You can specify how the firewall responds to threat events by defining an action in certain security profiles (Objects > Security Profiles) or in custom spyware and vulnerability signatures (Objects > Custom Objects > Spyware/Vulnerability). Palo Alto Networks defines a default action for threat signatures, though you can set a new action for the firewall to apply to a specific threat or to types of threats:
Set the action in an Antivirus profile to define how the firewall treats worms, viruses, trojans and spyware downloads (Objects > Security Profiles > Antivirus).
Set the action in an Anti-Spyware profile to define how the firewall treats attempts from spyware on compromised hosts to phone-home or beacon out to external command and control (C2) servers (Objects > Security Profiles > Anti-Spyware Profile).
Set the action in a Vulnerability Protection profile to define how the firewall treats attempts to exploit system flaws or gain unauthorized access to systems (Objects > Security Profiles > Vulnerability Protection).
Set the action for custom spyware and vulnerability signatures to define how the firewall treats threats that match these custom patterns (Objects > Custom Objects > Spyware/Vulnerability).
The following table describes actions you can perform on profiles and custom objects.
Action | Description | Antivirus Profile | Anti-Spyware Profile | Vulnerability Protection Profile | Custom Objects—Spyware and Vulnerability
Default | Takes the default action that is specified internally for each threat signature. For antivirus profiles, it takes the default action for the virus signature.
Allow | Permits the application traffic.
Alert | Generates an alert for each application traffic flow (alert is saved in the threat log).
Drop | Drops the application traffic.
Reset Client | For TCP, resets the client-side connection. For UDP, the connection is dropped. In cases where HTTP traffic or decrypted HTTPS traffic is blocked based on the Reset Client setting, a TCP reset is not sent to the client; instead, a block page is presented to inform the user that the file download is not permitted. However, if a file triggers the Reset Client action after it has already started to be transmitted to the client, the file transmission ceases and a TCP reset is sent.
Reset Server | For TCP, resets the server-side connection. For UDP, the connection is dropped.
Reset Both | For TCP, resets the connection on both client and server ends. For UDP, the connection is dropped. In cases where HTTP traffic or decrypted HTTPS traffic is blocked based on the Reset Both setting, a TCP reset is not sent to the client; instead, a block page is presented to inform the user that the file download is not permitted. However, if a file triggers the Reset Both action after it has already started to be transmitted to the client, the file transmission ceases and a TCP reset is sent.
Block IP | This action blocks traffic from either a source or a source-destination pair; configurable for a specified period of time.
Sinkhole | This action directs DNS queries for malicious domains to a sinkhole IP address. To learn more, see Action on DNS queries. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists.
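A configuration review can use the action descriptions above to find profile rules that log or permit a threat without interrupting it. The script below is an added example, not Palo Alto Networks code. The XML layout, the profile and rule names, and the verdict labels are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption for illustration,
# not a schema taken from this page.
SAMPLE_CONFIG = """
<profiles>
  <vulnerability>
    <entry name="vp-strict"><rules>
      <entry name="critical"><action><reset-both/></action></entry>
      <entry name="low"><action><default/></action></entry>
    </rules></entry>
    <entry name="vp-monitor"><rules>
      <entry name="all"><action><alert/></action></entry>
    </rules></entry>
  </vulnerability>
  <spyware>
    <entry name="as-lab"><rules>
      <entry name="any"><action><allow/></action></entry>
      <entry name="c2"><action><block-ip/></action></entry>
      <entry name="typo"><action><rest-both/></action></entry>
    </rules></entry>
  </spyware>
</profiles>
"""

# Grouping follows the action descriptions in the table above.
VERDICTS = {
    "allow": "passes-traffic", "alert": "passes-traffic",  # alert only logs
    "default": "signature-defined",                        # per-signature outcome
    "drop": "interrupts", "reset-client": "interrupts", "reset-server": "interrupts",
    "reset-both": "interrupts", "block-ip": "interrupts", "sinkhole": "interrupts",
}

def audit_profile_actions(xml_text):
    """Return (profile_type, profile, rule, action, verdict) for every rule."""
    findings = []
    for ptype in ET.fromstring(xml_text):
        for profile in ptype.findall("entry"):
            for rule in profile.findall("./rules/entry"):
                chosen = rule.find("action")
                # The action is the single child element of <action>.
                action = chosen[0].tag if chosen is not None and len(chosen) else "missing"
                verdict = VERDICTS.get(action, "unrecognized")
                findings.append((ptype.tag, profile.get("name"), rule.get("name"), action, verdict))
    return findings

def needs_review(findings):
    """Rules whose action does not interrupt the matched traffic."""
    return [f for f in findings if f[4] != "interrupts"]
```

Rules left on Default are listed for review because their outcome depends on each signature's own default, and an unrecognized action name is reported rather than silently skipped.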
