The action specifies how the firewall responds to a
threat event. Every threat or virus signature that is defined by Palo
Alto Networks includes a default action, typically either Alert
(which informs you using the option you have enabled for
notification) or Reset Both (which resets both sides of the
connection). However, you can define
or override the action on the firewall. The following actions are
applicable when defining Antivirus profiles, Anti-Spyware profiles,
Vulnerability Protection profiles, custom spyware objects, custom
vulnerability objects, or DoS Protection profiles.

Action: Description

Default: Takes the default action that is specified internally for each threat signature. For antivirus profiles, it takes the default action for the virus signature. DoS Protection profile: Random Early Drop.

Allow: Permits the application traffic. The Allow action does not generate logs related to the signatures or profiles.

Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log. DoS Protection profile: Generates an alert when attack volume (cps) reaches the Alarm threshold set in the profile.

Drop: Drops the application traffic.

Reset Client: For TCP, resets the client-side connection. For UDP, the connection is dropped.

Reset Server: For TCP, resets the server-side connection. For UDP, the connection is dropped.

Reset Both: For TCP, resets the connection on both client and server ends. For UDP, the connection is dropped.

Block IP: Blocks traffic from either a source or a source-destination pair; configurable for a specified period of time.

Sinkhole: This action directs DNS queries for malicious domains to a sinkhole IP address. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists.

Random Early Drop: Causes the firewall to randomly drop packets when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.

SYN Cookies: Causes the firewall to generate SYN cookies to authenticate a SYN from a client when connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule.

You cannot delete a profile that is used in a policy rule;
you must first remove the profile from the policy rule.