Objects > Security Profiles > Vulnerability Protection
A Security policy rule can include a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
- The default profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events. The Palo Alto Networks content package on the device determines the default action.
- The strict profile applies the block response to all client and server critical, high, and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well as for traffic sent to highly sensitive destinations, such as server farms. To apply Vulnerability Protection profiles to Security policies, refer to Policies > Security.
To protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities, apply a Vulnerability Protection profile to every Security policy rule that allows traffic.
The Rules settings specify collections of signatures to enable, as well as the actions to take when a signature within a collection is triggered.
The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exceptions tab supports filtering functions.
The Vulnerability Protection page presents
a default set of columns. Additional columns of information are
available by using the column chooser. Click the arrow to the right
of a column header and select the columns from the Columns sub-menu.
The following tables describe the Vulnerability Protection profile settings:
Vulnerability Protection Profile Settings | Description |
---|---|
Name | Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores. |
Description | Enter a description for the profile (up to 255 characters). |
Shared (Panorama only) | Select this option if you want the profile to be available to: |
Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile. |
Rules Tab | |
Rule Name | Specify a name to identify the rule. |
Threat Name | Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string. |
CVE | Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs. Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”. |
Host Type | Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any). |
Severity | Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities. |
Action | Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles. The Default action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select Objects > Security Profiles > Vulnerability Protection and Add or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action. For the best security, set the Action for both client and server critical, high, and medium severity events to reset-both and use the default action for informational and low severity events. |
Packet Capture | Select this option if you want to capture identified packets. Threats that are detected using the advanced Inline Cloud Analysis engines do not generate packet capture data. Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat, locate the log entry you are interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select Device > Setup > Content-ID and then edit the Content-ID Settings. If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action. Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable packet capture for informational events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic. Apply extended packet capture using the same logic you use to decide what traffic to log—take extended captures of the traffic you log, including traffic you block. |
Exceptions Tab | |
Enable | Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections. |
ID | |
Vendor ID | Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs. For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09” in the Search field. |
Threat Name | Only create a threat exception if you are sure an identified threat is not a threat (false positive). If you believe you have discovered a false positive, open a support case with TAC so Palo Alto Networks can investigate the incorrectly identified threat. When the issue is resolved, remove the exception from the profile immediately. The vulnerability signature database contains signatures that indicate a brute force attack; for example, Threat ID 40001 triggers on an FTP brute force attack. Brute-force signatures trigger when a condition occurs within a certain time threshold. The thresholds are pre-configured for brute force signatures and can be changed by clicking the edit icon. Thresholds can be applied on a source IP, destination IP, or a combination of source IP and destination IP. The default action is shown in parentheses. |
IP Address Exemptions | Click into the IP Address Exemptions column to Add IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address. |
Rule | |
CVE | The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities. |
Host | |
Category | Select a vulnerability category if you want to limit the signatures to those that match that category. |
Severity | |
Action | Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats. |
Packet Capture | Select Packet Capture if you want to capture identified packets. |
Show all signatures | Enable Show all signatures to list all signatures. If Show all signatures is disabled, only the signatures that are exceptions are listed. |
Inline Cloud Analysis Tab | Inline Cloud Analysis allows you to enable and configure the settings for real-time analysis of command injection and SQL injection vulnerabilities on a per detection engine basis. |
Enable cloud inline analysis | Enables inline deep learning detection engines used to detect command injection and SQL injection vulnerabilities across all available inline cloud analysis engines. |
Available Analysis Engines | For each available analysis engine representing a vulnerability category, you can select one of the following actions that you want the firewall to enforce when a corresponding vulnerability is detected: The default action for all analysis engines is alert. |
Exclude from Inline Cloud Analysis | Allows you to select a URL or IP address exception list that bypasses the inline cloud analysis engines. Exceptions can be specified using URLs and/or IP addresses. URL exceptions include an EDL (external dynamic list) or a custom URL category, while IP address exceptions include an EDL or an Address object. Click Add to view and select from the available options. You can select the following list types: |
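The precedence the Rules, Exceptions, IP Address Exemptions and Packet Capture rows describe, as an added Python model that is not PAN-OS code or from this guide: the Threat IDs, CVE strings and addresses are constructed, and the model assumes rules are evaluated top-down with the first match winning and that a signature covered by no rule is not enforced.

```python
from dataclasses import dataclass
BLOCKING = {"drop", "block-ip", "reset-client", "reset-server", "reset-both"}

@dataclass
class Signature:           # Exceptions tab columns; sample values are constructed
    threat_id: int
    cve: str
    severity: str
    default_action: str    # the pre-defined action from the content package

@dataclass
class Rule:                # one row of the Rules tab
    action: str            # "default" or an explicit action such as "reset-both"
    capture: str = "disable"   # "disable", "single-packet" or "extended-capture"
    cve: str = ""              # string match, e.g. "2011" for that year's CVEs
    severities: tuple = ("any",)
    def matches(self, sig):
        return self.cve in sig.cve and ("any" in self.severities or sig.severity in self.severities)

@dataclass
class ThreatException:     # one enabled row of the Exceptions tab
    threat_id: int
    action: str
    capture: str = "disable"
    exempt_ips: frozenset = frozenset()  # empty: the exception applies to every session

def resolve(sig, rules, exceptions, src_ip, dst_ip):
    # Assumptions: rules evaluated top-down, first match wins; a signature no rule covers is not enforced
    action, capture = "allow", "disable"
    for rule in rules:
        if rule.matches(sig):
            action = sig.default_action if rule.action == "default" else rule.action
            capture = rule.capture
            break
    for exc in exceptions:  # an exception overrides the rule; one with IP exemptions
        if exc.threat_id == sig.threat_id and (  # only when src or dst is a listed IP
                not exc.exempt_ips or {src_ip, dst_ip} & exc.exempt_ips):
            action = sig.default_action if exc.action == "default" else exc.action
            capture = exc.capture
    if action == "allow":   # allow: no Threat log entry and no packet capture
        return action, "disable"
    if action in BLOCKING:  # blocking actions capture at most a single packet
        return action, "disable" if capture == "disable" else "single-packet"
    return action, capture  # alert: single-packet or extended-capture as configured

# Page's recommendation: reset-both + extended capture for critical/high/medium; default + single-packet for low; default, no capture for informational
RECOMMENDED = [
    Rule("reset-both", "extended-capture", severities=("critical", "high", "medium")),
    Rule("default", "single-packet", severities=("low",)),
    Rule("default", severities=("informational",)),
]
```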