Cloud NGFW Native Policy Management
Learn about Cloud NGFW for AWS native policy management.
Where Can I Use This?

What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Account (CSP)
- AWS Marketplace account
- User role (either tenant or administrator)
On Cloud NGFW, you define Security policy rules and group those rules together in a
rulestack.
While Security policy rules enable you to allow or block traffic on your
network, Security Profiles help you define an allow-but-scan rule,
which scans allowed applications for threats, such as malware, spyware, and DDoS
attacks. When traffic matches the allow rule defined in the Security
policy rule, the Security Profiles attached to the rule are applied for further content
inspection, such as antivirus checks and data filtering.
Security Profiles are not used in the match criteria of a traffic flow. The
Security Profile is applied to scan traffic after the Security policy rule allows the
application or category.
The firewall provides default Security Profiles that you can use out of the box
to begin protecting your network from threats. See
Set Up a Basic Security Policy for information
on using the default profiles in your Security policy rule.
You can add Security Profiles that are commonly applied together to a
Security Profile Group (see Create a Security Profile Group); this set of
profiles is treated as a unit and added to Security policy rules in one step (or
included in Security policy rules by default, if you choose to set up a default Security
Profile Group).
Security Profiles provide fundamental
protections by scanning traffic that you allow on the network for threats. They
provide a full suite of coordinated threat prevention tools that block
peer-to-peer command and control (C2) application traffic, dangerous file types,
attempts to exploit vulnerabilities, and content that matches antivirus signatures, and
that also identify new and unknown malware.
It takes relatively little effort to apply Security Profiles because Palo Alto
Networks provides predefined profiles that you can simply add to Security policy allow
rules. Customizing Security Profiles is easy because you can clone a predefined profile
and then edit it. You can also create a Security Profile from scratch on the firewall or
on Panorama.
To detect known and unknown threats in your network traffic, attach Security
Profiles to all Security policy rules that allow traffic on the network, so that the
firewall inspects all allowed traffic. The firewall applies Security Profiles to traffic
that matches the Security policy allow rule, scans traffic in accordance with the
Security Profile settings, and then takes appropriate actions to protect the network.
The recommendations for best practice Security Profiles apply to all four of the data
center traffic flows except as noted.
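The following added example (not Palo Alto Networks code) models the two points above: profiles take no part in rule matching, and every allow rule should carry profiles. The rule fields, the required-profile baseline, and the implicit deny are assumptions made for illustration, not the Cloud NGFW API or export format.

```python
# Added illustration: rule and profile field names are hypothetical,
# not the Cloud NGFW API or a rulestack export format.
from dataclasses import dataclass, field

# Assumed baseline of profile types every allow rule should carry.
REQUIRED_PROFILES = {"antivirus", "antispyware", "vulnerability"}

@dataclass
class Rule:
    name: str
    app: str       # application to match, or "any"
    action: str    # "allow" or "deny"
    profiles: set = field(default_factory=set)

def evaluate(rules, app):
    """First matching rule decides; profiles play no part in the match."""
    for rule in rules:
        if rule.app in ("any", app):
            # Profiles are applied only after an allow decision.
            scanned = sorted(rule.profiles) if rule.action == "allow" else []
            return rule.name, rule.action, scanned
    return None, "deny", []  # assumed implicit deny when nothing matches

def audit(rules):
    """Return {rule name: missing profile types} for allow rules."""
    gaps = {}
    for rule in rules:
        if rule.action == "allow":
            missing = REQUIRED_PROFILES - rule.profiles
            if missing:
                gaps[rule.name] = sorted(missing)
    return gaps

# Constructed sample rulestack.
RULESTACK = [
    Rule("allow-web", "web-browsing", "allow",
         {"antivirus", "antispyware", "vulnerability"}),
    Rule("allow-dns", "dns", "allow", {"antispyware"}),
    Rule("allow-ssh", "ssh", "allow"),
    Rule("deny-rest", "any", "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULESTACK, "dns"))
    for name, missing in audit(RULESTACK).items():
        print(f"{name}: missing {', '.join(missing)}")
```

In this sample, `allow-ssh` passes traffic with no inspection at all, which is the gap the audit surfaces.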
Download content updates automatically and install
them as soon as possible so that you have the latest threat prevention signatures
and content (antivirus, antispyware, vulnerabilities, malware, etc.) on the firewall
and can block the latest threats.