Palo Alto – Security Profiles

Standard

While starting up my lab environment and getting the basics configured, I was perplexed by the feature of a “Profile” that can be attached to a policy rule. You could either select a security profile group, configure one on the spot (which doesn’t scale well if you plan on writing these same protections for multiple rules across multiple policies) or leave it as none. Of course, since I was just trying to get the lab up I left it as none for now and decided I would come back to this later to check it out.

What I discovered from these security profiles is that they provide us with a great tool to create custom protection policies for the scenario. Iron Skillet goes over three basic scenarios that we should start off with including an outbound, inbound, and internal protection profile option. This allows us to take a risk based approach to the protections we want to apply based upon the scenario of the rule. I know I quickly enabled an inbound rule to cover my web server with DDoS and IPS protections with the SSL Inbound Inspection configured. This allows me to virtually patch my server on the firewall if there’s not yet a desirable patch for it yet. I am also able to write specific protection scenarios for outbound as well. I wrote where I can perform antivirus scans, URL filtering, and anti-spyware scans so that I could protect my lab from becoming infected. I also wrote a rule to cover the internal access so that I could perform very basic checks of antivirus and anti-spyware, but everything else was allowed.

You would only want to use these protection profiles for permitted traffic. Writing it for traffic you plan on dropping won’t do you any good as it will bypass the inspection engines anyways to go straight to the drop action within the firewall. As I stated earlier, you also want to create these as reusable profile groups with a defined purpose in its title. This provides you with a scalable solution that you can quickly modify by just modifying the attached security profiles within the protection profile and it automatically applies to all of the rules utilizing it.

Each profile can contain the following security profile types:

  • Antivirus
  • Anti-spyware
  • Vulnerability Protection (IPS)
  • URL Filtering
  • File Blocking
  • Data Filtering
  • WildFire Analysis

If you haven’t, check out Iron Skillet on GitHub to see what the starting configuration should be and sit down with your teams to discuss the scenarios you would need to cover. My scenario was fine with the Iron Skillet basic configuration, but I could see scenarios of Third-Party access, Customer Access, Restricted Data Classification Access and more being possibilities depending upon the network architecture.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.