Thursday, March 28, 2019
By Dwight Hobbs, Fuel User Group, Board of Directors
Palo Alto Networks recently announced the availability of PAN-OS 9.0, the next major release of their appliance operating system. With any major update there are always bug fixes and improvements, as well as those big new features that everyone wants to get their hands on and try out. For PAN-OS 9.0, the major additions are a new security subscription (called DNS Security), large improvements to URL filtering, a new Policy Optimizer tool, and new high-end firewalls (both physical and virtual).
Unfortunately for me, my organization is going through a tech refresh cycle, so I won’t be able to test out the new features in production for a little while. In the meantime, I want to highlight the two features that I’m most interested in testing.
DNS Security takes an interesting approach to securing a critical IT component that is often overlooked. PAN-OS already supports DNS sinkholing of malicious domains, but this new feature promises several additional benefits. Malicious domains will be identified from threat intelligence (Unit 42 research, WildFire, etc.), from data shared by other partners, and from a new machine learning feature that promises to predict malicious domains before they are created. This is an interesting idea, and I’m curious to see whether it produces false positives in production environments.
DNS Security also offers protection against DNS tunneling. There will always be ways for an attacker to hide and tunnel their traffic outside a network, but DNS tunneling is a common technique with off-the-shelf tools readily available. It will take some testing to see how well the tunnel blocking works, but I think this feature will be a welcome addition to the toolkit.
A graphic of the DNS Security feature from Palo Alto Networks’ website
Policy Optimizer brings a capability that was previously only available in third-party products directly into PAN-OS. The tool identifies port-based firewall policies and suggests App-ID-based policies to replace them. I think many legacy policies are left in place because administrators aren’t sure which application is communicating on specific ports. I’m interested to see how well the policies suggested by this new tool will work in complex environments.
Another feature of the Policy Optimizer tool is identifying unused applications in existing App-ID-based policies. This will allow organizations that have already migrated to App-ID to reduce their threat surface even further by identifying unused parts of existing policies. While this tool won’t replace third-party optimization products, it’s a great framework, and I’m excited to see what optimizations Palo Alto Networks will add in the future.
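To make the two Policy Optimizer checks concrete, here is an added, simplified audit written for this post (not Palo Alto Networks’ code and not how Policy Optimizer itself works): it walks a constructed rulebase and constructed traffic records, proposes App-IDs for each port-based rule from the applications actually observed hitting it, and lists configured applications in App-ID rules that no traffic ever matched. The rule and record field names are assumptions, not the PAN-OS export format.

```python
from collections import defaultdict

# Constructed sample rulebase (assumed shape, not a PAN-OS export).
# An application set of {"any"} marks a legacy port-based rule.
RULES = {
    "allow-web-legacy": {"applications": {"any"}, "service": "tcp/443"},
    "allow-saas": {"applications": {"ssl", "dropbox", "box", "web-browsing"},
                   "service": "application-default"},
    "allow-dns": {"applications": {"dns"}, "service": "application-default"},
}

# Constructed sample traffic records: which rule a session matched and
# which App-ID the firewall identified for it.
TRAFFIC_LOG = [
    {"rule": "allow-web-legacy", "app": "web-browsing"},
    {"rule": "allow-web-legacy", "app": "ssl"},
    {"rule": "allow-web-legacy", "app": "web-browsing"},
    {"rule": "allow-saas", "app": "ssl"},
    {"rule": "allow-saas", "app": "dropbox"},
    {"rule": "allow-saas", "app": "web-browsing"},
    {"rule": "allow-dns", "app": "dns"},
]


def apps_seen_per_rule(log):
    """Map each rule name to the set of App-IDs observed matching it."""
    seen = defaultdict(set)
    for record in log:
        seen[record["rule"]].add(record["app"])
    return seen


def suggest_app_id_rules(rules, log):
    """For every port-based rule, return the sorted App-IDs that actually used it.

    These are the candidates for a replacement App-ID-based rule. An empty
    list means the rule saw no traffic in the observation window, which is
    a removal candidate rather than a conversion candidate.
    """
    seen = apps_seen_per_rule(log)
    return {name: sorted(seen.get(name, set()))
            for name, rule in rules.items() if "any" in rule["applications"]}


def unused_apps(rules, log):
    """For every App-ID-based rule, return configured apps that no traffic matched."""
    seen = apps_seen_per_rule(log)
    return {name: sorted(rule["applications"] - seen.get(name, set()))
            for name, rule in rules.items() if "any" not in rule["applications"]}
```

The observation window matters for both checks: an application that is only used at quarter end will look unused in a two-week log sample, so review the suggestions before committing them.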
Have you tested some of these features in PAN-OS 9.0? Other thoughts to share? We want to hear from you. Start a discussion in the Fuel Virtual Water Cooler.