Objects > Security Profiles > Antivirus
Use the Antivirus Profiles page to configure how the firewall scans the defined traffic for viruses: which protocol decoders and applications are inspected, and which action the firewall takes when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses, generates alerts for Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol Version 3 (POP3), and takes the default action (alert or deny, depending on the type of virus detected) for the other decoders. A profile takes effect only after it is attached to a Security policy rule; the rule determines which traffic (for example, traffic between specific zones) is inspected with that profile.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security zones, and to maximize the inspection of traffic received from untrusted zones, such as the internet, as well as the traffic sent to highly sensitive destinations, such as server farms.
To add a new Antivirus profile, select Add and enter the following settings:
Name
Enter a profile name (up to 31 characters). This name appears in the list of antivirus profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description
Enter a description for the profile (up to 255 characters).
Shared
Select this option if you want the profile to be available to:
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this Antivirus profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
The Antivirus tab is where you specify the action for each protocol decoder (for example, FTP or HTTP), for application exceptions, and for WildFire signatures.
Packet Capture
Select this option to have the firewall capture the packets identified as matching a virus signature (see Take a Threat Packet Capture).
Decoders and Actions
For each type of traffic that you want to inspect for viruses, select an action from the drop-down. You can define different actions for standard antivirus signatures (Action column) and signatures generated by the WildFire system (WildFire Action column).
Some environments require a longer soak time before a new antivirus signature is allowed to block traffic, so this option lets you set different actions for the two antivirus signature types that Palo Alto Networks provides. Standard antivirus signatures go through a longer soak period (24 hours) before they are released, whereas WildFire signatures can be generated and released within 15 minutes of a threat being detected. Because WildFire signatures have had less time to be vetted, you may want to choose the alert action for them instead of blocking, and then tighten the action once the signature has proven reliable.
Applications Exceptions and Actions
The Applications Exception table lets you define, per application, an action that overrides the action set for the application's decoder. For example, to block virus-carrying HTTP traffic except for one specific application, set Block as the action for the HTTP decoder and add that application as an exception with the Allow action. For each application exception, select the action to be taken when a threat is detected in that application's traffic. For a list of actions, see Actions in Security Profiles.
To find an application, start typing the application name in the text box. A matching list of applications is displayed, and you can make a selection.
Use the Virus Exceptions tab to define a list of threats (by threat ID) that the antivirus profile will ignore, for example a signature that has been confirmed as a false positive in your environment.
To add specific threats that you want to ignore, enter one Threat ID at a time and click Add. Threat IDs are shown in the threat log entries that the firewall generates for each detection. Refer to Monitor > Logs.
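The settings above map onto configure-mode commands on the firewall. The following is an added example, not Palo Alto Networks' own code: it validates the Name and Description constraints stated on this page, builds an Antivirus profile with per-decoder actions, a separate WildFire action, an application exception, and a virus exception, and attaches the profile to a Security policy rule. The `set profiles virus ...` and `set rulebase security rules ... profile-setting ...` syntax is assumed from the PAN-OS configure-mode CLI and should be checked against the PAN-OS version in use; the application name `ms-update`, the rule name and the threat ID 123456 are constructed placeholders.

```python
"""Generate PAN-OS configure-mode 'set' commands for an Antivirus profile.

Added example, not Palo Alto Networks' own code. The command syntax
('set profiles virus ...', 'set rulebase security rules ... profile-setting')
is assumed from PAN-OS configure mode; verify it against your PAN-OS version.
The validation rules (name length and characters, description length) come
from the field descriptions on the Antivirus profile page."""
import re

# Protocol decoders the profile scans, and the actions a decoder,
# WildFire signature, or application exception can take.
DECODERS = ("ftp", "http", "imap", "pop3", "smb", "smtp")
ACTIONS = ("default", "allow", "alert", "drop",
           "reset-client", "reset-server", "reset-both")
# Name: 1-31 characters; letters, numbers, spaces, hyphens, periods, underscores.
NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,31}")


def is_valid_name(name: str) -> bool:
    """True when the name satisfies the page's length and character rules."""
    return NAME_RE.fullmatch(name) is not None


def quote(value: str) -> str:
    """Double-quote a CLI token that contains whitespace (names may have spaces)."""
    return f'"{value}"' if re.search(r"\s", value) else value


def check_action(action: str) -> str:
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
    return action


def build_av_profile(name, description="", decoders=None, app_exceptions=None,
                     virus_exceptions=(), packet_capture=False,
                     wildfire_default="alert"):
    """Return the 'set' commands for one Antivirus profile.

    decoders: {decoder: (action, wildfire_action)}. Decoders not listed get
    ('default', wildfire_default): the signature's recommended action for
    standard antivirus signatures and, following the soak-time caveat on the
    page, alert rather than block for the faster-released WildFire signatures.
    app_exceptions: {app_id_name: action} overrides the decoder action for that
    application. virus_exceptions: numeric threat IDs taken from the threat log.
    """
    if not is_valid_name(name):
        raise ValueError(f"invalid profile name {name!r}")
    if len(description) > 255:
        raise ValueError("description exceeds 255 characters")
    base = f"set profiles virus {quote(name)}"
    cmds = []
    if description:
        cmds.append(f"{base} description {quote(description)}")
    cmds.append(f"{base} packet-capture {'yes' if packet_capture else 'no'}")
    spec = dict(decoders or {})
    for dec in DECODERS:
        action, wf_action = spec.pop(dec, ("default", wildfire_default))
        cmds.append(f"{base} decoder {dec} action {check_action(action)} "
                    f"wildfire-action {check_action(wf_action)}")
    if spec:  # anything left over was not a known decoder name
        raise ValueError(f"unknown decoder(s): {sorted(spec)}")
    for app, action in (app_exceptions or {}).items():
        cmds.append(f"{base} application {quote(app)} action {check_action(action)}")
    for tid in virus_exceptions:
        if not str(tid).isdigit():
            raise ValueError(f"threat ID must be numeric, got {tid!r}")
        cmds.append(f"{base} threat-exception {tid}")
    return cmds


def attach_to_rule(rule_name: str, profile_name: str) -> str:
    """Attach the profile to a Security policy rule; only traffic matching that
    rule (its zones, addresses and applications) is scanned with this profile."""
    return (f"set rulebase security rules {quote(rule_name)} "
            f"profile-setting profiles virus {quote(profile_name)}")


if __name__ == "__main__":
    # Constructed scenario: reset virus-carrying HTTP sessions from the internet
    # zone but let one application through (the exception case on the page),
    # alert only on WildFire signatures, and ignore one confirmed false positive.
    # 'ms-update' stands in for any App-ID name; 123456 is a placeholder threat ID.
    commands = build_av_profile(
        "AV-Untrust-Inbound",
        description="Strict antivirus for traffic from the internet zone",
        decoders={"http": ("reset-both", "alert"), "smtp": ("alert", "alert")},
        app_exceptions={"ms-update": "allow"},
        virus_exceptions=[123456],
        packet_capture=True,
    )
    commands.append(attach_to_rule("Inbound Web", "AV-Untrust-Inbound"))
    print("\n".join(commands))
```

The generated commands are meant to be reviewed and then pasted into configure mode (or into a Panorama device group) and committed; the profile does nothing until the final `profile-setting` line ties it to a rule. Choosing `alert` for the WildFire action only on the untrusted-zone profile, while trusted-zone profiles keep looser settings, is the split the page recommends.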
Related Documentation
Create Threat Exceptions
Enhanced Coverage for Command and Control (C2) Traffic
Actions in Security Profiles
New Threat Categories and How to Use Them
Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
Create the Data Center Best Practice Antivirus Profile
Security Profiles
Take a Threat Packet Capture
How to Create Data Center Best Practice Security Profiles