Create Best Practice Security Profiles for the Internet Gateway

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely enable applications you must scan all traffic allowed into the network for threats. To do this, attach security profiles to all Security policy rules that allow traffic so that you can detect threats—both known and unknown—in your network traffic. The following are the recommended best practice settings for each of the security profiles that you should attach to every Security policy rule on your internet gateway policy rulebase.
Consider adding the best practice security profiles to a default security profile group so that it will automatically attach to any new Security policy rules you create.

Best Practice Internet Gateway File Blocking Profile

Use these File Blocking settings as a best practice at your internet gateway.
Use the predefined strict file blocking profile to block files that are commonly included in malware attack campaigns and that have no real use case for upload/download. Blocking these files reduces the attack surface. The predefined strict profile blocks batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), BitTorrent files, .rar files, .tar files, encrypted-rar and encrypted-zip files, multi-level encoded files (files encoded or compressed up to four times), .hta files, and Windows Portable Executable (PE) files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. The predefined strict profile alerts on all other file types for visibility into other file transfers so that you can determine if you need to make policy changes.
In some cases, the need to support critical applications may prevent you from blocking all of the strict profile’s file types. Follow the Transition File Blocking Profiles Safely to Best Practices advice to help determine whether you need to make exceptions in different areas of the network. Review the data filtering logs (MonitorLogsData Filtering) to identify file types and talk with business stakeholders about the file types their applications require. Based on this information, if necessary, clone the strict profile and modify it as needed to allow only the other file type(s) that you need to support the critical applications. You can also use the Direction setting to restrict files types from flowing in both directions or block files in one direction but not in the other direction.
bp-file-blocking-profiles.png

Why do I need this profile?

There are many ways for attackers to deliver malicious files: as attachments or links in corporate email or in webmail, links or IMs in social media, Exploit Kits, through file sharing applications (such as FTP, Google Drive, or Dropbox), or on USB drives. Attaching the strict file blocking profile reduces your attack surface by preventing these types of attacks.

What if I can’t block all of the file types covered in the predefined strict profile?

If you have mission-critical applications that prevent you from blocking all of the file types included in the predefined strict profile, you can clone the profile and modify it for those users who must transfer a file type covered by the predefined profile. If you choose not to block all PE files per the recommendation, make sure you send all unknown files to WildFire for analysis. Additionally, set the Action to continue to prevent drive-by downloads, which is when an end user downloads content that installs malicious files, such as Java applets or executables, without knowing they are doing it. Drive-by downloads can occur when users visit web sites, view email messages, or click into pop-up windows meant to deceive them. Educate your users that if they are prompted to continue with a file transfer they didn’t knowingly initiate, they may be subject to a malicious download. In addition, using file blocking in conjunction with URL filtering to limit the categories in which users can transfer files is another good way to reduce the attack surface when you find it necessary to allow file types that may carry threats.

Best Practice Internet Gateway Antivirus Profile

Use these Antivirus security profiles settings as a best practice at your internet gateway.
Clone the default Antivirus profile and edit it. To ensure availability for business-critical applications, follow the Transition Antivirus Profiles Safely to Best Practices advice as you move from your current state to the best practice profile. To achieve the best practice profile, modify the default profile as shown here and attach it to all security policy rules that allow traffic. The Antivirus profile has decoders that detect and prevent viruses and malware from being transferred over six protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB. You can set WildFire actions for all six protocols because the Antivirus profile also enforces actions based on WildFire signatures.
Configure the cloned best practice Antivirus profile to reset both the client and the server for all six protocol decoders and WildFire actions, and then attach the profile to the Security policy allow rules.
antivirus-profile-best-practice.png

Why do I need this profile?

By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware bots, and viruses) as they are coming into the network. Common ways for users to receive malicious files include malicious attachments in email, links to download malicious files, or silent compromise facilitated by Exploit Kits that exploit a vulnerability and then automatically download malicious payloads to the end user’s device.

Best Practice Internet Gateway Vulnerability Protection Profile

Use these Vulnerability Protection security profile settings as a best practice at your internet gateway.
Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. Clone the predefined strict Vulnerability Protection profile. To ensure availability for business-critical applications, follow the Transition Vulnerability Protection Profiles Safely to Best Practices advice as you move from your current state to the best practice profile. For the best practice profile, for each rule except simple-client-informational and simple-server-informational, double-click the Rule Name and change Packet Capture from disable to single-packet to enable packet capture (PCAP) for each rule so you can track down the source of potential attacks. Don’t change the rest of the settings. Download content updates automatically and install them as soon as possible so that the signature set is always up-to-date.
vuln-protection-profile-bp-pcap.png

Why do I need this profile?

Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities to compromise end-users. For example, an attacker could leverage a vulnerability to install malicious code on client systems or use an Exploit Kit (Angler, Nuclear, Fiesta, KaiXin) to automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.
Don’t enable PCAP for informational activity because it generates a relatively high volume of that traffic and it’s not particularly useful compared to potential threats. Apply extended PCAP (as opposed to single PCAP) to high-value traffic to which you apply the alert Action. Apply PCAP using the same logic you use to decide what traffic to log—take PCAPs of the traffic you log. Apply single PCAP to traffic you block. The default number of packets that extended PCAP records and sends to the management plane is five packets, which is the recommended value. In most cases, capturing five packets provides enough information to analyze the threat. If too much PCAP traffic is sent to the management plane, then capturing more than five packets may result in dropping PCAPs.

Best Practice Internet Gateway Anti-Spyware Profile

Use these Anti-Spyware security profile settings as a best practice at your internet gateway.
Attach an Anti-Spyware profile to all allowed traffic to detect command and control traffic (C2) initiated from malicious code running on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network. Clone the predefined strict Anti-Spyware profile and edit it. To ensure availability for business-critical applications, follow the Transition Anti-Spyware Profiles Safely to Best Practices advice as you move from your current state to the best practice profile. Edit the profile to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain. The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats.
anti-spyware-profile-bp-pcap.png
Don’t enable PCAP for informational activity because it generates a relatively high volume of that traffic and it’s not particularly useful compared to potential threats. Apply extended PCAP (as opposed to single PCAP) to high-value traffic to which you apply the alert Action. Apply PCAP using the same logic you use to decide what traffic to log—take PCAPs of the traffic you log. Apply single PCAP to traffic you block. The default number of packets that extended PCAP records and sends to the management plane is five packets, which is the recommended value. In most cases, capturing five packets provides enough information to analyze the threat. If too much PCAP traffic is sent to the management plane, then capturing more than five packets may result in dropping PCAPs.
The best practice Action on DNS Queries is to block or to sinkhole DNS queries for known malicious domains. It is also a best practice to enable PCAPs.
Enabling DNS sinkhole identifies potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains. Enable DNS sinkhole when the firewall can’t see the originator of the DNS query (typically when the firewall is north of the local DNS server) so that you can identify infected hosts. Don’t enable DNS sinkhole when the firewall can see the originator of the DNS query (typically when the firewall is south of the local DNS server; in this case, the firewall’s blocking rules and logs provide visibility into the traffic) or on traffic you block.
as-bp-2.png

Best Practice Internet Gateway URL Filtering Profile

Use these URL Filtering security profile settings as a best practice at your internet gateway.
As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high-risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content.
To ensure availability for business-critical applications, follow the Transition URL Filtering Profiles Safely to Best Practices advice as you move from your current state to the best practice profile. The best practice URL Filtering profile sets all known dangerous URL categories to block. These include command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, newly-registered-domain, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
If you have a business purpose for a dynamic DNS domain, then make sure you whitelist those URLs in your URL Filtering profile.
In addition to blocking known bad categories, you should also alert on all other categories so that you have visibility into the sites your users are visiting. If you need to phase in a block policy, set categories to continue and create a custom response page to educate users about your acceptable use policies and alert them to the fact that they are visiting a site that may pose a threat. This paves the way for you to outright block the categories after a monitoring period.
url-bp-igw-kiev-with-newly-registered-domain.png

What if I can’t block all of the recommended categories?

If you find that users need access to sites in the blocked categories, consider creating an allow list for just the specific sites, if you feel the risk is justified. Be aware of local laws and regulations that govern the types of sites you can block, can’t block, and must block. On categories you decide to allow, make sure you set up credential phishing prevention to ensure that users aren’t submitting their corporate credentials to a site that may be hosting a phishing attack.
Allowing traffic to a recommended block category poses the following risks:
  • malware—Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
  • phishing—Known to host credential phishing pages or phishing for personal identification.
  • dynamic-dns—Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
  • unknown—Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
    PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
  • newly-registered-domains—Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
  • command-and-control—Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
  • copyright-infringement—Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
  • extremism—Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
  • proxy-avoidance-and-anonymizers—URLs and services often used to bypass content filtering products.
  • parked—Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
The default URL Filtering profile blocks the malware, phishing, and command-and-control URL categories, but not the rest of the categories recommended to block. The default URL Filtering profile also blocks the abused-drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block these URL categories depends on your business requirements. For example, a university probably won’t want to restrict student access to most of these sites because availability is important, but a business that values security first may block some or all of them.

Best Practice Internet Gateway WildFire Analysis Profile

Use these WildFire Analysis security profile settings as a best practice at your internet gateway.
While the rest of the best practice security profiles significantly reduce the attack surface on your network by detecting and blocking known threats, the threat landscape is ever changing and the risk of unknown threats lurking in the files we use daily—PDFs, Microsoft Office documents (.doc and .xls files)—is ever growing. And, because these unknown threats are increasingly sophisticated and targeted, they often go undetected until long after a successful attack. To protect your network from unknown threats, you must configure the firewall to forward files to WildFire for analysis. Without this protection, attackers have free reign to infiltrate your network and exploit vulnerabilities in the applications your employees use everyday. Because WildFire protects against unknown threats, it is your greatest defense against advanced persistent threats (APTs).
Set up WildFire appliance content updates to download and install automatically every minute so that you always have the most recent support. For example, support for Linux and SMB files were first delivered in WildFire appliance content updates.
The best practice WildFire Analysis profile sends all files in both directions (upload and download) to WildFire for analysis. Specifically, make sure you are sending all PE files (if you’re not blocking them per the file blocking best practice), Adobe Flash and Reader files (PDF, SWF), Microsoft Office files (PowerPoint, Excel, Word, RTF), Java files (Java, .CLASS), and Android files (.APK).
wf-bp.png
Set up alerts for malware through email, SNMP, or a syslog server so that the firewall immediately notifies you when it encounters a potential issue. The faster you isolate a compromised host, the lower the chance that the previously unknown malware has spread to other data center devices, and the easier it is to remediate the issue.
If necessary, you can restrict the applications and file types sent for analysis based on the traffic’s direction.
WildFire Action settings in the Antivirus profile may impact traffic if the traffic generates a WildFire signature that results in a reset or a drop action. You can exclude internal traffic such as software distribution applications through which you deploy custom-built programs to transition safely to best practices, because WildFire may identify custom-built programs as malicious and generate a signature for them. Check MonitorLogsWildFire Submissions to see if any internal custom-built programs trigger WildFire signatures.

Related Documentation