End-of-Life (EoL)
Objects > Security Profiles > Vulnerability Protection
A Security policy rule can include specification of
a Vulnerability Protection profile that determines the level of
protection against buffer overflows, illegal code execution, and
other attempts to exploit system vulnerabilities. There are two
predefined profiles available for the Vulnerability Protection feature:
- The default profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
- The strict profile applies the block response to all client and server critical, high, and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking
for traffic between trusted security zones, and to maximize protection
for traffic received from untrusted zones, such as the internet, as
well as the traffic sent to highly sensitive destinations, such
as server farms. To apply Vulnerability Protection profiles to Security
policies, refer to Policies > Security.
The Rules settings specify collections of signatures to enable,
as well as actions to be taken when a signature within a collection
is triggered.
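As an added illustration (example code written for this page, not Palo Alto Networks software), the following models how a rule's criteria select a signature collection. The signature records, threat IDs and CVE/vendor values are constructed; the CVE List and Vendor ID fields are treated as string matches, as the settings table below describes, which is why a year filter such as "2011" also matches an identifier that merely contains those digits.

```python
from dataclasses import dataclass, field

@dataclass
class Signature:                 # one signature-database entry (constructed fields)
    threat_id: int
    name: str
    severity: str                # informational, low, medium, high or critical
    host_type: str               # "client" or "server"
    category: str
    cves: list = field(default_factory=list)        # e.g. "CVE-2011-0001"
    vendor_ids: list = field(default_factory=list)  # e.g. "MS09-050"

@dataclass
class Rule:                      # Rules tab criteria; "any" / empty = unrestricted
    threat_name: str = "any"     # text string searched for in signature names
    host_type: str = "any"       # client, server or any
    category: str = "any"
    cve_list: list = field(default_factory=list)    # string match, e.g. "2011"
    vendor_ids: list = field(default_factory=list)  # string match, e.g. "MS09"
    severities: set = field(default_factory=set)

def rule_matches(rule, sig):
    """Every criterion that is set must match. CVE and vendor-ID criteria are
    plain substring matches (as the page says), so "2011" also hits CVE-2013-2011."""
    if rule.threat_name != "any" and rule.threat_name not in sig.name:
        return False
    if rule.host_type != "any" and rule.host_type != sig.host_type:
        return False
    if rule.category != "any" and rule.category != sig.category:
        return False
    if rule.severities and sig.severity not in rule.severities:
        return False
    if rule.cve_list and not any(n in c for n in rule.cve_list for c in sig.cves):
        return False
    if rule.vendor_ids and not any(
            n in v for n in rule.vendor_ids for v in sig.vendor_ids):
        return False
    return True

def select_signatures(rule, signatures):
    # Threat IDs of the signatures the rule's action would apply to.
    return [s.threat_id for s in signatures if rule_matches(rule, s)]

# Constructed sample signatures; IDs, names and CVE/vendor values are made up.
SAMPLE = [
    Signature(1001, "Sample Server Buffer Overflow", "critical", "server",
              "overflow", ["CVE-2011-0001"], ["MS11-001"]),
    Signature(1002, "Sample Client Code Execution", "high", "client",
              "code-execution", ["CVE-2013-2011"], ["MS09-050"]),
    Signature(1003, "Sample Server Info Disclosure", "low", "server",
              "info-leak", ["CVE-2009-0002"], ["MS09-001"]),
]
```

Run `select_signatures(Rule(cve_list=["2011"]), SAMPLE)` to see the substring effect: it returns both 1001 (a 2011 CVE) and 1002 (a 2013 CVE whose identifier ends in 2011).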
The Exceptions settings allow you to change the response to
a specific signature. For example, you can block all packets that
match a signature, except for the selected one, which generates
an alert. The Exceptions tab supports filtering functions.

The Vulnerability Protection page presents a default set of columns.
Additional columns of information are available by using the column
chooser. Click the arrow to the right of a column header and select
the columns from the Columns sub-menu.

The following tables describe the Vulnerability Protection profile settings:
Vulnerability Protection Profile Settings | Description |
---|---|
Name | Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores. |
Description | Enter a description for the profile (up to 255 characters). |
Shared | Select this option if you want the profile to be available to: |
Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile. |
Rules Tab | |
Rule Name | Specify a name to identify the rule. |
Threat Name | Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string. |
Action | Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles. The Default action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select Objects > Security Profiles > Vulnerability Protection, then Add a profile or select an existing profile. Click the Exceptions tab and then click Show all signatures to see a list of all signatures and the associated Action. |
Host Type | Specify whether to limit the signatures for the rule to those that are client side, server side, or either (any). |
Packet Capture | Select this option if you want to capture identified packets. Select single-packet to capture one packet when a threat is detected, or select the extended-capture option to capture from 1 to 50 packets. Extended capture provides much more context to the threat when analyzing the threat logs. To view the packet capture, select Monitor > Logs > Threat (the extended-capture length is configured under Device > Setup > Content-ID). Packet captures will only occur if the action is allow or alert. If the block action is set, the session is ended immediately. |
Category | Select a vulnerability category if you want to limit the signatures to those that match that category. |
CVE List | Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs. Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”. |
Vendor ID | Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs. For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09”. |
Severity | Select severities to match (informational, low, medium, high, or critical) if you want to limit the signatures to those that also match the specified severities. |
Exceptions Tab | |
Threats | Select Enable for each threat for which you want to assign an action, or select All to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections. Choose an action from the drop-down, or choose from the Action drop-down at the top of the list to apply the same action to all threats. If you selected Show All, then all signatures are listed. If not, only the signatures that are exceptions are listed. Select Packet Capture if you want to capture identified packets. The vulnerability signature database contains signatures that indicate a brute force attack; for example, Threat ID 40001 triggers on an FTP brute force attack. Brute-force signatures trigger when a condition occurs within a certain time threshold. The thresholds are pre-configured for brute force signatures, and can be changed by clicking edit on the Vulnerability tab (with the Custom option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source-and-destination. Thresholds can be applied on a source IP, a destination IP, or a combination of source IP and destination IP. The default action is shown in parentheses. The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities. Click into the IP Address Exemptions column to Add IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature takes precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address. |
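As an added example (written for this page, not Palo Alto Networks code), the following models which action applies to a session when a rule action, a threat exception and its IP Address Exemptions all exist, and validates exemptions the way the table requires (a single unicast address, no netmask, at most 100 per signature). The exception entry, the field names and every IP address are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_EXEMPTIONS = 100   # the page allows up to 100 IP addresses per signature

def validate_exemption(text):
    """An exemption is one unicast host address with no netmask
    (e.g. 10.1.7.8 or 2001:db8:123:1::1); anything else is rejected."""
    if "/" in text:
        raise ValueError(f"{text}: netmask not allowed, enter a single address")
    addr = ipaddress.ip_address(text)        # raises ValueError if not an address
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{text}: not a unicast address")
    return addr

def is_valid_exemption(text):
    try:
        validate_exemption(text)
        return True
    except ValueError:
        return False

@dataclass
class ThreatException:
    """Exceptions tab entry for one signature (constructed model)."""
    action: str                                   # e.g. "alert", "allow", "block"
    exempt_ips: list = field(default_factory=list)
    def __post_init__(self):
        if len(self.exempt_ips) > MAX_EXEMPTIONS:
            raise ValueError(f"more than {MAX_EXEMPTIONS} IP address exemptions")
        self.exempt_ips = {validate_exemption(ip) for ip in self.exempt_ips}

def effective_action(rule_action, exception, src_ip, dst_ip):
    """Action taken when the signature fires on a session src_ip -> dst_ip.
    Without IP exemptions the exception replaces the rule action for every
    session; with exemptions it does so only when src or dst is exempted."""
    if exception is None:
        return rule_action
    if not exception.exempt_ips:
        return exception.action
    endpoints = {ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)}
    if endpoints & exception.exempt_ips:
        return exception.action
    return rule_action

# Constructed scenario: the rule blocks, but the signature only alerts for
# sessions that involve one of two exempted hosts (sample addresses).
HOST_EXCEPTION = ThreatException("alert", ["10.1.7.8", "2001:db8:123:1::1"])
```

A session between two non-exempted hosts still gets the rule's block, which is the point of scoping an exception with IP Address Exemptions rather than changing the signature's action outright.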