Prisma Access Security Profiles
Security profiles scan traffic for threats.
Traffic that a security policy rule allows undergoes further inspection
based on the security profiles enabled for that rule.
Prisma Access provides predefined best practice security profile
rules. These best practice rules are already built into security
policy rules and use the strictest security settings recommended
by Palo Alto Networks. For some profile types, you might see rules
in addition to the best practice rules. You can optionally use these basic
settings to scan, for example, applications that are not business-critical
or that you allow for personal use, while continuing to use the
strict best practice rules to protect your most sensitive enterprise
applications.
The best practice profile settings that are built into Prisma
Access are listed below:
Antivirus
Antivirus detects viruses and malware found in executables
and file types. These profiles scan inside compressed files and
data encoding schemes, and if you have enabled decryption, they
also scan decrypted content. WildFire signatures are integrated
into the Antivirus signature package, and the Antivirus best practice
profile also defines enforcement for WildFire-detected threats.
The best practice Antivirus profile takes one of two actions
on traffic:
- Alert—Generates an alert for each application traffic flow. The alert is saved in the threat log.
- Reset both—For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
| Antivirus Profile | Protocol | Action | WildFire Signature Action |
|---|---|---|---|
| Best Practice (this best practice profile is also the default profile) | FTP | Reset both | Reset both |
| | HTTP | Reset both | Reset both |
| | HTTP2 | Reset both | Reset both |
| | IMAP | Reset both | Alert |
| | POP3 | Alert | Alert |
| | SMB | Reset both | Reset both |
| | SMTP | Reset both | Reset both |
| Default | FTP | Reset both | Reset both |
| | HTTP | Reset both | Reset both |
| | HTTP2 | Reset both | Reset both |
| | IMAP | Alert | Alert |
| | POP3 | Alert | Alert |
| | SMB | Reset both | Reset both |
| | SMTP | Alert | Alert |
Anti-Spyware
Anti-spyware detects command-and-control (C2) activity,
where spyware on an infected client is collecting data without the
user's consent and/or communicating with a remote attacker.
Prisma Access enforces a strict best practice Anti-Spyware profile
by default, but also provides an alternate best practice profile.
The best practice profiles enforce one of two actions on matching
traffic:
- Default—The default action Palo Alto Networks sets for a specific signature. Typically the default action is an alert or a reset-both.
- Reset both—For TCP, resets the connection on both client and server ends. For UDP, drops the connection. In some cases, when the profile action is set to reset-both, the associated threat log might display the action as reset-server. This occurs when the firewall detects a threat at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client side does not need to be reset and only the server-side connection is reset.
DNS Security is enabled as part of both best practice Anti-Spyware
profiles. This means that DNS queries to malicious domains are sinkholed
to a Palo Alto Networks server IP address, so that you can easily
identify infected hosts. The latest detections for malicious domains
are provided as part of content updates, and Prisma Access also
accesses the DNS Security cloud service to check for malicious domains
against the complete database of DNS signatures. Certain signatures that only
DNS Security provides use machine learning to uniquely detect C2 techniques
such as domain generation algorithms (DGAs) and DNS tunneling.
| Profile | Signature Severity | Action | Packet Capture | DNS Security |
|---|---|---|---|---|
| Best Practice Strict (this best practice profile is also the default profile) | Critical | Reset both | Single packet | Enabled for all signatures; sinkholes malware DNS queries to sinkhole.paloaltonetworks.com |
| | High | Reset both | Single packet | |
| | Medium | Reset both | Single packet | |
| | Informational | Default | Single packet | |
| | Low | Default | Single packet | |
| Best Practice | Critical | Default | — | Enabled for all signatures; sinkholes malware DNS queries to sinkhole.paloaltonetworks.com |
| | High | Default | — | |
| | Medium | Default | — | |
| | Informational | Default | — | |
| | Low | Default | — | |
| Strict | Critical | Reset both | — | Enabled for all signatures; sinkholes malware DNS queries to sinkhole.paloaltonetworks.com |
| | High | Reset both | — | |
| | Medium | Reset both | — | |
| | Informational | Default | — | |
| | Low | Default | — | |
| Default | Critical | Default | — | Enabled for all signatures; sinkholes malware DNS queries to sinkhole.paloaltonetworks.com |
| | High | Default | — | |
| | Medium | Default | — | |
| | Low | Default | — | |
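Because sinkholed queries all resolve to the sinkhole address, the infected hosts the DNS Security paragraph above refers to can be pulled out of DNS logs by grouping on the source of those queries. The following is an added example, not Palo Alto Networks code: it assumes a constructed, simplified CSV log format (the field names and all sample values are assumptions; only the sinkhole FQDN comes from the page).

```python
"""Surface hosts whose DNS queries were sinkholed by the Anti-Spyware profile.

Added example with an assumed log format: one CSV line per DNS event with
the fields timestamp, source_ip, queried_domain, resolved_to, threat_action.
"""
import csv
import io
from collections import defaultdict

# Sinkhole FQDN named on the page; a query resolving to it was sinkholed.
SINKHOLE_FQDN = "sinkhole.paloaltonetworks.com"

# Constructed sample log lines (documentation-range addresses, made-up
# DGA-looking domains under example.net). Not real traffic.
SAMPLE_LOG = """\
timestamp,source_ip,queried_domain,resolved_to,threat_action
2024-05-01T09:00:01Z,10.1.2.15,www.example.com,198.51.100.20,allow
2024-05-01T09:00:07Z,10.1.2.15,xk3q9z.example.net,sinkhole.paloaltonetworks.com,sinkhole
2024-05-01T09:01:12Z,10.1.2.48,updates.example.org,203.0.113.10,allow
2024-05-01T09:02:30Z,10.1.2.15,p0w4e7.example.net,sinkhole.paloaltonetworks.com,sinkhole
2024-05-01T09:03:45Z,10.1.2.77,zz81ya.example.net,sinkhole.paloaltonetworks.com,sinkhole
"""


def sinkholed_hosts(log_text: str) -> dict[str, list[str]]:
    """Return {source_ip: [sinkholed domains]} for every host that hit the sinkhole.

    Matches on either the resolved address or the logged action, so a record
    that carries only one of the two indicators is still counted.
    """
    hits: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        resolved_to_sinkhole = row["resolved_to"].strip().lower() == SINKHOLE_FQDN
        if resolved_to_sinkhole or row["threat_action"].strip().lower() == "sinkhole":
            hits[row["source_ip"]].append(row["queried_domain"])
    return dict(hits)


def triage_order(hits: dict[str, list[str]]) -> list[tuple[str, int]]:
    """Hosts ordered by number of sinkholed queries, busiest first, then by IP."""
    return sorted(((ip, len(doms)) for ip, doms in hits.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = sinkholed_hosts(SAMPLE_LOG)
    for ip, count in triage_order(found):
        print(f"{ip}: {count} sinkholed queries -> {', '.join(found[ip])}")
```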
Vulnerability Protection
Vulnerability Protection detects system flaws that an
attacker might otherwise attempt to exploit. While Anti-Spyware
identifies infected hosts as traffic leaves the network, Vulnerability
Protection protects against threats entering the network. For example,
Vulnerability Protection profiles help protect against buffer overflows,
illegal code execution, and other attempts to exploit system vulnerabilities.
The best practice Vulnerability Protection profiles take one
of two actions on matching traffic:
- Default—The default action Palo Alto Networks specifies for a specific signature. Typically the default action is an alert or a reset-both.
- Reset both—For TCP, resets the connection on both client and server ends. For UDP, drops the connection. In some cases, when the profile action is set to reset-both, the associated threat log might display the action as reset-server. This occurs when the firewall detects a threat at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client side does not need to be reset and only the server-side connection is reset.
| Profile | Signature Severity | Action | Packet Capture |
|---|---|---|---|
| Best Practice Strict (this best practice profile is also the default profile) | Critical | Reset both | Single packet |
| | High | Reset both | Single packet |
| | Medium | Reset both | Single packet |
| | Informational | Default | Single packet |
| | Low | Default | Single packet |
| Best Practice | Critical | Default | Single packet |
| | High | Default | Single packet |
| | Medium | Reset both | Single packet |
| | Informational | Default | Single packet |
| | Low | Default | Single packet |
| Strict | Critical | Reset both | — |
| | High | Reset both | — |
| | Medium | Reset both | — |
| | Informational | Default | — |
| | Low | Default | — |
| Default | Critical | Default | — |
| | High | Default | — |
| | Medium | Reset both | — |
URL Filtering
URL Filtering enables you to control how users interact
with web content. The URL Filtering best practice profile gives
you visibility into your users’ web usage, and blocks access to
URL categories that identify malicious and exploitive web content.
The best practice URL Filtering profile includes credential theft
prevention checks. Credential theft prevention works by scanning
username and password submissions to websites and comparing those
submissions against valid corporate credentials. When the User
Credential Submission action for a category is set to alert,
users can submit credentials to a website, but URL Filtering logs
record when users submit credentials to sites in this URL category.
Visit the URL Filtering Test-A-Site to learn more about
URL Filtering categories, or to see how a site is categorized.
| Profile | URL Categories | Site Access | Credential Submissions |
|---|---|---|---|
| Best Practice (this best practice profile is also the default profile) | Malicious and exploitive categories: adult, command-and-control, copyright-infringement, dynamic-dns, extremism, malware, parked, phishing, proxy-avoidance-and-anonymizers, unknown | Block | Block |
| | All other URL categories | Alert | Alert |
| Default | Malicious and exploitive categories: adult, command-and-control, copyright-infringement, dynamic-dns, extremism, malware, parked, phishing, proxy-avoidance-and-anonymizers, unknown | Block | Allow |
| | cryptocurrency, high-risk, medium-risk, newly-registered-domain | Alert | Allow |
File Blocking
File blocking gives you a way to monitor file types
in use and limit or stop access to risky file types. The strict
best practice File Blocking profile blocks risky file types and
logs the rest (there are over 150 file types that file blocking detects):
- Alert—When the specified file type is detected, a log is generated in the data filtering log.
- Block—When the risky file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
- Continue—When the specified file type is detected, a response page is displayed to the user. The user can click through the page to download the file, and data filtering logs record this event. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
| Profile | File Types | Application | Direction | Action |
|---|---|---|---|---|
| Best Practice Strict (this best practice profile is also the default profile) | All risky file types: 7z, bat, cab, chm, class, cpl, dll, exe, flash, hlp, hta, msi, Multi-Level-Encoding, ocx, PE, pif, rar, scr, tar, torrent, vbe, wsf, encrypted-rar, encrypted-zip | Any | Both (upload and download) | Block |
| | All remaining file types (there are 150+) | Any | Both (upload and download) | Alert |
| Strict File Blocking | All risky file types: 7z, bat, cab, chm, class, cpl, dll, exe, flash, hlp, hta, msi, Multi-Level-Encoding, ocx, PE, pif, rar, scr, tar, torrent, vbe, wsf | Any | Both (upload and download) | Block |
| | encrypted-rar, encrypted-zip | Any | Both (upload and download) | Block |
| | All remaining file types (there are 150+) | Any | Both (upload and download) | Alert |
| Basic File Blocking | Most risky file types: 7z, bat, chm, class, cpl, dll, exe, hlp, hta, jar, msi, ocx, PE, pif, rar, scr, torrent, vbe, wsf | Any | Both (upload and download) | Block |
| | encrypted-rar, encrypted-zip | Any | Both (upload and download) | Block |
| | All remaining file types (there are 150+) | Any | Both (upload and download) | Allow |
WildFire Analysis
The WildFire Analysis profile specifies which files to
send to the WildFire cloud service for malware analysis. The best
practice WildFire Analysis profile forwards all unknown (not previously
seen) files for WildFire analysis.
| Profile | File Type | Application | Direction | Action |
|---|---|---|---|---|
| Best Practice (this best practice profile is also the default profile) | All | Any | Both (upload and download) | Forwards to the WildFire global cloud, in the United States |
| Default | All | Any | Both (upload and download) | Forwards to the WildFire global cloud, in the United States |