Advanced Threat Prevention Powered by Precision AI™
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Every Palo Alto Networks next-generation firewall comes with
predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that
you can attach to Security policy rules. There is one predefined
Antivirus profile, default, which uses the
default action for each protocol (block HTTP, FTP, and SMB traffic
and alert on SMTP, IMAP, and POP3 traffic). There are two predefined
Anti-Spyware and Vulnerability Protection profiles:
- default—Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
- strict—Applies the block response to all client and server critical, high and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from
threats, attach the predefined profiles to your basic web access
policies. As you monitor the traffic on your network and expand
your policy rulebase, you can then design more granular profiles
to address your specific security needs.
Use the following workflow to set up the default Antivirus, Anti-Spyware,
and Vulnerability Protection Security Profiles.
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection (Cloud Management)
- Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub. The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license and is part of your Prisma Access subscription. For information about the applications and services offered with Prisma Access, refer to All Available Apps and Services. To verify subscriptions for which you have currently-active licenses, Check What’s Supported With Your License.
- (Optional) Create custom security profiles for antivirus, anti-spyware, and vulnerability protection. Alternatively, you can use the predefined Best-Practice profiles. Transition safely to best practice Security profiles for the best security posture.
  - To create custom WildFire and Antivirus Profiles, select Manage > Configuration > NGFW and Prisma Access > Security Services > WildFire and Antivirus and Add Profile. Use the Antivirus profile transition steps to safely reach your goal.
  - To create custom Anti-Spyware Profiles, select Manage > Configuration > NGFW and Prisma Access > Security Services > Anti-Spyware and Add Profile. Use the Anti-Spyware profile transition steps to safely reach your goal.
  - To create custom Vulnerability Protection Profiles, select Manage > Configuration > NGFW and Prisma Access > Security Services > Vulnerability Protection and Add Profile. Use the Vulnerability Protection profile transition steps to safely reach your goal.
- Attach security profiles to your Security Policy Rules. Prisma Access enforces best practice security policy rules by default. When you configure a Security policy rule that uses a Vulnerability Protection profile to block connections when exploits or attempts to gain unauthorized access are detected, Prisma Access automatically blocks that traffic and logs those incidents (see Monitor Blocked IP Addresses).
  - Select Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy and select the rule you want to modify or Add Rule.
  - In Action and Advanced Inspection, select the Profile Group that includes the following security profiles: WildFire and Antivirus, Anti-Spyware, and Vulnerability Protection. You can create new Profile groups in Manage > Configuration > NGFW and Prisma Access > Security Services > Profile Groups. For more information, refer to Enable a Security Profile. By default, the best-practice profile group is enabled with the best-practice configuration for all available security profiles.
- Commit your changes.
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection (NGFW (Managed by PAN-OS or Panorama))
Palo Alto Networks defines
a default action for all anti-spyware and vulnerability protection
signatures. To see the default action, select Objects > Security Profiles > Anti-Spyware
or Objects > Security Profiles > Vulnerability Protection and
then select a profile. Click the Exceptions tab and then click Show
all signatures to view the list of the signatures and the corresponding
default Action. To change the default action,
create a new profile and specify an Action,
and/or add individual signature exceptions to Exceptions
in the profile.
- Verify that you have a Threat Prevention subscription. The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license. To verify that you have an active Threat Prevention subscription, select Device > Licenses and verify that the Threat Prevention expiration date is in the future.
- Download the latest content.
  - Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
  - In the Actions column, click Download and install the latest Antivirus updates and then download and then Install the latest Applications and Threats updates.
- Schedule content updates. Review the Best Practices for Applications and Threats Content Updates for important information on deploying updates.
  - Select Device > Dynamic Updates and then click Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
  - Specify the frequency and timing for the updates:
    - download-only—The firewall automatically downloads the latest updates per the schedule you define but you must manually Install them.
    - download-and-install—The firewall automatically downloads and installs the updates per the schedule you define.
  - Click OK to save the update schedule; a commit is not required.
  - (Optional) Define a Threshold to indicate the minimum number of hours after an update becomes available before the firewall will download it. For example, setting the Threshold to 10 means the firewall will not download an update until it is at least 10 hours old regardless of the schedule.
  - (HA only) Decide whether to Sync To Peer, which enables peers to synchronize content updates after download and install (the update schedule does not sync across peers; you must manually configure the schedule on both peers). There are additional considerations for deciding if and how to Sync To Peer depending on your HA deployment:
    - Active/Passive HA—If the firewalls are using the MGT port for content updates, then schedule both firewalls to download and install updates independently. However, if the firewalls are using a data port for content updates, then the passive firewall will not download or install updates unless and until it becomes active. To keep the schedules in sync on both firewalls when using a data port for updates, schedule updates on both firewalls and then enable Sync To Peer so that whichever firewall is active downloads and installs the updates and also pushes the updates to the passive firewall.
    - Active/Active HA—If the firewalls are using the MGT interface for content updates, then select download-and-install on both firewalls but do not enable Sync To Peer. However, if the firewalls are using a data port, then select download-and-install on both firewalls and enable Sync To Peer so that if one firewall goes into the active-secondary state, the active-primary firewall will download and install the updates and push them to the active-secondary firewall.
- (Optional) Create custom security profiles for antivirus, anti-spyware, and vulnerability protection. Alternatively, you can use the predefined default or strict profiles. Transition safely to best practice Security profiles for the best security posture.
  - To create custom Antivirus Profiles, select Objects > Security Profiles > Antivirus and Add a new profile. Use the Antivirus profile transition steps to safely reach your goal.
  - To create custom Anti-Spyware Profiles, select Objects > Security Profiles > Anti-Spyware and Add a new profile. Use the Anti-Spyware profile transition steps to safely reach your goal.
  - To create custom Vulnerability Protection Profiles, select Objects > Security Profiles > Vulnerability Protection and Add a new profile. Use the Vulnerability Protection profile transition steps to safely reach your goal.
- Attach security profiles to your Security policy rules. When you configure the firewall with a Security policy rule that uses a Vulnerability Protection profile to block connections, the firewall automatically blocks that traffic in hardware (see Monitor Blocked IP Addresses).
  - Select Policies > Security and select the rule you want to modify.
  - In the Actions tab, select Profiles as the Profile Type.
  - Select the security profiles you created for Antivirus, Anti-Spyware, and Vulnerability Protection.
- Commit your changes. Click Commit.
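
To check the result of the "Attach security profiles to your Security policy rules" step across a whole rulebase, the following added example (not part of the original documentation or any Palo Alto Networks tooling) audits an exported configuration for allow rules that lack an Antivirus, Anti-Spyware, or Vulnerability Protection profile. It assumes the PAN-OS configuration XML layout for security rules; the rule names, the `corp-group` profile group, and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an excerpt of an exported PAN-OS running config.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="web-access">
    <action>allow</action>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
      <spyware><member>strict</member></spyware>
      <vulnerability><member>strict</member></vulnerability>
    </profiles></profile-setting>
  </entry>
  <entry name="partner-ftp">
    <action>allow</action>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
    </profiles></profile-setting>
  </entry>
  <entry name="dmz-any"><action>allow</action></entry>
  <entry name="grouped">
    <action>allow</action>
    <profile-setting><group><member>corp-group</member></group></profile-setting>
  </entry>
  <entry name="block-telnet"><action>deny</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

# XML element name -> profile type as named in the procedure above.
REQUIRED = {"virus": "Antivirus", "spyware": "Anti-Spyware",
            "vulnerability": "Vulnerability Protection"}

def audit_rules(config_xml):
    """Return {rule name: [missing profile types]} for allow rules."""
    findings = {}
    for rule in ET.fromstring(config_xml).findall(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # profiles only inspect traffic the rule allows
        if rule.find("profile-setting/group/member") is not None:
            continue  # a profile group is attached; review its contents separately
        missing = [label for tag, label in REQUIRED.items()
                   if rule.find(f"profile-setting/profiles/{tag}/member") is None]
        if missing:
            findings[rule.get("name")] = missing
    return findings

if __name__ == "__main__":
    for name, missing in audit_rules(SAMPLE_CONFIG).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Rules that reference a profile group are skipped rather than passed, because the group itself may omit one of the three profile types and has to be checked where the group is defined.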