>
    Security Profile: Vulnerability Protection
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Security Profiles
    5. Security Profile: Vulnerability Protection
    Download PDF
    Network Security

    Security Profile: Vulnerability Protection

    Table of Contents

    Security Profile: Vulnerability Protection

    Stop attempts to exploit system flaws or gain unauthorized access to systems.
    Where Can I Use This?
    What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS & Panorama Managed)
    • Prisma Access (Cloud Managed)
    • Prisma Access (Panorama Managed)
    Check for any license or role requirements for the products you're using.
    Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While antispyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats. You can also create exceptions, which allow you to change the response to a specific signature. When using the Panorama management server, the Threat ID is mapped to the corresponding custom threat so that a Threat log populated with the configured custom Threat ID can be generated.
    When a threat event is detected, you can configure the following actions in a Vulnerability Protection profile:
    • Default
      —For each threat signature and Vulnerability Protection profile signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is an alert or a reset-both. The default action is displayed in parentheses, for example default (alert) in the threat or Vulnerability Protection profile signature.
    • Allow
      —Permits the application traffic
      The
      Allow
       action does not generate logs related to the signatures or profiles.
    • Alert
      —Generates an alert for each application traffic flow. The alert is saved in the Threat log.
    • Drop
      —Drops the application traffic.
    • Reset Client
      —For TCP, resets the client-side connection. For UDP, drops the connection.
    • Reset Server
      —For TCP, resets the server-side connection. For UDP, drops the connection.
    • Reset Both
      —For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
      In some cases, when the profile action is set to
      reset-both
      , the associated Threat log might display the action as
      reset-server
      . This occurs when a threat is detected at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client-side does not need to be reset, and only the server-side connection is reset.
    • Block IP
      — This action blocks traffic from either a source or a source-destination pair. It's configurable for a specified period of time.
    Rule order is important!
    Rules are enforced from the top down, even when a Vulnerability Protection profile has multiple rules of the same severity, much like those in a Security policy. Be sure to place rules you want to prioritize over other rules of the same severity higher on the list.

    Configure a Vulnerability Protection Profile

    Cloud Managed

    Stop attempts to exploit system flaws or gain unauthorized access to systems.
    Follow these steps to configure a Vulnerability Protection profile.
    1. Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      Vulnerability Protection
      .
    2. Add Profile
      .
    3. Configure the settings in this table:
      Vulnerability Protection Profile Settings
      Description
      Name
      Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
      Description
      Enter a description for the profile (up to 255 characters).
      Profile Rules
      Rule Name
      Specify a name to identify the rule.
      Threat Name
      Specify a text string to match. Your configuration applies a collection of signatures to the rule by searching signature names for this text string.
      CVE
      Specify Common Vulnerabilities and Exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.
      Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”.
      Host Type
      Specify whether to limit the signatures for the rule to those that are client side, server side, or either (
      any
      ).
      Severity
      Select severities to match (
      informational
      ,
      low
      ,
      medium
      ,
      high
      , or
      critical
      ) if you want to limit the signatures to those that also match the specified severities.
      Action
      Choose the action to take when the rule is triggered. For a list of actions, see Security Rule Actions.
      For the best security, set the Action for both client and server critical, high, and medium severity events to
      reset-both
       and use the default action for Informational and Low severity events.
      Packet Capture
      Select this option if you want to capture identified packets.
      Select
      single-packet
       to capture one packet when a threat is detected, or select the
      extended-capture
       option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context to the threat when analyzing the Threat logs.
      If the action for a given threat is allow, your configuration does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
      Enable extended-capture for critical, high, and medium severity events and single-packet capture for low-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable packet capture for informational events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.
      Apply extended packet capture using the same logic you use to decide what traffic to log—take extended captures of the traffic you log, including traffic you block.
      Overrides
      Enable
      Select
      Enable
       for each threat for which you want to assign an action, or select
      All
       to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
      Threat ID
      Vendor Reference ID
      Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.
      For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09” in the Search field.
      Threat Name
      Exclude a signature from enforcement or change a signature action by creating an override (exception). Only override the default behavior for a signature if you know that the activity the signature detects does not pose a threat to your organization. If you think you've identified a false positive, open a support case so that the Palo Alto Networks threat team can investigate. When the issue is resolved, remove the corresponding override.
      The vulnerability signature database contains signatures that indicate a brute-force attack; for example, Threat ID 40001 triggers on an FTP brute-force attack. Brute-force signatures trigger when a condition occurs in a certain time threshold.
      Apply to IP address
      Click into the
      IP Address
       section to
      Add (+)
       IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you don't have to create a new security rule and new vulnerability profile to create an exception for a specific IP address.
      CVE
      The
      CVE
       column shows identifiers for Common Vulnerabilities and Exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
      Host Type
      Specify whether to limit the signatures for the rule to those that are client side, server side, or either (
      any
      ).
      Category
      Select a vulnerability category if you want to limit the signatures to those that match that category.
      Severity
      Select severities to match (
      informational
      ,
      low
      ,
      medium
      ,
      high
      , or
      critical
      ) if you want to limit the signatures to those that also match the specified severities.
      Default Action
      Choose an action from the drop-down, or choose from the
      Action
       drop-down at the top of the list to apply the same action to all threats.
      Packet Capture
      Enable
      Packet Capture
       if you want to capture identified packets.
      Apply a Vulnerability Protection profile to every Security rule that allows traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities.
    4. Save
       your configuration.
      A Vulnerability Protection profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a Vulnerability Protection profile (and any Security profile).

    PAN-OS & Panorama

    Stop attempts to exploit system flaws or gain unauthorized access to systems.
    A Security rule can include the specification of a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
    • The
      default
       profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events. The Palo Alto Networks content package on the device determines the default action.
    • The
      strict
       profile applies the block response to all client and server critical, high, and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
    Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
    Apply a Vulnerability Protection profile to every Security rule that allows traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities.
    The Rules settings specify collections of signatures to enable, as well as actions to be taken when a signature within a collection is triggered.
    The Exceptions settings allow you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The
    Exception
     tab supports filtering functions.
    The
    Vulnerability Protection
     page presents a default set of columns. Additional columns of information are available by using the column chooser. Click the arrow to the right of a column header and select the columns from the Columns sub-menu.
    Follow these steps to configure a Vulnerability Protection profile.
    1. Go to
      Objects
      Security Profiles
      Vulnerability Protection
      .
    2. Add
       a profile.
    3. Configure the settings in this table:
      Vulnerability Protection Profile Settings
      Description
      Name
      Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
      Description
      Enter a description for the profile (up to 255 characters).
      Shared (
      Panorama only
      )
      Select this option if you want the profile to be available to:
      • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the
        Virtual System
         selected in the
        Objects
         tab.
      • Every device group on Panorama. If you clear this selection, the profile will be available only to the
        Device Group
         selected in the
        Objects
         tab.
      Disable override (
      Panorama only
      )
      Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
      Rules Tab
      Rule Name
      Specify a name to identify the rule.
      Threat Name
      Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string.
      CVE
      Specify Common Vulnerabilities and Exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.
      Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”.
      Host Type
      Specify whether to limit the signatures for the rule to those that are client side, server side, or either (
      any
      ).
      Severity
      Select severities to match (
      informational
      ,
      low
      ,
      medium
      ,
      high
      , or
      critical
      ) if you want to limit the signatures to those that also match the specified severities.
      Action
      Choose the action to take when the rule is triggered. For a list of actions, see Security Rule Actions.
      The
      Default
       action is based on the predefined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select
      Objects
      Security Profiles
      Vulnerability Protection
       and
      Add
       or select an existing profile. Click the
      Exceptions
       tab and then click
      Show all signatures
       to see a list of all signatures and the associated
      Action
      .
      For the best security, set the Action for both client and server critical, high, and medium severity events to
      reset-both
       and use the default action for Informational and Low severity events.
      Packet Capture
      Select this option if you want to capture identified packets.
      Select
      single-packet
       to capture one packet when a threat is detected, or select the
      extended-capture
       option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context to the threat when analyzing the Threat logs. To view the packet capture, select
      Monitor
      Logs
      Threat
       and locate the log entry you're interested in, and then click the green down arrow in the second column. To define the number of packets that should be captured, select
      Device
      Setup
      Content-ID
       and then edit the Content-ID Settings.
      If the action for a given threat is allow, the firewall does not trigger a Threat log and does not capture packets. If the action is alert, you can set the packet capture to single-packet or extended-capture. All blocking actions (drop, block, and reset actions) capture a single packet. The content package on the device determines the default action.
      Enable extended-capture for critical, high, and medium severity events and single-packet capture for low-severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable packet capture for informational events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.
      Apply extended packet capture using the same logic you use to decide what traffic to log—take extended captures of the traffic you log, including traffic you block.
      Exceptions Tab
      Enable
      Select
      Enable
       for each threat for which you want to assign an action, or select
      All
       to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
      ID
      Vendor ID
      Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.
      For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09” in the Search field.
      Threat Name
      Only create a threat exception if you're sure an identified threat isn't a threat (false positive). If you believe you have discovered a false positive, open a support case with TAC so Palo Alto Networks can investigate the incorrectly identified threat. When the issue is resolved, remove the exception from the profile immediately.
      The vulnerability signature database contains signatures that indicate a brute-force attack; for example, Threat ID 40001 triggers on an FTP brute-force attack. Brute-force signatures trigger when a condition occurs in a certain time threshold. The thresholds are pre-configured for brute-force signatures, and can be changed by clicking the edit icon next to the threat name on the
      Vulnerability
       tab (with the
      Custom
       option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source-and-destination.
      Thresholds can be applied on a source IP, destination IP or a combination of source IP and destination IP.
      The default action is shown in parentheses.
      IP Address Exemptions
      Click into the
      IP Address Exemptions
       column to
      Add
       IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you don't have to create a new security rule and new vulnerability profile to create an exception for a specific IP address.
      Rule
      CVE
      The
      CVE
       column shows identifiers for Common Vulnerabilities and Exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
      Host
      Category
      Select a vulnerability category if you want to limit the signatures to those that match that category.
      Severity
      Action
      Choose an action from the drop-down, or choose from the
      Action
       drop-down at the top of the list to apply the same action to all threats.
      Packet Capture
      Select
      Packet Capture
       if you want to capture identified packets.
      Show all signatures
      Enable
      Show all signatures
       to list all signatures. If
      Show all signatures
       is disabled, only the signatures that are exceptions are listed.
      Inline Cloud Analysis Tab
      Inline Cloud Analysis
       allows you to enable and configure the settings for real-time analysis of command injection and SQL injection vulnerabilities on a per detection engine basis.
      Enable cloud inline analysis
      —Enables inline deep learning detection engines used to detect command injection and SQL injection vulnerabilities across all available inline cloud analysis engines.
      Available Analysis Engines
      For each available analysis engine representing a vulnerability category, you can select one of the following actions that you want the firewall to enforce when a corresponding vulnerability is detected:
      • Allow
        —The request is allowed and no log entry is generated.
      • Alert
        —The request is allowed and a Threat log entry is generated.
      • Reset-Client
        —Resets the client-side connection.
      • Reset-Server
        —Resets the server-side connection.
      • Reset-Both
        —Resets the connection on both client and server ends.
      The default action for all analysis engines is alert.
      Exclude from Inline Cloud Analysis
      Allows you to select a URL or IP address exception list that bypasses the inline cloud analysis engines. Exceptions can be specified using URLs and/or IP addresses. URL exceptions include an EDL (external dynamic list) or a custom URL category, while IP address exceptions include an EDL or an Address object. Click
      Add
       to view and select from the available options. You can select the following list types:
      • EDL URL
        —External Dynamic Lists containing a series of URLs or a custom URL category.
      • IP Address
        —IP address lists defined in an External Dynamic List or within an Address object.
        Only create IP address and URL exceptions when the identified threats don't pose a danger, such as in the case of a false-positive.
    4. Select
      OK
       to save your configuration.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.