Objects > Security Profiles > Vulnerability Protection

A Security policy rule can include specification of a Vulnerability Protection profile that determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature:
  • The
    default
    profile applies the default action to all client and server critical, high, and medium severity vulnerabilities. It does not detect low and informational vulnerability protection events.
  • The
    strict
    profile applies the block response to all client and server critical, high and medium severity spyware events and uses the default action for low and informational vulnerability protection events.
Customized profiles can be used to minimize vulnerability checking for traffic between trusted security zones, and to maximize protection for traffic received from untrusted zones, such as the Internet, as well as the traffic sent to highly sensitive destinations, such as server farms. To apply Vulnerability Protection profiles to Security policies, refer to Policies > Security.
Apply a Vulnerability Protection profile to every Security Policy rule that allows traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities.
The Rules settings specify collections of signatures to enable, as well as actions to be taken when a signature within a collection is triggered.
The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The
Exception
tab supports filtering functions.
The
Vulnerability Protection
page presents a default set of columns. Additional columns of information are available by using the column chooser. Click the arrow to the right of a column header and select the columns from the Columns sub-menu.
The following tables describe the Vulnerability Protection profile settings:
Vulnerability Protection Profile Settings
Description
Name
Enter a profile name (up to 31 characters). This name appears in the list of Vulnerability Protection profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, periods, and underscores.
Description
Enter a description for the profile (up to 255 characters).
Shared
Select this option if you want the profile to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the
    Virtual System
    selected in the
    Objects
    tab.
  • Every device group on Panorama. If you clear this selection, the profile will be available only to the
    Device Group
    selected in the
    Objects
    tab.
Disable override (
Panorama only
)
Select this option to prevent administrators from overriding the settings of this Vulnerability Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Rules Tab
Rule Name
Specify a name to identify the rule.
Threat Name
Specify a text string to match. The firewall applies a collection of signatures to the rule by searching signature names for this text string.
Action
Choose the action to take when the rule is triggered. For a list of actions, see Actions in Security Profiles.
The
Default
action is based on the pre-defined action that is part of each signature provided by Palo Alto Networks. To view the default action for a signature, select
Objects
Security Profiles
Vulnerability Protection
and
Add
or select an existing profile. Click the
Exceptions
tab and then click
Show all signatures
to see a list of all signatures and the associated
Action
.
For the best security, set the Action for both client and server critical, high, and medium severity events to
reset-both
and use the default action for Informational and Low severity events.
Host Type
Specify whether to limit the signatures for the rule to those that are client side, server side, or either (
any
).
Packet Capture
Select this option if you want to capture identified packets.
Select
single-packet
to capture one packet when a threat is detected, or select the
extended-capture
option to capture from 1 to 50 packets (default is 5 packets). Extended-capture provides more context to the threat when analyzing the threat logs. To view the packet capture, select
Monitor
Logs
Threat
and locate the log entry you are interested in and then click the green down arrow in the second column. To define the number of packets that should be captured, select
Device
Setup
Content-ID
and then edit the Content-ID Settings.
Packet captures only occur if the action is
allow
or
alert
. If the
block
action is set, the session ends immediately.
Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases. (Too much packet capture traffic may result in dropping packet captures.) Don’t enable packet capture for informational events because it’s not very useful compared to capturing information about higher severity events and creates a relatively high volume of low-value traffic.
Apply extended packet capture using the same logic you use to decide what traffic to log—take extended captures of the traffic you log, including traffic you block.
Category
Select a vulnerability category if you want to limit the signatures to those that match that category.
CVE List
Specify common vulnerabilities and exposures (CVEs) if you want to limit the signatures to those that also match the specified CVEs.
Each CVE is in the format CVE-yyyy-xxxx, where yyyy is the year and xxxx is the unique identifier. You can perform a string match on this field. For example, to find vulnerabilities for the year 2011, enter “2011”.
Vendor ID
Specify vendor IDs if you want to limit the signatures to those that also match the specified vendor IDs.
For example, the Microsoft vendor IDs are in the form MSyy-xxx, where yy is the two-digit year and xxx is the unique identifier. For example, to match Microsoft for the year 2009, enter “MS09”.
Severity
Select severities to match (
informational
,
low
,
medium
,
high
, or
critical
) if you want to limit the signatures to those that also match the specified severities.
Exceptions Tab
Threats
Only create a threat exception if you are sure an identified threat is not a threat (false positive). If you believe you have discovered a false positive, open a support case with TAC so Palo Alto Networks can investigate the incorrectly identified threat. When the issue is resolved, remove the exception from the profile immediately.
Select
Enable
for each threat for which you want to assign an action, or select
All
to respond to all listed threats. The list depends on the selected host, category, and severity. If the list is empty, there are no threats for the current selections.
Choose an action from the drop-down, or choose from the
Action
drop-down at the top of the list to apply the same action to all threats. If you selected
Show All
, then all signatures are listed. If not, only the signatures that are exceptions are listed.
Select
Packet Capture
if you want to capture identified packets.
The vulnerability signature database contains signatures that indicate a brute force attack; for example, Threat ID 40001 triggers on an FTP brute force attack. Brute-force signatures trigger when a condition occurs in a certain time threshold. The thresholds are pre-configured for brute force signatures, and can be changed by clicking edit ( icon_pencil.png ) next to the threat name on the
Vulnerability
tab (with the
Custom
option selected). You can specify the number of hits per unit of time and whether the threshold applies to source, destination, or source-and-destination.
Thresholds can be applied on a source IP, destination IP or a combination of source IP and destination IP.
The default action is shown in parentheses. The CVE column shows identifiers for common vulnerabilities and exposures (CVE). These unique, common identifiers are for publicly known information security vulnerabilities.
Click into the IP Address Exemptions column to
Add
IP address filters to a threat exception. When you add an IP address to a threat exception, the threat exception action for that signature will take precedence over the rule's action only if the signature is triggered by a session with either a source or destination IP address matching an IP address in the exception. You can add up to 100 IP addresses per signature. You must enter a unicast IP address (that is, an address without a netmask), such as 10.1.7.8 or 2001:db8:123:1::1. By adding IP address exemptions, you do not have to create a new policy rule and new vulnerability profile to create an exception for a specific IP address.

Related Documentation