5

Content-ID

  • Looks more at incoming traffic

  • Scans the content of traffic

  • A packet is scanned for content (against the security profiles attached to the rule) only if a security policy rule allows it

  • There are several Security Profile Types:

    • Antivirus

    • Anti-Spyware

    • Vulnerability Protection - detects attempts to exploit known software vulnerabilities

    • URL Filtering

    • File Blocking

    • Data Filtering

    • WildFire Analysis - forwards unknown files to the WildFire service for malware analysis

    • Security Profile Group - a set of security profiles that are treated as a unit, can be thought of as "custom security profile type"

Antivirus, Anti-Spyware and Vulnerability Profiles

  • Most of these events are logged (if specified)

Antivirus

  • Protects against viruses, worms and trojans, along with spyware.

    • Available actions for traffic that matches an Antivirus Profile rule are as follows:

      • allow: Permits the traffic without logging

      • alert: Permits and logs the traffic

      • drop: Discards the traffic and generates a log entry

      • reset-client: For TCP, resets the client-side connection. For UDP, drops the connection.

      • reset-server: For TCP, resets the server-side connection. For UDP, drops the connection.

      • reset-both: For TCP, resets the connection on both the client and server. For UDP, drops the connection.

Anti-Spyware

  • A sign of spyware present in compromised hosts is when firewalls detect malicious traffic leaving the network from the clients.

  • Updated anti-spyware signatures are made available every day by Palo Alto Networks

  • Helps to identify infected hosts as traffic leaves the network

  • Two predefined Anti-Spyware profiles

    • default: This profile applies the “default” action to all client and server critical, high-severity, medium-severity, and low-severity spyware events. The default profile typically is used for proof-of-concept or first-phase deployments.

    • strict: This profile applies the “reset-both” response to all critical, high-severity, and medium-severity spyware events and uses the “default” action for all informational and low-severity spyware events. The strict profile is used for out-of-the-box protection with a recommended block of critical, high-severity, and medium-severity threats.

  • It is recommended to use the 'sinkhole' action when configuring an Anti-Spyware profile

    • Use either the sinkhole FQDN supplied by Palo Alto Networks or configure a real host and IP address as the sinkhole address

      • Try to use a real host, so that you can analyze the behavior of the infected host on the network.

      • The sinkhole and the real hosts should be in different security zones (as the firewall can only log traffic that travels between zones)

      • Third-party malicious domains are configured with sinkhole as the policy action

Sinkhole
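An added example (not from the original notes) of the analysis a real sinkhole host enables: once a DNS reply is sinkholed, the infected client itself, rather than the internal resolver, opens the follow-up session to the sinkhole IP, so the traffic log names the infected host. The sinkhole IP, zone names and log lines are constructed and simplified; they are not the real PAN-OS export format.

```python
"""Identify likely infected hosts from sessions to the DNS sinkhole address.

After a sinkholed DNS reply, the infected client (not the internal resolver)
connects to the sinkhole IP, so it appears as the session source, provided
the sinkhole sits in a different zone so the firewall logs the session."""
import csv
from collections import defaultdict
from io import StringIO

SINKHOLE_IP = "10.99.0.10"  # assumed: a real host configured as the sinkhole address

# Constructed, simplified traffic-log lines (not the real PAN-OS export format).
SAMPLE_TRAFFIC_LOG = """\
receive_time,src_zone,dst_zone,src_ip,dst_ip,dst_port,app,action
2024-01-10 09:01:02,trust,sinkhole,10.1.1.25,10.99.0.10,443,ssl,allow
2024-01-10 09:01:05,trust,untrust,10.1.1.25,203.0.113.7,443,ssl,allow
2024-01-10 09:02:11,trust,sinkhole,10.1.1.40,10.99.0.10,80,web-browsing,allow
2024-01-10 09:03:30,trust,sinkhole,10.1.1.25,10.99.0.10,8080,unknown-tcp,allow
2024-01-10 09:04:00,dmz,untrust,10.2.0.5,198.51.100.9,53,dns,allow
"""

def sinkhole_hits(log_text, sinkhole_ip=SINKHOLE_IP):
    """Group sessions destined to the sinkhole by source host."""
    hosts = defaultdict(lambda: {"count": 0, "first_seen": None, "dst_ports": set()})
    for row in csv.DictReader(StringIO(log_text)):
        if row["dst_ip"] != sinkhole_ip:
            continue
        entry = hosts[row["src_ip"]]
        entry["count"] += 1
        entry["first_seen"] = entry["first_seen"] or row["receive_time"]
        entry["dst_ports"].add(int(row["dst_port"]))
    return dict(hosts)

def report(hits):
    """One line per suspect host, busiest first (for the analyst's follow-up)."""
    lines = []
    for ip, e in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        ports = ",".join(str(p) for p in sorted(e["dst_ports"]))
        lines.append(f"{ip}: {e['count']} sinkhole session(s), first seen {e['first_seen']}, ports {ports}")
    return lines

if __name__ == "__main__":
    for line in report(sinkhole_hits(SAMPLE_TRAFFIC_LOG)):
        print(line)
```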

Vulnerability Protection

  • Stops attempts to exploit system flaws or gain unauthorized access to systems

  • Protects against threats entering the network

File Blocking

  • Prevent introduction of malicious data

  • Prevent exfiltration of sensitive data

  • The File Blocking Profiles identify and control the flow of a wide range of file types

  • File blocking activity is logged to the Data Filtering log

  • Three defined file blocking policy actions:

    • Alert

    • Continue

    • Block

Blocking Multi-Level Encoded Files

  • The firewall is able to decode up to four layers of encoding to scan files for malicious/sensitive content.

Files that are encoded more than 4 times can be blocked using the Multi-Level Encoding file type!
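An added example (not part of the original notes) showing why a nesting limit matters: a decoder that peels at most four layers (gzip, zip, base64) reaches the content of a four-deep file but not a five-deep one, which is the case the Multi-Level Encoding file type exists to block. The layer set, the sample content and the encoding recipes are constructed for illustration.

```python
import base64
import gzip
import io
import re
import zipfile

DECODE_LIMIT = 4  # the firewall decodes up to four layers of encoding

def zip_bytes(payload: bytes) -> bytes:
    """Wrap payload in a single-member zip archive (helper for constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.bin", payload)
    return buf.getvalue()

def peel_one(data: bytes):
    """Strip one encoding layer by its signature; return (layer_name, inner) or None."""
    if data[:2] == b"\x1f\x8b":
        return "gzip", gzip.decompress(data)
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "zip", zf.read(zf.namelist()[0])
    if len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data):
        return "base64", base64.b64decode(data, validate=True)
    return None

def inspect(data: bytes, limit: int = DECODE_LIMIT):
    """Decode at most `limit` layers. Returns (layers_found, innermost_data, exceeded)."""
    layers = []
    while True:
        step = peel_one(data)
        if step is None:
            return layers, data, False  # reached the actual content: it can be scanned
        if len(layers) == limit:
            return layers, data, True   # another layer remains: content is unreachable
        layers.append(step[0])
        data = step[1]

def encode_layers(payload: bytes, recipe):
    """Apply the named encodings innermost-first (builds constructed test input)."""
    encoders = {"gzip": gzip.compress, "zip": zip_bytes, "base64": base64.b64encode}
    for name in recipe:
        payload = encoders[name](payload)
    return payload

SECRET = b"account-number: 12345"  # constructed sample content a profile would scan
FOUR_DEEP = encode_layers(SECRET, ["gzip", "base64", "zip", "base64"])
FIVE_DEEP = encode_layers(SECRET, ["gzip", "base64", "zip", "base64", "gzip"])
```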

Data Filtering Profiles

  • Used to prevent sensitive, confidential and proprietary information from leaving the network, using data patterns to enforce compliance with standards.

URL Filtering Rules

  • Currently, URL filtering is supported by two methods:

    • PAN-DB, a Palo Alto Networks-maintained URL database used to filter URLs

    • Admin-defined URLs

  • Commonly used to disrupt the delivery and command-and-control (C2) stages of the cyber kill chain

  • URL Filtering Profiles are applied after the security rules have been evaluated

  • Defined URL filtering policy actions:

    • Alert

    • Continue

    • Block

    • Override

Policy and Security Profile

  Policy                                              | Security Profile
  ----------------------------------------------------|---------------------------------------------------------------
  Applied as a match criterion                        | Applied to traffic allowed by security policy
  URLs matched to predefined or custom URL categories | URLs matched to predefined or custom URL categories
  Action determined by policy rule                    | More granularly configured for individual URLs/URL categories
  URL category name logged in URL Filtering log       | URL details logged in URL Filtering log

Best practice is to block the high-risk and newly-registered-domain categories in URL Filtering Profiles

URL Filtering Security Default Categories

  • One of the many methods PAN-DB uses is to classify websites based on risk categories (High, Medium, Low)

    • It also assigns a website to multiple categories (content, purpose/function of the site)

  • A risk level is only applicable to URLs that have not been verified

  • Websites registered for fewer than 32 days are assigned the category 'newly-registered-domain'

Custom URL Category

  • Filtered based on specific URLs (e.g. *xxx.com, *.amazon.com)

  • Filtered by category (Shopping, Games, Auctions)

URL Admin Settings

  • Configure URL Admin Override password

  • Configure URL Admin Override password timeout -> time before a user must re-enter the URL Admin Override password for URLs in the same category

  • URL Admin Lockout Timeout -> period a user must wait after three unsuccessful override attempts

  Mode        | Description
  ------------|---------------------------------------------------------------------------------------------------------
  Redirect    | Block page originates from an L3/loopback interface on the firewall. The firewall intercepts the request and redirects it to the configured IP address on the firewall (the block page). This mode supports session cookies, hence it is recommended.
  Transparent | Block pages appear to originate from the blocked website; the firewall impersonates the web server and prompts for a password. Transparent mode is required only if no L3 interfaces are configured on the firewall.
