>
    Strata Copilot
    Cloud NGFW for AWS Security Profiles
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Cloud NGFW for AWS Administration
    4. Protect
    5. Cloud NGFW Native Policy Management
    6. Cloud NGFW for AWS Security Profiles
    Download PDF
    Cloud NGFW for AWS

    Cloud NGFW for AWS Security Profiles

    Table of Contents

    Cloud NGFW for AWS Security Profiles

    Learn about the Security Profiles used by Cloud NGFW for AWS.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Account (CSP)
    • AWS Marketplace account
    • User role (either tenant or administrator)
    Cloud NGFW uses your rulestack definitions to protect your VPC traffic by a two-step process. First, it enforces your rules to allow or deny your traffic. Second, it performs content inspection on the allowed traffic (URLs, threats, files) based on what you specify on the Security Profiles. Additionally, it helps you define how Cloud NGFW should scan the allowed traffic and block threats such as malware, malware, spyware, and DDoS attacks.

    IPS and Spyware Threat Protection

    • IPS Vulnerability—(enabled by default and preconfigured based on best practices) an intrusion prevention system (IPS) vulnerability profile stop attempts to exploit system flaws or gain unauthorized access to systems. While antispyware profiles help identify infected hosts as traffic leaves the network, IPS Vulnerability profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats.
      The following table describes the default best practice IPS Vulnerability configuration.
      Signature Severity
      Action
      Critical
      Reset Both
      High
      Reset Both
      Medium
      Reset Both
      Informational
      Default
      Low
      Default
    • Antispyware—(enabled by default and preconfigured based on best practices) an antispyware profile blocks spyware on compromised hosts from trying to phone-home or beacon out to external command and control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients.
      The following table describes the default best practice antispyware configuration.
      Signature Severity
      Action
      Critical
      Reset Both
      High
      Reset Both
      Medium
      Reset Both
      Informational
      Default
      Low
      Default
    The following table lists all possible signatures for the Vulnerability and spyware categories. These signatures are continuously updated on your NGFWs.
    Threat Category
    Description
    Vulnerability signatures
    Brute-force
    A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server.
    code execution
    Detects a code execution vulnerability that an attacker can use to run code on a system with the privileges of the logged-in user.
    code-obfuscation
    Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it's not apparent what commands the code is executing or with which programs it's designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate the code to protect privacy, intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage.
    DoS
    Detects a denial-of-service attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access.
    exploit-kit
    Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many Common Vulnerabilities and Exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, and not the CVEs.
    When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim’s computer.
    info-leak
    Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak might exist because comprehensive checks don't exist to guard the data, and attackers can exploit info-leaks by sending crafted requests.
    insecure-credentials
    Detects the use of weak, compromised, and manufacturer default passwords for software, network appliances, and IoT devices.
    Overflow
    Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server, or operating system.
    phishing
    Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.
    protocol-anomaly
    Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, a poorly written application, or an application running on a nonstandard port would all be considered protocol anomalies, and could be used as evasion tools.
    sql-injection
    Detects a common hacking technique where an attacker inserts SQL queries into an application’s requests, to read from or modify a database. This type of technique is often used on websites that don't comprehensively sanitize user input.
    Spyware signatures
    Spyware
    Detect outbound C2 communication. These signatures are either autogenerated or are manually created by Palo Alto Networks researchers.
    Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly.
    adware
    Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages-these links redirect users to advertising websites. Adware can also retrieve updates from a command and control (C2) server and install those updates in a browser or onto a client system.
    autogen
    These payload-based signatures detect command and control (C2) traffic and are autogenerated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly.
    Backdoor
    Detects a program that allows an attacker to gain unauthorized remote access to a system.
    Botnet
    Indicates botnet activity. A botnet is a network of malware-infected computers (“bots”) that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (like launching a DoS attack, for example).
    browser-hijack
    Detects a plugin or software that’s modifying browser settings. A browser hijacker might take over auto search or track users’ web activity and send this information to a C2 server.
    cryptominer
    (Sometimes known as cryptojacking or miners) Detects the download attempt or network traffic generated from malicious programs designed to use computing resources to mine cryptocurrencies without the user's knowledge. Cryptominer binaries are frequently delivered by a shell script downloader that attempts to determine system architecture and kill other miner processes on the system. Some miners execute within other processes, such as a web browser rendering a malicious webpage.
    data-theft
    Detects a system sending information to a known C2 server.
    DNS
    Detects DNS requests to connect to malicious domains.
    downloader
    (Also known as droppers, stagers, or loaders) Detects programs that use an internet connection to connect to a remote server to download and execute malware on the compromised system. The most common use case is for a downloader to be deployed as the culmination of stage one of a cyberattack, where the downloader’s fetched payload execution is considered the second stage. Shell scripts (Bash, PowerShell, etc.), trojans, and malicious lure documents (also known as mallocs) such as PDFs and Word files are common downloader types.
    fraud
    (Including formjacking, phishing, and scams) Detects access to compromised websites that have been determined to be injected with malicious JavaScript code to collect sensitive user information. (For example, Name, address, email, credit card number, CVV, expiration date) from payment forms that are captured on the checkout pages of e-commerce websites.
    hacktool
    Detects traffic generated by software tools that are used by malicious actors to conduct reconnaissance, attack or gain access to vulnerable systems, exfiltrate data, or create a command and control channel to surreptitiously control a computer system without authorization. These programs are associated with malware and cyberattacks. Hacking tools might be deployed in a benign manner when used in Red and Blue Team operations, penetration tests, and R&D. The use or possession of these tools may be illegal in some countries, regardless of intent.
    networm
    Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems.
    phishing-kit
    Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.
    postexploitation
    Detects activity that indicates the postexploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system, and the system’s usefulness in further compromising the network.
    Webshell
    Detects web shells and web shell traffic, including implant detection and command and control interaction. A malicious actor implants a web shell onto the compromised host, most often targeting a web server or framework. Subsequent communication with the web shell file frequently enables a malicious actor to establish a foothold in the system, conduct service and network enumeration, data exfiltration, and remote code execution in the context of the web server user. The most common web shell types are PHP, .NET, and Perl markup scripts. Attackers can also use web shell-infected web servers (the web servers can be both internet-facing or internal systems) to target other internal systems.
    keylogger
    Detects programs that allow attackers to secretly track user activity, by logging keystrokes and capturing screenshots.
    Key loggers use various C2 methods to periodically send logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access.

    Malware and File-based Threat Protection

    • Antivirus—(enabled by default and preconfigured based on best practices) antivirus profiles protect against malware, worms, and Trojans as well as spyware downloads. Using a stream-based malware prevention engine, which inspects traffic the moment the first packet is received, the Palo Alto Networks antivirus solution can provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a wide variety of malware in executables, PDF files, HTML and JavaScript malware, including support for scanning inside compressed files and data encoding schemes.
      The following table describes the default best practice antivirus configuration.
      Protocol
      Action
      FTP
      Reset Both
      HTTP
      Reset Both
      HTTP2
      Reset Both
      IMAP
      Reset Both
      POP3
      Alert
      SMB
      Reset Both
      SMTP
      Reset Both
    • File blocking—a file blocking profile allows you to identify specific file types that you want to block or monitor. The firewall uses file blocking profiles to block specific file types over specified applications and in the specified session flow direction (inbound/outbound/both). You can set the profile to alert or block on upload and/or download and you can specify which applications will be subject to the file blocking profile.
      • Alert—when the specified file type is detected, a log is generated in the data filtering log.
      • Block—when the specified file type is detected, the file is blocked. A log is also generated in the data filtering log. For information about changing your file blocking profile, see Setup File Blocking.
      The following table describes the default best practice file blocking configuration.
      File Types
      Application
      Direction
      Action
      All risky file types:
      • 7z
      • bat
      • cab
      • chm
      • class
      • CPL
      • DLL
      • exe
      • flash
      • hip
      • hta
      • msi
      • Multi-Level-Encoding
      • ocx
      • PE
      • pif
      • rar
      • scr
      • tar
      • torrent
      • vbe
      • wsf
      • encrypted-rar
      • encrypted-zip
      Any
      Both (upload and download)
      Block
      All remaining file types
      Any
      Both (upload and download)
      Alert
    The following table lists all possible signatures for the Antivirus category. These signatures are continuously updated on your NGFWs.
    Threat Category
    Description
    Antivirus signatures
    APK
    Malicious Android Application (APK) files.
    Mac OS X
    Malicious Mac OS X files, including:
    • Apple disk image (DMG) files.
    • Mach object files (Mach-O) are executables, libraries, and object code.
    • Apple software installer packages (PKGs)
    flash
    Adobe Flash applets and Flash content embedded in webpages.
    jar
    Java applets (JAR/class file types).
    ms-office
    Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX). This also includes Office Open XML (OOXML) 2007+ documents.
    pdf
    Portable Document Format (PDF) files.
    PE
    Portable Executable (PE) files can automatically execute on a Microsoft Windows system and should only be allowed when authorized. These files types include:
    • Object code.
    • Fonts (FONs).
    • System files (SYS).
    • Driver files (DRV).
    • Windows control panel items (CPLs).
    • DLLs (dynamic-link libraries).
    • OCXs (libraries for OLE custom controls, or ActiveX controls).
    • Windows screensaver files (SCRs).
    • Extensible Firmware Interface (EFI) files, which run between an OS and firmware to facilitate device updates and boot operations.
    • Program information files (PIFs).
    linux
    Executable and Linkable Format (ELF) files.
    archive
    Roshal Archive (RAR) and 7-Zip (7z) archive files.

    Web-based Threat Protection

    • URL categories and Filtering—URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites. URL Filtering profile isn't enabled by default. When you enable URL Filtering profile in your rulestack, Cloud NGFW enforces the best practices URL Filtering profile on your traffic. You have an option to modify the default access option on each of the categories, based on your needs
      The following table describes the default best practice URL filtering configuration.
      URL Categories
      Site Access
      Credential Submissions
      Malicious and exploitative categories:
      • adult
      • Command and control
      • copyright-infringement
      • Dynamic DNS
      • extremism
      • Malware
      • parked
      • phishing
      • proxy-avoidance-and-anonymizers
      • unknown
      Block
      Block
      All other URL categories
      Alert
      Alert

    Encrypted Threat Protection

    • Outbound decryption—an Outbound decryption profile enables you to specify traffic to decrypt by destination, source, service, or URL category, and to block, restrict, or forward the specified traffic according to the security settings in the associated decryption profile. An Outbound decryption profile controls SSL protocols, certificate verification, and failure checks to prevent traffic that uses weak algorithms or unsupported modes from accessing the network. Cloud NGFW resources use certificates to decrypt traffic to plaintext. Then it enforces App-ID and Security Profiles on the plaintext traffic, including decryption, Antivirus, Vulnerability, antispyware, URL Filtering, and file blocking profiles. After decrypting and inspecting traffic, the firewall reencrypts the plaintext traffic as it exits the firewall to ensure privacy and security.

    © 2026 Palo Alto Networks, Inc. All rights reserved.