Anti-Spyware profiles block spyware on compromised hosts from attempting to phone home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply different levels of protection between zones. For example, you may want custom Anti-Spyware profiles that minimize inspection between trusted zones while maximizing inspection of traffic received from an untrusted zone, such as an internet-facing zone.
You can define your own custom Anti-Spyware profiles, or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
Default —Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
Strict —Overrides the default action of critical, high, and medium severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for low and informational severity signatures.
When the firewall detects a threat event, you can configure the following actions in an Anti-Spyware profile:
Default —For each threat signature and Anti-Spyware signature that is defined by Palo Alto Networks, a default action is specified internally. Typically the default action is alert or reset-both. The default action is displayed in parentheses, for example default (alert), in the threat or Antivirus signature.
Allow —Permits the application traffic.
Alert —Generates an alert for each application traffic flow. The alert is saved in the threat log.
Drop —Drops the application traffic.
Reset Client —For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server —For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both —For TCP, resets the connection on both the client and server ends. For UDP, drops the connection.
Block IP —Blocks traffic from either a source or a source-destination pair for a configurable period of time.
In addition, you can enable the DNS Sinkholing action in Anti-Spyware profiles so that the firewall forges a response to a DNS query for a known malicious domain, causing the malicious domain name to resolve to an IP address that you define. This feature helps to identify infected hosts on the protected network using DNS traffic. Infected hosts can then be easily identified in the traffic and threat logs, because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
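The following is an added example, not Palo Alto Networks code, that models the two halves of the sinkholing workflow described above: the forged DNS answer for a known-malicious domain, and the follow-up hunt through traffic logs for hosts that went on to connect to the sinkhole address. The malicious-domain list, the sinkhole address 10.255.255.1, and the simplified comma-separated traffic-log format are all constructed for this example and do not reproduce the PAN-OS log schema.

```python
"""Added example (not Palo Alto Networks code) modelling DNS Sinkholing and
the log hunt that follows it.

Constructed assumptions: the malicious-domain list, the sinkhole address and
the simplified traffic-log line format
    timestamp,src_ip,dst_ip,dst_port,action
are made up here and are not the PAN-OS log schema.
"""
from collections import defaultdict

SINKHOLE_IP = "10.255.255.1"  # constructed sinkhole address defined by the admin

# Constructed stand-in for the firewall's malicious-domain signatures.
MALICIOUS_DOMAINS = {"bad-c2.example", "beacon.example"}

# Constructed stand-in for the answers an upstream resolver would return.
UPSTREAM_ANSWERS = {
    "bad-c2.example": "203.0.113.10",
    "intranet.example": "192.0.2.5",
}

# Constructed traffic-log sample: two hosts reach the sinkhole, one does not,
# plus a comment line and a malformed line the scanner must tolerate.
SAMPLE_TRAFFIC_LOG = [
    "# timestamp,src_ip,dst_ip,dst_port,action",
    "2024-01-01T10:00:01,192.168.1.20,10.255.255.1,443,allow",
    "2024-01-01T10:00:05,192.168.1.40,192.0.2.5,443,allow",
    "2024-01-01T10:00:09,192.168.1.31,10.255.255.1,80,allow",
    "this line is truncated",
    "2024-01-01T10:01:00,192.168.1.20,10.255.255.1,443,allow",
]


def sinkhole_resolve(qname, upstream_answers=UPSTREAM_ANSWERS,
                     sinkhole_ip=SINKHOLE_IP):
    """Return the A-record answer the client receives.

    A query for a known-malicious domain gets a forged answer pointing at the
    sinkhole; any other name gets the upstream answer, or None if unknown.
    Names are normalised (trailing dot stripped, lower-cased) before lookup.
    """
    name = qname.rstrip(".").lower()
    if name in MALICIOUS_DOMAINS:
        return sinkhole_ip
    return upstream_answers.get(name)


def find_sinkholed_hosts(traffic_log_lines, sinkhole_ip=SINKHOLE_IP):
    """Count, per source host, the sessions whose destination is the sinkhole.

    Every host in the result resolved a sinkholed domain and then tried to
    connect to it, which is the 'most likely infected' signal described above.
    Comment lines and malformed lines are skipped rather than aborting the hunt.
    """
    hits = defaultdict(int)
    for line in traffic_log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            continue  # malformed record: skip it, do not crash the scan
        _timestamp, src_ip, dst_ip, _dst_port, _action = fields
        if dst_ip == sinkhole_ip:
            hits[src_ip] += 1
    return dict(hits)


if __name__ == "__main__":
    print("bad-c2.example resolves to", sinkhole_resolve("bad-c2.example"))
    for host, count in sorted(find_sinkholed_hosts(SAMPLE_TRAFFIC_LOG).items()):
        print(f"{host}: {count} session(s) to sinkhole, investigate host")
```

Because the sinkhole address is one you define, a single traffic-log filter on that destination is enough to surface infected hosts even when the C2 domain itself rotates; the scanner above keys on the destination IP, not on the domain name.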
Anti-Spyware and Vulnerability Protection profiles are configured similarly.