Security Settings
    Review and configure the security settings available in PAN-OS 12.1 and
        later.
    
  
    
  
| Where Can I Use This? | What Do I Need? | 
|---|
    
  
 
  
PAN-OS 12.1 Orion includes several enhancements and new features that improve
            the security of PAN-OS against attacks on the platform. A majority of these features are
            implemented behind the scenes as part of the platform’s built-in protections. These
            features are designed to prevent successful exploits, reduce the impact of exploits,
            detect attempted exploits, and enable the ability to respond to attacks on PAN-OS. The
            features described here either have settings that can be configured or that generate
            logs to provide more information on PAN-OS security. 
Integrity Measurement Architecture (IMA) runs in enforcement mode by default,
            and only allows execution of binaries and programs cryptographically signed by Palo Alto
            Networks. This prevents the execution of malware that might be dropped by an attacker
            and blocks attempts to modify existing PAN-OS binaries, effectively extending the secure
            boot into the run-time environment. You can monitor IMA violations through system logs
            using the CLI or the web interface. When IMA detects an attempted violation, it logs a
            critical severity system that you can use for investigation. 
When IMA detects violations or attempted violations, PAN-OS can be configured
            to either continue running (collect logs and alerts for investigation), which is the
            default, or reboot to maintenance mode to disrupt the attacker and facilitate a more
            thorough investigation.
Software integrity checks run at boot time and then daily at a set time. You
            can now schedule the checks to run at a different time to better accommodate your
            requirements.