Palo Alto Firewall Signature Based Security Profiles | PAN-OS 9.1

Captions
Hi guys, welcome to MB Tech Talker. My name's Matt, and in this video I'm going to show you how to configure Palo Alto signature-based security profiles using Palo Alto Networks' best practices. I'll show you how to do all of this using a VM-Series next-generation firewall in VMware Workstation. Hopefully you'll enjoy the video; if you do, please like, comment and consider subscribing to my channel.

Before jumping into the configuration, let's go over what security profiles are and how they are used. So what actually are security profiles? These profiles are attached to the firewall security rules and scan and inspect allowed applications for threats. While security policy rules enable you to allow or block traffic on your network, security profiles help you define an "allow but scan" rule, which scans allowed applications for threats such as viruses, malware, spyware and DDoS attacks. When traffic matches the allow rule defined in the security policy, the security profiles that are attached to the rule are applied for further content inspection. So in this video I'm going to talk specifically about the signature-based security profiles and their configuration, which are antivirus signatures, anti-spyware signatures and vulnerability signatures.

Now there are a few things you need to remember when working with these security profiles. You need to make sure you have a Threat Prevention and WildFire licence to take full advantage of the signature-based security profiles, and don't forget security profiles are not used in the initial match criteria: the security profile is used to scan the traffic after the traffic has been allowed by the security rule. There is absolutely no reason to add a security profile to a deny rule.

OK, so let's take a look at the lab. If you've watched my previous videos you should be familiar with my lab topology and how I've configured the Palo Alto Networks next-generation firewalls inside of VMware Fusion. If not, go and grab yourself a coffee, as it's a very in-depth lab setup video; I'll put the link in the description and a card above. Anyway, focusing on this lab, I've downloaded a spreadsheet from the Palo Alto Networks public GitHub repository which contains all the CLI set commands needed to configure the three signature-based security profiles and the corresponding security profile groups that are used in the lab. I'm not going to deep dive into the whole IronSkillet thing in this video; I'll create a separate video going through the whole process. OK, so each security profile starts with one of the following names: outbound, which is traffic originating inside the network accessing external sites; inbound, which is traffic originating on the outside of the network accessing internal sites; and internal, which is traffic originating inside the network accessing other internal sites.

OK, so I'm already logged onto the firewall. Let's take a look at the security profiles. Click on the Objects tab, go down to Security Profiles and then click on Antivirus. These antivirus profiles are used to protect against worms, viruses and trojans and to block spyware downloads. This profile has the ability to scan for malware in executables, PDF files, HTML and JavaScript viruses, as well as scanning compressed files. I have three AV profiles which are configured identically except for the profile names. Let's take a look at the outbound profile. As you can see, there's a list of protocol decoders; these decoders detect and prevent viruses and malware from being transferred over these six protocols. If the firewall detects a threat using any of these protocols, the firewall will enforce the action in either one of these action columns. So in this case the action has been set to reset-both, which results in the firewall resetting the connection to both the client and the server.

Now let's take a look at the anti-spyware profiles, so let's click on Anti-Spyware. These profiles block spyware on compromised hosts from trying to establish an outbound connection or trying to signal out to an external command-and-control (C2) server; the firewall can detect malicious traffic leaving your network from a potentially infected host. The best practice is to base the outbound and inbound anti-spyware profile on the predefined strict profile. Looking at the outbound AS profile, the reset-both action has been set for critical, medium and high severity levels, and additionally a single packet capture has been enabled so that the threat event will be captured by the firewall and gives us data to analyse if further investigation is required. Both low and informational severities are set to default, which is normally alert, which means traffic will be allowed and a log generated which will be seen in the threat log. The internal AS profile is less strict: medium severities take the default action and no packet capture is taken. I'm not going to go and talk about the DNS Signatures tab at this point; that warrants a separate video and I'll go into much more detail there.

Moving on to the vulnerability protection profiles. These profiles will protect against buffer overflows or illegal code execution, which is a way of attempting to exploit system flaws in order to gain unauthorised access from outside the network. The IronSkillet vulnerability protection profile bundles up critical, high and medium threat severity levels into one rule, sets the action to reset-both and enables a single packet capture. The second rule is aimed at low and informational threat severities; the action is set to default and packet captures are disabled. Let's say you want to see more information on the signatures by severity and what the default action is. If you highlight the rule and then click on Find Matching Signatures, it will open up the Exceptions tab, and you'll notice that the Show All Signatures checkbox is ticked, which in turn shows the number of threats filtered on critical, high and medium severities, along with granular information including the signatures' default actions. This type of search function is also available in the anti-spyware profiles.

Going back to the Exceptions tab, it kind of speaks for itself. You can configure threat exceptions for antivirus, vulnerabilities and spyware in order to change the firewall's enforcement. For example, let's say an organisation had some Linux servers in different security zones and the traffic was traversing the Palo Alto firewalls. A security profile had recently been attached to the security rule which was allowing the traffic; however, for some reason the traffic was being blocked, and after further investigation it was proved that the firewall had detected a Microsoft vulnerability and was resetting the connection between the servers. The server and firewall admins agree that this is a false positive, as there were no Microsoft servers in that environment, so the firewall admin creates an exception in the vulnerability protection profile by changing the action from reset-both to alert.

OK, so once the security profiles have been created they can be used in two ways. I'm going to click on the Policies tab and, inside Security, open up the General Internet Access rule. You can see that this rule is allowing dns, google-base, ssl and web-browsing. Now go into the Actions tab and you'll see we have a Profile Setting area, and clicking the drop-down gives us three options: Profiles, Group and None. You'll notice in this rule that there is a tag associated with it called outbound; this has been tagged to show firewall admins the direction of the traffic. You can see the traffic is sourcing from the DC and Users internal zones and it's destined to the untrust zone, so this is an outbound connection. Going back to the Actions tab and the profile settings, we're going to choose the profiles that match the direction of the traffic: for antivirus it's going to be Outbound-AV, for vulnerability protection it's going to be Outbound-VP, and for anti-spyware it's going to be Outbound-AS, and then click OK.

OK, so the second way of attaching security profiles is bundling the security profiles up and using a security profile group. Let's go back to the Objects tab, but this time we're going to go down to Security Profile Groups. You can see we have three groups named in the direction of the traffic that they should be applied to, and inside each of the groups you can see the corresponding security profiles. Going back to the Policies tab, opening up the General Internet Access rule and heading over to the Actions tab, instead of choosing the individual profiles we can change this to Group and then select the profile group in the direction of the traffic, which is Outbound, and click OK. Now you can see that the icon has changed, and if you hover over it, it will actually tell you the profile group that's associated with the rule. Because the policy has been configured to allow specific applications, the attached security profile will be used to scan those applications for threats.

OK, so that's the end of the lab. I hope you like the video and you find it useful. I'll see you in the next one. OK guys, that's it for today's video, thanks for watching. Over the coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas of video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks.
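The outbound vulnerability protection profile, the profile group and the rule attachment walked through in the video, written out as PAN-OS configure-mode set commands. This is an added example, not the spreadsheet from the video or IronSkillet's own file; the rule names Block-Critical-High-Medium and Default-Low-Info, the placeholder threat ID and the threat-exception syntax are assumptions, and the lines beginning with # are annotations, not CLI input.

```text
# Rule 1: critical, high and medium severities -> reset-both with a single packet capture
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium severity [ critical high medium ]
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium action reset-both
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium packet-capture single-packet
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium threat-name any
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium category any
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium host any
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium cve any
set profiles vulnerability Outbound-VP rules Block-Critical-High-Medium vendor-id any

# Rule 2: low and informational keep each signature's default action (normally alert), no capture
set profiles vulnerability Outbound-VP rules Default-Low-Info severity [ low informational ]
set profiles vulnerability Outbound-VP rules Default-Low-Info action default
set profiles vulnerability Outbound-VP rules Default-Low-Info packet-capture disable
set profiles vulnerability Outbound-VP rules Default-Low-Info threat-name any
set profiles vulnerability Outbound-VP rules Default-Low-Info category any
set profiles vulnerability Outbound-VP rules Default-Low-Info host any
set profiles vulnerability Outbound-VP rules Default-Low-Info cve any
set profiles vulnerability Outbound-VP rules Default-Low-Info vendor-id any

# False-positive handling from the Linux-server example: one signature downgraded to alert
# (<THREAT-ID> is a placeholder for the signature's numeric ID shown in the Exceptions tab)
set profiles vulnerability Outbound-VP threat-exception <THREAT-ID> action alert

# Method 2 from the video: bundle the three outbound signature-based profiles into a group
set profile-group Outbound virus Outbound-AV spyware Outbound-AS vulnerability Outbound-VP

# Attach the group to the allow rule; the profiles only run on traffic this rule has allowed
set rulebase security rules "General Internet Access" profile-setting group Outbound
commit
```

Method 1 (individual profiles) would instead use `profile-setting profiles virus Outbound-AV spyware Outbound-AS vulnerability Outbound-VP` on the same rule.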
Info
Channel: MB Tech Talker
Views: 370
Id: vTNS88UT8Vc
Length: 11min 38sec (698 seconds)
Published: Fri Mar 19 2021