
• The Threat log keeps records of Vulnerability, AV and Anti-Spyware events. It can be reviewed on the firewall and can be forwarded to an external log server.

Vulnerability Protection Security Profiles
• Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.
  o Strict: strict implementation of the profile. Used for 'out of the box' protection.
  o Default: the default action of each signature is applied to traffic. Generally used for PoC and initial deployments.
• Each individual vulnerability signature has a predefined default action. The default action can be seen under:
  o Objects > Security Profiles > Vulnerability Protection > Add > Exceptions, then select the 'show all signatures' checkbox
• New updates are released weekly from PAN. *
• Rules can be configured to take packet captures
• Threat Name can be set to 'any' to match all signatures, or to a specific string to only match signatures with that name
• Category can be set to Any or to a specific CVE/Vendor ID
• Actions can include:
  o Allow: permit without logging
  o Alert: allow with logging
  o Drop: drop and log
  o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
  o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
  o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session
  o Block IP: blocks traffic/sessions from an IP; a time to block can be set in seconds.
• Exceptions can be set to override the actions on rules. This can be used to override a false detection that is blocking legitimate traffic. A list of IPs can be added to the exemptions column, useful for servers that may be flagged as false positives.

AV Security Profiles
• A default profile is available out of the box. This is recommended for initial configurations and TAP-mode gathering
• A custom profile is recommended. Options are to clone the default or make a new one from scratch
• The profile has predefined application decoders for common apps: FTP, HTTP, IMAP, POP3, SMB, SMTP
• Virus signatures are released every 24 hours by PAN
• Action is what will occur when a virus signature is detected.
• Actions can include:
  o Allow: permit without logging
  o Alert: allow with logging
  o Drop: drop and log
  o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
  o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
  o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session
• Application Exceptions can be added in the Application Exception section of the profile config screen. Any application can be added, and the action specified.
• Packet Capture can be set to run a capture when a suspected virus is detected. This can be useful to help troubleshoot and resolve false positives.
• The Virus Exception tab can be configured to exempt false-positive virus detections. Add the Threat ID to the list to whitelist that pattern from having the specified action taken.

Anti-Spyware Security Profiles
• Includes 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.
  o Strict: strict implementation of the profile. Used for 'out of the box' protection.
  o Default: the default action of each signature is applied to traffic. Generally used for PoC and initial deployments.
• Each individual Anti-Spyware signature has a predefined default action. The default action can be seen under:
  o Objects > Security Profiles > Anti-Spyware Protection > Add > Exceptions, then select the 'show all signatures' checkbox
• Virus signatures are released every 24 hours by PAN
• Spyware is generally detected when it attempts to 'phone home' to a C2 server.
• A custom profile is recommended. Options are to clone the default or make a new one from scratch. Best practice is to build the profile around your network design, deployment and company security policy.
• Each profile can contain several rules to apply policy based on the severity or type of spyware.
• Threat Name can be set to 'any' to match all signatures, or to a specific string to only match signatures with that name
• Actions can include:
  o Allow: permit without logging
  o Alert: allow with logging
  o Drop: drop and log
  o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
  o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
  o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the connection/session
• The Exception tab can be configured to exempt false-positive anti-spyware detections. Add the item to the list to whitelist that pattern from having the specified action taken. The action in the 'Action' column here overrides the rule's action.
• DNS signatures are included in the anti-spyware definition updates from PAN, and additional custom DNS domains can be blacklisted manually.
• Exceptions can also be added by threat ID. Add the threat ID and the threat name to the exceptions list.
• Actions (for DNS signatures) are:
  o Allow: permit without logging
  o Alert: permit with logging
  o Block: block with logging
  o Sinkhole: sends DNS lookups for C2 servers to a specified IP that is a dead end. This can be a PAN-provided IP, a local loopback, or a custom IP address. It is recommended that the sinkhole be in a different zone (unless intrazone traffic is logged) so that the traffic to it is logged.
• Actions are also available with single packet or extended packet capture
• Sinkhole traffic can be seen in Monitor > Logs > Threat with an action of 'sinkhole'
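The reason the sinkhole should sit in a zone whose traffic is logged is that the threat log entry with action 'sinkhole' usually names the internal DNS resolver as the source, while the infected host reveals itself a moment later by opening a session to the sinkhole IP. The following added example (written for these notes, not PAN-OS code) correlates the two log types over constructed records; the flat record layout, the timestamps and the sinkhole address 198.51.100.10 are assumptions made for illustration.

```python
"""Correlate DNS-sinkhole threat log hits with traffic log sessions to find
the host that is actually infected. Added example over constructed records;
this is not PAN-OS code, and the flat record layout, timestamps and
sinkhole address are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sinkhole address (a placeholder; PAN-OS lets you use the
# PAN-provided IP, a loopback, or a custom address).
SINKHOLE_IP = "198.51.100.10"

# Constructed threat-log records. When an internal DNS server performs the
# recursive lookup, the 'src' of a sinkhole hit is that resolver
# (10.0.0.53 here), not the infected client.
THREAT_LOGS = [
    {"time": "2024-01-10 09:00:01", "src": "10.0.0.53", "dst": "198.51.100.200",
     "action": "sinkhole", "threat_name": "Suspicious DNS Query (beacon.example)"},
    {"time": "2024-01-10 09:05:00", "src": "10.0.0.53", "dst": "198.51.100.200",
     "action": "sinkhole", "threat_name": "Suspicious DNS Query (update.example)"},
    {"time": "2024-01-10 09:06:00", "src": "10.0.1.20", "dst": "198.51.100.7",
     "action": "alert", "threat_name": "Constructed Vulnerability Signature"},
]

# Constructed traffic-log records (session starts). Because the client resolved
# the C2 name to the sinkhole IP, its follow-up connection goes to the sinkhole
# and is logged there, which is why the sinkhole should sit in a logged zone.
TRAFFIC_LOGS = [
    {"time": "2024-01-10 09:00:02", "src": "10.0.1.15", "dst": SINKHOLE_IP, "dport": 443},
    {"time": "2024-01-10 09:00:30", "src": "10.0.1.15", "dst": SINKHOLE_IP, "dport": 80},
    {"time": "2024-01-10 09:05:01", "src": "10.0.2.77", "dst": SINKHOLE_IP, "dport": 443},
    {"time": "2024-01-10 09:10:00", "src": "10.0.1.40", "dst": "198.51.100.9", "dport": 443},
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def sinkhole_hits(threat_logs):
    """Same filter as viewing Monitor > Logs > Threat with action = sinkhole."""
    return [r for r in threat_logs if r["action"] == "sinkhole"]


def infected_clients(threat_logs, traffic_logs, sinkhole_ip, window_seconds=60):
    """For each sinkhole hit, list the hosts that opened a session to the sinkhole
    IP within window_seconds afterwards. Those hosts, not the resolver in the
    threat log, are the ones to investigate."""
    found = defaultdict(set)
    for hit in sinkhole_hits(threat_logs):
        t0 = parse_time(hit["time"])
        for flow in traffic_logs:
            if flow["dst"] != sinkhole_ip:
                continue
            delta = parse_time(flow["time"]) - t0
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                found[hit["threat_name"]].add(flow["src"])
    return {name: sorted(hosts) for name, hosts in found.items()}


if __name__ == "__main__":
    for name, hosts in infected_clients(THREAT_LOGS, TRAFFIC_LOGS, SINKHOLE_IP).items():
        print(f"{name}: {', '.join(hosts)}")
```

The window is deliberately short: a client that resolved the sinkholed name normally connects within seconds, and a short window keeps unrelated sinkhole sessions from being attributed to the wrong threat name. Widen it if the environment's DNS caching delays the follow-up connection.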

File Blocking Profiles
• Allows blocking of prohibited, malicious and sensitive files
• File blocking can be done by extension or by examination of the file itself
• Granular control is possible, for example blocking .exe files from gmail but allowing .exe files over FTP
• Profiles have these actions available:
  o Alert: allow and log
  o Continue: log the incident and send the user to a browser response page to review/continue/stop.
  o Block: block the file and log
• Monitor > Logs > Data Filtering can be used to see the actions taken and the file name/type
• There is no predefined file blocking profile. One must be created manually.
• Rules can be set for:
  o Specific applications
  o File types
  o Direction (upload/download/both)
  o Action (alert/continue/block)
• If a file matches multiple rules, the highest matching rule is applied.
• If Continue is set, the transfer is halted to alert the user that a matched file is attempting to be downloaded. This can help prevent 'drive-by' downloads, i.e. downloads done without the user's knowledge or interaction.
  o Continue only functions with an application over HTTP
• File blocking can decode up to 4 layers of encoding. Encoding includes container files such as .zip, .tar, .docx, .gzip, etc.
  o 'Multi-Level Encoding' needs to be set under 'File Types' in the file blocking rule
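The practical consequence of a fixed decoding depth is that content wrapped one layer deeper than the limit is never examined. The following added example (written for these notes, not PAN-OS code) peels nested zip/gzip/tar layers up to a depth limit and reports what it reached; the 4-layer limit, the magic-byte classifier and the sample archives are simplified constructions for illustration and do not reproduce the firewall's decoder.

```python
"""Peel nested container layers (zip, gzip, tar) up to a depth limit and
identify the innermost file by its magic bytes, illustrating the 'up to 4
layers of encoding' behaviour described above. Added example; it is not
PAN-OS code, and the depth limit, file-type detection and sample archives
are simplified constructions for illustration."""
import gzip
import io
import tarfile
import zipfile

MAX_LAYERS = 4  # assumed to mirror the limit the notes state
CONTAINERS = ("zip", "gzip", "tar")


def file_type(data: bytes) -> str:
    """Classify content by leading magic bytes (deliberately minimal)."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    if data.startswith(b"MZ"):
        return "exe"
    return "unknown"


def unwrap_one(data: bytes) -> bytes:
    """Return the first member of one container layer."""
    kind = file_type(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.read(z.namelist()[0])
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            return t.extractfile(t.getmembers()[0]).read()
    raise ValueError("not a container")


def inspect_file(data: bytes, max_layers: int = MAX_LAYERS):
    """Return (type_reached, layers_peeled, fully_decoded). If the limit is hit
    while a container is still unopened, the real content was never examined."""
    layers = 0
    while file_type(data) in CONTAINERS:
        if layers == max_layers:
            return file_type(data), layers, False
        data = unwrap_one(data)
        layers += 1
    return file_type(data), layers, True


def wrap(data: bytes, kind: str, name: str = "payload") -> bytes:
    """Build one container layer around data (used only to construct samples)."""
    buf = io.BytesIO()
    if kind == "zip":
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, data)
    elif kind == "gzip":
        buf.write(gzip.compress(data))
    elif kind == "tar":
        with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as t:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def nest(payload: bytes, kinds) -> bytes:
    """Wrap payload in the given container kinds, innermost first."""
    for kind in kinds:
        payload = wrap(payload, kind)
    return payload


# Constructed stand-in for an executable (only the 'MZ' magic matters here).
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real program"
FOUR_DEEP = nest(FAKE_EXE, ["zip", "gzip", "tar", "zip"])
FIVE_DEEP = nest(FAKE_EXE, ["zip", "gzip", "tar", "zip", "gzip"])

if __name__ == "__main__":
    print("4 layers:", inspect_file(FOUR_DEEP))   # exe reached after 4 layers
    print("5 layers:", inspect_file(FIVE_DEEP))   # limit reached with a zip still closed
```

The `fully_decoded` flag is the value worth alerting on: a file that still looks like a container when the limit is reached is exactly the case where an extension-based rule on the outer file, or a block on unexpected nesting depth, has to stand in for content inspection.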

Attaching Security Profiles to Security Policy Rules
• Security Profile Groups can be used to group a set of Security Profiles. This simplifies Security Policy rule maintenance and deployment: one group can be selected that contains AV, Anti-Spyware, Vulnerability, URL Filtering, File Blocking, WildFire and Data Filtering profiles.
• Individual Security Profiles can also be assigned to a rule

Telemetry and Threat Intelligence
• Opt-in is required, and what data you share can be customized
• Information sent to PAN is sanitized before being sent, and is not shared with any 3rd parties.
• Telemetry can be configured under Device > Setup > Telemetry and Threat Intelligence. Check boxes select what you want to upload. A download box in the corner can be used to get a copy of the 100 most recent folders of packet captures and threat data that have been sent to PAN.

Denial of Service Protection
• DoS protection is packet based, not session based.
• Uses packet header information rather than signature matching.
• These are not linked to Security Policies.
• Zone Protection:
  o Provides edge protection
  o First line of defense
  o Flood Protection:
    ▪ Protects against the most common attack types, including UDP floods, SYN floods and ICMP floods.
    ▪ All categories use Random Early Drop, except SYN (which offers a choice of RED or SYN Cookies)
  o Reconnaissance Protection:
    ▪ Protects against TCP/UDP/ICMP sweeps and port scans within the criteria set
    ▪ Actions include:
      ▪ Allow: permits the scan
      ▪ Alert: generates an alert for each scan that matches within the time interval
      ▪ Block: blocks the attempts
      ▪ Block IP: can be specified to block traffic from the source or for the source/destination combination.
  o Packet Based Attack Protection:
    ▪ Protects against specific types of packet attacks. Examples include spoofed IP, fragmented traffic, timestamp forging, etc.
  o Protocol Protection:
    ▪ Applies to L2 or Vwire zones only
    ▪ Used to allow or deny which non-IP protocols can move between zones.
    ▪ Include list allows the specified protocols only; Exclude list allows all but the specified protocols
  o Protection is enabled on a per-zone basis
  o Only one profile can be set per zone.
• DoS Policy:
  o Provides flexible rules and matching criteria
  o Can be used for specific hosts that are critical or have been hit previously
  o Can be based on match criteria such as source/destination zone/interface, IP address, user and services.
  o Profiles include:
    ▪ Protect:
      ▪ Aggregate profile: applies limits to ALL incoming traffic
      ▪ Classified profile: applies limits to a single IP address
    ▪ Allow: permit all packets
    ▪ Deny: drop all packets
  o Added under: Policies > DoS Protection > Add
    ▪ Specify match criteria on the source/destination/option-protection tabs
    ▪ You can specify the aggregate and/or classified profile if Protect is selected
    ▪ An example use is to protect a web server from attacks or floods.
    ▪ Profiles are added under: Objects > Security Profiles > DoS Protection > Add
    ▪ This allows setting the profile options for flood protection: SYN, UDP, ICMP, ICMPv6 and Other IP.
    ▪ Resource Protection can be set to limit sessions to a host to prevent port depletion or resource (CPU/memory) exhaustion
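Reconnaissance Protection works on the idea of counting distinct probes from one source within a time interval and acting once a threshold is crossed. The following added example (written for these notes, not PAN-OS code) implements that sliding-window logic for both port scans and host sweeps over constructed flow records, so the effect of the interval can be seen: a fast scan trips the threshold, a slow one spaced beyond the interval never does. The interval, threshold and action names are assumptions for illustration.

```python
"""Sliding-window detector for port scans and host sweeps, modelled on the
interval/threshold idea behind Zone Protection's Reconnaissance Protection.
Added example over constructed flow records; it is not PAN-OS code, and the
interval, threshold and action names are assumptions for illustration."""
from collections import defaultdict

INTERVAL_SECONDS = 2.0   # assumed: window in which events are counted
THRESHOLD = 10           # assumed: distinct ports/hosts from one source that trigger


class ReconDetector:
    def __init__(self, interval=INTERVAL_SECONDS, threshold=THRESHOLD, action="alert"):
        self.interval = interval
        self.threshold = threshold
        self.action = action            # what to return on a match: alert / block / block-ip
        # (src, dst)   -> {dst_port: last_seen}   distinct ports on one host = port scan
        # (src, dport) -> {dst_host: last_seen}   one port on many hosts    = host sweep
        self._ports = defaultdict(dict)
        self._hosts = defaultdict(dict)
        self.alerts = []

    def _prune(self, table, now):
        """Forget entries older than the interval so slow probing never accumulates."""
        for key, seen in list(table.items()):
            if now - seen > self.interval:
                del table[key]

    def observe(self, ts, src, dst, dport):
        """Feed one session start; return the action applied to it."""
        scan = self._ports[(src, dst)]
        scan[dport] = ts
        self._prune(scan, ts)
        sweep = self._hosts[(src, dport)]
        sweep[dst] = ts
        self._prune(sweep, ts)
        if len(scan) >= self.threshold:
            self.alerts.append(("port-scan", src, dst, ts))
            return self.action
        if len(sweep) >= self.threshold:
            self.alerts.append(("host-sweep", src, dport, ts))
            return self.action
        return "allow"


def run(detector, flows):
    """Apply the detector to (ts, src, dst, dport) tuples; return the per-flow actions."""
    return [detector.observe(*flow) for flow in flows]


# Constructed sample flows (seconds, src, dst, dst port).
SAMPLE_FLOWS = (
    # fast port scan: 12 ports on one host inside 1.1 s
    [(0.1 * i, "10.0.9.9", "10.0.1.5", 1 + i) for i in range(12)]
    # slow probe: 12 ports spaced 3 s apart, so never THRESHOLD inside INTERVAL
    + [(50.0 + 3 * i, "10.0.9.8", "10.0.1.5", 100 + i) for i in range(12)]
    # host sweep: one port across 10 hosts inside 0.9 s
    + [(100.0 + 0.1 * i, "10.0.9.9", f"10.0.2.{i + 1}", 445) for i in range(10)]
    # ordinary client traffic
    + [(200.0, "10.0.1.30", "10.0.1.5", 443), (200.5, "10.0.1.30", "10.0.1.5", 80)]
)


if __name__ == "__main__":
    det = ReconDetector()
    actions = run(det, SAMPLE_FLOWS)
    print(f"{actions.count('alert')} alerts:", det.alerts)
```

With the default action of "alert" the detector reports every event at or past the threshold, matching the note that an alert is generated for each scan that matches within the interval; the slow probe shows why a long interval is needed to catch patient scanners, at the cost of more state per source.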

URL Filtering

URL Filtering Security Profiles
• Added to security policy rules that are set to 'allow'
• Applied to all packets over the life of a session
• Items are logged under:
  o Monitor > Logs
  o The URL Category column in the logs shows which category the site falls under.
  o The actions 'Alert', 'Block', 'Continue' and 'Override' will generate a log entry
  o Logs can be filtered with (URL contains 'facebook') to find all entries for users going to facebook.
• Rules can be created to block access to specific websites or website categories
• A default profile is included for use 'out of the box'.
• A custom profile can be created based on your company's internal security policies
• A URL profile can be configured to take a specific action per category.
• If User-ID is configured, the 'User Credential Detection' tab can be enabled so that user information is written to the log files.
• To create a new custom URL Category, go to: Objects > Custom Objects > URL Category > Add
  o Entries are case sensitive, and subdomain considerations should be checked.
  o www.ebay.com in a block list will not block cdn.ebay.com.
  o *.ebay.com would block all ebay subdomains.
• Allow lists and block lists can be used to control the sites users may or may not access.
• Actions available under the block list include:
  o Block: access is blocked, the access attempt is logged, and a response page notifies the user that the site is blocked.
  o Continue: a response page is presented asking the user to confirm they want to proceed. The item is logged as 'block-continue' when the continue page is presented, and changed to 'continue' if the user proceeds to the page.
  o Override: prompts for the administrator override password to bypass a URL block. Used for administrators and others who need a way to bypass blocks on some pages when needed.
  o Alert: allows the user to proceed without interruption, and generates an alert in the URL log.
• Custom HTML pages can be created and uploaded to the PAN firewall.
• Custom HTML block pages are limited to 16 KB
• Block pages are used to provide a challenge/response or notification if a URL has an action of block, continue or override.
• The user's name will be displayed on the page if User-ID is enabled; otherwise the IP will be displayed.
• If Continue or Override is used, a 15 minute timer is set to allow access to that category.
  o The timer can be changed at: Device > Setup > Content-ID > URL Filtering
  o The admin password can be changed at: Device > Setup > Content-ID > URL Admin Override
  o Only one override password is allowed.
  o An SSL/TLS profile can be used to specify a certificate to secure the connection to the firewall if Admin Override is set to 'Redirect'
  o Transparent mode can be used to make block pages appear to originate from the blocked website
  o Redirect will send the request to the specified IP. This IP must be an L3 interface on the firewall.
  o Safe Search can be selected under Objects > Security Profiles > URL Filtering > (profile name) under the URL Filtering tab
    ▪ This is based on the browser's safe search setting
    ▪ Log Container Page Only can be selected in this same section
    ▪ Only the name of the container page will be logged if Log Container Page Only is selected (helps with log containment and size)
  o Both Safe Search and Log Container Page Only are recommended settings by PAN as best practice.
• To configure Credential Phishing profiles by where users are allowed to submit credentials
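The custom URL category rules above (case-sensitive entries, an exact host entry not covering its subdomains, a `*.` entry covering all subdomains) are easy to get wrong when building a block list by hand. The following added example (written for these notes, not PAN-OS's own URL matcher) models those rules as a small matcher over constructed entries and URLs so each case can be checked; it also shows the trap a naive suffix match would fall into, where `notebay.com` would wrongly match `*.ebay.com`. It is a simplified model and the handling of ports and userinfo is an assumption for illustration.

```python
"""Model of the block-list matching rules stated above: entries are case
sensitive, 'www.ebay.com' matches only that exact host, and '*.ebay.com'
matches every ebay subdomain. Added example; it is a simplified model written
for these notes and not PAN-OS's own URL matcher."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Extract the host from a URL, keeping its case (scheme optional,
    userinfo and port stripped; IPv6 literals are not handled)."""
    if "://" not in url:
        url = "http://" + url
    netloc = urlsplit(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]   # drop user:pass@
    return netloc.split(":", 1)[0]       # drop :port


def matches(entry: str, host: str) -> bool:
    """One block-list entry against one host, case sensitive as the notes state."""
    if entry.startswith("*."):
        suffix = entry[1:]                         # '*.ebay.com' -> '.ebay.com'
        # require a real subdomain: 'cdn.ebay.com' yes, 'ebay.com' and 'notebay.com' no
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def block_list_verdict(entries, url):
    """Return ('block', matching_entry) or ('allow', None) for a URL."""
    host = host_of(url)
    for entry in entries:
        if matches(entry, host):
            return ("block", entry)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed block list and requests.
    BLOCK_LIST = ["www.ebay.com", "*.example.net"]
    for url in ["https://www.ebay.com/itm/1", "https://cdn.ebay.com/x.js",
                "https://login.example.net:8443/", "https://notexample.net/"]:
        print(url, "->", block_list_verdict(BLOCK_LIST, url))
```

Because entries are case sensitive, an entry typed as `WWW.Ebay.com` would never match a request for `www.ebay.com`; enter block-list hosts in the form they actually appear in the URL log, and prefer the `*.` form whenever the intent is to cover a whole domain.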
