Anti-Spyware profile is not following best practices-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if the action for the threat severities Low and Informational is not set to at least ‘default’, or if the threat severity is selected as ‘Any’ but the action field is not configured as ‘reset-both’.

Remediation Steps:
It is recommended to clone the predefined strict Anti-Spyware profile as explained in this document: https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles.html#ide042a854-cf6c-4535-a54b-6def3b2350ed_id17A29F060SK

How does this work?
This alert uses the Palo Alto Networks API interface to parse the configured Anti-Spyware profiles and check the action configured for the Informational and Low severities.

Why is this important?
Each Anti-Spyware profile lets you select an action per threat severity. For the severities Low and Informational the action must be set to ‘default’. ‘Default’ means the firewall applies the action PAN-OS defines for the signature whenever a threat of that severity passes through a firewall with this profile applied; in most cases that default action is alert, reset-both or allow. If a rule's threat severity is selected as ‘Any’, its action field must be configured as ‘reset-both’. It is good practice to select specific threat severities and assign an action to each rather than configuring ‘Any’: ‘Any’ covers all severities (Critical, High, Medium, Low and Informational), so it must carry the action ‘reset-both’ to block the severe threats. The check reads the Category and Severity fields of each rule and decides which Action best fits that rule in the Anti-Spyware profile.
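As an added illustration of the check described in the two sections above (this is not Indeni's parser or rule code), the following Python flags Anti-Spyware profile rules the way this alert does. It assumes the PAN-OS running-config XML layout shown in the constructed sample, and an assumed strength ordering of actions to interpret ‘at least default’.

```python
# Added example, not Indeni's parser or rule: evaluates PAN-OS Anti-Spyware
# profile rules from a running-config XML fragment against this alert's check.
import xml.etree.ElementTree as ET

# Assumed strength ordering of PAN-OS actions; "at least default" is read as
# rank >= rank("default").
ACTION_RANK = {"allow": 0, "alert": 1, "default": 2, "drop": 3,
               "reset-client": 4, "reset-server": 4, "reset-both": 5,
               "block-ip": 5}

# Constructed sample; element layout assumed from the PAN-OS <profiles><spyware> config.
SAMPLE_CONFIG = """
<profiles><spyware>
  <entry name="strict-clone"><rules>
    <entry name="simple-critical"><action><reset-both/></action>
      <severity><member>critical</member></severity></entry>
    <entry name="simple-low"><action><default/></action>
      <severity><member>low</member><member>informational</member></severity></entry>
  </rules></entry>
  <entry name="weak"><rules>
    <entry name="low-allow"><action><allow/></action>
      <severity><member>low</member></severity></entry>
    <entry name="catch-all"><action><alert/></action>
      <severity><member>any</member></severity></entry>
  </rules></entry>
</spyware></profiles>
"""

def rule_action(rule):
    """The action is the tag of the single child element under <action>."""
    action = rule.find("action")
    return action[0].tag if action is not None and len(action) else "default"

def check_anti_spyware(config_xml):
    """Return (profile, rule, reason) for every rule that violates the check."""
    findings = []
    for profile in ET.fromstring(config_xml).findall("spyware/entry"):
        for rule in profile.findall("rules/entry"):
            sev = {m.text for m in rule.findall("severity/member")}
            act = rule_action(rule)
            if "any" in sev and act != "reset-both":
                findings.append((profile.get("name"), rule.get("name"),
                                 f"severity any requires reset-both, got {act}"))
            elif sev & {"low", "informational"} and \
                    ACTION_RANK.get(act, 0) < ACTION_RANK["default"]:
                findings.append((profile.get("name"), rule.get("name"),
                                 f"low/informational action {act} is weaker than default"))
    return findings
```

Feed it the `<profiles><spyware>` subtree pulled from the device's running config; each finding names the profile and rule to fix by cloning the strict profile as the remediation step describes.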

Without Indeni how would you find this?
Log in to the device’s web interface, click on “Objects” -> “Security Profiles” -> “Anti-Spyware”, and check each profile manually.

Parser: panos-anti-spyware-info-low-severity

Source: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-anti-spyware-info-low-severity/panos-anti-spyware-info-low-severity.ind.yaml

Rule: PanosAntiSpywareInfoLowSevRule

Source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosAntiSpywareInfoLowSevRule.scala