High-Impact, Easy Things You Must Do Now

File Blocking Profiles


Use the predefined strict file blocking profile to block files that are commonly included in malware attack campaigns or that have no real use case for upload/download.

Anti-Virus Profiles


Attach an Antivirus profile to all allowed traffic to detect and prevent viruses and malware from being transferred over the HTTP, SMTP, IMAP, POP3, FTP, and SMB protocols.

Vulnerability Protection Profiles


Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities.

Anti-Spyware Profiles


Attach an Anti-Spyware profile to all allowed traffic to detect command and control traffic (C2) initiated from spyware installed on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network.

Got Time, Do These Recommended Steps Next

Prevent Credential Phishing


Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user information, especially the credentials that provide access to your network. When a phishing email enters a network, it takes just a single user to click the link and enter credentials to set a breach into motion. You can detect and prevent in-progress phishing attacks, thereby preventing credential theft, by controlling sites to which users can submit corporate credentials based on the site’s URL category. This allows you to block users from submitting credentials to untrusted sites while allowing users to continue to submit credentials to corporate and sanctioned sites.

Extremely Important, Requires Planning

Application Whitelist Example


Keep in mind that you do not need to capture every application that might be in use on your network in your initial inventory. Instead you should focus on the applications (and general types of applications) that you want to allow. Temporary rules in the best practice rulebase will catch any additional applications that may be in use on your network so that you are not inundated with complaints of broken applications during your transition to application-based policy.

Decryption Best Practices


This document is a streamlined checklist of pre-deployment, deployment, and post-deployment best practices that you can follow to implement decryption. Each section includes links to detailed information in the PAN-OS 8.0 Admin Guide, including how to configure Decryption policy rules and profiles.

How to Block Tor (The Onion Router)


The Tor network (The Onion Router) disguises user identity by moving their data across different Tor servers and encrypting that traffic so it isn't traced back to the user. Anyone who tries to trace it would see traffic coming from random nodes on the Tor network rather than from the user's computer. Using the recommended configurations on the Palo Alto Networks Next-Generation Firewall, you can block Tor application traffic on your network.

Enable O365


In the week of August 29th, 2016 Palo Alto Networks released changes to App-ID for Microsoft® Office 365™. To allow our customers to prepare for this change and avoid any problems, Palo Alto Networks is releasing the following placeholder App-IDs and decode contexts as part of Application and Threat Update version 597. To ensure that existing Office 365 policies continue to work after the week of August 29th, 2016 we strongly encourage customers to read and fully understand this document.