Hi everyone! This is Tom with the community team, and in this video tutorial we're going to take a look at optimizing your security policy. Let's take a look at a couple of example policies.

An administrator who has just started setting up his appliance might be tempted to use 'any' in the source and/or destination of his security policy because that's "easy to work with": you don't need to make sure your zones are accurate before you start working. But those configurations tend to stay there for a while and can actually introduce some security risks, because you tend to lose control or sight over where your traffic is going to and coming from. So, as an example, I've set up a LAN connection and a WAN connection over here, and these are set to intrazone and interzone instead of universal. So, what's the difference between
these 3? A universal policy applies in any direction: a 'local' source zone is allowed to the 'local' destination zone and the 'remote' destination zone, and the 'remote' source zone is allowed to the 'local' destination and the 'remote' destination.

If you set the rule type to intrazone, this means that even if you have a mixture of all your zones in the source and the destination, they'll only be allowed to connect to their own zone. That means 'local' will only be allowed to connect back to the 'local' zone, and the 'remote' source zone will only be allowed to connect back to the 'remote' destination zone.

Interzone is the reverse: the 'local' source zone is only allowed to talk to any destination zone that isn't itself, and the 'remote' source zone is only allowed to talk to any other destination zone except itself, so 'local' and any other zones, but not 'remote'.

Another important step to improve your
security is to change the service from 'any' to application-default or a static set of ports, depending on your needs, but at least make sure there is no 'any' left. So go ahead and change this to application-default.

Since PAN-OS 6.0, if you create a new security policy it's going to be application-default by default, but it might be worth revisiting your security policy: it might have been there for a while, and if it was set to 'any' manually or was created before you migrated to PAN-OS 6.0, there might still be services set to
'any', which is not optimal. Why is this? Any session that gets created on the firewall is going to pass through the firewall policy twice. This means that when you receive your SYN packet, App-ID is not going to be able to identify an application just yet, because the session is new and there's no data in it yet; the only thing the firewall has is the 5-tuple of source zone, source subnet, destination zone, destination subnet and destination port. So, for example, if you're running a security policy that is only going to allow web browsing on port 80 and DNS on UDP port 53, any session coming in or going out on port 22 should be denied. If your service is set to 'any', the handshake will be let through and App-ID will need to determine whether this application is web browsing or something completely different. That means that in this scenario, where the application is still set to 'any', we won't be able to restrict the creation of sessions based on the destination port just yet, because there aren't any applications that can guide application-default to only allow certain ports to be open during the session creation phase.

In many cases, especially when a firewall administrator is creating his very first policy, he might not be aware which applications
to allow or deny. Maybe there are a couple of straightforward applications like web browsing, ssl and DNS that might be allowed, but there are many others where it might not be as easy to determine which ones to deny and which to allow. For cases like that there's a nifty feature called the application filter.

An application filter is a sort of group that groups your applications by means of their behavior. So, for example, I have my blocked-apps filter here: I've selected all the subcategories I don't like and a risk factor I don't like, and it's going to populate the list of applications automatically. That also means that if in the near future a new application becomes available through a dynamic update, is added to the application repository and matches these parameters, it's automatically going to be added to my list.

So I do the same thing for my allowed applications: I create, for example, an 'allowed apps filter' and select the services that I like, for example authentication, maybe some database internally, ERP and internal file sharing. I do not like gaming. Then general business, some internet utility, and I select the technology that I like: for example, I do not want peer-to-peer, so browser-based, client-server and network-protocol, and I only want the fairly low risk to high-ish risk applications, but nothing with a risk factor of five. Now I have a friendly list of applications that I trust based on category, subcategory, technology and risk factor, without going in and pinpointing the specific applications that I want to allow. If I now go back to my security policy and add them in here, this will make your environment a lot
more secure.

Another thing that's often overlooked is the security profiles. In all cases I would recommend administrators create their own security profiles instead of using the defaults. This will help you get more acquainted with what is available to you, and secondly it's also going to allow you to set a couple of features that are not available in the default profile. For example, if we go to the antivirus profile and create a new one, we can set packet captures. This is going to create a little packet capture each time a virus is detected, which can be helpful if you want any post-mortem information or want to investigate what's going on on the network, and it also includes a set of WildFire actions which aren't included in the default profile.

Next: in the anti-spyware profile you can
create a profile that's just a little more aggressive than the default one, by, for example, setting the action to reset or block IP instead of the default action assigned to a specific anti-spyware threat, and it can also collect packet captures.

Another neat feature in the anti-spyware profile is that you can enable DNS sinkhole. This means that if a host in your organization sends out a DNS request for a malicious domain, that request is intercepted and the reply is spoofed with a different IP address than the actual host. This serves two purposes: first off, it's going to interrupt any command-and-control sessions going out, because they are not going to be able to reach the intended IP address to actually receive commands from out there, and it will be easier to detect any hosts that have been infected, because they will be connecting to an IP address you know, being the sinkhole IP address. You can either put in your own IP address, choose the IPv4 loopback on the host itself, which means it's going to create the sinkhole on the host, where it will not be detected by the firewall, or you can use the Palo Alto Networks provided sinkhole IP address on a public IP. If you're going to use your own IP address, make sure not to use an IP address that's actually being used inside your organization, because that's going to spawn connections to that host. You can also set an IPv6 sinkhole, and you can enable packet capture if you need to.

Enabling passive DNS monitoring will send out anonymized DNS information to Palo Alto Networks so we can gather that information and use it to improve our signatures, so if you can, I would recommend enabling this, as that will improve life for everyone.

Another cool feature: if you do have your own dynamic block list, you can add it right here and set the action that needs to be applied to it, so we can allow, block, alert or sinkhole.

For the vulnerability protection profile
you can create a profile that's also a little more aggressive. So, for example, we create a rule for anything that's critical or high from host type client, meaning coming from the client, and instead of taking the default action we're going to block the IP address for a certain amount of time, for example 600, and we're going to enable extended packet capture. Then you can create a similar rule for the server side. Then we create rules for the lower severities, medium, low and informational, and set the action to drop instead of block IP for the client, and we still want to have extended packet captures. We're going to clone that for the server side as well.

Creating a custom URL filtering profile
will allow you to change some of the logging attributes from the default, as you can see here. The default has a lot of allow categories, which isn't a bad thing, but anything that's allowed in the URL filtering profile is not going to be logged by default. So if you want to get a view of what's being passed through your firewall, you can set all the actions to alert and then still block all the categories that you don't want to allow. But you'll get a log entry for each allowed category that's going through your firewall.

When this is done, in the settings you'll also be able to manipulate a couple of settings that you won't be able to change in the default one. For example, you can disable 'log container pages only', which will give you a full URL instead of just the host; you can enable safe search enforcement, which will make sure that your users are using Google in safe search mode only; and you can add a couple of options to your logging. With this profile you'll get far more information about what's being accessed by your users than with the default one.

For the file blocking profile I've actually created a different video called 'Tips from the field: file blocking profile'. I'll add the link below; make sure to check it out, it's really interesting and contains a lot of useful information on which file types you will want to block and why.

Lastly: if you go to your security policy, make sure to actually change your profiles
from anything that's default to all the stuff you just created, so you can take advantage of these profiles. Don't forget to add WildFire analysis: this will ensure that PE, APK, PDF, MS Office, JAR and Flash files are uploaded to the WildFire cloud for analysis. If any of the uploaded files contain an infection, signatures can be created to block these files.

Thanks for watching! I hope you liked the video. If you did, please hit the like button and don't forget to subscribe to our channel. Thanks!
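As an added example for the rule-type and service discussion earlier in this tutorial (my own code, not the video's and not Palo Alto Networks'): a small simulation of how a rule can match the first packet of a new session, when App-ID has no payload yet and only the zones and destination port are available. The `Rule` structure, the `zones_match` / `service_match` / `first_packet_action` functions, the app-default port table and the demo policy are all assumptions made for illustration, not the PAN-OS data model.

```python
"""Added example, not code from the video or from Palo Alto Networks.

Simulates how a security rule matches the first packet (the SYN) of a new
session. At that point App-ID cannot identify an application, so only the
zones and the destination port can be checked; this is the reason the video
gives for not leaving the service set to 'any'. Rule structure, rule-type
semantics and the app-default port table are my assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed app-default port table (real ones come from App-ID content).
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "dns": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Rule:
    name: str
    rule_type: str        # 'universal', 'intrazone' or 'interzone'
    from_zones: set       # zone names, or {'any'}
    to_zones: set
    applications: set     # app names, or {'any'}
    service: object       # 'any', 'application-default' or a set of (proto, port)
    action: str = "allow"


def zones_match(rule, src_zone, dst_zone):
    """Zone check with the three rule types explained in the video."""
    if "any" not in rule.from_zones and src_zone not in rule.from_zones:
        return False
    if "any" not in rule.to_zones and dst_zone not in rule.to_zones:
        return False
    if rule.rule_type == "intrazone":   # only back into the same zone
        return src_zone == dst_zone
    if rule.rule_type == "interzone":   # only into other zones
        return src_zone != dst_zone
    return True                         # universal: any direction


def service_match(rule, proto, dport):
    """Port check possible on the first packet, before App-ID has any data."""
    if rule.service == "any":
        return True                     # handshake let through regardless of port
    if rule.service == "application-default":
        if "any" in rule.applications:
            # Assumption: with no named application there are no default ports
            # to restrict the handshake to, as the video describes.
            return True
        allowed = set()
        for app in rule.applications:
            allowed |= APP_DEFAULT_PORTS.get(app, set())
        return (proto, dport) in allowed
    return (proto, dport) in rule.service   # explicit static port set


def first_packet_action(rules, src_zone, dst_zone, proto, dport):
    """First-pass lookup: top-down, first match wins; no match means deny."""
    for rule in rules:
        if zones_match(rule, src_zone, dst_zone) and service_match(rule, proto, dport):
            return rule.action
    return "deny"


def demo_rules(service):
    """Constructed policy: LAN -> WAN, web-browsing and dns, with the given service."""
    return [Rule("allow-web-dns", "universal", {"LAN"}, {"WAN"},
                 {"web-browsing", "dns"}, service)]


if __name__ == "__main__":
    for svc in ("any", "application-default", {("tcp", 80), ("udp", 53)}):
        print(svc, "-> SSH SYN from LAN to WAN:",
              first_packet_action(demo_rules(svc), "LAN", "WAN", "tcp", 22))
```

Running it shows the point of the tutorial's port-22 example: with the service left at 'any' the SSH handshake is allowed on the first pass and everything depends on App-ID later, while application-default or a static port set denies it before the session is even created.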
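As an added example for the DNS sinkhole section of this tutorial (my own code, not the video's and not Palo Alto Networks'): the defender-side follow-up the video describes, finding infected hosts by looking for sessions to the sinkhole address, plus the caveat that a self-chosen sinkhole address must not be in use internally. The log line layout is a constructed, simplified CSV, not the real PAN-OS traffic log format, and `SAMPLE_TRAFFIC_LOG`, `SINKHOLE_IP`, `infected_hosts` and `sinkhole_address_ok` are constructed for illustration.

```python
"""Added example, not code from the video or from Palo Alto Networks.

Two defender-side checks around the DNS sinkhole feature described in the video:
  1. infected_hosts() scans traffic log lines for sessions to the sinkhole
     address; that is how sinkholed hosts become visible at the firewall.
  2. sinkhole_address_ok() applies the caveat that a self-chosen sinkhole
     address must not be one that is really in use inside the organization.
The log layout (time, src, dst, dport, app, action) is a constructed,
simplified CSV, not the PAN-OS traffic log format; all addresses are samples.
"""
import csv
import ipaddress
from collections import Counter

# Constructed sample traffic log lines (documentation address ranges).
SAMPLE_TRAFFIC_LOG = """\
2024-01-01T10:00:01,10.1.1.20,203.0.113.10,443,ssl,allow
2024-01-01T10:00:02,10.1.1.20,192.0.2.250,80,web-browsing,allow
2024-01-01T10:00:05,10.1.1.31,192.0.2.250,443,ssl,allow
2024-01-01T10:00:09,10.1.1.20,192.0.2.250,80,web-browsing,allow
2024-01-01T10:00:12,10.1.2.7,198.51.100.5,53,dns,allow
"""

SINKHOLE_IP = "192.0.2.250"   # constructed; a dedicated, otherwise unused address


def infected_hosts(log_text, sinkhole_ip):
    """Return {source_ip: session_count} for hosts that connected to the sinkhole.

    A host only shows up here if the spoofed reply pointed it at an address its
    traffic must cross the firewall to reach; with a loopback sinkhole the
    connection attempts stay on the host itself and the firewall never sees them.
    """
    counts = Counter()
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue                     # skip malformed lines
        _time, src, dst, _dport, _app, _action = row
        if dst == sinkhole_ip:
            counts[src] += 1
    return dict(counts)


def sinkhole_address_ok(candidate, internal_networks):
    """True if the candidate sinkhole address lies outside every internal network.

    Pointing sinkholed DNS replies at an address that is really in use would
    spawn connections from infected hosts to that host, which the video warns against.
    """
    addr = ipaddress.ip_address(candidate)
    return not any(addr in ipaddress.ip_network(net) for net in internal_networks)


if __name__ == "__main__":
    for host, n in sorted(infected_hosts(SAMPLE_TRAFFIC_LOG, SINKHOLE_IP).items()):
        print(f"{host}: {n} session(s) to the sinkhole, investigate this host")
    print("sinkhole address OK:",
          sinkhole_address_ok(SINKHOLE_IP, ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]))
```

The destination port and application of a sinkholed session are irrelevant for this check: whatever the malware tried to do next, the fact that the host resolved a malicious name and then reached for the sinkhole address is the signal.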