Security Profiles provide threat protection in security policies. For example, you can apply an antivirus profile to a security policy and all traffic that matches the security policy will be scanned for viruses.
The following sections provide steps for setting up a basic threat prevention configuration:
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Every Palo Alto Networks next-generation firewall comes with predefined Antivirus, Anti-Spyware, and Vulnerability Protection profiles that you can attach to security policies. There is one predefined Antivirus profile, default, which uses the default action for each protocol (block HTTP, FTP, and SMB traffic and alert on SMTP, IMAP, and POP3 traffic). There are two predefined Anti-Spyware and Vulnerability Protection profiles:
default —Applies the default action to all client and server critical, high, and medium severity spyware/vulnerability protection events. It does not detect low and informational events.
strict —Applies the block response to all client and server critical, high, and medium severity spyware/vulnerability protection events and uses the default action for low and informational events.
To ensure that the traffic entering your network is free from threats, attach the predefined profiles to your basic web access policies. As you monitor the traffic on your network and expand your policy rulebase, you can then design more granular profiles to address your specific security needs.
Set up Antivirus/Anti-Spyware/Vulnerability Protection
Verify that you have a Threat Prevention license. The Threat Prevention license bundles the Antivirus, Anti-Spyware, and the Vulnerability Protection features in one license. Select Device > Licenses to verify that the Threat Prevention license is installed and valid (check the expiration date).
Download the latest antivirus threat signatures. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures. In the Actions column, click Download to install the latest Antivirus, and Applications and Threats signatures.
Schedule signature updates. Perform a download-and-install on a daily basis for antivirus updates and weekly for applications and threats updates. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you must later click the Install link in the Action column to install the signature manually. When you click OK, the update is scheduled. No commit is required.
(Optional) You can also enter the number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you enter 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
In an HA configuration, you can also click the Sync To Peer option to synchronize the content update with the HA peer after download/install. This does not push the schedule settings to the peer firewall; you need to configure the schedule on each firewall.
Recommendations for HA Configurations:
Active/Passive HA —If the firewalls use the MGT port for content updates, configure a schedule on each firewall so that each firewall downloads and installs content independently. If the firewalls use a data port for content updates, the passive firewall will not perform downloads while it is in the passive state. In this case, set a schedule on each peer and enable Sync To Peer to ensure that content updates on the active peer sync to the passive peer.
Active/Active HA —If the firewalls use the MGT port for content updates, configure a schedule on each firewall, but do not enable Sync To Peer. If the firewalls use a data port for content updates, schedule content updates on each firewall and select Sync To Peer to enable the active-primary firewall to download and install the content updates and then push the content update to the active-secondary peer.
Attach the security profiles to a security policy. Attach a clone of a predefined security profile to your basic Security policy rules. That way, if you want to customize the profile you can do so without deleting the read-only predefined strict or default profile and attaching a customized profile. Select Policies > Security, select the desired policy to modify it and then click the Actions tab. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus and WildFire Analysis, and strict for Vulnerability Protection and Anti-Spyware. If you don’t see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.
Save the configuration. Click Commit.
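The license check in the first step can be automated. The following added example (not part of the Palo Alto Networks documentation) parses the XML that the PAN-OS XML API returns for the op command request license info and reports whether Threat Prevention is installed, expiring, or expired. The sample response is constructed to mirror that format, and the wording of the expiry date is an assumption, so several date formats are tried.

```python
"""Report the Threat Prevention license state from a PAN-OS license listing.

Input is the XML body returned by the XML API op command
<request><license><info></license></request>. The sample below is
CONSTRUCTED; the <expires> date wording is assumed, so DATE_FORMATS
lists several candidates.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample, not captured from a real firewall.
SAMPLE_LICENSE_XML = """<response status="success"><result><licenses>
  <entry><feature>Threat Prevention</feature><description>Threat Prevention</description>
    <serial>PLACEHOLDER-SERIAL</serial><issued>January 10, 2024</issued>
    <expires>January 10, 2026</expires><expired>no</expired></entry>
  <entry><feature>WildFire License</feature><description>WildFire</description>
    <serial>PLACEHOLDER-SERIAL</serial><issued>January 10, 2024</issued>
    <expires>Never</expires><expired>no</expired></entry>
</licenses></result></response>"""

DATE_FORMATS = ("%B %d, %Y", "%Y/%m/%d", "%m/%d/%Y")

def parse_expiry(text):
    """Return a date, None for a perpetual ('Never') license, or raise ValueError."""
    text = text.strip()
    if text.lower() == "never":
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError("unrecognised expiry date: %r" % text)

def threat_prevention_status(xml_text, today, warn_days=30):
    """Return {'status': missing|expired|expiring|valid, ...} for Threat Prevention."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call did not succeed")
    for entry in root.iterfind("./result/licenses/entry"):
        if entry.findtext("feature", "").strip() != "Threat Prevention":
            continue
        expires = parse_expiry(entry.findtext("expires", ""))
        if entry.findtext("expired", "").strip() == "yes":
            return {"status": "expired", "expires": expires}
        if expires is None:  # perpetual license
            return {"status": "valid", "expires": None, "days_left": None}
        days_left = (expires - today).days
        if days_left < 0:
            return {"status": "expired", "expires": expires, "days_left": days_left}
        status = "expiring" if days_left <= warn_days else "valid"
        return {"status": status, "expires": expires, "days_left": days_left}
    return {"status": "missing"}
```

Feeding the real response of a firewall into threat_prevention_status with today's date gives a result suitable for a daily monitoring check; an "expiring" or "missing" status is the condition to alert on before signature downloads silently stop.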
Set Up File Blocking
File Blocking Profiles allow you to identify specific file types that you want to block or monitor. For most traffic (including traffic on your internal network) you will want to block files that are known to carry threats or that have no real use case for upload/download. Currently, these include batch files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. Additionally, to provide drive-by download protection, allow download/upload of executables and archive files (.zip and .rar), but force users to acknowledge that they are transferring a file so that they will notice when the browser is attempting to download something they were not aware of. For policy rules that allow general web browsing, be stricter with your file blocking because the risk of users unknowingly downloading malicious files is much higher. For this type of traffic you will want to attach a stricter file blocking profile that also blocks portable executable (PE) files.
Configure File Blocking
Configure a File Blocking profile for general use. Select Objects > Security Profiles > File Blocking and click Add. Enter a Name for the file blocking profile, for example general-file-blocking. Optionally enter a Description, such as block-risky-apps. Click Add to define the profile settings. Enter a Name, such as block-risky. Set the File Types to block. For example, Add the following: bat, dll, jar, hlp, lnk, and torrent. Leave the Direction set to both. Set the Action to block. Add a second rule and enter a Name, for example continue exe and archive. Set the File Types to continue. For example, Add the following: PE, zip, and rar. Leave the Direction set to both. Set the Action to continue. Click OK to save the profile.
Configure a File Blocking profile for risky traffic. When users are web browsing, it is much more likely that they will download a malicious file unintentionally. Therefore, it is important to attach a stricter file blocking profile than you would attach to Security policy rules that allow access to less risk-prone application traffic. On the Objects > Security Profiles > File Blocking page, select the file blocking profile you just created for general traffic and click Clone. Select the profile to clone and click OK. Select the cloned profile and give it a new Name, such as strict-block-risky-apps. Click in the File Types section of the block rule and Add the PE file type. Click in the File Types section of the continue rule, select PE and click Delete. Click OK to save the profile.
Attach the file blocking profile to the security policies that allow access to content. Select Policies > Security and either select an existing policy or create a new policy as described in Set Up a Basic Security Policy. Click the Actions tab within the security policy. In the Profile Settings section, click the drop-down and select the file blocking profile you created. If you don’t see drop-downs for selecting profiles, select Profiles from the Profile Type drop-down.
Enable response pages in the management profile for each interface on which you are attaching a file blocking profile with a continue action. Select Network > Network Profiles > Interface Mgmt and then select an interface profile to edit or click Add to create a new profile. Select Response Pages, as well as any other management services required on the interface. Click OK to save the interface management profile. Select Network > Interfaces and select the interface to which to attach the profile. On the Advanced > Other Info tab, select the interface management profile you just created. Click OK to save the interface settings.
Save the configuration. Click Commit.
Test the file blocking configuration. From a client PC in the trust zone of the firewall, attempt to download an .exe file from a website in the Internet zone. Make sure the file is blocked as expected based on the action you defined in the file blocking profile: If you selected alert as the action, check the data filtering log to make sure you see a log entry for the request. If you selected block as the action, the File Blocking Block Page response page should display. If you selected the continue action, the File Blocking Continue Page response page should display. Click Continue to download the file. The following shows the default File Blocking Continue Page.
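The general and strict profiles built in the first two steps of this procedure differ only in where the PE file type sits, so the clone step can be expressed as a transformation. The following added example (not Palo Alto Networks code) builds the general-file-blocking profile from the file types listed above and derives strict-block-risky-apps from it by moving PE from the continue rule to the block rule. The XML layout (rules/entry with application, file-type, direction, action) is assumed to follow the PAN-OS configuration schema; compare it against an export of your own running-config before pushing it through the XML API.

```python
"""Build the two File Blocking profiles from the procedure as config XML.

The rules/entry element layout is ASSUMED to match the PAN-OS schema;
verify against your running-config before using it with the XML API.
"""
import copy
import xml.etree.ElementTree as ET

# File types from the procedure: block outright, and continue (user acknowledges).
GENERAL_BLOCK = ["bat", "dll", "jar", "hlp", "lnk", "torrent"]
GENERAL_CONTINUE = ["PE", "zip", "rar"]

def _rule(name, types, action, direction="both"):
    """One file-blocking rule entry applying to any application."""
    rule = ET.Element("entry", name=name)
    app = ET.SubElement(rule, "application")
    ET.SubElement(app, "member").text = "any"
    ft = ET.SubElement(rule, "file-type")
    for t in types:
        ET.SubElement(ft, "member").text = t
    ET.SubElement(rule, "direction").text = direction
    ET.SubElement(rule, "action").text = action
    return rule

def build_general_profile(name="general-file-blocking"):
    """The general-use profile: block risky types, continue on PE/zip/rar."""
    prof = ET.Element("entry", name=name)
    ET.SubElement(prof, "description").text = "block-risky-apps"
    rules = ET.SubElement(prof, "rules")
    rules.append(_rule("block-risky", GENERAL_BLOCK, "block"))
    rules.append(_rule("continue exe and archive", GENERAL_CONTINUE, "continue"))
    return prof

def clone_as_strict(general, name="strict-block-risky-apps", move_type="PE"):
    """Clone the profile and move move_type from the continue rule to the block rule."""
    strict = copy.deepcopy(general)
    strict.set("name", name)
    for rule in strict.iterfind("./rules/entry"):
        ft = rule.find("file-type")
        members = [m.text for m in ft.findall("member")]
        if rule.findtext("action") == "continue" and move_type in members:
            for m in list(ft):
                if m.text == move_type:
                    ft.remove(m)
        elif rule.findtext("action") == "block" and move_type not in members:
            ET.SubElement(ft, "member").text = move_type
    return strict

def file_types(profile, rule_name):
    """File types of a named rule, for checks; [] if the rule is absent."""
    for rule in profile.iterfind("./rules/entry"):
        if rule.get("name") == rule_name:
            return [m.text for m in rule.find("file-type").findall("member")]
    return []
```

ET.tostring(clone_as_strict(build_general_profile())) yields the element to review against the firewall's own file-blocking configuration.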
