The Threat log keeps records of Vulnerability Protection, Antivirus and Anti-Spyware detections. It can be reviewed on the firewall (Monitor > Logs > Threat) and can be forwarded to an external log server, for example over syslog, so detections survive the firewall's local log rotation and can be correlated centrally.
Vulnerability Protection Security Profiles
Include 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.
o Strict: overrides the signature default with reset-both for critical, high and medium severity signatures (low and informational keep their default action). Used for 'out of the box' protection where blocking is acceptable.
o Default: applies each signature's own default action to traffic. Generally used for PoC and initial deployments.
Each individual vulnerability signature has a predefined default action. The default action can be seen under:
o Objects > Security Profiles > Vulnerability Protection > Add > Exceptions - then select the 'Show all signatures' checkbox.
New signature updates (Applications and Threats content) are released weekly by PAN.
Profile rules can be configured to take packet captures (single-packet or extended-capture) for matching traffic.
Threat Name can be 'any' to match all signatures, or a specific string to match only signatures whose name contains that string.
Category can be 'any' or a specific signature category; a rule can also be narrowed by CVE, Vendor ID, host type (client/server) and severity.
Actions can include:
o Allow: permit without logging
o Alert: allow with logging
o Drop: drop and log
o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the traffic/session
o Block IP: blocks traffic/sessions from an IP (tracked by source, or by source and destination pair) for a configurable time in seconds.
Exceptions can be set to override the rule action for individual signatures. This is how a false positive that is blocking legitimate traffic is handled without weakening the whole rule. A list of IPs can be added to the IP Address Exemptions column of an exception, useful for known servers whose benign traffic trips the signature.
AV Security Profiles
A Default profile is available out of the box. This is recommended for initial configurations and TAP-mode deployments.
A custom profile is recommended for production.
Options are to clone the Default profile or make a new one from scratch.
The profile has predefined application decoders for common protocols: FTP, HTTP, IMAP, POP3, SMB, SMTP.
Virus signatures are released every 24 hours by PAN (Antivirus content updates).
Action is what will occur when a virus signature is detected, set per decoder. Actions can include:
o Allow: permit without logging
o Alert: allow with logging
o Drop: drop and log
o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the traffic/session
Application Exceptions can be added in the Application Exception section of the profile. Any application can be added with its own action, which overrides the decoder action for that application.
Packet Capture can be enabled to capture packets when a suspected virus is detected. This is useful for troubleshooting and resolving false positives.
The Virus Exception tab is where false positives are handled: add the Threat ID of the signature to the list to exempt that pattern from the configured action.
Anti-Spyware Security Profiles
Include 2 predefined read-only profiles. These can be cloned to make a custom profile, or a new profile can be built from scratch.
o Strict: overrides the signature default with reset-both for critical, high and medium severity signatures (low and informational keep their default action). Used for 'out of the box' protection.
o Default: applies each signature's own default action to traffic. Generally used for PoC and initial deployments.
Each individual Anti-Spyware signature has a predefined default action. The default action can be seen under:
o Objects > Security Profiles > Anti-Spyware > Add > Exceptions - then select the 'Show all signatures' checkbox.
Anti-Spyware signatures are delivered in the weekly Applications and Threats content updates; DNS signatures also arrive with the daily Antivirus updates.
Spyware is generally detected when it attempts to 'phone home' to a C2 server, i.e. on outbound traffic from an already infected host, so these profiles belong on the outbound rules as well as the inbound ones.
A custom profile is recommended. Options are to clone the Default profile or make a new one from scratch.
Best practice is to build profiles that fit your network design, deployment and company security policy.
Each profile can contain several rules to apply policy based on the severity or type of spyware.
Threat Name can be 'any' to match all signatures, or a specific string to match only signatures whose name contains that string.
Actions can include:
o Allow: permit without logging
o Alert: allow with logging
o Drop: drop and log
o Reset Client: TCP: sends a TCP reset to the client. UDP: drops the traffic/session
o Reset Server: TCP: sends a TCP reset to the server. UDP: drops the traffic/session
o Reset Both: TCP: sends TCP resets to both client and server. UDP: drops the traffic/session
The Exceptions tab is where false positives are handled: add the signature to the list to exempt that pattern from the rule action. The action set in the exception's 'Action' column overrides the rule action for that signature.
DNS Signatures are included in the Anti-Spyware updates from PAN, and additional custom DNS domains can be blacklisted manually.
Exceptions can also be added by Threat ID: add the Threat ID and the threat name to the exceptions list.
DNS Signature actions are:
o Allow - permit without logging
o Alert - permit with logging
o Block - block with logging
o Sinkhole - answer the DNS query for a known C2 domain with a specified IP address, so the infected host connects to a dead end instead of the real C2 server. The sinkhole address can be the PAN-provided IP, a local loopback, or a custom IP address. It is recommended that the sinkhole IP be in a different zone from the clients (unless intrazone traffic is logged), so that the client's follow-up connection to the sinkhole crosses a security policy rule and is written to the Traffic log; that entry identifies the infected host by its own IP even when clients resolve through an internal DNS server (in which case the Threat log only shows the resolver as the source).
Actions are also available with single-packet or extended packet capture.
Sinkhole traffic can be seen in Monitor > Logs > Threat with an action of 'sinkhole'.
File Blocking Profiles
Allows blocking of prohibited, malicious and sensitive files.
File types are identified by examining the file's content, not by trusting its extension, so renaming an .exe does not evade the rule.
Granular control is possible, for example blocking .exe files over gmail but allowing .exe files over FTP.
Profiles have these actions available:
o Alert: allow and log
o Continue: log the transfer and send the user to a browser response page where they can review it and continue or stop
o Block: block the file and log
Monitor > Logs > Data Filtering shows the actions taken and the file name/type.
There is no predefined file blocking profile; one must be created manually.
Rules can be set for:
o Specific applications
o File types
o Direction (upload/download/both)
o Action (alert/continue/block)
If a file matches multiple rules, the highest matching rule is applied.
If Continue is set, the transfer is halted to alert the user that a matched file is about to be downloaded. This helps prevent 'drive-by' downloads, i.e. downloads that happen without the user's knowledge or interaction.
o Continue only functions for applications that run over HTTP, because the firewall needs a browser to display the response page.
File blocking can decode up to 4 levels of encoding. Encoding here means container formats such as .zip, .tar, .docx, .gz, etc. A file nested deeper than that is not inspected.
o Selecting the 'Multi-Level-Encoding' file type in the file blocking rule lets the rule act on files that exceed that decoding depth, which the firewall otherwise cannot inspect; blocking it closes the evasion of wrapping a payload in too many layers.
Attaching Security Profiles to Security Policy Rules
Security Profile Groups can be used to group a set of Security Profiles. This simplifies security policy rule maintenance and deployment: selecting one group on a rule applies the Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis and Data Filtering profiles it contains.
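The following is an added example, not from these notes and not Palo Alto Networks code, that ties the Threat log discussion at the start of these notes to the DNS sinkhole action above. It parses threat log records in the CSV form a firewall forwards to a syslog server (the syslog header is assumed to have been stripped already), summarises them by subtype and action, lists the hosts whose DNS queries were sinkholed, and pulls out hosts with high-severity hits. The field order in THREAT_FIELDS is an assumption based on the first 36 columns of the PAN-OS 9.x threat log layout and must be checked against the log field reference for your version; the log lines, threat names and threat IDs are constructed.

```python
"""Summarise PAN-OS threat log records forwarded as CSV over syslog.

Added example, not from the study notes or Palo Alto Networks. THREAT_FIELDS is
an assumption: it follows the first 36 columns of the PAN-OS 9.x threat log
CSV format; check the log field reference for your PAN-OS version. The sample
records, threat names and threat IDs below are constructed.
"""
import csv
from collections import Counter, defaultdict

# Assumed column order (PAN-OS 9.x threat log, first 36 columns).
THREAT_FIELDS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use2",
    "generated_time", "src", "dst", "nat_src", "nat_dst", "rule", "src_user",
    "dst_user", "app", "vsys", "src_zone", "dst_zone", "in_if", "out_if",
    "log_action", "future_use3", "session_id", "repeat", "src_port", "dst_port",
    "nat_src_port", "nat_dst_port", "flags", "proto", "action", "misc",
    "threat_id", "category", "severity", "direction",
]

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample records: a vulnerability hit, a virus hit, two sinkholed
# DNS queries from one host and a spyware alert. Names and IDs are placeholders.
SAMPLE_LOGS = """\
1,2024/01/15 10:01:02,0123456789,THREAT,vulnerability,,2024/01/15 10:01:02,10.1.1.50,203.0.113.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,12345,1,51000,80,0,0,0x0,tcp,reset-both,example.test/,Constructed HTTP Exploit(90001),any,high,client-to-server
1,2024/01/15 10:02:10,0123456789,THREAT,virus,,2024/01/15 10:02:10,10.1.1.50,203.0.113.11,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,12346,1,51001,80,0,0,0x0,tcp,drop,malware.exe,Constructed Virus Sample(90002),any,medium,server-to-client
1,2024/01/15 10:03:30,0123456789,THREAT,spyware,,2024/01/15 10:03:30,10.1.1.77,10.1.1.1,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1,trust,dmz,ethernet1/2,ethernet1/3,default,,12347,1,53001,53,0,0,0x0,udp,sinkhole,bad.example.invalid,Constructed Spyware DNS Query(90003),any,medium,client-to-server
1,2024/01/15 10:04:00,0123456789,THREAT,spyware,,2024/01/15 10:04:00,10.1.1.77,10.1.1.1,0.0.0.0,0.0.0.0,allow-dns,,,dns,vsys1,trust,dmz,ethernet1/2,ethernet1/3,default,,12348,1,53002,53,0,0,0x0,udp,sinkhole,bad.example.invalid,Constructed Spyware DNS Query(90003),any,medium,client-to-server
1,2024/01/15 10:05:00,0123456789,THREAT,spyware,,2024/01/15 10:05:00,10.1.1.90,198.51.100.5,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,,12349,1,51002,443,0,0,0x0,tcp,alert,,Constructed Spyware Phone Home(90004),any,low,client-to-server
"""


def parse_threat_logs(text):
    """Turn CSV lines into dicts, skipping anything that is not a THREAT record."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) < len(THREAT_FIELDS) or row[3] != "THREAT":
            continue
        records.append(dict(zip(THREAT_FIELDS, row)))
    return records


def summarize(records):
    """Count (subtype, action) pairs: what was detected and what the profile did about it."""
    return Counter((r["subtype"], r["action"]) for r in records)


def sinkholed_hosts(records):
    """Source IP -> sorted queried domains for records with action 'sinkhole'.

    If clients resolve through an internal DNS server the source seen here is
    that server; the infected client is then found from Traffic log sessions
    to the sinkhole IP, which is why the sinkhole sits in a zone where that
    traffic crosses a logged security rule.
    """
    hosts = defaultdict(set)
    for r in records:
        if r["action"] == "sinkhole":
            hosts[r["src"]].add(r["misc"])
    return {src: sorted(domains) for src, domains in hosts.items()}


def hosts_at_or_above(records, minimum="high"):
    """Source IPs with at least one threat of the given severity or worse."""
    floor = SEVERITY_RANK[minimum]
    return sorted({r["src"] for r in records
                   if SEVERITY_RANK.get(r["severity"], -1) >= floor})


if __name__ == "__main__":
    recs = parse_threat_logs(SAMPLE_LOGS)
    print(summarize(recs))
    print(sinkholed_hosts(recs))
    print(hosts_at_or_above(recs, "high"))
```

Records with the Allow action never reach this script, because Allow does not log; if an allowed signature needs to be visible in the summary, its rule has to use Alert.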
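As an added example (not from these notes and not PAN-OS code), the following Python models the decoding-depth limit described in the File Blocking section above: it unwraps nested zip/gzip/tar containers down to a configurable number of layers, identifies what it finds by magic bytes, and reports anything it had to leave opaque. Running it shows that a stand-in executable wrapped in 4 layers is found while the same payload in 5 layers is not, which is the gap the Multi-Level-Encoding file type is there to close. The container set, the depth accounting and the test payload are assumptions.

```python
"""Unwrap nested archives to a bounded depth, the way a file blocking decoder does.

Added example; not the notes' content and not PAN-OS code. It models the
statement that file blocking decodes up to four layers: inspect() opens
containers only while the depth is below max_depth and marks deeper content
as not-decoded. Formats, depth accounting and the payload are assumptions.
"""
import gzip
import io
import tarfile
import zipfile

CONTAINERS = ("zip", "gzip", "tar")
FAKE_EXE = b"MZ" + b"\x00" * 200   # constructed stand-in for a PE executable header


def file_type(data):
    """Identify a blob by magic bytes (a tiny subset of what a firewall decodes)."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    if data.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"


def children(data, kind):
    """Yield (name, bytes) for each member of one container layer."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if not info.is_dir():
                    yield info.filename, z.read(info)
    elif kind == "gzip":
        yield "gzip-member", gzip.decompress(data)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as t:
            for m in t.getmembers():
                if m.isfile():
                    yield m.name, t.extractfile(m).read()


def inspect(data, max_depth=4, _depth=0, name="<top>"):
    """Return (depth, name, type) for every blob seen; containers at depth
    max_depth are identified but not opened, and their content is reported
    as 'not-decoded' because the firewall never sees it."""
    kind = file_type(data)
    out = [(_depth, name, kind)]
    if kind in CONTAINERS:
        if _depth < max_depth:
            for child_name, child in children(data, kind):
                out.extend(inspect(child, max_depth, _depth + 1, child_name))
        else:
            out.append((_depth + 1, name + "/*", "not-decoded"))
    return out


def verdict(data, max_depth=4):
    """What a rule with max_depth layers of decoding could conclude about data."""
    kinds = {k for _, _, k in inspect(data, max_depth)}
    return {"types": sorted(kinds),
            "executable_found": "pe-executable" in kinds,
            "undecoded": "not-decoded" in kinds}


def wrap(data, kind, name="member"):
    """Put data inside one container of the given kind."""
    buf = io.BytesIO()
    if kind == "zip":
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, data)
    elif kind == "gzip":
        buf.write(gzip.compress(data))
    elif kind == "tar":
        with tarfile.open(fileobj=buf, mode="w") as t:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def nest(payload, layers):
    """Wrap payload in `layers` alternating zip/gzip/tar containers, innermost first."""
    for i in range(layers):
        payload = wrap(payload, CONTAINERS[i % 3], f"layer{i}")
    return payload


if __name__ == "__main__":
    print("4 layers:", verdict(nest(FAKE_EXE, 4)))
    print("5 layers:", verdict(nest(FAKE_EXE, 5)))
```

The "undecoded" flag is the condition the Multi-Level-Encoding file type represents: a rule that blocks it turns the opaque case into a block instead of a silent pass.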
You can also assign individual Security Profiles to a rule.
Telemetry and Threat Intelligence
Opt-in is required, and the sharing can be customized to the data you want to share.
Information sent to PAN is sanitized before being sent and is not shared with any 3rd parties.
Telemetry can be configured under Device > Setup > Telemetry and Threat Intelligence. Select the checkboxes for what you want to upload.
A download icon in the corner can be used to get a copy of the 100 most recent reports (packet captures and threat data) that have been sent to PAN, so you can review what actually left the network.
Denial of Service Protection
DoS protection is packet based, not session based: it uses packet header information and rate counters rather than signature matching.
Zone Protection profiles and DoS Protection policies are not linked to Security Policy rules; they are applied to ingress traffic before the security policy lookup.
Zone Protection:
o Provides edge protection, the first line of defense.
o Flood Protection: protects against the most common flood types, including UDP flood, SYN flood and ICMP flood. All categories use Random Early Drop (RED), except SYN, which offers a choice of RED or SYN cookies.
o Reconnaissance Protection: protects against TCP/UDP port scans and host sweeps that exceed the configured threshold within the configured interval. Actions include:
  Allow: permits the scan
  Alert: generates an alert for each scan that crosses the threshold within the time interval
  Block: blocks the scanning packets
  Block IP: blocks traffic from the source, or from the source/destination combination, for a configured duration
o Packet Based Attack Protection: protects against specific types of malformed or suspicious packets. Examples include spoofed IP, fragmented traffic, timestamp forging, etc.
o Protocol Protection: applies to Layer 2 and virtual wire zones only. Used to allow or deny non-IP protocols between zones. An Include list allows only the listed protocols; an Exclude list allows all but the listed protocols.
o Protection is enabled on a per-zone basis.
o Only one profile can be set per zone.
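To make the Reconnaissance Protection settings above concrete, here is an added example (not from these notes and not how PAN-OS implements it) of interval/threshold detection over a stream of flows: it counts distinct destination ports per source/destination pair (port scan) and distinct destination hosts per source (host sweep) inside a sliding window and applies an allow/alert/block/block-ip action with a block duration. The definitions, the default numbers and the sample flows are assumptions. It also shows the caveat a practitioner should expect: a scan paced slower than the interval never reaches the threshold.

```python
"""Sliding-window reconnaissance detection with interval, threshold and action.

Added example, not from the study notes and not PAN-OS code. The port-scan and
host-sweep definitions, the default numbers and the sample flows are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp


class ReconDetector:
    """Fires when distinct ports per (src, dst, proto) or distinct hosts per
    (src, proto) seen within `interval` seconds reach `threshold`.
    action is one of allow/alert/block/block-ip."""

    def __init__(self, interval=2.0, threshold=20, action="alert", block_duration=3600.0):
        self.interval = interval
        self.threshold = threshold
        self.action = action
        self.block_duration = block_duration
        self.port_windows = defaultdict(deque)   # (src, dst, proto) -> (ts, dport)
        self.host_windows = defaultdict(deque)   # (src, proto) -> (ts, dst)
        self.blocked = {}                        # src -> expiry timestamp

    def _distinct_in_window(self, window, ts, value):
        """Add an observation, drop anything older than the interval, count distinct values."""
        window.append((ts, value))
        while window and ts - window[0][0] > self.interval:
            window.popleft()
        return len({v for _, v in window})

    def observe(self, f):
        """Return (verdict, events) for one flow; verdict is 'allow' when nothing matched."""
        expiry = self.blocked.get(f.src)
        if expiry is not None and f.ts < expiry:
            return "block-ip", ["source-blocked"]
        events = []
        if f.proto in ("tcp", "udp"):
            n = self._distinct_in_window(self.port_windows[(f.src, f.dst, f.proto)], f.ts, f.dport)
            if n >= self.threshold:
                events.append(f"{f.proto}-port-scan")
        n = self._distinct_in_window(self.host_windows[(f.src, f.proto)], f.ts, f.dst)
        if n >= self.threshold:
            events.append("host-sweep")
        if not events:
            return "allow", []
        if self.action == "block-ip":
            self.blocked[f.src] = f.ts + self.block_duration
        return self.action, events


# Constructed traffic: a fast port scan, the same scan paced at 1 port/s, an ICMP sweep.
def fast_scan(src="10.0.0.5", dst="10.0.0.10", ports=25):
    return [Flow(0.01 * i, src, dst, "tcp", 1 + i) for i in range(ports)]


def slow_scan(src="10.0.0.6", dst="10.0.0.10", ports=25):
    return [Flow(1.0 * i, src, dst, "tcp", 1 + i) for i in range(ports)]


def icmp_sweep(src="10.0.0.7", hosts=25):
    return [Flow(0.01 * i, src, f"10.0.1.{i + 1}", "icmp", 0) for i in range(hosts)]


def run(flows, **kwargs):
    """Feed flows through a fresh detector and return the verdict for each."""
    det = ReconDetector(**kwargs)
    return [det.observe(f) for f in flows]


if __name__ == "__main__":
    print(run(fast_scan(), action="block-ip")[18:21])
    print(set(run(slow_scan(), action="block-ip")))
    print(run(icmp_sweep(), action="alert")[19])
```

The slow scan passing untouched is not a bug in the detector but the trade-off the interval setting encodes; lowering the threshold or widening the interval catches it at the cost of more false alerts from legitimate chatty hosts.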
DoS Policy
o Provides flexible rules and matching criteria.
o Can be used to protect specific hosts that are critical or have been attacked previously.
o Match criteria include source/destination zone or interface, IP address, user and service.
o Actions:
  Protect: apply a DoS Protection profile. Two profile types exist:
    Aggregate profile: applies the limits to ALL traffic matching the rule combined
    Classified profile: applies the limits per individual source IP, destination IP, or source-and-destination pair
  Allow: permit all matching packets
  Deny: drop all matching packets
o Added under: Policies > DoS Protection > Add. Specify the match on the Source, Destination and Option/Protection tabs. You can specify an aggregate and/or a classified profile if Protect is selected.
An example use is protecting a web server from floods.
DoS Protection profiles are added under: Objects > Security Profiles > DoS Protection > Add. This is where the flood protection options are set for SYN, UDP, ICMP, ICMPv6 and Other IP.
Resource Protection can be set to limit concurrent sessions to a host, to prevent port depletion or resource (CPU/memory) exhaustion.
URL Filtering
URL Filtering Security profiles
Added to security policy rules whose action is 'allow'.
Applied to all packets over the life of a session.
Items are logged under:
o Monitor > Logs > URL Filtering
o The URL Category column in the log shows which category the site falls under.
o The actions 'Alert', 'Block', 'Continue' and 'Override' generate a log entry; 'Allow' does not.
o Log filters such as (url contains 'facebook') find all entries for users going to facebook.
Rules can be created to block access to specific websites or to website categories.
A default profile is included to be used 'out of the box'. A custom profile can be created based on your company's internal security policies.
A URL Filtering profile can be configured to take a specific action for each category.
If User-ID is configured, the Source User is shown in the URL log. The profile's 'User Credential Detection' tab uses User-ID to detect users submitting their corporate credentials to websites (credential phishing protection).
To create a new custom URL category, go to: Objects > Custom Objects > URL Category > Add
o Entries are case sensitive, and subdomain coverage should be checked:
o www.ebay.com in a block list will not block cdn.ebay.com.
o *.ebay.com would block all ebay subdomains.
Allow lists and block lists can be used to explicitly permit or block specific sites regardless of their category.
Actions available for the block list and for categories include:
o Block: access is blocked, the attempt is logged, and a response page tells the user the site is blocked.
o Continue: a response page asks the user to confirm they want to proceed. The item is logged as 'block-continue' when the continue page is presented, and as 'continue' if the user proceeds to the page.
o Override: a response page prompts for the URL admin override password before allowing access. Used for administrators and others who need a way to bypass blocks on some pages when needed.
o Alert: the user proceeds without interruption and an entry is generated in the URL log.
Custom HTML response pages can be created and uploaded to the PAN firewall.
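The subdomain point above is easy to get wrong when building a custom URL category, so here is an added example (not from these notes and not PAN-OS's matcher) that implements the two rules the notes state, an exact host entry covers only that host and a *.domain entry covers every subdomain, and then runs a list of entries against URLs as they would appear in the URL log to report which ones slip through. Two things are labelled assumptions: hostnames are compared case-insensitively (DNS names are, but check how your PAN-OS version treats case in category entries), and whether *.domain also covers the bare apex is a flag rather than a fixed rule. The URLs are constructed.

```python
"""Custom URL category matching: which hostnames an entry actually covers.

Added example; not from the notes and not PAN-OS code. Implements the notes'
two rules (exact host vs. *.domain) plus two labelled assumptions: hosts are
compared case-insensitively, and apex coverage of *.domain is a flag.
"""


def split_entry(text):
    """Return (host, path) for a category entry or a logged URL; scheme and port are ignored."""
    text = text.strip()
    if "://" in text:
        text = text.split("://", 1)[1]
    host, _, path = text.partition("/")
    host = host.split(":", 1)[0].lower()   # assumption: DNS names are case-insensitive
    return host, "/" + path


def entry_matches(entry, url, wildcard_matches_apex=False):
    """True if a single category entry covers the URL."""
    entry_host, entry_path = split_entry(entry)
    host, path = split_entry(url)
    if entry_host.startswith("*."):
        apex = entry_host[2:]
        # ".ebay.com" suffix: covers cdn.ebay.com but not notebay.com or ebay.com.evil.test
        host_ok = host.endswith("." + apex) or (wildcard_matches_apex and host == apex)
    else:
        host_ok = host == entry_host
    # An entry with no path matches every path on the host; a path restricts it to that prefix.
    path_ok = entry_path == "/" or path.startswith(entry_path)
    return host_ok and path_ok


def matching_categories(url, categories, **kw):
    """categories: {name: [entries]} -> sorted names of the custom categories the URL falls into."""
    return sorted(name for name, entries in categories.items()
                  if any(entry_matches(e, url, **kw) for e in entries))


def uncovered(entries, observed_urls, **kw):
    """URLs from the URL log that none of the entries match: the gaps in a block list."""
    return [u for u in observed_urls if not any(entry_matches(e, u, **kw) for e in entries)]


# Constructed URLs in the form seen under Monitor > Logs > URL Filtering.
OBSERVED = [
    "www.ebay.com/itm/123",
    "cdn.ebay.com/static/app.js",
    "m.ebay.com/",
    "ebay.com/",
    "notebay.com/",
    "www.ebay.com.example.test/phish",
]

if __name__ == "__main__":
    print("gaps with www.ebay.com:", uncovered(["www.ebay.com"], OBSERVED))
    print("gaps with *.ebay.com:  ", uncovered(["*.ebay.com"], OBSERVED))
```

The last two constructed URLs are the ones to keep in mind when reviewing a wildcard: a naive suffix check on "ebay.com" would match notebay.com and the look-alike phishing host, which is why the matcher requires the dot before the apex.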
Custom HTML block pages are limited to 16 KB.
Block pages are used to provide a challenge/response or a notification when a URL has an action of block, continue or override.
The user's name is displayed on the page if User-ID is enabled; otherwise the source IP is displayed.
If Continue or Override is used, a timer (15 minutes by default) allows access to that category before the user is challenged again.
o The timer can be changed at: Device > Setup > Content-ID > URL Filtering
o The admin override password can be changed at: Device > Setup > Content-ID > URL Admin Override
o Only one override password is allowed; it is shared by everyone who overrides, so treat it as a sensitive credential.
o An SSL/TLS Service profile can be used to specify the certificate that secures the connection to the firewall when Admin Override mode is set to 'Redirect'.
o Transparent mode makes block pages appear to originate from the blocked website.
o Redirect mode sends the request to the specified IP address, which must be a Layer 3 interface on the firewall.
o Safe Search Enforcement can be selected under Objects > Security Profiles > URL Filtering > (profile name) on the URL Filtering Settings tab. It acts on the safe search setting the browser sends to the search engine, blocking results when that setting is not at its strictest.
  Log Container Page Only can be selected in the same section. Only the main page the user requested is logged, not every element it loads (this helps with log volume and size).
o Both Safe Search Enforcement and Log Container Page Only are recommended best-practice settings from PAN.
To configure Credential Phishing profiles by where users are allowed to submit credentials