Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Use the following workflow to set up the default Antivirus, Anti-Spyware, and Vulnerability Protection Security Profiles.
All anti-spyware and vulnerability protection signatures have a default action defined by Palo Alto Networks. To view the default action, select Objects > Security Profiles > Anti-Spyware or Objects > Security Profiles > Vulnerability Protection and then select a profile. Click the Exceptions tab and then click Show all signatures to see a list of the signatures with the default action shown in the Action column. To change the default action, you must create a new profile and then create rules with a non-default action, and/or add individual signature exceptions on the Exceptions tab of the profile.
  1. Verify that you have a Threat Prevention license.
    The Threat Prevention subscription bundles the antivirus, anti-spyware, and vulnerability protection features in one license. To verify that you have an active Threat Prevention subscription, select Device > Licenses, verify that the Threat Prevention license is installed, and check the expiration date.
  2. Download the latest antivirus threat signatures.
    1. Select Device > Dynamic Updates and click Check Now at the bottom of the page to retrieve the latest signatures.
    2. In the Actions column, click Download to install the latest Antivirus and Applications and Threats signatures.
  3. Schedule signature updates.
    1. From Device > Dynamic Updates, click the text to the right of Schedule to automatically retrieve signature updates for Antivirus and Applications and Threats.
    2. Specify the frequency and timing for the updates and whether the update will be downloaded and installed or only downloaded. If you select Download Only, you must manually click the Install link in the Action column to install the signature. When you click OK, the update is scheduled. No commit is required.
    3. (Optional) Enter a number of hours in the Threshold field to indicate the minimum age of a signature before a download will occur. For example, if you enter 10, the signature must be at least 10 hours old before it will be downloaded, regardless of the schedule.
    4. In an HA configuration, you can also select the Sync To Peer option to synchronize the content update with the HA peer after download/install. This does not push the schedule settings to the peer firewall; you must configure the schedule on each firewall.
    Best Practices for Antivirus Schedules
    The general recommendation for antivirus signature update schedules is to perform a download-and-install daily for antivirus and weekly for applications and vulnerabilities.
    Recommendations for HA Configurations:
    • Active/Passive HA: If the MGT port is used for antivirus signature downloads, configure a schedule on both firewalls; both firewalls will download/install independently. If you are using a data port for downloads, the passive firewall will not perform downloads while it is in the passive state. In this case, set a schedule on both firewalls and then select the Sync To Peer option. This ensures that whichever firewall is active, the updates will occur and will then be pushed to the passive firewall.
    • Active/Active HA: If the MGT port is used for antivirus signature downloads on both firewalls, schedule the download/install on both firewalls, but do not select the Sync To Peer option. If you are using a data port, schedule the signature downloads on both firewalls and select Sync To Peer. This ensures that if one firewall in the active/active configuration goes into the active-secondary state, the active firewall will download/install the signature and will then push it to the active-secondary firewall.
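    The license check, manual signature pull, and update schedule from steps 1 to 3 expressed as PAN-OS CLI commands. This is an added illustration, not part of the original page: it assumes the standard operational-mode request commands and the set-command syntax under deviceconfig system update-schedule, and the times and threshold are example values, so confirm the exact syntax against the CLI reference for your PAN-OS release.

```text
# Operational mode: confirm the Threat Prevention license is present and not expired (step 1).
request license info

# Operational mode: one-off check, download and install of the latest content (step 2).
request anti-virus upgrade check
request anti-virus upgrade download latest
request anti-virus upgrade install version latest
request content upgrade check
request content upgrade download latest
request content upgrade install version latest

# Configure mode: the recurring schedule (step 3). Example values; pick times in your maintenance window.
configure
# Antivirus: daily download-and-install (the best-practice frequency), only for signatures
# at least 10 hours old, and pushed to the HA peer after install (data-port download case).
set deviceconfig system update-schedule anti-virus recurring daily at 03:00 action download-and-install
set deviceconfig system update-schedule anti-virus recurring threshold 10
set deviceconfig system update-schedule anti-virus recurring sync-to-peer yes
# Applications and Threats: weekly download-and-install, also synced to the peer.
set deviceconfig system update-schedule threats recurring weekly day-of-week sunday at 03:30 action download-and-install
set deviceconfig system update-schedule threats recurring sync-to-peer yes
# Unlike the GUI schedule dialog, set commands take effect only after a commit.
commit
exit
```

    As the page notes, the schedule itself is not synchronized between HA peers, so the configure-mode block is repeated on each firewall.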
  4. Attach the security profiles to a Security policy rule.
    1. Select Policies > Security, select the desired policy to modify it, and then click the Actions tab.
    2. In Profile Settings, click the drop-down next to each security profile you would like to enable. In this example we choose default for Antivirus, Vulnerability Protection, and Anti-Spyware. The default Anti-Spyware rule enables DNS Sinkholing.
      If no security profiles have been previously defined, select Profiles from the Profile Type drop-down. You will then see the list of options to select the security profiles.
      (Figure: security_profiles_attach_policy.png, attaching the security profiles to the Security policy rule.)
  5. Save the configuration.
    Click Commit.
