Security Settings
Review and configure the security settings available in PAN-OS 12.1 and
later.
PAN-OS 12.1 Orion includes several enhancements and new features that improve
the security of PAN-OS against attacks on the platform. Most of these features are
implemented behind the scenes as part of the platform’s built-in protections. These
features are designed to prevent successful exploits, reduce the impact of exploits,
detect attempted exploits, and enable a response to attacks on PAN-OS. The
features described here either have configurable settings or generate
logs that provide more information on PAN-OS security.
Integrity Measurement Architecture (IMA) runs in enforcement mode by default,
and only allows execution of binaries and programs cryptographically signed by Palo Alto
Networks. This prevents the execution of malware that might be dropped by an attacker
and blocks attempts to modify existing PAN-OS binaries, effectively extending secure
boot into the run-time environment. You can monitor IMA violations through system logs
using the CLI or the web interface. When IMA detects an attempted violation, it logs a
critical-severity system log that you can use for investigation.
When IMA detects violations or attempted violations, PAN-OS can be configured
to either continue running (collect logs and alerts for investigation), which is the
default, or reboot to maintenance mode to disrupt the attacker and facilitate a more
thorough investigation.
Software integrity checks run at boot time and then daily at a set time. You
can now schedule the checks to run at a different time to better accommodate your
requirements.