Palo Alto: Security Profiles

This Document is for Firewall Administrators with super admin access who will be making advanced changes to their virtual systems.

Summary:
The four advanced protection groups. What are they and how do they protect us? Think of the group as protecting the UW from cyber threats, both intentional and unintentional.
The Security Profiles can be found under Objects > Security Profiles.

Advanced-Protections

  • Global Properties of Advanced Protections Security Profiles:
    • To create customized profile actions:
    • Click to highlight the security-baseline or default and clone the read-only profile then edit the clone or
    • Add a brand new profile
    • objects-action-items
    • Action type explanations: List of Actions
    • Allow - Allows and does not log
    • Alert - Allows but creates a log
    • Drop - Hard drops the packets
    • Reset-client - sends a TCP unreachable to the client
    • Reset-server - sends a TCP unreachable to the server
    • Reset-both - sends a TCP unreachable to both client and server
  • Antivirus:
    • With the UW license the Palo Altos have a schedule of every 30 minutes past the hour to check for updates and are made available from Palo Alto every 24 hours.
    • The Action to take is based on the AntiVirus signatures delivered in the daily content updates.
    • WildFire Action is the action to take based on signatures delivered by WildFire.
    • Default is the action specified in the application signature table found under Objects > Applications.
    • The packet capture option tells Palo Alto to create a pcap file for traffic identified by the profile. The files can be found attached to logged events under Monitor > Logs > Threat.
  • Anti-Spyware:
  • Palo Alto Anti-Spyware signatures are provided through Dynamic updates (Device > Dynamic Updates) and are released every 24 hours.
  • Spyware is detected when a malicious program attempts phone home connections to a Command and Control server.
  • The Firewalls come with two pre-defined security profiles, default and strict. DoIT has created the profiles: UW-Default, UW-Strict, Security-Baseline-Antispyware and Security-Strict-AntiSpyware. These are all available for use along with individually curated profiles.
  • Each profile has a set of predefined rules with threat signature IDs organized by the severity of the threat as identified by Palo Alto resources.
  • Each threat signature includes a default action specified by Palo Alto Networks.
  • Anti-Spyware profile custom rules can be created for actions on any threat (create rules by navigating to Objects > Security Profiles > Anti-Spyware > Add > Rules > Add) actions are differentiated by severity level.
  • These levels are: critical, high, medium, low and informational. They show up color coded in the threat logs.
  • anti-spyware-color-coding
  • Anti-Spyware signatures can provide packet captures for additional details on traffic matching the signature. It is not recommended to choose extended-capture as this captures anywhere from 1 to 50 packets and can greatly impact the overall firewall performance.
  • Packet capture will not occur if the action is set to block, drop or reset as the session is ended immediately.
  • The exceptions tab allows you to change the action for a specific signature and are provided to remedy identified false-positives.
  • The actions specified in the profile will override the action configured in the security policy rules.
  • The DNS Signatures tab provides an additional method of identifying infected hosts.
    • DNS Signatures are downloaded with the AntiVirus updates.
    • The actions configured for detected DNS signatures identified with malware are:
      • Allow
      • Alert
      • Sinkhole
      • Block
    • Hosts that perform DNS queries for malicious domains will appear in the botnet report, found under Monitor > Botnet.
    • The options under DNS Signatures are: External Dynamic Lists and Action.
      • External Dynamic Lists provide a dynamically adjusted list external to static maintained lists on the firewall. These can specify IP addresses or FQDN for known malicious servers out in the wild.
        • To add a new list click Add and select the External Dynamic List. Custom lists can be created under Objects > External Dynamic Lists.
      • The actions taken are similar to all other use case with Sinkhole being the difference with Anti-Spyware.
        • DNS Sinkhole action provides admins further means of identifying infected hosts using DNS traffic.
        • Sink-holing malware DNS queries forges responses to the queries directed at malicious domains so the compromised host attempts connections to an IP address specified by the administrator rather than the malicious mother-ship.
    • The administrator is alerted of a malicious DNS query in the threat log, and can then search the traffic logs for the sinkhole IP address and can easily locate the client IP address that is trying to start a session with the sinkhole IP address.
      • Action of sinkhole used for identification under Monitor > Logs > Threat (action eq sinkhole)
  • Vulnerability Protections:
  • Vulnerabilities are prevalent in all systems. Fortunately we have many organizations who test and release announcements along with vendor notifications for vulnerabilities. The United States Department of Homeland Security and NIST has many organizations that keep databases of vulnerabilities and release announcements with remedies on a regular basis.
  • CVE defines a vulnerability as:
  • "A weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)." quotation source
  • CVE vulnerabilities are rated on an Informational to Critical level, so Palo Alto has modeled the Vulnerability protection risk levels to match. They even went as far as to reference the CVE in their online threat database.
  • Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities.

  • Our Palo Alto Firewalls use the vulnerability protection profiles and provide our firewall administrators the ability to take specific actions by:
    • Severity levels
    • Traffic Direction (From client, from server, or both)
    • CVE references
    • Threat names
  • They also allow for packet captures to be taken for use for better documentation in any incident response cases.
  • Each threat is assigned a unique threat-id which is used as a reference in:
      • Vulnerability protection profile exceptions and
    Vulnerability Exception
      • Threat log filtering Monitor > Logs > Threat
    ThreatLog-Example
  • It is highly recommended that we setup high and critical severity vulnerability protection rules to either reset or block these vulnerabilities.
  • URL Filtering:
  • URL filtering works on categories specified by Palo Alto engineers based on internal tests, traffic analysis, customer reports and third-party sources. If there's a URL that you are unsure of, PA has an online tool for checking the categorization that includes evidence in their analysis.
  • Palo Alto Networks strongly emphasizes blocking the following categories:
    • Command-and-control
    • Malware
    • Phishing
  • They recommend blocking the following categories:
    • Copyright-infringement
    • Dynamic-dns
    • Extremism
    • Parked
    • Proxy-avoidance-and-anonymizers
  • In your URL profile, it is suggested to set the site access action to Alert rather than allow for the above URL categories in order to get a view into the activity of your network.
  •  
  • Under the profile there's a setting for URL credential submission protection. By default these settings are disabled. Palo Alto best practices suggest enabling these protections on all categories.
  • Palo Alto Provides the option to create custom URL categories under Objects > Custom Objects > URL Category. The idea behind this is:
    • Provide more granular control over URL filtering
    • Enable the admin to block or allow access to specific web sites
    • Override the category setting mentioned above.
  • A custom URL category enables you to create a custom list of specific URLs that you either want to allow or deny access to. Once you have created your custom URL category, you can use the category in a URL filtering Profile or as criteria to match in a security rule.
  •  
  • Another feature provided by Palo Alto URL filtering is named "Safe Search". Many search engines have a safe search setting that filters out adult images and videos in search query return traffic. When you select the setting to enable safe search enforcement, the firewall blocks search results on the category if the end users is not using the strictest settings in the search query. The firewall can enforce safe search for the following providers: Google, Yahoo, BING, Yandex and YouTube. This is a best-effort setting and is not guaranteed by the search providers to work with every website.
  • In addition to the local static lists of URLs and generic categories, the firewalls can use External Dynamic Lists (EDLs) of URLs in the URL filtering security profile.
    • EDLs are lists of items, URLs in this instance, that are dynamically updated by external trusted sources that the firewalls use.
    • To add an existing EDL to your URL filtering profile, follow the steps from Palo Alto:
      • Select your profile by going to Objects > Security Profiles > URL Filtering.
      • Add or modify an existing URL Filtering profile.
      • In the profile, under the Categories tab, select the EDL from the category list (depicted with a + symbol).
      • Click action to select a more specific action for the URLs provided in the list.
      • You're done! Click OK and then add your URL Filtering profile to your "allow" security policies, or to a Security Profile Group to then add to your allow policies.
  • Profile Groups:
  • Profile Groups are, exactly as they sound, groups of security profiles. These can be found by navigating to Objects > Security Profile Groups.
  •  
  • When editing your security profile group, drop-down menus are provided for all security profile types, that will list your security profiles created above and available security profiles (I.e. Security-BaselineAntiSpyware under the Anti-Spyware dropdown).

  • PaloAlto_SecurityProfileGroup
  • Once you have your security profile group built you can add this group to your security rule, rather than applying each individual profile to the rule. Providing cleaner security rule management.
  • PaloAlto_SecurityProfileGroup-PolicyUse
  • Palo Alto Best Practice Suggestions:
  • AntiVirus:
    • Configure the best practice Antivirus profile to reset both the client and the server for all six protocol decoders and WildFire actions, and then attach the profile to the Security policy allow rules. By attaching Antivirus profiles to all Security rules you can block known malicious files (malware, ransomware bots, and viruses) as they are coming into the network.

  • Vulnerability Protections:
    • Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows, illegal code execution, and other attempts to exploit client- and server-side vulnerabilities. The best practice profile is a clone of the predefined Strict profile, with single packet capture (PCAP) settings enabled to help you track down the source of any potential attacks.

    • Without strict vulnerability protection, attackers can leverage client and server-side vulnerabilities to compromise end-users. Vulnerability Protection profiles also prevent an attacker from using vulnerabilities on internal hosts to move laterally within your network.

    • *Don't enable PCAP for informational activity because it generates a relatively high volume of that traffic

  • Anti-Spyware:
      • Attach an Anti-Spyware profile to all allowed traffic to detect command and control traffic (C2) initiated from malicious code running on a server or endpoint and prevent compromised systems from establishing an outbound connection from your network.
      • Edit the profile to enable DNS sinkhole and packet capture to help you track down the endpoint that attempted to resolve the malicious domain.

    • The best practice Anti-Spyware profile retains the default Action to reset the connection when the firewall detects a medium, high, or critical severity threat, and enables single packet capture (PCAP) for those threats.
    • The best practice Action on DNS Queries is to block or to sinkhole DNS queries for known malicious domains. It is also a best practice to enable PCAPs. Enabling DNS sinkhole identifies potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains.
  • URL Filtering:
    • As a best practice, use PAN-DB URL filtering to prevent access to web content that is at high-risk for being malicious. Attach a URL Filtering profile to all rules that allow access to web-based applications to protect against URLs that have been observed hosting malware or exploitive content. The best practice URL Filtering profile sets all known dangerous URL categories to block.

Additional Online Resources: