The 6 Major Updates Coming in PAN-OS 10


The best security operating platform just got even better with the recent release of PAN-OS 10.0. Not surprisingly, there are over 70 exciting new features and upgrades that we believe will improve your security posture.

Some of these new features are industry firsts, especially those with new machine learning capabilities that automatically analyze traffic and recommend appropriate security policies.

Machine learning and automated security are major feature drivers for PAN-OS 10 across the existing WildFire, DNS Security, and URL Filtering subscriptions. Also new with version 10 is a brand new IoT Security subscription.


1. Machine-Learning + Strata Firewall

Palo Alto Networks has released an industry-first machine-learning-powered firewall. WildFire, a Strata firewall subscription, has always been the strongest tool in the toolkit for preventing the ever-growing number of zero-day threats in the wild. Up until this point, Palo Alto Networks has been able to respond to these global threats in as little as 5 minutes. But in today’s threat landscape, even that isn’t fast enough to protect against the most advanced targeted attacks.

The Strata Firewall is now capable of analyzing Windows executables and PowerShell scripts using machine learning on the data plane. This enables you to intercept malware before it can infiltrate your network by providing real-time analysis capabilities on the firewall, which reduces the possibility of propagation of unknown malware variants. So, you are able to prevent up to 95% of zero-day malware inline (resulting in a 99.5 percent reduction in systems infected). Combining this with zero-delay signature updates cuts down the response time to 5 seconds!

But it doesn’t stop there. The firewall can also use machine learning on the data plane to analyze web page content to determine if it contains malicious JavaScript or is being used for credential phishing. Inline ML prevents web page threats from infiltrating your network by providing real-time analysis capabilities on the firewall, reducing the possibility of the proliferation of unknown JavaScript variants and various phishing vectors. I believe the best part about this is that if you already have the WildFire and URL Filtering subscriptions, you will also have the new file-based and web-based ML-powered capabilities to prevent nefarious activities.


2. IoT Security

Speaking of nefarious activities looking to exploit our environments, Internet of Things (IoT) devices have quickly become a problem for corporate environments. They are rapidly climbing the list of avenues taken by hackers to breach a network. Palo Alto Networks saw this as an increasing problem and last year acquired the ML-powered solution Zingbox. If you’ve been following Palo Alto Networks for some time, you know they are no strangers to acquiring other cybersecurity companies. Luckily, they do an incredible job of incorporating these acquisitions into their Security Operating Platform.

Palo Alto Networks’ new firewall IoT Security subscription allows Strata firewalls to dynamically discover and maintain a real-time inventory of the IoT devices on your network. Through AI and machine-learning algorithms, you can achieve a high level of accuracy in classifying both current IoT devices and brand new ones seen for the first time. With this dynamic capability, your IoT device inventory is always up to date.

The dynamic capabilities of IoT Security also provide the automatic generation of policy recommendations to control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall policies. The firewall can now collect metadata to detect and identify devices on your network and obtain recommendations on how to secure them. You’ll know what devices are connected and then use those devices as match criteria to create adaptive device-based policy rules. This is especially important in environments with an increasing demand for BYOD and IoT devices. This subscription will help tremendously with this difficult problem.


3. SD-WAN Enhancements from the CloudGenix Acquisition

Another acquisition Palo Alto Networks has made within the last year or so is CloudGenix. The first iteration of their SD-WAN solution was released earlier this year in Q1. It focused on application health in terms of jitter, delay, and latency. In my opinion, it wasn’t mature enough for customers to move over to their solution just yet. This latest release is beginning to change my mind. There are far too many features to talk about within SD-WAN alone, so I will keep it short.


SD-WAN New Features

– Flexible Deployment Options: mesh, hub-and-spoke, cloud-based

– Pre-defined thresholds for common application categories

– Forward Error Correction (FEC)

– Packet Duplication

– SaaS app path monitoring

– Passive path health measurement (jitter, delay, latency, packet loss) via application flows, used for path switching

– Active methods: ICMP and HTTP(S) pings to the target IP or URL

– Zero Touch Provisioning

– Simply enable the SD-WAN subscription on your Next-Generation Firewalls and begin

– Best implemented with Prisma Access as the SD-WAN hub

– Central management via Panorama


4. Container-Based Virtual Firewall for Kubernetes

Now for another industry first: the industry’s first next-generation firewall delivered in a container form factor and natively integrated with Kubernetes, a containerized version of the ML-Powered Next-Generation Firewall (NGFW). The CN-NGFW is designed specifically for Kubernetes environments, leveraging deep container context to protect inbound, outbound, and east-west traffic between container trust zones (i.e. between namespaces, or between PCI-infected apps and non-PCI apps), along with other components of enterprise IT environments.

This is especially important because, up until this point, Palo Alto Networks firewalls could only be deployed at the edge of a Kubernetes environment. Containers seem like a secure option for running applications. But while containers are walled off from each other, many are deployed on the same IP space. If attackers gain access to even a single container, they can then spread the attack throughout the cluster. With this new CN-NGFW, we are now able to focus on picosegmentation to see and protect all traffic between containers.


5. GlobalProtect Client VPN Enhancements

I think this next feature will excite those who have had to expand their remote workforce due to current times (basically all of us). We’re all in this together and GlobalProtect is here to help protect our remote workers in the cyber world. GlobalProtect now makes it easier for you to block compromised devices from your network and keep them off until they have been sanitized. This is done by allowing you to track these devices via unique attributes such as the hardware serial number of the device and unique host information.

This approach can be preferable to blocking by IP address. Device IP addresses change all the time as devices move between locations and networks. Security policies based only on IP addresses then become ineffective and could allow the endpoint back on the network. After GlobalProtect identifies a device as compromised, it can automatically add the device to a quarantine list and permanently block it from accessing the network. You can set security policies to quarantine the device or manually add it to a quarantine list. This cuts response time down incredibly and gives deeper visibility into your remote workforce.


6. Encryption & Decryption

As has always been the case, we can’t protect what we can’t see. Decryption has always been an issue for the industry. Now, 70% of malware is encrypted and designed to evade security measures. Some companies have figured this problem out, but most are still having their own issues. You can now decrypt, gain full visibility, and prevent known and unknown threats within TLSv1.3 protocol traffic. TLSv1.3 is the latest version of the TLS protocol, which provides security and performance improvements for applications. Today, 33% of TLS traffic uses the TLSv1.3 protocol. PAN-OS 10.0 supports TLSv1.3 decryption in all decryption modes available within the platform.



It’s another exciting time within the cybersecurity industry. As always with these new features and upgrades, you’ll want to get your hands on them as soon as possible and start implementing. But it’s always our recommendation to wait until Palo Alto Networks TAC changes their recommended OS version to the new 10.0.X implementation of the software. This will reduce the impact of any potential bugs that may affect your environment. As history shows, though, it will not take much time for Palo Alto Networks to release those .x fixes.

If you have any questions or would like to learn more about these newly released capabilities, please use the form below to get in touch with our Palo Alto Networks team here at Integration Partners.