How to Create Data Center Best Practice Security Profiles
Use Security Profiles to protect against vulnerabilities,
spyware, viruses, bad file types, and unknown threats.
Security profiles provide fundamental
protections by scanning traffic that you allow on the network for
threats. Security profiles provide a full suite of coordinated threat
prevention tools that block peer-to-peer command and control (C2)
application traffic, dangerous file types, attempts to exploit vulnerabilities,
and antivirus signatures, and also identify new and unknown malware.
It takes relatively little effort to apply security profiles
because Palo Alto Networks provides predefined profiles that you
can simply add to security policy allow rules. Customizing security
profiles is easy because you can clone a predefined profile and
then edit it. Of course, you can also create a security profile
from scratch on the firewall or on Panorama.
To detect known and unknown threats in your network traffic,
attach security profiles to all security policy rules that allow
traffic on the network, so that the firewall inspects all allowed
traffic. The firewall applies security profiles to traffic that
matches the security policy allow rule, scans traffic in accordance
with the security profile settings, and then takes appropriate actions
to protect the network. The recommendations for best practice security
profiles apply to all four of the data center traffic flows except
Download content updates automatically and install
them as soon as possible so that you have the latest threat prevention signatures
and content (antivirus, anti-spyware, vulnerabilities, malware,
etc.) on the firewall and block the latest threats.
You don’t need a URL Filtering subscription for data center
firewalls if there is no direct outbound connection to the internet.
Firewalls that don’t connect directly to the internet don’t need
the PAN-DB URL Filtering solution because it identifies internet
URLs, not private data center URLs, so importing the PAN-DB database
and checking URLs against it doesn’t apply to data center traffic.
If you’re not sure whether a firewall has URL traffic, get a trial URL
Filtering subscription and set the profile to alert on all URL categories
to identify any URL traffic. Otherwise, URL Filtering should take
place on firewalls at the network perimeter where user traffic enters
and exits the network, not at the data center perimeter. Consider
creating custom URL categories (
to identify and control access to internal data center web services.