How to Create Data Center Best Practice Security Profiles
Use Security Profiles to protect against vulnerabilities,
spyware, viruses, bad file types, and unknown threats.
Security profiles provide fundamental
protections by scanning traffic that you allow on the network for
threats. Security profiles provide a full suite of coordinated threat
prevention tools that block peer-to-peer command and control (C2)
application traffic, dangerous file types, attempts to exploit vulnerabilities,
and antivirus signatures, and also identify new and unknown malware.
It takes relatively little effort to apply security profiles
because Palo Alto Networks provides predefined profiles that you
can simply add to security policy allow rules. Customizing security
profiles is easy because you can clone a predefined profile and
then edit it. Of course, you can also create a security profile from
scratch on the firewall or on Panorama.
To detect known and unknown threats in your network traffic,
attach security profiles to all security policy rules that allow
traffic on the network, so that the firewall inspects all allowed
traffic. The firewall applies security profiles to traffic that
matches the security policy allow rule, scans traffic in accordance with
the security profile settings, and then takes appropriate actions
to protect the network. The recommendations for best practice security
profiles apply to all four of the data center traffic flows except
Download content updates automatically
and install them as soon as possible so that you have the latest
threat prevention signatures and content (antivirus, anti-spyware,
vulnerabilities, malware, etc.) on the firewall and block the latest
Create one or more Security profile groups so
that you can apply all of the profiles to a Security policy rule
at one time instead of specifying them individually.
You don’t need a URL Filtering subscription for data center
firewalls if there is no direct outbound connection to the internet.
Firewalls that don’t connect directly to the internet don’t need
the PAN-DB URL Filtering solution because it identifies internet
URLs, not private data center URLs, so importing the PAN-DB database
and checking URLs against it doesn’t apply to data center traffic.
If you’re not sure whether a firewall has URL traffic, get a trial
URL Filtering subscription and set the profile to alert on all URL
categories to identify any URL traffic. Otherwise, URL Filtering
should take place on firewalls at the network perimeter where user
traffic enters and exits the network, not at the data center perimeter.
Consider creating custom URL categories (
to identify and control access to internal data center web services.