Data Center Best Practice Security Profiles
This document summarizes the best practice configurations for various Security Profiles in Palo Alto Networks firewalls, aimed at protecting data center environments from known and unknown threats.
Antivirus Profile
Purpose:
Detects and blocks viruses, worms, and trojans in traffic across multiple protocols.
Best Practices:
- Clone the default Antivirus profile and modify it to reset both client and server upon detection.
- Apply the profile to all security policy rules that allow traffic.
- Ensure coverage for protocols: FTP, HTTP, HTTP2, IMAP, POP3, SMB, and SMTP.
Reference:
Create the Data Center Best Practice Antivirus Profile
Anti-Spyware Profile
Purpose:
Identifies and blocks spyware and command-and-control traffic.
Best Practices:
- Clone the predefined strict Anti-Spyware profile.
- Enable DNS sinkhole with packet capture to identify infected hosts.
- Retain default actions to reset connections for medium, high, or critical severity threats.
Reference:
Create the Data Center Best Practice Anti-Spyware Profile
Vulnerability Protection Profile
Purpose:
Protects against exploits and protocol anomalies targeting client and server vulnerabilities.
Best Practices:
- Clone the predefined strict Vulnerability Protection profile.
- Enable single packet capture (PCAP) for all rules except informational ones.
- Apply the profile to all security policy rules that allow traffic.
Reference:
Create the Data Center Best Practice Vulnerability Protection Profile
File Blocking Profile
Purpose:
Blocks or alerts on specific file types to prevent the transfer of malicious files.
Best Practices:
- Use the predefined strict File Blocking profile to block high-risk file types.
- Alert on other file types to gain visibility and determine if policy adjustments are needed.
- Customize the profile as necessary to accommodate business-critical applications.
Reference:
Create the Data Center Best Practice File Blocking Profile
WildFire Analysis Profile
Purpose:
Detects unknown threats by forwarding files to WildFire for analysis.
Best Practices:
- Use the default WildFire Analysis profile to forward all unknown files.
- Ensure that WildFire content updates are downloaded and installed automatically.
- Apply the profile to all security policy rules that allow traffic with potential file transfers.
Reference:
Create the Data Center Best Practice WildFire Analysis Profile
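As an added example (not part of the original document or of any Palo Alto Networks tooling), the script below audits a configuration export against three of the checks summarized above: antivirus decoder actions for the listed protocols, the anti-spyware DNS sinkhole, and whether every allow rule has all five profile types attached. The sample XML is constructed, and its element layout (vsys, profiles, rulebase) follows the PAN-OS configuration schema as an assumption; profiles attached through a security profile group are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS-style config export, deliberately incomplete.
# Element layout is assumed to follow the PAN-OS schema; profile/rule names are made up.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
<profiles>
 <virus><entry name="dc-av"><decoder>
  <entry name="http"><action>reset-both</action></entry>
  <entry name="ftp"><action>reset-both</action></entry>
  <entry name="smtp"><action>alert</action></entry>
 </decoder></entry></virus>
 <spyware><entry name="dc-as"><botnet-domains><sinkhole>
  <ipv4-address>sinkhole.paloaltonetworks.com</ipv4-address>
 </sinkhole></botnet-domains></entry></spyware>
</profiles>
<rulebase><security><rules>
 <entry name="web-to-db"><action>allow</action><profile-setting><profiles>
  <virus><member>dc-av</member></virus><spyware><member>dc-as</member></spyware>
 </profiles></profile-setting></entry>
 <entry name="deny-all"><action>deny</action></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

AV_DECODERS = ("ftp", "http", "http2", "imap", "pop3", "smb", "smtp")
PROFILE_TYPES = ("virus", "spyware", "vulnerability", "file-blocking", "wildfire-analysis")

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    vsys = ET.fromstring(xml_text).find("./devices/entry/vsys/entry")
    findings = []
    # Antivirus: every listed decoder must reset both client and server.
    for prof in vsys.findall("./profiles/virus/entry"):
        actions = {d.get("name"): d.findtext("action") for d in prof.findall("./decoder/entry")}
        for proto in AV_DECODERS:
            if actions.get(proto) != "reset-both":
                findings.append(f"virus/{prof.get('name')}: {proto} action {actions.get(proto)!r} != 'reset-both'")
    # Anti-spyware: a DNS sinkhole address must be set so infected hosts can be identified.
    for prof in vsys.findall("./profiles/spyware/entry"):
        if prof.find("./botnet-domains/sinkhole/ipv4-address") is None:
            findings.append(f"spyware/{prof.get('name')}: DNS sinkhole not configured")
    # Rules: every allow rule must attach all five profile types directly (groups not resolved).
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        for ptype in PROFILE_TYPES:
            if rule.find(f"./profile-setting/profiles/{ptype}/member") is None:
                findings.append(f"rule {rule.get('name')}: no {ptype} profile attached")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed sample reports the missing and non-resetting antivirus decoders plus the three profile types absent from the allow rule, while the deny rule is skipped.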