Block dangerous URL Categories-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni alerts if any configured URL Filtering profile leaves one of the known dangerous URL categories set to an action other than block.

Remediation Steps:
In every URL Filtering profile, set the following URL categories to block: command-and-control, copyright-infringement, dynamic-dns, extremism, malware, parked, phishing, proxy-avoidance-and-anonymizers, unknown. Then commit the change. Palo Alto Networks' best-practice guidance for security profiles: https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

How does this work?
This alert uses the Palo Alto Networks XML API to retrieve the configured URL Filtering profiles and checks whether any of them has the action for one of these categories set to anything other than block. The alert lists the name of each non-compliant URL Filtering profile. Note that the check covers every configured profile, including ones not attached to any security rule; a URL Filtering profile only takes effect once it is referenced from a security policy rule, directly or through a profile group.

Why is this important?
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.

Without Indeni how would you find this?
Log in to the firewall's web interface, go to "Objects" -> "Security Profiles" -> "URL Filtering", and check the category actions of each profile manually.

panos-url-filtering-bad-categories

name: panos-url-filtering-bad-categories
description: Check all URL-Filtering profiles have all the known bad url categories
    are configured to block
type: monitoring
monitoring_interval: 59 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
comments:
    url-filtering-block-categories:
        why: |
            The best practice URL Filtering profile sets all known dangerous URL categories to block.
            These include command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, and parked.
            Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
        how: |
            This alert uses the Palo Alto Networks API interface to parse through the configured URL-Filtering profiles and check if any of them has the action of any of these categories set to != Block.
            The alarm should dump the name of the URL-Filtering profile.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config//profiles/url-filtering&key=${api-key}
    parse:
        type: XML
        file: panos-url-filtering-block-categories.parser.1.xml.yaml
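
The check described under "How does this work?" and in the rule steps above, as an added example (not Indeni's parser file and not Palo Alto Networks code): fetch the url-filtering subtree with the same XML API call the rule uses, then flag any profile in which one of the nine categories is not under the block action. The XML layout assumed here, in which each profile entry groups categories as member children of allow/alert/block/continue/override elements, is the PAN-OS 8.x config format; the embedded sample response is constructed, and the fetch helper's host and API key are placeholders.

```python
"""Flag PAN-OS URL Filtering profiles that leave dangerous categories unblocked.

Added example; not Indeni's parser or Palo Alto Networks code. Assumes the PAN-OS 8.x
layout where each profile <entry> lists categories as <member> children of the
action elements <allow>, <alert>, <block>, <continue> and <override>.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict

# The nine categories the remediation text says must be set to block.
DANGEROUS_CATEGORIES = frozenset({
    "command-and-control", "copyright-infringement", "dynamic-dns", "extremism",
    "malware", "parked", "phishing", "proxy-avoidance-and-anonymizers", "unknown",
})
ACTIONS = ("allow", "alert", "block", "continue", "override")


def fetch_url_filtering_config(host: str, api_key: str) -> str:
    """GET the same xpath the Indeni rule uses from the firewall's XML API.

    Not exercised offline. TLS verification is deliberately left on: install the
    firewall's CA certificate rather than disabling certificate checking.
    """
    params = urllib.parse.urlencode({
        "type": "config", "action": "get",
        "xpath": "/config//profiles/url-filtering", "key": api_key,
    })
    with urllib.request.urlopen(f"https://{host}/api/?{params}", timeout=30) as resp:
        return resp.read().decode("utf-8")


def category_actions(profile: ET.Element) -> Dict[str, str]:
    """Map every category named in a profile entry to the action list it sits under."""
    actions: Dict[str, str] = {}
    for action in ACTIONS:
        node = profile.find(action)
        if node is None:
            continue
        for member in node.findall("member"):
            actions[(member.text or "").strip()] = action
    return actions


def find_unblocked_categories(config_xml: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {category: action}} for dangerous categories not under <block>.

    A category absent from every action list is reported as "unlisted" and still
    flagged: the rule's condition is "action != block", not "action == allow".
    """
    root = ET.fromstring(config_xml)
    if root.tag == "response" and root.get("status") != "success":
        raise RuntimeError("API call failed: " + ET.tostring(root, encoding="unicode"))
    findings: Dict[str, Dict[str, str]] = {}
    # Iterating over every <url-filtering> node covers shared and per-vsys profiles.
    for container in root.iter("url-filtering"):
        for entry in container.findall("entry"):
            name = entry.get("name", "?")
            actions = category_actions(entry)
            bad = {cat: actions.get(cat, "unlisted")
                   for cat in sorted(DANGEROUS_CATEGORIES) if actions.get(cat) != "block"}
            if bad:
                findings[name] = bad
    return findings


# Constructed sample API response: one compliant profile and one that is not.
SAMPLE_RESPONSE = """\
<response status="success"><result>
  <url-filtering>
    <entry name="best-practice">
      <block>
        <member>command-and-control</member><member>copyright-infringement</member>
        <member>dynamic-dns</member><member>extremism</member><member>malware</member>
        <member>parked</member><member>phishing</member>
        <member>proxy-avoidance-and-anonymizers</member><member>unknown</member>
      </block>
      <alert><member>hacking</member></alert>
    </entry>
    <entry name="lenient">
      <block><member>malware</member><member>command-and-control</member></block>
      <alert><member>phishing</member><member>parked</member></alert>
      <allow><member>dynamic-dns</member><member>unknown</member></allow>
      <continue><member>proxy-avoidance-and-anonymizers</member></continue>
    </entry>
  </url-filtering>
</result></response>
"""

if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_url_filtering_config("fw.example.net", "<api-key>")
    # to check a live firewall (placeholders, not real values).
    for profile, cats in find_unblocked_categories(SAMPLE_RESPONSE).items():
        for cat, action in cats.items():
            print(f"{profile}: {cat} is {action}, must be block")
```

Run as-is to see the "lenient" profile reported with seven categories; "best-practice" produces no findings. The script flags categories that are merely missing from the block list, which matches the rule's "!= Block" condition and avoids the mistake of only looking for categories explicitly placed under allow.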

panw_url_filtering_ensure_block_categories

Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/panw_url_filtering_ensure_block_categories.scala