Configure a Vulnerability Protection Profile (Strata Cloud Manager)

1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesVulnerability Protection.
2. Add Profile.
3. Configure the settings in this table:

   Vulnerability Protection Profile Settings	Description
   Name	Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
   Description	Enter a description for the profile (up to 255 characters).
   Profile Rules
   Rule Name	Specify a name to identify the rule.
   Threat Name	Specify a text string to match. Your configuration applies a collection of signatures to the rule by searching signature names for this text string.
   CVE	Specify Common Vulnerabilities and Exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs. Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”.
   Host Type	Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any).
   Severity	Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities.
   Action	Choose the action to take when the rule is triggered. For a list of actions, see Security Rule Actions. For the best security, set the Action for both client and server critical, high, and medium severity events to reset-both and use the default action for Informational and Low severity events.
   Packet Capture	Select this option if you want to capture identified packets. Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context to the threat when analyzing the Threat logs. If the action for a given threat is allow, your configuration does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action. Enable extended-capture for critical, high, and medium severity events and single-packet capture for low-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable packet capture for informational events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic. Apply extended packet capture using the same logic you use to decide what traffic to log—take extended captures of the traffic you log, including traffic you block.
   Overrides
   Enable	Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
   Threat ID
   Vendor Reference ID	Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs. For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09” in the Search field.
   Threat Name	Exclude a signature from enforcement or change a signature action by creating an override (exception). Only override the default behavior for a signature if you know that the activity the signature detects does not pose a threat to your organization. If you think you've identified a false positive, open a support case so that the Palo Alto Networks threat team can investigate. When the issue is resolved, remove the corresponding override. The vulnerability signature database contains signatures that indicate a brute-force attack; for example, Threat ID 40001 triggers on an FTP brute-force attack. Brute-force signatures trigger when a condition occurs in a certain time threshold.
   Apply to IP address	Click into the IP Address section to Add (+) IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you don't have to create a new security rule and new vulnerability profile to create an exception for a specific IP address.
   CVE	The CVE column shows identifiers for Common Vulnerabilities and Exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
   Host Type	Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any).
   Category	Select a vulnerability category if you want to limit the signatures to those that match that category.
   Severity	Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities.
   Default Action	Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats.
   Packet Capture	Enable Packet Capture if you want to capture identified packets.

   Apply a Vulnerability Protection profile to every Security rule that allows traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities.
4. Save your configuration.

   A Vulnerability Protection profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a Vulnerability Protection profile (and any Security profile).