Step 1: Create Rules Based on Trusted Threat Intelligence Sources
Before you allow and block traffic by application,
block traffic from hosts that Palo Alto Networks and trusted third-party
sources have proven to be malicious. With an active Threat Prevention
license, Palo Alto Networks provides built-in external dynamic lists that
contain these malicious IP addresses and that you can use in policy.
The lists are compiled and dynamically updated based on the latest
threat intelligence.
- Block traffic to and from IP addresses that Palo Alto Networks has identified as malicious.
  Why do I need these rules?
  - This rule protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
  Rule Highlights
  - One rule blocks outbound traffic to known malicious IP addresses, while another rule blocks inbound traffic from those addresses.
  - Set the external dynamic list Palo Alto Networks - Known malicious IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
  - Deny traffic that matches these rules.
  - Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
  - Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.
- Block traffic to and from Bulletproof hosting providers.
  Why do I need these rules?
  - This rule protects you against IP addresses that Palo Alto Networks has shown to belong to Bulletproof hosting providers. Bulletproof hosting providers have no or very limited restrictions on content and don't log events. This makes Bulletproof sites ideal places from which to launch command-and-control (C2) attacks and illegal activity, because anything goes and nothing is tracked.
  Rule Highlights
  - One rule blocks outbound traffic to known Bulletproof hosting IP addresses, while another rule blocks inbound traffic from those addresses.
  - Set the external dynamic list Palo Alto Networks - Bulletproof IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
  - Deny traffic that matches these rules.
  - Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
  - Because these rules are intended to catch malicious traffic, they match traffic from any user running on any port.
- Block and log traffic to and from high-risk IP addresses from trusted threat advisories.
  Why do I need these rules?
  - Although Palo Alto Networks has no direct evidence of the maliciousness of the IP addresses in the high-risk IP address feed, threat advisories have linked them to malicious behavior.
  - Block and log the traffic as shown in this example.
  - If you must allow a high-risk IP address for business reasons, create a Security policy rule that allows only that IP address and place it in front of the high-risk IP address block rule in the rulebase. Closely monitor and log any high-risk IP addresses that you choose to allow.
  Rule Highlights
  - One rule logs blocked outbound traffic to high-risk IP addresses and another rule logs blocked inbound traffic from those addresses.
  - Set the external dynamic list Palo Alto Networks - High risk IP addresses as the Destination address for the outbound traffic rule and as the Source address for the inbound traffic rule.
  - If you allow the traffic, apply best practice Security profiles.
  - Because this rule is intended to block malicious traffic, it matches traffic to and from any user, running on any port, and for any application.
- (MineMeld users only) Block inbound traffic from IP addresses that trusted third-party feeds have identified as malicious.
  Why do I need this rule?
  - Block traffic from malicious IP addresses based on block lists compiled by Spamhaus and the Internet Storm Center, a branch of the SANS Institute. The lists contain IP addresses that attackers use to spread malware, Trojans, and botnets, and to carry out large-scale infrastructure attacks.
  Rule Highlights
  - To enforce this rule:
    - Use MineMeld to forward the IP addresses from the following sources (known as miners in MineMeld) to an external dynamic list: spamhaus.DROP, spamhaus.EDROP, and dshield.block.
    - Configure the firewall to access an External Dynamic List, using the URL that MineMeld provides for the list.
    - Set the external dynamic list as the Source address for the rule.
  - Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
  - Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
  - Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.
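The rule pairs above follow one pattern: the same external dynamic list is the Destination in the outbound rule and the Source in the inbound rule, both with any user, any application and any port, with logging on. The following Python script is an added example, not Palo Alto Networks code or tooling. It renders that pattern as PAN-OS "set" CLI lines and checks the ordering caveat for high-risk exceptions (an allow rule for a specific address must sit above the block rule, because the Security policy is evaluated top-down, first match wins). The EDL names are the built-in lists quoted above; the rule names, zones, the MineMeld list name and the exact "set" command layout are assumptions to verify against your PAN-OS release before use.

```python
"""Render the EDL block-rule pairs described above as PAN-OS 'set' CLI
commands, and check that an allow exception for a high-risk address sits
above the high-risk block rule. Added example, not Palo Alto Networks code.
EDL names are the built-in lists quoted on the page; rule names, zones, the
MineMeld list name and the exact 'set' command layout are assumptions."""

from dataclasses import dataclass, field

# Built-in external dynamic lists named on the page (Threat Prevention license).
EDL_KNOWN_MALICIOUS = "Palo Alto Networks - Known malicious IP addresses"
EDL_BULLETPROOF = "Palo Alto Networks - Bulletproof IP addresses"
EDL_HIGH_RISK = "Palo Alto Networks - High risk IP addresses"
# Hypothetical name for the EDL fed by the MineMeld spamhaus/dshield miners.
EDL_MINEMELD = "MineMeld - Spamhaus DROP EDROP DShield"


@dataclass
class Rule:
    name: str
    source: list
    destination: list
    action: str                       # "allow", "deny" or "drop"
    log_end: bool = True              # log at session end so you can investigate
    source_user: list = field(default_factory=lambda: ["any"])
    application: list = field(default_factory=lambda: ["any"])
    service: list = field(default_factory=lambda: ["any"])  # any port


def edl_block_pair(edl_name, short_name, action="deny"):
    """Outbound rule uses the EDL as Destination, inbound rule uses it as
    Source; both match any user, any application and any port."""
    outbound = Rule(f"Block-Outbound-{short_name}", ["any"], [edl_name], action)
    inbound = Rule(f"Block-Inbound-{short_name}", [edl_name], ["any"], action)
    return [outbound, inbound]


def build_rulebase():
    """The four rule groups from the page, in the page's order (assumed names)."""
    rules = edl_block_pair(EDL_KNOWN_MALICIOUS, "Known-Malicious")
    rules += edl_block_pair(EDL_BULLETPROOF, "Bulletproof")
    rules += edl_block_pair(EDL_HIGH_RISK, "High-Risk")
    # MineMeld rule: inbound only, silent drop rather than deny.
    rules.append(Rule("Drop-Inbound-MineMeld", [EDL_MINEMELD], ["any"], "drop"))
    return rules


def _members(values):
    """PAN-OS CLI member syntax: a single value, or [ a b ] for several;
    names containing spaces are quoted."""
    quoted = [f'"{v}"' if " " in v else v for v in values]
    return quoted[0] if len(quoted) == 1 else "[ " + " ".join(quoted) + " ]"


def to_set_command(rule, from_zone="any", to_zone="any"):
    """One 'set rulebase security rules' line per rule (layout assumed; check
    it against your PAN-OS release before pasting into configure mode)."""
    return (
        f'set rulebase security rules "{rule.name}" '
        f"from {from_zone} to {to_zone} "
        f"source {_members(rule.source)} destination {_members(rule.destination)} "
        f"source-user {_members(rule.source_user)} "
        f"application {_members(rule.application)} service {_members(rule.service)} "
        f"action {rule.action} log-end {'yes' if rule.log_end else 'no'}"
    )


def shadowed_exceptions(rulebase, edl_name):
    """Security policy is evaluated top-down, first match wins. An allow rule
    for a specific address placed below a block rule that uses the EDL in the
    same field can never match an address the feed contains. Return the
    names of allow rules in that position."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        if rule.action != "allow":
            continue
        for earlier in rulebase[:i]:
            if earlier.action == "allow":
                continue
            dst_hit = edl_name in earlier.destination and rule.destination != ["any"]
            src_hit = edl_name in earlier.source and rule.source != ["any"]
            if dst_hit or src_hit:
                shadowed.append(rule.name)
                break
    return shadowed


if __name__ == "__main__":
    rulebase = build_rulebase()
    # Constructed business exception: a partner address that the feed flags.
    exception = Rule("Allow-Partner-Portal", ["any"], ["203.0.113.10"], "allow")
    print("Shadowed if appended :", shadowed_exceptions(rulebase + [exception], EDL_HIGH_RISK))
    print("Shadowed if prepended:", shadowed_exceptions([exception] + rulebase, EDL_HIGH_RISK))
    for r in rulebase:
        print(to_set_command(r))
```

Running the script prints the seven generated "set" lines and shows that the same exception rule is reported as shadowed when appended after the high-risk pair and clean when placed before it, which is the ordering the page asks for. The shadowing check deliberately ignores exceptions whose address field is "any", since such a rule would not be a narrow exception but a hole in front of the block rules.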