PAN-OS 8.0.3-h4 and later releases) The firewall can now decode UTF-16 and UTF-32 encoded data, to provide threat analysis and inspection for the encoded data.

Related Documentation