Best Practice Security Profiles

Review the best practice security settings that are built into Cloud Managed Prisma Access.
Best practice security profiles are built into Prisma Access and enabled by default. Best practice profiles use the strictest security settings recommended by Palo Alto Networks. For some profile types, you might see built-in rules in addition to the best practice rules. You can optionally use these basic predefined settings to scan, for example, applications that are not business-critical or that you allow for personal use, while continuing to use the strict best practice rules to enforce your most sensitive enterprise applications.
Review built-in profile settings:

Antivirus

Antivirus detects viruses and malware found in executables and other file types. These profiles scan inside compressed files and data encoding schemes, and if you have enabled decryption, they also scan decrypted content. WildFire signatures are integrated into the Antivirus signature package, and the Antivirus best practice profile also defines enforcement for WildFire-detected threats.
The best practice Antivirus profile takes one of two actions on traffic:
  • Alert: Generates an alert for each application traffic flow. The alert is saved in the threat log.
  • Reset both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
Best Practice (this best practice profile is also the default profile)

Protocol | Action     | WildFire Signature Action
---------|------------|--------------------------
FTP      | Reset both | Reset both
HTTP     | Reset both | Reset both
HTTP2    | Reset both | Reset both
IMAP     | Reset both | Alert
POP3     | Alert      | Alert
SMB      | Reset both | Reset both
SMTP     | Reset both | Reset both

Default

Protocol | Action     | WildFire Signature Action
---------|------------|--------------------------
FTP      | Reset both | Reset both
HTTP     | Reset both | Reset both
HTTP2    | Reset both | Reset both
IMAP     | Alert      | Alert
POP3     | Alert      | Alert
SMB      | Reset both | Reset both
SMTP     | Alert      | Alert

Anti-Spyware

Anti-spyware detects command-and-control (C2) activity, where spyware on an infected client is collecting data without the user's consent and/or communicating with a remote attacker.
Prisma Access enforces a strict best practice Anti-Spyware profile by default, but also provides an alternate best practice profile. The best practice profiles enforce one of two actions on matching traffic:
  • Default: The default action Palo Alto Networks sets for a specific signature. Typically the default action is an alert or a reset-both.
  • Reset both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
    In some cases, when the profile action is set to reset-both, the associated threat log might display the action as reset-server. This occurs when the firewall detects a threat at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client side does not need to be reset and only the server-side connection is reset.
DNS Security is enabled as part of both best practice Anti-Spyware profiles. This means that DNS queries to malicious domains are sinkholed to a Palo Alto Networks server IP address, so that you can easily identify infected hosts. The latest detections for malicious domains are provided as part of content updates, and Prisma Access also accesses the DNS Security cloud service to check for malicious domains against the complete database of DNS signatures. Certain signatures that only DNS Security provides use machine learning to detect C2 techniques that evade static signatures, such as domain generation algorithms (DGAs) and DNS tunneling.
Best Practice Strict (this best practice profile is also the default profile)
DNS Security: enabled for all signatures, and sinkholes malware DNS queries to sinkhole.paloaltonetworks.com

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Reset both | Single packet
High               | Reset both | Single packet
Medium             | Reset both | Single packet
Informational      | Default    | Single packet
Low                | Default    | Single packet

Best Practice
DNS Security: enabled for all signatures, and sinkholes malware DNS queries to sinkhole.paloaltonetworks.com

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Default    |
High               | Default    |
Medium             | Default    |
Informational      | Default    |
Low                | Default    |

Strict
DNS Security: enabled for all signatures, and sinkholes malware DNS queries to sinkhole.paloaltonetworks.com

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Reset both |
High               | Reset both |
Medium             | Reset both |
Informational      | Default    |
Low                | Default    |

Default
DNS Security: enabled for all signatures, and sinkholes malware DNS queries to sinkhole.paloaltonetworks.com

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Default    |
High               | Default    |
Medium             | Default    |
Low                | Default    |
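The sentence above says sinkholing lets you "easily identify infected hosts", but it does not spell out why. The reason is that most clients send DNS queries through an internal resolver, so the firewall's DNS log only ever shows the resolver's address; the sinkholed answer makes the infected client connect to the sinkhole IP itself, and that session carries the client's real source address. The following simulation is an added example, not Palo Alto Networks code; every address, domain name and event in it is constructed, and the sinkhole IP is a stand-in for the address that sinkhole.paloaltonetworks.com resolves to.

```python
"""
Added example (not Palo Alto Networks code): a small simulation of why DNS
sinkholing identifies the infected host rather than just the internal
resolver. Every address, name and event below is constructed.
"""
from dataclasses import dataclass

SINKHOLE_IP = "198.51.100.7"        # stand-in sinkhole address (constructed)
INTERNAL_RESOLVER = "10.0.0.53"     # constructed internal DNS server
MALICIOUS_DOMAINS = {"beacon.c2-example.invalid"}   # constructed C2 domain


@dataclass(frozen=True)
class DnsEvent:
    src_ip: str   # the source address the firewall sees for the query
    qname: str
    answer: str


@dataclass(frozen=True)
class SessionEvent:
    src_ip: str
    dst_ip: str
    dst_port: int


def firewall_resolve(src_ip, qname, upstream_answers):
    """Model the DNS Security action: a query for a known-malicious name is
    answered with the sinkhole address instead of the real record."""
    if qname in MALICIOUS_DOMAINS:
        return DnsEvent(src_ip, qname, SINKHOLE_IP)
    return DnsEvent(src_ip, qname, upstream_answers[qname])


def hosts_from_dns_log(dns_events):
    """Sources that asked for a sinkholed name. When an internal resolver
    forwards the queries, this only ever names the resolver."""
    return {e.src_ip for e in dns_events if e.answer == SINKHOLE_IP}


def hosts_from_traffic_log(session_events):
    """Sources that then connected to the sinkhole address. That session comes
    straight from the infected client, so it carries the client's own address."""
    return {s.src_ip for s in session_events if s.dst_ip == SINKHOLE_IP}


def simulate():
    """Two clients behind the internal resolver; only 10.0.1.21 is infected."""
    upstream = {"www.example.com": "203.0.113.10"}  # constructed benign answer
    # The firewall sees every forwarded query with the resolver's source address.
    dns_log = [
        firewall_resolve(INTERNAL_RESOLVER, "www.example.com", upstream),            # asked by 10.0.1.20
        firewall_resolve(INTERNAL_RESOLVER, "beacon.c2-example.invalid", upstream),  # asked by 10.0.1.21
    ]
    # Each client connects to whatever answer its resolver handed back.
    clients = {"10.0.1.20": dns_log[0].answer, "10.0.1.21": dns_log[1].answer}
    traffic_log = [SessionEvent(src, dst, 443) for src, dst in clients.items()]
    return hosts_from_dns_log(dns_log), hosts_from_traffic_log(traffic_log)


if __name__ == "__main__":
    from_dns, from_traffic = simulate()
    print("DNS log points at:", from_dns)             # {'10.0.0.53'}: the resolver, not the victim
    print("Traffic to sinkhole from:", from_traffic)  # {'10.0.1.21'}: the infected client
```

The practical consequence for a SOC: when hunting for infected hosts, query the traffic log for sessions whose destination is the sinkhole address rather than the threat log entries for the DNS query itself, which will usually point at your resolver.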

Vulnerability Protection

Vulnerability Protection detects system flaws that an attacker might otherwise attempt to exploit. While Anti-Spyware identifies infected hosts as traffic leaves the network, Vulnerability Protection protects against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities.
The best practice Vulnerability Protection profiles take one of two actions on matching traffic:
  • Default: The default action Palo Alto Networks specifies for a specific signature. Typically the default action is an alert or a reset-both.
  • Reset both: For TCP, resets the connection on both client and server ends. For UDP, drops the connection.
    In some cases, when the profile action is set to reset-both, the associated threat log might display the action as reset-server. This occurs when the firewall detects a threat at the beginning of a session and presents the client with a 503 block page. Because the block page disallows the connection, the client side does not need to be reset and only the server-side connection is reset.
Best Practice Strict (this best practice profile is also the default profile)

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Reset both | Single packet
High               | Reset both | Single packet
Medium             | Reset both | Single packet
Informational      | Default    | Single packet
Low                | Default    | Single packet

Best Practice

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Default    | Single packet
High               | Default    | Single packet
Medium             | Reset both | Single packet
Informational      | Default    | Single packet
Low                | Default    | Single packet

Strict

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Reset both |
High               | Reset both |
Medium             | Reset both |
Informational      | Default    |
Low                | Default    |

Default

Signature Severity | Action     | Packet Capture
-------------------|------------|---------------
Critical           | Default    |
High               | Default    |
Medium             | Reset both |
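The Anti-Spyware and Vulnerability Protection tables share one shape: a per-severity action plus a packet-capture setting, and for Anti-Spyware a DNS Security setting. Because operators often clone a profile and relax it, a repeatable audit against the Best Practice Strict rows is worth having. The script below is an added example, not Palo Alto Networks code and not the Prisma Access configuration schema; the profile dictionary layout and both sample profiles are constructed for this example, and the set of actions treated as "blocking" (reset-both, drop, block-ip) is an assumption of the audit.

```python
"""
Added example (not Palo Alto Networks code): audit an Anti-Spyware or
Vulnerability Protection profile against the Best Practice Strict settings
tabulated on this page. The dictionary layout is constructed for this
example and is not the Prisma Access configuration schema.
"""

# Best Practice Strict, severity -> (action, packet capture), as tabulated above.
BEST_PRACTICE_STRICT = {
    "critical":      ("reset-both", "single-packet"),
    "high":          ("reset-both", "single-packet"),
    "medium":        ("reset-both", "single-packet"),
    "informational": ("default",    "single-packet"),
    "low":           ("default",    "single-packet"),
}

# Actions that terminate the session; any of these satisfies a reset-both
# expectation for the purpose of this audit (an assumption of the example).
BLOCKING_ACTIONS = {"reset-both", "drop", "block-ip"}


def check_severity_profile(profile, anti_spyware=False):
    """Return a list of deviations from Best Practice Strict (empty = compliant).

    profile layout (constructed): {
        "rules": {severity: {"action": str, "packet_capture": str}},
        "dns_security": {"enabled": bool, "action": str},   # Anti-Spyware only
    }
    """
    deviations = []
    rules = profile.get("rules", {})
    for severity, (exp_action, exp_capture) in BEST_PRACTICE_STRICT.items():
        rule = rules.get(severity)
        if rule is None:
            deviations.append(f"{severity}: no rule, best practice is {exp_action}")
            continue
        action = rule.get("action", "default")
        capture = rule.get("packet_capture", "disable")
        if exp_action == "reset-both" and action not in BLOCKING_ACTIONS:
            deviations.append(f"{severity}: action {action} does not block, best practice is reset-both")
        elif exp_action == "default" and action != "default":
            # Best practice leaves informational/low on the signature's own
            # default; flag the difference so it is a conscious decision.
            deviations.append(f"{severity}: action {action} differs from best practice default")
        if capture != exp_capture:
            deviations.append(f"{severity}: packet capture {capture}, best practice is {exp_capture}")
    if anti_spyware:
        dns = profile.get("dns_security", {})
        if not dns.get("enabled") or dns.get("action") != "sinkhole":
            deviations.append("dns-security: best practice enables DNS Security and sinkholes malicious queries")
    return deviations


def strict_profile():
    """Constructed profile matching the Best Practice Strict table."""
    return {
        "rules": {sev: {"action": act, "packet_capture": cap}
                  for sev, (act, cap) in BEST_PRACTICE_STRICT.items()},
        "dns_security": {"enabled": True, "action": "sinkhole"},
    }


def relaxed_profile():
    """Constructed profile with three weakened settings, to exercise the audit."""
    p = strict_profile()
    p["rules"]["medium"]["action"] = "alert"          # alert only on medium severity
    p["rules"]["high"]["packet_capture"] = "disable"  # no capture left for forensics
    p["dns_security"] = {"enabled": False, "action": "allow"}
    return p


if __name__ == "__main__":
    for name, prof in (("strict", strict_profile()), ("relaxed", relaxed_profile())):
        print(name, check_severity_profile(prof, anti_spyware=True) or ["compliant"])
```

Run it against an exported profile by building the same dictionary from your configuration; the "relaxed" sample produces three findings (medium alerts instead of blocking, high has no packet capture, DNS Security disabled), which is exactly the kind of drift that turns the strict profile into the weaker "Default" rows shown above.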

URL Filtering

URL Filtering enables you to control how users interact with web content. The URL Filtering best practice profile gives you visibility into your users’ web usage, and blocks access to URL categories that identify malicious and exploitive web content.
The best practice URL Filtering profile includes credential theft prevention checks. Credential theft prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. When the User Credential Submission action for a category is set to alert, users can submit credentials to a website, but URL Filtering logs record when users submit credentials to sites in this URL category.
Visit the URL Filtering Test-A-Site to learn more about URL Filtering categories, or to see how a site is categorized.
Best Practice (this best practice profile is also the default profile)

URL Categories | Site Access | Credential Submissions
---------------|-------------|-----------------------
Malicious and exploitive categories: adult, command-and-control, copyright-infringement, dynamic-dns, extremism, malware, parked, phishing, proxy-avoidance-and-anonymizers, unknown | Block | Block
All other URL categories | Alert | Alert

Default

URL Categories | Site Access | Credential Submissions
---------------|-------------|-----------------------
Malicious and exploitive categories: adult, command-and-control, copyright-infringement, dynamic-dns, extremism, malware, parked, phishing, proxy-avoidance-and-anonymizers, unknown | Block | Allow
cryptocurrency, high-risk, medium-risk, newly-registered-domain | Alert | Allow

File Blocking

File blocking gives you a way to monitor file types in use and limit or stop access to risky file types. The strict best practice File Blocking profile blocks risky file types and logs the rest (there are over 150 file types that file blocking detects):
  • Alert: When the specified file type is detected, a log is generated in the data filtering log.
  • Block: When the risky file type is detected, the file is blocked and a customizable block page is presented to the user. A log is also generated in the data filtering log.
  • Continue: When the specified file type is detected, a response page is displayed to the user. The user can click through the page to download the file, and data filtering logs record this event. Because this type of forwarding action requires user interaction, it is only applicable for web traffic.
Best Practice Strict (this best practice profile is also the default profile)

File Types | Application | Direction | Action
-----------|-------------|-----------|-------
All risky file types: 7z, bat, cab, chm, class, cpl, dll, exe, flash, hlp, hta, msi, Multi-Level-Encoding, ocx, PE, pif, rar, scr, tar, torrent, vbe, wsf, encrypted-rar, encrypted-zip | Any | Both (upload and download) | Block
All remaining file types (there are 150+) | Any | Both (upload and download) | Alert

Strict File Blocking

File Types | Application | Direction | Action
-----------|-------------|-----------|-------
All risky file types: 7z, bat, cab, chm, class, cpl, dll, exe, flash, hlp, hta, msi, Multi-Level-Encoding, ocx, PE, pif, rar, scr, tar, torrent, vbe, wsf | Any | Both (upload and download) | Block
encrypted-rar, encrypted-zip | Any | Both (upload and download) | Block
All remaining file types (there are 150+) | Any | Both (upload and download) | Alert

Basic File Blocking

File Types | Application | Direction | Action
-----------|-------------|-----------|-------
Most risky file types: 7z, bat, chm, class, cpl, dll, exe, hlp, hta, jar, msi, ocx, PE, pif, rar, scr, torrent, vbe, wsf | Any | Both (upload and download) | Block
encrypted-rar, encrypted-zip | Any | Both (upload and download) | Block
All remaining file types (there are 150+) | Any | Both (upload and download) | Allow

WildFire Analysis

The WildFire Analysis profile specifies what files to send to the WildFire cloud service for malware analysis. The best practice WildFire Analysis profile forwards all unknown (not previously seen) files for WildFire analysis.
Profile | File Type | Application | Direction | Action
--------|-----------|-------------|-----------|-------
Best Practice (this best practice profile is also the default profile) | All | Any | Both (upload and download) | Forwards to the WildFire global cloud, in the United States
Default | All | Any | Both (upload and download) | Forwards to the WildFire global cloud, in the United States
