PAN-OS 8.0: PAN-DB Five-Minute Update for Malware and Phishing
Resolution
This article highlights a new capability introduced in PAN-OS 8.0. If you'd like to learn more about this topic or PAN-OS 8.0 in general, you'll also want to check out our Technical Documentation.
With PAN-OS 8.0 we enhanced PAN-DB so that it provides better coverage of the phishing and malware categories. PAN-DB now receives malware and phishing updates every five minutes, matching the WildFire five-minute dynamic updates; that is 288 updates per day.
This removes the gap between WildFire identifying a malicious website or host and PAN-DB customers being protected against it.
We also introduced more granular cache expiration timers, so that the more frequent updates do not trigger excessive trie update operations on the firewall.
Details:
- URL cache expiration time per risk level:
  - High risk
    - Categories: Dynamic DNS, Content delivery networks, Web hosting, Malware, Phishing, Parked
    - Expiration time set to five minutes, including all parents and children
  - Medium risk
    - URLs with malware or phishing activity observed in the past 180 days
    - Newly added domains and hosts (domains and hosts added in the last 180 days)
    - Categories: Hacking, Personal sites and blogs, Peer-to-peer, Shareware-and-freeware
    - Expiration time set to 30 minutes, including all parents and children
  - Low risk
    - Expiration time set to one day
- M-500:
  - Checks for PAN-DB updates to the malware and phishing categories every five minutes
  - Cache expiration entries match those used in the cloud
- Compatibility:
  - Devices running releases prior to PAN-OS 8.0 keep the older cache expiration timers:
    - One day for Alexa top million
    - 30 minutes for everything else, including malware and phishing
  - Older PAN-OS releases can still take advantage of the new phishing feed, but with the 30-minute cache timer
  - Cache timeouts are counted from the first lookup that creates the entry; subsequent accesses to the same domain do not refresh the timer, so a verdict that changes in the cloud is not seen by the firewall until the existing entry expires
  - The new cache expiration timers are applied automatically after upgrading to PAN-OS 8.0
  - The previous cache expiration timers are applied again after a downgrade
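To make the cache behaviour above concrete, here is a small model of the PAN-DB URL cache expiration policy. This is an added example written for this article, not PAN-OS code: it models only what the article states (TTL fixed at first lookup and not refreshed by later hits, the 8.0 risk tiers, the pre-8.0 Alexa/30-minute split) and runs it against a constructed timeline in which a hosting domain is re-categorized as malware by the cloud while a client keeps fetching it. The host names, the cloud verdict change and the `CloudRecord` fields are assumptions made for the example.

```python
"""Added example (not PAN-OS code): a model of the PAN-DB URL cache
expiration policy described in this article, used to compare how quickly a
firewall on PAN-OS 8.0 versus pre-8.0 timers picks up a changed cloud verdict.

Modelled from the article:
  * a cache entry's TTL is fixed when the entry is created on the first
    lookup and is NOT refreshed by later hits on the same host;
  * PAN-OS 8.0: 5 min for high-risk categories; 30 min for medium-risk
    categories, hosts with recent malware/phishing activity or newly added
    domains; 1 day otherwise;
  * pre-8.0: 1 day for Alexa top-million hosts, 30 min for everything else.
Host names, the timeline and the cloud verdict change are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MINUTE = 60
DAY = 24 * 60 * MINUTE

# Category names as listed in the article, grouped by 8.0 risk tier.
HIGH_RISK = {"dynamic-dns", "content-delivery-networks", "web-hosting",
             "malware", "phishing", "parked"}
MEDIUM_RISK = {"hacking", "personal-sites-and-blogs", "peer-to-peer",
               "shareware-and-freeware"}


@dataclass(frozen=True)
class CloudRecord:
    """What a PAN-DB cloud lookup returns for a host (assumed field layout)."""
    category: str
    recent_malicious: bool = False   # malware/phishing seen in past 180 days
    newly_added: bool = False        # domain/host added in the last 180 days
    alexa_top_million: bool = False  # only consulted by the pre-8.0 policy


def ttl_panos_80(rec: CloudRecord) -> int:
    """PAN-OS 8.0 tiering: the riskiest applicable attribute sets the TTL."""
    if rec.category in HIGH_RISK:
        return 5 * MINUTE
    if rec.category in MEDIUM_RISK or rec.recent_malicious or rec.newly_added:
        return 30 * MINUTE
    return DAY


def ttl_pre_80(rec: CloudRecord) -> int:
    """Pre-8.0 tiering: Alexa top million get a day, everything else 30 min."""
    return DAY if rec.alexa_top_million else 30 * MINUTE


@dataclass
class Entry:
    category: str
    expires_at: int   # absolute expiry fixed at creation; never slid forward


class UrlCache:
    """Minimal model of the firewall's URL cache sitting in front of the cloud."""

    def __init__(self, ttl_policy: Callable[[CloudRecord], int],
                 cloud: Callable[[str, int], CloudRecord]) -> None:
        self.ttl_policy = ttl_policy
        self.cloud = cloud
        self.entries: Dict[str, Entry] = {}
        self.cloud_queries = 0

    def category(self, host: str, now: int) -> str:
        entry = self.entries.get(host)
        if entry is not None and now < entry.expires_at:
            return entry.category          # hit: expiry is NOT extended
        rec = self.cloud(host, now)        # miss or expired: ask the cloud
        self.cloud_queries += 1
        self.entries[host] = Entry(rec.category, now + self.ttl_policy(rec))
        return rec.category


# Constructed scenario: a hosting domain looks benign at first and is
# re-categorized as malware by the cloud two minutes later (think of a
# WildFire verdict), while a client keeps requesting it once a minute.
RECLASSIFIED_AT = 2 * MINUTE
WATCHED_HOST = "files.example-hosting.test"   # assumed name


def cloud_lookup(host: str, now: int) -> CloudRecord:
    if host == WATCHED_HOST:
        if now >= RECLASSIFIED_AT:
            return CloudRecord("malware", recent_malicious=True)
        return CloudRecord("web-hosting")
    return CloudRecord("business-and-economy", alexa_top_million=True)


def first_malware_verdict(ttl_policy: Callable[[CloudRecord], int],
                          poll_every: int = MINUTE,
                          horizon: int = DAY) -> Tuple[int, int]:
    """Return (time the cache first answers 'malware', cloud queries made)."""
    cache = UrlCache(ttl_policy, cloud_lookup)
    for now in range(0, horizon, poll_every):
        if cache.category(WATCHED_HOST, now) == "malware":
            return now, cache.cloud_queries
    return -1, cache.cloud_queries


if __name__ == "__main__":
    for name, policy in (("PAN-OS 8.0", ttl_panos_80), ("pre-8.0", ttl_pre_80)):
        t, q = first_malware_verdict(policy)
        print(f"{name:>10}: malware verdict served after {t // MINUTE} min "
              f"({q} cloud lookups)")
```

Running the script shows the practical difference: with the 8.0 timers the benign `web-hosting` entry created on the first lookup expires after five minutes and the next request fetches the malware verdict, whereas with the pre-8.0 timers the same entry lives for 30 minutes, and continuous client traffic during that window never refreshes or shortens it. This is also why, after a category change in the cloud, a firewall may keep reporting the old category until its cached entry ages out.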
Below is a list of commands you may need should you want to debug this new feature:
show url-cloud status
show system setting ctd url-block-cache
show system setting url-database
show system setting url-cache statistics
show system setting url-cache all
show system setting url-filtering-feature
debug device-server set url <basic|cloud|ha|match|rfs|stat|all>
debug device-server set url_trie <basic|stat|all>
debug device-server unset url <basic|all>
debug device-server test url-category <1-16383>
debug device-server test dynamic-url cloud <yes|no> unknown-only <yes|no> async <yes|no>
debug device-server test url-update-server
debug device-server reset url dynamic-url-timeout <1-43200>
debug device-server reset url dynamic-url-size <10-1000000>
debug device-server pan-url-db db-info
debug device-server pan-url-db db-perf
debug device-server pan-url-db show-stats
debug device-server pan-url-db cloud-reelect
debug device-server pan-url-db db-backup back-duration <5-480> back-threshold <3-30>
debug device-server dump dynamic-url database start-from <1-1000000> category <value>
debug device-server dump dynamic-url statistics
debug device-server dump pan-url-db statistics
debug device-server dump com url
debug dataplane test url-resolve-path <value>
debug dataplane test url-bloom <value>
debug dataplane test url-cache-resolve-path max-per-sec <1-65535>
debug dataplane show url-cache statistics
debug dataplane reset ctd url-block-cache lockout
debug dataplane packet-diag set log feature module url
debug dataplane packet-diag set log feature ctd url
debug dataplane packet-diag set log feature ctd urlcat
debug dataplane packet-diag set log feature url_trie <basic|stat|all>
set system setting url-database <value>
set system setting url-filtering-feature cache <True|False>
set system setting url-filtering-feature filter <True|False>
request url-filtering save url-database
request url-filtering install pandb-database
request url-filtering install signed-database
request url-filtering install database major-version <1-65535> minor-version <0-65535> md5 <value>
request url-filtering update url <value>
request url-filtering download status vendor paloaltonetworks
request url-filtering download paloaltonetworks region <value>
test url <value>
test url-info-host <value>
test url-info-cloud <value>
test url-wpc <value>
Cheers!
-Kim.