Block dangerous URL Categories-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if any of the dangerous URL Categories are allowed
Remediation Steps:
Set the following URL categories to Block: command-and-control, copyright-infringement, dynamic-dns, extremism, malware, parked, phishing, proxy-avoidance-and-anonymizers, unknown. Reference: https://www.paloaltonetworks.com/documentation/80/best-practices/best-practices-internet-gateway/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles
How does this work?
This alert uses the Palo Alto Networks API to retrieve the configured URL Filtering profiles and checks whether any of them sets the action for one of the categories listed above to anything other than Block. The alert reports the name of each non-compliant URL Filtering profile.
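The check described above, as an added example that is not Indeni's parser or rule code: it walks the URL Filtering profiles in a PAN-OS XML configuration (the element layout, profile names and member lists below are constructed sample data assumed to mirror a PAN-OS config export) and reports, per profile, every dangerous category whose action is not block.

```python
import xml.etree.ElementTree as ET

# Categories the remediation step requires to be set to Block.
DANGEROUS_CATEGORIES = (
    "command-and-control", "copyright-infringement", "dynamic-dns",
    "extremism", "malware", "parked", "phishing",
    "proxy-avoidance-and-anonymizers", "unknown",
)

# Action lists a URL Filtering profile can place a category in
# (assumed to mirror the XML layout of a PAN-OS configuration export).
ACTION_TAGS = ("block", "alert", "allow", "continue", "override")

# Constructed sample config: "strict-profile" blocks everything; "lenient-profile"
# alerts on "unknown", allows "parked" and does not list "dynamic-dns" at all.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><profiles><url-filtering>
  <entry name="strict-profile">
    <block>
      <member>command-and-control</member><member>copyright-infringement</member>
      <member>dynamic-dns</member><member>extremism</member><member>malware</member>
      <member>parked</member><member>phishing</member>
      <member>proxy-avoidance-and-anonymizers</member><member>unknown</member>
    </block>
  </entry>
  <entry name="lenient-profile">
    <block>
      <member>command-and-control</member><member>copyright-infringement</member>
      <member>extremism</member><member>malware</member><member>phishing</member>
      <member>proxy-avoidance-and-anonymizers</member>
    </block>
    <alert><member>unknown</member></alert>
    <allow><member>parked</member></allow>
  </entry>
</url-filtering></profiles></entry></vsys></entry></devices></config>"""


def find_unblocked_categories(config_xml, categories=DANGEROUS_CATEGORIES):
    """Return {profile_name: {category: action}} for every dangerous category
    whose action is anything other than block. A category missing from all
    action lists is reported as "unlisted". Compliant profiles are omitted."""
    root = ET.fromstring(config_xml)
    findings = {}
    for profile in root.findall(".//url-filtering/entry"):
        action_of = {}
        for tag in ACTION_TAGS:
            for member in profile.findall(f"{tag}/member"):
                action_of[(member.text or "").strip()] = tag
        not_blocked = {c: action_of.get(c, "unlisted") for c in categories
                       if action_of.get(c) != "block"}
        if not_blocked:
            findings[profile.get("name")] = not_blocked
    return findings
```

Running `find_unblocked_categories(SAMPLE_CONFIG)` flags only "lenient-profile", with the three categories and the action each one actually has.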
Why is this important?
The best practice URL Filtering profile sets all known dangerous URL categories to block. These include command-and-control, copyright-infringement, dynamic-dns, extremism, malware, phishing, proxy-avoidance-and-anonymizers, unknown, and parked. Failure to block these dangerous categories puts you at risk for exploit infiltration, malware download, command and control activity, and data exfiltration.
Without Indeni how would you find this?
Log in to the device's web interface, click "Objects" -> "Security Profiles" -> "URL Filtering", and check the action of each category in every profile manually.
Parser: panos-url-filtering-bad-categories
Source: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-url-filtering-block-categories/panos-url-filtering-block-categories.ind.yaml
Rule: panw_url_filtering_ensure_block_categories
Source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/panw_url_filtering_ensure_block_categories.scala