Configure an Anti-Spyware Profile (Strata Cloud Manager)

1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesAnti-Spyware.
2. Add Profile.
3. Configure the settings in this table:

   Anti-Spyware Profile Settings	Description
   Name	Enter a profile name (up to 31 characters). This name appears in the list of Anti-Spyware profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
   Description	Enter a description for the profile (up to 255 characters).
   Anti-Spyware Rules Anti-Spyware rules allow you to define a custom severity and action to take on any threat, a specific threat name that contains the text that you enter, and/or by a threat category, such as adware. Add Rule, or select an existing rule and select Find Matching Signatures to filter threat signatures based on that rule.
   Rule Name	Specify the rule name.
   Threat Name	Enter any to match all signatures, or enter text to match any signature containing the entered text as part of the signature name.
   Category	Choose a category, or choose any to match all categories.
   Action	Choose an action for each threat. The Default action is based on the predefined action that is part of each signature provided by Palo Alto Networks.
   Packet Capture	Select this option if you want to capture identified packets. Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context about the threat when analyzing the Threat logs. If the action for a given threat is allow, your configuration does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action. Enable extended-capture for critical, high, and medium-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable extended-capture for informational and low-severity events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.
   Severity	Choose a severity level (critical, high, medium, low, or informational).
   Overrides Allows you to change the action for a specific signature. For example, you can generate alerts for a specific set of signatures and block all packets that match all other signatures. Threat exceptions are usually configured when false-positives occur. Ensure that you obtain the latest content updates so that you're protected against new threats and have new signatures for any false-positives.
   Overrides	Add Override and Enable each threat for which you want to assign an action or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections. Click into the IP Address section to Add (+) IP address filters to a threat exception. If IP addresses are added to a threat exception, the threat exception action for that signature overrides the action for a rule only when the signature is triggered by a session with a source or destination IP address that matches an IP address in the exception. You can add up to 100 IP addresses per signature. With this option, you don't have to create a new security rule and a new vulnerability profile to create an exception for a specific IP address. Create an exception only if you're sure that a signature identified as spyware isn't a threat (it's a false positive). If you believe you discovered a false positive, open a support case with TAC so Palo Alto Networks can analyze and fix the incorrectly identified signature. As soon as the issue is resolved, remove the exception from the profile.
   Inline Cloud Analysis Tab Inline Cloud Analysis allows you to enable and configure the settings for real-time analysis of advanced C2 threats on a per detection engine basis.
   Enable cloud inline analysis—Enables real-time analysis of advanced C2 threats across all available deep inline cloud analysis engines.
   Available Analysis Engines	For each available analysis engine representing a threat category, you can select one of the following actions that you want your configuration to enforce when a corresponding threat is detected: Allow—The website is allowed and no log entry is generated. Alert—The website is allowed and a log entry is generated in the URL filtering log. Drop—Drops the traffic. A reset action isn't sent to the host/application. Reset-Client—Resets the client-side connection. Reset-Server—Resets the server-side connection. Reset-Both—Resets the connection on both client and server ends. The default action for all analysis engines is alert.
   Exceptions	Allows you to select a URL or IP address exception list that bypasses the inline cloud analysis engines. Exceptions can be specified using URLs and/or IP addresses. URL exceptions include an EDL (external dynamic list) or a custom URL category, while IP address exceptions include an EDL or an Address object. Click Add to view and select from the available options. You can select the following list types: EDL URL—External Dynamic Lists containing a series of URLs or a custom URL category. IP Address—IP address lists defined in an External Dynamic List or within an Address object. Only create IP address and URL exceptions when the identified threats don't pose a danger, such as in the case of a false-positive.

4. Save your configuration.

   An Anti-Spyware profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate an Anti-Spyware profile (and any Security profile).