Security Profile: Anti-Spyware
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Cloud Managed)
  • Prisma Access (Panorama Managed)

What Do I Need?
  Check for any license or role requirements for the products you're using.

Anti-Spyware profiles block spyware on compromised hosts from phoning home or beaconing out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply different levels of protection between zones. For example, you may want custom Anti-Spyware profiles that minimize inspection between trusted zones while maximizing inspection of traffic received from an untrusted zone, such as an internet-facing zone. When using a Panorama management server, the Threat ID is mapped to the corresponding custom threat, so that a threat log carrying the configured custom Threat ID is generated.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
  • Default—Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
  • Strict—Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for low and informational severity signatures.
When a threat event is detected, you can configure the following actions in an Anti-Spyware profile:
  • Default—For each threat signature and Anti-Spyware signature defined by Palo Alto Networks, a default action is specified internally. Typically the default action is alert or reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
  • Allow—Permits the application traffic. The Allow action does not generate logs related to the signatures or profiles.
  • Alert—Generates an alert for each application traffic flow. The alert is saved in the threat log.
  • Drop—Drops the application traffic.
  • Reset Client—For TCP, resets the client-side connection. For UDP, drops the connection.
  • Reset Server—For TCP, resets the server-side connection. For UDP, drops the connection.
  • Reset Both—For TCP, resets the connection on both the client and server ends. For UDP, drops the connection.
    In some cases, when the profile action is set to reset-both, the associated threat log might display the action as reset-server. This occurs when a threat is detected at the beginning of a session and the client is presented with a 503 block page. Because the block page disallows the connection, the client side does not need to be reset, and only the server-side connection is reset.
  • Block IP—Blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time.
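As an added example, not taken from this page, the zone-tiered approach described above expressed as PAN-OS CLI configuration: a stricter custom profile for traffic from an internet-facing zone and a lighter one between trusted zones, each using the actions listed. Profile, rule and policy names are constructed, lines starting with # are annotations rather than CLI input, and the set-command syntax is given from memory as an assumption to be checked against the CLI reference for your PAN-OS version.

```text
# Constructed example: maximal inspection for traffic arriving from the untrusted zone.
# Critical/high/medium are blocked (mirrors the predefined Strict profile); low/informational only alert.
set profiles spyware ASP-untrust rules crit-high threat-name any category any severity [ critical high ] action reset-both packet-capture single-packet
set profiles spyware ASP-untrust rules medium threat-name any category any severity medium action reset-both packet-capture disable
set profiles spyware ASP-untrust rules low-info threat-name any category any severity [ low informational ] action alert packet-capture disable

# Alternative for the critical tier: block the offending source for 5 minutes instead of resetting one session.
# set profiles spyware ASP-untrust rules crit-high action block-ip track-by source duration 300

# Constructed example: lighter inspection between trusted zones.
# Only critical threats are blocked; everything else keeps the signature's own default action.
set profiles spyware ASP-trust rules crit threat-name any category any severity critical action reset-both packet-capture disable
set profiles spyware ASP-trust rules rest threat-name any category any severity [ high medium low informational ] action default packet-capture disable

# Attach each profile to the Security policy rule for the matching zone pair (rule names constructed).
set rulebase security rules untrust-to-trust profile-setting profiles spyware ASP-untrust
set rulebase security rules trust-to-trust profile-setting profiles spyware ASP-trust
commit
```

When reviewing threat logs for ASP-untrust, expect reset-both hits detected at session start to show as reset-server, as noted above; that is the block-page behaviour, not a misconfiguration.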
