PAN 11.0 Nova, the latest version of Palo Alto's firewall operating system, enables upgraded malware sandboxing and ties into the vendor’s new CASB.

Palo Alto Networks has released next-generation firewall (NGFW) software that includes some 50 new features aimed at helping enterprise organizations battle zero-day threats and advanced malware attacks.

The new features are built into the latest version of Palo Alto’s firewall operating system – PAN 11.0 Nova – and include upgraded malware sandboxing for the company’s WildFire malware-analysis service, advanced threat prevention (ATP), and a new cloud access security broker (CASB).

WildFire is Palo Alto’s on-prem or cloud-based malware sandbox that is closely integrated with Palo Alto’s firewalls. When a firewall detects anomalies, it sends data to WildFire for analysis. WildFire uses machine learning, static analysis, and other analytics to discover threats, malware and zero-day threats, according to the vendor.

New to the service are Advanced WildFire features designed to better detect highly evasive zero-day malware attacks. With Advanced WildFire, Palo Alto added intelligent run-time memory analysis combined with stealthy observation techniques that will let the system detect and protect resources quickly, said Anand Oswal, senior vice president, network security, at Palo Alto.

“Stopping the zero-day threats – that is the singular focus of this release,” Oswal said. “The new release stops 26% more zero-day malware than traditional sandboxes and detects 60% more injection attacks and keeps enterprises one step ahead of some very sophisticated threats.”

Oswal cited GuLoader, which is an advanced trojan downloader that uses shellcode to evade antivirus-analysis techniques, as an example of today’s sophisticated threats.

PAN-11 Nova also builds on the previous version of the OS – which brought inline deep-learning capabilities – and adds ATP support for inline detection of zero-day injection attacks.
The idea behind applying deep learning inline, in real time, on network traffic is to detect and prevent new threats, including malware variants. The service can stop unknown attacks as they happen, not just remediate them after the fact, Oswal said.

“Look at injection attempts, which push malicious code into computer systems by really exploiting unpatched vulnerabilities in software,” Oswal said. “We built in high-fidelity telemetry data from thousands of exploitable vulnerabilities over the last decade. And our internal testing has shown that when we enable this advanced threat prevention, we were able to detect 60% more zero injection attacks than in the past.”

The new PAN-OS also ties into Palo Alto’s recently introduced next-generation CASB to help customers spot cloud security issues such as system misconfigurations, unnecessary user accounts, excessive user permissions, and compliance risks. The idea is to provide a dashboard to fix problems more quickly and lock critical security settings in place.

Palo Alto also bulked up the OS’ AIops support by adding the ability to search for and correct inefficiencies in firewall security policies before committing changes, helping organizations fortify their cyberdefenses.

“We have developed cybersecurity best practices over the years, and the system can tell customers, through ‘what if’ analysis what would bolster their security posture,” Oswal said. “For example, a customer might want to know ‘what will happen if I enable encryption here or what happens if I change these configurations?’ The system can offer the best practice for the configuration of those devices.”

In addition to the software upgrade, Palo Alto added new boxes to its NGFW family. At the high end, it added the fixed-form-factor 2RU PA-5440, which is twice as fast as the high-end PA-5260. The 5440 is aimed at large campus and data center customers.
For large branch-office environments, the company added the PA-1400, which features 5x performance and 7x session capacity compared to its previous-generation box.

Lastly, the company introduced the PA-445 and PA-415 for small branches. These feature Power over Ethernet (PoE) support and are aimed at protecting devices such as access points, IP cameras, and IP phones without the need for additional electrical circuits.

All of the new firewalls will be available in December. PAN-OS 11.0 will be available this month.