Palo Alto firewall - PAN-OS 10.0 (first ML-Powered NGFW)

Palo Alto Networks announced the world's first ML-Powered Next-Generation Firewall in June 2020. It includes 70+ innovative new capabilities, including easier decryption, high availability clustering, a new high-performance hardware card, Threat Prevention, and DNS Security enhancements. The ML-Powered NGFW plus more than 70 new features are all there in the new PAN-OS 10.0

After that, PAN-OS 10.0 officially released on July 16.
I am going to gather and update here all of the new features included with PAN-OS 10.0.

Here are four key factors for ML-Powered NGFW.

• ML must be inline
• ML must be both embedded and cloud based
• Near real-time ML should make instant changes (as opposed to signature updates every X minutes)
• Massive data collection is required for ML

What is the ML-Powered NGFW?
The foundation of the ML-Powered NGFW is the current next-generation firewall. However, PAN added three key aspects:

• Prevent – Put ML inline with zero delay update signatures. Prevent up to 95% of zero-day malware
• Detect – Extend the ML security analytics to IoT security
• Improve – ML-powered policy recommendations. Automate and simplify

What firewall models support PAN-OS 10.0?

70 new features in the new PAN-OS 10.0

PAN-OS ® New Features Guide, Version 10.0

▶ IoT Security

• Visibility into IoT devices
• Behavioral anomaly detection
• Risk-based policy recommendations
• Native enforcement

▶ Prevention of Patient Zero

• Inline machine learning at the network level
• WildFire and URL Filtering prevent weaponized files, credential phishing, and malicious scripts
• Patented signatureless based approach

▶ CN-Series

• Containerized form factor of NGFW
• Native deployment within Kubernetes
• Centralized management with Panorama

▶ Decryption

• Support for TLS 1.3
• Better visibility
• Enhanced troubleshooting

▶ Networking

• HA clustering
• HA additional path monitoring groups
• Ethernet SGT protection

▶ GlobalProtect

• Identification and quarantine of compromised devices

▶ SD-WAN

• SaaS app path monitoring
• Forward error correction
• Packet duplication

▶ WildFire

• Multi-vector recursive analysis to prevent multi-stage, multi-hop, attacks
• Improvement to static analysis model delivering verdicts in seconds from over 90% of malicious PE samples

▶ Snort Support

• UI and API support of both SNORT and Suricata signatures
• Automatically convert, sanitize, upload, and manage up to 7000 IDPS signatures

▶ Data Processing Card

• New card for the PA-7000 Series: data processing card with 33% increase in throughput

▶ Policy Features

• X-Forwarded-For HTTP header data support in policy

▶ 5G Security

• 5G network slice security
• 5G and 4G equipment ID security
• 5G and 4G subscriber ID security