Documente Academic
Documente Profesional
Documente Cultură
Tech Note
PAN-OS 6.0
Deployment modes are configured on an interface level and can be combined on the same firewall appliance. The
threat prevention capabilities discussed in this document can be enabled for each of these deployment modes.
For detailed information on the different deployment modes and an overview of available scenarios, please refer
to the following document on Knowledgepoint (support login required):
Threat prevention capabilities of the Palo Alto Networks next-generation firewall currently include the following:
Application Identification
User Identification
URL Filtering
Antivirus
Anti-Spyware
Vulnerability Protection
File Blocking
Wildfire Advanced Malware Protection
DoS Protection
Zone Protection
Each of these functionalities can protect against specific types of threats and can be configured through firewall
rules, security profiles and zone settings. When combined, these functionalities provide an excellent defense-in-
depth mechanism and at the same time improve visibility and control over the network.
The following trends are observed upon closer inspection of network application behavior:
Many Internet bound networking applications are designed to access the Internet over port 80 using the
HTTP protocol or they use port 80 as a fallback port in case their regular port is blocked.
SSL encryption is used more and more in order to securely tunnel applications through the firewall.
Internal applications often use multiple and/or dynamic ports to facilitate communication between end
points.
Using traditional firewalls, it becomes difficult for security administrators to maintain visibility and
distinguish between applications based on port or protocol alone.
Applications by themselves can be used as a launch platform for attacks and carry threats inside a companys
network. Application identification and control helps in reducing the attack surface for your organization, which is
defined as the sum of all possible exploitable targets. All systems, services, applications and users on your network
are a potential target for cybercriminals. By creating security policies based on true application identification
rather than port or protocol alone, it is possible to reduce the risk your systems, services, applications and users
are exposed to. This is done by only allowing those applications that are required for day-to-day business use and
by consequently blocking all others.
Here are some examples of common applications as seen in todays company networks:
Some applications will also contain a number of application functions. For example, the application Facebook has
application functions such as facebook-base, facebook-chat, facebook-mail, facebook-posting, etc. In order to
enforce proper security policies, it may be required to only allow certain applications functions instead of the
complete application.
A full overview of each supported application is available via the Applications view under the Objects tab or via the
Applipedia web page at: http://apps.paloaltonetworks.com/applipedia/
Unknown applications
One specific use case of application identification is the ability of the App-ID engine to identify and control
unknown applications. Unknown applications are applications that are not part of the current App-ID application
database and are identified as unknown-udp, unknown-tcp or unknown-p2p.
With regards to App-ID as a threat prevention mechanism, the ability to identify and control unknown applications
becomes important as a generic approach to block malware communication. Malware will often use a proprietary
protocol to communicate with outside command-and-control servers and in many cases this traffic is identified as
unknown.
Recommendations
The key principle to apply when defining an application based firewall policy is to build a policy that uses a positive
enforcement approach. Positive enforcement means that you selectively allow what is required for day-to-day
business operations as opposed to a negative enforcement approach where you would selectively block everything
that is not allowed. A negative enforcement approach requires you to keep track of any new applications and
constantly adapt your policy to block them. This would be a non-stop task and would still leave a high risk gap. A
positive enforcement approach only requires you to define an allowed list of applications and have the firewall
block everything else with a cleanup rule at the end of the rule base.
Heres an example of the recommended approach showing a positive enforcement firewall policy.
As you can see, it will be much easier to maintain a positive enforcement firewall policy over time as you will only
need to add those applications required for day-to-day business operations.
When switching from a port-based to an application-based firewall security policy, the most important task is to
determine what applications should be allowed for day-to-day business operations. If no well-defined list of
allowed applications exists, it is advisable to first configure the Palo Alto Networks firewall as a traditional port-
Unknown applications
Given that the App-ID application database now covers most Internet applications, any observation of unknown
traffic should be investigated. In order to apply better control over unknown applications and potentially related
malware, it is advised to create custom applications or configure application override policies where needed to
identify and allow known-good applications that are initially detected as unknown. Combining this approach with a
positive enforcement firewall policy will give you strict control over unknown applications, both known-good and
bad ones.
More information on handling unknown applications can be found here: Unknown applications
Besides explicitly defining what applications are allowed, access to applications should also be restricted on a user
group level as opposed to using IP addresses in the source fields. The following topic will discuss User-ID in detail.
Use Case
The use case section for each topic will create an example policy that describes how to enable and deploy each
feature in an actual security policy.
This first part of the use case will focus on controlling application access for external hosts to public services such
as web or mail servers for our example company. In our use case, access policies for two services will be created:
web and e-mail.
To allow outbound access from the DMZ for update purposes, an additional rule will be created.
By defining access by application rather than port or protocol, any traffic to the public services that does not match
the application will be denied. This approach reduces the attack surface for these services by disallowing any
applications that may have been inadvertently been left enabled on the server, but are not required for proper
operation.
Observations
Logs
An overview of all application activity can be consulted via the App Scope Network Monitor, under the Monitor tab.
Drill-down analysis can be performed via the Application Command Center (ACC).
Network Monitor
Traffic that matches a rule will generate a log entry in the firewall traffic log if logging is enabled for that rule. A
rule can have logging enabled on session end (default), but also on session start.
Traffic Log
Unknown applications
Any new instances of traffic identified as unknown-udp, unknown-tcp or unknown-p2p will trigger a packet capture
that is included in the corresponding traffic log. These packet captures may provide an initial indication about the
type of traffic.
Application dependency
Certain applications will depend on other applications for proper operation. In order to allow applications, it is
required that the parent applications are allowed as well. The most common example of such application
dependency is the reliance of web-based applications on applications ssl and web-browsing. Within one particular
application it is also possible that applications functions depend on a parent application. For example, the
application function facebook-posting depends on the parent application facebook-base.
The application web-browsing is a very generic application that encompasses any http-based traffic that is not
recognized as a specific application. If the Palo Alto Networks firewall is positioned in between host systems and a
web-proxy, any proxied http traffic is classified as application http-proxy instead of web-browsing.
As of 5.0, application dependency has been removed for applications that can be identified within a pre-
determined point in the session, and use any of the following protocols: HTTP, SSL, MSRPC, RPC, t.120, RTSP, RTMP,
and NETBIOS-SS. Custom applications based on HTTP, SSL, MS-RPC, or RTSP can also be allowed in security policy
without explicitly allowing a parent application. For example, if you want to allow Java software updates, which
use HTTP, you no longer have to allow web-browsing.
Should you want to allow only specific applications that still have an explicit dependency on web-browsing and at
the same time block all or selected generic web-browsing, you can apply a URL Filtering profile for this purpose.
For more information on URL filtering, see the dedicated topic on this.
Active Directory
LDAP
eDirectory
In addition, there is a User-ID agent for Citrix and Microsoft Terminal Services environments and it is possible to
rd
feed 3 party authentication information through a User-ID API. This allows integration with other network
components that have already authenticated a user, e.g. wireless access solutions.
When using Active Directory, User-ID can be performed transparent to the end-user by deploying one or more
User-ID agents that can monitor user logon events on domain controllers and Exchange servers and perform IP-
address-to-user name mapping. This information is then passed on to the firewall(s) that will perform user-to-
group mapping and match user IDs and/or user groups to the right policy rules.
Recommendations
When creating policies based on users and groups, it is advised that you make separate rules per user or user
group rather than combine users or groups into one rule, even if they have the same access privileges. This
approach will make overall access management easier for each group. It will also provide more rule-based filtering
possibilities when building custom reports.
In case the User-ID agent is used to provide IP-address-to-user name mapping, it is advised that you deploy
multiple agent instances for redundancy purposes. In addition, you can define a Captive Portal rule for any users
on the network that are not authenticated transparently, e.g. because their host machine is not part of the AD
domain.
Use Case
In this particular part of the security policy design, the following list of applications required per user group has
been defined:
Translating this allow-list into a firewall security policy results in the following rule base:
The policy as shown above will reduce the attack surface for these user groups and at the same time improve
workforce performance by blocking access to non-work related applications.
Observations
Authentication
If user authentication is performed against Microsoft Active Directory using the User-ID agent, then authentication
will be done transparent to the user if the user has previously logged on to the domain, i.e. the user will not notice
the authentication process.
If user authentication is performed against an LDAP directory, a Captive Portal page will be presented to the user.
Log entries can be consulted from the Monitor tab, under Logs -> Traffic. As you can see from the screenshot
below, the user name will be present in the log entry.
Traffic Log
User Notification
When access to a web-based application is blocked, the user will receive a notification in the browser window. The
message and page layout can be customized.
Once firewall access rules have been enabled, a URL Filtering profile can be applied to those rules that allow web
access for internal hosts and users in order to further reduce the overall attack surface of your company. In its
most basic form this can be done by blocking access to those sites classified as being undeniably malicious. Other
possibilities include blocking access to those web categories or sites that pose an increased risk because they serve
a large audience and as such are a favorite source platform for malware propagation by cybercriminals. Examples
include file-sharing sites, user forums or social media sites.
URL Filtering can be enabled either by placing categories directly in the security rule or by defining and enabling a
URL Filtering profile per rule.
There is one default profile available for URL Filtering, which blocks access to the following categories:
Abused-drugs
Adult
Gambling
Hacking
Malware
Phishing
Questionable
Weapons
Custom profiles can be created to filter categories following the companys security or acceptable-use policies.
Recommendations
The URL Filtering feature can potentially generate a large amount of log entries. In order to reduce the log volume,
you can configure a URL Filtering profile to only log container pages. This will only create a log entry for those URIs
where the requested page file name matches certain mime-types. The default set includes the following mime-
types:
application/pdf
application/soap+xml
application/xhtml+xml
text/html
text/plain
text/xml
You can add additional container page mime-types under Device -> Setup -> Content-ID -> Content-ID features ->
Container Pages.
Use Case
In our use case, we will define a URL filtering policy based on the following requirements:
1. Access to the following external sites should be blocked for everyone using the companys Internet link.
This includes employees and guests.
Hacking
Malware
Peer-to-peer
PhishingProxy-avoidance-and-anonymizers
Questionable
2. Access to any other external site should be monitored and alerted on for authenticated users, but not
blocked.
3. Access to any other external site should be blocked for non-authenticated users.
4. Access to the company web site should be allowed for everyone, both internal and external. No URL
filtering should be performed on this type of traffic.
The first requirement can be accomplished by creating a firewall block rule for these categories. By placing this rule
before any other rules that allow outbound access you can assure that no person or system behind the firewall can
access any of these categories.
Note: The above policy rule may generate application dependency warnings during commit for ssl and web-
browsing dependent applications because the action is set to block and URL categories in policy rules are not
considered during application dependency checking. While this does not impact proper firewall functionality, these
warnings may not be desired. An alternative approach would be to configure the block action for these categories
in the URL profile, as described under the second requirement below.
The second requirement can be accomplished by creating a URL Filtering profile that alerts on all categories and
you then apply this profile to the access rule that is already in place for each user group. One additional firewall
rule will be created to match any remaining authenticated users that do not match the existing rules.
The third requirement is accomplished by creating a general block rule that blocks any traffic not explicitly allowed.
This rule is then placed at the bottom of the rule base.
Note: A Block All rule can potentially block connections that are required for proper firewall management and
operation of the firewall if the firewall management IP address is accessed through the firewall. Make sure you
include the necessary rules to allow firewall management traffic should this be the case.
The fourth requirement is accomplished by the External Web Access rule that was placed at the top of the rule
base under the Application Identification section of this use case.
Observations
Logs
Drill-down analysis based on URL categories can be performed via the Application Command Center (ACC).
URL Filtering log entries can be consulted via the URL Filtering log view, under the Monitor tab. The detailed view
for a particular URL will also reference related logs associated with that URL log entry.
User Notification
When access to a web site is blocked, the user will receive a notification in the browser window. The message and
page layout can be customized.
HTTP
FTP
SMTP
IMAP
POP3
SMB
Files transferred by any application that uses any of the above protocols can be inspected by the Antivirus feature.
Inspection is done through stream-based analysis, which means files are not cached or stored in their entirety on
the firewall, but analyzed in real-time as they pass through the firewall.
Currently there is one predefined profile - named default - available for the Antivirus profile. This profile has the
default action configured for each protocol. The default action differs for each protocol and follows the most up-
to-date recommendation from Palo Alto Networks. The current default action for each protocol is listed below.
HTTP BLOCK
FTP BLOCK
SMTP ALERT
IMAP ALERT
POP3 ALERT
SMB BLOCK
Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in most cases there is
already a dedicated Antivirus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not
possible to clean files or properly terminate an infected file-transfer in-stream without affecting the entire session.
This is due to shortcomings in these protocols to deal with this kind of situation.
Custom profiles can be created and allow you to customize the action for each protocol.
Recommendations
The default Antivirus profile can be used in most situations where dedicated SMTP, POP3 and/or IMAP-scanning
solutions are also present. Because predefined profiles are read-only, it is advised to work with a custom clone of
the predefined profiles, so exceptions can be defined when needed.
If no dedicated Antivirus gateway solution is present for SMTP, it is possible to define a custom Antivirus profile
and apply the BLOCK action to infected attachments. In such case, a 541 response will be sent back to the sending
SMTP server to prevent it from resending the blocked message.
Typically, Antivirus signatures have an extremely low false positive rate. Should a false positive occur, it is possible
to exclude specific Threat IDs from detection by defining Virus Exceptions in the Antivirus profile. For the same
purpose, certain applications can also be excluded from being inspected. In such cases, it is best practice to create
Use Case
In our use case, we will enable Antivirus for all traffic generated by internal users. A clone of the default Antivirus
profile will be applied to each rule.
Additionally we will also enable Antivirus for outbound update traffic from the DMZ.
Observations
Logs
An overview of Antivirus activity can be consulted via the App Scope Threat Monitor, under the Monitor tab.
Drill-down analysis can be performed via the Application Command Center (ACC).
Details for each Antivirus alert can be consulted via the Threat log view, under the Monitor tab. The detailed view
for a particular threat will also reference related logs associated with the threat log entry.
Threat Log
User Notification
Users who are attempting to download an infected file will be presented with a Virus Download Blocked message
in the browser. The message and page layout can be customized.
There are two predefined profiles available for the Anti-Spyware feature:
The default profile applies the default action to all critical, high, medium and low severity spyware
events. It does not detect informational severity spyware events.
As of 5.0, the default profile applies the alert action to DNS queries that trigger DNS signatures for
malware domains.
The strict profile applies the block response to critical, high and medium severity spyware events and
uses the default action for low and informational severity spyware events.
As of 5.0, the strict profile applies the block action to DNS queries that trigger DNS signatures for
malware domains.
In addition to the predefined Anti-Spyware profiles, you can create custom profiles tailored to the environment
you want to protect. A custom profile can contain one or more rules and exceptions that define which Anti-
Spyware signatures to include.
DNS Sinkholing
As of 6.0 the Anti-Spyware profile offers the ability to apply a sinkhole action to DNS queries made to malicious
domains. The DNS sinkhole action provides administrators with a method of identifying infected hosts on the
network using DNS traffic, even when the firewall is north of a local DNS server (i.e. the firewall cannot see the
originator of the DNS query). When a threat prevention license is installed and an anti-spyware profile is enabled in
a security profile, the DNS-based signatures will trigger on DNS queries directed at malware domains. In a typical
deployment where the firewall is north of the local DNS server, the threat log will identify the local DNS resolver as
the source of the traffic rather than the actual infected host. Sinkholing malware DNS queries solves this visibility
problem by forging responses to the queries directed at malicious domains, so that clients attempting to connect
to malicious domains (for command-and-control, for example) instead attempt connections to an IP address
specified by the administrator. Infected hosts can then be easily identified in the traffic logs because any host that
attempts to connect to the sinkhole IP are most likely infected with malware.
Passive DNS
As of 6.0, the Anti-Spyware profile also offers the ability to enable passive DNS collection. Passive DNS is an opt-in
feature that enables the firewall to act as a passive DNS sensor and send select DNS information to Palo Alto
Networks for analysis in order to improve threat intelligence and threat prevention capabilities. The data collected
includes non-recursive (i.e. originating from the local recursive resolver, not individual clients) DNS query and
response packet payloads.
Recommendations
The predefined profiles will cover the majority of use cases. Because predefined profiles are read-only, it is advised
to work with a custom clone of the predefined profiles, so exceptions can be defined when needed. In
environments where blocking traffic is not allowed, a custom profile can also be used to only alert on spyware
events.
Use Case
In our use case, we will enable Anti-Spyware for all traffic generated by internal users. A clone of the strict Anti-
Spyware profile will be applied to each rule.
In addition, it is advisable to also turn on Anti-spyware for any security rules that allow outbound traffic from the
DMZ.
An overview of all Anti-Spyware activity can be consulted via the App Scope Threat Monitor, under the Monitor tab.
Drill-down analysis can be performed via the Application Command Center (ACC).
Details for Anti-Spyware alerts can be consulted via the Threat log view, under the Monitor tab. The detailed view
for a particular threat will also reference related logs associated with the threat log entry.
Currently there are two predefined profiles available for the Vulnerability Protection feature:
The default profile applies the default action to all client and server critical, high, and medium severity
vulnerabilities. It does not detect low and informational vulnerability protection events.
The strict profile applies the block response to all client and server critical, high and medium severity
spyware events and uses the default action for low and informational vulnerability protection events.
In addition to the predefined Vulnerability Protection profiles, you can create custom profiles tailored to the
environment you want to protect. A custom profile can contain one or more rules and exceptions that define
which vulnerability protection signatures to include.
Recommendations
When deploying vulnerability protection, special care should be taken to avoid a negative impact on the protected
traffic. While vulnerability protection signatures are developed with great care and are submitted to extensive
regression tests, some of the signatures are generic in nature and can trigger on traffic coming from misconfigured
services or faulty applications. This is especially true for applications that have been custom-built such as in-house
developed web applications. Because of this, it is generally not a good idea to simply turn on blocking for large
groups of signatures without prior examination of those signatures and the potential impact they may have on the
network.
If time and circumstances permit, it is advised to include an analysis phase in the vulnerability protection
deployment timeline. In particular for environments where service availability is critical, such a phase will be
required to assure proper functionality of the infrastructure once vulnerability protection is made fully operational.
In general, it is advised to start with a profile that uses the default action for each signature. Alternatively, it is
possible to deploy a custom vulnerability protection profile in alert-only or monitoring mode first, to obtain a clear
picture on how blocking-mode may affect the infrastructure. Such a profile will have the action set to alert for
each signature. For a more detailed description of the steps involved to deploy an alert-only profile during an
analysis phase, see Appendix C: Guidelines for the Vulnerability Protection Analysis Phase.
Use Case
In our use case, we will enable Vulnerability Protection for all traffic generated by internal users as well as
outbound traffic for the DMZ. A clone of the default Vulnerability Protection profile will be applied to each rule.
Observations
Logs
An overview of all Vulnerability Protection activity can be consulted via the App Scope Threat Monitor, under the
Monitor tab.
Drill-down analysis can be performed via the Application Command Center (ACC).
Details for Vulnerability Protection alerts can be consulted via the Threat log view, under the Monitor tab. The
detailed view for a particular threat will also reference related logs associated with the threat log entry.
Threat Log
Starting with firmware 5.0, it is possible to create IP address-based exceptions for Vulnerability Protection events.
This can be accomplished by clicking on the threat name in the Threat log view and adding the exempt IP
addresses for selected exempt profiles in the pop up window.
Recommendations
File blocking can be particularly useful in preventing users from downloading and installing additional software on
company assets and can also prevent drive-by-downloads. No predefined file blocking profiles exist, but they are
easy to configure.
Use Case
In our use case, we will implement the following requirements with regards to file blocking for all user groups
except the IT user group.
- Block executables
- Block torrent files
- Warn the user when downloading encrypted files
This profile is then enabled for each user access rule except the IT user group.
Observations
Logs
File transfers in sessions matching a rule with a file blocking profile enabled will generate a log entry in the Data
Filtering log view, under the Monitor tab.
User notification
When a file download is blocked, the user will see a block or continue notification in the browser.
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct observation in a
virtual environment within the WildFire system. The WildFire feature also makes extensive use of Palo Alto
Networks App-ID technology by identifying file transfers within all applications, not just email attachments or
browser-based file downloads.
The key benefits of the Palo Alto Networks WildFire feature is that it can discover zero-day malware and can
quickly generate signatures to protect against future infections of all of the malware it discovers. The firewall can
provide instant alerts whenever malware is detected on your network by sending email alerts, syslog alerts, or
SNMP traps. This allows you to quickly identify the user who downloaded the malware and eradicate it before it
causes extensive damage or propagates to other users. In addition, every signature generated by WildFire is
automatically propagated to all Palo Alto Networks firewalls protected with a Threat Prevention and/or WildFire
subscription, which provides automatic protection from malware even if it was not found in your network. Palo
Alto Networks is currently discovering and generating signatures for thousands of zero-day malware every week
and this number continues to grow.
Recommendations
As of 6.0, WildFire is capable of analyzing files of type APK, MS-Office, JAR, CLASS, and PDF in addition to the
executable file types that were already supported. To forward these file types to the WildFire analysis engine, a file
blocking profile needs to be created with an action of forward or continue-and-forward.
Note: A WildFire subscription is required to forward the new file types to WildFire.
Use Case
In our use case, we will enable forwarding of files to WildFire for the IT user group. The file blocking profile looks as
follows:
Additionally, we will enable WildFire also for all other users by adapting the existing file blocking profile. The new
file blocking profile now looks like this:
Observations
Logs
File transfers in sessions matching a rule with file blocking profile will generate a log entry in the Data Filtering log
view, under the Monitor tab.
Forward is displayed if the file is successfully forwarded by the file blocking profile and security policy.
Wildfire-upload-success will be displayed if the file was sent to WildFire. This means the file is not signed
by a trusted file signer and it has not been previously analyzed by WildFire.
Wildfire-upload-skip will be displayed for malware that has been seen before, so the sample does not
need to be sent to the WildFire cloud. In this case, only session information (if enabled) will be sent in
order to show a log entry in the WildFire web portal and in the Data Filtering log on the firewall. If benign
file logging is enabled, wildfire-upload-skip will also be displayed for benign files that have been seen
before.
As of 5.0, additional log entries will be recorded in the WildFire log for files which have been found to be malicious.
With PAN-OS 5.0, full details of the WildFire analysis can be obtained via the View WildFire Report button in the
log details. This will launch a web browser directing you to the WildFire portal. The WildFire portal can also be
reached directly at https://wildfire.paloaltonetworks.com
The new report can be downloaded as a pdf from this window and also offers the ability to download the original
sample file and pcap file of network traffic from the malware sample as seen by WildFire. Furthermore, the new
User notification
When a file download is performed and the file is identified as malicious because it matches a WildFire signature,
the file will be blocked according to the settings in the Anti- Virus profile and the user will receive a notification in
his browser.
Flood ProtectionDetect and prevent flooding attacks where the network is flooded with packets which
typically result in too many half-open sessions and/or services being unable to respond to each request. In
this type of attack, the source address is often spoofed. Flood Protection can start blocking packets on an
aggregate or classified basis as soon as a configurable threshold has been exceeded.
Resources ProtectionDetect and prevent session exhaustion attacks. This type of attack is typically
performed using a large amount of source hosts (bots) to create as many fully established sessions as
possible. It is more difficult to detect as the sessions may be used to send valid-looking requests to the
target host. Resources Protection can limit the amount of available sessions on an aggregate or classified
basis.
Both mechanisms can be used together in the same DoS Protection profile.
Recommendations
Defining the correct DoS Protection profile(s) largely depends on what services require protection and what
audience will be served. Because each environment is different, a certain amount of up-front analysis will need to
be done. Some configuration examples are provided further down this guide.
Regardless of the environment, it is important to pay special attention to the following factors.
Note: As of 4.0, SYN-cookie is active by default if selected as a protection mechanism with the default Activate
Rate setting (Activate Rate = 0).
Maximal Rate
When the Maximal Rate threshold is exceeded, any further packets that match the DoS Protection rule and
classification criteria (in case of a classified profile) will be dropped for the block duration specified. The default
value for SYN-cookie is 1.000.000 which will prevent it from being triggered in almost any environment. You should
adjust this value to match your environment in the following scenarios:
To protect against TCP SYN floods where Random Early Drop is used.
To protect against UDP, ICMP or other IP floods.
When SYN-cookie is used in a source-ip classification profile and there is never a need for a client to send
more SYN pps than the maximal rate value. The SYN-cookie mechanism already provides protection by
itself, so the maximal rate value will not provide additional protection to any service except for the
firewalls SYN-cookie mechanism itself.
When configuring DoS thresholds for flood and resources protection it is important to understand the difference
between aggregate and classified profile types.
AggregateApplies the DoS thresholds configured in the profile to all packets that match the rule criteria
on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10000
packets per second (pps) counts all packets that hit that particular DoS rule.
From these definitions, you can already guess that an aggregate profile will be the better choice when protecting
against attacks from the Internet. A classified profile is less appropriate here because there may be many clients
residing behind a NAT device.
For internal clients not behind a NAT device, a source-ip classification profile may be a good fit from a resource
limitation point of view. For example, in an educational environment where internal clients are allowed to run any
type of tool (e.g. peer-to-peer) this can be used to limit the amount of concurrent sessions per client to prevent
overall session saturation.
SYN-cookie is a superior mechanism to counter SYN flood attacks. It is preferred over Random Early Drop for
defending against SYN floods. For other traffic, Random Early Drop is the default and only option. Random Early
Drop starts randomly dropping packets if the packet rate is between the Activate Rate value and Maximal Rate
value. The drop probability increases linearly with the packet rate. If the packet rate exceeds the Maximal Rate
value then all excess packets will be dropped.
Use Case
The following examples will provide some ideas on how to implement DoS Protection profiles.
With only one or more web servers to protect, DoS Protection profiles and rules can be very generic. However, it is
good practice to already plan for future service additions by making the DoS Protection rules as specific as possible.
Requirements:
A DoS Protection profile that protects against SYN floods as well as TCP session exhaustion attacks.
One or more DoS Protection rules that apply the profile to matching traffic.
To protect against SYN Floods, it is advised to use the SYN-cookie mechanism over Random Early Drop as it is
superior in preventing floods to reach the target. Adjust the rate values based on actual session data from the
protected environment.
To protect against session exhaustion, you should balance the advantages and disadvantages of the following
techniques and choose the most appropriate one or a combination for your environment:
Use a classified profile with limited concurrent sessions per source-destination-ip. This will reduce the
impact from a limited botnet attack while maintaining availability for regular clients. If you set the session
limit too low, this may affect concurrent clients accessing your web service from behind a NAT device. If
you set it too high, it becomes easier for a small botnet attack to exhaust all available sessions.
Use an aggregate profile in combination with geo-IP location data in the DoS Protection rule base. An
aggregate profile in itself is not sufficient to prevent a session exhaustion attack, but combined with geo-
IP location data in the DoS Protection rule base, it can reduce the impact of a global DDoS attack. This
approach is acceptable if the main audience for your web service resides in a select list of countries.
Once the necessary DoS Protection profiles have been defined, you can make them active by creating DoS
Protection rules. DoS Protection rules define source and destination parameters on which the profile will be
applied.
It is best practice to make the rules as specific as possible. For this particular example situation, you would define a
rule for each server/service you want to protect. By doing so, the counter values defined in the profile will apply
only to the server/service defined in the rule.
The screenshot below shows a DoS rule configuration using an aggregate profile in combination with geo-IP
location data.
Note that you can use negate to assign a specific DoS Protection profile to any source IP address not from a
particular country. This can be a worthwile approach in DDoS defense by limiting sessions for countries that do not
typically fall within the general visitor audience for an enterprises web site.
Observations
Flood Protection
When enabled and triggered, Flood Protection alerts are sent to the Threat Log. Log entries will display different
values for source and destination zones and addresses depending on the type of DoS Flood Protection that was
configured. Destination port will always show 0.
When set to aggregate, then both source and destination address fields will display 0.0.0.0 and no zone
information is displayed.
When set to classified, source and destination address fields will display the actual addresses if they are
part of the classification criteria.
o E.g. source-ip will only list actual source IP addresses
o E.g. source-dest-ip will list actual source and destination IP addresses
When enabled, Resources Protection will limit the number of concurrent sessions that match the DoS Protection
rule. No log entries will be created when the maximum number is reached. There is a session timeout that will
keep a session in the state table for 30 seconds by default after the session has been ended with FIN/RST. The
result is that the actual number of concurrent active sessions as perceived from the client side may not always
match the maximum number configured in the DoS Protection profile. See Appendix D: Slow HTTP Test Output
for the output of a slowhttptest attack for further clarification.
Flood ProtectionPrevents flooding attacks in the same way as the Flood Protection feature in DoS
Protection profiles.
Reconnaissance ProtectionDetects and blocks port scans and host sweeps.
Packet Based Attack ProtectionProvides protection against specific IP level attacks.
Recommendations
Zone protection profiles can only be applied to entire zones. Therefore it is important to investigate any possible
issues that may arise when applying zone protection profiles.
Flood Protection
Configure Flood Protection settings based on the number of packets you want to allow to each service behind the
firewall. Settings apply to all traffic that enters the network through any interface in the zone on which the Zone
Protection Profile is active, but a separate counter is maintained for each source IP/destination IP/destination port
tuple.
Reconnaissance Protection
In general it should be safe to enable this feature on external zones. For internal zones however, you should make
sure settings will not negatively affect any monitoring tools that often use the same scanning techniques to
determine if servers and services are up and running.
In general it should be safe to enable this feature on external zones. For internal zones however, you should make
sure settings will not negatively affect network communications from other devices that may rely on some of these
techniques for proper operation.
One specific example is the use of ICMP Ping ID 0, where other devices may use this type of packet to check
availability of hosts they need to communicate with. Blue Coat proxy devices have been known to do this.
Use Case
In our use case, we will enable a Zone Protection profile for the untrustL3 zone, i.e. the zone where public traffic
is reaching the firewall.
Zone settings
Observations
Flood Protection
Flood Protection is identical to the same feature available in DoS Protection profiles. However, since it can be
applied to a zone only, there are less fine-tuning options available to match specific traffic flows based on service
or IP address as you could do with DoS Protection rules.
Flood Protection enabled under Zone Protection is applied to the aggregate traffic seen on a specific zone. It will
maintain a single counter for all traffic, regardless of source IP/destination IP/destination port. This is similar to
Flood Protection under DoS Protection, when an aggregate profile type is selected.
Reconnaissance Protection
Reconnaissance protection can detect and block host sweep and TCP & UDP port scans. It will trigger when the
amount of scan packets exceeds the thresholds within the intervals specified.
TCP and UDP Port scan will trigger when a TCP or UDP port scan is executed against a single host and the
scan packet rate exceeds the configured threshold.
Host Sweep will trigger when a range of hosts is scanned on specific ports either through TCP, UDP or
ICMP.
When enabled and triggered, Reconnaissance Protection alerts are sent to the Threat Log.
Packet Based Attack Protection can detect and prevent attacks that try to evade firewall inspection. When enabled,
packets that match detection criteria will be dropped and since this type of traffic is considered noise, no log entry
will be written to the Threat Log.
Unknown TCP/UDP Botnet traffic is regularly encrypted and unknown. Since Palo Alto Networks
identifies all traffic tracking unknown TCP and UDP traffic can be a perfect starting point for finding bot-
infected machines. The report allows staff to track unknown traffic by sessions, destinations and bytes.
Presence of Dynamic DNS Malware will often use dynamic DNS in order to make botnet
communications more difficult to track. By bouncing traffic between multiple infected hosts with an ever-
changing list of IP addresses, it can become very difficult to track the path of the bot and its true source
and destination.
Activity on Known Malware Sites As part of the URL filtering solution, Palo Alto Networks constantly
tracks sites that have hosted malware whether intentionally or unintentionally. Palo Alto Networks can
track if a user is repeatedly visiting one of these sites and attempting to download files.
Visiting Recently Registered Domains Botnets are constantly moving around in order to avoid detection
and to recover as servers are discovered or disabled. As a result, botnets will often have to use new
domains to support the command and control infrastructure. A user repeatedly visiting a newly registered
domain will certainly not be conclusive, but may help to provide corroborating evidence of an infection.
Browsing to IP domains Instead of URL In a similar vein, bots will often use hard-coded IP addresses or
known IP ranges in order to communicate as opposed to users which typically prefer to use URLs. As with
tracking newly registered domains, tracking connections using IP domains can sometimes indicate the
presence of a bot at work as opposed to a human.
Executable files from unknown sites Identifies executable files downloaded from unknown URLs.
IRC traffic IRC traffic is one of the most well-known communication methods for botnets, and provides
an additional strong piece of correlating data for finding a bot.
The Behavioral Botnet Report takes all of the factors above and automatically correlates them to find hosts that
are likely infected with a bot. When run, the report provides specific directory user names of the users or machines
that are likely infected along with what behaviors contributed to the analysis. Each user is also provided a score
based on how many of the factors listed above were correlated, allowing staff to focus on the devices that are the
most likely to be infected.
Recommendations
The behavioral botnet report is enabled by default. It will run on a daily basis and generate a report on the
detected behaviors for the previous day. It may be required to further tune the default detection threshold values
based on the initial report findings.
One notable configuration setting that will have a positive impact on performance is DSRI or Disable Server
Response Inspection. With DSRI turned on, server response traffic is not inspected, which will increase the
throughput capacity. Obviously, enabling this feature is only recommended for trusted servers.
Upon the initial installation of a Threat Prevention update, the default action for each signature is set by the Palo
Alto Networks Threat Prevention research team to the most appropriate response at any moment based on a
wider set of criteria. The default action can change over time when new threat prevention updates are released.
The default action can also be modified on a per-signature basis when creating a custom profile.
Below are the available actions that can be applied to individual Anti-Spyware and Vulnerability Protection events.
Allow
Alert
Block-IP
Drop
Drop-all-
packets
Reset-both
Reset-client
Reset-server
For the Antivirus feature, the default action is not set on a per-signature basis, but configured and applied per
protocol.
Below are the available actions that can be applied to Antivirus events.
Allow
Alert
Block
The following steps will help you determine the correct profile settings for a given location or host.
The goal here is to create a alert-only protection profile that has alert defined as the action for each signature.
This will prevent the accidental blocking of legitimate traffic during the analysis phase. You can accomplish this
with one profile rule that includes all signatures. The disadvantage of this approach is that the threat log will not
display the actual action applied when in blocking mode using the default action for each signature.
Alternatively you can monitor a segment or host via a port of the firewall in TAP-mode and use a protection profile
that applies the default action for each signature. This will also prevent the accidental blocking of legitimate
traffic, but the advantage here is that the threat log displays the actual action that would be taken for each
signature when in blocking mode.
Configure the necessary firewall rules for hosts and segments you want to protect.
During the analysis phase, it is important to define and match the firewall security policy rules as close as possible
to what the final security policy will look like. This will help you map vulnerability protection events to specific
segments, hosts and traffic flows in your network and facilitate the analysis phase.
Initially, you will have the alert-only profile applied to each rule. Over time, it may be required to create
additional profiles that are fine-tuned for specific network segments or hosts.
The goal here is to acquire a representative baseline set of threat log events that can be used as the starting point
for further fine-tuning of the vulnerability protection profile(s). It is important to define the monitor period in line
with regular business and infrastructure management processes that may only occur at specific times, e.g. once a
month.
Depending on the severity and type of threat detected, the source and destination as well as the recurrence of an
event, this may or may not be an easy task at hand. Especially for those events that are generic in nature and
where custom applications are involved, this may require some detailed analysis. The possibility to take a packet
capture of these events can be of great help here.
A classic example is a custom web application that relies on a back-end database system. If the web application is
not well coded, certain injection attack signatures may in fact trigger on what is typical traffic for the application.
The same applies to generic cross-site scripting signatures.
Another example is the probing that some network infrastructure monitoring tools perform against components
in the network. While these can also trigger certain signatures, the severity for this type of event is typically low or
informational. Nevertheless, it is important to verify that there is an exception defined in case a block action
should be required.
Use the gathered analysis information to build and fine-tune a block-enabled protection profile.
Once the analysis results are consistent, they can be used to create vulnerability protection profiles that provide
adequate protection tailored to the requirements for the different segments or hosts in the network. In most cases,
fine-tuning will consist of adding exceptions to the general vulnerability protection rules, either in order to avoid a
false positive or to modify the default action for specific signatures.
Slowhttptest tool used to open 1000 connections at a rate of 200 new connections per second.