Palo Alto Networks launched PAN-OS 11 Nova, a major update to its operating system. The organization also introduced a range of new next-gen firewalls (NGFWs).

According to the security vendor, PAN-OS 11.0 brings as many as 50 enhancements and features. Palo Alto Networks said the update should help companies detect and counter increasingly sophisticated malware at an early stage.

The update improves network security to counter additional zero-day attacks, increases protection against injection attacks, enhances security architecture and helps companies adopt best practices.

Zero-days and injection attacks

To counter zero-day attacks, the latest release of PAN-OS features Advanced WildFire. The cloud-based security service counters malware that avoids sandbox environments to prevent discovery and analysis. Advanced WildFire uses a modified and hardened hypervisor to detect threats that previously went unnoticed.

Features include intelligent run-time memory analysis, stealth observability and automated depacking. The combination keeps security functionality hidden from malware and prevents advanced evasion attempts. According to Palo Alto Networks, the service stops more zero-days than traditional sandboxes.

Other new functionality

Another new feature in PAN-OS 11 is improved support for web proxies in Palo Alto’s next-gen firewalls (NGFWs). Web proxies increase the security of internet and non-internet traffic. Some customers are required to use proxies in network environments due to compliance reasons. The new functionality for NGFWs and Prisma Access allows customers to implement consistent network security for campus locations, branch offices and mobile end users from a central management environment.

Furthermore, PAN-OS 11 supports a new integration of Palo Alto’s next-gen Cloud Access Security Broker (CASB). An all-new SaaS security posture management (SSPM) tool helps customers find and eliminate misconfigurations in more than 60 enterprise SaaS applications. Furthermore, the new CASB supports real-time data protection for collaboration apps and the detection of suspicious behaviour.

Furthermore, PAN-OS 11 enhances AIOps, Palo Alto’s misconfiguration detection service. The service now protects against best practice violations and helps find inefficiencies in security policies.

New NGFWs

In addition to PAN-OS 11, Palo Alto Networks announced a number of new NGFW systems. The firewalls are especially suitable for branch offices, campus environments and datacenters. According to Palo Alto Networks, the NGFWs should perform up to five times better than predecessors. In addition, the firewalls are capable of bringing fibre and PoE to branch offices.

The new PA-445 and PA-415 NGFWs are designed for small branch offices. The firewalls are able to power IP devices like cameras and phones. The new PA-1400 series is designed for large branch offices. The systems offer more performance and session capacity, as well as support for PoE and fibre ports. Finally, the PA-5440 NGFW is designed for large campus locations and datacenters.

PAN-OS 11 will become available this month. The new machine learning-based NGFWs are expected next month while SSPM is coming in January 2023. Palo Alto Networks indicates that most of the new security functionality will be backwards compatible with previous PAN-OS versions.

Tip: OT security of data centers should be a top priority