Wednesday, July 29, 2020

Palo Alto firewall - PAN-OS 10.0 (first ML-Powered NGFW)

Palo Alto Networks announced the world's first ML-Powered Next-Generation Firewall in June 2020. It includes 70+ innovative new capabilities, including easier decryption, high availability clustering, a new high-performance hardware card, Threat Prevention, and DNS Security enhancements. The ML-Powered NGFW plus more than 70 new features are all there in the new PAN-OS 10.0

After that, PAN-OS 10.0 officially released on July 16.
I am going to gather and update here all of the new features included with PAN-OS 10.0.

Here are four key factors for ML-Powered NGFW.
  • ML must be inline
  • ML must be both embedded and cloud based
  • Near real-time ML should make instant changes (as opposed to signature updates every X minutes)
  • Massive data collection is required for ML

What is the ML-Powered NGFW?
The foundation of the ML-Powered NGFW is the current next-generation firewall. However, PAN added three key aspects:
  • Prevent – Put ML inline with zero delay update signatures. Prevent up to 95% of zero-day malware
  • Detect – Extend the ML security analytics to IoT security
  • Improve – ML-powered policy recommendations. Automate and simplify

What firewall models support PAN-OS 10.0?

70 new features in the new PAN-OS 10.0

PAN-OS ® New Features Guide, Version 10.0

IoT Security
  • Visibility into IoT devices
  • Behavioral anomaly detection
  • Risk-based policy recommendations
  • Native enforcement

▶ Prevention of Patient Zero
  • Inline machine learning at the network level
  • WildFire and URL Filtering prevent weaponized files, credential phishing, and malicious scripts
  • Patented signatureless based approach

  • Containerized form factor of NGFW
  • Native deployment within Kubernetes
  • Centralized management with Panorama

  • Support for TLS 1.3
  • Better visibility
  • Enhanced troubleshooting

▶ Networking

▶ GlobalProtect

  • SaaS app path monitoring
  • Forward error correction
  • Packet duplication

▶ WildFire
  • Multi-vector recursive analysis to prevent multi-stage, multi-hop, attacks
  • Improvement to static analysis model delivering verdicts in seconds from over 90% of malicious PE samples

▶ Snort Support
  • UI and API support of both SNORT and Suricata signatures
  • Automatically convert, sanitize, upload, and manage up to 7000 IDPS signatures

▶ Data Processing Card
  • New card for the PA-7000 Series: data processing card with 33% increase in throughput

▶ Policy Features

▶ 5G Security
  • 5G network slice security
  • 5G and 4G equipment ID security
  • 5G and 4G subscriber ID security

No comments: