Indicates low resources for encrypted traffic.

Action: Analyze traffic patterns and reallocate resources to support encrypted traffic.

Firewall objects (rules, groups, and security profiles) are nearing device limits.

Action: Review and optimize configurations to stay within limits.

Packet Buffer resources are running low.

Action: Analyze network traffic and adjust resource allocation to ensure sufficient buffer capacity.

Site-to-Site VPN Tunnels are down.

Action: Investigate the VPN configuration and connectivity issues, and restore the affected tunnels.

A NAT rule cannot allocate sufficient resources for translation.

Action: Review and adjust NAT rules to ensure adequate resource allocation.

Navigate to the Best Practices dashboard to evaluate security feature configurations against Palo Alto Networks' best practices.

Use the Security Posture Insights dashboard to review device health, including operational status and software versions.

Action: Plan upgrades for outdated software versions using Insights > NGFW > Upgrade Recommendations.

Ensure threat intelligence feeds are updated regularly to detect threats effectively.

Action: Set up alert notifications for critical alerts so that you can respond to them immediately. Furthermore, integrate AIOps with your incident response platform to automate the response process.

Threat intelligence feeds are outdated.

Action: Update feeds by verifying connectivity with the threat intelligence servers and scheduling regular updates.

SSL/TLS certificates used for secure communication have expired.

Action: Renew certificates through the issuing Certificate Authority (CA) and configure them on relevant devices.

Licenses for Palo Alto Networks products have expired.

Action: Renew licenses through your Palo Alto Networks sales representative or customer portal.

High Availability (HA) between firewalls is not functioning correctly.

Action: Verify HA configurations, including links, statuses, and synchronization, and resolve any issues per documentation.

This alert indicates that one of your Anti-spyware profiles isn't strict, which could potentially allow spyware activity on the network. After receiving this alert, your security team reviews the alert details. They find that the alert is related to the security posture of their platform and falls under the category of Malware Defenses. The alert suggests that to prevent spyware activity on the network, they should clone the predefined strict Anti-Spyware profile and retain the default “reset-both” Action for critical, high, and medium severity levels.

Action: Clone and configure a strict profile to block spyware effectively.

This alert indicates that an application isn't set in a rule, which could potentially allow unauthorized traffic through the firewall. However, upon reviewing the alert, the security team realizes that this is due to a new application that they are currently testing. They have intentionally not set the application in a rule yet because they are still in the process of evaluating the application's security.

Action: Temporarily suppress the alert if the application is under evaluation. Revisit and configure the rule after completing testing.

Review Activity Insights: Navigate to the Activity Insights dashboard in your Strata Cloud Manager. You can view a holistic picture of all threats detected and blocked in your network across various security subscriptions. As an example, you notice an alert about "Anti-Spyware Profile Not Strict". After reviewing the alert details, you clone the predefined strict Anti-Spyware profile and adjust the settings as suggested.

Addressing Security Gaps: While reviewing the Activity Insights dashboard, identify the security policy rules that enforced the blocked and allowed threats. You notice that some rules are allowing threats. To address this, you review these rules and make necessary modifications to ensure they block such threats in the future.

Suppression: In another instance, you notice an alert about "Application Not Set In Rule". However, upon reviewing the alert, you realize that this is due to a new application that you are currently testing. You have intentionally not set the application in a rule yet because you are still in the process of evaluating the application's security. In this case, you decide to suppress the alert temporarily until you have complete your testing and evaluation of the new application.

Assessing Most Impacted Applications and Users: The Activity Insights dashboard also provides information about the applications and users most impacted by the threats. You review this information to identify any patterns or trends that might indicate a larger security issue. If necessary, you take action to address these issues, such as updating security policies or providing additional training to users.