Create Best Practice Security Profiles for the Internet Gateway
Most malware sneaks onto the network in legitimate applications
or services. Therefore, to safely enable applications you must scan
all traffic allowed into the network for threats. To do this, attach
security profiles to all Security policy rules that allow traffic
so that you can detect threats—both known and unknown—in your network
traffic. The following are the recommended best practice settings
for each of the security profiles that you should attach to every
Security policy rule on your internet gateway policy rulebase.
Consider adding the best practice security
profiles to a default security profile group so that
it will automatically attach to any new Security policy rules you
create.
Best Practice Internet Gateway File Blocking Profile
Use these File Blocking settings as a best practice at
your internet gateway.
Use the predefined strict file blocking profile to block files that
are commonly included in malware attack campaigns and that have
no real use case for upload/download. Blocking these files reduces
the attack surface. The predefined strict profile blocks batch files,
DLLs, Java class files, help files, Windows shortcuts (.lnk), BitTorrent
files, .rar files, .tar files, encrypted-rar and encrypted-zip files,
multi-level encoded files (files encoded or compressed up to four
times), .hta files, and Windows Portable Executable (PE) files,
which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon,
and .pif files. The predefined strict profile alerts on all other
file types for visibility into other file transfers so that you
can determine if you need to make policy changes.
In some cases, the need to support critical applications
may prevent you from blocking all of the strict profile’s file types.
Follow the Transition File Blocking Profiles Safely to Best Practices advice
to help determine whether you need to make exceptions in different
areas of the network. Review the data filtering logs ()
to identify file types and talk with business stakeholders about
the file types their applications require. Based on this information,
if necessary, clone the strict profile and modify it as needed to
allow only the other file type(s) that you need to support the critical
applications. You can also use the Direction setting to restrict
files types from flowing in both directions or block files in one
direction but not in the other direction.
Why do I need this profile?
There are
many ways for attackers to deliver malicious files: as attachments
or links in corporate email or in webmail, links or IMs in social
media, Exploit Kits, through file sharing applications (such as
FTP, Google Drive, or Dropbox), or on USB drives. Attaching the
strict file blocking profile reduces your attack surface by preventing
these types of attacks.
What if I can’t block all of the file types covered
in the predefined strict profile?
If you have mission-critical
applications that prevent you from blocking all of the file types
included in the predefined strict profile, you can clone the profile
and modify it for those users who must transfer a file type covered
by the predefined profile. If you choose not to block all PE files
per the recommendation, make sure you send all unknown files to
WildFire for analysis. Additionally, set the Action to continue
to prevent drive-by downloads, which is when an end user downloads
content that installs malicious files, such as Java applets or executables,
without knowing they are doing it. Drive-by downloads can occur
when users visit web sites, view email messages, or click into pop-up
windows meant to deceive them. Educate your users that if they are
prompted to continue with a file transfer they didn’t knowingly
initiate, they may be subject to a malicious download. In addition, using
file blocking in conjunction with URL filtering to limit the categories
in which users can transfer files is another good way to reduce
the attack surface when you find it necessary to allow file types
that may carry threats.
Best Practice Internet Gateway Antivirus Profile
Use these Antivirus security profiles settings as a best
practice at your internet gateway.
Clone the default Antivirus profile and edit it. To ensure
availability for business-critical applications, follow the Transition Antivirus Profiles Safely to Best Practices advice
as you move from your current state to the best practice profile.
To achieve the best practice profile, modify the default profile
as shown here and attach it to all security policy rules that allow
traffic. The Antivirus profile has protocol decoders that detect
and prevent viruses and malware from being transferred over seven
protocols: FTP, HTTP, HTTP2, IMAP, POP3, SMB, and SMTP. You can
set WildFire actions for all seven protocols because the Antivirus
profile also enforces actions based on WildFire signatures.
Configure the cloned best practice Antivirus profile to reset
both the client and the server for all seven protocol decoders and
WildFire actions, and then attach the profile to the Security policy
allow rules.
Why do I need this profile?
By attaching
Antivirus profiles to all Security rules you can block known malicious
files (malware, ransomware bots, and viruses) as they are coming
into the network. Common ways for users to receive malicious files
include malicious attachments in email, links to download malicious
files, or silent compromise facilitated by Exploit Kits that exploit
a vulnerability and then automatically download malicious payloads
to the end user’s device.
Best Practice Internet Gateway Vulnerability Protection Profile
Use these Vulnerability Protection security profile settings
as a best practice at your internet gateway.
Attach a Vulnerability Protection profile to all
allowed traffic to protect against buffer overflows, illegal code
execution, and other attempts to exploit client- and server-side
vulnerabilities. Clone the predefined strict Vulnerability Protection
profile. To ensure availability for business-critical applications,
follow the Transition Vulnerability Protection Profiles Safely to Best Practices advice
as you move from your current state to the best practice profile.
For the best practice profile, for each rule except
simple-client-informational
and simple-server-informational
,
double-click the Rule Name
and change Packet Capture
from disable
to single-packet
to
enable packet capture (PCAP) for each rule so
you can track down the source of potential attacks. Don’t change
the rest of the settings. Download content updates automatically and
install them as soon as possible so that the signature set is always
up-to-date.
Why do I need this profile?
Without strict
vulnerability protection, attackers can leverage client- and server-side
vulnerabilities to compromise end-users. For example, an attacker
could leverage a vulnerability to install malicious code on client
systems or use an Exploit Kit (Angler, Nuclear, Fiesta,
KaiXin) to automatically deliver malicious payloads to the end user.
Vulnerability Protection profiles also prevent an attacker from
using vulnerabilities on internal hosts to move laterally within
your network.
Don’t enable PCAP for informational activity
because it generates a relatively high volume of that traffic and
it’s not particularly useful compared to potential threats. Apply
extended PCAP (as opposed to single PCAP) to high-value traffic
to which you apply the
alert
Action. Apply
PCAP using the same logic you use to decide what traffic to log—take
PCAPs of the traffic you log. Apply single PCAP to traffic you block.
The default number of packets that extended PCAP records and sends
to the management plane is five packets, which is the recommended
value. In most cases, capturing five packets provides enough information
to analyze the threat. If too much PCAP traffic is sent to the management
plane, then capturing more than five packets may result in dropping
PCAPs.Best Practice Internet Gateway Anti-Spyware Profile
Use these Anti-Spyware security profile settings as a
best practice at your internet gateway.
Attach an Anti-Spyware profile to all allowed traffic
to detect command and control traffic (C2) initiated from malicious code
running on a server or endpoint and prevent compromised systems
from establishing an outbound connection from your network. Clone
the predefined strict Anti-Spyware profile and edit it. To ensure
availability for business-critical applications, follow the Transition Anti-Spyware Profiles Safely to Best Practices advice
as you move from your current state to the best practice profile.
Edit the profile to enable DNS sinkhole and packet capture to help
you track down the endpoint that attempted to resolve the malicious
domain. The best practice Anti-Spyware profile retains the default
Action
to
reset the connection when the firewall detects a medium, high, or
critical severity threat, and enables single packet capture (PCAP) for those threats.Allow traffic only to sanctioned DNS
servers. Use the DNS Security service to
prevent connections to malicious DNS servers.
Don’t enable PCAP for informational activity because it generates
a relatively high volume of that traffic and it’s not particularly
useful compared to potential threats. Apply extended PCAP (as opposed
to single PCAP) to high-value traffic to which you apply the
alert
Action. Apply
PCAP using the same logic you use to decide what traffic to log—take
PCAPs of the traffic you log. Apply single PCAP to traffic you block.
The default number of packets that extended PCAP records and sends
to the management plane is five packets, which is the recommended
value. In most cases, capturing five packets provides enough information
to analyze the threat. If too much PCAP traffic is sent to the management
plane, then capturing more than five packets may result in dropping
PCAPs.Configure your DNS Policies to protect your network from DNS
queries to malicious domains. You can configure your anti-spyware
profile to use locally available, downloadable DNS signature sets
(packaged with the antivirus and WildFire updates) or, optionally,
access DNS Security, a cloud-based service that provides real-time
access to DNS signatures and protections against advanced threats.
These are configurable as individual signature sources; additionally,
DNS Security allows you to configure each domain category separately.
It is a best practice to override the default settings and to reconfigure
each category with a log severity, policy action, and packet capture
setting that reflects the risks associated with a given domain type.
Using the sinkhole setting identifies potentially compromised
hosts that attempt to access suspicious domains by tracking the
hosts and preventing them from accessing those domains. Palo Alto
Networks recommends using the sinkhole policy action instead of
block to maintain optimum protection while providing a mechanism
to assist in identifying compromised endpoints. For domain categories
that pose a greater threat, a higher log severity level and/or packet
capture settings are used. This can help determine if the attack
was successful, identity the attack methods, and provide better overall
context.
Configure the DNS signature source categories using the settings
described below:
DNS Signature Source | Log Severity | Policy Action | Packet Capture |
|---|---|---|---|
Palo Alto Networks Content | |||
default-paloalto-dns | default | sinkhole | extended-capture |
DNS Security | |||
Command And Control Domains | high (default) | sinkhole | extended-capture |
Dynamic DNS Hosted Domains | informational (default) | sinkhole | disable (default) |
Grayware Domains | low (default) | sinkhole | disable (default) |
Malware Domains | medium (default) | sinkhole | disable (default) |
Parked Domains | informational (default) | sinkhole | disable (default) |
Phishing Domains | low (default) | sinkhole | disable (default) |
Proxy Avoidance and Anonymizers | low (default) | sinkhole | disable (default) |
Newly Registered Domains | informational (default) | sinkhole | disable (default) |
Ad Tracking Domains | informational (default) | sinkhole | disable (default) |
For more information about the DNS signature source categories,
see DNS Security Analytics.
Best Practice Internet Gateway URL Filtering Profile
Use these URL Filtering security profile settings as
a best practice at your internet gateway.
Use PAN-DB URL filtering to prevent access to web
content high-risk for being malicious. Attach a URL Filtering profile to
all rules that allow access to web-based applications to protect
against URLs that Palo Alto Networks has observed hosting malware
or exploitive content.
To ensure availability for business-critical applications, follow
the Transition URL Filtering Profiles Safely to Best Practices advice
as you move from your current state to the best practice profile.
The best practice URL Filtering profile sets all known dangerous
URL categories to block. These include command-and-control, copyright-infringement,
dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown,
newly-registered-domain, grayware, and parked. Failure to block
these dangerous categories puts you at risk for exploit infiltration,
malware download, command-and-control activity, and data exfiltration.
If you have a business purpose for a dynamic DNS domain,
then make sure you allow those URLs in your URL Filtering profile.
In addition to blocking known bad categories, alert on all other
categories so you have visibility into the sites your users are
visiting. If you need to phase in a block policy, set categories
to continue and create a custom response page to educate
users about your acceptable use policies and alert them to the fact
they are visiting a site that may pose a threat. This paves the
way for you to outright block the categories after a monitoring
period.
If you are running PAN-OS 9.0.4 or later, ensure that the firewall
handles user web requests as securely as possible by enabling the
option to hold client requests (enter
config
then set deviceconfig setting ctd hold-client-request yes
).
By default, the firewall allows requests while it looks up an uncached
URL category in PAN-DB and then enforces
the appropriate policy when the server responds. Maximize security
by opting to hold requests during this lookup. For details, see Configure URL Filtering.What if I can’t block all of the recommended categories?
If
users need access to sites in the blocked categories, consider creating
an allow list for just the specific sites, if you feel the risk
is justified. Be aware of local laws and regulations that govern
the types of sites you can block, can’t block, and must block. On
categories you decide to allow, make sure you set up credential phishing protection to
ensure that users aren’t submitting their corporate credentials
to a site that may be hosting a phishing attack.
Allowing
traffic to a recommended block category poses the following risks:
- malware—Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
- phishing—Known to host credential phishing pages or phishing for personal identification.
- dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
- unknown—Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
- newly-registered-domain—Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
- command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
- copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
- extremism—Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
- proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
- grayware—Websites and services that do not meet the definition of a virus but are malicious or questionable and may degrade device performance and cause security risks. Prior to Content release version 8206, the firewall placed grayware in either the malware or questionable URL category. If you are unsure about whether to block grayware, start by alerting on grayware, investigate the alerts, and then decide whether to block grayware or continue to alert on grayware.
- parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
The
default URL Filtering profile blocks the malware, phishing, and
command-and-control URL categories, but not the rest of the categories
recommended to block as a best practice. The default URL Filtering
profile also blocks the abused-drugs, adult, gambling, hacking,
questionable, and weapons URL categories. Whether to block these
URL categories depends on your business requirements. For example,
a university probably won’t restrict student access to most of these
sites because availability is important, but a business that values
security first may block some or all of them.
URL Filtering Examples
URL Filtering works
with File Blocking, Decryption, External Dynamic Lists (EDLs), Logging,
and other security capabilities to create granular policies that
can go beyond simply blocking or allowing entire URL categories.
Use the URL Filtering safe
transition steps to evaluate what sites you want to allow
and what sites you want to block, then use the power of the Palo
Alto Networks platform to implement policies that fit your business
requirements. For example, you can:
- Use risk-based URL categories (high-risk, medium-risk, and low-risk) to simplify policy. If (after monitoring the traffic) you determine that you can block high-risk and/or medium-risk categories completely, you can quickly and simply tighten security. This enables you to control large numbers of potentially risky sites with one policy.
- Use risk-based URL categories to simplify decryption. If you determine that you can decrypt the sites in the high-risk and/or medium-risk categories, instead of creating decryption rules for many different applications, you can decrypt these risk categories in one simple rule.
- Log all user agents and referrers, all URLs, and all file downloads for high-risk and medium-risk category domains to increase visibility.
- Allow access to categories such as personal-sites-and-blogs while applying a File Blocking profile to the traffic to prevent downloading risky content such as .exe, .scr, and other potentially malicious files.
- If you can’t block high-risk and/or medium-risk categories, apply a File Blocking profile to prevent downloading risky files.
- Allow all finance sites and use the predefinedPalo Alto Networks - Bulletproof IP addressesEDL to prevent access to sites hosted on Bulletproof ISPs.
- Allow newly registered domains (if your business requires it) and automatically decrypt those sites and inspect the traffic. This method of applying decryption to entire categories works for any URL category you need to allow but that may pose risk.
- Use combinations of URL categories to simplify policy.
Best Practice Internet Gateway WildFire Analysis Profile
Use these WildFire Analysis security profile settings
as a best practice at your internet gateway.
While the rest of the best practice security profiles
significantly reduce the attack surface on your network by detecting
and blocking known threats, the threat landscape is ever changing
and the risk of unknown threats lurking in the files we use daily—PDFs,
Microsoft Office documents (.doc and .xls files)—is ever growing.
And, because these unknown threats are increasingly sophisticated
and targeted, they often go undetected until long after a successful
attack. To protect your network from unknown threats, you must configure
the firewall to forward files to WildFire for analysis. Without
this protection, attackers have free reign to infiltrate your network
and exploit vulnerabilities in the applications your employees use
everyday. Because WildFire protects against unknown threats, it
is your greatest defense against advanced persistent threats (APTs).
Set up WildFire appliance content updates to
download and install automatically every minute so that you always
have the most recent support. For example, support for Linux and
SMB files were first delivered in WildFire appliance content updates.
The best practice WildFire Analysis profile sends all files
in both directions (upload and download) to WildFire for analysis.
Specifically, make sure you are sending all PE files (if you’re
not blocking them per the file blocking best practice), Adobe Flash
and Reader files (PDF, SWF), Microsoft Office files (PowerPoint,
Excel, Word, RTF), Java files (Java, .CLASS), and Android files
(.APK).
Set up alerts for malware through email,
SNMP, or a syslog server so that the firewall immediately notifies
you when it encounters a potential issue. The faster you isolate
a compromised host, the lower the chance that the previously unknown
malware has spread to other data center devices, and the easier
it is to remediate the issue.
If necessary, you can restrict the applications and file types
sent for analysis based on the traffic’s direction.
WildFire Action settings in the Antivirus profile may impact
traffic if the traffic generates a WildFire signature that results
in a reset or a drop action. You can exclude internal traffic such
as software distribution applications through which you deploy custom-built
programs to transition safely to
best practices, because WildFire may identify custom-built programs
as malicious and generate a signature for them. Check to see if any internal custom-built
programs trigger WildFire signatures.
