How to Create Data Center Best Practice Security Profiles

Use Security Profiles to protect against vulnerabilities, spyware, viruses, bad file types, and unknown threats.
Security profiles provide fundamental protection by scanning the traffic you allow on the network for threats. Together they form a coordinated suite of threat prevention tools that block command and control (C2) traffic (including peer-to-peer C2), dangerous file types, attempts to exploit vulnerabilities, and known viruses, and that identify new and unknown malware.
It takes relatively little effort to apply security profiles because Palo Alto Networks provides predefined profiles that you can simply add to security policy allow rules. Customizing security profiles is easy because you can clone a predefined profile and then edit it. Of course, you can also create a security profile from scratch on the firewall or on Panorama.
To detect known and unknown threats in your network traffic, attach security profiles to all security policy rules that allow traffic on the network, so that the firewall inspects all allowed traffic. The firewall applies security profiles to traffic that matches the security policy allow rule, scans traffic in accordance with the security profile settings, and then takes appropriate actions to protect the network. The recommendations for best practice security profiles apply to all four of the data center traffic flows except as noted.
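One practical check for the rule above ("attach security profiles to all security policy rules that allow traffic") is to audit an exported configuration for allow rules that carry no profiles. The following script is an added example, not Palo Alto Networks code: it parses a PAN-OS running-config XML export (the sample below is constructed) and reports every enabled allow rule that has neither a Security Profile Group nor the individual profile types the page names (virus, spyware, vulnerability, file-blocking, wildfire-analysis). The element paths (`rulebase/security/rules/entry`, `profile-setting/group`, `profile-setting/profiles/<type>`, `<disabled>yes</disabled>`) are assumed to match the exported schema; verify them against your own export before relying on the result.

```python
"""Audit a PAN-OS security rulebase for allow rules with no Security Profiles.

Added example, not Palo Alto Networks code. Parses an exported running-config
XML (the sample below is constructed) and reports every enabled allow rule that
has neither a Security Profile Group nor the required individual profiles.
Element paths are an assumption about the exported schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one rule uses a profile group, one uses partial
# individual profiles, one has nothing, one is disabled, one is a deny rule.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="web-tier-to-app-tier">
        <action>allow</action>
        <profile-setting><group><member>best-practice-dc</member></group></profile-setting>
      </entry>
      <entry name="app-tier-to-db-tier">
        <action>allow</action>
        <profile-setting><profiles>
          <virus><member>default</member></virus>
          <spyware><member>strict</member></spyware>
          <vulnerability><member>strict</member></vulnerability>
        </profiles></profile-setting>
      </entry>
      <entry name="backup-to-storage">
        <action>allow</action>
      </entry>
      <entry name="legacy-allow-disabled">
        <action>allow</action>
        <disabled>yes</disabled>
      </entry>
      <entry name="deny-all-other">
        <action>deny</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Profile types that can appear under profile-setting/profiles (assumed names).
PROFILE_TYPES = ("virus", "spyware", "vulnerability", "file-blocking",
                 "wildfire-analysis", "url-filtering", "data-filtering")

# Minimum set for data center allow rules, following the page: viruses, spyware,
# vulnerabilities, bad file types, unknown threats. URL filtering is deliberately
# not required here because the page says it does not apply to DC traffic.
REQUIRED = {"virus", "spyware", "vulnerability", "file-blocking", "wildfire-analysis"}


def rule_profiles(rule):
    """Return (profile group name or None, set of individual profile types set)."""
    group = rule.findtext("profile-setting/group/member")
    profiles = {t for t in PROFILE_TYPES
                if rule.find(f"profile-setting/profiles/{t}/member") is not None}
    return group, profiles


def audit(config_xml):
    """Return [(rule_name, [missing profile types])] for enabled allow rules
    that have no profile group and lack one or more REQUIRED profile types."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        name = rule.get("name")
        if rule.findtext("action") != "allow":
            continue  # deny/drop rules need no profiles
        if rule.findtext("disabled") == "yes":
            continue  # disabled rules do not match traffic (re-audit if re-enabled)
        group, profiles = rule_profiles(rule)
        if group:
            continue  # a profile group is the recommended way to attach profiles
        missing = REQUIRED - profiles
        if missing:
            findings.append((name, sorted(missing)))
    return findings


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CONFIG):
        print(f"allow rule '{name}' is missing profiles: {', '.join(missing)}")
```

Run it against your own export (for example the output of `show config running` saved as XML) instead of the constructed sample. A rule that references a profile group is accepted without inspecting the group's contents, so pair this with a review of the group itself; disabled rules are skipped, so re-run the audit whenever a rule is re-enabled.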
Update threat content as often as possible without disrupting operations, so that the firewall has the latest threat prevention signatures and content (antivirus, anti-spyware, vulnerability, malware, and so on) and blocks the latest threats. App-ID content updates are the exception that may need staging: you can review new and modified App-IDs and, if necessary, delay installing an App-ID content update until you have tested whether the new or modified App-IDs break any existing applications.
You don’t need a URL Filtering subscription for data center firewalls that have no direct outbound connection to the internet. The PAN-DB URL Filtering database categorizes internet URLs, not private data center URLs, so importing PAN-DB and checking data center traffic against it adds nothing. If you’re not sure whether a firewall sees web (URL) traffic, get a trial URL Filtering subscription and set the profile to alert on all URL categories; the resulting URL Filtering logs show whether any such traffic exists. Otherwise, URL Filtering belongs on the firewalls at the network perimeter where user traffic enters and exits the network, not at the data center perimeter. To identify and control access to internal data center web services, consider creating custom URL categories (Objects > Custom Objects > URL Category) instead.
