>
    Strata Copilot
    Apply a Virtual Patch to Risky Assets
    Focus
    Download PDF
    Focus
    1. Home
    2. Device Security
    3. Device Security Administration Guide
    4. IoT Device Vulnerability Detection
    5. Virtual Patching with Device Security
    6. Apply a Virtual Patch to Risky Assets
    Download PDF
    Device Security

    Apply a Virtual Patch to Risky Assets

    Table of Contents

    Apply a Virtual Patch to Risky Assets

    Create Security policy rules to apply virtual patches to risky assets.
    Where Can I Use This?What Do I Need?
    • Device Security (Managed by Strata Cloud Manager)
    One of the following subscriptions:
    • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
    • Device Security X subscription
    To apply a virtual patch to risky assets, you create a Security Policy Rule. Applying a virtual patch requires an account with the Superuser role.
    To begin, in Device Security in Strata Cloud Manager, navigate to AssetsInventory In the Risk Score table, click View More to expand the table and review active vulnerabilities.

    Verify Firewall Status

    When viewing a vulnerability with an available Threat Signature, you may need to update your firewalls before you can apply a virtual patch.
    1. Choose a vulnerability with a Threat Signature and view the virtual patching vulnerability information.
    2. In the Mitigate the vulnerability risk section, look for a warning to "Verify Threat Prevention License and/or the Application and Threat Content Update Version on your firewalls."
      If there is no warning, you can skip to Create a Security Policy Rule.
    3. In the warning, click View Details to bring up the Warning pop-up.
      The pop-up displays all firewalls managed by Strata Cloud Manager which don't have an active Threat Prevention license with the latest Applications and Threats content version to leverage the Threat Signature. The table includes information about the current content version on each firewall, as well as the first release and the last update which contain the threat signature for the vulnerability. The current content version needs to match the last update.
    4. Click View Firewalls to go to the Device Management page in Strata Cloud Manager.
      This takes you out of Device Security and to the firewall management page in Strata Cloud Manager, where you can configure Threat Prevention and update your Applications and Threats content version.

    Create a Security Policy Rule

    You can apply a virtual patch by creating Security Policy Rules based on recommended behaviors detected by Device Security.
    1. Choose the vulnerability that you want to create a Security policy rule for and view the virtual patching vulnerability information.
    2. In the Mitigate the vulnerability risk section, click Create Security Policy Rules to go to the AssetsProfilesBehaviors page for the associated device profile.
    3. Click Create Security Policy RulesStrata Cloud Manager.
    4. Optional Filter the profile behaviors based on the direction you want to create a Security policy rule for.
      You can filter by inbound, outbound, or both directions.
    5. Select the profile behaviors you want to create a Security Policy Rule for, and then click Next to go to the Policy Configuration page of the workflow.
    6. In the Configure Security Policy Rules section, select Folders or Snippets, and then select the specific Location or Snippet for the Configuration Scope.
    7. Select the Profile Group.
    8. Select Security Rules to see configuration options, and then define the Source Zone, Destination Zone, Service, or Tag for the behavior that you want to create a rule for.
    9. Click Next to go to the Review page of the workflow.
    10. Optional Click the Edit (pencil) icon on each row to change the Security policy rule name.
      Security policy rules need to have unique names. The system generates a unique name that you can change to suit your needs.
    11. Click Create to send the Security policy rule configuration to Strata Cloud Manager and bring up the Security Policy Rules Created popup.
      From the Security Policy Rules Created popup, you can edit your Security policy rules or update the vulnerability status on your devices.
    12. Click Review or edit security policies to open the Security Policy page in Strata Cloud Manager in a new tab and view your Security Policies.
    13. Resolve the vulnerability or add a comment in the Change Status section to complete the virtual patching workflow.
      1. Choose whether to Resolve: Vulnerability Mitigated or Do not resolve.
        Choosing Resolve: Vulnerability Mitigated means that you applied compensating controls (Security policy rules). This removes the contribution of the vulnerability towards the affected devices' risk scores and means that Device Security will no longer monitor this vulnerability on these devices.
      2. Add a comment to describe the action taken.
      3. Go Back to the Asset Dashboard and verify that the vulnerability for that profile no longer appears in the Risk Score list.

    © 2026 Palo Alto Networks, Inc. All rights reserved.