Focus

Network Security

Security Profile: Vulnerability Protection

Table of Contents

Security Profile: Vulnerability Protection

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS & Panorama Managed) Prisma Access (Cloud Managed) Prisma Access (Panorama Managed)	Check for any license or role requirements for the products you're using: Prisma Access license or AIOps for NGFW license Advanced Threat Prevention license

Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats. You can also create exceptions, which allow you to change the response to a specific signature. When using the Panorama management server, the Threat ID is mapped to the corresponding custom threat so that a threat log populated with the configured custom Threat ID can be generated.

When a threat event is detected, you can configure the following actions in an Anti-Spyware profile:

Default

—For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parenthesis, for example default (alert) in the threat or Antivirus signature.

Allow

—Permits the application traffic

The

Allow

action does not generate logs related to the signatures or profiles.

Alert

—Generates an alert for each application traffic flow. The alert is saved in the threat log.

Drop

—Drops the application traffic.

Reset Client

—For TCP, resets the client-side connection. For UDP, drops the connection.

Reset Server

—For TCP, resets the server-side connection. For UDP, drops the connection.

Reset Both

—For TCP, resets the connection on both client and server ends. For UDP, drops the connection.

In some cases, when the profile action is set to

reset-both

, the associated threat log might display the action as

reset-server

. This occurs when a threat is detected at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client-side does not need to be reset, and only the server-side connection is reset.

Block IP

— This action blocks traffic from either a source or a source-destination pair. It's configurable for a specified period of time.

Security Profile: Antivirus

Security Profile: Anti-Spyware