Focus

Network Security

Security Profile: Anti-Spyware

Table of Contents

Security Profile: Vulnerability Protection

Security Profile: Anti-Spyware

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS & Panorama Managed) Prisma Access (Cloud Managed) Prisma Access (Panorama Managed)	Check for any license or role requirements for the products you're using: Prisma Access license or AIOps for NGFW license Advanced Threat Prevention license

Anti-Spyware profiles blocks spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones. For example, you may want to have custom Anti-Spyware profiles that minimize inspection between trusted zones, while maximizing inspection on traffic received from an untrusted zone, such as internet-facing zones. When using a Panorama management server, the Threat ID is mapped to the corresponding custom threat such that a threat log populated with the configured custom Threat ID is generated.

You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:

Default

—Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.

Strict

—Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for low and informational severity signatures.

When a threat event is detected, you can configure the following actions in an Anti-Spyware profile:

Default

—For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parenthesis, for example default (alert) in the threat or Antivirus signature.

Allow

—Permits the application traffic.

The

Allow

action does not generate logs related to the signatures or profiles.

Alert

—Generates an alert for each application traffic flow. The alert is saved in the threat log.

Drop

—Drops the application traffic.

Reset Client

—For TCP, resets the client-side connection. For UDP, drops the connection.

Reset Server

—For TCP, resets the server-side connection. For UDP, drops the connection.

Reset Both

—For TCP, resets the connection on both client and server ends. For UDP, drops the connection.

In some cases, when the profile action is set to

reset-both

, the associated threat log might display the action as

reset-server

. This occurs when a threat is detected at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client-side does not need to be reset, and only the server-side connection is reset.

Block IP

— This action blocks traffic from either a source or a source-destination pair. It's configurable for a specified period of time.

Security Profile: Vulnerability Protection

Security Profile: DNS Security